Merge branch 'master' of github.com:Lissy93/personal-security-checklist into gh-pages

pull/41/head
Alicia Sykes 2020-07-15 17:10:36 +01:00
commit 2b01f0b050
5 changed files with 370 additions and 56 deletions


@ -13,27 +13,27 @@ It lays out the 20 most essential security + privacy tips, that you should compl
### Authentication
- Use a long, strong and unique password for each of your accounts (see [HowSecureIsMyPassword.net](https://howsecureismypassword.net))
- Use a secure [password manager](/5_Privacy_Respecting_Software.md#password-managers), to encrypt, store and fill credentials, such as [BitWarden](https://bitwarden.com) or KeePass (no cloud-sync)
- Enable 2-Factor authentication where available, and use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) or hardware token
- Use a secure [password manager](/5_Privacy_Respecting_Software.md#password-managers), to encrypt, store and fill credentials, such as [BitWarden](https://bitwarden.com) or [KeePass](https://keepass.info) / [KeePassXC](https://keepassxc.org)
- Enable 2-Factor authentication where available, and use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) or [hardware token](/6_Privacy_and-Security_Gadgets.md#fido-u2f-keys)
- Sign up for breach alerts (with [Firefox Monitor](https://monitor.firefox.com) or [HaveIBeenPwned](https://haveibeenpwned.com)), and update passwords of compromised accounts
### Browsing
- Use a Privacy-Respecting Browser, [Brave](https://brave.com) and [Firefox](https://www.mozilla.org/en-US/exp/firefox/new) are gtrat options. Set your default search to a non-tracking search engine, such as [DuckDuckGo](https://duckduckgo.com)
- Use a Privacy-Respecting Browser, [Brave](https://brave.com) and [Firefox](https://www.mozilla.org/en-US/exp/firefox/new) are good options. Set your default search to a non-tracking engine, such as [DuckDuckGo](https://duckduckgo.com)
- Do not enter any information on a non-HTTPS website (look for the lock icon), consider using [HTTPS-Everywhere](https://www.eff.org/https-everywhere) to make this easier
- Block invasive 3rd-party trackers and ads using an extension like [Privacy Badger](https://privacybadger.org) or [uBlock](https://github.com/gorhill/uBlock)
- Don't allow your browser to save your passwords or auto-fill personal details (instead use a [password manager](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md#password-managers), and [disable your browsers own auto-fill](https://www.computerhope.com/issues/ch001377.htm))
- Keep your browser up-to-date, explore the privacy settings and remove unnecessary add-ons/ extensions
- Consider using compartmentalization to separate different areas of your browsing (such as work, social, shopping etc), in order to reduce tracking. This can be done with [Firefox Containers](https://support.mozilla.org/en-US/kb/containers), or by using separate browsers or browser profiles
- Don't allow your browser to save your passwords or auto-fill personal details (instead use a [password manager](/5_Privacy_Respecting_Software.md#password-managers), and [disable your browsers own auto-fill](https://www.computerhope.com/issues/ch001377.htm))
- Clear your cookies, session data and cache regularly. An extension such as [Cookie-Auto-Delete](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete) to automate this
- Don't sign into your browser, as it can link further data to your identity. If you need to, you can use an open source [bookmark sync](/5_Privacy_Respecting_Software.md#browser-sync) app
- Consider using [Decentraleyes](https://decentraleyes.org) to decrease the number of trackable CDN requests your device makes
- Consider using compartmentalization to separate different areas of your browsing (such as work, social, shopping etc), in order to reduce tracking. This can be done with [Firefox Containers](https://support.mozilla.org/en-US/kb/containers), or by using separate browsers or browser profiles
- Test your browser using a tool like [Panopticlick](https://panopticlick.eff.org) to ensure there are no major issues. [BrowserLeaks](https://browserleaks.com) and [Am I Unique](https://amiunique.org/fp) are also useful for exploring what device info your exposing to websites
- Keep your browser up-to-date, explore the privacy settings and remove unnecessary add-ons/ extensions (as they may make you more trackable)
- For anonymous browsing use [The Tor Browser](https://www.torproject.org/), and avoid logging into any of your personal accounts
### Phone
- Set a device PIN, ideally use a long passcode
- Set a device PIN, ideally use a long passcode. If supported, configure fingerprint authentication, but avoid face unlock
- Encrypt your device, in order to keep your data safe from physical access. To enable, for Android: `Settings --> Security --> Encryption`, or for iOS: `Settings --> TouchID & Passcode --> Data Protection`
- Keep device up-to-date. System updates often contain patches for recently-discovered security vulnrabilities. You should install updates when prompted
- Review application permissions. Don't grant access permissions to apps that do not need it. (For Android, see also [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission&hl=en_US) - an app that allows you to grant temporary permissions)
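Review bot: the changed Phone line ("Set a device PIN, ideally use a long passcode. If supported, configure fingerprint authentication, but avoid face unlock") states a rule without the threat it addresses, and the threat is what makes it actionable: any biometric, fingerprint included, can be used to unlock the device without the owner's cooperation, while a passcode cannot. Suggest saying that biometrics are a convenience layer on top of a long passcode and that the reader should know how to disable them quickly (a reboot, or the OS lockdown mode) when at risk, rather than singling out face unlock. Two small things in the added Browsing lines: "what device info your exposing" should read "you're exposing", and "An extension such as Cookie-Auto-Delete to automate this" is missing its verb ("can automate this").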
@ -53,15 +53,22 @@ It's important to protect your email account, as if a hacker gains access to it
- Using a custom domain, will mean you will not loose access to your email address if your current provider disappears. If you need to back up messages, use a secure IMAP client [Thuderbird](https://www.thunderbird.net)
### Secure Messaging
- Use a [secure messaging app](/5_Privacy_Respecting_Software.md#encrypted-messaging) that is both fully open source and end-to-end encrypted with perfect forward secrecy (e.g. [Signal](https://www.signal.org/))
- Ensure that both your device, and that of your recipient(s) is secure (free from malware, encrypted and has a strong password)
- Disable cloud services, such as web app companion or cloud backup feature, both of which increases attack surface
- Strip meta data from media before sharing, as this can lead to unintentionally revealing more data than you intended
- Verify your recipient is who they claim to be, which can be done cryptographically by using an app that offers contact verification
- Opt for a stable and actively maintained messaging platform, that is backed by reputable developers and have a transparent revenue model or are able to account for where funding has originated from. It should ideally be based in a friendly jurisdiction and have undergone an independent security audit.
- In some situations, it may be appropriate to use an app that supports disappearing messages, and/ or allows for anonymous sign up (without phone number or email address). A [decentralized platform](/5_Privacy_Respecting_Software.md#p2p-messaging) can offer additional security and privacy benefits in some circumstances, as there is no single entity governing it, e.g. [Matrix](https://matrix.org/), [Session](https://getsession.org/), [Tox](https://tox.chat/) or [Briar](https://briarproject.org/)
- Avoid SMS, but if you must use it then encrypt your messages, e.g. using the [Silence](https://silence.im/) app
### Networking
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their limitations. Good options include [ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net), see [thatoneprivacysite.net](https://thatoneprivacysite.net/) for detailed comparisons
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their [limitations](5_Privacy_Respecting_Software.md#word-of-warning-4). Good options include [ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net), see [thatoneprivacysite.net](https://thatoneprivacysite.net/) for detailed comparisons
- Change your routers default password. Anyone connected to your WiFi is able to listen to network traffic, so in order to prevent people you don't know from connecting, use WPA2 and set a strong password.
- Update your router settings to use a secure DNS, such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/), this should also speed up your internet. If you cannot modify your roters settings, you can set the DNS on your phone (with the [1.1.1.1. app](https://1.1.1.1/)), or [Windows](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/windows/), [Mac](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/mac/) or [Linux](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/linux/). DNS is the system used to resolve URL's to their server addresses, many DNS providers collect data on your browsing habbits and use it to target you with ads or sell it on.
### Devices
- Keep software up-to-date. Security fixes and patches are released as updates, so it is important to install updates when prompted, for your phone, PC, router, IoT devices and all software/apps.
**📜 See More**: [The Complete Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md)
----
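Review bot: the DNS bullet in the Networking section overstates what switching the resolver to 1.1.1.1 buys: with plain port-53 DNS the ISP still sees every query on the wire, so the privacy gain only materialises with DNS-over-HTTPS or DNS-over-TLS, which the 1.1.1.1 app and the linked Windows/Mac/Linux guides can configure; the bullet should say so, and "this should also speed up your internet" is an unsupported claim that should be softened or dropped. In the router bullet, "use WPA2" should become "use WPA3 where the router and clients support it, otherwise WPA2 (AES)". Typos in this hunk: "roters", "habbits", "1.1.1.1. app", "both of which increases" (increase), and in the context line at the top "loose access" (lose) and "Thuderbird".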


@ -36,6 +36,7 @@
- Protection from Identity Theft: via [Restore Privacy](https://restoreprivacy.com/identity-theft-fraud)
- Harden your MacOS Security: via [@drduh on GitHub](https://github.com/drduh/macOS-Security-and-Privacy-Guide)
- Protecting from key-stroke-logging, with KeyScrambler: via [TechRepublic](https://www.techrepublic.com/blog/it-security/keyscrambler-how-keystroke-encryption-works-to-thwart-keylogging-threats)
- Guide to Hash Checks, to ensure a program has not been tampered with: via [ProPrivacy](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check)
- Permanently and Securely Delete Files and Directories in Linux: via [TechMint](https://www.tecmint.com/permanently-and-securely-delete-files-directories-linux/)
- **Netowkring**
- How to enable DNS over HTTPS: via [geekwire](https://geekwire.co.uk/privacy-and-security-focused-dns-resolver)
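Review bot: the new hash-check entry says a hash check ensures "a program has not been tampered with", which only holds when the reference hash comes from a channel the attacker cannot also control; a hash published beside the download on the same server verifies the transfer, not the authenticity of the file. Suggest wording it as "to verify a download matches the publisher's hash" and pointing readers at the signature-verification guides (the PGP entries later in this file) for the authenticity part. The "Netowkring" heading in the context line below is also misspelled.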
@ -46,10 +47,13 @@
- Beginners guide on getting started with Tor: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/ultimate-tor-browser-guide)
- Beginners guide to I2P: via [The Tin Hat](https://thetinhat.com/tutorials/darknets/i2p.html)
- How to Use a VPN and Tor together: via [ProPrivacy](https://proprivacy.com/vpn/guides/using-vpn-tor-together)
- How to use `__nomap`, to reduce public exposure of SSID: via [ghacks](https://www.ghacks.net/2014/10/29/add-_nomap-to-your-routers-ssid-to-have-it-ignored-by-google-and-mozilla/)
- **Communication**
- Email Self-Defense, Configure your mail client securly, from scratch - via [FSF.org](https://emailselfdefense.fsf.org)
- How to avoid Phishing Attacks: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks)
- How to use PGP: Via EFF - [Windows](https://ssd.eff.org/en/module/how-use-pgp-windows), [MacOS](https://ssd.eff.org/en/module/how-use-pgp-mac-os-x) and [Linux](https://ssd.eff.org/en/module/how-use-pgp-linux)
- How to Maintain Anonyimity in BitCoin Transactions: [coinsutra.com](https://coinsutra.com/anonymous-bitcoin-transactions/)
- Beginners Guide to Signal (secure messaging app): via [Freedom of the Press Foundation](https://freedom.press/news/signal-beginners/)
- **Devices**
- How to Enable Encryption on your Devices: via [SpreadPrivacy.com](https://spreadprivacy.com/how-to-encrypt-devices/)
- How to Delete your Data Securely: Via EFF - [Windows](https://ssd.eff.org/en/module/how-delete-your-data-securely-windows), [MacOS](https://ssd.eff.org/en/module/how-delete-your-data-securely-macos) and [Linux](https://ssd.eff.org/en/module/how-delete-your-data-securely-linux)
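Review bot: the new `__nomap` entry should use the documented suffix `_nomap` (one underscore), which is also what the linked ghacks slug says (add-_nomap-to-your-routers-ssid). The description should also state what the suffix does: it asks Google's and Mozilla's location-database crawlers to skip that access point; it does not reduce the SSID's exposure to anyone else scanning for it, so "reduce public exposure of SSID" is misleading. Typo in the added BitCoin line: "Anonyimity".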
@ -58,12 +62,16 @@
- For: [Windows 10](https://spreadprivacy.com/windows-10-privacy-tips/), [MacOS](https://spreadprivacy.com/mac-privacy-tips/), [Linux](https://spreadprivacy.com/linux-privacy-tips/), [Android](https://spreadprivacy.com/android-privacy-tips/) and [iOS](https://spreadprivacy.com/iphone-privacy-tips/)
- Guide to scrubbing Windows OSs from forensic investigation: by u/moschles, via [Reddit](https://www.reddit.com/r/security/comments/32fb1l/open_guide_to_scrubbing_windows_oss_from_forensic)
- A curated list of Windows Domain Hardening techniques: by @PaulSec, via: [GitHub](https://github.com/PaulSec/awesome-windows-domain-hardening)
- Configuring Gboard for better Privacy: via [Ghacks](https://www.ghacks.net/2016/12/21/configure-gboard-privacy-google-keyboard/)
- Settings to update on iPhone, for better privacy: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831)
- How to check App Permissions (Android, iOS, Mac & Windows): via [Wired](https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-windows/)
- **Software**
- How to use Vera Crypt: via [howtogeek](https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt)
- How to use KeePassXC: via [EFF](https://ssd.eff.org/en/module/how-use-keepassxc)
- How to use uMatrix browser addon to block trackers: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/lifehacks-setup-umatrix-beginners)
- How to set up 2-Factor Auth on common websites: via [The Verge](https://www.theverge.com/2017/6/17/15772142/how-to-set-up-two-factor-authentication)
- How to use DuckDuckGo advanced search features: via [Ghacks](https://www.ghacks.net/2013/03/24/duckduckgo-another-bag-of-tricks-to-get-the-most-out-of-it/)
- How to use Cryptomator (encrypt files on cloud storage): via [It's Foss](https://itsfoss.com/cryptomator/)
- **Physical Security**
- Hiding from Physical Surveillance: via [Snallabolaget](http://snallabolaget.com/hiding-from-surveillance-how-and-why)
- Guide to opting-out of public data listings and marketing lists: via [World Privacy Forum](https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs)
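Review bot: the "How to use Vera Crypt" entry in this hunk links to a howtogeek guide whose URL is for TrueCrypt (getting-started-with-truecrypt), a project discontinued in 2014; either point it at a VeraCrypt guide or label it as a TrueCrypt guide that still broadly applies. The product name is one word, VeraCrypt.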
@ -76,14 +84,14 @@
- Product reviews from a privacy perspective, by Mozilla: via [Privacy Not Included](https://foundation.mozilla.org/en/privacynotincluded)
- Surveillance Catalogue - Database of secret government surveillance equipment, Snowden: via [The Intercept](https://theintercept.com/surveillance-catalogue)
- See also: The source code, on WikiLeaks [Vault7](https://wikileaks.org/vault7) and [Vault8](https://wikileaks.org/vault8), and the accompanying [press release](https://wikileaks.org/ciav7p1)
- Who Has Your Back? - Which companies hand over your comply with Government Data Requests 2019: via [EFF](https://www.eff.org/wp/who-has-your-back-2019)
- Open project to rate, annotate, and archive privacy policies: via [PrivacySpy.org](https://privacyspy.org)
- Check who your local and government representatives in your local area are [WhoAreMyRepresentatives.org](https://whoaremyrepresentatives.org)
- Impartial VPN Comparison Data: via [ThatOnePrivacySite](https://thatoneprivacysite.net/#detailed-vpn-comparison)
- Hosts to block: via [someonewhocares/ hosts](https://someonewhocares.org/hosts) / [StevenBlack/ hosts](https://github.com/StevenBlack/hosts)
- Magic Numbers - Up-to-date file signature table, to identify / verify files have not been tampered with: via [GaryKessler](https://www.garykessler.net/library/file_sigs.html)
- List of IP ranges per country: via [Nirsoft](https://www.nirsoft.net/countryip)
- Database of default passwords for various devices by manufacturer and model: via [Default-Password.info](https://default-password.info)
- Who Has Your Back? - Which companies hand over your comply with Government Data Requests 2019: via [EFF](https://www.eff.org/wp/who-has-your-back-2019)
- Open project to rate, annotate, and archive privacy policies: via [PrivacySpy.org](https://privacyspy.org)
- Check who your local and government representatives in your local area are [WhoAreMyRepresentatives.org](https://whoaremyrepresentatives.org)
- Impartial VPN Comparison Data: via [ThatOnePrivacySite](https://thatoneprivacysite.net/#detailed-vpn-comparison)
- Hosts to block: via [someonewhocares/ hosts](https://someonewhocares.org/hosts) / [StevenBlack/ hosts](https://github.com/StevenBlack/hosts)
- Magic Numbers - Up-to-date file signature table, to identify / verify files have not been tampered with: via [GaryKessler](https://www.garykessler.net/library/file_sigs.html)
- List of IP ranges per country: via [Nirsoft](https://www.nirsoft.net/countryip)
- Database of default passwords for various devices by manufacturer and model: via [Default-Password.info](https://default-password.info)
## Articles
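Review bot: the reordering moves the "Who Has Your Back?" line unchanged, but its sentence is broken in both the removed and the re-added copy: "Which companies hand over your comply with Government Data Requests" is two phrases spliced together. Since the line is being touched anyway, fix it to something like "Which companies hand over your data when governments ask (2019)".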
@ -92,6 +100,7 @@
- Rethinking Digital Ads: via [TheInternetHealthReport](https://internethealthreport.org/2019/rethinking-digital-ads)
- **Encryption**
- Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email)
- Anatomy of a GPG Key: via [@DaveSteele](https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/)
- **Surveillance**
- Twelve Million Phones, One Dataset, Zero Privacy: via [NY Times](https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html)
- Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html)
@ -107,16 +116,50 @@
- How a highly targeted ad can track your precise movements: via [Wired](https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study/)
- Based on the paper, Using Ad Targeting for Surveillance on a Budget: via [Washington.edu](https://adint.cs.washington.edu/ADINT.pdf)
- Law Enforcement Geo-Fence Data Requests- How an Innocent cyclist became a suspect when cops accessed his Google location data: via [Daily Mail](https://www.dailymail.co.uk/news/article-8086095/Police-issue-warrant-innocent-mans-Google-information.html)
- **Breaches**
- Grindr and OkCupid Spread Personal Details Study Says: via [NY Times](https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html)
- The Asia-Pacific Cyber Espionage Campaign that Went Undetected for 5 Years: via [TheHackerNews](https://thehackernews.com/2020/05/asia-pacific-cyber-espionage.html)
- **Threats**
- 23 reasons not to reveal your DNA: via [Internet Health Report](https://internethealthreport.org/2019/23-reasons-not-to-reveal-your-dna)
- Security of Third-Party Keyboard Apps on Mobile Devices: via [Lenny Zelster](https://zeltser.com/third-party-keyboards-security)
- Mobile Websites Can Tap Into Your Phone's Sensors Without Asking: via [Wired](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking)
- Non-admin accounts mitigate 94% of critical Windows vulnerabilities: via [ghacks](https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/)
- Android Apps are able to monitor screen state, data usage, installed app details and more without any permissions: by @databurn-in, via [GitHub](https://github.com/databurn-in/Android-Privacy-Issues)
- See also, [PrivacyBreacher](https://github.com/databurn-in/PrivacyBreacher) - an app developed by @databurn-in, which demonstrates these issues
- How URL Previews in Apps can Leak Personal Info: via [hunch.ly](https://hunch.ly/osint-articles/osint-article-how-to-blow-your-online-cover)
- Big data privacy risks: via [CSO Online](https://www.csoonline.com/article/2855641/the-5-worst-big-data-privacy-risks-and-how-to-guard-against-them.html)
- Anti-Doxing Guide (For Activists Facing Attacks): via [Equality Labs](https://medium.com/@EqualityLabs/anti-doxing-guide-for-activists-facing-attacks-from-the-alt-right-ec6c290f543c)
- **Breaches**
- Wired guide to data breaches- past, present and future: via [Wired](https://www.wired.com/story/wired-guide-to-data-breaches/)
- Grindr and OkCupid Spread Personal Details Study Says: via [NY Times](https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html)
- The Asia-Pacific Cyber Espionage Campaign that Went Undetected for 5 Years: via [TheHackerNews](https://thehackernews.com/2020/05/asia-pacific-cyber-espionage.html)
- ClearView AI Data Breach - 3 Billion Faces: via [Forbes](https://www.forbes.com/sites/kateoflahertyuk/2020/02/26/clearview-ai-the-company-whose-database-has-amassed-3-billion-photos-hacked/)
- The MongoDB hack and the importance of secure defaults: via [Synk](https://snyk.io/blog/mongodb-hack-and-secure-defaults/)
- Truecaller Data Breach 47.5 Million Indian Truecaller Records On Sale: via [GBHackers](https://gbhackers.com/truecaller-data-breach/)
- Hundreds of millions of Facebook user records were exposed on Amazon cloud server: via [CBS News](https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/)
- Microsoft data breach exposes 250 million customer support records: via [Graham Cluley](https://www.grahamcluley.com/microsoft-data-breach/)
## Blogs
- **Security Reserachers**
- [Krebs on Security](https://krebsonsecurity.com/) - Lots of up-to-date, in-depth interesting cyber security news and investigations, by a true legend in the field and NY Times Bestseller, Brian Krebs. [RSS](https://krebsonsecurity.com/feed/)
- [Schneier on Security](https://www.schneier.com/) - Commentary, news, essays and more all about cryptography, cyber security and privacy. New posts are written almost daily, and this is also home to the famous [Crypto Gram](https://www.schneier.com/crypto-gram/) weekly newsletter, that's been popular since 1994. By the world-renowned security professional, and serial bestselling author, Bruce Schneier. [RSS](https://www.schneier.com/blog/atom.xml)
- [Troy Hunt](https://www.troyhunt.com/) - Security researcher and data breach collector. [RSS](https://feeds.feedburner.com/TroyHunt)
- [Graham Cluley](https://www.grahamcluley.com/) - Security news, advise and opinion. From Graham Cluley, co-host of Smashing Security.
- [The Last Watch Dog](https://www.lastwatchdog.com/) - Privacy and Security articles, opinion and media by Byron Acohido
- [Daniel Miessler](https://danielmiessler.com/) - Summaries recent news and events, and focuses on security, technology and people. [RSS](https://danielmiessler.com/feed/)
- [Errata Security](https://blog.erratasec.com/) - Covers latest interesting news, and explains concepts clearly. By Robert Graham and David Maynor. [RSS](https://blog.erratasec.com/feeds/posts/default?alt=rss)
- **Cyber Security News**
- [Dark Reading](https://www.darkreading.com/) - Well-known cyber security news site, with articles on a range of topics, ranging from data breaches, IoT, cloud security and threat intelligence. [RSS](https://www.darkreading.com/rss_simple.asp)
- [Threat Post](https://threatpost.com/) - News and Articles Cloud Security, Malware, Vulnerabilities, Waterfall Security and Podcasts. [RSS](https://threatpost.com/feed/)
- [We Live Security](https://www.welivesecurity.com/) - Security news, views, and insight, by ESET + Community. [RSS](https://www.welivesecurity.com/rss-configurator/)
- [The Hacker News](https://thehackernews.com/) - News and info covering Data Breaches, Cyber Attacks, Vulnerabilities, Malware. [RSS](https://feeds.feedburner.com/TheHackersNews)
- [Sophos: Naked Security](https://nakedsecurity.sophos.com/) - Security news and updates, presented in an easy-to-digest format. [RSS](https://nakedsecurity.sophos.com/feed/)
- [IT Security Guru](https://www.itsecurityguru.org/) - Combines top cyber security news from multiple sites, easier to stay up-to-date
- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- **Cyber Security Infomation**
- [Heimdal](https://heimdalsecurity.com/blog) - Personal Cyber Security Tutorials and Articles
- [Tech Crunch](https://techcrunch.com/tag/cybersecurity-101) - Cyber Security 101
- [Email Self-Defense](https://emailselfdefense.fsf.org) - Complete guide to secure email
- [Security Planner](https://securityplanner.org) - Great advise for beginners
- [My Shaddow](https://myshadow.org) - Resources and guides, to help you take controll of your data
- **Privacy**
- [EFF SSD](https://ssd.eff.org) - Tips for safer online communications
- [Spread Privacy](https://spreadprivacy.com) - Raising the standard of trust online, by DuckDuckGo
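Review bot: in the new Breaches list, "via [Synk]" should be "Snyk" (the link target is snyk.io), and the ClearView AI entry's title ("Data Breach - 3 Billion Faces") implies the photo database leaked, whereas the linked Forbes slug says the company was hacked; reword to match the source. The new Blogs section headers are misspelled: "Security Reserachers" (Researchers) and "Cyber Security Infomation" (Information); "advise" should be "advice" in the Graham Cluley and Security Planner entries, and "My Shaddow ... take controll" should be "My Shadow ... take control".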
@ -130,21 +173,11 @@
- [PrismBreak](https://prism-break.org/en/all) - Secure app alternatives
- [The VERGE guide to privacy](https://bit.ly/2ptl4Wm) - Guides for securing mobile, web and home tech
- [BringBackPrivacy](https://bringingprivacyback.com) - Easy-reading, sharable privacy articles
- **Cyber Security**
- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- [Heimdal](https://heimdalsecurity.com/blog) - Personal Cyber Security Tutorials and Articles
- [Tech Crunch](https://techcrunch.com/tag/cybersecurity-101) - Cyber Security 101
- [Email Self-Defense](https://emailselfdefense.fsf.org) - Complete guide to secure email
- [Security Planner](https://securityplanner.org) - Great advise for beginners
- [My Shaddow](https://myshadow.org) - Resources and guides, to help you take controll of your data
- [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT
- **Internet Freedom**
- [OONI](https://ooni.org/post), Internet freedom and analysis on blocked sites
- [Internet Health Report](https://foundation.mozilla.org/en/internet-health-report) - Mozilla is documenting and explaining whats happening to openness and freedom on the Internet
- [Worth Hiding](https://worthhiding.com) - Posts about privacy, politics and the law
- **News and Updates**
- [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT
- [The Hacker News](https://thehackernews.com) - Up-to-date Cybersecurity News and Analysis
## Books
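Review bot: the Verge entry in this hunk ("The VERGE guide to privacy") is a bit.ly shortlink, which this list should avoid: the shortener is a third party that logs every click and can be repointed later, exactly the tracking the page warns against. Replace it with the direct theverge.com URL. The removed "Cyber Security" and "News and Updates" entries all reappear in the earlier Blogs hunk, so the move itself looks complete.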
- [Permanent Record](https://www.amazon.co.uk/Permanent-Record-Edward-Snowden/dp/1529035651) by Edward Snowden
@ -152,6 +185,7 @@
- [Extreme Privacy](https://www.amazon.co.uk/Extreme-Privacy-Takes-Disappear-America/dp/1093757620) by Michael Bazzell: Thoroughly detailed guide for protecting your privacy both electronically and physically
- [Ghost in the Wires](https://www.amazon.co.uk/gp/product/B00FOQS8D6) by Kevin Mitnick: Kevin tells his story of being the world's most wanted hacker
- [The Art of Invisibility](https://www.amazon.com/Art-Invisibility-Worlds-Teaches-Brother/dp/0316380504), by Kevin Mitnick: You How to Be Safe in the Age of Big Brother
- [Eyes in the Sky](https://www.goodreads.com/book/show/40796190-eyes-in-the-sky): The Secret Rise of Gorgon Stare and How It Will Watch Us All, by Arthur Holla Michel: Outlines the capabilities of the digital imaging in continuous aerial and satellite surveillance, and discusses both the current systems that are deployed, and the technical feasibility of future plans
## Podcasts
- [Darknet Diaries] by Jack Rhysider: Stories from the dark sides of the internet.<br>
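Review bot: the new "Eyes in the Sky" entry misspells the author; the book is by Arthur Holland Michel. While in this list, the Mitnick context line above it has a truncated subtitle ("The Art of Invisibility ... : You How to Be Safe in the Age of Big Brother"); the Amazon slug (Worlds-Teaches-Brother) shows the missing words, "The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother".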
@ -247,6 +281,8 @@ More Security Podcasts on [player.fm](https://player.fm/featured/security)
- [The Power of Privacy](https://youtu.be/KGX-c5BJNFk) by The Guardian
- [Why Privacy matters, even if you have nothing to hide](https://youtu.be/Hjspu7QV7O0) by The Hated One
- [The Unhackable Email Service](https://youtu.be/NM8fAnEqs1Q) by Freethink
- **Cryptography**
- [Advanced Into to GnuPGP](https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html) by Neal Walfield ([walfield.org](http://walfield.org/))
- **TED Talks**
- [How Online Trackers Track You, and What To Do About It](https://youtu.be/jVeqAemtC6w) by Luke Crouch
- [Why you should switch off your home WiFi](https://youtu.be/2GpNhYy2l08) by Bram Bonné
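Review bot: the new Cryptography entry is titled "Advanced Into to GnuPGP"; the linked post is "Advanced Intro to GnuPG" (see the slug advanced-intro-gnupg), and the software is GnuPG, not "GnuPGP".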
@ -295,6 +331,7 @@ See also: [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @
- **IP Tools**
- [I Know What You Download](https://iknowwhatyoudownload.com) - Shows torrents that have been downloaded or distributed from your IP address
- [Hetrix Tools - Blacklist Check](https://hetrixtools.com/blacklist-check/) - Check if your Domain or IP appears on any common blacklists
- [Check: The Tor Project](https://check.torproject.org/) - Check if your connected via Tor, and diagnose issues
- **Public Domain and Website Scanning Tools**
- [URL Scan](https://urlscan.io) - Scan and analyse websites, shows IP, DNS, domain and host data, as well as info about resources and requests
- [Security Trails](https://securitytrails.com/#search) - Shows all DNS records, historical DNS data and sub domains
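Review bot: the added Tor check entry reads "Check if your connected via Tor"; should be "you're connected". Worth adding that the page only reports whether that one request arrived through a Tor exit, so a browser that bypasses Tor for some traffic still leaks; it is a sanity check, not proof of anonymity.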
@ -353,6 +390,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- [HashToolkit](http://hashtoolkit.com) - Database of 'cracked' hashes
- [SecLists](https://github.com/danielmiessler/SecLists) - Starter list of leaked databases, passwords, usernames etc (Great for programming)
- [Qualys SSL Pulse](https://www.ssllabs.com/ssl-pulse) - A continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexas list of the most popular sites in the world
- [Tor Bulk Exit List](https://check.torproject.org/torbulkexitlist) - List of all exit nodes (IP) in use on the Tor network
- **Fun with Live Data** 🌠
- **Internet**
- [Tor Flow](https://torflow.uncharted.software) - Real-time data flow between Tor nodes
@ -395,6 +433,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- Detecting and Defending Against Third-Party Tracking on the Web: via [Franziska Roesner](http://www.franziroesner.com/pdf/webtracking-NSDI2012.pdf)
- Is Google degrading search? Consumer Harm from Universal Search: via [law.berkeley.edu](https://www.law.berkeley.edu/wp-content/uploads/2015/04/Luca-Wu-Yelp-Is-Google-Degrading-Search-2015.pdf)
- A Comprehensive Evaluation of Third-Party Cookie Policies: via [WhoLeftOpenTheCookieJar.com](https://wholeftopenthecookiejar.com/static/tpc-paper.pdf)
- The Dangers of Surveillance: via [Harvard Law Review](https://harvardlawreview.org/wp-content/uploads/pdfs/vol126_richards.pdf)
- Recognizing Speech From Gyroscope Signals: via [Stanford](https://crypto.stanford.edu/gyrophone/)
- A Study of Scripts Accessing Smartphone Sensors: via [sensor-js.xyz](https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf)
- Pixel Perfect, Fingerprinting Canvas in HTML5: [hovav.net](https://hovav.net/ucsd/dist/canvas.pdf)
@ -454,6 +493,7 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- **Cybercrime**
- [Consumer Fraud Reporting](http://consumerfraudreporting.org) - US's Catalogue of online scams currently circulating, and a means to report cases
- [Action Fraud](https://www.actionfraud.police.uk) - UKs national reporting centre for fraud and cyber crime
- [Crime Stoppers](https://crimestoppers-uk.org/) - UK Independent Charity, for reporting crimes anonymously
- **Fact Checkling**
- [Full Fact](https://fullfact.org) - UK independent fact checking charity, campaigning to expose bad information, and the harm it does
- **CERT** - Your local jurisdiction will likely have a Computer emergency response team (historically known as [CERT](https://online.norwich.edu/academic-programs/resources/how-computer-emergency-response-teams-and-computer-security-incident-response-teams-combat-cyber-threats)). Who is in charge of handline handles domestic and international computer security incidents.
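Review bot: the new Crime Stoppers entry is fine, but the two context lines below it carry pre-existing errors worth fixing in the same pass: "Fact Checkling" (Checking), and the CERT line's "Who is in charge of handline handles domestic and international computer security incidents", which should read "who handles domestic and international computer security incidents".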
@ -466,12 +506,15 @@ This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products,
- **Global**: [first.org](https://www.first.org) - The global Forum of Incident Response and Security Teams
## Mega Guides
- by [Fried](https://fried.com/privacy)
- by [ivpn](https://www.ivpn.net/privacy-guides)
- by [ProPrivacy](https://proprivacy.com/guides/the-ultimate-privacy-guide)
- by [Heimdal Security](https://heimdalsecurity.com/blog/cyber-security-mega-guide)
- by [Wired](https://www.wired.com/2017/12/digital-security-guide)
- by [Vice](https://www.vice.com/en_us/article/d3devm/motherboard-guide-to-not-getting-hacked-online-safety-guide)
- Trusted software reccomendations and avice for privacy: [privacytools.io](https://www.privacytools.io/)
- Tips and tricks, for internet freedom, data health and privacy: [datadetoxkit.org](https://datadetoxkit.org/)
- Digital security tools and tactics: [securityinabox.org](https://securityinabox.org/)
- Online privacy guide, and software reccomendations: via [Fried](https://fried.com/privacy)
- Guide to security through encryption: via [ProPrivacy](https://proprivacy.com/guides/the-ultimate-privacy-guide)
- Large collection of beginner security guides: [Heimdal Security](https://heimdalsecurity.com/blog/cyber-security-mega-guide)
- The Motherboard guide to not getting hacked: via [Vice](https://www.vice.com/en_us/article/d3devm/motherboard-guide-to-not-getting-hacked-online-safety-guide)
- Online anonimity, and Tor + VPN tutorials: via [ivpn](https://www.ivpn.net/privacy-guides)
## More Awesome GitHub Lists
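Review bot: the reworked Mega Guides list introduces three spelling errors in its added lines: "reccomendations" (twice, in the privacytools.io and Fried entries), "avice" (advice) and "anonimity" (anonymity). The "via" prefix is also applied inconsistently: the Fried, ProPrivacy, Vice and ivpn entries have it, while privacytools.io, datadetoxkit.org, securityinabox.org and Heimdal Security do not. Pick one form for the whole list.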


@ -42,6 +42,8 @@ corporations, governments, and hackers from logging, storing or selling your per
- [Proxies](#proxies)
- [DNS Providers](#dns)
- [Firewalls](#firewalls)
- [Ad Blockers](#ad-blockers)
- [Host Block Lists](#host-block-lists)
- [Router Firmware](#router-firmware)
- [Network Analysis](#network-analysis)
- [Cloud Hosting](#cloud-hosting)
@ -56,6 +58,7 @@ corporations, governments, and hackers from logging, storing or selling your per
- [Browser Sync](#browser-sync)
- [Secure Conference Calls](#video-conference-calls)
- **Utilities**
- [Virtual Machines](#virtual-machines)
- [PGP Managers](#pgp-managers)
- [Metadata Removal](#metadata-removal-tools)
- [Data Erasers](#data-erasers)
@ -66,7 +69,7 @@ corporations, governments, and hackers from logging, storing or selling your per
- [News Readers](#news-readers-and-aggregation)
- **Operating Systems**
- [Mobile Operating Systems](#mobile-operating-systems)
- [PC Operating Systems](#pc-operating-systems)
- [Desktop Operating Systems](#desktop-operating-systems)
- [Linux Defences](#linux-defences)
- [Windows Defences](#windows-defences)
- [Mac OS Defences](#mac-os-defences)
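Review bot: changing the TOC anchor from `#pc-operating-systems` to `#desktop-operating-systems` only works if the section heading itself was renamed to "Desktop Operating Systems"; that heading change is not visible in this diff, so please confirm it was made, otherwise the TOC link no longer resolves.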
@ -74,8 +77,10 @@ corporations, governments, and hackers from logging, storing or selling your per
- **Home/ IoT**
- [Home Automation](#home-automation)
- [Voice Assistants](#ai-voice-assistants)
- **Payment Methods**
- **Finance**
- [Cryptocurrencies](#cryptocurrencies)
- [Crypto Wallets](#crypto-wallets)
- [Crypto Exchanges](#crypto-exchanges)
- [Virtual Credit Cards](#virtual-credit-cards)
- [Other Payment Methods](#other-payment-methods)
- [Secure Budgeting](#budgeting-tools)
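Review bot: the new `[Crypto Exchanges](#crypto-exchanges)` TOC entry needs a matching "## Crypto Exchanges" section. This diff adds a "## Crypto Wallets" section (last hunk) but no exchanges section is visible, so confirm the heading exists or the link will point nowhere. The renamed "**Finance**" group is fine, but the same check applies to any other anchors the rename touched.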
@ -86,6 +91,7 @@ corporations, governments, and hackers from logging, storing or selling your per
- [Self-Hosted Sys-Admin](#bonus-4---self-hosted-sysadmin)
- [Self-Hosted Dev Tools](#bonus-5---self-hosted-development-tools)
- [Security Testing Tools](#bonus-6---security-testing-tools)
- [Raspberry Pi Security Projects](#bonus-7---raspberry-pi-iot-security-software)
#### See Also
- [Personal Security Checklist](/README.md)
@ -120,6 +126,7 @@ If you are using a deprecated PM, you should migrate to something actively maint
**[Aegis](https://getaegis.app)** (Android) | Free, secure and open source authenticator app for Android. Has a backup/ restore feature and a customisable UI with dark mode
**[AndOTP](https://github.com/andOTP/andOTP)** (Android) | Another open source, secure authenticator app. AndOTP is well established with a strong user base
**[Tofu](https://www.tofuauth.com)** (iOS) | An easy-to-use, open-source two-factor authentication app designed specifically for iOS
**[WinAuth](https://winauth.github.io/winauth)** (Windows) | Portable, encrypted desktop authenticator app for Microsoft Windows. With useful features, like hotkeys and some additional security tools, WinAuth is a great companion authenticator for desktop power-users. It's open source and well-established (since mid-2010)
*Check which websites support multi-factor authentication: [twofactorauth.org](https://twofactorauth.org)*
@ -129,6 +136,8 @@ If you are using a deprecated PM, you should migrate to something actively maint
For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a plugin for managing TOTP's- offline and compatible with Windows, Mac and Linux.
[Authy](https://authy.com/) (propriety) is a popular option among new users, due to it's ease of use and device sync capabilities, however it is not open source, and therefore can not recommended.
**See also** [2FA Security Checklist](/README.md#2-factor-authentication)
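Review bot: the added Authy sentence contains three errors: "propriety" should be "proprietary", "it's ease of use" should be "its ease of use", and "can not recommended" is missing a verb. Suggested wording: "[Authy](https://authy.com/) (proprietary) is a popular option among new users, due to its ease of use and device-sync capabilities; however it is not open source, and therefore cannot be recommended."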
@ -140,9 +149,11 @@ For KeePass users, [TrayTop](https://keepass.info/plugins.html#traytotp) is a pl
**[Cryptomator](https://cryptomator.org)** | Open source client-side encryption for cloud files- Cryptomator is geared towards using alongside cloud-backup solutions, and hence preserves individual file structure, so that they can be uploaded. It too is easy to use, but has fewer technical customizations for how the data is encrypted, compared with VeraCrypt. Cryptomator works on Windows, Linux and Mac- but also has excellent mobile apps.
#### Notable Mentions
[CryptSetup](https://gitlab.com/cryptsetup/cryptsetup) is a convinient layer for use on top of [dm-crypt](https://wiki.archlinux.org/index.php/Dm-crypt). [EncFS](https://www.arg0.net/encfs) is a cross-platform file-based encryption module, for use within user local directories. [geli](https://www.freebsd.org/cgi/man.cgi?query=geli&sektion=8) is a disk encryption subsystem included with FreeBSD
PGP may be useful for encrypting individual files and folders, preparing files for transmission, or adding an additional layer of security to sensitive
data. With PGP, you can encrypt, decrypt, sign and verify files and folders: see [PGP Tools](#pgp-managers)
If you need to create a compressed archive, prior to encrypting your files, then [PeaZip](https://www.peazip.org/) is a great little cross-platform open source file archiver utility. It allows you to create, open, and extract RAR TAR ZIP archives.
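Review bot: "convinient" should be "convenient" in the CryptSetup sentence. The PGP paragraph is hard-wrapped mid-sentence ("sensitive" at the end of one line, "data" at the start of the next), which no other paragraph in this file does; join the two lines. In the PeaZip sentence, "RAR TAR ZIP archives" needs separators ("RAR, TAR and ZIP archives").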
@ -192,7 +203,7 @@ The below email providers are private, end-to-end encrypted (E2EE) and reasonabl
| Provider | Description |
| --- | --- |
**[ProtonMail](https://protonmail.com/)** | An open-source, end-to-end encrypted anonymous email service. ProtonMail has a modern easy-to-use and customizable UI, as well as fast, secure native mobile apps. ProtonMail has all the features that you'd expect from a modern email service and is based on simplicity without sacrificing security. It has a free plan or a premium option for using custom domains. ProtonMail requires no personally identifiable information for signup, they have a [.onion](https://protonirockerxow.onion) server, for access via Tor, and they accept anonymous payment: BTC and cash (as well as the normal credit card and PayPal).
**[Tutanota](https://tutanota.com/)** | Free and open source email service based in Germany. It has a basic intuitive UI, secure native mobile apps, anonymous signup, and a .onion site. Tutonota has a full-featured free plan or a premium subscription for businesses allowing for custom domains ($12/ month).
**[Tutanota](https://tutanota.com/)** | Free and open source email service based in Germany. It has a basic intuitive UI, secure native mobile apps, anonymous signup, and a .onion site. Tutonota has a full-featured free plan or a premium subscription for businesses allowing for custom domains ($12/ month).<br>Tutanota [does not use OpenPGP](https://tutanota.com/blog/posts/differences-email-encryption/) like most encrypted mail providers, instead they use a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm (with 128 bit AES, and 2048 bit RSA). This causes compatibility issues when communicating with contacts using PGP. But it does allow them to encrypt much more of the header data (body, attachments, subject lines, and sender names etc) which PGP mail providers cannot do
**[Mailfence](https://mailfence.com?src=digitald)** | Mailfence supports OpenPGP so that you can manually exchange encryption keys independently from the Mailfence servers, putting you in full control. Mailfence has a simple UI, similar to that of Outlook, and it comes with bundled with calendar, address book, and files. All mail settings are highly customizable, yet still clear and easy to use. Sign up is not anonymous, since your name, and prior email address is required. There is a fully-featured free plan, or you can pay for premium, and use a custom domain ($2.50/ month, or $7.50/ month for 5 domains), where BitCoin, LiteCoin or credit card is accepted.
See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) for more details.
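Review bot: the rewritten Tutanota row carries over the misspelling "Tutonota" from the old line, so fix it while the row is being touched. In the added text, "header data (body, attachments, subject lines, and sender names etc)" is inaccurate: body and attachments are message content, not header data; rephrase as "much more of the message (subject line, sender name, body and attachments)". "Standardized, hybrid method" is the vendor's own wording and implies an external standard; "their own hybrid scheme (AES-128 with RSA-2048)" states the same facts without that implication. Finally, check that the inline `<br>` inside a table cell renders as intended on GitHub.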
@ -200,6 +211,11 @@ See [OpenTechFund- Secure Email](https://github.com/OpenTechFund/secure-email) f
#### Other Notable Mentions
[HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business), [StartMail](https://www.startmail.com), [Posteo](https://posteo.de), [Lavabit](https://lavabit.com). For activists and journalists, see [Disroot](https://disroot.org/en), [Autistici](https://www.autistici.org) and [RiseUp](https://riseup.net/en)
**Beta Mail Providers**
- **[CTemplar](https://ctemplar.com/)** - Swiss provider specializing in private & secure mail, with total 4096 bit RSA encryption, anonymous sign up, and full legal protection. Due to it still being in beta, the apps are still a little buggy
- **[CriptText](https://www.criptext.com/)** - CriptText is another option- it's encrypted, free and open source, but works a little differently from convectional mail. There is no cloud storage, and all email is instead stored on your devices. This greatly improves security- however you must be signed into the app (either on desktop or mobile) in order to receive mail. If you are not signed in, then mail sent to you will be permanently lost. For mobile users, your device can be offline or in airplane mode for up to 30 days before mail becomes discarded. The client apps are very good, email is synced seamless between devices, and you can enable automated and encrypted backups. Since your email is stored on your device, they are able to work offline- due to this, there is no web client. Encryption is done with the [Signal protocol](https://en.wikipedia.org/wiki/Signal_Protocol) (rather than PGP), and there are a bunch of really neat features that you can use while communicating to other Criptext users.
Criptext is still in beta, but with an extremely smooth user experience, and no noticeable usability bugs.
### Self-Hosted Email
If you do not want to trust an email provider with your messages, you can host your own mail server. Without experience, this can be notoriously hard to correctly configure, especially when it comes to security. You may also find that cost, performance and features make it a less attractive option. If you do decide to go down this route, [Mail-in-a-box](https://mailinabox.email/), is an easy to deploy, open source mail server. It aims to promote decentralization, innovation, and privacy on the web, as well as have automated, auditable, and idempotent system configuration. Other ready-to-go self-hosted mail options include [Mailu](https://mailu.io/1.7/) and [Mail Cow](https://mailcow.email/), both of which are docker containers.
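Review bot: the provider is spelled both "CriptText" and "Criptext" within the same entry; the URL uses Criptext, so use that throughout. Other fixes in the added Beta Mail lines: "convectional mail" should be "conventional mail" and "synced seamless" should be "synced seamlessly". "Full legal protection" in the CTemplar line is a marketing claim with nothing in this list backing it; either say what it refers to or drop it. The Criptext paragraph says unreceived mail "will be permanently lost" and, two sentences later, that a device can be offline "for up to 30 days before mail becomes discarded"; stating the 30-day retention once, in the first sentence, would make the behaviour clearer.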
@ -240,15 +256,18 @@ Alternatively you could host your own catch-all email service. [Mailu](https://g
| --- | --- |
**[Brave Browser](https://brave.com/?ref=ali721)** | Brave Browser, currently one of the most popular private browsers- it provides speed, security, and privacy by blocking trackers with a clean, yet fully-featured UI. It also pays you in [BAT tokens](https://basicattentiontoken.org/) for using it. Brave also has Tor built-in, when you open up a private tab/ window.
**[FireFox](https://www.mozilla.org/firefox)** | Significantly more private, and offers some nifty privacy features than Chrome, Internet Explorer and Safari. After installing, there are a couple of small tweaks you will need to make, in order to secure Firefox. You can follow one of these guides by: [Restore Privacy](https://restoreprivacy.com/firefox-privacy/), [Security Gladiators](https://securitygladiators.com/firefox-privacy-tips/) or [12Bytes](https://12bytes.org/7750)
**[Bromite](https://www.bromite.org/)** | Bromite is Chromium (Chrome without Google) plus ad blocking and enhanced privacy. It provides a no-clutter browsing experience without privacy-invasive features- it's lightweight and minimal
**[Tor Browser](https://www.torproject.org/)** | Tor provides an extra layer of anonymity, by encrypting each of your requests, then routing it through several nodes, making it near-impossible for you to be tracked by your ISP/ provider. It does make every-day browsing a little slower, and some sites may not work correctly. As with everything there are [trade-offs](https://github.com/Lissy93/personal-security-checklist/issues/19)
#### Notable Mentions
[WaterFox](https://www.waterfox.net), [Epic Privacy Browser](https://www.epicbrowser.com) and [PaleMoon](https://www.palemoon.org).
Mobile Browsers: [Bromite](https://www.bromite.org/) (Android), [Firefox Focus](https://support.mozilla.org/en-US/kb/focus) (Android/ iOS), [DuckDuckGo Browser](https://help.duckduckgo.com/duckduckgo-help-pages/mobile/ios/) (Android/ iOS), [Orbot](https://guardianproject.info/apps/orbot/) + [Tor](https://www.torproject.org/download/#android) (Android), [Onion Browser](https://onionbrowser.com/) (iOS),
Additional Desktop: [WaterFox](https://www.waterfox.net), [Epic Privacy Browser](https://www.epicbrowser.com), [PaleMoon](https://www.palemoon.org), [Iridium](https://iridiumbrowser.de/) and [Sea Monkey](https://www.seamonkey-project.org/).
#### Word of Warning
New vulnerabilities are being discovered and patched all the time - use a browser that is being actively maintained, in order to receive these security-critical updates
**See also** [Browser & Search Security Checklist](/README.md#browser-and-search) and recommended [Browser Extensions](#browser-extensions) for privacy & security.
## Search Engines
Google frequently modifies and manipulates search, and is in pursuit of eliminating competition and promoting their own services above others. They also track, collect, use and sell detailed user search and meta data.
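Review bot: the new "Mobile Browsers" line ends with a dangling comma after "[Onion Browser](https://onionbrowser.com/) (iOS),"; remove it or close with a full stop. Bromite is now listed twice, once as its own table row and again in the Mobile Browsers line; if the row is intentionally kept, it should say Bromite is Android-only, as the mobile line does. In the Firefox row, "Significantly more private, and offers some nifty privacy features than Chrome" does not parse; "offers more privacy features than" fixes it.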
@ -317,9 +336,10 @@ The following browser add-ons give you better control over what content is able
**[Island]** | A sandbox environment, allowing you to clone selected apps and run them in an isolated box, preventing it from accessing your personal data, or device information
**[Exodus]** | Shows which trackers, each of your installed apps is using, so that you can better understand how your data is being collected. Uses data from the Exodus database of scanned APKs.
**[Bouncer]** | Gives you the ability to grant permissions temporarily, so that you could for example use the camera to take a profile picture, but when you close the given app, those permissions will be revoked
**[XPrivacyLua](https://github.com/M66B/XPrivacyLua/)** | Simple to use privacy manager for Android, that enables you to feed apps fake data when they request intimate permissions. Solves the problem caused by apps malfunctioning when you revoke permissions, and protects your real data by only sharing fake information. Enables you to hide call log, calendar, SMS messages, location, installed apps, photos, clipboard, network data plus more. And prevents access to camera, microphone, telemetry, GPS and other sensors
**[SuperFreezZ]** | Makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background
**[Haven]** | Allows you to protect yourself, your personal space and your possessions- without compromising on security. Leveraging device sensors to monitor nearby space, Haven was developed by [The Guardian Project](https://guardianproject.info/), in partnership with [Edward Snowden](https://techcrunch.com/2017/12/24/edward-snowden-haven-app/)
**[XUMI Security]** | Checks for, and resolves known security vulnerabilities. Useful to ensure that certain apps, or device settings are not putting your security or privacy at risk
**[SuperFreezZ]** | Makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background
**[Daedalus]** | No root required Android DNS modifier and hosts/DNSMasq resolver, works by creating a VPN tunnel to modify the DNS settings. Useful if you want to change your resolver to a more secure/ private provider, or use DNS over HTTPS
**[Secure Task]** | Triggers actions, when certain security conditions are met, such as multiple failed login attempts or monitor settings changed. It does require [Tasker], and needs to be set up with ADB, device does not need to be rooted
**[Cryptomator]** | Encrypts files and folders client-side, before uploading them to cloud storage (such as Google Drive, One Drive or Dropbox), meaning none of your personal documents leave your device in plain text
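Review bot: SuperFreezZ appears in two rows of this hunk (once before XPrivacyLua/Haven and again after XUMI Security). If this is a move, the rendered view hides which copy is the deletion; if both survive, the table has a duplicate row, so please confirm. The new XPrivacyLua row should state its requirements the way other rows do (compare "(Android - Rooted)" on the AFWall+ row later in this diff): XPrivacyLua is an Xposed module, so it needs the Xposed framework and therefore a rooted device, which rules it out for most readers of a beginner list.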
@ -334,6 +354,8 @@ The following browser add-ons give you better control over what content is able
**[PrivateLock](https://f-droid.org/en/packages/com.wesaphzt.privatelock/)** | Auto lock your phone based on movement force/ acceleration
**[CamWings](https://schiffer.tech/camwings-mobile.html)** | Prevent background processes gaining unauthorized access to your devices camera. Better still, use a [webcam sticker](https://supporters.eff.org/shop/laptop-camera-cover-set-ii)
**[ScreenWings](https://schiffer.tech/screenwings-mobile.html)** | Prevent background processes taking unauthorized screenshots, which could expose sensetive data
**[AFWall+](https://github.com/ukanth/afwall/)** | Android Firewall+ (AFWall+) is an advanced iptables editor (GUI) for rooted Android devices, which provides very fine-grained control over which Android apps are allowed to access the network
#### Other Notable Mentions
For more open source security & privacy apps, check out these publishers: [The Guardian Project], [The Tor Project], [Oasis Feng], [Marcel Bokhorst], [SECUSO Research Group] and [Simple Mobile Tools]- all of which are trusted developers or organisations, who've done amazing work.
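Review bot: AFWall+ is added here and, with identical wording, to the Firewalls table later in this diff. Keep one full row and make the other a cross-reference ("see [Firewalls](#firewalls)") so the two descriptions do not drift apart. While here, "sensetive" in the ScreenWings row above should be "sensitive".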
@ -491,6 +513,7 @@ A firewall is a program which monitors the incoming and outgoing traffic on your
| --- | --- |
**[NetGuard](https://play.google.com/store/apps/details?id=eu.faircode.netguard)** <br>(Android) | Provides simple and advanced ways to block access to the internet. Applications and addresses can individually be allowed or denied access to Wi-Fi and/or mobile connection
**[NoRoot Firewall](https://play.google.com/store/apps/details?id=app.greyshirts.firewall)** <br>(Android) | Notifies you when an app is trying to access the Internet, so all you need to do is just Allow or Deny. Allows you to create filter rules based on IP address, host name or domain name, and you can allow or deny only specific connections of an app
**[AFWall+](https://github.com/ukanth/afwall/)** <br>(Android - Rooted) | Android Firewall+ (AFWall+) is an advanced iptables editor (GUI) for rooted Android devices, which provides very fine-grained control over which Android apps are allowed to access the network.
**[Lockdown](https://apps.apple.com/in/app/lockdown-apps/id1469783711)** <br>(iOS) | Firewall app for iPhone, allowing you to block any connection to any domain
**[SimpleWall](https://github.com/henrypp/simplewall)** <br>(Windows) | Tool to control Windows Filtering Platform (WFP), in order to configure detailed network activity on your PC
**[LuLu](https://objective-see.com/products/lulu.html)** <br>(Mac OS) | Free, open source macOS firewall. It aims to block unknown outgoing connections, unless explicitly approved by the user
@ -506,6 +529,42 @@ A firewall is a program which monitors the incoming and outgoing traffic on your
There are different [types](https://www.networkstraining.com/different-types-of-firewalls) of firewalls, that are used in different circumstances. This does not omit the need to configure your operating systems defences. Follow these instructions to enable your firewall in [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall).
Even when properly configured, having a firewall enabled does not guarantee bad network traffic can not get through and especially during boot if you don't have root privileges.
## Ad Blockers
There are a few different ways to block ads- browser-based ad-blockers, router-based / device blockers or VPN ad-blockers. Typically they work by taking a maintained list of hosts, and filtering each domain/ IP through it. Some also have other methods to detect certain content based on pattern mathcing
| Provider | Description |
| --- | --- |
**[Pi-Hole](https://pi-hole.net/)** (Server/ VM/ Pi) | Incredibly powerful, network-wide ad-blocker. Works out-of-the-box, light-weight with an intuitive web interface, but still allows for a lot of advanced configuration for power users. As well as blocking ads and trackers, Pi-Hole speeds up your network speeds quite significantly. The dashboard has detailed statistics, and makes it easy to pause/ resume Pi-Hole if needed.
**[Diversion](https://diversion.ch/)** (Router) | A shell script application to manage ad-blocking, Dnsmasq logging, Entware and pixelserv-tls installations and more on supported routers running [Asuswrt-Merlin firmware](https://www.asuswrt-merlin.net/), including its forks
**[DN66](https://github.com/julian-klode/dns66)** (Android) | DNS-based host and ad blocker for Android. Easy to configure, but the default config uses several widely-respected host files. aimed at stopping ads, malware, and other weird stuff
**[BlockParty](https://github.com/krishkumar/BlockParty)** (iOS/ MacOS) | Native Apple (Swift) apps, for system-wide ad-blocking. Can be customized with custom host lists, primarily aimed for just ad-blocking
**[hBlock](https://hblock.molinero.dev/)** (Unix) | A POSIX-compliant shell script, designed for Unix-like systems, that gets a list of domains that serve ads, tracking scripts and malware from multiple sources and creates a hosts file (alternative formats are also supported) that prevents your system from connecting to them. Aimed at improving security and privacy through blocking advert, tracking and malware associated domains
**[Ad Block Radio](https://github.com/adblockradio/adblockradio)** (Sound) | Python script that uses machine learning to block adverts in live audio streams, such as Radio, Podcasts, Audio Books, and music platforms such as Spotify. See [live demo](https://www.adblockradio.com/en/)
**[uBlock Origin](https://github.com/gorhill/uBlock)** (Browser) | Light-weight, fast browser extension for Firefox and Chromium (Chrome, Edge, Brave Opera etc), that blocks tracking, ads and known malware. uBlock is easy-to-use out-of-the-box, but also has a highly customisable advanced mode, with a point-and-click firewall which can be configured on a per-site basis
**[uMatrix]()** (Browser) | Another light-weight browser extension, for Chromium and Firefox browsers. uMatrix acts more like a firewall, giving you the option for super fine-grained control over every aspect of resource blocking. It is possible to use both uBlock (for simple/ cosmetic ad blocking) and uMatrix (for detailed JavaScript blocking) at the same time
#### Notable Mentions
[AdGuardHome](https://github.com/AdguardTeam/AdGuardHome) is a cross-platform DNS Ad Blocker, similar to Pi Hole, but with some additional features, like parental controls, per-device configuration and the option to force safe search. This may be a good solution for families with young children.
Some VPNs have ad-tracking blocking features, such as [TrackStop with PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist).
[Private Internet Access](https://www.privateinternetaccess.com/), [CyberGhost](https://www.cyberghostvpn.com/), [PureVPN](https://www.anrdoezrs.net/click-9242873-13842740), and [NordVPN](https://www.kqzyfj.com/l5115shqnhp4E797DC8467D69A6D) also have ad-block features.
## Host Block Lists
| Provider | Description |
| --- | --- |
**[SomeoneWhoCares/ Hosts](https://someonewhocares.org/hosts/)** | An up-to-date host list, maintained by Dan Pollock- to make the internet not suck (as much)
**[Hosts by StevenBlack](https://github.com/StevenBlack/hosts)** | Open source, community-maintained consolidated and extending hosts files from several well-curated sources. You can optionally pick extensions to block p0rn, Social Media, gambling, fake news and other categories
**[No Google](https://github.com/nickspaargaren/no-google)** | Totally block all direct and indirect content from Google, Amazon, Facebook, Apple and Microsoft (or just some)
**[EasyList](https://easylist.to)** | Comprehensive list of domains for blocking tracking, social scripts, bad cookies and annoying stuff
**[iBlockList](https://www.iblocklist.com/)** | Variety of lists (free and paid-for) for blocking content based on certain topics, inducing: spam, abuse, political, illegal, hijacked, bad peers and more
**[Energized](https://github.com/EnergizedProtection/block)** | A variety of well-maintained lists, available in all common formats, with millions of hosts included
## Router Firmware
Installing a custom firmware on your Wi-Fi router gives you greater control over security, privacy and perfromance
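Review bot: several problems in the new Ad Blockers and Host Block Lists sections. `**[uMatrix]()**` has an empty link target; it should point at the uMatrix repository (https://github.com/gorhill/uMatrix). "DN66" misspells the project name; the linked repository is dns66, so write "DNS66". "Pi-Hole speeds up your network speeds quite significantly" is an unsupported overclaim: a DNS sinkhole stops blocked resources from being fetched, which makes pages load faster, but it does not raise link speed; say that instead. Typos: "mathcing" (matching), "inducing" (including), "perfromance" (performance), and "Brave Opera" needs a comma. The context sentence "having a firewall enabled does not guarantee bad network traffic can not get through and especially during boot if you don't have root privileges" is not parseable; the root-privilege clause needs restating or removing.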
@ -532,6 +591,18 @@ Weather you live in a country behind a firewall, or accessing the internet throu
**[Proxy Checker](https://ping.eu/proxy/)** | You can quickly check if a given IP is using a proxy, this can also be done through the [command line](https://superuser.com/questions/346372/how-do-i-know-what-proxy-server-im-using)
## Intrusion Detection
An IDS is an application that monitors a network or computer system for malicious activity or policy violations, and notifies you of any unusual or unexpected events. If you are running a server, then it's essential to know about an incident as soon as possible, in order to minimize damage.
| Provider | Description |
| --- | --- |
**[Zeek](https://zeek.org/)** | Zeek (formally Bro) Passively monitors network traffic and looks for suspicious activity
**[OSSEC](https://www.ossec.net/)** | OSSEC is an Open Source host-based intrusion detection system, that performs log analysis, integrity checking, monitoring, rootkit detection, real-time alerting and active response
**[Kismet](https://www.kismetwireless.net/)** |An 802.11 layer2 wireless network detector, sniffer, and intrusion detection system
**[Snare](https://www.snaresolutions.com/products/snare-central/)** | SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralized analysis of audit log data. Logs from the OS are collected and audited. Full remote access, through a web interface easy to use manually, or by an automated process
## Cloud Hosting
Weather you are hosting a website and want to keep your users data safe, or if you are hosting your own file backup, cloud productivity suit or VPN- then choosing a provider that respects your privacy and allows you to sign up anonymously, and will keep your files and data safe is be important.
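Review bot: in the new Intrusion Detection table, "Zeek (formally Bro)" should be "formerly Bro" (the project was renamed), "layer2" should be "layer-2", and the Kismet row is missing the space after the pipe ("|An"). The table mixes network-based tools (Zeek, Kismet) with host/log-based ones (OSSEC, Snare) without saying so; one clause in the intro distinguishing NIDS from HIDS would help readers pick. In the surrounding context lines, "Weather you live" and "Weather you are hosting" should be "Whether", "cloud productivity suit" should be "suite", and "is be important" should be "is important".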
@ -580,7 +651,11 @@ Self-hosting your own mail server is not recommended for everyone, it can be tim
**[Notable](https://notable.md)** | Markdown-based note editior for desktop, with a simple, yet feature-rich UI. All notes are saved individually as .md files, making them easy to manage. No mobile app, or built-in cloud-sync or encryption
#### Notable Mentions
If you are already tied into Evernote, One Note etc, then [SafeRoom](https://www.getsaferoom.com) is a utility that encrypts your entire notebook, before it is uploaded to the cloud. [Org Mode](https://orgmode.org) is a very comprehensive CLI tool for keeping notes, maintaining todo lists, planning projects, and authoring documents -based on a fast and effective plain-text system, from the command line. For a simple plain text note taking app, with strong encryption, see [Protected Text](https://www.protectedtext.com), which works well with the [Safe Notes](https://play.google.com/store/apps/details?id=com.protectedtext.android) Android app
If you are already tied into Evernote, One Note etc, then [SafeRoom](https://www.getsaferoom.com) is a utility that encrypts your entire notebook, before it is uploaded to the cloud.
[Org Mode](https://orgmode.org) is a very comprehensive CLI tool for keeping notes, maintaining todo lists, planning projects, and authoring documents -based on a fast and effective plain-text system, from the command line.
For a simple plain text note taking app, with strong encryption, see [Protected Text](https://www.protectedtext.com), which works well with the [Safe Notes](https://play.google.com/store/apps/details?id=com.protectedtext.android) Android app. [Laverna](https://laverna.cc/) is a cross-platform secure notes app, where all entries are formated with markdown.
## Cloud Productivity Suits
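Review bot: "editior" should be "editor" in the Notable row, "formated" should be "formatted" in the new Laverna sentence, and the following heading "Cloud Productivity Suits" should be "Suites". Splitting the Notable Mentions paragraph onto three lines without blank lines between them changes nothing in the rendered README, since GitHub collapses single line breaks in .md files into one paragraph; add blank lines if separate paragraphs were the intent.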
@ -745,6 +820,22 @@ There's no need to use a third-party tool. You can boot into a UNIX-based system
Such as the [`dd`](https://en.wikipedia.org/wiki/Dd_%28Unix%29) command, is a tool to convert and copy files, but running `sudo dd if=/dev/zero of=/dev/sdX bs=1M` will quickly overwrite the whole disk with zeros. Or [badblocks](https://linux.die.net/man/8/badblocks) which is intended to search for all bad blocks, but can also be used to write zeros to a disk, by running `sudo badblocks -wsv /dev/sdd`. An effective method of erasing an SSD, it to use [hdparm](https://en.wikipedia.org/wiki/Hdparm) to issue a [secure erase](https://en.wikipedia.org/wiki/Parallel_ATA#HDD_passwords_and_security) command, to your target storage device, for this, see step-by-step instructions via: [wiki.kernel.org](https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase). Finally, `[srm](https://www.systutorials.com/docs/linux/man/1-srm/)` can be use to securely remove files or directories, just run `srm -zsv /path/to/file` for a single pass over.
## Virtual Machines
A VM is a sandboxed operating system, running within your current system. Useful for compartmentalisation and safley testing software, or handling potentially malicious files
| Provider | Description |
| --- | --- |
**[VirtualBox](https://www.virtualbox.org/)** | Open source, powerful, feature-rich virtualization product, supporting x86 and AMD64/Intel64 architectures. Available for Windows, MacOS, Linux and BSD, and free for both personal and enterprise use. VirtualBox is backed by a strong community, and has been under active development since 2007.
**[Xen Project](https://xenproject.org/)** (Servers) | Open source virtual machine monitor intended to serve as a type-1 hyperviser for multiple operating systems using the same hardware - very useful for servers, as it allows for fully independent virtual Linux machines
#### Notable Mentions
[QEMU](https://wiki.qemu.org/Main_Page) is a virtual hardware emulation tool, meaning it is less appropriate for creating fully independant sandboxes, but performance is considerable better than that of a traditional virtual machine.
[VMWare](https://www.vmware.com/) is popular in the enterprise world, it is not open source, and although there is a free version, a license is required to access all features. VMWare perfoms very well when running on a server, with hundreds of hosts and users. For Mac users, [Parallels](https://www.parallels.com/uk/) is a popular option which performs really well, but again is not open source. For Windows users, there's [Hyper-V](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v), which is a native Windows product, developed by Microsoft.
## Social Networks
Over the past decade, social networks have revolutionized the way we communicate and bought the world closer together- but it came at the [cost of our privacy](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services). Social networks are built on the principle of sharing- but you, the user should be able to choose with whom you share what, and that is what the following sites aim to do.
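Review bot: the data-erasure paragraph (the line beginning "Such as the dd command") mixes a placeholder device name with a real one: the dd example uses `of=/dev/sdX`, but the badblocks example is `sudo badblocks -wsv /dev/sdd`, a literal device node that a reader could paste and run against a real disk; use the same `/dev/sdX` placeholder in both and state up front that every command in this paragraph is destructive and irreversible. In the same line the srm link is wrapped in backticks (`[srm](https://www.systutorials.com/docs/linux/man/1-srm/)`), so it will render as literal code rather than a link; put the backticks around the command only. "it to use hdparm" should read "is to use", and "can be use" should read "can be used". In the Virtual Machines section, "QEMU is a virtual hardware emulation tool ... but performance is considerable better than that of a traditional virtual machine" contradicts itself: pure emulation is slower than a hypervisor, and QEMU is fast only when it fronts hardware-accelerated virtualisation such as KVM, so the line should say which configuration it means. Spelling: "safley", "hyperviser", "independant", "considerable better" (considerably).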
@ -833,6 +924,30 @@ Not all cryptocurrencies are anonymous, and without using a privacy-focused coin
Note: Cryptocurrency prices can go down. Storing any wealth in crypto may result in losses. If you are new to digital currencies- do your research first, don't invest more than you can afford, and be very weary of scams and cryptocurrency-related malware.
## Crypto Wallets
| Provider | Description |
| --- | --- |
**[Wasabi Wallet](https://www.wasabiwallet.io/)** (BitCoin) | An open source, native desktop wallet for Windows, Linux and MacOS. Wasabi implements trustless CoinJoins over the Tor network. Neither an observer nor the participants can determine which output belongs to which input. This makes it difficult for outside parties to trace where a particular coin originated from and where it was sent to, which greatly improves privacy. Since it's trustless, the CoinJoin coordinator cannot breach the privacy of the participants. Wasabi is compatible with cold storage, and hardware wallets, including OpenCard and Trezor.
**[Trezor](https://trezor.io/)** (All Coins) | Open source, cross-platform, offline, crypto wallet, compatible with 1000+ coins. Your private key is generated on the device, and never leaves it, all transactions are signed by the Trezor, which ensures your wallet is safe from theft. There are native apps for Windows, Linux, MacOS, Android and iOS, but Trezor is also compatible with other wallets, such as Wasabi. You can back the Trezor up, either by writing down the seed, or by duplicating it to another device. It is simple and intuitive to use, but also incredible customisable with a large range of advanced features
**[ColdCard](https://coldcardwallet.com/)** (BitCoin) | An easy-to-use, super secure, open source BitCoin hardware wallet, which can be used independently as an air-gapped wallet. ColdCard is based on partially signed Bitcoin transactions following the [BIP174](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki) standard. Built specifically for BitCoin, and with a variety of unique security features, ColdCard is secure, trustless, private and easy-to-use. Companion products for the ColdCard include: [BlockClock](http://blockclockmini.com/), [SeedPlate](http://bitcoinseedbackup.com/) and [ColdPower](http://usbcoldpower.com/)
**[CryptoSteel](https://cryptosteel.com/how-it-works)** | A steel plate, with engraved letters which can be permanently screwed - CryptoSteel is a good fire-proof, shock-proof, water-proof and stainless cryptocurrency backup solution
#### Word of Warning
Avoid using any online/ hot-wallet, as you will have no control over the security of your private keys. Offline paper wallets are very secure, but ensure you store it properly- to keep it safe from theft, loss or damage.
## Crypto Exchanges
| Provider | Description |
| --- | --- |
**[Bisq](https://bisq.network)** | An open-source, peer-to-peer application that allows you to buy and sell cryptocurrencies in exchange for national currencies. Fully decentralized, and no registration required.
**[LocalBitcoins](https://localbitcoins.com/)** | Person-to-person exchange, find people local to your area, and trade directly with them, to avoid going through any central organisation. Primarily focused on BitCoin, Etherium, Ripple andd LiteCoin, as it gets harder to find people near you selling niche alt-coins
#### Notable Mentions
For traders, [BaseFEX](https://www.basefex.com/) doesn't require ID and has a good privacy policy. [BitMex](https://www.bitmex.com/) has more advanced trading features, but ID verification is required for higher value trades involving Fiat currency. For buying and selling alt-coins, [Binance](https://www.binance.com/en/register?ref=X2BHKID1) has a wide range of currencies, and ID verification is not needed for small-value trades.
## Virtual Credit Cards
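Review bot: the Binance link in the Notable Mentions line carries a referral parameter (`https://www.binance.com/en/register?ref=X2BHKID1`), which ties each reader's sign-up to a specific referrer account and is out of place in a privacy-focused list; drop the query string and link to the plain domain. In the Wasabi Wallet row, "hardware wallets, including OpenCard and Trezor" is probably meant to be ColdCard, the wallet listed two rows below; please confirm the product name. In the LocalBitcoins row, "Etherium" should be "Ethereum" and "andd" is a typo. Other spelling: "be very weary of scams" should be "wary", and "incredible customisable" should be "incredibly customisable".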
@ -905,10 +1020,12 @@ It is not recommended to root, or flash your device with a custom ROM if you are
- Finally, rooting and flashing your device, will void your warranty
## PC Operating Systems
## Desktop Operating Systems
Windows 10 has many features that violate your privacy. Microsoft and Apple are able to collect all your data (including, but not limited to: keystrokes, searches and mic input, calendar data, music, photos, credit card information and purchases, identity, passwords, contacts, conversations and location data). Microsoft Windows is also more susceptible to malware and viruses, than alternative systems.
Switching to Linux is a great choice in terms of security and privacy- you don't need necessarily need to use a security distro, any well-maintained stable distro is going to be considerably better than a propriety OS
| Provider | Description |
| --- | --- |
**[Qubes OS](https://www.qubes-os.org/)** (containerized apps) | Open-source security-oriented operating system for single-user desktop computing. It uses virtualisation, to run each application in it's own compartment to avoid data being leaked. It features [Split GPG](https://www.qubes-os.org/doc/split-gpg/), [U2F Proxy](https://www.qubes-os.org/doc/u2f-proxy/), and [Whonix integration](https://www.qubes-os.org/doc/whonix/). Qubes makes is easy to create [disposable VMs](https://www.qubes-os.org/doc/disposablevm/) which are spawned quickly and destroyed when closed. Qubes is [recommended](https://twitter.com/Snowden/status/781493632293605376) by Edward Snowden
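Review bot: the heading is renamed from "PC Operating Systems" to "Desktop Operating Systems", but the opening paragraph still starts with "Windows 10 has many features that violate your privacy" and then attributes collection of "keystrokes, searches and mic input, calendar data, ... credit card information and purchases, identity, passwords" to both Microsoft and Apple with no source; either cite the privacy policy or telemetry documentation this is drawn from, or narrow the sentence to what can be supported. The Qubes OS row's label "(containerized apps)" conflicts with its own description ("It uses virtualisation, to run each application in it's own compartment"): Qubes isolates with virtual machines, not containers, so a label such as "(VM-isolated apps)" would be accurate. Wording: "you don't need necessarily need to use" has a duplicated "need"; "propriety OS" should be "proprietary OS"; "makes is easy" should be "makes it easy"; "it's own compartment" should be "its own".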
@ -919,14 +1036,22 @@ Windows 10 has many features that violate your privacy. Microsoft and Apple are
**[Alpine Linux](https://www.alpinelinux.org/)** | Alpine is a security-oriented, lightweight distro based on musl libc and busybox. It compiles all user-space binaries as position-independent executables with stack-smashing protection. Install and setup may be quite complex for some new users
#### Notable Mentions
[Subgraph OS](https://subgraph.com), [PureOS](https://pureos.net), [Kali](https://www.kali.org) (defensive security), [BlackArch](https://blackarch.org) (defensive security), [Kodachi](https://www.digi77.com/linux-kodachi/), [IprediaOS](https://www.ipredia.org) (obsolete), [Fedora CoreOS](https://getfedora.org/coreos?stream=stable)
[Septor](https://septor.sourceforge.io/) is a Debian-based distro with the KDE Plasma desktop environment, and Tor baked-in. Designed for surfing the web anonymously, and completing other internet-based activities (with Thunderbird, Ricochet IM, HexChat, QuiteRSS, OnionShare). Septor is light-weight, but comes bundled with all the essential privacy + security utilities (including: Gufw, Ark, Sweeper, KGpg, Kleopatra, KWallet, VeraCrypt, Metadata Anonymisation Toolkit and more).
[Subgraph OS](https://subgraph.com) is designed to be an *adversary resistant computing platform*, it includes strong system-wide attack mitigations, and all key applications run in sandbox environments. Subgraph is still in beta (at the time of writing), but still is well tested, and has some nice anonymization features
For defensive security, see [Kali](https://www.kali.org) and [BlackArch](https://blackarch.org), both are bundled with hundreds of security tools, ready for pretty much any job.
Other security-focused distros include: [TENS OS](https://www.tens.af.mil/), [Fedora CoreOS](https://getfedora.org/coreos?stream=stable), [Kodachi](https://www.digi77.com/linux-kodachi/) and [IprediaOS](https://www.ipredia.org). (Avoid systems that are not being activley maintained)
#### General Purpose Linux Distros
If you do not want to use a specalist security-based distro, or you are new to Unix- then just switching to any well-maintained Linux distro, is going to be significantly more secure and private than Windows or Mac OS.
Since it is open source, major distros are constantly being audited by members of the community. Linux does not give users admin rights by default- this makes is much less likley that your system could become infected with malware. And of course, there is no proprietary Microsoft or Apple software constantly monitoring everything you do.
Some good distros to consider would be: **[Fedora](https://getfedora.org/)**, **[Debian](https://www.debian.org/)**, or **[Arch](https://www.archlinux.org/)**- all of which have a large community behind them. **[Manjaro](https://manjaro.org/)** (based of Arch) is a good option, with a simple install process, used by new comers, and expers alike. See [comparison](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions).
Some good distros to consider would be: **[Fedora](https://getfedora.org/)**, **[Debian](https://www.debian.org/)**, or **[Arch](https://www.archlinux.org/)**- all of which have a large community behind them. **[Manjaro](https://manjaro.org/)** (based of Arch) is a good option, with a simple install process, used by new comers, and expers alike. **[POP_OS](https://pop.system76.com/)** and **[PureOS](https://www.pureos.net/)** are reasonably new general purpose Linux, with a strong focus on privacy, but also very user-firendly with an intuitive interfac and install process. See [comparison](https://en.wikipedia.org/wiki/Comparison_of_Linux_distributions).
#### BSD
BSD systems arguably have far superior network stacks. **[OpenBSD](https://www.openbsd.org)** is designed for maximum security — not just with its features, but with its implementation practices. Its a commonly used OS by banks and critical systems. **[FreeBSD](https://www.freebsd.org)** is more popular, and aims for high performance and ease of use.
#### Improve the Security and Privacy of your current OS
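Review bot: the Notable Mentions lines label Kali and BlackArch as "(defensive security)" and "For defensive security, see Kali and BlackArch"; both are penetration-testing distributions whose bundled tools are for security assessment, so the label should be "penetration testing / security auditing", and it is worth adding that they are not intended as a daily-driver privacy OS, which is what this section recommends. In the General Purpose paragraph, "Linux does not give users admin rights by default- this makes is much less likley that your system could become infected with malware" overstates the mechanism; a more defensible wording is that ordinary accounts run unprivileged and escalate only through sudo, which limits what malware running as the user can change. Spelling in this hunk: "activley", "specalist", "likley", "based of Arch" (based on), "new comers", "expers", "user-firendly", "interfac", "Its a commonly used OS" (It's); "reasonably new general purpose Linux" needs "distributions".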
@ -968,6 +1093,10 @@ If you have chosen to stick with your current OS, there are a couple of things y
**[GMER](http://www.gmer.net)** | Rootkit detection and removal utility
**[ScreenWings](https://schiffer.tech/screenwings.html)** | Blocks malicious background applications from taking screenshots
**[CamWings](https://schiffer.tech/camwings.html)** | Blocks unauthorized webcam access
**[SpyDish](https://github.com/mirinsoft/spydish)** | Open source GUI app built upon PowerShell, allowing you to perform a quick and easy privacy check, on Windows 10 systems. Highlights many serious issues, and provides assistance with fixing
**[SharpApp](https://github.com/mirinsoft/sharpapp)** | Open source GUI app built upon PowerShell, for disabling telemetry functions in Windows 10, uninstalling preinstalled apps, installing software packages and automating Windows tasks with integrated PowerShell scripting
**[Debotnet](https://github.com/Mirinsoft/Debotnet)** | Light-weight, portable app for controlling the many privacy-related settings within Windows 10- with the aim of helping to keep private data, private
**[PrivaZer](https://privazer.com/)** | Good alternative to CCleaner, for deleting unnecissary data- logs, cache, history, etc
#### Word of Warning
(The above software was last tested on 01/05/20). Many of the above tools are not necessary or suitable for beginners, and can cause your system to break- only use sofware that you need, according to your threat moedl. Take care to only download from an official/ legitimate source, verify the executable before proceeding, and check reviews/ forums. Create a system restore point, before making any significant changes to your OS (such as disabling core features). From a security and privacy perspective, Linux may be a better option.
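Review bot: the Word of Warning line says "verify the executable before proceeding" without saying how; for Windows tools the concrete check is the Authenticode signature (the Digital Signatures tab in file Properties, or Get-AuthenticodeSignature in PowerShell) or comparing the file's hash with the one the project publishes, and naming one of these makes the advice actionable. The date "01/05/20" in the same line is ambiguous between 1 May and 5 January; write it as an ISO date. SpyDish and SharpApp are described as "built upon PowerShell" and Debotnet as "controlling the many privacy-related settings within Windows 10"; since these tools change system settings by script, the restore-point advice belongs before the table rather than after it. Spelling: "unnecissary", "sofware", "moedl".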

View File

@ -0,0 +1,63 @@
# Choosing a Secure Messenging Platform
This article explains the considerations you should be aware of when selecting a secure messenger.
**TLDR;** Opting for a secure messaging app can prevent any third-parties accessing your private conversions. Choose a platform that is E2E encrypted, open source and actively maintained. Advanced security features can harden defenses further, such as self-destructing messages, contact verification, forward secrecy, the ability to sign up with an aliases (instead of phone number or email) and a decentralized P2P network sending content over Tor.
## Considerations
### End-to-end Encryption
End-to-end encryption means that messages are encrypted locally on your device, before being sent to your recipient(s). Neither the service provider, nor any actor who intercepts messages can ever decrypt the content. This is important since your data is safe from a data breach, law enforcement warrant, rogue employee or a malicious actor. Avoid apps that offer E2E encryption as an optional feature, as this could increase the chance of a plain text accidentally message being sent. Be aware that some providers offer weak or backdore'd encryption- (often called [Snake Oil Encryption](https://en.wikipedia.org/wiki/Snake_oil_(cryptography))), if the platform is not open source, then there is no way of verifying weather this is the case.
### Open Source
The most secure designs, are the ones you do not have to trust. Without an app being open source, we can not verify that it is truly secure. It may have backdoors, weak cryptography or security vulnerabilities. This is one reason why apps which has fully-open and public source code can be more trustworthy But don't be fooled by false advertising; just because an app uses open source cryptography, does not mean it is fully open source, and hence cannot be verified. The published source code must be complete, and the security design system must be thoroughly documented.
### Code Audit
As well as encryption, the developers need to take care of code quality, user experience, and service availability. The math behind the cryptography may be flawless, but a small mistake in the implementation, can result in serious consequences for security. Therefore the code base should be regularly audited by independant security specialists, and the report published publicly.
### Active Maintenance
Pushing well tested security updates in a timely manner is of prime importance to security. New bugs, vulnerabilities and issues are being discovered all the time, and without being patched they may be exploited by an adversary. For a messenger to be secure, a public stable (non-beta) release needs to be available, and there needs to be secure auto-updating mechanisms to quickly mitigate security problems. It should be clear to the user which version they are running, and if a newer version is available
### Reproducible Builds
Most apps are distributed in a pre-compiled form, making it very difficult to verify that the version you downloaded is authentic and the same as that in the open source repository. [Binary Transparency](https://wiki.mozilla.org/Security/Binary_Transparency) allows third parties to verify that the binaries are built directly from the public source code. [Reproducible builds](https://reproducible-builds.org) is the practice of verifying the build are authentic, and do not contain backdoors. This is done with a pre-defined build environment and a fully deterministic build process - transforming a given set of source code must always output the same result. The user can then, if they desire build the app themselves and validate that the output matches the original build.
### Additional Features
Some messaging platforms have additional features, that can be enticing to users, but it critical that these features do not undermine the goals of security. For example, cloud backups should be off by default, and if exported data will be decrypted the user must be made aware of this. Avoid platforms that priorities feature development over security
### Meta Data
Sending and receiving messages generates meta data, and this can reveal a lot of information: Who do you talk to, how often/ for how long, when, where, how etc. Not all messaging platforms automatically encrypt this, so it is important to check: What is collected, how long is it stored, with whom is it shared for and for what purposes. In general, the best meta data policies are the shortest: We do not collect any user meta data.
### Stability
The app should be usable, salable and reliable. One of the biggest dangers is that if the platform fails to reliably deliver messages, users may be forced to fall back to less secure channels. Some smaller messaging services may not have the resources required to build a robust and reliable messaging platform, yet this is essential for security.
### Financing
Building apps and maintaining servers is expensive. Ask yourself - who is paying for all that? Because usually, if a service is free- you're the product. This isn't always the case, as some open source apps are funded by non-profit organisations, who receive donations and sponsorship. But if you cannot easily find out who is behind the app, this should be a red flag.
### Reputable Developers
Developers should have a solid history of responding to technical problems and legal threats with the platform, as well as a realistic and transparent attitude toward government and law enforcement
### Jurisdiction
The location of where the company is legally registered, where they run operations from and where they host user data plays a big role in security. In some countries or states, organisations are forced to comply with local government regulations, which can often require the organisation log all their users data, or hand over any encryption keys. Generally, it's better to avoid companies from within the [Five Eyes](https://en.wikipedia.org/wiki/Five_Eyes) Alliance.
### Anonymity
If the app asks for a phone number, email address or name, then you are not anonymous. For vulnerable users, the ability to sign up anonymously is critical, as a major identifier like a phone number is private information, and could be risky if they are being targeted by someone who knows their identity, (such as a government, stalker or criminal adversary). This may not be needed for everyone, but if you believe you may be targeted, then opt for an anonymous messaging app, download it over Tor, outside of Google Play / Apple App Store, create an anonymous identity ant only run the app while connected through Tor.
### Contact Verification
Your communications can only be as secure as the weakest link, and if you cannot verify your contacts identity, you cannot be sure that their account has not been taken over, or even that you are communicating with the intended entity. In the same way, if your recipient has been compromised, your messages are not safe at all. Contact fingerprint verification is a powerful feature, enabling users to trust the destination, and preventing hackers from hijacking the conversation. It usually takes the form of comparing fingerprint codes, even over a phone call or in real life via a QR code. A secure messenger should provide reliable indicators of compromise that are recognizable to an end-user, so if someone has logged on from a new device, both parties should be notified.
### Ephemeral Messages
You cannot always rely on the physical security of your device. Self-destructing messages is a really neat feature the causes your messages to automatically delete after a set amount of time. This means that if your device is lost or stolen, an adversary will only have access to the most recent communications. Unlike remote erase, disappearing messages does not require your device to be remotely accessible or have signal. You are able to vary this time frame from weeks all the way down to just a few seconds, depending on your threat model.
### Forward Secrecy
Opt for a platform that implements [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). This is where your app generates a new encryption key for every message, then even if your adversary has obtained your device and extracted the private encryption key, they will not be able to use it to decrypt any previously captured messages. This means that even if a key from one party is compromised, it will not be possible to decrypt the remainder of the session with this key.
### Decentralization
Without freedom, your app will have a single point of failure. If all data flows through a central provider, then you have to trust them with your meta-data. And if that provider ceases to operate, the entire network will be unavailable for that duration. Whereas with a decentralized system, you have the freedom to delegate trust to someone else, in another jurisdiction. With a fully peer-to-peer app, there are no central servers to compromise, and there is no single point of failure.
## Additional Settings
Your choose an application that allows you to disable optional non-security features such as read receipt, last online and typing notification. If the app supports cloud sync either for backup or for access through a web app companion, this increases the attack surface and so should be disabled also.
## Final Considerations
The weakest point in any system is the user. If you or your recipient is compromised, then even the most advanced security features will become obsolete. Follow good security practices, and ensure the contact you are communicating with also does so. It's important to remember that new vulnerabilities are being discovered and exploited all the time, and the most secure messaging app of today could become compromised in the future
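Review bot: the End-to-end Encryption section overclaims: "Neither the service provider, nor any actor who intercepts messages can ever decrypt the content" and "your data is safe from a data breach, law enforcement warrant, rogue employee or a malicious actor" describe protection against the provider and the network only, while the Final Considerations paragraph correctly notes that a compromised user defeats "even the most advanced security features"; qualify the E2E section so it says encryption protects content in transit and on the provider's servers, not on a compromised endpoint. In the same section, "a plain text accidentally message being sent" should read "a plaintext message accidentally being sent", "backdore'd" should be "backdoored" and "weather" should be "whether". The Open Source section is missing a full stop before "But don't be fooled", and has "apps which has" (have) and "the security design system" (the security design). Other wording: "conversions" (conversations) and "with an aliases" in the TLDR, "independant", "verifying the build are authentic" (builds), "it critical" (it is critical), "priorities feature development" (prioritise), "salable" (scalable), "create an anonymous identity ant only run" (and), "Without freedom, your app will have a single point of failure" in the Decentralization section (the intended subject is a central provider, not freedom), and "Your choose an application" (You should choose).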

View File

@ -10,14 +10,17 @@
### Contents
[<img src="https://i.ibb.co/XbyGTrP/1-authentication-2-36x36.png" width="28" height="28" /> Authentication](#authentication)<br>
[<img src="https://i.ibb.co/r2L4D8X/2-internet-36x36.png" width="28" height="28" /> Browsing the Web](#web-browsing)<br>
[<img src="https://i.ibb.co/8KMrdbX/2-internet-36x36.png" width="28" height="28" /> Browsing the Web](#web-browsing)<br>
[<img src="https://i.ibb.co/7NrXW3L/5-email-36x36.png" width="28" height="28" /> Email](#emails)<br>
[<img src="https://i.ibb.co/DrWJBT9/13-messaging-36x36.png" width="28" height="28" /> Secure Messaging](#secure-messaging)<br>
[<img src="https://i.ibb.co/GFYyXMd/6-social-media-36x36.png" width="28" height="28" /> Social Media](#social-media)<br>
[<img src="https://i.ibb.co/SPVd9zt/3-networks-36x36.png" width="28" height="28" /> Networks](#networking)<br>
[<img src="https://i.ibb.co/0VTZQpH/3-networking-36x36.png" width="28" height="28" /> Networks](#networking)<br>
[<img src="https://i.ibb.co/F3WwqsV/7-phones-36x36.png" width="28" height="28" /> Mobile Phones](#mobile-devices)<br>
[<img src="https://i.ibb.co/ZftcgJq/8-computers-36x36.png" width="28" height="28" /> Personal Computers](#personal-computers)<br>
[<img src="https://i.ibb.co/b2S9372/9-smart-home-36x36.png" width="28" height="28" /> Smart Home](#smart-home)<br>
[<img src="https://i.ibb.co/4JTqL5y/12-finance-36x36.png" width="28" height="28" /> Personal Finance](#personal-finance)<br>
[<img src="https://i.ibb.co/KVPV1Lk/10-human-36x36.png" width="28" height="28" /> Human Aspect](#sensible-computing)<br>
[<img src="https://i.ibb.co/9NbhBww/11-physical-36x36.png" width="28" height="28" /> Physical Security](#physical-security)<br>
**Too long? 🦒** See the [TLDR version](/2_TLDR_Short_List.md) instead.
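Review bot: every icon in the Contents list, including the two URLs changed in this hunk (`https://i.ibb.co/8KMrdbX/2-internet-36x36.png` and `https://i.ibb.co/0VTZQpH/3-networking-36x36.png`), is hot-linked from a third-party image host; each page view fetches them from that host, which can observe reader IP addresses and referrers and can replace or drop the images at any time, at odds with a checklist that tells readers to watch out for trackers. Commit the icons to the repository and reference them with relative paths, as the "TLDR version" link on the last line already does for the page itself.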
@ -157,6 +160,35 @@ The big companies providing "free" email service, don't have a good reputation f
- [Anonymous Mail Forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)
- [Pre-Configured Mail Servers](/5_Privacy_Respecting_Software.md#pre-configured-mail-servers)
## Secure Messaging
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Only Use Fully End-to-End Encrypted Messengers** | Recommended | [End-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) is a system of communication where messages are encrypted on your device and not decrypted until they reach the intend recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can the anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted.
**Use only Open Source Messaging Platforms** | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore propriety applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by [doing a hash check](https://proprivacy.com/guides/how-why-and-when-you-should-hash-check) and comparing the digital signatures. It's important to note that, no piece of software that it totally bug free, and hence never truly secure or private- being open source, is in no way a guarantee that something is safe
**Use a "Trustworthy" Messaging Platform** | Recommended | When selecting an encrypted messaging app, ensure it's fully open source. It should be stable and actively maintained. Ideally it should be backed by reputable developers or at least be fully clear where funding originates from and/ or what their revenue model is. It should have undergone an independent code audit, with results publicly published
**Check Security Settings** | Recommended | Enable security settings, including contact verification, security notifications and encryption. Disable optional non-security features such as read receipt, last online and typing notification. If the app supports cloud sync either for backup or for access through a desktop or web app companion, this increases the attack surface and so should be disabled
**Ensure your Recipients Environment is Secure** | Recommended | Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a communications channel, is to target the individual or node with the least protection. They may not even be aware that their environment has been compromised, leading to sensitive information being captured by an adversary. The best solution to this is to educate and inform the participants in your conversation, about good security practices. Focus on secure authentication, device encryption, network security and malware prevention
**Disable Cloud Services** | Recommended | Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface, but it has been linked to several [critical security issues](https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/), and should therefore be avoided, if possible. Some messaging apps also offer a cloud backup feature. Again there a serious security issues with many of these implementations, for example WhatsApp [backups are not encrypted](https://www.ghacks.net/2018/09/04/whatsapp-backups-android/), and so with this feature available, you chat history may be breached. Again, this should be [disabled](https://www.techuntold.com/stop-whatsapp-backup-iphone-android/).
**Secure Group Chats** | Recommended | That the risk of compromise will rise exponentially, the more participants are in a group, as the attack surface increases. There is also a higher chance that an adversary lurking among the members can go unnoticed. Periodically check that all participants are legitimate, and ensure only trusted members have admin privileges. It may sometimes be worth only sharing sensitive information within smaller groups. Note that with some messengers, not all group chats are encrypted (especially if one recipient is on an [older](https://graziadaily.co.uk/life/real-life/whatsapp-group-chats-actually-encrypted-theres-way-find/) version)
**Create a Safe Environment for Communication** | Recommended | There are several stages where your digital communications could be monitored or intercepted. This includes: Your or your participants device, your ISP, national gateway or government logging, the messaging provider, the servers. You can help protect from these risks by: paying attention to your surroundings, keeping your devices up-to-date, avoiding malware, watching out for phishing attacks, relying on trustworthy services, creating strong passwords and second-factor authentication, using encryption and helping those with whom you communicate do the same. If you are concerned about your communications being intercepted, consider using a reputable VPN provider, or routing traffic through Tor
**Agree on a Communication Plan** | Optional | In certain situations (such as attending a protest, communicating with a source or traveling to a risky location), it may be worth making a communication plan. This should include primary and backup methods of securely getting in hold with each other, (in order to avoid falling back on insecure technologies). You may wish to include procedures to implement in potential situations, e.g. to signal for help or assistance
**Strip Meta-Data from Media** | Optional | [Metadata](https://www.maketecheasier.com/understanding-metadata-and-privacy/) is "Data about Data" or additional information attached to a file or transaction. When you send a photo, audio recording, video or document you may be revealing more than you intended to, or [leaking your location](https://nakedsecurity.sophos.com/2012/12/03/john-mcafee-location-exif/). For example [Exif data](https://en.wikipedia.org/wiki/Exif) attached to images typically includes: Device name and model, author, time & date taken, GPS location (latitude & longitude) and photography information. In order to protect privacy, you should [remove](https://en.wikipedia.org/wiki/Metadata_removal_tool) this data before uploading and file or media item. Some apps strip this information out automatically, but they may be logging it before doing so
**Defang URLs** | Optional | Sending links via WhatsApp, Slack, Apple Messenger, Wire, Facebook and other services can unintentionally [expose your personal information](https://hunch.ly/osint-articles/osint-article-how-to-blow-your-online-cover). This is because, when a thumbnail or preview is generated- it happens on the client-side, and therefore causes your IP, user-agent, device info to be logged. This broadcasts to the website owner that you are discussing that website. One way around this, is to [defang](https://privacymatters.ubc.ca/blocking-email-links-why-we-use-hxxp-emails) your URLs (e.g. `https://www.example.com` --> `hxxps://www[.]example[.]com`), using a VPN will also help protect your IP
**Verify your Recipient** | Optional | Your communication is only as secure as it's weakest link- Always ensure you are talking to the intended recipient, and that they have not been compromised. One method for doing so is to use an app which supports contact verification. This is a powerful feature that enables users to trust the destination, and ensure the conversation has not been hijacked. It usually takes the form of comparing fingerprint codes, even over a phone call or in real life via scanning a QR code. If you believe you may be targeted, use a secure messenger that provides reliable indicators of compromise, where both parties will be notified if there have been any changes
**Enable Ephemeral Messages** | Optional | You cannot always rely on the physical security of your device. Self-destructing messages is a really neat feature the causes your messages to automatically delete after a set amount of time. This means that if your device is lost, stolen or seized, an adversary will only have access to the most recent communications. Unlike remote erase, disappearing messages does not require your device to be remotely accessible or have signal. You are able to vary this time frame from weeks all the way down to just a few seconds, depending on your threat model. Without disappearing messages enabled, you should periodically delete conversation history, in case your device is breached
**Avoid SMS** | Optional | SMS may be convenient, but it's [not secure](https://en.wikipedia.org/wiki/SMS#Vulnerabilities). It is susceptible to threats, such as [interception](https://en.wikipedia.org/wiki/IMSI-catcher), [sim swapping](https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html), manipulation and [malware](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms). If you must use SMS, then you should encrypt messages before sending. One option is to use [Silence](https://silence.im/), an Android app that provides end-to-end encryption for SMS
**Watch out for Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very evasive, and can sometimes reveal your identity as well as personal information that you would otherwise not intend to share. You can check how many, and which trackers a given app uses, by searching it in [Exodus Privacy](https://reports.exodus-privacy.eu.org/en/)
**Consider Jurisdiction** | Advanced | The jurisdictions where the organisation is based, and data is hosted should also be taken into account. As in some territories, organisations are forced to comply with local government regulations, which can require them to keep logs of all users interactions and metadata, or hand over encryption keys. Where possible, avoid [Five Eyes](https://en.wikipedia.org/wiki/Five_Eyes) and other [International Cooperatives](https://en.wikipedia.org/wiki/Five_Eyes#Other_international_cooperatives), and countries with poor respect for user privacy such as China, Russia, Singapore and Malaysia.
**Use an Anonymous Platform** | Advanced | If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require a phone number, or any other personally identifiable information to sign up or use. Even using false or temporary information (such as a burner sim, VOIP number, temporary or forwarding email address, made-up details etc) cannot be grantee anonymity, and may put you at risk. As well as this you should download the app over Tor, outside of Google Play / Apple App Store, create an anonymous identity, only run the app while connected through Tor and ideally sandbox it to prevent data leaks (using a separate profile, virtual machine or even a secondary device)
**Ensure Forward Secrecy is Supported** | Advanced | Opt for a platform that implements [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). This is where your app generates a new encryption key for every message. It means that if your adversary has obtained the private encryption key from one party, they will not be able to use it to decrypt any previously captured messages
**Consider a Decentralizes Platform** | Advanced | If all data flows through a central provider, you have to trust them with your data and meta-data. You cannot verify that the system running is authentic without back doors, and they may be subject to local laws, court orders or censorship, and if that provider ceases to operate, the entire network will be unavailable for that duration. Whereas with a decentralized system, there are no central servers to compromise, and no single point of failure. It cannot be raided, shut down, or forced to turn over data. Some decentralized platforms also route traffic through the Tor network, which provides an additional layer of anonymity and security.
**Recommended Software**
- [Secure Messaging Apps](/5_Privacy_Respecting_Software.md#encrypted-messaging)
- [P2P Messaging Platforms](/5_Privacy_Respecting_Software.md#p2p-messaging)
## Social Media
Online communities have existed since the invention of the internet, and give people around the world the opportunity to connect, communicate and share. Although these networks are a great way to promote social interaction and bring people together, that have a dark side - there are some serious [Privacy Concerns with Social Networking Services](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services), and these social networking sites are owned by private corporations, and that they make their money by collecting data about individuals and selling that data on, often to third party advertisers.
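Review bot: the row title "Consider a Decentralizes Platform" should read "Consider a Decentralized Platform", and the "Use an Anonymous Platform" row has "cannot be grantee anonymity", which should be "cannot guarantee anonymity". Smaller fixes in the same hunk: "only as secure as it's weakest link" should use "its" (Verify your Recipient row), and the Social Media intro's "that have a dark side" should be "they have a dark side". The "Defang URLs" row states as a general rule that preview generation "happens on the client-side"; this varies by service, so qualify it ("in many apps") rather than presenting it as always true.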
@ -280,6 +312,8 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Check which Sharing Services are Enabled** | Optional | The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to `Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings`, and for MacOS, just go to `System Preferences --> Sharing` and disable anything that you do not need. For Windows users, you should ensure that [remote desktop is disabled](https://www.laptopmag.com/articles/disable-remote-desktop). And also control apps ability to sync with non-pairing devices, such as beacons that transmit advertising information- this is also in the privacy settings
**Don't use Root/ Admin Account for Non-Admin Tasks** | Optional | You should not use administrator / root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will [mitigate a large proportion of vulnerabilities](https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/), because a malicious program or an attacker can do significantly less damage without an administrator power. See [this guide for Windows and MacOS](https://www.maketecheasier.com/why-you-shouldnt-use-admin-account/), on how to implement this. You should also ensure that a password is required for all system wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default, in MacOS, navigate to `System Preferences --> Security & Privacy --> General --> Advanced`
**Block Webcam + Microphone** | Optional | To prevent the potential risk of [being watched](https://opendatasecurity.io/hackers-can-watch-you-via-your-webcam/) through your webcam, consider covering it with a sticker, slider or electrical tape, while it's not being used. There are also application solutions- such as [Oversight](https://objective-see.com/products/oversight.html) (MacOS) or [CamWings](https://schiffer.tech/camwings.html) (Windows) - for ultimate protection, consider physically [removing the webcam](https://www.wired.com/story/remove-the-mic-from-your-phone/) all together. Blocking unauthorized audio recording, can be done with a [mic block](https://mic-lock.com/), which works by disabling the primary sound input source- but is not fool proof
**Use a Privacy Filter** | Optional | A lot of information can be gleaned just from glancing at someones screen over their shoulder. When working in a public space (train, coffee shop, share office), use a [screen privacy filter](https://www.3m.com/3M/en_US/company-us/all-3m-products/~/All-3M-Products/Privacy-Screen-Protectors/Privacy-Products/Black-Privacy/?N=5002385+8710873+8711017+8725317+8725356+8725359+3294857497). This will allow you to see the content of your screen when looking straight on, but for anyone looking at a slight angle, your screen will appear black.
**Physically Secure Device** | Optional | When working from a laptop think about using a [Kensington Lock](https://www.kensington.com/solutions/product-category/security/) to secure your device to a permanent fixture. To help protect against an opportunistic local attack, consider utilizing [port locks](https://lindy.com/en/technology/port-blockers/), to prevent or slow down an intruder from dropping a malicious payload onto your device. Ideally never leave your laptop or other devices unattended
**Don't Charge Devices from your PC** | Optional | Connecting your smart phone to a computer can be a security risk, it's possible for [a self-signed malicious app](https://www.pcworld.com/article/2465320/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer.html) to be installed, without your knowledge. Also both iPhone or Android device have sync capabilities, which can lead to data being unintentionally shared. If you need to charge your device, consider using a [USB data-blocker](/6_Privacy_and-Security_Gadgets.md#usb-data-blockers).
**Randomize your hardware address on Wi-Fi** | Optional | A [MAC Address](https://en.wikipedia.org/wiki/MAC_address) is an identifier given to a device (specifically the Network Interface Controller), and is is one method used to identify, and track you across different WiFi networks. Some devices allow you to modify or randomize how this address appears. See how, on [Windows](https://support.microsoft.com/en-us/help/4027925/windows-how-and-why-to-use-random-hardware-addresses), [MacOS](https://poweruser.blog/how-to-spoof-the-wifi-mac-address-on-a-macbook-25e11594a932) and [Linux](https://itsfoss.com/change-mac-address-linux/). <br>You should also disallow you device from automatically connect to open Wi-Fi networks
**Use a Firewall** | Optional | A firewall is a program which monitors incoming and outgoing traffic, and allows you to blocks internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary content- correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. <br>Your system will have a built-in firewall (Check it's enabled: [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall)). Alternatively, for greater control, consider: [LuLu](https://objective-see.com/products/lulu.html) (MacOS), [gufw](http://gufw.org/) (Linux), [LittleSnitch](https://github.com/evilsocket/opensnitch), [SimpleWall](https://github.com/henrypp/simplewall) (Windows), there's plenty more [firewall apps](/5_Privacy_Respecting_Software.md#firewalls) available
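Review bot: in the "Use a Firewall" row the link labelled [LittleSnitch] points at https://github.com/evilsocket/opensnitch, which is the OpenSnitch project (Linux), not Little Snitch (macOS); either relabel it "OpenSnitch (Linux)" or point it at Little Snitch's own site. Typos in the same row: "allows you to blocks internet access" should be "block", and "Linux ditros" should be "distros". In the "Randomize your hardware address on Wi-Fi" row, "and is is one method" has a doubled "is", and "disallow you device from automatically connect to" should read "disallow your device from automatically connecting to".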
@ -348,10 +382,19 @@ Note about credit cards: Credit cards have technological methods in place to det
**Use Virtual Cards** | Optional | Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach. [Privacy.com](https://privacy.com/join/VW7WC), [MySudo](https://mysudo.com/) and [others](/5_Privacy_Respecting_Software.md#virtual-credit-cards) offer this service
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
**Use Cryptocurrency** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. However many blockchains have a public ledger, where transaction details can be publicly viewed online. A privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash) (see [more](/5_Privacy_Respecting_Software.md#cryptocurrencies)) will allow you to pay for goods and services without any direct link to your identity
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), in order to use it as a payment method avoid paying by card on an online exchange, since this will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Before converting BitCoin back to currency, consider using a [bitcoin mixer](https://en.bitcoin.it/wiki/Mixing_service), to make your transaction harder to trace.**Use an alias details for online shopping** | Advanced | When you pay for goods or services online, you do not know for sure who will have access to your data. Using an alias name, forwarding mail address and not disclosing your personal phone number will go a long way in keeping you safe. Services such as [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) or [Anonaddy](https://anonaddy.com) will allow you to create anonymous forwarding email addresses
**Store Crypto Securely** | Advanced | Generate wallet address offline, never let your private key touch the internet and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as [Wasabi](https://www.wasabiwallet.io/), or a hardware wallet, like [Trezor](https://trezor.io/) or [ColdCard](https://coldcardwallet.com/). For long-term storage consider a paper wallet, or use [CryptoSteel](https://cryptosteel.com/how-it-works)
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), purchasing it from an exchange with your debit/ credit card, will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Avoid any exchange that implements [KYC](https://en.wikipedia.org/wiki/Know_your_customer)
**Tumble/ Mix Coins** | Advanced | Before converting BitCoin back to currency, consider using a [bitcoin mixer](https://en.bitcoin.it/wiki/Mixing_service), or [CoinJoin](https://en.bitcoin.it/wiki/CoinJoin) to make your transaction harder to trace. (Some wallets, such as [Wasabi](https://www.wasabiwallet.io/) support this nativley)
**Use an Alias Details for Online Shopping** | Advanced | When you pay for goods or services online, you do not know for sure who will have access to your data. Consider using an alias name, forwarding mail address (using a service like [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) or [Anonaddy](https://anonaddy.com)), or a VOIP number
**Use alternate delivery address** | Advanced | When online shopping, if possible get goods delivered to an address that is not associated to you. For example, using a PO Box, forwarding address, corner-shop collection or pickup box
**Recommended Software**
- [Virtual Credit Cards](/5_Privacy_Respecting_Software.md#virtual-credit-cards)
- [Cryptocurrencies](/5_Privacy_Respecting_Software.md#cryptocurrencies)
- [Crypto Wallets](/5_Privacy_Respecting_Software.md#crypto-wallets)
- [Crypto Exchanges](/5_Privacy_Respecting_Software.md#crypto-exchanges)
- [Other Payment Methods](/5_Privacy_Respecting_Software.md#other-payment-methods)
- [Budgeting Tools](/5_Privacy_Respecting_Software.md#budgeting-tools)
## Sensible Computing
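Review bot: the "Buy Crypto Anonymously" row appears twice in this hunk, and the first copy (the one containing "avoid paying by card on an online exchange") has the "Use an alias details for online shopping" row run onto the same line with no line break, so that row will render inside the previous cell; it looks like a merge leftover, since the second "Buy Crypto Anonymously", "Tumble/ Mix Coins" and "Use an Alias Details for Online Shopping" rows already cover the same content. Remove the first copy. Also "nativley" in the "Tumble/ Mix Coins" row should be "natively".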
@ -381,9 +424,38 @@ Many data breaches, hacks and attacks are caused by human error. The following l
**Use a forwarding address** | Advanced | Have all mail addressed to a PO Box or forwarding address, to prevent any commerce, utility, finance, media or other companies knowing your read address. This would give you an extra layer of protecting if they suffered a breach, sold on personal details or were presented with a court order
**Use anonymous payment methods** | Advanced | Paying online with credit or debit card involves entering personal details, including name and residential address. Paying with cryptocurrency will not require you to enter any identifiable information. Both [Monero](https://www.getmonero.org) and [Zcash](https://z.cash/) are totally anonymous, and so best for privacy. See also: [Anonymous Payment Methods](/5_Privacy_Respecting_Software.md#payment-methods)
**See also**: [Online Tools](/5_Privacy_Respecting_Software.md#online-tools)
## Physical Security
Public records often include sensitive personal data (full name, date of birth, phone number, email, address, ethnicity etc), and are gathered from a range of sources (census records, birth/ death/ marriage certificates, voter registrants, marketing information, customer databases, motor vehicle records, professional/ business licenses and all court files in full detail). This sensitive personal information is [easy and legal to access](https://www.consumerreports.org/consumerist/its-creepy-but-not-illegal-for-this-website-to-provide-all-your-public-info-to-anyone/), which raises some [serious privacy concerns](https://privacyrights.org/resources/public-records-internet-privacy-dilemma) (identity theft, personal safety risks/ stalkers, destruction of reputations, dossier society)
CCTV is one of the major ways that the corporations, individuals and the government tracks your movements. In London, UK the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world, facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real-time.
Strong authentication, encrypted devices, patched software and anonymous web browsing may be of little use if someone is able to physically compromise you, your devices and your data. This section outlines some basic methods for physical security
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Destroy Sensitive Documents** | Recommended | Instead of disposing of paperwork in the trash, you should first shred it, or take steps to redact any personally identifiable information. This will help protect you from identity theft, reduce the chance of blackmail and keep confidential data confidential
**Opt-Out of Public Records** | Recommended | People search websites (such as [WhitePages](https://www.whitepages.com), [Spokeo](https://www.spokeo.com) and [Radaris](https://radaris.com)) list public records, including: full name, date of birth, address, and phone number. Some sites go further, showing place of work, previous addresses, criminal records and photos. This is bad for privacy, and can make you a target for fraud. It is recommended to contact these sites, and opt-out from these listings. Methods for doing so range considerably between countries and states, see [Personal Data Removal Workbook](https://inteltechniques.com/data/workbook.pdf) by Michael Bazzell or [Word Privacy Forum Opt-Out Guide](https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs/) or The LifeWire [Remove Personal Information Guide](https://www.lifewire.com/remove-personal-information-from-internet-3482691) to get started
**Don't Reveal Info on Inbound Calls** | Recommended | Only share sensitive personal data on outbound calls/ communications that you have initiated. Ensure the phone number is correct, and listen for anything that doesn't sound right. If a company phones you, and asks any questions, hang up and phone them back on their official number
**Stay Alert** | Recommended | Stay aware of your surroundings. Whenever you step into a new environment, take a moment to assess potential risks. Listen to your instincts, when approached by an unknown individual. Ensure you are not being followed, when you approach your home address. Understand basic self-defense principle, and know how to put them into practice to defend yourself, if needed
**Secure Perimeter** | Recommended | Maintain physical and structural integrity to all locations where devices with personal info are stored, and ensure steps have been put in place to stop any unauthorized access. Minimize external access: doors, windows, vents. Maintain locking devices responsibly: Keep keys safe, don't use guessable combinations, have multiple locks, change locks after a breach or potential risk. Consider intrusion detection systems, such as alarms and closed circuit monitoring. Make sure walls are structurally sound, and if there is a drop ceiling, ensure walls continue up into the ceiling. When inside - don't trust door chain lock and cover door peep hole
**Physically Secure Devices** | Recommended | Use a Kensington lock to secure your device. Never leave devices unattended. Cover your web cam, consider a microphone block or disable it when not in use, use a USB data blocker when charging devices, use a privacy screen when working in public spaces
**Keep Devices Out of Direct Sight** | Recommended | It is possible for an adversary to [communicate with voice assistants with lasers](https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/) at a certain frequency. This can be mitigated by keeping devices out direct line of sight from windows. Any electronics visible from outside, may also pose a risk from theft, and hence should be stored somewhere safe
**Protect your PIN** | Recommended | When entering a code or password (such as unlocking device, withdrawing money from an ATM, or inputting a building access code), ensure that no one is watching over your shoulder, and they you are not in direct line of sight of a camera. Cover the keypad while entering the code to shield your PIN. After entering your PIN on a touch screen device, wipe over the screen to ensure your PIN can not be determined from smudge marks left by skin.
**Check for Skimmers** | Recommended | Before entering your card into an ATM, check for any signs that it may have been tampered with. You could use a card [skimmer detector](https://lab401.com/products/hunter-cat-card-skimmer-detector), or try to pull the card intake device to ensure it's firmly fitted. Watch out for other signs of compromise, such as small cameras, keypad covers or blockage on the cash out slot. This also applies to any public device that requires biometric or personal data to complete an action.
**Protect your Home Address** | Optional | Don't set your home address in your phones settings, instead consider selecting a location in a similar region to where you live. Consider storing devices in faraday cage when at your home address. For deliveries, consider using an alias names, and if possible a forwarding or pickup address for receiving online deliveries. You could also combine this with anonymous payment (such as virtual card numbers/ privacy.com, cryptocurrency or cash), and a forwarding email address or VOIP number
**Use a PIN, Not Biometrics** | Advanced | For situations where law enforcement may be involved (such as a protest, or journalism), if your device is seized, authorities can not force you to hand over your device pin code, however they can ask for your fingerprint or face scan to unlock a device. Therefore in these situations disable biometric unlock.
**Reduce exposure to CCTV** | Advanced | Wearing a hat, hoodie, dark glasses or face cover can make it harder for your identity to be known. Less busy streets tend to have fewer cameras. Knowing where cameras in your local area are, can help you avoid being caught on them. See more in [this article](http://snallabolaget.com/hiding-from-surveillance-how-and-why) by Snälla Bolaget
**Anti-Facial Recognition Clothing** | Advanced | Most facial-recognition methods can be easily tricked with certain [patterns](https://www.theguardian.com/technology/2017/jan/04/anti-surveillance-clothing-facial-recognition-hyperface). Example products from: [Adversarial Fashion](https://adversarialfashion.com) or this item on [Redbubble](https://www.redbubble.com/i/t-shirt/Anti-Surveillance-Clothing-by-Naamiko/24714049.1YYVU).
**Reduce Night Vision Exposure** | Advanced | Infrared night vision cameras are very easy to block, by using a small IR light source, which is invisible to the human eye, but blinds night vision cameras. Alternatively super-reflective glasses (see [Reflectacles](https://www.reflectacles.com)) can also fool night vision cameras.
**Protect your DNA** | Advanced | DNA is totally unique person-to-person, and can directly identify you. Therefore it is important to avoid sharing this information, [do not submit your DNA to heritage websites](https://internethealthreport.org/2019/23-reasons-not-to-reveal-your-dna/), be careful about [where you leave your DNA](https://youtu.be/MoX_BDWZUG0).
----
#### There's more to check out!
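Review bot: in the "Use anonymous payment methods" row, "Both Monero and Zcash are totally anonymous" overstates and is inconsistent with the "Use Cryptocurrency" row earlier in this file, which calls them "privacy-focused"; use the same wording here, since privacy properties differ per coin and per transaction type. Spelling fixes in the same hunk: "knowing your read address" should be "real address" and "extra layer of protecting" should be "protection" (Use a forwarding address row); "Word Privacy Forum" should be "World Privacy Forum" (Opt-Out of Public Records row); "and they you are not in direct line of sight" should be "that you are not" (Protect your PIN row). The "Use a PIN, Not Biometrics" row states that authorities cannot compel a PIN but can compel a fingerprint or face scan; this varies by jurisdiction, so qualify it rather than stating it as a general rule.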