Keeping yourself secure online and off can be confusing and tedious, but it is necessary. Keeping a secure platform is a process of patience, and through thoughtful planning and auditing you can create a full risk report. When it comes down to the bare bones of security, most find it is not about the tools you use. It begins with understanding the systems you use, the unique threats you face, and how you can counter those threats. Threat modeling and risk management in computer security is the process of finding potential events that could undermine your efforts to defend your system. You can counter the threats you face by determining what you need to protect and from whom you need to protect it.
Here is a breakdown of a threat model, or how to audit and assess your risks. To start, let us look at a basic What/Who/How flow.
File-system stacked level encryption
Block device level encryption
Install ClamAV and a tool to send email notifications: apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx
Make sure the virus definitions will be kept updated: service clamav-freshclam start
To do a manual update of the virus definitions: freshclam -v
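One way to put the two installed packages to work, as an added example that is not from the original post: scan a directory with clamscan and mail a report only when something is detected or the scan fails. The function names, the directory and the recipient address are assumptions you supply yourself.

```shell
#!/bin/sh
# Added example (not from the original post). Defines functions only;
# nothing is scanned until scan_and_notify is called.

# Keep only the "path: signature FOUND" lines of clamscan output (stdin).
found_lines() {
    grep ' FOUND$' || true
}

# clamscan exit status: 0 = no virus found, 1 = virus found, other = error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# scan_and_notify DIR ADDRESS
# DIR and ADDRESS are placeholders chosen by the caller.
scan_and_notify() {
    dir=$1
    rcpt=$2
    log=$(mktemp) || return 2
    rc=0
    # -r = recurse into subdirectories, -i = print infected files only
    clamscan -r -i "$dir" > "$log" 2>&1 || rc=$?
    verdict=$(scan_verdict "$rc")
    subject="ClamAV $verdict on $(hostname): $dir"
    case "$verdict" in
        infected) found_lines < "$log" | mail -s "$subject" "$rcpt" ;;
        error)    mail -s "$subject" "$rcpt" < "$log" ;;
    esac
    rm -f "$log"
    return "$rc"
}

# Usage (placeholder values):
#   scan_and_notify /home admin@example.org
```

Run it from cron after the freshclam update so the scan uses current definitions.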
Set Up Default Policies
Spectre / Meltdown Check
Generate Random Passwords Using Terminal
Uses md5/SHA to hash the date, runs it through base64, and then outputs the top 32 characters.
Uses the built-in /dev/urandom feature, and filters out only characters that you would normally use in a password. Then it outputs the top 32 characters.
This one works a lot like the other urandom one, but just does the work in reverse.
Filters using the strings command, which outputs printable strings from a file, which in this case is the urandom feature.
Here is an even simpler version of the urandom one.
This one uses the dd command.
The easiest way to make a password from the command line
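The date-hash and /dev/urandom methods described above, written out as an added example that is not from the original post (function names are assumptions). It shows why the two are not equivalent: the date hash depends only on the clock, so the same second always yields the same password, while /dev/urandom does not repeat.

```shell
#!/bin/sh
# Added example, not from the original post.

# Date-hash method: hash the epoch second, base64 it, keep 32 characters.
# The only input is the clock, so the same second always gives the same
# password. $1 lets you pass a fixed timestamp to see that.
pw_from_date() {
    ts=${1:-$(date +%s)}
    printf '%s\n' "$ts" | sha256sum | base64 | head -c 32
}

# /dev/urandom method: keep only password-friendly characters and stop
# after $1 characters (default 32). LC_ALL=C makes tr treat the stream
# as raw bytes instead of trying to decode it as text.
pw_from_urandom() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9_' < /dev/urandom | head -c "$len"
}

# Demo with a constructed timestamp (1700000000).
echo "date hash : $(pw_from_date 1700000000)"
echo "date hash : $(pw_from_date 1700000000)   (same input, same password)"
echo "urandom   : $(pw_from_urandom)"
echo "urandom   : $(pw_from_urandom)   (different on every call)"
```

For anything that matters, prefer the /dev/urandom form; the date-hash form can be regenerated by anyone who can guess when it was run.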
An Introduction to BIOS and BIOS Security
The Basic Input Output System is a pivotal set of routines in a system, stored on selected chips on the motherboard. This chip, and in turn the BIOS, acts as an intermediary between a computer's hardware and its operating system. Without the BIOS, the PC's operating system would have no way to communicate with, or take control of, the hardware. Each motherboard and manufacturer utilizes a different BIOS, and this can cause trouble for those looking to tinker with and fully involve themselves in every aspect of their system. A fair warning: changing a system's BIOS settings without foresight can cause your system to malfunction. If this were to happen, a BIOS reset will need to be done to return to the factory settings. Many office-level manufacturers like Dell limit the options available to the user in the BIOS. Most systems briefly display a message on boot describing how you can enter the program where BIOS settings are adjusted. On most systems the F1, F2, F11 or F12 key will allow you to enter the setup menu.
The security section of the BIOS is used to keep unauthorized people from making any changes to the BIOS.
Keeping your BIOS Secure and Ethical
A 100% Libre, or in the case of Coreboot 99% Libre, BIOS. As mentioned previously, when using Libre software you in return become more secure and ethical, because, as the name implies, Libre allows you to be free. So let's start with the why. Many manufacturers, and in turn users, use non-free boot firmware, even if they run an FSF-approved GNU/Linux operating system. Non-free BIOS/UEFI firmware will often contain back-doors to your system that can allow government bodies and potential hackers into your system, such as the Spectre and Meltdown exploits via the Intel Management Engine. It can also be slow and have bugs, and you are left to the mercy of the developers, who in many cases will not correct any problems that occur and only release a brief disclaimer after the bugs have been found and widely abused.
In contrast, Libreboot, for example, is fully free software, where anyone can contribute or inspect the code to correct any and all underlying issues. Libre/Core are faster in boot time, more secure than their proprietary contemporaries and more reliable than the non-free firmware. Like standard BIOS options, Libre/Core offer many advanced features, like encrypted boot. Libre/Core de-blob and release custom patches to all open-source projects, most listed on their home sites.
From this point on I will be using Libreboot, due to it being sponsored by the FSF and due to the wonderful amount of documentation on their site. Supported devices for Libreboot can be found here: https://libreboot.org/docs/hardware/
I will, however, mainly be listing the laptops from their site, as in my opinion laptops are the best means of being secure online due to their portability and affordability. I would recommend checking each model out on eBay so you can see how cheap these devices can be; many range from $50.00 to $200.00 depending on condition and hardware options.
And though I dislike all Apple devices due to their own ethics, a couple are also supported.
Further reading, if this is the path for you, can be found here: https://libreboot.org/
Big brother is here and it is nothing new. Browser fingerprinting has been around without any of us ever noticing since the 20-aughts. JavaScript, browser identifiers, Internet Protocol addresses, even down to time zone and font choices. This canvas of data can be collected both by individual sites you visit and by 3-letter Orgs with the means to blanket many sites, making mitigation tactics less useful to would-be Paranoids like You and Me. This huge advertising scheme allows parent companies to create a digital copy of you, a 1-dimensional clone that is only your wants, likes, and dislikes. Purging everything that is unprofitable, making a you that is for sale and will be sold.
The research done by the Electronic Frontier Foundation (https://panopticlick.eff.org/static/browser-uniqueness.pdf) has provided much of the information I use today to provide a list of identifier mitigations. I will also add some general good practices and system options. Step by step, let's go by layers, starting from the bottom, your browsing habits, and working our way up to your system.
Cookies are small packets of text files that are stored on your computer. These packets contain certain data that may give websites information to improve the user experience or to remember previous sessions, allowing you to pick up where you left off. Every time you visit a website, your browser will download cookies if allowed. You can disallow cookies via your browser settings, either by blocking 3rd party cookies (everything besides the home site) or all cookies. I recommend all cookies, though this may cause some issues on most high-traffic sites.
JavaScript and HTML5
I am placing these two together due to the nature of both JS and HTML5. HTML5 is the coding language used to build websites, a platform much like JavaScript. It is the core fundamental of every website, and this allows unique identifiers to be placed on the user by the site. In HTML5 there is an element called Canvas. Canvas discerns certain data, such as the font, font size and active background information like screen size, based on the browser of the user. This information serves as the unique fingerprint of every visitor. These can be blocked via the browser settings; you can follow the following to disable JS on most major browsers.
The easiest to track and sometimes the most difficult to stop, depending on your country and device. The "Internet Protocol Address" part refers to a unique number that gets linked to all online activity you do, like a return address on a letter you'd send out. A letter gets sent asking for information and then gets returned with said information. Disguising your IP can be done in several ways; unfortunately, nothing can be done via your browser settings. Using a VPN, or Virtual Private Network, is widely considered the best option, though I have to disagree due to the amount of VPNs available, and many of them are absolute garbage. Here, however, are some fairly...fair VPNs
Using Tor. Now, I plan on going into a more in-depth methodology of Tor. Here is a quick snippet. "The Tor Browser is a free software program that you download onto your computer that conceals your IP via Entry Nodes and Exit Nodes. These nodes are kinda like playing Telephone. You open with your IP, and as it goes through the Nodes, all with their own IP, by the time it reaches the Exit Node, in theory and somewhat in practice, your IP should be completely hidden. This process is layered with encryption, which means your data is obscured by security and privacy protection." More can be found here: https://www.torproject.org/
Meat-Space, your offline self and Geo-tracking
Geo-tracking, put simply, is your location. Use an open Wi-Fi network, like in a coffee shop or your local library, and not your home. Living off grid when it comes to Internet is frightening for most, including myself. But this is an excellent option, as an IP address does not travel with you. So if you simply go to a coffee shop, library or hotel and use their Wi-Fi, you will temporarily hide your usual IP address. You will be using their network's IP address for as long as you are online on their network. Using all of these in conjunction can keep you secure, private, and safe from our advertising overlords. For further reading and a list of resources I used for this post, check these sites out here: https://panopticlick.eff.org/
Private Search Engines
Though many browsers have a Private Browsing or Incognito mode, those only protect you from saving cookies and history. The browser and search engine can still track you. Your privacy can be improved, however, by using Private Search Engines, search engines that do not store your queries or track your steps on the Internet. With plenty of options available, each using their own unique algorithms and search options, it may be hard to sort through them all to get the most secure and private options for us Paranoids. Keep in mind this list is for function over form. They may not look great but they certainly are functional. Let's start with some Libre options. Libre is the term for truly free software, as in GNU-Libre or Free as in Freedom.
YaCy https://yacy.net/en/index.html is a Libre engine with which anyone can build a search portal for their private network or for the Internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world, and it can index billions of web pages. YaCy is fully decentralized and peer-to-peer: all users of the search engine network are equal, the network does not store user search requests, and it is not possible for anyone to censor the content of the shared index. YaCy is true freedom when it comes to your searches.
SearX https://searx.me is a Libre Internet meta engine which aggregates results from more than 70 search services. When using SearX you are neither tracked nor profiled. You can also use Public Instances or Private Instances of SearX, allowing your personal Paranoia to take hold and establish your own private network of SearX.
Though on a centralized platform, you can use SearX over Tor for online anonymity. If you are not a huge fan of tinkering and compiling, you can also check out these more user-friendly options.
Duck Duck Go https://duckduckgo.com/ Probably one of the most well-known and most full-featured engines available today. Available for major platforms like Firefox, Android, iOS, and more: https://duckduckgo.com/app DDG is quick and simple.
Start Page https://www.startpage.com/ If you can not beat 'em, use 'em. Start Page pays Google to use their results and in return Start Page removes all trackers and logs. What comes about is, in their own words, the "World's best and most private search engine". This is great if you do not want to abandon Google results just yet and still want a full-featured search engine.
Now if these are still not Wizard enough for you and you NEED to go full ArchMage, you can also try some of these Tor options as well. These are the Onion URLs
And an odd one...
Feel free to try these over Google or your other preferred tracking option.
Live Persistence and You
A secure method of maintaining a full system that is both portable and encrypted. Usually, on a Live CD or Live USB key, all modifications are discarded when you reboot, which is great if you save all your work to a separate hard drive. Persistence allows you to keep your preferences and data even after reboot. GNU/Linux has this option available for all Live medium distributions. Today I will be showcasing some of my personal favorite distributions to use Live-Persistence with. First off, allow me to ramble about the benefits of the why.
Some excellent distributions to start using an encrypted live system with are as follows. (Note: I am trying to exempt any distro that runs the systemd init system, due to security issues of a monolithic system like systemd.)
Forensic GNU/Linux Distributions