We live in a world where anonymity and online privacy are all but impossible. Your phone calls can be tapped, smartphone data can be stolen, and even the camera and microphone can be turned on remotely. You can be watched from a satellite, in real time.
We all live in the matrix, with its special services preying on those who threaten the system, and everything happens almost automatically. They are smart and improve quickly (read about timing attacks and website fingerprinting): they can track you down without decrypting any data.
Despite the fact that most of the technologies we use on a daily basis are unsafe, there are still ways to improve your online security. Below are several options that may help protect you on the Internet (and, to some extent, in real life).
Security of your desktop/laptop
Do you remember the news about all Windows XP machines in the world updating 9 system files even when the Windows Update service was disabled? And now with Windows 10, your processor is constantly a little bit busy even in standby mode. Maybe they are bruteforcing something :)
So use Linux, preferably with coreboot or Libreboot (an open-source BIOS replacement). You can choose hardware based on the recommendations of the well-known and respected (if a bit paranoid) cypherpunk Richard Stallman.
2. When you turn on the laptop normally, a completely different desktop should appear (it can be Windows; it is only a decoy). Only after a couple of secret clicks and a password (or two different passwords) should the real desktop load. Everything described below also applies to an installation on a USB flash drive.
4. Setting up a safe and fast Internet connection.
4.1 Buy a Qualcomm Atheros Wi-Fi adapter. It is worth writing your own kernel patch that generates a random MAC address every time the adapter is brought up. If you have an Android phone (and it should be something like Replicant), you can patch its kernel too and run a hotspot for your laptop.
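Added example, not from the original post: a userspace alternative to the kernel patch that gives the adapter a fresh random MAC each time it is brought up. The interface name wlan0 and the use of iproute2 are assumptions; the generated address is forced to be unicast and locally administered so it is always valid and never collides with a vendor OUI.

```shell
#!/bin/sh
# Added example (not from the original post). Userspace alternative to the
# kernel patch: give the Wi-Fi interface a fresh random MAC each time it is
# brought up. Assumes iproute2 and an interface called wlan0; run as root.

# Six random bytes from /dev/urandom; the first octet is adjusted so that
# bit 0 is clear (unicast) and bit 1 is set (locally administered), which
# keeps the address valid and outside any vendor-assigned OUI range.
random_mac() {
    first=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
    first=$(( (first & 0xFC) | 0x02 ))
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../&:/g; s/:$//')
    printf '%02x:%s\n' "$first" "$rest"
}

# Check that a MAC is well-formed, unicast and locally administered.
is_local_unicast_mac() {
    mac="$1"
    echo "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# The address can only be changed while the link is down.
apply_random_mac() {
    dev="${1:-wlan0}"
    mac=$(random_mac)
    ip link set dev "$dev" down
    ip link set dev "$dev" address "$mac"
    ip link set dev "$dev" up
    echo "$mac"
}
```

Hook `apply_random_mac` into whatever brings the interface up (a pre-up script in your network manager) so the randomisation happens before any frame is sent.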
4.2 If CDMA Internet is available in your country, tweaking the modem firmware to operate in EVDO-only mode prevents the modem's geographic coordinates from being identified, since EVDO does not support X-Y-Z coordinates.
4.3 Many popular Chinese smartphones have custom Android firmware that lets you reflash the IMEI and change the MAC address with a single button press.
4.4 Route all Internet traffic along this chain: Tor1 > OpenVPN (possibly double) > Tor2. Why is Tor the first hop? Because everybody uses Tor. Every school student uses Tor these days, whereas connecting directly to a well-known OpenVPN provider (like Avast's free VPN) will make you stand out. The OpenVPN provider also never learns your real IP, and your frequent changes of source IP will not raise any suspicion, thanks to the existence of such configuration options.
The Tor1 SOCKS port can be assigned to a specific, separate browser profile (for watching YouTube anonymously, etc., although YouTube works fine for me at the end of the full chain).
By default all traffic should go through Tor2, with isolation by destination host and port (a separate Tor circuit for each). All DNS goes via Tor2, but you can also use OpenNIC with DNSSEC/DNSCrypt signatures (despite the fact that Tor does not carry UDP).
Tor1 and Tor2 can be configured to prefer fast nodes. For both, it is better to exclude the more or less well-known NSA servers. For Tor1 I excluded overseas nodes (so that the VPN works faster).
Get your OpenVPN service from a trusted provider that keeps no logs and has many offshore (safe-jurisdiction) servers. Pay for the VPN in Bitcoin (and use tumblers before sending the coins).
For the truly paranoid, you can wrap the (double) OpenVPN connection in an OpenSSL tunnel on port 443. This way OpenVPN traffic cannot be identified even inside Tor. Tor has a simple rule: the more users, the safer and faster it is.
4.5 I advise setting up all Internet connections without virtual machines. Be careful when configuring iptables / iproute2. Write your own script that intercepts the DHCP response, takes the real default gateway and substitutes a random one in the system routing table. Only Tor1 should know the real default gateway, and no connection at all should be established if any link in the chain fails to come up (fail closed). Part of the Tor configuration can be borrowed from Whonix.
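Added example (not part of the original post) of the fail-closed principle above, for the first Tor hop only: the Tor daemon is the sole process allowed to send packets out of the physical interface, everything else is redirected into Tor or dropped, so if Tor is down nothing leaks. The interface name eth0, the Tor user debian-tor, and the torrc values TransPort 9040 and DNSPort 5353 on 127.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed iptables rules for
# the first hop. Only the Tor daemon may talk to the physical interface; every
# other outbound packet is redirected into Tor or dropped. Assumes eth0, Tor
# running as user "debian-tor", TransPort 9040 and DNSPort 5353 in torrc.

# Emit a ruleset in iptables-restore format (so it can be inspected or tested
# without root).
build_rules() {
    dev="${1:-eth0}"
    tor_user="${2:-debian-tor}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner $tor_user -j RETURN
# Local DNS lookups go to Tor's DNSPort, never to the resolver from DHCP.
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 5353
# Every other new TCP connection is handed transparently to Tor's TransPort.
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# The DHCP client needs a lease; nothing else may bypass Tor on $dev.
-A OUTPUT -o $dev -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $dev -m owner --uid-owner $tor_user -j ACCEPT
# Whatever is left (UDP, ICMP, TCP that escaped redirection) is logged, then dropped.
-A OUTPUT -j LOG --log-prefix "tor-leak: " --log-level 4
-A OUTPUT -j DROP
COMMIT
EOF
}

# Load the rules and block IPv6 entirely, since this setup carries no IPv6 over Tor.
apply_rules() {
    build_rules "$@" | iptables-restore
    ip6tables -P INPUT DROP
    ip6tables -P OUTPUT DROP
    ip6tables -P FORWARD DROP
}
```

Watch the kernel log for the `tor-leak:` prefix after applying: any hit is a process that tried to reach the network directly and a sign that something in the chain is misconfigured.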
4.6 For UDP, for hosts that block Tor, or for IP telephony, keep a local SOCKS/HTTP proxy port that sends traffic over Tor1 > OpenVPN only (without Tor2).
4.7 Customize your Chromium and/or Firefox profiles (eliminating tracking completely).
- Block all cookies by default, with a click-to-allow whitelist.
- Maintain your own per-domain list of cookie expiration times.
- Use all available blocklists for ads, adware, spyware and bloatware.
- Use Privoxy, which filters out plenty of bad content, including exploits.
- Use scripts and patches to reduce Chromium's access to Google, even for extension updates.
- Rotate the User-Agent every N minutes from a prepared list.
- Make browser fingerprinting harder using the parameters Panopticlick measures (test yourself there).
- You can also run the browser as a separate OS user account that has no access to your files at all.
4.8 Use Tor1 > OpenVPN > I2P as an additional (emergency) Internet connection.
4.9 Your browser should be able to work with both .onion and .i2p sites.
5. Set up a Jabber client (with encryption) and route it through a separate Tor2 port.
6. For email, use Thunderbird (with encryption). Each mail host should get its own Tor circuit. Host your email on your own server with full-disk encryption.