Difference between revisions of "Operations security"

From Leftypedia
m (Capuch1n moved page Operational Security to Operations security: More common name)
(Fixed formatting of Flash and a citation, moved prism-break.org to Additional resources)
(One intermediate revision by the same user not shown)
Line 6: Line 6:
 
Microsoft Windows and macOS are both backdoored by intelligence agencies and phone home, so are inherently an insecure option for privacy and security. Use Linux instead. A lot of Linux distros are actually pretty easy to install and have a step-by-step setup process, especially the more popular ones.
 
Microsoft Windows and macOS are both backdoored by intelligence agencies and phone home, so are inherently an insecure option for privacy and security. Use Linux instead. A lot of Linux distros are actually pretty easy to install and have a step-by-step setup process, especially the more popular ones.
 
===Web===
 
===Web===
Google Chrome has spyware built into it, as does Chromium. Firefox is a more secure option that also happens to be fast and customizable. Consider using Tor as well. Some web extensions to use are:
+
Google Chrome has spyware built into it, as does Chromium. Firefox is a more secure option that also happens to be fast and customizable. Consider using Tor as well.
 +
====Web extensions====
 
*uMatrix: blocks out things like scripts and cookies unless you specifically specify which ones you want enabled and on what level of a domain you want it enabled on (for instance, you can enable a certain script either only on the subdomain ''www.example.com'', or only everything on the domain ''example.com'', or everything contained by the top-level domain ''.com''.
 
*uMatrix: blocks out things like scripts and cookies unless you specifically specify which ones you want enabled and on what level of a domain you want it enabled on (for instance, you can enable a certain script either only on the subdomain ''www.example.com'', or only everything on the domain ''example.com'', or everything contained by the top-level domain ''.com''.
 
*HTTPS Everywhere: Makes your browser use HTTPS instead of HTTP wherever possible. Of course, this won't work if a website hasn't configured HTTPS and only works on HTTP, so be wary about going to HTTP pages. Most of the time though, especially in the case of more important websites, there will be an HTTPS version of a page.
 
*HTTPS Everywhere: Makes your browser use HTTPS instead of HTTP wherever possible. Of course, this won't work if a website hasn't configured HTTPS and only works on HTTP, so be wary about going to HTTP pages. Most of the time though, especially in the case of more important websites, there will be an HTTPS version of a page.
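Review bot: In the uMatrix item directly under the new "====Web extensions====" heading, the parenthesis opened at "(for instance" is never closed, and "specifically specify" is redundant. Since this edit already restructures the list, close the parenthesis after "''.com''" and shorten the phrase to "unless you specify which ones you want enabled".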
Line 13: Line 14:
 
*User-Agent Switcher: randomizes your user agent, which tells websites what kind of operating system and browser you use.
 
*User-Agent Switcher: randomizes your user agent, which tells websites what kind of operating system and browser you use.
 
*Privacy Settings: allows you to change settings found in about:config (on Firefox at least). You may want to keep this add-on as opposed to just changing those settings once because some websites may break because these changes, and you may have to toggle some settings periodically.
 
*Privacy Settings: allows you to change settings found in about:config (on Firefox at least). You may want to keep this add-on as opposed to just changing those settings once because some websites may break because these changes, and you may have to toggle some settings periodically.
 +
*Invidition: automatically redirects requests to YouTube and Twitter towards [https://github.com/iv-org/invidious Invidious] and Nitter, respectively. Both of these are alternative front-ends that basically just give you the content without the spyware. In the case of Invidious, this extension also lets you do some other things like switch between different instance of the Invidious service or setting the default resolution. On the Invidious instances themselves you can also set many more settings, such as whether dark mode is enabled or the default speed.
  
 
The more people using these, the more they can blend in and not have a unique signature. Thus it is important to share these.
 
The more people using these, the more they can blend in and not have a unique signature. Thus it is important to share these.
  
Some other Web tips:
+
====Best practices====
 
*Use Startpage or some other privacy-oriented search engine. Google, Bing, and Yahoo all aggressively farm your data and you should try to never use these.
 
*Use Startpage or some other privacy-oriented search engine. Google, Bing, and Yahoo all aggressively farm your data and you should try to never use these.
 
*Protonmail and Tutanota are decent email providers — Riseup.net on the other hand has been known to give up records of its users, so stay clear of that one.
 
*Protonmail and Tutanota are decent email providers — Riseup.net on the other hand has been known to give up records of its users, so stay clear of that one.
 
*Change browser cookie preferences to reject all third-party cookies or at least to only accept third-party cookies from visited pages.
 
*Change browser cookie preferences to reject all third-party cookies or at least to only accept third-party cookies from visited pages.
 +
*Try not to use Flash, which is insecure but is on its way out. Most browsers disable Flash content by default, and thus it can only be played if you click on it and press "Allow" in the dialog box.
 +
*Try not to use JavaScript
 +
JavaScript has many vulnerable libraries, and a large chunk of websites use these — as of 2017, 87% of the top 75,000 websites according to Alexa Internet.<ref>[https://web.archive.org/web/20200227190249/https://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground An insecure mess: How flawed JavaScript is turning web into a hacker's playground]</ref> Besides unintentional vulnerability, Javascript can also be used to track users through a variety of methods. It also enables the use of [https://en.wikipedia.org/wiki/Evercookie evercookies], which are difficult to delete since a couple different places have to be cleared at once or else the evercookie will respawn to all of them, so long as one source keeps it. JavaScript can be disabled by default through an extension like uMatrix, and any code that needs to be enabled can be done so manually.
 
*Use a VPN. [https://thatoneprivacysite.net thatoneprivacysite.net] has a chart comparing a lot of different ones so you can choose a decent one. The following VPNs have a history of logging and cooperating with US/UK law enforcement, so do not use them:
 
*Use a VPN. [https://thatoneprivacysite.net thatoneprivacysite.net] has a chart comparing a lot of different ones so you can choose a decent one. The following VPNs have a history of logging and cooperating with US/UK law enforcement, so do not use them:
:*HideMyAss
+
**HideMyAss
:*PureVPN
+
**PureVPN
:*IPVanish
+
**IPVanish
:*RiseupVPN
+
**RiseupVPN
 
*Set your DNS server to "1.1.1.1"
 
*Set your DNS server to "1.1.1.1"
==References==
+
 
*https://prism-break.org/en/
+
===Fully encrypt the storage drive===
 +
Use an encryption password that is, at a minimum, 20 characters long and consists of random letters, numbers, and symbols. Alternatively, use a passphrase/sentence. Do not use anything from song lyrics or pop culture when using a passphrase. Use at least six words (consisting of at least five letters each) in the phrase, which should be nonsense and not found anywhere on the internet or in pop culture. These are much easier to memorize and therefore can be much, much longer, which is good. Your encryption password should be as long as is possible and therefore as hard to crack as possible, but you still need to remember it. True full-disk encryption requires either Coreboot/Libreboot with a payload like SeaBIOS or GRUB as the first-stage bootloader or putting the bootloader on some kind of removable medium. Normal UEFI/BIOS is unable to read encrypted EFI partitions/MBR and thus you cannot do full-disk encryption with it. An unencrypted bootloader partition is a point of vulnerability.
 +
 
 +
===Extra security===
 +
If it's necessary, you can do all your browsing within a virtual machine, using the aforementioned tools and practices, and reset it every single time. This is basically the equivalent of using a new computer every time you use the Internet, destroying the previous ones, so most unique identifiers tagged on that machine are useless — unless of course it relates to IP addresses or content that could still be used to identify you. A Live USB (or CD, or DVD) can also be used, which saves nothing to the disk when the computer is shut down.
 +
 
 +
==Additional resources==
 +
Two websites for determining your browser fingerprint, or basically how much you stand out among other users:
 +
*https://amiunique.org
 +
*https://panopticlick.eff.org
 +
 
 +
Various privacy tools:
 +
*https://prism-break.org/en
  
 
==See also==
 
==See also==
 
*[[Hacktivism]]
 
*[[Hacktivism]]
 +
 +
==References==
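Review bot: The explanatory paragraph added after "*Try not to use JavaScript" starts at column one, so it ends the bullet list and the following "*Use a VPN" item begins a new list; prefix the paragraph with "*:" or fold it into the bullet so the list stays continuous. The same paragraph spells the name both "JavaScript" and "Javascript", and the sentence with the 87% figure should say plainly what the figure measures.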

Revision as of 14:42, 2 August 2020

This article is a stub. You can help Leftypedia by expanding it.

Operations security (OPSEC) is the process which identifies critical information in order to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

Computers

Microsoft Windows and macOS are both backdoored by intelligence agencies and phone home, so they are inherently insecure options for privacy and security. Use Linux instead. A lot of Linux distros are actually pretty easy to install and have a step-by-step setup process, especially the more popular ones.

Web

Google Chrome has spyware built into it, as does Chromium. Firefox is a more secure option that also happens to be fast and customizable. Consider using Tor as well.

Web extensions

  • uMatrix: blocks things like scripts and cookies unless you specify which ones you want enabled and at what level of a domain you want them enabled (for instance, you can enable a certain script only on the subdomain www.example.com, on everything under the domain example.com, or on everything under the top-level domain .com).
  • HTTPS Everywhere: Makes your browser use HTTPS instead of HTTP wherever possible. Of course, this won't work if a website hasn't configured HTTPS and only works on HTTP, so be wary about going to HTTP pages. Most of the time though, especially in the case of more important websites, there will be an HTTPS version of a page.
  • uBlock Origin: filters content, largely advertisements that can track your activity across the Internet. It's less resource-intensive than other content filters, like Adblock Plus.
  • Cookie AutoDelete: deletes unused cookies when a tab is closed, but can be configured in plenty of other ways. Supports whitelists and greylists.
  • User-Agent Switcher: randomizes your user agent, which tells websites what kind of operating system and browser you use.
  • Privacy Settings: allows you to change settings found in about:config (on Firefox at least). You may want to keep this add-on as opposed to just changing those settings once, because some websites may break because of these changes and you may have to toggle some settings periodically.
  • Invidition: automatically redirects requests to YouTube and Twitter towards Invidious and Nitter, respectively. Both of these are alternative front-ends that basically just give you the content without the spyware. In the case of Invidious, this extension also lets you do some other things, like switch between different instances of the Invidious service or set the default resolution. On the Invidious instances themselves you can also change many more settings, such as whether dark mode is enabled or the default speed.

The more people using these, the more they can blend in and not have a unique signature. Thus it is important to share these.

Best practices

  • Use Startpage or some other privacy-oriented search engine. Google, Bing, and Yahoo all aggressively farm your data and you should try to never use these.
  • Protonmail and Tutanota are decent email providers — Riseup.net on the other hand has been known to give up records of its users, so stay clear of that one.
  • Change browser cookie preferences to reject all third-party cookies or at least to only accept third-party cookies from visited pages.
  • Try not to use Flash, which is insecure but is on its way out. Most browsers disable Flash content by default, and thus it can only be played if you click on it and press "Allow" in the dialog box.
  • Try not to use JavaScript. JavaScript has many vulnerable libraries, and a large chunk of websites use these: as of 2017, 87% of the top 75,000 websites according to Alexa Internet.[1] Besides unintentional vulnerability, JavaScript can also be used to track users through a variety of methods. It also enables the use of evercookies, which are difficult to delete since a couple of different places have to be cleared at once or else the evercookie will respawn to all of them, so long as one source keeps it. JavaScript can be disabled by default through an extension like uMatrix, and any code that is needed can be enabled manually.

  • Use a VPN. thatoneprivacysite.net has a chart comparing a lot of different ones so you can choose a decent one. The following VPNs have a history of logging and cooperating with US/UK law enforcement, so do not use them:
    • HideMyAss
    • PureVPN
    • IPVanish
    • RiseupVPN
  • Set your DNS server to "1.1.1.1"

Fully encrypt the storage drive

Use an encryption password that is, at a minimum, 20 characters long and consists of random letters, numbers, and symbols. Alternatively, use a passphrase/sentence. Do not use anything from song lyrics or pop culture in a passphrase. Use at least six words (of at least five letters each); the phrase should be nonsense and not found anywhere on the internet or in pop culture. Passphrases are much easier to memorize and can therefore be much, much longer, which is good. Your encryption password should be as long as possible, and therefore as hard to crack as possible, but you still need to remember it.

True full-disk encryption requires either Coreboot/Libreboot with a payload like SeaBIOS or GRUB as the first-stage bootloader, or putting the bootloader on some kind of removable medium. Normal UEFI/BIOS is unable to read encrypted EFI partitions/MBR, and thus you cannot do full-disk encryption with it. An unencrypted bootloader partition is a point of vulnerability.
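The password guidance in this section, worked through as an added example that is not part of the original article: it generates both kinds of secret and compares their strength. Picking words at random from a list is a swapped-in technique (the article asks for an invented nonsense phrase); the function names, the sample words and the 7776-word list size are assumptions made for illustration.

```python
import math
import secrets
import string

# "Random letters, numbers, and symbols": the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list, far too small for real use; a real list would
# hold thousands of words (7776 is assumed below for the comparison).
SAMPLE_WORDS = ["lantern", "quartz", "ox", "meadow", "brisk", "tin", "harbor",
                "velvet", "cinder", "owl", "thistle", "marble", "gravel"]

def random_password(length=20):
    """Password of at least 20 characters drawn from the OS CSPRNG."""
    if length < 20:
        raise ValueError("the article's minimum is 20 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def usable_words(words, min_letters=5):
    """Keep only alphabetic words with at least five letters."""
    return sorted({w.lower() for w in words
                   if w.isalpha() and len(w) >= min_letters})

def random_passphrase(words, count=6):
    """Passphrase of at least six words, each picked independently at random."""
    if count < 6:
        raise ValueError("the article's minimum is six words")
    pool = usable_words(words)
    return " ".join(secrets.choice(pool) for _ in range(count))

def entropy_bits(pool_size, picks):
    """Bits of entropy when each of `picks` symbols is uniform over the pool."""
    return picks * math.log2(pool_size)

def words_needed(target_bits, pool_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

if __name__ == "__main__":
    print(random_password())
    print(random_passphrase(SAMPLE_WORDS))
    pw_bits = entropy_bits(len(ALPHABET), 20)
    print(f"20 random characters: {pw_bits:.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed to match: {words_needed(pw_bits, 7776)}")
```

Under these assumptions a six-word passphrase is weaker than 20 random characters, which is why the extra length a passphrase allows matters.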

Extra security

If it's necessary, you can do all your browsing within a virtual machine, using the aforementioned tools and practices, and reset it every single time. This is basically the equivalent of using a new computer every time you use the Internet, destroying the previous ones, so most unique identifiers tagged on that machine are useless — unless of course it relates to IP addresses or content that could still be used to identify you. A Live USB (or CD, or DVD) can also be used, which saves nothing to the disk when the computer is shut down.

Additional resources

Two websites for determining your browser fingerprint, or basically how much you stand out among other users:

  • https://amiunique.org
  • https://panopticlick.eff.org

Various privacy tools:

  • https://prism-break.org/en

See also

  • Hacktivism

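References

  1. An insecure mess: How flawed JavaScript is turning web into a hacker's playground. https://web.archive.org/web/20200227190249/https://www.zdnet.com/article/an-insecure-mess-how-flawed-javascript-is-turning-web-into-a-hackers-playground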