Kubuntu Trusty Privacy
- An interesting perspective on Internet privacy techniques can be found here.
- Message encryption does not protect email file attachments. It is important to encrypt files that are meant to be sent as attachments as well. Any file encrypter (used for encrypting files on disk) can be used (such as ccrypt, TrueCrypt, or EncFS), but a different encryption tool / password should be used for attachments than the one used for private encryption of important files on the hard drive.
Companies routinely monitor the email and IM of its workers, governments of countries (even those founded by intellectuals and "revolutionaries" like Thomas Jefferson, who advocated strong privacy rights) routinely spy on its own citizenry, and even ISPs monitor unencrypted internet traffic for their own entertainment (I have personally watched this happen). Due to the volume of email and texts over the internet, word recognition algorithms are generally required in order to accomplish meaningful data-mining of text messages.
For purposes that do not require encryption (but for which there is a desire to limit the text data-mining techniques commonly used today), a few methods are available (but not foolproof).
- One method of text obfuscation is to translate your article into another language (using Google Translate, for example, or Babelfish (now owned by Yahoo and without SSL encryption available), or Bing Translator (owned by Microsoft and without SSL encryption available) -- or even all three in series) and then to translate it back. This introduces random grammar, word choice, and spelling errors that obscures both the writing style of the original author and sometimes the text to the point of poor recognition by text-mining scanners. The more languages into which the message is serially translated, the greater the unrecognizability.
FauxCrypt is a small program with an alhroitgm for modifictaion of a planitext documnet (written in English) taht laeves it gneerally raedable by a person but not raedily saercehd or idnexed by macihne. the alhroitgm empyols a dicitnoary subtsituiton of selected wrods, and an obfusctanig trnasposition of lteters in ohter wrods. the obfusctaion is dseigned to laeve the wrods udnertsnadable, aghtuolh tehy are badly slelpde. fauxcrypt is fere, open suorce sfotwaer, with suorce code available. Downloads are available at the website.
- Download the Linux binary:
- To convert a text file to a faux-encrypted text file:
fauxcrypt <input.txt> <output.txt>
Message and file encryption
PGP (Message Encryption)
GnuPG is the free open source implementation of the OpenPGP standard for PGP. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.
Enigmail with Thunderbird
By far the easiest method for encrypting email is using the Enigmail add-on for the Thunderbird email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.
Kleopatra (Cryptography and Certificate Manager)
sudo apt-get install kleopatra
- Create a new OpenPGP keypair:
- K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair
sudo apt-get install kgpg
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/user/ ):
Comment out the two lines at the bottom:
#debug-level basic #log-file socket:///home/user/.gnupg/log-socket
scrypt (Message Encryption)
scrypt encrypts / decrypts messages with a strong algorithm. Using a 10-character password combining random alphanumeric and special characters, an enormous amount of computing power is required to decode messages by someone that does not have the password. See the website for usage parameters. Install:
sudo apt-get install scrypt
bcrypt (Message Encryption)
bcrypt encrypts / decrypts messages with a strong blowfish algorithm. It is also able to overwrite the original message with a garbage-appearing replacement, further obscuring traces of the original message. See the website for usage instructions. Install:
sudo apt-get install bcrypt
File archival and encryption
Archives with Passwords
- See this section.
EncFS (File and Disk encryption)
sudo apt-get install encfs libpam-encfs
- A Dolphin file manager service menu "KDE Service Menu EncFS" is available:
- Dolphin -> Settings -> Configure Dolphin... -> Services -> Download New Services...
- -> Search: KDE Service Menu EncFS -> Install
- KEncFS is a KDE frontend for EncFS.
- A Gnome-based front-end named Cryptkeeper is available:
sudo apt-get install cryptkeeper
ccrypt (File and Attachment Encryption)
sudo apt-get install ccrypt
- Encrypt a file:
- which will yield the encrypted file test.odt.cpt after prompting for a password
- Decrypt a file:
ccrypt -d test.odt.cpt
- Several available GUIs for ccrypt are listed here.
TrueCrypt (File and Attachment Encryption)
Disk and Storage Encryption
- See the Ubuntu Community documentation for methods of full disk encryption.
- See the Ubuntu Community documentation for methods of filesystem encryption.
Passwords and file authentication
- See this excellent article at H-Online about password protection for everyone.
Random password generator
- Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
- Run pwgen:
- UUIDgen is a default utility to generate a random UUID (using only hex-digits). Run:
The random UUID can also be used as a 32-digit password, if desired.
Password checker and enforcement
John the Ripper is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john
- Passwdqc is a module to enforce password strength. Install:
sudo apt-get install passwdqc
- To check the MD5 sum of a file, use this command in the command line:
- There are several Dolphin service menus to add / check md5sums (and other types of checksums) for files, such as "Check md5sum within Dolphin", "MD5 verify", and "Checksum". Select and install:
- Dolphin -> Settings -> Configure Dolphin... -> Services -> Download New Services... -> Search: md5
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer (even when you turn off the cookies in your browser). It is highly recommended to configure your web browser to erase your cookies and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
- Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: Use custom settings for history
- -> Always use private browsing mode (or customise the settings to your desired level of privacy)
- In addition, both Adblock Plus and NoScript are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.
DNS Servers and Search engines
- Most users rely on the DNS server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as OpenDNS, Comodo, Google (though slightly less secure due to Google's own tracking mechanisms), another free DNS service, or (for maximum security) a publicly-available international DNS server. For example, a Verizon customer could use the AT&T DNS servers or the OpenDNS servers. An AT&T customer could use one of the Verizon servers or the Comodo servers. It is important to use a reliable DNS provider, however, as man-in-the-middle DNS redirection and DNS cache poisoning attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the CCI) on behalf of the MPAA and RIAA. If using one of these ISPs, take extra efforts to ensure your privacy. (It is also important to note that major ISPs now often censor content using filters such as Cleanfeed. Choose your DNS and search providers carefully.)
The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:
auto eth0 iface eth0 inet static address 192.168.0.35 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1 dns-nameservers 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
- Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. DuckDuckGo.com is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with Tor turned on.) Another search engine with similar privacy claims is Startpage / Ixquick.
- Many censorship/filtering/tracking techniques (that use deep packet inspection) cannot be used with secure (SSL/TLS encrypted) websites (denoted by https:// ). Use them whenever possible. For example, use the secure Wikimedia portal for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).
- Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see this info.
- It is possible to filter undesirable zones and countries entirely from DNS searches using the GeoDNS patch to the BIND module (see this info on installing a BIND DNS server). See here.
- ModSecurity is a free web application layer firewall that can be used in conjunction with Apache, IIS, and NGINX servers to enhance request filtering (and other security features). Here are some configuration tips. (Comparable commercial services such as CloudFlare and Incapsula also exist.)
- When browsing through Tor using the Firefox browser, it is possible to route DNS requests through Tor as a SOCKSv5 proxy so that the client computer is not exposed. See this section.
Changing a MAC address
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and many tracking methods now use the MAC address to record user habits. (See this informative blog post.) To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).
- It is possible to set the MAC address to a random selection in the Network Manager configuration:
- Network Manager -> Manage Connections... -> connection -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok
- Macchanger is a utility to change a MAC address. Install:
sudo apt-get install macchanger
- Certificate authorities charge a fee to store and verify certificates. However, many websites use self-signed certificates that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called Perspectives. A certificate's validity (even if self-signed) can be checked using a Firefox plugin. For more info see this introduction or this article.
- CAcert.org is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not (Canonical was originally founded with funds earned from Thawte, a certifying authority founded by Mark Shuttleworth.)
Tor (Network privacy)
Tor is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read this.) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)
- Install Tor by following the instructions here. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the Tor installation guide for details.
- By default Tor (once it is running) acts as a Socks5 proxy on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.
- Also see these additional tips.
Vidalia (Tor interface)
Vidalia is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia
Tork (KDE Tor interface)
TorK is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See this section.
Using Tor with Firefox and Thunderbird
Recent versions of Firefox and Thunderbird allow direct use of Tor as a Socks5 proxy, both for traffic and DNS resolution. See this section for information on configuring this for Firefox and this section for information on configuring this for Thunderbird.
Using Tor with other programs
- Other programs can also be used with Tor as a proxy. For an overview see these tips.
- Tails is a free, complete GNOME-based Debian Linux operating system with Tor enabled by default. (Here is a 2014 review.) Iceweasel (the free Debian version of Firefox) and other Internet tools are cryptographically-enhanced, and, for privacy, browsing and other Internet usage traces are minimised. Components (which can be individually installed in (K)Ubuntu) include:
- LUKS for disk-encryption (sudo apt-get install cryptsetup)
- Nautilus Wipe for erasing disk traces using the Nautilus file manager (sudo apt-get install nautilus-wipe)
- KeePassX for password generation and encyrypted password storage (sudo apt-get install keepassx or sudo apt-get install keepass2)
- HTTPS Everywhere, a Firefox plug-in to ensure the usage of encrypted website portals
- Off-the-Record_Messaging for Internet Message encryption
- other security utilities
- See this section for some recommended security practices.
- Unfortunately, there is a false sense of security in Linux operating systems by many users. Linux is not immune to rootkits, viruses, and trojans (no matter how often it is asserted). See this page for a partial list of malware concerns present in Linux.