Template:K Precise/Privacy
Privacy
An interesting perspective on Internet privacy techniques can be found here.
PGP (Message Encryption)
GnuPG is the free open source implementation of the OpenPGP standard for PGP. It is a tool to encrypt your messages (such as email) so that they can be unlocked only by someone who holds the key to unlock them. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.
Enigmail with Thunderbird
By far the easiest method for encrypting email is using the Enigmail add-on for the Thunderbird email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.
Kleopatra (Cryptography and Certificate Manager)
Kleopatra is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra
- Create a new OpenPGP keypair:
- K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair
KGPG
KGpg is the GUI for KDE to manage the key pairs and other options of GnuPG. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg
PGP Troubleshooting
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/user/ ):
kate /home/user/.gnupg/gpg.conf
Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/user/.gnupg/log-socket
Web browsing
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your cookies and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
- Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: Use custom settings for history
- -> Always use private browsing mode (or customise the settings to your desired level of privacy)
- In addition, both Adblock Plus and NoScript are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.
Tor (Network privacy)
Tor is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP address other than your own. (There are always risks when using the Internet that even Tor cannot help with, though. Read this.) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network. (Routine file-sharing or large downloads will also significantly reduce the performance of the Tor network.)
- Install Tor by following the instructions here. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the Debian package). Then see the Tor installation guide for details.
- By default Tor (once it is running) acts as a SOCKS5 proxy on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a SOCKS5 proxy on port 9050.
- Also see these additional tips.
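When an application is pointed at the SOCKS5 proxy on port 9050, host names should be resolved by the proxy as well, or DNS lookups still leave your machine directly. The check below is an added example, not part of the original guide; the function name check_tor_proxy is hypothetical, and the socks5:// versus socks5h:// meaning is curl's proxy-URL convention, assumed here for the application being configured.

```shell
#!/bin/sh
# Added example: lint a proxy URL before pointing an application at Tor.
# Assumption: the application follows curl's proxy-URL convention, where
# socks5:// resolves host names locally and socks5h:// lets the proxy do it.

# check_tor_proxy URL
# Prints "ok" and returns 0 when URL is a loopback SOCKS5 proxy on port 9050
# with proxy-side DNS; otherwise prints the reason and returns 1.
check_tor_proxy() {
    url=$1
    case "$url" in
        *://*) ;;
        *) echo "no-scheme"; return 1 ;;
    esac
    scheme=${url%%://*}
    hostport=${url#*://}
    hostport=${hostport%%/*}
    host=${hostport%:*}
    port=${hostport##*:}
    case "$host" in
        127.0.0.1|localhost|"[::1]") ;;
        *) echo "remote-proxy"; return 1 ;;    # the hop to the proxy is not protected
    esac
    if [ "$port" != 9050 ]; then
        echo "wrong-port"; return 1            # not Tor's default SOCKS port
    fi
    case "$scheme" in
        socks5h) echo "ok" ;;
        socks5)  echo "dns-leak"; return 1 ;;  # lookups still go to your DNS server
        *)       echo "not-socks5"; return 1 ;;
    esac
}

# Constructed sample settings.
for u in socks5h://127.0.0.1:9050 socks5://127.0.0.1:9050 http://127.0.0.1:8118; do
    printf '%-28s %s\n' "$u" "$(check_tor_proxy "$u")"
done
```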
Vidalia (Tor interface)
Vidalia is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia
Tork (KDE Tor interface)
TorK is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See this section.
Using Tor with Firefox
Recent versions of Firefox allow direct use of Tor as a Socks5 proxy, both for traffic and DNS resolution. See this section for information on configuring this.
Torbutton (Firefox plug-in)
- Once Tor is installed and running properly, Torbutton allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the Tor Browser Bundle. Newer versions of Firefox may refuse to start if Torbutton is installed. See this section for more details.
DNS Servers and Search engines
- Most users rely on the DNS server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as OpenDNS, Comodo, ScrubIT, Google (though slightly less secure due to Google's own tracking mechanisms), another free DNS service, or (for maximum security) a publicly-available international DNS server. For example, a Verizon customer could use the AT&T DNS servers or the OpenDNS servers. An AT&T customer could use one of the Verizon servers or the Google servers. It is important to use a reliable DNS provider, however, as man-in-the-middle DNS redirection and DNS cache poisoning attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting February 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the CCI) on behalf of the MPAA and RIAA. If using one of these ISPs, take extra efforts to ensure your privacy.
The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:
auto eth0
iface eth0 inet static
    address 192.168.0.35
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4
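To confirm that a statically configured machine is really using the servers listed under dns-nameservers, compare them with the nameserver lines in its resolv.conf. This is an added example, not part of the original guide; the function names are hypothetical and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example: confirm that the resolvers actually in use are the ones set
# with dns-nameservers. File contents below are constructed samples.

# List every address on the dns-nameservers lines of an interfaces(5) file.
configured_dns() {
    awk '$1 == "dns-nameservers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# unexpected_resolvers RESOLV_CONF INTERFACES
# Prints each "nameserver" in RESOLV_CONF that INTERFACES does not configure.
# Returns 0 if there are none, 1 otherwise.
unexpected_resolvers() {
    allowed=" $(configured_dns "$2" | tr '\n' ' ')"
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        case "$allowed" in
            *" $ns "*) ;;                      # a resolver you chose
            *) printf '%s\n' "$ns"; rc=1 ;;    # e.g. one handed out by DHCP
        esac
    done
    return "$rc"
}

# Write the constructed sample files into directory $1.
write_samples() {
    cat > "$1/interfaces" <<'EOF'
auto eth0
iface eth0 inet static
    address 192.168.0.35
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 208.67.222.222 208.67.220.220
EOF
    cat > "$1/resolv.conf" <<'EOF'
# constructed: the router (192.168.0.1) is still listed as a resolver
nameserver 192.168.0.1
nameserver 208.67.222.222
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
unexpected_resolvers "$demo_dir/resolv.conf" "$demo_dir/interfaces" || true
rm -rf "$demo_dir"
```

On a real system the two arguments would be /etc/resolv.conf and /etc/network/interfaces.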
- Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. DuckDuckGo.com is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)
- Many censorship/filtering/tracking techniques (that use deep packet inspection) cannot be used with secure (SSL/TLS encrypted) websites (denoted by https:// ). Use them whenever possible. For example, use the secure Wikimedia portal for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).
- Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see this info.
Changing a MAC address
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).
- It is possible to set the MAC address to a random selection in the Network Manager configuration:
- Network Manager -> Manage Connections... -> connection -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok
- Macchanger is a utility to change a MAC address. Install:
sudo apt-get install macchanger
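A randomly chosen MAC address should keep its first octet unicast and marked as locally administered, so that it is neither a multicast address nor a lookalike of a vendor-assigned one. The following is an added example, not part of the original guide or of macchanger; random_mac and mac_kind are hypothetical helper names.

```shell
#!/bin/sh
# Added example: build a random MAC address for your own interface and
# classify an address by the two flag bits in its first octet.

# random_mac: print six random octets, with the first octet adjusted so the
# address is unicast (bit 0 clear) and locally administered (bit 1 set).
random_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../:&/g')
    first=$(( (0x$first & 0xfe) | 0x02 ))
    printf '%02x%s\n' "$first" "$rest"
}

# mac_kind MAC: print "invalid", "multicast", "vendor" (globally unique, as
# assigned by a manufacturer) or "local" (locally administered unicast).
mac_kind() {
    if ! printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo invalid
        return 0
    fi
    first=$(( 0x${1%%:*} ))
    if [ $(( first & 1 )) -eq 1 ]; then
        echo multicast
    elif [ $(( first & 2 )) -eq 2 ]; then
        echo local
    else
        echo vendor
    fi
}

mac=$(random_mac)
echo "$mac is $(mac_kind "$mac")"
# To apply it by hand (needs root; eth0 is the interface name used on this page):
#   ip link set dev eth0 down
#   ip link set dev eth0 address "$mac"
#   ip link set dev eth0 up
```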
Certificate verification
- Certificate authorities charge a fee to store and verify certificates. However, many websites use self-signed certificates that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called Perspectives. A certificate's validity (even if self-signed) can be checked using a Firefox plugin. For more info see this article.
- CAcert.org is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CAcert.org's root certificate by default, Ubuntu derivatives do not. (Canonical was originally founded with funds earned from Thawte, a certifying authority founded by Mark Shuttleworth.)
Passwords and file authentication
- See this excellent article at H-Online about password protection for everyone.
Random password generator
- Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
- Run pwgen:
pwgen
- UUIDgen is a default utility to generate a random UUID (using only hex-digits). Run:
uuidgen
The random UUID can also be used as a 32-digit password, if desired.
Password checker and enforcement
John the Ripper is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john
- Passwdqc is a module to enforce password strength. Install:
sudo apt-get install passwdqc
MD5Sum
To check the MD5 sum of a file, use this command in the command line:
md5sum filename
File archival and encryption
Under construction
Archives with Passwords
- See this section.
Disk and Storage Encryption
Under construction
- See the Ubuntu Community documentation for methods of full disk encryption.
- See the Ubuntu Community documentation for methods of filesystem encryption.
