
Internet Security Walk-Through

This tutorial walks you through hardening your computer systems for better security and privacy. It does not go into depth about why you should care to do this; that would take an entirely new write-up. I hope this benefits those of you who care enough to take the time to read it.
It will be a lifestyle change in your awareness of, and interaction with, the internet. Using all new software might sound intimidating, and this process will take some time. But using better software makes the experience more pleasurable, and knowing that you have cut out most of what potentially tracks you will leave you less stressed and more assured.
Remember that no matter what you do to anonymize yourself, if you are logged into your account on a website, that website can see what you are doing on that site. E.g. YouTube can see your YouTube comments. This only matters for how you behave on that site if the account is associated with identifying information about you (name, email, IP address, etc.). Don't assume the website doesn't log every visit you've made. Only if you have given it no personal information and logged in every time over a VPN (or Tor) can you consider yourself anonymous there, and even then writing style, timing and the accounts you interact with can still link you.
This tutorial walks you through setting up and tuning a new operating system and software. If you decide to follow this entirely and install new operating systems, I hope you enjoy all the great new software.
This is for informational purposes only, and the author will not be held accountable for any laws you break, warranties you void, devices you "brick", or damage to systems belonging to yourself or others, during or after using this document.
This tutorial is designed to walk you through getting your devices set up like, or similarly to, the following:

PC:
-DNS encrypted via DNSCrypt
-MAC address spoofed
-Network traffic wrapped in an encrypted tunnel and IP address/location proxied with a Virtual Private Network
-VPN set up on the router so that all home network devices can use it
-Tor set up for accessing Tor hidden services, or for optional extra security/anonymity
-Running all open-source software
-Security-enhancing browser extensions: Blur, Interest Based Advertising opt-outs, Google Analytics Opt-out, HTTPS Everywhere, and uBlock
-Third-party cookies and site data blocked
-Encrypted messaging via Telegram; encrypted video chat, audio calls, and messaging via qTox
-Secure email via the privatdemail.net and unseen.is providers, with Enigmail/GnuPG set up
-GNU Privacy Assistant, a GUI front-end for GPG encryption outside of email
-Optional extra anonymous torrent downloading through onion routing via Tribler
-Anonymous searches via Disconnect Search
-Passwords encrypted with KeePassX
-VeraCrypt installed for disk encryption
-Bitcoin wallet installed for Bitcoin use
-Dark Wallet installed for future Bitcoin anonymity
-2048-character passwords with symbols, numbers, upper- and lower-case letters (generated locally, not by a website that sends them over the internet)
-Root system password set
-Webcam blocked
__________________________________________________________________________
Phone:
-Running CyanogenMod (phone manufacturer bloatware removed, Google tracking removed, and root access removed from apps)
-Running a VPN
-DNS encrypted via DNSCrypt
-Android Privacy Guard (APG) to encrypt, decrypt and sign files, messages or emails using public-key encryption (OpenPGP), or to encrypt/decrypt files or messages with symmetric encryption secured by a password
-Security-enhancing browser extensions: uBlock and HTTPS by default
-Anonymous searches via Disconnect Search
-Passwords encrypted with KeePassDroid
-Encrypted messaging via TextSecure and Telegram
-Encrypted video chat and audio calls via meet.jit.si
-Encrypted phone calls with RedPhone
-App permissions restricted with Privacy Guard
-Adblock Plus filtering adware, malware, and tracking across the device
-Device encrypted, and screen set to lock when outside the home network
__________________________________________________________________________
Other:
-Open-source LibreCMC firmware router
-Passwords encrypted with KeePassX on a USB key-chain drive for on the go

Open Source

Open source means that the source code that makes up the software is published and non-proprietary. Communities can, and usually do, collaborate on it: the code can be shared, modified, improved, or used as the base for new projects. Some free licenses (copyleft licenses such as the GPL) require that modified versions be distributed under the same terms, so the freedoms you were given stay with the software; others (permissive licenses such as MIT or BSD) allow the code to be reused even in proprietary, for-profit products. Open source software can evolve quickly because anyone can contribute to it. Because the code is public, spyware or other malicious code is hard to hide in it for long, and vulnerabilities can be found and reported or patched by anyone. Note that this only helps if someone actually reviews the code; "open" is not the same as "audited". You should support the open source community by using as much open source software as you can.

Morality
The major problem with trying to secure your communications is that, as long as the person at the other end doesn't use encryption, that side of the line stays open and visible/audible to anyone who can reach their machine or the services they use.

End-to-end encryption (E2EE) is a digital communications paradigm of uninterrupted protection of data traveling between two communicating parties, without its being intercepted or read by anyone else: the originating party encrypts the data so that only the intended recipient can read it, the receiving party decrypts it, and no third party is involved in the encryption. The intention of end-to-end encryption is to prevent intermediaries, such as Internet providers or application service providers, from being able to discover or tamper with the content of communications. End-to-end encryption generally provides both confidentiality and integrity. Note that it protects the content, not the metadata: who talked to whom, when, and how much is still visible to the service.

Edward Snowden said, "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

If someone suggests using a messenger that is designed to be encrypted and secure and you don't bother using it, or if you don't know how to use, or don't even have, a single means of private conversation like a PGP public key, then your monkey ass is holding the internet back from evolving. If you use the internet every day and think this is all much too much, you have no appreciation of all of the technologies that make a computer run, all the code that was written by hand. The Linux kernel alone contains some 15 million lines of code.

Don't force your friends to give up their right to privacy because you only communicate over Facebook.

At the same time, since the NSA revelations, people are becoming more timid about speaking out with different opinions. This is about freedom. "The rights of man come not from the generosity of the state but from the hand of God." Stand up for what you believe in. If something is stupid, say it. If someone has the wrong ideas about something, explain it to them. Every key and mouse-click you make online shouldn't and needn't be logged. Keep your personal life personal, and when you want to stand up for something or be outspoken, do it. But keep your enemies from keeping you closest.

Operating System
Ditch Windows. Documents leaked by Edward Snowden showed that Microsoft worked with the NSA to give it access to Skype calls and to messages on its email services, and that Microsoft, AOL, Yahoo, Apple, Facebook and Google all participated, willingly or under legal compulsion, in the PRISM surveillance programme. Windows is proprietary, closed-source corporate software with a long history of holes and vulnerabilities. It has always been overpriced, insecure, buggy, slow, ugly, bloated software that I would consistently lose all of my data on once per year and need to wipe and reformat. Microsoft is known for a history of monopolizing the market, and for building Internet Explorer to its own non-standard version of HTML so that websites written for Internet Explorer would not work right in other browsers.

Install GNU/Linux. Malware includes viruses, trojans, worms and other programs that attack the operating system. Linux, Unix and other Unix-like operating systems are generally regarded as well protected against, but not immune to, malware. There has not yet been a widespread Linux desktop virus of the kind that is common on Microsoft Windows; this is generally attributed to malware not running with root privileges, to fast patching of most Linux vulnerabilities, and to the small desktop market share, which makes it a less attractive target. Wikipedia's list of known Linux malware has only a few dozen entries, against millions of known Windows malware samples. A desktop antivirus is rarely necessary on Linux, but do not mistake that for immunity: Linux servers, routers and other devices are compromised every day through unpatched services, weak passwords and untrusted downloads, so keep the system updated and only install software from sources you trust.

Linux is free as in freedom and free monetarily. Linux is open-source and extremely customizable. It feels sleek, streamlined, aesthetically beautiful, stable, fast, intuitive and a more pleasurable experience in my opinion than Windows and Mac. Linux would be far more popular if more computer manufacturers sold PCs with it preinstalled. There is a world of operating systems on the internet, all filling different niches, and a lot of people enjoy and maintain the alternative OSs. For the reasons I stated, Linux benefits from being open-source: its rate of development is unmatched and vulnerabilities are fixed more quickly. It dominates on mobile devices, enterprise servers, web infrastructure, data centers, supercomputing and more. It also separates the root (administrator) account from your everyday user account. Ordinary programs, and any malware that gets in through them, run as your user and cannot modify system files; you have to type your password any time you change core system files. (Malware running as your user can still read, delete or encrypt everything your user can, so this is containment, not immunity.) Linux package managers such as pacman and apt verify GPG signatures on the packages they install from the distribution's official repositories, which are huge collections of software built for your distribution and related ones. (User-contributed repositories such as the Arch User Repository hold unsigned build scripts submitted by anyone; read them before building.) Updating the system updates all of your software at once and almost never requires a reboot; a new kernel only takes effect after the next restart, but nothing forces you to restart right away. Linux does not need to be restarted frequently because it gets slow, wacky, or leaks memory; it stays as fast as the day it was installed.

Ubuntu is the most well-known Linux distribution and is known as the most user-friendly. It's a good system. I use Antergos Linux. Along with Manjaro, it is a user-friendly fork of Arch Linux. In software, a project fork happens when developers take a copy of the source code of one software package and start independent development on it, creating a distinct and separate piece of software. Because they are open-source, Linux distributions get popular, new ones are developed based on them, and those sometimes become more popular still. That is why most distros are based on Debian, Arch, or Fedora, etc.

Antergos has a slightly higher learning curve than Ubuntu. (Antergos development ended in 2019; Manjaro remains an actively maintained Arch-based option.) If you are comfortable finding your way around a computer, I recommend it. The only major difference is that Ubuntu comes with a software center where software may be found, just like the Google Play Store: pictures, description, reviews, and one status bar which, once complete, has downloaded and installed the software/application you chose. With Antergos things are installed via a package manager or the terminal. A software center (GNOME's) can be installed but doesn't have everything. You can search for and install/uninstall software in the package manager. In the terminal, though, it looks like this:
yaourt firefox
This lists, numbered, all packages from the official repositories and the AUR whose name or description matches "firefox". Type the numbers of the packages you want and press Enter to begin. For AUR packages you are asked whether to edit the PKGBUILD build script: answer y to read it before it runs (recommended for anything from the AUR, since nobody has signed it) or n to skip, and y to continue installing. (yaourt itself is no longer maintained; pacman handles the official repositories and newer AUR helpers such as yay fill the same role.)

Arch systems are bleeding edge while being impressively stable. New software packages are tested by Arch developers and released; the user-friendly Arch-based distros (Antergos & Manjaro) then test the software again. One thing I love, but that may annoy new users, is that there are constantly updates. I sometimes update my computer twice a day. You can turn notifications for these off, but in less than a month you will have 120 updates or so. Even with this many, it doesn't take too long to update on a decent computer. I recommend updating at least once a month, though, as installing the updates is what actually closes published vulnerabilities.

I recommend that first-time users install Linux on a separate disk partition so that they can dual boot and choose Windows or Linux at startup, until they wean themselves off Windows and no longer require it for anything like games, their printer, whatever. If you choose to wipe your old operating system clean, make sure to back up all your personal files first on an external hard drive. Download the .iso of the operating system you choose from its official website in the 32-bit or 64-bit edition (32-bit is for older PCs). Before using it, verify the download: distributions publish a checksum and a GPG signature for each image, and checking them catches both a corrupted download and an image that was tampered with on its way to you. Burn the file to a blank DVD-R as an image (or write it to a USB stick), then boot from it. The installer walks you through the process. Don't modify partitions if you don't know what you are doing. When asked to select a desktop environment, I really love GNOME.
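The verification step described above, as an added example (not the tutorial's own instructions): a small POSIX shell script that checks a downloaded image against the distribution's published SHA-256 list and detached GPG signature before it is burned or written to a USB stick. The file names are placeholders; it assumes the checksum list is in sha256sum format, that the signature is detached, and that you have already imported the release signing key and compared its fingerprint with the one printed on the distribution's website.

```shell
#!/bin/sh
# Verify a downloaded install image before writing it to a DVD or USB stick.
# Added example, not part of the original tutorial. Assumes the distribution
# publishes a SHA-256 checksum list ("<hex>  <filename>" lines, the sha256sum
# format) and a detached GPG signature of the image, and that you have imported
# the release signing key and compared its fingerprint with the one printed on
# the distribution's website. The file names below are placeholders.

# sha256_of FILE -> prints the hex digest (GNU coreutils, or shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# verify_checksum ISO SUMS -> 0 if the digest listed for ISO's file name in
# SUMS matches the file, 1 on mismatch or if SUMS has no entry for it.
verify_checksum() {
    iso=$1; sums=$2
    base=$(basename "$iso")
    # the entry for this file only; "*" marks binary mode in some lists
    expected=$(grep -E "[ *]$base\$" "$sums" | head -n1 | cut -d' ' -f1 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no entry for $base in $sums" >&2
        return 1
    fi
    [ "$expected" = "$(sha256_of "$iso")" ]
}

# verify_signature ISO SIG -> gpg exits 0 only for a good signature from a key
# in your keyring. A good signature from a key you did not check out-of-band
# proves nothing, hence the fingerprint comparison mentioned above.
verify_signature() {
    gpg --verify "$2" "$1"
}

# write_usb ISO DEVICE -> writes the image to a whole USB device (e.g. /dev/sdX,
# not a partition). Destroys everything on DEVICE; double-check it with lsblk.
write_usb() {
    sudo dd if="$1" of="$2" bs=4M conv=fsync status=progress
}

# usage: sh verify-iso.sh IMAGE.iso SHA256SUMS [IMAGE.iso.sig]
if [ $# -ge 2 ]; then
    verify_checksum "$1" "$2" || { echo "checksum MISMATCH: do not use $1" >&2; exit 1; }
    echo "checksum OK"
    if [ -n "$3" ]; then
        verify_signature "$1" "$3" || { echo "signature check FAILED" >&2; exit 1; }
        echo "signature OK"
    fi
fi
```

The checksum alone only proves the file matches what the website says; if the website (or your connection to it) was compromised, both can be replaced together. The signature ties the image to a key, which is why the key's fingerprint has to be confirmed from somewhere other than the download page.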

...
BSD also deserves a mention but if you were tech-savvy enough to use it you wouldn't
need to be reading this section.

There are also operating systems designed to keep the user completely anonymous, like Tails and Whonix. These operating systems are more restrictive of what you can do and are not meant to be used as your main operating system. You can keep Tails on a USB stick and boot from it if you need absolute anonymity. It is worth mentioning, although this article's focus is to harden the security of your regular computers and phones.

DNS Encryption

Install DNSCrypt. DNSCrypt is an open source protocol that authenticates and encrypts communications between a DNS client and a DNS resolver. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with, which prevents DNS spoofing, and it turns plaintext DNS traffic into encrypted traffic that is protected from eavesdropping and man-in-the-middle attacks on the path. In practice it encrypts the "last mile", the portion of your connection between your computer and your ISP, so your ISP can no longer read or rewrite your name lookups. Two caveats: the resolver you choose sees every query instead, so pick an operator you trust; and your ISP can still see the IP addresses you connect to and, for most HTTPS sites, the server name in the TLS handshake, so DNSCrypt hides your lookups, not your destinations.

I only have experience installing this on Arch-based Linux distributions and Android, but it can be installed on Windows, OS X, Unix, Android, iOS, and routers (OpenWrt, LibreCMC). Instructions for Arch-based systems are as follows:

Once installed, enable and start the DNSCrypt proxy:

sudo systemctl enable dnscrypt-proxy.service
then
sudo systemctl start dnscrypt-proxy.service

Check DNSCrypt status:

sudo systemctl status dnscrypt-proxy
It should state active (running). The proxy only listens on your own machine, so the system also has to be told to use it: /etc/resolv.conf (or your NetworkManager connection) must list 127.0.0.1, the address the proxy listens on, as the only nameserver. Otherwise queries keep going to the ISP's resolver in plaintext even though the proxy is running.

Make sure that after each update it is still running. This is a reason to look at the updates you are about to install before just installing them. I don't know if a future update will fix this, but after updating DNSCrypt I had to again run the "enable" & "start" commands above.
EDIT: After the most recent update, it is still running. Probably still a good idea to check that it's still running every once in a while.
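As an added example (not from the tutorial or from the dnscrypt-proxy project), a shell script that performs the post-update check described above and also the check the tutorial leaves implicit: that the system's nameserver really is the local proxy. It assumes the Arch unit name dnscrypt-proxy.service, a proxy listening on 127.0.0.1, and /etc/resolv.conf as the nameserver configuration; NetworkManager or systemd-resolved setups may keep the effective nameservers elsewhere.

```shell
#!/bin/sh
# Confirm dnscrypt-proxy is running AND is the resolver the system actually
# uses. Added example, not part of the original tutorial or of dnscrypt-proxy.
# Assumes the Arch layout: a unit called dnscrypt-proxy.service listening on
# 127.0.0.1, and /etc/resolv.conf as the place the system's nameservers are set.
UNIT=dnscrypt-proxy.service
RESOLV=${RESOLV:-/etc/resolv.conf}

# unit_state UNIT -> active | inactive | failed | ... | unknown (no systemd)
unit_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active "$1" 2>/dev/null || true
    else
        echo unknown
    fi
}

# ensure_running -> re-enables and starts the unit if an update left it stopped
ensure_running() {
    state=$(unit_state "$UNIT")
    case $state in
        active)  echo "$UNIT: active" ;;
        unknown) echo "systemd not found, skipping unit check" ;;
        *)       echo "$UNIT is '$state'; re-enabling" >&2
                 sudo systemctl enable --now "$UNIT" ;;
    esac
}

# resolv_is_local FILE -> 0 if every nameserver in FILE is a loopback address,
# 1 if any nameserver is remote (those queries bypass the proxy, in plaintext),
# 2 if FILE names no resolver at all (the system falls back to the ISP's)
resolv_is_local() {
    f=$1; found=0; remote=0
    while IFS= read -r line; do
        case $line in
            nameserver*)
                found=1
                set -- $line          # $2 is now the address
                case $2 in
                    127.*|::1) ;;
                    *) remote=1; echo "leak: nameserver $2 is not local" >&2 ;;
                esac ;;
        esac
    done < "$f"
    [ "$found" -eq 1 ] || return 2
    [ "$remote" -eq 0 ]
}

# usage: sh dnscrypt-check.sh check
case ${1:-} in
    check)
        ensure_running
        if resolv_is_local "$RESOLV"; then
            echo "$RESOLV: all queries go to the local proxy"
        else
            echo "$RESOLV: point the nameserver line(s) at 127.0.0.1" >&2
            exit 1
        fi ;;
esac
```

Run it as sh dnscrypt-check.sh check after every system update. A file that lists 127.0.0.1 first and the ISP resolver second is still a leak: resolvers are tried in order, so the moment the proxy is down every lookup silently falls through to the ISP.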

MAC Spoofing
MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is burned into the network interface controller (NIC) and that stored value cannot be changed, but the operating system decides which address the card actually puts into the frames it sends, and it can be told to use an address of the user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity on the local network, for any reason, and it is relatively easy.

It is usually beneficial. But in some situations it might also lead to connectivity problems or make your network activity look suspicious. This section explains whether to use MAC spoofing or not, depending on your situation.

When to spoof the MAC address

This is usually beneficial, even if you don't want to hide your geographical location. Here are a few examples:
-Using your own computer on a public network without registration, for example a free Wi-Fi service in a restaurant where you don't need to register with your identity. In this case, MAC address spoofing hides the fact that your computer is connected to this network.
-Using your own computer on a network that you use frequently, for example at a friend's place, at work, at university, etc. You already have a strong relationship with this place, but MAC address spoofing hides the fact that your computer is connected to this network at a particular time. It also stops the network from linking that session to your computer's usual hardware address.

When to disable MAC address spoofing

In some situations MAC address spoofing is not useful but can instead be problematic. In such cases, you might want to disable it. Note what disabling it does and does not expose:
-Your anonymity on the internet is unaffected. If you are using anonymizing software, an adversary on the local network still only sees encrypted connections to the Tor network, for example.
-Your MAC address is not sent over the internet to the websites that you are visiting.
-Only people on the same LAN as you can see your MAC address.
However, disabling MAC address spoofing makes it possible again for the local network to track your geographical location. If this is problematic, consider using a different network device or moving to another network.
Here are a few examples:
-Using a public computer, for example in an Internet café or a library. This computer is regularly used on this local network, and its MAC address is not associated with your identity. In this case, MAC address spoofing can make it impossible to connect. It can even look suspicious to the network administrators to see an unknown MAC address being used on that network.
-On some network interfaces, MAC address spoofing is impossible due to limitations in the hardware or in Linux.
-Some networks only allow connections from a list of authorized MAC addresses. In this case, MAC address spoofing makes it impossible to connect to such networks. If you were granted access to such a network in the past, then MAC address spoofing might prevent you from connecting.
-In the same vein, you can change your MAC address to one already authorized on a paid Wi-Fi service, like Xfinity or Optimum Online, to gain access. They usually give you access for a minute, which gives you time to run the command "arp -a" to list the MAC addresses of devices on the Wi-Fi. You can then change your MAC address to one of them. Keep in mind that this is unauthorized access and almost certainly illegal wherever you are, and that two devices sharing one MAC address on the same network will both suffer broken connections.
-Using your own computer at home. Your identity and the MAC address of your computer are already associated with this local network, so MAC address spoofing is probably useless unless you or a program changes it often. But if access to your local network is restricted based on MAC addresses, it might be impossible to connect with a spoofed MAC address.

Linux:
In Network settings, open the settings for each network you connect to, including the wired connection. Under "Identity" there is a blank field below MAC Address labeled "Cloned Address". Enter a different address there, in the same colon-separated hex format as your real one, for example:
A0:09:F4:BC:74:38
(Any address you type in must be unicast: the lowest bit of the first octet has to be 0, so the first octet must be an even hex number such as A0, not A1.)
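The same change from the command line, as an added example (not from the tutorial): generating a random address with the unicast and locally-administered bits set correctly, optionally keeping the vendor prefix, and applying it with iproute2. The interface name is a placeholder and applying the change needs root; generating and validating an address does not.

```shell
#!/bin/sh
# Generate and apply a spoofed MAC address from the command line. Added example,
# not part of the original tutorial. Applying needs root and iproute2 ("ip");
# generating and validating run unprivileged. Interface names are placeholders.

# random_mac -> a random unicast, locally administered address.
# In the first octet, bit 0 must be 0 (unicast; a multicast source address is
# invalid and many drivers refuse it) and bit 1 = 1 marks the address as
# locally administered, so it can never collide with a manufacturer's range.
random_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 & 0xFC) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# random_mac_keep_oui CURRENT -> keeps the first three octets (the vendor OUI)
# and randomizes the rest, so the card still looks like one of the same
# manufacturer's devices on the network; this is the approach Tails takes.
random_mac_keep_oui() {
    oui=$(printf '%s' "$1" | cut -d: -f1-3 | tr 'A-F' 'a-f')
    set -- $(od -An -N3 -tx1 /dev/urandom)
    printf '%s:%s:%s:%s\n' "$oui" "$1" "$2" "$3"
}

# mac_is_local_unicast MAC -> 0 if MAC is well formed, unicast and locally
# administered (what random_mac produces). Vendor-assigned addresses such as
# the tutorial's A0:09:F4:BC:74:38 fail the locally-administered check.
mac_is_local_unicast() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(( 0x${1%%:*} ))
    [ $(( first & 0x01 )) -eq 0 ] && [ $(( first & 0x02 )) -ne 0 ]
}

# set_mac IFACE MAC -> the link must be down while the address changes.
# NetworkManager restores its own setting on reconnect unless the connection
# profile is told otherwise, e.g.:
#   nmcli connection modify "<profile>" wifi.cloned-mac-address random
# (ethernet.cloned-mac-address for wired profiles).
set_mac() {
    iface=$1; mac=$2
    sudo ip link set dev "$iface" down
    sudo ip link set dev "$iface" address "$mac"
    sudo ip link set dev "$iface" up
    ip link show dev "$iface" | grep -qi "link/ether $mac " \
        || { echo "address change on $iface did not stick" >&2; return 1; }
}

# usage: sh spoof-mac.sh gen | keep CURRENT_MAC | set IFACE MAC
case ${1:-} in
    gen)  random_mac ;;
    keep) random_mac_keep_oui "$2" ;;
    set)  set_mac "$2" "$3" ;;
esac
```

Which generator to use is a trade-off: a locally administered address can never be mistaken for someone else's real card, while keeping the vendor prefix blends in better with the other devices an administrator sees on the network.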

If you are running a different operating system, check online:
http://www.howtogeek.com/192173/how-and-why-to-change-your-mac-address-on-windows-linux-and-mac/

Tor

The Tor Browser is open source anonymizing software built on the open source Firefox browser. It gives you access to the Tor network, a free, worldwide, volunteer network of more than six thousand relays that conceals a user's location and usage from anyone conducting network surveillance or traffic analysis. Hosted on the Tor network are "hidden services" (.onion sites) that regular browsers cannot reach unless you route your network traffic over Tor. It has humanitarian uses: for journalists fearing oppressive governments, and for bypassing government control over the internet, e.g. China's Great Firewall, to reach the rest of the internet.
For example, Operation Tunisia refers to the actions of the internet group Anonymous during the Tunisian revolution. In their traditional manner, Anonymous launched a series of DDoS attacks against government websites. Additionally, Anonymous provided protesters with documents required to take down the incumbent government, and distributed a care package including, among other things, Tor and a Greasemonkey script to avoid proxy interception by the government. The provision of information was considered by some a part of Operation Leakspin. They also aided in passing information about the protests in and out of the country. Tor usage at the time was a lifesaver for Tunisians.

Tor uses Onion Routing. Onion routing is a technique for anonymous communication
over a computer network. In an onion network, messages are encapsulated in layers of
encryption, analogous to layers of the vegetable onion. The encrypted data is transmitted
through a series of network nodes called onion routers, each of which "peels" away a
single layer, uncovering the data's next destination. When the final layer is decrypted, the
message arrives at its destination. The sender remains anonymous because each
intermediary knows only the location of the immediately preceding and following nodes.

Install Tor if it's legal for you. Be aware that your ISP can see that you connect to Tor even if you run DNSCrypt, since DNSCrypt only protects name lookups, and some ISPs are known to send users abuse-of-service complaints; if yours does, Tor's bridges (pluggable transports) disguise the connection. You can purchase bitcoins and visit underground drug markets like Agora and buy whatever you like, if it is legal in your country of course; the author does not encourage you to break any laws.

Never visit addresses ending in ".onion.to" from within Tor. onion.to is a gateway that proxies requests to Tor hidden services for people who do not run Tor; it is a pure proxy that forwards requests to the respective hidden service, so the gateway operator sees your traffic and it cannot offer any anonymity to the visitor. Just remove the ".to" and open the .onion address directly in Tor Browser.

You may use Tor as a poor man's VPN. Like Tor, a VPN encrypts your internet traffic and proxies your location, making it appear that you're wherever the server you connect through is located.

Benefits of Tor:
Free
Cons:
Your ISP can see that you are using it. (DNSCrypt does not change this; it only hides your DNS lookups. Only bridges/pluggable transports disguise the Tor connection itself.)
It slows your internet speed down to a significant degree. For me, using a higher-end cable connection for a home user usually running at 55 Mbps without Tor, I sometimes needed to stop using Tor because my videos would stop to buffer. It is also slower than a VPN.

To route all of your activity over Tor, you can set Tor Browser to launch every time you start up your computer and, in your network settings, set the SOCKS host proxy to 127.0.0.1 and the port to 9150 (Tor Browser's SOCKS port; a system-wide tor daemon listens on 9050 instead). Tor Browser needs to be open or you will not get a connection to the internet with those proxy settings in place. Two caveats: only applications that honor the system proxy setting are routed, anything else goes out directly; and an application that resolves hostnames itself before handing the connection to the SOCKS proxy leaks your DNS lookups, so use SOCKS5 with remote DNS wherever the application offers it.

If you route your network traffic over Tor, you can technically view .onion sites through any browser. Stick with the Tor Browser anyway: it is open source and hardened against the fingerprinting and leaks a normal browser has. When downloading Tor, I would avoid using Google or any regular search engine. I will get into private search engines further down, but Tor can be located directly via its website:
https://www.torproject.org/

VPN

VPN stands for Virtual Private Network. It routes your internet traffic through an encrypted tunnel and shows your location as coming from the location of the server. These services cost money, and you have to find a VPN that doesn't log user activity and trust its word: the provider now sees everything your ISP used to see. With services like secure email and VPN, you optimally want a service based in a country that is not closely allied with your government and the NSA. Services outside your own country are termed "offshore". And you want a service that isn't willing to just hand your information over to authorities because they ask. For example, the VPN service TorGuard, when asked in an interview:
"How do you generally handle requests from law enforcement and copyright agencies?"
"We do not communicate with any third party without first receiving a court order to do so, period. This scenario has never occurred, but if it were to, we would be forced to explain in more technical terms how we don't maintain any usage logs."

This particular service costs $60 a year and allows you to use it on up to 4 devices at once. It has software that works on Windows, Mac, Linux (Debian/Ubuntu & Arch), and Android, and scripts to install on routers with custom firmware (DD-WRT, OpenWrt, LibreCMC). I recommend going to a convenience store like Walgreens and buying a prepaid Visa gift card like the birthday one. Put $60 on it and pay for the service that way, so that a VPN service is not shown on your bills. It helps keep your purchase anonymous from any potentially suspicious eyes.

You can use some VPNs on multiple devices at once (TorGuard (4) and SurfEasy (5), for instance). You can install the VPN on a router with custom firmware as one of the devices. This will allow any computer on your Wi-Fi network to run through the VPN, so many more devices use it while connected. Keep UDP as the protocol rather than TCP. The tunnel (typically OpenVPN) is dramatically faster over UDP; over TCP, the tunnel's own TCP and the applications' TCP connections stack their retransmissions on top of each other ("TCP over TCP"), which can make the VPN painfully slow. Use TCP only where a firewall blocks UDP.

Running Tor over a VPN (connect to the VPN first, then Tor) hides from your ISP that you use Tor at all and hides your real IP address from the Tor entry guard, at the cost of letting the VPN provider see that you use Tor. It is not necessary except in the most extreme circumstances, but it is a nice addition when running Tor. I have read that there is a vulnerability with government agencies hosting Tor exit node servers, among the roughly 1000 exit nodes, and that if you exit the Tor network through one, they can see what you've been doing during that particular session. I am unsure of the extent and details of this. What a malicious exit relay can actually see is any traffic that leaves Tor unencrypted (plain HTTP, for example), and a VPN in front of Tor does nothing about that, since the exit is still the last hop before the website. Using HTTPS (and .onion services, which never leave the Tor network) is what protects you from a hostile exit.

There are free VPN services but I can't recommend any I've tried as they were way too
slow.

I recommend having Tor installed and routing your network traffic over it, or better yet a VPN. If you do so through Tor, on the Linux GNOME desktop there's a GNOME extension called "Proxy Switcher" at the GNOME extensions site (extensions.gnome.org) that gives you a taskbar icon to toggle your proxy settings on and off, making it easy to run your network traffic through Tor but then to easily turn it off when speeds are too slow.
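As an added example (not from the tutorial, the Proxy Switcher extension, or the Tor Project), a shell script that does what the extension does, setting or clearing the GNOME SOCKS proxy at 127.0.0.1:9150, and then confirms through the Tor Project's check service that traffic really leaves via Tor with DNS resolved inside the circuit. GNOME's gsettings, curl and a running Tor Browser are assumed; the host and port are the ones the tutorial uses.

```shell
#!/bin/sh
# Toggle the GNOME system proxy between Tor Browser's SOCKS listener and off,
# and confirm that the path really ends inside Tor. Added example, not part of
# the original tutorial or of any Tor Project tool. Assumes GNOME (gsettings),
# curl, and Tor Browser running with its SOCKS port at 127.0.0.1:9150; a
# system-wide tor daemon listens on 9050 instead (override with TOR_PORT).
TOR_HOST=127.0.0.1
TOR_PORT=${TOR_PORT:-9150}

# proxy_on / proxy_off -> what the "Proxy Switcher" extension does per click.
# Browsers that follow the GNOME setting (Chromium, Epiphany) pick it up at once.
proxy_on() {
    gsettings set org.gnome.system.proxy mode 'manual'
    gsettings set org.gnome.system.proxy.socks host "$TOR_HOST"
    gsettings set org.gnome.system.proxy.socks port "$TOR_PORT"
}
proxy_off() {
    gsettings set org.gnome.system.proxy mode 'none'
}

# is_tor_reply JSON -> 0 if check.torproject.org reports the request came from
# a Tor exit. The API answers {"IsTor":true,"IP":"..."}; grep keeps this free
# of a JSON parser dependency.
is_tor_reply() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '"IsTor":true'
}

# exit_ip JSON -> prints the IP field
exit_ip() {
    printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"IP":"\([^"]*\)".*/\1/p'
}

# verify -> asks the Tor check API through the SOCKS port directly (curl does
# not read the GNOME setting). --socks5-hostname hands the hostname to Tor, so
# the DNS lookup happens inside the circuit; plain --socks5 (or a browser's
# SOCKS v5 without "proxy DNS") resolves locally first and leaks the name you
# are visiting to your ISP.
verify() {
    reply=$(curl -s --max-time 30 --socks5-hostname "$TOR_HOST:$TOR_PORT" \
                 https://check.torproject.org/api/ip) || {
        echo "no SOCKS listener at $TOR_HOST:$TOR_PORT (is Tor Browser open?)" >&2
        return 1
    }
    if is_tor_reply "$reply"; then
        echo "OK: leaving Tor via exit $(exit_ip "$reply")"
    else
        echo "NOT Tor: the site saw you as $(exit_ip "$reply")" >&2
        return 1
    fi
}

# usage: sh tor-proxy.sh on | off | check
case ${1:-} in
    on)    proxy_on && verify ;;
    off)   proxy_off ;;
    check) verify ;;
esac
```

In Firefox the equivalent of --socks5-hostname is the "Proxy DNS when using SOCKS v5" checkbox (the network.proxy.socks_remote_dns preference); without it the browser still sends its lookups to whatever resolver the system uses.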

Browser and Security-enhancing Extensions

I recommend using an open source browser. The browser is what you navigate the internet with, and using open source software for this is imperative. Firefox and Chromium are your choices for this. I use Chromium. I will try to cover browser extensions for each.

Chromium:
Install HTTPS Everywhere. This makes your browser use the encrypted version of HTTP (HTTPS) whenever the website offers it. HTTPS encrypts your communication with a website rather than sending it in the clear; HTTP provides no data security. Most websites offer HTTPS nowadays. (Current Firefox and Chromium have a built-in HTTPS-only mode that does the same job, and the EFF retired HTTPS Everywhere in 2023.)
uBlock and Blur are two browser extensions that block ads and tracking. uBlock is an efficient blocker, easy on CPU and memory. I found this better than Adblock Plus and replaced it.
Google Analytics Opt-out Add-on (by Google) tells the Google Analytics JavaScript not to send information to Google Analytics.
Facebook IBA Opt-out and IBA Opt-out (by Google): opt out of Facebook's and Google's interest-based ads as you browse the web.
Cryptocat "is a fun, accessible app for having encrypted chat with your friends, right in your browser and mobile phone. Everything is encrypted before it leaves your computer. Even the Cryptocat network itself can't read your messages. (FYI - Cryptocat is early development, experimental software. (For fail-safe encryption use PGP or GPG.)"
Dark Wallet is a bitcoin wallet designed to keep bitcoin transactions anonymous. It is in the early stages of development, but it will be very important software in the near future for keeping bitcoin transactions anonymous. https://youtu.be/Ouo7Q6Cf_yc
Amir Taaki and Cody Wilson are two co-founders of this project, and two very interesting people. Cody Wilson is the guy who designed open-source 3D-printable guns, believing in "radical equality". Part of Bitcoin's lure is anonymity, but Bitcoin is not anonymous: every transaction is recorded permanently on the public blockchain, and reusing an address links all of its transactions together. Use a fresh address for every transaction; any wallet can generate one (by donating a dollar to riseup.net, for instance, you are handed a new address). This makes your transactions harder, not impossible, to track. There are also mixing services like Bitcoin Fog and Bitcoin Tumbler, which pool and redistribute coins; with these you have to trust the operator with both your money and your transaction history.

Firefox:
HTTPS Everywhere was originally a Firefox extension and works there too; HTTPtoHTTPS is an alternative.
uBlock and Blur are also available for Firefox.
https://www.eff.org/Https-everywhere
https://www.ublock.org/
https://dnt.abine.com/#register (Blur)
https://tools.google.com/dlpage/gaoptout
https://crypto.cat/
https://www.darkwallet.is/
https://addons.mozilla.org/en-us/firefox/addon/httptohttps/

Web Camera

Hardware and software should work together. Recently computer manufacturers like Lenovo and HP have been caught doing things like using a Windows firmware mechanism (the Windows Platform Binary Table) to have the firmware reinstall their own software into Windows at every boot:
http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/
http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
and pre-bundling software for interest-based advertising that tampers with your computer's security so that attackers can snoop on your browser traffic:
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than-adware/
(Both only affect Windows installations; a machine running Linux is not affected.) In these times we look toward a future with open source hardware projects:
https://www.crowdsupply.com/sutajio-kosagi/novena

Software is constantly evolving and we can't be 100% positive we are free from all vulnerabilities all the time. Cover your webcam. Monitors with built-in webcams should come with a slider that covers the webcam when it is not being used. Don't cover it with tape because it will leave glue residue on the lens. Good designs often use velcro or magnets. "WebCamera Cover" and "NoSpy" seem to have the best reviews if you'd prefer to buy one. Or you can make one yourself.

SSH Tunneling / Public Wi-Fi

An SSH tunnel is an encrypted tunnel created through a Secure Shell protocol connection. It can be used to carry unencrypted traffic over a network through an encrypted channel. SSH tunnels also provide a means to bypass firewalls that prohibit or filter certain internet services. For example, an organization may block certain sites using its proxy filter, but users may not wish to have their web traffic monitored or blocked by it.

This tutorial will not cover SSH tunneling in depth; a quick search online will bring up some good articles. An example of a use of an SSH tunnel: you are sitting in Starbucks on an open Wi-Fi connection. You don't know who else is on the network with you. Someone on the network can capture your data and perform attacks (packet sniffing, ARP spoofing, denial of service, man-in-the-middle, or session hijacking). Do not connect to public Wi-Fi without protection (Tor, VPN, SSH). You can use an encrypted SSH tunnel to your home network to browse the web safely: the local network only sees an SSH connection to your home, and your traffic leaves towards the internet from your home connection. This was worth mentioning, but if you are routing your traffic over Tor or a VPN as I recommended, this is not needed. You can also connect to your home router via your VPN if it is installed on the router.
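The Starbucks case above as an added example (not from the tutorial): a shell script that opens an SSH dynamic (SOCKS5) forward to a home machine, waits until the local listener is up, and tells you how to point the browser at it. The remote host, user and local port are placeholders; key-based login and a host key already stored in known_hosts from an earlier connection made at home are assumed.

```shell
#!/bin/sh
# Open an SSH dynamic (SOCKS5) tunnel to your home machine from untrusted Wi-Fi
# and point the browser at it. Added example, not part of the original tutorial.
# Assumes sshd is reachable on the home host (user@home.example.org below is a
# placeholder), that you log in with a key, and that you connected to it once
# from home already so its host key is in ~/.ssh/known_hosts.
REMOTE=${REMOTE:-user@home.example.org}
LOCAL_PORT=${LOCAL_PORT:-1080}

# valid_port N -> 0 if N is an unprivileged TCP port (1024-65535)
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# tunnel_args PORT -> the ssh options for the tunnel, one per line:
#  -N                     no remote shell, forwarding only
#  -D 127.0.0.1:PORT      SOCKS listener bound to loopback, so nobody else on
#                         the café network can relay through you
#  ExitOnForwardFailure   die instead of silently running without the proxy
#  ServerAlive*           detect a dead Wi-Fi link within about a minute
#  StrictHostKeyChecking  never accept a new or changed host key on a hostile
#                         network; that prompt is the MITM this tunnel prevents
tunnel_args() {
    printf '%s\n' -N -D "127.0.0.1:$1" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=4 \
        -o StrictHostKeyChecking=yes
}

# port_listening PORT -> 0 once something listens on 127.0.0.1:PORT (iproute2 ss)
port_listening() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1 "
}

# start_tunnel -> backgrounds ssh (-f) once the forward is up, then waits for
# the listener so the proxy is known to work before you change browser settings
start_tunnel() {
    valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT $LOCAL_PORT" >&2; return 1; }
    # word splitting of $(tunnel_args) is intended: no option contains spaces
    ssh $(tunnel_args "$LOCAL_PORT") -f "$REMOTE" || return 1
    for attempt in 1 2 3 4 5; do
        port_listening "$LOCAL_PORT" && break
        sleep 1
    done
    port_listening "$LOCAL_PORT" || { echo "ssh is up but nothing listens on $LOCAL_PORT" >&2; return 1; }
    echo "SOCKS5 proxy ready at 127.0.0.1:$LOCAL_PORT"
    echo "Browser: SOCKS v5, host 127.0.0.1, port $LOCAL_PORT, with remote DNS enabled"
    echo "(Firefox: 'Proxy DNS when using SOCKS v5'); otherwise name lookups still leak."
}

# usage: sh wifi-tunnel.sh start
# stop with: pkill -f "ssh -N -D 127.0.0.1:$LOCAL_PORT"
case ${1:-} in
    start) start_tunnel ;;
esac
```

Everything the browser sends through the SOCKS port travels inside SSH to your home machine, so the café network sees one encrypted connection; the web sites see your home IP address instead. Applications that ignore the proxy setting are not protected, which is the same limitation the Tor proxy setup has.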

Block Third-Party Cookies

In each browser, set the option to block third-party cookies and site data (including in your mobile browser). Cookies are a privacy liability but a necessary evil if you want convenience: they are how sites keep you logged in. Blocking third-party cookies blocks the cookies that are not set by the site you are visiting but by third parties embedded in it (advertising and analytics networks) that are interested in tracking you and your interests across sites, in order to make money from the data via interest-based advertising. First-party cookies keep working, so almost nothing breaks. Block third-party cookies.

Open-source firmware router: OpenWRT, DD-WRT, or LibreCMC

Firmware is the software that allows your hardware to properly communicate with your
computer. Open source firmware is sure not to hide malicious code like spyware. There
are projects that offer fully open source firmware for the router: OpenWRT, DD-WRT, and
LibreCMC. Unless you're up for it and perhaps have a backup router, you may want or
need to check out router benchmarks and buy a good 5GHz router on eBay that has
open source firmware already installed. They are popular enough that people offer up
routers on which they have already installed, usually, OpenWRT or DD-WRT. Installing
firmware on a router is not difficult but you may run into problems. On my last router I
had the issue of a D-Link router not allowing custom firmware, stating that it was wrong
or corrupt. And I could not access the "Emergency Room Interface" to force it to accept
any firmware. If you choose to do it yourself, be sure to check that there is a stable open
source firmware version available for your particular router. In many respects, using an
open firmware is analogous to the use of an alternative Android ROM, like
CyanogenMod, where an older phone can be kept current long after the manufacturer
decides it's not worth supporting anymore.

OpenWRT's website states: "OpenWrt is described as a Linux distribution for embedded
devices. Instead of trying to create a single, static firmware, OpenWrt provides a fully writable
filesystem with package management. This frees you from the application selection and
configuration provided by the vendor and allows you to customize the device through the
use of packages to suit any application. For developers, OpenWrt is the framework to
build an application without having to build a complete firmware around it; for users this
means the ability for full customization, to use the device in ways never envisioned."

It is mostly open source, as is DD-WRT.

LibreCMC is completely open source. It is what Richard Stallman and the Free Software
Foundation use for their WiFi.

FSF: "OpenWRT unfortunately still contains some binary blobs for which source code is
not available.
Recently, a community of concerned programmers has emerged determined to remedy
this situation. To advance the free software frontier in yet another area, they have built
LibreWRT, a completely free GNU/Linux distribution for embedded devices, based on
OpenWRT."
Source: https://www.fsf.org/blogs/sysadmin/librewrt-what-we-use-for-wifi-at-the-fsf

At the moment it is only officially supported on ten routers. But if you are going to purchase one
and think you can handle the installation process, which will be basically the same as for
OpenWRT, I recommend trying to get this one. It is the only fully open source firmware.

https://openwrt.org/
https://www.dd-wrt.com/site/
https://librecmc.org/
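Before flashing, one check worth adding to the process above. The shell below is an added
example (not code from OpenWrt, DD-WRT or LibreCMC) that verifies a downloaded image against
the sha256sums file OpenWrt publishes next to its images (check your project's download page for
the equivalent), and tells a factory image (flashed over the vendor firmware) apart from a
sysupgrade image (for a router already running OpenWrt). A truncated or corrupted download is one
common cause of a router rejecting firmware as wrong or corrupt, and an image that fails the
check should not be flashed. The file names used in the self-check are constructed.

```bash
#!/bin/sh
# Added example: verify a router firmware image against a published sha256sums file
# before flashing. Not code from OpenWrt, DD-WRT or LibreCMC; file names used in
# the self-check are constructed.

# verify_image IMAGE SUMSFILE
# Returns 0 when the image's SHA-256 matches the entry for its basename in SUMSFILE,
# 1 on mismatch, 2 when SUMSFILE has no entry for that file name.
verify_image() {
    img="$1"; sums="$2"
    name=$(basename "$img")
    # sha256sums lines look like "<hash>  name" or "<hash> *name" (binary-mode marker)
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$img" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name: do not flash this file" >&2
        return 1
    fi
    echo "ok: $name matches $sums"
}

# Flashing over the vendor firmware needs the *-factory.* image; *-sysupgrade.* is for
# upgrading a router already running OpenWrt. Returns 0 for a factory image.
is_factory_image() {
    case "$(basename "$1")" in
        *factory*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Self-check on a constructed "image" (no real firmware involved): 0 when the good
# copy verifies and a one-byte corruption is detected.
demo() {
    d=$(mktemp -d)
    printf 'pretend firmware bytes\n' > "$d/example-squashfs-factory.bin"
    ( cd "$d" && sha256sum example-squashfs-factory.bin > sha256sums )
    r=1
    if verify_image "$d/example-squashfs-factory.bin" "$d/sha256sums" >/dev/null; then
        printf 'x' >> "$d/example-squashfs-factory.bin"
        if ! verify_image "$d/example-squashfs-factory.bin" "$d/sha256sums" 2>/dev/null; then
            r=0
        fi
    fi
    rm -rf "$d"
    return $r
}
```

Run verify_image on the real download with the real sha256sums file before copying the image to
the router's upgrade page; a missing entry (exit 2) usually means the wrong file was downloaded
for that router model.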

Encrypted text, audio, and video apps

Pidgin messenger offers OTR (Off-the-Record) encryption for certain services that you use
(AIM, Bonjour, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MXit, SILC, SIMPLE, Sametime, XMPP, Yahoo!, Zephyr).

But both ends have to be encrypting with OTR for this to work. If contacts don't have it
enabled, and you haven't selected "start private conversation" and done the
authentication question, it won't work.
I've stopped using Pidgin in favor of Telegram messenger, which is a messenger and network.
Free. No ads. Security and privacy oriented. Works across platforms and mobile, and has web
page and browser app versions. Simple registration using your cell number. Syncs chats
across devices. Self-destructing messages with a timer. Group messaging. Tons of
downloadable sticker sets. File sharing with no bandwidth limitations, as a cloud service.
Open-Source. And it will soon offer video chat and audio Voice over IP calls (VoIP
just means it uses the internet).

In some articles online, people that study encryption protocols question Telegram's
encryption and would prefer that they changed it. Instead of using well known and tested
encryption algorithms, for instance, they designed their own. They claim:
"The team behind Telegram, led by Nikolai Durov, consists of six ACM champions, half of them
Ph.Ds in math. It took them about two years to roll out the current version of MTProto. Names
and degrees may indeed not mean as much in some fields as they do in others, but this protocol
is the result of thoughtful and prolonged work of professionals."

Others respond: "Math Ph.Ds are not cryptographers. The protocol they invented is
flawed. Here is a nice blog post explaining why. In addition to that, Telegram has issued a
rather ridiculous challenge offering a reward to anyone who can break the protocol.
Except that the terms they set make even the most ridiculously weak protocol difficult to
break. Moxie Marlinspike has a nice blog post explaining why the challenge is ridiculous."

Another alternative for PC and Android is Wickr. This messenger is a bit bare at the
moment but offers more standard and proven encryption. I'm having an issue getting it
to work with one account synced on PC and Android with a long password. A lot of these
programs are in their infancy and are part of a new wave of encryption software, sparked
by people's concerns for internet privacy. In the future there will be a lot of good options,
but at the moment they are being heavily developed.

Mumble is open source, low-latency, high quality voice chat software primarily
intended for use while gaming. It may be the best VoIP option for use over Tor because of
its low latency:
https://guardianproject.info/2013/01/31/anonymous-cb-radio-with-mumble-and-tor/
It does not use end-to-end encryption, but encrypts traffic to and from a Mumble server. So
unless you host your own, use it over Tor or a VPN and don't give out identifying
information, like on a CB radio.

If you are not routing over Tor you can try Tox or Jitsi. Meet.jit.si is also not end-to-end
encrypted. You have to trust the server with your communications.
You could host your own Jitsi videobridge server. But I wouldn't bother attempting this
unless you know what you're doing.
https://jitsi.org/Projects/JitsiVideobridge

Tox is a protocol for an encrypted Skype alternative messenger which allows messaging,
audio and video chat. Depending on the operating system there are different clients like
uTox, qTox and Tox. It is the encrypted Skype alternative. Skype has been proven to have
backdoor access.

Jitsi is another secure messenger. Jitsi is an audio/video and chat communicator that
supports protocols such as SIP, XMPP/Jabber, AIM/ICQ, Windows Live and Yahoo!, and has many
other useful features.
Jitsi is Open Source / Free Software, and is available under the terms of the LGPL.
I find Jitsi to be buggy and to have Java issues on my linux distribution. There is a web
page service by Jitsi, https://meet.Jit.si, which offers video chat, audio calls, a text
messenger, sending attachments, and screen streaming. It allows any number of people
in rooms of whatever name you choose, with admins having the ability to lock rooms with
passwords. It has good cross device/platform compatibility and does not need you to
install anything except a browser extension for desktop streaming. Tox is a better choice
for security though, because it uses end-to-end encryption and doesn't send your data to a
server you then have to trust.

https://telegram.org/
https://tox.chat/
https://jitsi.org/
https://meet.Jit.si

Email

Secure Email Providers

There are email providers offering off-shore secure email services. The two that I have
trusted enough to use have been Privatdemail.net, a German-based provider, and
Unseen.is, based in Iceland. At the moment Privatdemail's site seems to be fragmented
with no main page to link the pages. They use their own security certificates, which your
email client won't accept unless you choose to, and a site which doesn't have HTTPS
access. I guess they use their own certificates for that as well? Privatdemail is only
accessible through an email client (use an open source one, e.g. Thunderbird) while Unseen.is
can be accessed through their website and an email client.

Another with a good reputation is riseup.net but it is based within the US.

Email Client:
I recommend Thunderbird or Claws Mail. Claws mail has PGP built in.

Thunderbird Extensions:
Enigmail is an extension that provides built in PGP support for encrypting and
signing/authenticating messages.

TorBirdy is an extension by Jacob Appelbaum that configures Thunderbird to make
connections over the Tor anonymity network. TorBirdy automatically enhances the
privacy settings of Thunderbird and configures it for use over Tor. TorBirdy requires that
a user has Tor installed.

If you are proxying over Tor already, this is not needed. If you are running a VPN, this will
not work. And I recommend doing one of the two, so if you are, this extension is not
really useful.

https://unseen.is/
http://hyperborea.bplaced.net/ (Privatdemail)

Anonymous Torrent Downloading

If you are routing traffic over Tor or a VPN this is not necessary but Tribler offers
anonymous torrent downloading through Tor-inspired onion routing.

http://www.tribler.org/

DemonSaw
DemonSaw is new software designed to be a secure and anonymous decentralized cloud
for peer-to-peer file sharing. Simple, secure, free, no logs, no tracking. It works on Windows,
Linux, OSX, Raspberry Pi. It looks like it will be the new Napster.

https://www.demonsaw.com/

PGP or GPG

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that
provides cryptographic privacy and authentication for data communication. PGP is often
used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole
disk partitions and to increase the security of e-mail communications. It was created by
Phil Zimmermann in 1991.

PGP and similar software follow the OpenPGP standard (RFC 4880) for encrypting and
decrypting data.

After a report from RSA Data Security, Inc., who were in a licensing dispute with regard to
the use of the RSA algorithm in PGP, the United States Customs Service started a criminal
investigation of Zimmermann, for allegedly violating the Arms Export Control Act. The
United States Government had long regarded cryptographic software as a munition, and
thus subject to arms trafficking export controls. At that time, the boundary between what
cryptography was permitted ("low-strength") and impermissible ("high-strength") for
export from the United States was placed such that PGP fell on the too-strong-to-export
side of the boundary. The boundary for legal export has since been raised and now
allows PGP to be exported. The investigation lasted three years, but was finally dropped
without filing charges.

GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's
PGP cryptographic software suite. GnuPG is compliant with RFC 4880, which is the IETF
standards track specification of OpenPGP. Modern versions of PGP and Veridis' Filecrypt
are interoperable with GnuPG and other OpenPGP-compliant systems.

GnuPG is part of the GNU project, and has received major funding from the German
government.

Install GPG with a graphical user interface on Linux (the package is called gpa), and
install Enigmail for Thunderbird.
Learn how to use it:
https://youtu.be/m56dsDc2808

https://www.gnupg.org/

Anonymous Search Engines

Unlike Google there are search engines which do not log your IP address, your searches,
the times you visit, and the links you choose.

These search engines are:

ixquick.com or startpage.com (Ixquick is known as StartPage in the United States), which
simultaneously searches multiple popular search engines.

duckduckgo.com "emphasizes getting information from the best sources rather than the
most sources, generating its search results from key crowdsourced sites such as
Wikipedia and from partnerships with other search engines like Yandex, Yahoo!, Bing,
and Yummly." I find that the image results for duckduckgo are better than startpage's.

Disconnect Search searches with Google, Bing, Yahoo, & more. Disconnect seems to
return the most favorable results to me. I thought this was because I had read that Google
returns crappier results when they are being requested through another search engine
like duckduckgo and startpage, but Disconnect Search uses a VPN service which
makes its requests appear to Google as coming from a random person.

In Chromium, once you use any site's search, it gets added to your list of search
engines. Or, by right-clicking within the search bar and selecting "Add as a search
engine...". You can remove the default search engines and set ones you've used as
default search engines. You can set it so that in your address bar you can type "a" then
whatever you'd like to search Amazon for; e for eBay, d for Duckduckgo, s for Startpage, w
for Wikipedia, and so on. Disconnect Search is made to be used as a browser app which
requires the extra step of clicking on it. Instead I just went to search.disconnect.me,
right-clicked, and added it as a search engine. The last search engine set as default is the
one that is searched by default when you type what you want to search within your
address bar.

https://startpage.com/
https://duckduckgo.com/
https://search.disconnect.me/

VeraCrypt

VeraCrypt is software that allows you to encrypt your drives. Your personal folder of files
can be encrypted, and your passwords especially should be encrypted.

VeraCrypt is an open source freeware utility used for on-the-fly encryption (OTFE). It can
create a virtual encrypted disk within a file or encrypt a partition or (under Microsoft
Windows except Windows 8 with UEFI or GPT) the entire storage device with pre-boot
authentication.
VeraCrypt is a fork of the discontinued TrueCrypt project. It was initially released on June
22, 2013 and has produced its eighth release (version 1.13) as of August 9, 2015.
According to its developers, security improvements have been implemented and issues
raised by the initial TrueCrypt code audit have been addressed.

Learn the process of using VeraCrypt

https://youtu.be/_fGUJ6AgOjQ

The only downside of encrypting via VeraCrypt is that you need VeraCrypt on the
computer you're trying to decrypt with, and VeraCrypt makes the file invisible unless you're
viewing it via VeraCrypt. Also if you encrypt a whole drive like a USB stick and want to undo
the encryption, you will have to reformat the drive, which can be a bit trickier since
VeraCrypt makes the drive hidden after encrypting. For these reasons, in the following
"Passwords" section, I explain how to encrypt/decrypt passwords with KeePassX or to
encrypt plaintext passwords in a compressed archive file like a tar, 7z, or zip.

https://veracrypt.codeplex.com/

Passwords

Regular passwords using words or phrases you can remember are just not safe
anymore. Run test passwords through a website service like
https://howsecureismypassword.net/ or
https://blog.kaspersky.com/password-check/

and you will see that a powerful computer can crack an average password in just a
few seconds. Use a password generator. Here is an example:
http://passwordsgenerator.net/
It is set by default to not send the generated password over the internet where it can
be intercepted on its way to you.
If you use KeePassX, as I recommend below, for storing your passwords, then I
recommend that one most.
It is open source software that can be accessed offline. Because of that, its integrity
is higher than any website's.
When generating a password that will be too long to type out, but instead will be
copied and pasted, uncheck "Exclude Similar Characters".
Doing this, for example, will raise a 2,048 length password from 13,229 bits to 13,424
bits.

DO NOT:
Use the same passwords for multiple accounts. If you do, someone who gets
just one of your passwords will have access to multiple accounts.
Use words or names as your password, even with numbers added in. Strings
in your password containing words or names make cracking easier.
Use standard number substitutions. Think P455w0rd is a good password?
No. Cracking tools now have those built in.
Use a short password, no matter how weird. Today's processing speeds
mean that even passwords like h6!r$q are quickly crackable. Your best
defense is the longest possible password.

DO:

Enable two-factor authentication when offered. Two-factor authentication will
send you a text message with a code to confirm. This adds an extra
authentication step.
Give bogus answers to security questions. Think of them as secondary
passwords. Except that people who know you may know certain answers to
your security questions, or the information may not be too hard to look up,
especially in a surveillance state. You can write in gibberish, and be sure not
to lose your password, or you can keep your answers somewhat memorable
and write them down somewhere. For example:
My first car? Why, it was a Camper Van Beethoven Freaking Rules.
Scrub your online presence. One of the easiest ways to hack into an account is
through your email and billing address information. Sites like Spokeo and
WhitePages.com offer opt-out mechanisms to get your information removed
from their databases.
Use a unique, secure email address for password recoveries. If a hacker knows where
your passwords can be retrieved or reset, that's a line of attack. You could create a
special email account you never use for communications and make sure to choose a
username that isn't tied to your name, so it can't be easily guessed. I would just make
sure to use a secure email service with a very good password.

I recommend passwords at least 32 characters long. But since you cannot remember
every password for all your different accounts, or even one password that is 32
characters or more of mixed symbols, numbers, and letters of mixed case, you might as
well generate passwords as long as possible. Many of my passwords are 2048 characters
long. The only issue with this is that different services will usually allow
only a certain password length at registration. These services may tell you that near the password input
or after you try to register a very long password. A few sites will have bugs or inhibit you
from proceeding and you will have to try smaller and smaller passwords until it works:
1024>512>256>128>64>32>16, for example.
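The bit counts quoted above are a function of just two things, alphabet size and length, and the
added shell below (my example, not code from the tutorial or from passwordsgenerator.net) makes
that arithmetic concrete and generates passwords locally from /dev/urandom, so the password never
crosses the network at all. It assumes the 94 printable ASCII characters as the full alphabet and
an 88-character alphabet once six look-alike characters are excluded; those two sizes reproduce the
13,229 and 13,424 bits quoted for a 2,048-character password, but exactly which characters the
website drops is an assumption.

```bash
#!/bin/sh
# Added example: password strength as bits of entropy, and a local generator that
# reads /dev/urandom so the password never crosses the network. Not code from the
# tutorial or from passwordsgenerator.net; the alphabet sizes are assumptions.

# entropy_bits ALPHABET_SIZE LENGTH -> LENGTH * log2(ALPHABET_SIZE), rounded
# (valid only for passwords drawn uniformly at random; a word-based password
# has far fewer bits than its character count suggests)
entropy_bits() {
    awk -v a="$1" -v n="$2" 'BEGIN { printf "%.0f\n", n * log(a) / log(2) }'
}

# min_length_for_bits ALPHABET_SIZE BITS -> shortest length reaching BITS
min_length_for_bits() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = b / (log(a) / log(2));
        printf "%d\n", (n == int(n)) ? n : int(n) + 1
    }'
}

# Alphabets as tr(1) sets. ALPHA_FULL is all 94 printable ASCII characters except
# space. ALPHA_NO_LOOKALIKE is the same minus the six confusable characters
# 0 O o 1 l I (88 left); that six is an assumption chosen to match the bit counts
# quoted in the text, not the generator's actual list.
ALPHA_FULL='!-~'
ALPHA_NO_LOOKALIKE='!-/2-9:-HJ-NP-km-np-~'

# gen_password ALPHABET LENGTH -> one random password on stdout.
# tr -dc keeps only bytes in the set (rejection sampling), which keeps the
# distribution uniform; reducing random bytes with a modulo would bias it.
gen_password() {
    LC_ALL=C tr -dc "$1" < /dev/urandom | head -c "$2"
    echo
}

# Usage:
#   entropy_bits 94 32            # the tutorial's 32-character minimum
#   gen_password "$ALPHA_FULL" 32
```

The same arithmetic shows why the short example above is weak: six characters from the full
alphabet give about 39 bits, while 32 characters give about 210, and 20 characters is the shortest
password from that alphabet that reaches 128 bits.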

Examples of bugs:
JBidwatcher software:
Any password much over 128 characters causes JBidwatcher's login
screen to expand width-wise beyond the edges of the screen, and
will cause a system crash in the Gnome desktop.
TorGuard's Arch Linux & Android VPN software:
The VPN password is limited to 64 characters. With a longer one nothing would happen after I
clicked login. No matter the protocol or location, it sits at "connecting".
I have reported these bugs.
Another concern to keep in mind is that if you have all of your WiFi passwords super long
and you are setting up a new phone and need internet access, you are not going to be
able to type a super long one out, especially without errors. You can leave one as 16
characters, or you can send the password in a text file over USB storage, or perhaps
access the internet with your cell phone through a neighbor's open WiFi or your mobile
provider and send your WiFi password from a computer to yourself through some
encrypted means like Telegram. However you do it, it's something to be aware of.
Once you have generated and registered or changed passwords, how will you store
them? I do allow my open-source browsers (Chromium & Firefox) to store my passwords
for me.

These browsers are open-source and use encryption to store the passwords. Remember
that if you do this, someone with access to your computer can go into your browser's
settings where you can edit saved passwords, and they can click to view the password in
plain text. Long mixed-symbol passwords make them impossible to remember even if
one does see them. But a user with access to your computer can copy and send/save
your password. Therefore only let people you trust use your computer. Set a screen lock
password if you see the need. Or perhaps let them use a guest account on the computer's
operating system.
But what is the best way to store encrypted passwords long-term? There's one open
source application called KeePassX, "for people with extremely high demands on secure
personal data management. Saves many different types of information such as
usernames, passwords, urls, attachments and comments in one single database." You
can generate passwords with this. You can encrypt your passwords with this.

You can install the "portable" version on a USB stick, so that you can access your
password database on whatever computer you plug it into without needing to install
KeePassX on each of the computers. You can also install KeePassDroid on your
Android-based phone. Then you can send your encrypted database to your phone.
For example "KeePassX Database.kdb" will go into your downloads folder. KeePassDroid's
default location to look for or create a database is a folder on the SD card called keepass.
So I created a folder called keepass in that location > then I went into Downloads and
selected the database > then I went back into the keepass folder > clicked options and
selected move selection. The database was then moved to the keepass folder. I went
back into keepass and selected the file, set it as default database, and opened it > typed in
my password and voilà, I now have access to all of my passwords across devices.
Another option, if your passwords are already written in a plaintext file, is to store
them in an encrypted archive.
In Linux you can open a program called Archive Manager. Drag text files with passwords
onto it > select Create archive when prompted to create a new one > select a zip file to save
it as, so that it works across systems on the go > and before you click save, set a
password under "more options" and save or remember that password somewhere else.
To open the files, you open the zip file, double click the file you want to open, and input
your password. Very simple.
You may want to create a few if you have different categories for your passwords. One
category may contain enough passwords to warrant its own file. For example, it may be
easier to keep router related passwords separate. This may contain:
2 WiFi bands
2 WiFi guest bands
router administrative password
WiFi passwords of friendly locations.
With KeePassX this is unnecessary because you can make different groups for your
passwords within the same database.
Keep your passwords encrypted. Keep a backup on a USB pen drive.
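For both the PGP/GPG section above and the archive approach just described, the added shell
below (my example, not code from the tutorial, Archive Manager or GnuPG) does the same job with
gpg itself: it encrypts a plaintext passwords file with AES-256 under a passphrase, decrypts it
back, and checks that the round trip is exact. One caveat a practitioner would add to the archive
route: the traditional ZIP password scheme (ZipCrypto) that many archivers still use is known to
be weak, so prefer a format with real AES encryption (7z with -mhe=on, which also hides the file
names) or gpg --symmetric as shown here. The file names, sample passwords and passphrase are
constructed.

```bash
#!/bin/sh
# Added example: protect a plaintext passwords file with gpg --symmetric (AES-256).
# Not code from the tutorial or from GnuPG. File names and the sample contents are
# constructed. The passphrase is read from a file rather than passed with
# --passphrase on the command line, where ps and shell history would expose it.

# encrypt_file PLAINTEXT OUTPUT PASSFILE -> 0 on success, 1 on bad input or gpg error
encrypt_file() {
    in="$1"; out="$2"; passfile="$3"
    [ -f "$in" ] || { echo "missing input: $in" >&2; return 1; }
    [ -f "$passfile" ] || { echo "missing passphrase file: $passfile" >&2; return 1; }
    # --s2k-mode 3 with a high count slows down offline passphrase guessing;
    # --pinentry-mode loopback lets gpg 2.1+ take the passphrase without a pinentry dialog
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 --s2k-mode 3 --s2k-count 65011712 \
        --output "$out" "$in" || return 1
}

# decrypt_file CIPHERTEXT OUTPUT PASSFILE -> 0 on success, 1 on bad input or wrong passphrase
decrypt_file() {
    in="$1"; out="$2"; passfile="$3"
    [ -f "$in" ] || { echo "missing input: $in" >&2; return 1; }
    [ -f "$passfile" ] || { echo "missing passphrase file: $passfile" >&2; return 1; }
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --output "$out" --decrypt "$in" || return 1
}

# roundtrip_demo: constructed passwords file -> encrypt -> decrypt -> byte compare.
# Uses a throwaway GNUPGHOME so it does not touch your real keyring.
# Returns 0 when the decrypted copy is identical to the original, 3 if gpg is absent.
roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    d=$(mktemp -d)
    GNUPGHOME="$d/gnupg"; export GNUPGHOME; mkdir -m 700 "$GNUPGHOME"
    printf 'router admin: CONSTRUCTED-SAMPLE-1\nwifi 5GHz: CONSTRUCTED-SAMPLE-2\n' > "$d/passwords.txt"
    printf 'correct horse battery staple (constructed passphrase)\n' > "$d/pass"
    chmod 600 "$d/pass"
    r=1
    # the ciphertext must not contain the plaintext, and the round trip must be exact
    if encrypt_file "$d/passwords.txt" "$d/passwords.txt.gpg" "$d/pass" \
       && ! grep -q 'CONSTRUCTED-SAMPLE' "$d/passwords.txt.gpg" \
       && decrypt_file "$d/passwords.txt.gpg" "$d/decrypted.txt" "$d/pass" \
       && cmp -s "$d/passwords.txt" "$d/decrypted.txt"; then
        r=0
    fi
    unset GNUPGHOME
    rm -rf "$d"
    return $r
}
```

After encrypting, shred or otherwise securely delete the plaintext copy and keep the passphrase
file out of the same backup as the .gpg file; like the KeePassX database, the encrypted file is
only as strong as the passphrase protecting it.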

https://howsecureismypassword.net/ or https://blog.kaspersky.com/password-check/
http://passwordsgenerator.net/
https://www.keepassx.org/

Social Media / Delete Your Facebook

As Richard Stallman says, "Facebook is not your friend, it is a surveillance engine." It
seeks to track and log everything you do. They can use the content you post for
whatever they want. When you delete things you have posted, there is no guarantee that
it is deleted. It is most likely archived on their servers indefinitely.

Facebook Tells the Cops When You Talk About Criminal Activity in Private Messages
http://theantimedia.org/facebook-tells-the-cops-when-you-talk-about-criminal-activity-in-private-messages

Here's what Facebook sends the cops in response to a subpoena
http://www.zdnet.com/article/heres-what-facebook-sends-the-cops-in-response-to-a-subpoena/

There are social media sites that focus on open-source, privacy, and security:

Ello
"You have the right to privacy.
You have the right not to be tracked.
You have the right to control what you see.
Your followers have the right to see everything you post publicly.
You have the right to own what you post.
You have the right to be anyone you want.
You have the right to relationships that won't be exploited.
You have the right to clear and transparent terms & conditions.
You have the right to see all the data collected about you.
You have the right to permanently delete your account."

more info at https://ello.co/wtf/about/what-is-ello/

Diaspora
"Decentralization
Instead of everyone's data being contained on huge central servers owned by a large organization, local
servers (pods) can be set up anywhere in the world. You choose which pod to register with - perhaps
your local pod - and seamlessly connect with the diaspora* community worldwide.
Freedom
You can be whoever you want to be in diaspora*. Unlike some networks, you don't have to use your real
identity. You can interact with whomever you choose in whatever way you want. The only limit is your
imagination. diaspora* is also Free Software, giving you liberty to use it as you wish.
Privacy
In diaspora* you own your data. You do not sign over any rights to a corporation or other interest who
could use it. With diaspora*, your friends, your habits, and your content is your business ... not ours! In
addition, you choose who sees what you share, using Aspects."
more info at https://diasporafoundation.org/

Seen.is
"No Data Mining: If you value your privacy, this is a good place for you. We don't allow search engines to
crawl and archive your posts. Once you delete something on Seen, it's gone for good."
"Seen does not require personal information for account registration.
Some users may opt to register personal information in the signup process, however.
We do not collect, sell, share, or disclose personal information such as we may have.
We do, however, comply by the laws of Iceland, where our company is located, and may under force of
law have to disclose what information we do have.
We do require an email address so that we may contact you for password reset purposes, and possibly
in regard to paid services or subscriptions.
Advertisers may use tracking cookies, but we do not.
Users of our services at Unseen.is are advised to read the privacy statement for that site."

https://www.seen.is/

https://ello.co/
https://diasporafoundation.org/
https://www.seen.is/

Phone

Root Access

You need to get a phone that is unlocked. Meaning that you have root access. Either by
buying one or doing it yourself. It is bullshit to pay the expensive costs for a nice phone
and to receive something that is locked from your modification. You can find a great
price on a used one that is unlocked and is running a more open linux os like
CyanogenMod, which we will talk about more in the "Operating System" section below.

Tech-savvy people do this themselves and then eventually buy new phones. As the
market for this increases, more will become available. At the moment phones unlocked
with CyanogenMod may be found even cheaper than Android phones since not many
people know what it is.

You may also try to hack/unlock your current phone to gain root access and install the OS
yourself. This can be quite difficult as methods and exploits to gain root access are
usually patched. But CyanogenMod has just come out with an installer that does not
require root access to install the OS. You would just need to make sure that there are
stable versions of CyanogenMod available for your particular phone.
https://wiki.cyanogenmod.org/w/CyanogenMod_Installer#Supported_Devices
Don't spend money on an unlocked phone before checking that the operating system
you want is available and stable for that phone. If you don't know how to root an Android
device to install a different operating system listed below, you could install CyanogenMod
to gain root access and then install another OS, so long as there are stable versions of
each for your phone. Or you could check the xda-developers forum, which is a good
place to start for info on rooting your phone.

Operating System

For an operating system we want a free and open linux distribution. Google's Chrome OS
for desktops and Android for mobile devices are technically linux. But they are too
proprietary and allow google too much control. Google also keeps some of its source
code private. Some mobile distros of interest include Firefox OS and Ubuntu Touch,
which are open source. There is also Sailfish OS which is mostly open source. None of
these operating systems are 100% open source except for Replicant. Replicant only runs
on a few devices at the moment.

CyanogenMod is looking the best at the current moment. It's built off the open source
Android code. It is popular, open source, really cool looking, and security focused. They
plan to integrate DNSCrypt into new releases. And they fix bugs in Android with haste.
They add new features and UI effects to android, and some of their enhancements have
even been incorporated into the official Android code.

By using CyanogenMod or other custom linux distros we do away with the phone
manufacturer's bloatware. This is unnecessary software a company, like Samsung for
instance, will add in. We can opt out of all of Google's services, which inherently includes
Google's tracking. CyanogenMod now has their own account service which you will be
able to use to sync your contacts and settings, freeing you entirely from Google.
CyanogenMod also removes root access for apps. This means apps cannot run rampant
doing whatever they want within or to your system. You may grant root access only for
whatever you want and for as long as you want. This allows you to grant it only to the very
few apps that need it, for security. Like Adblock Plus, DNSChanger, Universal Init.d, and
ClockworkMod. <---We'll get to these

Everything that works on Android works on CyanogenMod, since it is a fork of Android.
The play store is included.

http://www.replicant.us/
http://www.cyanogenmod.org/
http://www.ubuntu.com/phone
https://www.mozilla.org/en-US/firefox/android/

Setting up

For CyanogenMod or stock Android, once your phone is setup, you can long-press click,
hold, and drag apps up to "app data" where you can turn off notifications, clear cache
and data, and stop and uninstall apps. Clean your system and keep apps from running in
the background, and tracking/using permissions. I'm not sure if this is a concern with
default CyanogenMod apps since it's built off of the open-source version of Android that
is "code-dumped" once or twice a year.

I turn everything of Google's off. Even the "Verify apps: Disallow or warn before
installation of apps that may cause harm", under Security in Settings. Google has made a
world of progress for technology and the internet, I just don't believe they do enough for
privacy to use a phone or pc that is so proprietarily theirs. When Google asks to sync my
device, I sync Contacts so that it adds about 70 contacts it has stored from my older
Android device. I then turn Google sync off completely and add the rest in, ceasing to
give them anymore of my contacts.

Apparently Google does not sell users information to third parties unless it's
anonymized. Still, Google has definitely done stuff I disagree with in regards to privacy.

There is a book on the subject by Julian Assange titled When Google Met Wikileaks.
------------------------------------------------------------------------------------------------
If you are using CyanogenMod, it comes with "system profiles" which go by triggers.
You can have it set up so that when it leaves your wireless network, it turns on the screen
lock.
------------------------------------------------------------------------------------------------
You need to allow your device to download apps from sources other than Google Play by
turning on the "Unknown sources" feature.
1. On your device, open the Settings app.
2. Under "Personal," touch Security.
3. Turn on Unknown sources.

Running DNSCrypt on Android currently requires a rooted device.

Start by downloading a precompiled dnscrypt-proxy package for Android: the most recent
.zip file for Android from the download link below.
- If you want to change the DNSCrypt resolver to use, unzip the archive and edit the
  RESOLVER_NAME variable in system/etc/init.d/99dnscrypt. Keep the content as a ZIP file,
  with the original structure. (NOT NECESSARY)
- Download from or move the ZIP file to the device, into /sdcard or any location you can
  write to.
- Make sure that you have a custom recovery such as TWRP or CWM. The easiest way is to
  download and install ClockworkMod or TWRP Manager from the Google Play Store. The
  DNSCrypt instructions name TWRP first as the easiest option. I used ClockworkMod since I
  already have it to update CyanogenMod. It worked quickly and simply for me. Select
  "reboot into recovery mode" within ClockworkMod and install the ZIP file.
- Reboot.
- Download and install Universal Init.d from the Google Play Store. Follow the instructions
  at the bottom to test if your kernel has init.d support. If it does not, click the slider
  in the Universal Init.d app to turn it on.
- The DNSCrypt proxy should be running at this point, but your device may still use the
  previous DNS settings. Download and install DNS Changer from the Google Play Store. (I
  used the one by Eddy Pey.) In order to actually use DNSCrypt, enter 127.0.0.1 as the
  primary DNS resolver. In order to stop using DNSCrypt, leave this field empty.
- DNS changes may not be visible immediately. Android has its own DNS cache, and web
  browsers such as Chrome have another layer of DNS caching. In order to clear Chrome's
  DNS cache, enter chrome://net-internals/#dns in the URL bar and press "Clear host cache".

^^^I recommend not even using Chrome, and rebooting once you're done.

When you have completed installation, you can set the installed apps to have root
privileges permanently, otherwise you will keep getting prompted to allow them when
they try to run. To do this in CyanogenMod, go into Settings > Superuser and add them to
your "ALLOW" list. Add DNSChanger, Universal Init.d, and ROM Manager.

https://download.dnscrypt.org/dnscrypt-proxy/ (Download)
https://dnscrypt.org/

VPN

Use a VPN that offers Android support. VPNs with Android apps:
TorGuard, VPN Unlimited, VYPR VPN, F-Secure Freedome VPN, Fast Secure VPN, FinchVPN,
FlashVPN, Hideman VPN, Hideninja VPN, Hotspot Shield VPN, OpenVPN Connect,
OpenVPN for Android, SpeedVPN, SurfEasy VPN, Tigervpns, TunnelBear VPN.
Most of these are in the Google Play Store. Install one and make sure it's set to launch
after each reboot. ("Autostarts" is free/open-source software that does this, also
available from F-Droid.)
Once you've launched your VPN and logged into it, you may have options like your protocol
(like OpenVPN, UDP) and your server location. The farther away your server location is,
the slower your internet speeds may be. Because of this you may want to stay in your own
country, unless you have restricted access in your country like in China. Whichever
location you choose is where it will appear that you are located.

https://f-droid.org/

Orbot (Tor)

As I explained above, I recommend routing all traffic over Tor or a VPN. If you can't afford
a VPN, you can install Orbot on your phone to route all of your traffic over Tor. You may
need a rooted device and an iptables-capable ROM installed (such as Cyanogen). Check
out installation instructions here: https://www.torproject.org/docs/android.html.en

Orbot is available in the F-Droid repository.

There is also orWall, which can force selected applications through Orbot while preventing
unchecked applications from having network access. This application takes care of your
connection, NOT what you're sending or receiving! This means you must use applications
that provide enough privacy in order to avoid sending out your complete device
information. You need Orbot installed for this to work.

If you want to visit hidden services (Tor websites), please use Orfox, a Tor browser
designed for Android.

https://f-droid.org/

Install F-Droid. F-Droid is an installable catalogue of FOSS (Free and Open Source
Software) applications for the Android platform. The client makes it easy to browse,
install, and keep track of updates on your device.

This app is in its early stages and needs to add a lot to its catalogue, which it is doing. I
would normally be concerned with the integrity of the Google Play Store's software.
But the Google Play Store does offer tampering detection and app certificate signing. For
now I trust them, and it is your call where you'd like to download software from:
Google Play, F-Droid, software developers' individual websites, etc.

https://f-droid.org/

Browser and Security-enhancing Browser Extensions


Firefox is the only real open source browser option for phones. Chromium is in early
stages and will require some extra effort to install and test.
With Firefox mobile go to https://addons.mozilla.org/en-US/android/
Install "uBlock Origin" and "HTTPS Everywhere".

If you want to visit hidden services, please use Orfox, a Tor browser designed for
Android. You can access the current Orfox release by installing the F-Droid app and
subscribing to the Guardian Project's F-Droid Alpha Channel by clicking on the following
link on your phone: https://dev.guardianproject.info/debug/info.guardianproject.orfox/fdroid/repo

https://addons.mozilla.org/en-US/android/

Anonymous Search Engines


This subject was covered in more detail in the PC section above. There are apps for
Startpage, DuckDuckGo, and Disconnect Search.

Be sure to also set one of them as your Firefox default search engine. Add any website to
your list of search providers by long-pressing on its search field and then tapping the
"magnifying glass +" symbol. Then go to Settings > Customize > Search and set it as the
default. This will let you search using that search engine right in the browser's search
bar.

https://startpage.com/
https://duckduckgo.com/
https://search.disconnect.me/

Encrypted text, audio, and video apps


As we mentioned above in the PC section for this subject, Telegram messenger is a great
instant messenger that uses encryption. It works on Android and CyanogenMod.

Make sure to download and install "TextSecure" and "RedPhone :: Private Calls", both by
Open Whisper Systems. TextSecure makes it so that every text message you send is
encrypted, so long as BOTH people have it installed. RedPhone encrypts your phone call
conversations, so long as both users have it installed. So if you don't have it installed,
someone who does cannot benefit from using it with you.

As mentioned above, https://meet.jit.si is a website which offers video chat, audio calls,
a text messenger, sending attachments, and screen streaming. It is currently very slow
and laggy on my older phone through Firefox Beta. Give it a try.

TextSecure protocol has begun shipping as part of the CyanogenMod OS-level SMS
provider in CM 11 builds, in an effort to provide completely transparent end-to-end text
message encryption between all of their users.

https://whispersystems.org/ (TextSecure and RedPhone developer)

EXIF Data: "Geolocation"


EXIF contains a ton of information about your camera, and potentially where the picture
was taken (GPS coordinates). That means, if you're sharing images, there's a lot of detail
others can glean from them.
EXIF stands for Exchangeable Image File Format. Every time you take a picture with your
digital camera or phone, a file (typically a JPEG) is written to your device's storage. In
addition to all the bits dedicated to the actual picture, it records a considerable amount
of supplemental metadata as well. This can include date, time, camera settings, and
possibly copyright information. You can also add further metadata to EXIF, such as
through photo processing software.
Finally, if you use a camera phone or digital camera with GPS capabilities, it can record
EXIF geolocation metadata. This is useful for geotagging, which creates all kinds of new
possibilities, such as allowing users on photo-sharing sites to see any images taken in
specific locations, view where your pictures were taken on a map, and find and follow
social events.

If your GPS is turned off and/or you are running a VPN, "geolocation" should not be able
to be tagged to a picture. Still, the option should be turned off if you prefer not to use it.
In Android it can be turned off in two similar ways. In versions earlier than 4.4 (KitKat),
long-press the screen while in the camera and swipe to the settings icon. A list of
settings will come up; turn "store location" off. To do this in Android 4.4.x KitKat, open
the Camera app and tap the round circle to the right of the shutter button, and from the
resulting menu, tap the Settings icon.

Now, in the settings menu tap the Location button.

You can tell geolocation is now disabled because of the icon overlaid on the options
button.

If you're using the newer Camera app, such as the one now included in Android 5.0
Lollipop, the process is a bit simpler. Swipe right to expose the options and tap the
Settings gear (it will be on the bottom-right in portrait mode).

There is also software available to read, edit, and clear EXIF data from pictures. There's
not much I can say about that as I have yet to test it.
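The tutorial says there is software to read, edit and clear EXIF data. As an added example (not from the original tutorial and not any particular tool's code), the Python below walks a JPEG's marker segments, reports whether its Exif block carries the GPS sub-IFD pointer under which coordinates are stored, and strips the Exif segment; the sample JPEG it checks is constructed inline rather than taken from a real photo.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD (Exif spec)

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1/Exif payload's IFD0 contains the GPS IFD pointer tag."""
    tiff = payload[6:] if payload.startswith(b"Exif\x00\x00") else b""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # byte order from the TIFF header
    try:
        magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0] if magic == 42 else 0
        for i in range(count):  # each IFD entry is 12 bytes: tag, type, count, value
            tag = struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0]
            if tag == GPS_IFD_POINTER:
                return True
    except (TypeError, struct.error):
        pass  # unknown byte order, truncated or malformed Exif: report no GPS
    return False

def strip_exif(jpeg: bytes):
    """Drop every APP1/Exif segment from a JPEG; return (cleaned_bytes, had_gps)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos, had_gps = bytearray(jpeg[:2]), 2, False
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts itself
        segment, payload = jpeg[pos:pos + 2 + length], jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            had_gps = had_gps or exif_has_gps(payload)  # metadata segment: drop it
        else:
            out += segment  # keep everything else (JFIF, quantization tables, ...)
        pos += 2 + length
    out += jpeg[pos:]  # SOS and the entropy-coded image data stay untouched
    return bytes(out), had_gps

def make_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed sample, not a real photo: SOI, APP1/Exif whose IFD0 holds a
    Model tag and optionally a GPS pointer, then a stub SOS and EOI."""
    entries = [(0x0110, 2, 4, b"Cam\x00")]  # Model, ASCII, fits the 4-byte value field
    if with_gps:
        entries.append((GPS_IFD_POINTER, 4, 1, struct.pack("<I", 0)))
    ifd = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack("<HHI", tag, typ, cnt) + val
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0)  # no next IFD
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Only the Exif signature is matched, so XMP (also carried in an APP1 segment) and other metadata segments are left in place.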

Email
K-9 Mail is a free and open source email client for Android devices, that integrates
seamlessly with Android Privacy Guard.

The use of these two tools allows for easy encrypting and decrypting of email messages.

Android Privacy Guard


Android Privacy Guard (APG) is a free and open source application that lets you encrypt,
decrypt and sign files, messages or emails using Public Key Encryption (like OpenPGP) or
encrypt/decrypt files or messages with symmetric encryption, securing them with a
password.

Android Privacy Guard is not to be confused with Privacy Guard that is integrated into
CyanogenMod.

Privacy Guard
This is not to be confused with Android Privacy Guard for PGP. This Privacy Guard comes
with CyanogenMod.
(Settings>Security>Privacy Guard)
Privacy Guard lets you deny an app certain kinds of information without interfering with
its functionality.
Essentially, Privacy Guard allows you to interrupt the flow of information you agreed to
provide when installing the app. You can remove the ability to provide location data,
disable access to your contacts list, and a whole lot more depending on what the app has
asked for. You activate the toggle within Privacy Guard, and the flow of data stops. This
gets set per app, so you can get as detailed as you want, and even choose to activate
certain features temporarily with the all on/all off toggle at the top. You can deny
information to any app on your phone, including the ones made and released by
Cyanogen. If you decide to leave Privacy Guard enabled, you'll also get pop-up
notifications when an app is requesting certain kinds of information.

Adblock Plus

You can download Adblock Plus for Android from their website. Once downloaded, go to
Downloads, select the file, and install it. You may turn "Allow acceptable ads" off. Once
installed it will give you a further step to get it working: setting your localhost proxy
port in your network settings. Adblock will tell you what to do. More generic directions
can also be seen at https://adblockplus.org/en/android-config

After installation you may want to give Adblock root privileges permanently or it will keep
prompting you to allow it. To do this go to Settings > Superuser and add it to the
"ALLOW" list.

https://adblockplus.org/

Encrypt Phone
After everything is completely set up, a few days have gone by, and you're done tweaking
things, it is a good idea to encrypt your phone. All the data inside the phone will be
encrypted and your phone will need to be unlocked with a password or PIN. A PIN is
shorter and less annoying to type in every single time you go to look in your phone.
CyanogenMod gives you the option of an encryption/user login password, with the lock
screen password asked every time your screen wakes being a separate feature. You may
choose to do without the latter if your phone is kept out of the hands of others.

Samourai Wallet

Samourai Wallet is an anonymizing Bitcoin wallet for Android. At the time of writing it's
in alpha stages and it's the only Bitcoin wallet like it for Android.
There are too many features to go on talking about, so I'm going to paste links to two
articles about it.

http://bravenewcoin.com/news/bitcoins-dark-wallet-has-a-new-challenger-samourai/
http://cointelegraph.com/news/114387/samourai-wallet-a-serious-darkwallet-contender

This article was completed 08/25/2015 and, as it relates to technology, will continue to
become outdated as time goes on. Continue to do your own research.

More Information:

Podcasts (also available on YouTube):

Linux Action Show (Linux podcast)
http://www.jupiterbroadcasting.com/show/linuxactionshow/

TechSNAP (Systems, Network, and Administration Security Podcast)
http://www.jupiterbroadcasting.com/show/techsnap/

hak5 & ThreatWire (hacking/security/privacy)
https://hak5.org/category/episodes
https://hak5.org/category/episodes/threatwire

Security Now
https://twit.tv/shows/security-now

Honorable Mentions

Richard Stallman
Dennis Ritchie
Julian Assange
Jacob Appelbaum
Edward Snowden
Chelsea Manning
Moxie Marlinspike
Amir Taaki
Cody Wilson
Glenn Greenwald
Laura Poitras

Free Software Foundation https://www.fsf.org/
Electronic Frontier Foundation https://www.eff.org/
Open Bitcoin Privacy Project http://www.openbitcoinprivacyproject.org/
Privacy International https://www.privacyinternational.org/
Defense Distributed https://defdist.org/
Open Whisper Systems https://whispersystems.org/
Wikileaks https://wikileaks.org/index.en.html
BSD http://www.bsd.org/
Tails https://tails.boum.org/
Freedom of the Press Foundation https://freedom.press/
Human Rights Watch https://www.hrw.org/
Reporters Without Borders https://en.rsf.org/
Transparency International https://www.transparency.org/
Amnesty International https://www.amnesty.org/en/
