Jump to content

Search the Community

Showing results for tags 'anonymity'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Found 15 results

  1. malakai1911

    Comprehensive Security Guide

    Comprehensive Security Guide NOTE: As of 1/1/2019 this guide is out of date. Until parts are rewritten, consider the below for historical reference only. i. Foreword The primary purpose of this guide is to offer a concise list of best-of-breed software and advice on selected areas of computer security. The secondary purpose of this guide is to offer limited advice on other areas of security. The target audience is an intermediately skilled user of home computers. Computer software listed are the freeware versions when possible or have free versions available. If there are no free versions available for a particular product, it is noted with the "$" symbol. The guide is as well formatted as I could make it, within the confines of a message board post. ii. Table of Contents i. Foreword ii. Table of Contents 1. Physical Security a. Home b. Computer c. Personal 2. Network Security a. Hardware Firewall b. Software Firewall 3. Hardening Windows a. Pre-install Hardening b. Post-install Hardening c. Alternative Software d. Keep Windows Up-To-Date 4. Anti-Malware a. Anti-Virus b. HIPS / Proactive Defense c. Malware Removal 5. Information and Data Security a. Privacy / Anonymity b. Encryption c. Backup, Erasure and Recovery d. Access Control (Passwords, Security Tokens) 6. Conclusion 1. Physical Security I just wanted to touch on a few things in the realm of physical security, and you should investigate physical and personal security in places other than here. a. Home How would you break in to your own home? Take a close look at your perimeter security and work inwards. Make sure fences or gates aren't easy to climb over or bypass. The areas outside your home should be well lit, and motion sensor lights and walkway lights make nice additions to poorly lit areas. If possible, your home should have a security system featuring hardwired door and window sensors, motion detectors, and audible sirens (indoor and outdoor). Consider integrated smoke and carbon monoxide detectors for safety. Don't overlook monitoring services, so the police or fire department can be automatically called during an emergency. Invest in good locks for your home, I recommend Medeco and Schlage Primus locks highly. Both Medeco and Schlage Primus locks are pick-resistant, bump-proof, and have key control (restricted copying systems). Exterior doors should be made of steel or solid-core wood and each should have locking hardware (locking doorknob or handle), an auxiliary lock (mortise deadbolt) with a reinforced strike plate, and a chain. Consider a fireproof (and waterproof) safe for the storage of important documents and valuables. A small safe can be carried away during a robbery, and simply opened at another location later, so be sure and get a safe you can secure to a physical structure (in-wall, in-floor, or secured to something reasonably considered immovable). You may be able to hide or obscure the location of your safe in order to obtain some additional security, but don't make it cumbersome for yourself to access. b. Computer Computers are easy to just pick up and take away, so the only goal you should have is to deter crimes of opportunity. For desktop computers, you may bring your desktop somewhere and an attacker may not be interested in the entire computer, but perhaps just an expensive component (video card) or your data (hard drive), and for that I suggest a well-built case with a locking side and locking front panel. There are a variety of case security screws available (I like the ones from Enermax (UC-SST8) as they use a special tool), or you can use screws with less common bits (such as tamper resistant Torx screws) to secure side panels and computer components. There are also cable lock systems available for desktop computers to secure them to another object. For laptop computers, you are going to be primarily concerned about a grab-and-go type robbery. There are a variety of security cables available from Kensington, which lock into the Kensington lock slot found on nearly all laptops, which you can use to secure it to another object (a desk or table, for example). Remember though, even if it's locked to something with a cable, it doesn't make it theft-proof, so keep an eye on your belongings. c. Personal Always be aware of your surroundings. Use your judgment, if you feel an area or situation is unsafe, avoid it altogether or get away as quickly and safely as possible. Regarding hand to hand combat, consider a self-defense course. Don't screw around with traditional martial arts (Karate, Aikido, Kung-Fu), and stay away from a McDojo. You should consider self-defense techniques like Krav Maga if you are serious about self defense in a real life context. I generally don't advocate carrying a weapon on your person (besides the legal mess that may be involved with use of a weapon, even for self-defense, an attacker could wrestle away a weapon and use it against you). If you choose to carry any type of weapon on your person for self-defense, I advise you to take a training course (if applicable) and to check with and follow the laws within the jurisdiction you decide to possess or carry such weapons. Dealing with the Police Be sure to read Know Your Rights: What to Do If You're Stopped by the Police a guide by the ACLU, and apply it. Its advice is for within the jurisdiction of the US but may apply generally elsewhere, consult with a lawyer for legal advice. You should a;so watch the popular video "Don't talk to the police!" by Prof. James Duane of the Regent University Law School for helpful instructions on what to do and say when questioned by the police: (Mirror: regent.edu) Travelling Abroad Be sure and visit the State Department or Travel Office for your home country before embarking on a trip abroad. Read any travel warnings or advisories, and they are a wealth of information for travelers (offering guides, checklists, and travel advice): (US, UK, CA). 2. Network Security As this is a guide geared towards a home or home office network, the central theme of network security is going to be focused around having a hardware firewall behind your broadband modem, along with a software firewall installed on each client. Since broadband is a 24/7 connection to the internet, you are constantly at risk of attack, making both a hardware and software firewall absolutely essential. a. Hardware Firewall A hardware firewall (router) is very important. Consider the hardware firewall as your first line of defense. Unfortunately, routers (usually) aren't designed to block outbound attempts from trojans and viruses, which is why it is important to use a hardware firewall in conjunction with a software firewall. Be sure that the firewall you choose features SPI (Stateful Packet Inspection). Highly Recommended I recommend Wireless AC (802.11ac) equipment, as it is robust and widely available. Wireless AC is backwards compatible with the earlier Wireless N (802.11n) G (802.11g) and B (802.11b) standards. 802.11ac supports higher speeds and longer distances than the previous standards, making it highly attractive. I generally recommend wireless networking equipment from Ubiquiti or Asus. Use WPA2/WPA with AES if possible, and a passphrase with a minimum of 12 characters. If you are really paranoid, use a strong random password and remember to change it every so often. Alternatives A spare PC running SmoothWall or IPCop, with a pair of NIC's and a switch can be used to turn a PC into a fully functional firewall. b. Software Firewall A software firewall nicely compliments a hardware firewall such as those listed above. In addition to protecting you from inbound intrusion attempts, it also gives you a level of outbound security by acting as a gateway for applications looking to access the internet. Programs you want can access the internet, while ones you don't are blocked. Do not use multiple software firewalls simultaneously. You can actually make yourself less secure by running two or more software firewall products at once, as they can conflict with one another. Check out Matousec Firewall Challenge for a comparison of leak tests among top firewall vendors. Leaktests are an important way of testing outbound filtering effectiveness. Highly Recommended Comodo Internet Security Comodo is an easy to use, free firewall that provides top-notch security. I highly recommend this as a first choice firewall. While it includes Antivirus protection, I advise to install it as firewall-only and use an alternate Antivirus. Alternatives Agnitum Outpost Firewall Free A free personal firewall that is very secure. Be sure to check out the Outpost Firewall Forums, to search, and ask questions if you have any problems. Online Armor Personal Firewall Free Online Armor Personal Firewall makes another great choice for those who refuse to run Comodo or Outpost. Online Armor 3. Hardening Windows Windows can be made much more secure by updating its components, and changing security and privacy related settings. a. Pre-install Hardening Pre-install hardening has its primary focus on integrating the latest available service packs and security patches. Its secondary focus is applying whatever security setting tweaks you can integrate. By integrating patches and tweaks, you will be safer from the first boot. Step 1 - Take an original Windows disc (Windows 7 or later) and copy it to a folder on your hard drive so you can work with the install files. Step 2 - Slipstream the latest available service pack. Slipstreaming is a term for integrating the latest service pack into your copy of windows. Step 3 - Integrate the latest available post-service pack updates. This can be done with a utility such as nLite or vLite, and post-service pack updates may be available in an unofficial collection (such as the RyanVM Update Pack for XP). Step 4 - Use nLite (Windows 2000/XP) or vLite (Windows Vista/7) to customize your install. Remove unwanted components and services, and use the tweaks section of nLite/vLite to apply some security and cosmetic tweaks. Step 5 - Burn your newly customized CD, and install Windows. Do not connect the computer to a network until you install a software firewall and anti-virus. b. Post-Install Hardening If you have followed the pre-install hardening section, then your aim will be to tweak settings to further lock down windows. If you hadn't installed from a custom CD, you will need to first update to the latest service pack, then install incremental security patches to become current. After updating, you'll then disable unneeded Windows services, perform some security tweaks, and use software such as xpy to tweak privacy options. Disable Services Start by disabling unneeded or unnecessary services. By disabling services you will minimize potential security risks, and use fewer resources (which may make your system slightly faster). Some good guides on disabling unnecessary services are available at Smallvoid: Windows 2000 / Windows XP / Windows Vista. Some commonly disabled services: Alerter, Indexing, Messenger, Remote Registry, TCP/IP NetBIOS Helper, and Telnet. Security Tweaks I highly recommend using a strong Local Security Policy template as an easy way to tweak windows security options, followed by the registry. Use my template (security.inf) to easily tweak your install for enhanced security (Windows 2000/XP/Vista/7): 1. Save the following attachment: (Download Link Soon!) 2. Extract the files. 3. Apply the Security Policy automatically by running the included "install.bat" file. 4. (Optional) Apply your policy manually using the following command: [ secedit /configure /db secedit.sdb /cfg "C:\<Path To Security.inf>\<template>.inf" ] then refresh your policy using the following the command:[ secedit /refreshpolicy machine_policy ] (Windows 2000), [ gpupdate ] (Windows XP/Vista/7) This template will disable automatic ("administrative") windows shares, prevent anonymous log on access to system resources, disable (weak) LM Password Hashes and enable NTLMv2, disable DCOM, harden the Windows TCP/IP Stack, and much more. Unfortunately my template can't do everything, you will still need to disable NetBIOS over TCP (NetBT), enable Data Execution Prevention (AlwaysOn), and perform other manual tweaks that you may use. Privacy Tweaks xpy (Windows 2000/XP) and vispa (Windows Vista/7) These utilities are great for modifying privacy settings. They supersede XP AntiSpy because they include all of XP Anti-Spy's features and more. You should use them in conjunction with the security tweaks I've listed above. c. Alternative Software Another simple way of mitigating possible attack vectors is to use software that is engineered with better or open security processes. These products are generally more secure and offer more features then their Microsoft counterparts. Highly Recommended Google Chrome (Web Browser) Mozilla Thunderbird (Email Client) OpenOffice.org (Office Suite) Alternatives Mozilla Firefox (Web Browser) Google Docs (Online) (Office Suite) Firefox Additions Mozilla has a Privacy & Security add-on section. There are a variety of add-ons that may appeal to you (such as NoScript). And although these aren't strictly privacy related, I highly recommend the AdBlock Plus add-on, with the EasyList and EasyPrivacy filtersets. d. Keep Windows Up-To-Date Speaking of keeping up-to-date, do yourself a favor and upgrade to at least Windows XP (for older PC's) and Windows 7 (or later) for newer PC's. Be sure to keep up-to-date on your service packs, they're a comprehensive collection of security patches and updates, and some may add minor features. Microsoft Windows Service Packs Windows 2000 Service Pack 4 with Unofficial Security Rollup Package Windows XP Service Pack 3 with Unofficial Security Rollup Package Windows XP x64 Service Pack 2 with Unofficial Security Rollup Package Windows Vista Service Pack 2 Windows 7 Service Pack 1 Microsoft Office Service Packs Office 2000 Service Pack 3 with the Office 2007 Compatibility Pack (SP3). Office XP (2002) Service Pack 3 with the Office 2007 Compatibility Pack (SP3). Office 2003 Service Pack 3 with the Office 2007 Compatibility Pack (SP3) and Office File Validation add-in. Office 2007 Service Pack 3 with the Office File Validation add-in. Office 2010 Service Pack 1 After the service pack, you still need to keep up-to-date on incremental security patches. Windows supports Automatic Updates to automatically update itself. However, if you don't like Automatic Updates: You can use WindowsUpdate to update windows periodically (Must use IE5 or greater, must have BITS service enabled), or you can use MS Technet Security to search for and download patches individually, or you can use Autopatcher, an unofficial updating utility. In addition to security patches, remember to keep virus definitions up-to-date (modern virus scanners support automatic updates so this should not be a problem), and stay current with latest program versions and updates, including your replacement internet browser and mail clients. 4. Anti-Malware There are many dangers lurking on the internet. Trojans, viruses, spyware. If you are a veteran user of the internet, you've probably developed a sixth-sense when it comes to avoiding malware, but I advocate backing up common sense with reliable anti-malware software. a. Anti-Virus Picking a virus scanner is important, I highly recommend Nod32, but there are good alternatives these days. Check out AV Comparatives for a comparison of scanning effectiveness and speed among top AV vendors. Highly Recommended Nod32 Antivirus $ I recommend Nod32 as a non-free Antivirus. Features excellent detection rates and fast scanning speed. Nod32 has a great heuristic engine that is good at spotting unknown threats. Very resource-friendly and historically known for using less memory than other AV's. There is a 30 day free trial available. Alternatives Avira AntiVir Personal I recommend Avira as a free Antivirus. Avira is a free AV with excellent detection rates and fast scanning speed. (Kaspersky no longer recommended, due to espionage concerns.) Online-Scanners Single File Scanning Jotti Online Malware Scan or VirusTotal These scanners can run a single file through a large number of different Antivirus/Antimalware suites in order to improve detection rates. Highly recommended. Whole PC Scanning ESET Online Scanner Nod32 Online Antivirus is pretty good, ActiveX though, so IE only. There is a beta version available that works with Firefox and Opera. b. HIPS / Proactive Defense Host-based intrusion prevention systems (HIPS) work by disallowing malware from modifying critical parts of the Operating System without permission. Classic (behavioral) HIPS software will prompt the user for interaction before allowing certain system modifications, allowing you stop malware in its tracks, whereas Virtualization-based HIPS works primarily by sandboxing executables. Although HIPS is very effective, the additional setup and prompts are not worth the headache for novice users (which may take to just clicking 'allow' to everything and defeating the purpose altogether). I only recommend HIPS for intermediate or advanced users that require a high level of security. Highly Recommended I highly recommend firewall-integrated HIPS solutions. Comodo Defense+ is a classic HIPS built into Comodo Internet Security, and provides a very good level of protection. Outpost and Online Armor provide their own HIPS solutions, and the component control features of the firewalls are powerful enough to keep unwanted applications from bypassing or terminating the firewall. If you want to use a different HIPS, you can disable the firewall HIPS module and use an alternative below. Alternatives Stand-alone HIPS solutions are good for users who either don't like the firewall built-in HIPS (and disable the firewall HIPS), or use a firewall without HIPS features. HIPS based on Behavior (Classic) ThreatFire ThreatFire provides a strong, free behavioral HIPS that works well in conjunction with Antivirus and Firewall suites to provide additional protection. HIPS based on Virtualization DefenseWall HIPS $ DefenseWall is a strong and easy-to-use HIPS solution that uses sandboxing for applications that access the internet. GeSWall Freeware GeSWall makes a nice free addition to the HIPS category, like DefenseWall it also uses sandboxing for applications that access the internet. Dealing with Suspicious Executables You can run suspicious executables in a full featured Virtual Machine (such as VMware) or using a standalone sandbox utility (such as Sandboxie) if you are in doubt of what it may do (though, you may argue that you shouldn't be running executables you don't trust anyway). A more advanced approach to examining a suspicious executable is to run it through Anubis, a tool for analyzing the behavior of Windows executables. It displays a useful report with things the executable does (files read, registry modifications performed, etc.), which will give you insight as to how it works. c. Malware Removal I recommend running all malware removal utilities on-demand (not resident). With a firewall, virus scanner, HIPS, and some common sense, you won't usually get to the point of needing to remove malware... but sometimes things happen, perhaps unavoidably, and you'll need to remove some pretty nasty stuff from a computer. Highly Recommended Anti-Spyware Spybot Search & Destroy Spybot S&D has been around a long time, and is very effective in removing spyware and adware. I personally install and use both Spybot & Ad-Aware, but I believe that Spybot S&D has the current edge in overall detection and usability. Anti-Trojan Malwarebytes' Anti-Malware Malwarebytes has a good trojan detector here, and scans fast. Anti-Rootkit Rootkit Unhooker RKU is a very advanced rootkit detection utility. Alternatives Anti-Spyware Ad-Aware Free Edition Ad-Aware is a fine alternative to Spybot S&D, its scanning engine is slower but it is both effective and popular. Anti-Trojan a-squared (a2) Free a-squared is a highly reputable (and free) trojan scanner. Anti-Rootkit IceSword (Mirror) IceSword is one of the most capable and advanced rootkit detectors available. 5. Information and Data Security Data can be reasonably protected using encryption and a strong password, but you will never have complete and absolute anonymity on the internet as long as you have an IP address. a. Privacy / Anonymity Anonymity is elusive. Some of the following software can help you achieve a more anonymous internet experience, but you also must be vigilant in protecting your own personal information. If you use social networking sites, use privacy settings to restrict public access to your profile, and only 'friend' people you know in real life. Don't use (or make any references to) any of your aliases or anonymous handles on any websites that have any of your personal information (Facebook, Amazon, etc..). You should opt-out from information sharing individually for all banks and financial institutions you do business with using their privacy policy choices. You should opt-out of preapproved credit offers (US), unsolicited commercial mail and email (US, UK, CA), and put your phone numbers on the "Do Not Call" list (US, UK, CA). Highly Recommended Simply install and use Tor with Vidalia to surf the internet anonymously. It's free, only downside is it's not terribly fast, but has fairly good anonymity, so it's a tradeoff. Keep in mind its for anonymity not for security, so make sure sites you put passwords in are SSL encrypted (and have valid SSL certificates), and remember that all end point traffic can be sniffed. You can use the Torbutton extension for Firefox to easily toggle on/off anonymous browsing. POP3/IMAP and P2P software won't work through Tor, so keep that in mind. Portable Anonymous Browsing The Tor Project now has a "Zero-Install Bundle" which includes Portable Firefox and Tor with Vidalia to surf anonymously from a USB memory stick pretty much anywhere with the internet. It also includes Pidgin with OTR for encrypted IM communications. Note: These won't protect you from Trojans/Keyloggers/Viruses on insecure public terminals. Never type important passwords or login to important accounts on a public computer unless it is absolutely necessary! Alternatives I2P functions similar to Tor, allowing you to surf the general internet with anonymity. IPREDator $ is a VPN that can be used to anonymize P2P/BitTorrent downloads. Freenet is notable, but not for surfing the general internet, it's its own network with its own content. b. Encryption For most people, encryption may be unnecessary. But if you have a laptop, or any sort of sensitive data (whether it be trade secrets, corporate documents, legal or medical documents) then you can't beat the kind of protection that encryption will offer. There are a variety of options available today, including a lot of software not listed here. A word to the wise, please, please don't fall for snake oil, use well established applications that use time tested (and unbroken) ciphers. Regardless of what software you use, the following "what to pick" charts will apply universally. If you have to pick an encryption cipher: Best: AES (Rijndael) (128-bit block size) Better: Twofish (128-bit block size), Serpent (128-bit block size) Good: RC6 (128-bit block size) Depreciated: Blowfish (64-bit block size), CAST5 (CAST-128) (64-bit block size), Triple-DES (64-bit block size) When encrypting large volumes of data, it is important to pick a cipher that has a block size of at least 128-bytes. This affords you protection for up to 2^64x16 bytes (264 exabytes) . 64-bit block ciphers only afford protection of up to 2^32x8 bytes (32 gigabytes) so using it as a full disk or whole disk encryption cipher is not recommended. The depreciated list is only because some of you might be stuck using software that only supports older encryption methods, so I've ordered it from what I feel is best to worst (though all three that are on there are pretty time tested and if properly implemented, quite secure). If you have to pick a hash to use: Best: Whirlpool (512-bit) Better: SHA-512 (512-bit), SHA-256 (256-bit) Good: Tiger2/Tiger (192-bit), RIPEMD-160 (160-bit) Depreciated: RIPEMD-128, SHA-1, MD-5. With all the recent advances in cryptanalysis (specifically with work on hash collisions) These days I wouldn't trust any hash that is less than 160-bits on principle. To be on the safe side, use a 192-bit, 256-bit, or 512-bit hash where available. There will be cases where your only options are insecure hashes, in which case I've ordered the "depreciated" list from best to worst (they are all varying levels of insecure). Many older hashes (MD4, MD2, RIPEMD(original), and others) are totally broken, and are not to be used. A quick software rundown, these applications are popular and trusted: Highly Recommended Freeware Whole Disk Encryption TrueCrypt Based upon E4M, TrueCrypt is a full featured disk encryption suite, and can even be run off a USB memory stick. TrueCrypt supports the whole disk encryption of Windows, with pre-boot authentication. Very nice. If you can't use whole-disk encryption (WDE), you can use the TCTEMP add-on to encrypt your swapfile, temp files and print spooler, and you can use the TCGINA add-on to encrypt your windows home directory. (Note: TCTEMP/TCGINA is less secure than WDE, and only preferable if WDE is not an option. WDE is highly recommended.) Freeware PKI Encryption GnuPG (GPG) GnuPG provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, and encryption and decryption of documents and email messages. Freeware Email Encryption Enigmail Enigmail is truly a work of art, it integrates with GnuPG and provides seamless support for encryption and decryption of email messages, and can automatically check PGP signed documents for validity. (Enigmail requires both Mozilla Thunderbird and GnuPG) Alternatives Encryption Suite (with Whole Disk and Email Encryption) PGP Full Disk Encryption $ PGP provides public-key encryption, including key generation and maintenance, signing and checking documents and email messages, encryption and decryption of documents and email messages, volume disk encryption, whole disk encryption, outlook integration, and instant messenger encryption support. c. Backup, Erasure and Recovery // This section is under construction. Backups Your data might be safe from prying eyes, but what if you are affected by hardware failure, theft, flood or fire? Regular backups of your important data can help you recover from a disaster. You should consider encryption of your backups for enhanced security. Local Backup Cobian Backup Cobian Backup is a fully-featured freeware backup utility. SyncBack Freeware, Macrium Reflect Free SyncBack Freeware and Macrium Reflect Free are feature-limited freeware backup utilities. Off-site Backup SkyDrive (25GB, filesize limited to 100MB), box.net (5GB) SkyDrive and box.net offer free online storage, useful for easy offsite backups. Be sure to utilize encrypted containers for any sensitive documents. Data Destruction It would be better to have your data residing in an encrypted partition, but sometimes that may not be possible. When sanitizing a hard drive, I recommend using a quality Block Erase tool like DBAN followed by a run-through with ATA Secure Erase if you really want a drive squeaky clean. Block erasing is good for data you can normally reach, but ATA secure erase can hit areas of the drive block erasers can't. As for multiple overwrite passes, there is no proof that data overwritten even one time can be recovered by professional data recovery corporations. For moderate security, a single pseudorandom block-erase pass (random-write) followed by an ATA Secure Erase pass (zero-write) is sufficient to thwart any attempts at data recovery. For a high level of security, a "DoD Short (3 pass)" block-erase pass followed by an ATA Enhanced Secure Erase will ensure no recovery is possible. Single-File/Free Space Erase If you are interested in just erasing single files or wiping free space, you can use the Eraser utility. Block Erase For hard drive block-erasure, use DBAN. ATA Secure Erase For ATA Secure Erasing, use the CMRR Secure Erase Utility. CMRR Secure Erase Protocols (.pdf) http://cmrr.ucsd.edu...seProtocols.pdf NIST Guidelines for Media Sanitation (.pdf) - http://csrc.nist.gov...800-88_rev1.pdf File Recovery Software This is kind of the opposite of data destruction. Keep in mind no software utility can recover properly overwritten data, so if it's overwritten there is no recovery. Highly Recommended Recuva Recuva is an easy to use GUI-based recovery utility. Alternatives TestDisk and PhotoRec These tools are powerful command-line recovery utilities. TestDisk can recover partitions, and PhotoRec is for general file recovery. Ontrack EasyRecovery Professional $ EasyRecovery is one of the best paid utilites for file recovery. d. Access Control (Passwords, Security Tokens) // This section is under construction. Secure Passwords //Section under construction. Your security is only as strong as its weakest password. There are a few basic rules to follow when creating a strong password. Length - Passwords should be at least 12 characters long. When possible, use a password of 12 or more characters, or a "passphrase". If you are limited to using less than 12 characters, you should try and make your password as long as allowable. Complexity - Passwords should have an element of complexity, a combination of upper and lowercase characters, numbers, and symbols will make your passwords much harder to guess, and harder to bruteforce. Uniqueness - Passwords should avoid containing common dictionary words, names, birthdays, or any identification related to you (social security, drivers license, or phone numbers for example). Secret - If you have a password of the utmost importance, do not write it down. Do not type them in plain view of another person or share them with anyone. Avoid use of the same password in multiple places. Security Tokens Security Tokens are cryptographic devices that allow for two-factor authentication. Google Titan Yubikey 5 Series 6. Conclusion And here we are at the end! I would like to thank all of you for taking the time to read my guide, it's a few (slow) years in the making and I've kept it up to date. This guide is always changing, so check back from time to time. Revision 1.10.020 Copyright © 2004-2012 Malakai1911, All Rights Reserved The information contained within this guide is intended solely for the general information of the reader and is provided "as is" with absolutely no warranty expressed or implied. Any use of this material is at your own risk, its authors are not liable for any direct, special, indirect, consequential, or incidental damages or any damages of any kind. This guide is subject to change without notice. Windows_Security_Template__1.10.015_.zip
  2. New policy will require users to provide identity information to use any blockchain service After killing all legitimate cryptocurrency businesses in the country, Chinese authorities are now turning their attention to other blockchain service providers. The country’s apex internet regulator, Cyberspace Administration of China (CAC), released a draft policy on Friday that will require all companies to collect their users’ real names and national identification card numbers before offering them any blockchain related service. The draft regulations are open to comments from the public until November 2, but CAC hasn’t given any timeline for when they will actually come into force. If the policy is implemented, the companies will be required to store their users’ data — to be made available for any investigation by the authorities. In addition, they also have to censor any content “deemed to pose a threat to national security.” Blockchain service providers will need to register with the CAC within ten days of starting the service. If they are in highly regulated fields in the country, such as education, media & publishing, or the pharmaceutical industry, they will also have to obtain licences from relevant authorities before registering with the CAC. According to South China Morning Post (SCMP), an anonymous open letter published on the Ethereum blockchain in April alleging sexual harassment at a top university could be the motivation behind the new regulations. While the authorities were able to remove the post from social media platforms like WeChat and Weibo, they were hopeless on the blockchain. The new regulations come hardly as a surprise. China’s aversion to free dissemination of information isn’t exactly a secret — with media giants such as Google, Facebook, Twitter, and Youtube banned in the country. Blockchain as a concept is even more opposed to Chinese government’s totalitarian communist ideology. China has been rigorously cracking down on “all things cryptocurrencies—” banning all exchange desks, media platforms, initial coin offerings (ICO), and any platform promoting or trading virtual currencies in any way. But research shows that the country’s outright bans haven’t exactly deterred illegitimate cryptocurrency businesses from operating in the country. It is likely that its blockchain regulations will end up with a similar fate. Source
  3. LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed. After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh. Dead Addict’s version of the story involves an employer who pushed him to apply for a patent — for which he was required to provide his full legal name. “The people who later doxxed me,” he said, using a term for publishing private information about someone, usually with malicious intent, “pointed to that patent.” Nico Sell managed to stay “ungoogleable,” she said, until around 2012, when, acting as chief executive of a secure-messaging company, Wickr, she felt she needed to become more of a public figure — if reluctantly. “My co-founders and I, we all drew straws,” she said, “and that was that.” I met Grifter, whose real name is Neil Wyler; Dead Addict, who, citing privacy concerns, spoke with me on the condition that I not share his real name; Nico Sell, which, while undeniably the name she uses publicly, may or may not be her legal name; and dozens of other self-described hackers in August at DEFCON, an annual hacking convention — one of the world’s largest — held in Las Vegas. A lion’s share of the media attention devoted to hacking is often directed at deeply anonymous (and nefarious) hackers like Guccifer 2.0, a shadowy online avatar — alleged to have been controlled by Russian military intelligence officers — that revealed documents stolen from the Democratic National Committee in 2016. And, to be sure, a number of DEFCON attendees, citing various concerns about privacy, still protect their identities. Many conceal their real names, instead using only pseudonyms or hacker aliases. Some wear fake beards, masks or other colorful disguises. But new pressures, especially for those who attend DEFCON, seem to be reshaping the community’s attitudes toward privacy and anonymity. Many longtime hackers, like Sell and Wyler, have been drawn into the open by corporate demands, or have traded their anonymity for public roles as high-level cybersecurity experts. Others alluded to the ways in which a widespread professionalization and gamification of the hacking world — as evidenced by bug bounty programs offered by companies like Facebook and Google, which pay (often handsomely) for hackers to hunt for and disclose cybersecurity gaps on their many platforms — have legitimized certain elements of the culture. “It’s probably fair to say that fewer and fewer people are hiding behind their handles,” said Melanie Ensign, a longtime DEFCON attendee who works on security and privacy at Uber. “A lot of hackers who have been around for a while — they have families and mortgages now. At some point, you have to join the real world, and the real world does not run on anonymity.” “This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.” DEFCON has grown exponentially since its founding in 1993, when Jeff Moss — or, as many of his hacker friends know him, The Dark Tangent, or simply DT — gathered about 100 of his hacker friends for a hastily assembled party. By contrast, this year’s convention, the 26th, drew some 27,000 attendees, including students, security researchers, government officials and children as young as 8. It’s difficult to characterize the conference without being reductive. One could describe all of its 28 constituent “villages” (including the Voting Machine Hacking Village, where attendees deconstructed and scrutinized the vulnerabilities of electronic voting machines, and the Lockpick Village, where visitors could tinker with locks and learn about hardware and physical security), offer a complete list of this year’s presentations (including one by Rob Joyce, a senior cybersecurity official at the National Security Agency), catalog its many contests and events (like the Tin Foil Hat Contest and Hacker Karaoke) and still not get at its essence. The ethos of DEFCON is perhaps best embodied by a gentleman I encountered in a hallway toward the end of the conference. He was wearing an odd contraption on his back, with wires and antennas protruding from its frame and with a blinking black box at its center. An agribusiness giant, he said, had recently heralded the impenetrability of the security systems built into one of its new computing components. He had obtained a version of it — how, he wouldn’t say — and, having now subjected it to the ever-probing DEFCON crowds, had disproved the company’s claims. “Turns out it’s not very secure after all,” he said with a grin, before vanishing around a corner. As with many of his early online friends, Moss’ foray into aliases was directly tied to his interest in hacking and phone phreaking (the manipulation of telecommunications systems) — “stuff that wasn’t really legal,” he said. Aliases provided cover for such activity. And every once in a while, he explained — if a friend let slip your name, or if you outgrew a juvenile, silly alias — you’d have to burn your identity and come up with a new name. “In my case, I had a couple previous identities,” he said, “but when I changed to The Dark Tangent, I was making a clear break from my past. I’d learned how to manage identities; I’d learned how the scene worked.” He also remembers when everything changed. During the dot-com boom, many hackers transitioned to “real jobs,” he said, “and so they had to have real names, too.” “My address book doubled in size,” he said with a laugh. “The thing I worry about today,” he added, taking a more serious tone, “is that people don’t get do-overs.” Young people now have to contend with the real-name policy on Facebook, he said, along with the ever-hovering threats of facial-recognition software and aggregated data. “How are you going to learn to navigate in this world if you never get to make a mistake — and if every mistake you do make follows you forever?” Philippe Harewood, 30, represents a relatively new class of hackers. He is ranked second on Facebook’s public list of individuals who have responsibly disclosed security vulnerabilities for the site in 2018. And while he maintains an alias on Twitter (phwd), a vast majority of his hacking work is done under his real name — which is publicized on and by Facebook. He also maintains a blog (again, under his real name) where he analyzes and discusses his exploits. For Harewood, maintaining his alias is partly about creating a personal brand — a retro nod, in a sense, to the era when using a hacker handle was a more essential element of the trade. But it also has practical advantages. “People want to reach out all the time,” he said. “And I’m still not all that comfortable communicating with people on my Facebook profile, under my real name.” “In a way,” he said, “it just helps me filter my communications.” In the wake of the Cambridge Analytica scandal, Facebook expanded its existing bug bounty with a program that specifically targets data abuse. And just last week the company again widened the scope to help address vulnerabilities in third-party apps. Such efforts — coupled with the rise in recent years of companies like Bugcrowd and HackerOne, which mediate between hackers and companies interested in testing their online vulnerabilities — have created a broader marketplace for hackers interested in pursuing legitimate forms of compensation. Like Harewood, 11-year-old Emmett Brewer, who garnered national media attention at this year’s DEFCON by hacking a mock-up of the Florida state election results website in 10 minutes, also alluded to the marketing appeal of his alias, p0wnyb0y. “I came up with it a couple years ago, when I first got included in a news article,” he said. “I think an alias helps you get more recognition — sort of like how The Dark Tangent has his.” “P0wnyb0y is shorter and catchier than my name,” he added. “And it just seems a lot cooler.” Emmett said his involvement with DEFCON — he has attended for several years, accompanied by his father — has left him skeptical about the degree to which his peers share things online. “My friends put everything up on the internet,” he said, “but I’m more mindful.” Still, he said he wasn’t invested in keeping his real name separate from his alias. “I don’t see it as the end of the world” if people can easily link the two, he said. “But some other people take that stuff more seriously.” That’s not to say, though, that the younger generations of hackers are all comfortable operating so openly. Sell’s daughter, who spoke with me on the condition that I refer to her by her hacking handle, CyFi, was especially guarded about her identity. “When I was 9, I discovered a class of zero-day vulnerabilities,” said CyFi, 17, referring to software bugs that developers are unaware of. She ultimately disclosed the bugs, she added, “but I didn’t want to risk being sued by all those companies — so hiding my identity was the best way to go.” As with Emmett, CyFi is wary of her generation’s penchant for oversharing online. “My friends have definitely been frustrated with my lack of social media,” she said. “But the less data there is about you out in the world, the less people can try to mess with you.” One of the most intriguing aspects of DEFCON is the relationship between the hacker community and the attendees from the federal government, the complexities of which have ebbed and flowed over time. For many years, the tension resulted in a cat-and-mouse game called “Spot the Fed.” “In the early days, if a fed got spotted, it was pretty consequential,” Moss said. “Later on, they were outing each other,” he said with a laugh — because they wanted the T-shirt granted to both the fed and the person who outed them. Linton Wells II, a former principal deputy to the assistant secretary of defense for networks and information integration, began attending DEFCON around 2003. He now volunteers as a “goon” — the term for the volunteers (roughly 450 this year) who help organize and run the conference. Wells said governmental officials who attend DEFCON fall into one of three categories. “One was the people who openly announced they were feds — either speakers who announced their affiliations, or there was a Meet the Fed panel,” he said. “There were others who wouldn’t deny it if you asked them, but who didn’t go out of their way to advertise it. And then there were those who were either officially or unofficially undercover.” The relationship hasn’t always been contentious, he added, noting that, in 2012, Keith Alexander, who was then director of the NSA, “came out here and spoke in a T-shirt and bluejeans.” Less than a year later, though, after the Edward Snowden leak, things soured. “For the next couple years,” Wells said, “the feds were — well, if not uninvited, then at least tacitly not particularly welcome.” Joe Grand, who for many years operated under his alias, Kingpin, understands the complexities of the relationship as well as anyone. Twenty years ago, in May 1998, Grand was one of seven computer hackers who testified before a congressional panel that included Sens. John Glenn, Joseph Lieberman and Fred Thompson. The hackers, members of a collective called L0pht (pronounced “loft”), had recently boasted that they could shut down the internet in 30 minutes, and lawmakers had taken notice. “Due to the sensitivity of the work done at the L0pht,” Thompson explained in his opening remarks — haltingly, as if for effect — “they’ll be using their hacker names of Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan and Stefan.” Chuckles echoed through the room. Until then, staff members had told the L0pht hackers, the only witnesses to testify while using aliases had been members of the witness protection program. “I hope my grandkids don’t ask me who my witnesses were today,” Thompson added, to another chorus of laughter. “It probably helped their agenda — by having these kids show up with fake names,” said Grand, who sat for an interview at DEFCON. “It probably made it that much more intriguing.” “But using our handles,” he added, “was our natural way of communicating. And having that protection, it felt good. We were putting ourselves out there as hackers communicating with the government — which, at the time, was not something you did.” As with many longtime hackers, Grand — who became widely known after appearing on a Discovery Channel show called “Prototype This!” — has grown more comfortable operating in the open. But he still appreciates the value of anonymity. “Hiding behind a fake name doesn’t mean you’re doing something malicious, and it doesn’t mean you’re a bad person,” he said. “It means you’re trying to protect your privacy.” “And, in this day and age, you need to,” he added, “because everywhere you look, your privacy is being stripped away.” Keren Elazari, a cybersecurity expert whose 2014 TED Talk has been viewed millions of times, expressed a similar sentiment — that hackers, by fighting to maintain their anonymity, can help push back against the trends of eroding online privacy. But she also described what she calls a “maturing of the industry and the community.” “More and more people who started hacking in the ‘90s are now becoming icons and thought leaders — and, most importantly, role models for the younger generations of hackers,” she said. To help guide younger generations, elder hackers can often still use nicknames, she added. “But sometimes it makes it more powerful when they can speak up in their own voices.” Source
  4. Don't use VPN services. No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer. Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does. Why not? Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging. But my provider doesn't log! There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs. And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over. But a provider would lose business if they did that! I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it. But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs! Doesn't matter. You're still connecting to their service from your own IP, and they can log that. But I want more security! VPNs don't provide security. They are just a glorified proxy. But I want more privacy! VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server). But I want more encryption! Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that. When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic. But I want to confuse trackers by sharing an IP address! Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore. Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this. So when should I use a VPN? There are roughly two usecases where you might want to use a VPN: You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters. In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic. However, in practice, just don't use a VPN provider at all, even for these cases. So, then... what? If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox. But how is that any better than a VPN service? A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be. So why do VPN services exist? Surely they must serve some purpose? Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil. So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you. Article source
  5. The site’s head claims that the policy of not collecting personal information allows people to be “more true to themselves. Steven Huffman, the co-founder and CEO of Reddit Reddit, the self-described “front page of the internet,” may have a key tool in its arsenal as Americans begin to question their relationship with social media: anonymity. According to Steve Huffman, the site’s co-founder and CEO, “privacy is built into Reddit.” All that’s required to create an account and post on any of Reddit’s 1.2 million forums is an email address, a username, and a password. You don’t need to tell the company your birthday, your gender, or even your real name. As Huffman put it on Thursday at the Aspen Ideas Festival, which is co-hosted by the Aspen Institute and The Atlantic, “Reddit doesn’t want the burden of personal information ... and is not selling personal information.” Huffman argued that anonymity on Reddit actually makes using the site “more like a conversation one has in real life” than other exchanges on the internet. “When people detach from their real-world identities, they can be more authentic, more true to themselves,” he claimed. Huffman gave as an example a subreddit called StillTrying, a forum for couples who have had trouble conceiving children. He posited that such a community wouldn’t exist on other platforms. At least one such group does, in fact, exist on Facebook—or at least did in 2015—but, unlike StillTrying, it was visible only to members. Everything on Reddit is visible to anyone with an internet connection, so it’s conceivable that Reddit could be a resource to a greater number of people than groups on other sites. Unlike many other anonymous social networks, including Whisper and the now-defunct Yik Yak, the namelessness of Reddit does have its limits. Redditors maintain one consistent identity through their usernames, with an associated score called “karma” that tells other users how often they’ve been upvoted or downvoted—essentially a proxy for how informative, trustworthy, and civil the community has found them in the past. “People care about their reputations on Reddit,” Huffman said on Thursday. “There’s some stake to it.” He said that, in general, these reputations motivate Redditors to keep their posts more civil than the comment sections of other sites, which he called “toxic,” “agro,” and “off-putting.” Reddit’s favoring of aliases over actual personal information could help it avoid data-breach scandals like those that have befallen Facebook, Yahoo, and Equifax in recent years, or tap into users’ most sensitive identities. But it also undeniably introduces vulnerabilities into the site. Reddit is notorious for hosting trolls and bullies. (Huffman himself once told The New Yorker, “I consider myself a troll at heart.”) A subpar Reddit karma score may not be enough to deter some would-be harassers, especially those posting mostly in groups filled with like-minded users who are happy to upvote offensive content. “We are extremely proud to have created this enriching experience where people can be themselves,” Huffman said. The question is whether these anonymous online personas are really the selves we want to be. Source
  6. Windscribe VPN 1.81 Build 42 / 41 Stable Internet As It Should Be Windscribe is a desktop application and browser extension that work together to block ads and trackers, restore access to blocked content and help you safeguard your privacy online. Learn More. https://assets.windscribe.com/video/windscribe_explainer_480p.mp4 What's New: https://blog.windscribe.com/windscribe-1-81-beta-changelog-b9c557906d60 We’ve been working on this version for quite a while, existing installations should prompt you to update the app over the next 48 hrs. Here is what’s new. Changelog: New features IKEv2 protocol support (manual and automatic mode) Emergency Connect / Secure Login Fixed bugs Wifi-sharing not working after wakeup Forcibly close all TCP sockets after tunnel up Don’t forcibly disconnect if currently connected node is missing from the server list Language detection defaults to English instead of Arabic Reinstall/enable WAN miniport adapters if missing/disabled Adjusted DPI to work with multiple scale factors Other Changes Added “Disconnecting” state Eliminated redundant API calls Reduced the server ping frequency Updated OpenVPN binaries to latest version Don't auto-enable the firewall (in Automatic mode) on computer start up if auto-connect is false Simplified installer flow + additional “custom install” options Async DNS resolver Adjusted node selection algorithm to favor lower latency nodes Forcibly expand certain locations when the country name is clicked Detect if LAN range is RFC-1918 complaint To-do list for next version: CLI interface Favorite locations Dedicated IP support IKEv2 connectivity test SOCKS5 server UDP associate support Fix startup error on multi-user computers Mystery feature 1 Mystery feature 2 Downloads: Windscribe for Your Computer: Windscribe for Your Browser: Windscribe for Your Phone: Windscribe for Your TV: Windscribe for Your Router: Config Generators:
  7. Pirate Tor Browser Pirate Tor Browser is a bundle package of the Updated Tor client Vidalia, Updated FireFox Portable browser (with Updated foxyproxy addon) and some custom configs , all has been revamped and Updated , Self extracting archive For those wanting to reach torrent webpages they cant reach on a normal browser try the updated pirate browser.. portable.. you might have seen the first version that the pirate bay shared http://piratebrowser.com/ now its been updated and revamped.. better updated links added , updated and added some good extensions to hide yourself online , Pirate Tor Browser version 08 build 7.0.8 Better Pirate Browser version 07 build 56.0.2 - New Pirate.Tor.Browser.0.8.(7.0.8) Better Pirate Browser 0.7 (56.0.2) 27/10/2017 - New HOMEPAGE https://lilfellauk.wordpress.com/pirate-tor-browser/ Download - Pirate.Tor.Browser.0.8.(7.0.8): Site: https://mega.nz Sharecode[?]: /#!Z25lAD4T!2OPkWG4lTEqq7kgEyTNs33LmYXR573b-e4sbfeUHk_8 Download - Better Pirate Browser version 07 build 56.0.2: - New Site: https://mega.nz Sharecode[?]: /#!13ATGQ6L!YgDypu2bvimH6qXZFHdMiXdlePPm1KeFceUfUh8xfd4
  8. Windscribe VPN 1.80 Build 28 Stable Internet As It Should Be Windscribe is a desktop application and browser extension that work together to block ads and trackers, restore access to blocked content and help you safeguard your privacy online. Learn More. What's New: https://blog.windscribe.com/windscribe-1-80-changelog-bdc9183bcac4 We’ve been working on this version for quite a while, existing installations should prompt you to update the app over the next 48 hrs. Here is what’s new. Changelog: New features LAN proxy gateway — https://windscribe.com/features/proxy-gateway Secure Hotspot (Experimental) — https://windscribe.com/features/secure-hotspot Variable location drawer height Auto login after signup Ability to choose NDIS5 TAP driver Upgrade to OpenVPN 2.4.x with 2.3.x fallback Service notifications Show Pro data-centers to free users Location latency tool-tips added to signal bars Fixed bugs Always on firewall not working on OS boot on some machines Application crashes after connection attempts are exceeded with “minimize to tray” option checked Application freeze with firewall ON requires reboot API calls not made if app starts with no Internet connectivity Custom installation now allows for non-standard install path Auto-enable disabled TAP adapter 100% CPU when app starts with no Internet connectivity Don’t try UDP protocol if system proxy is configured Constant application window size on variable DPI screens Login form DPI bug On multi-screen computers, tool-tips show on primary monitor Other Changes Leave firewall ON if ran out of free bandwidth to prevent IP leak Increase reconnect timeout from 5 min to 1 hour Server list source changed Moved server location update process to separate thread Only do ping tests while disconnected Update available UI change Output installed anti-virus software into debug log for troubleshooting Open survey on application uninstall Installer command line arg support Black and white top bar icon on MacOS Ping nodes in batches instead of all at the same time Allow for verbose OpenVPN logging via Advanced Parameters screen When beta channel is selected, check for updates right away To-do list for next version: IKEv2 protocol support Emergency Connect Firewall whitelisting overhaul Command line interface Wakeup from hibernation fix Add disconnecting state Async DNS resolver Browser Extensions — New Features Downloads: Windscribe for Your Computer: Windscribe for Your Browser: Windscribe for Your Phone: Windscribe for Your Router:
  9. Loopix is a new anonymity network developed by a group of researchers from University College London (UCL) that comes with all the good parts of previous systems and new additions to improve security. Both Loopix and Tor are based on the concept of mix networks and are meant to provide a way to send anonymous messages through a complex network. The way Tor achieves this is through its circuit-based onion routing protocol. On the other hand, Loopix uses a classic message-based architecture combined with Poisson mixing — adding random time delays to each message. The end result is an anonymity network that is very secure but also fixes the main disadvantage of classic message-based architectures, which is high-latency. As the UCL team points out in their research paper, the Loopix system has a "message latency is on the order of seconds – which is relatively low for a mix-system." How Loopix works The way Loopix works is very similar to Tor, both being based on the same principles of mix networks. A user connects to a provider (ingress provider), the same way Tor users connect to entry guards. The Loopix provider server sends the user's message through the network through random mix nodes, similar to how Tor sends messages through relays. The message arrives at the intended user's provider (egress provider), where it is stored inside a message box until the user comes online. This is where Loopix is different, allowing the storage of offline messages. Similar to Tor, Loopix also uses encryption by encapsulating messages using Sphinx, a cryptographic message format. In addition, it also uses cover traffic for both when data travels inside the network and when users send or receive messages from the providers. Loopix looks good on paper, until now Researchers say that Loopix's trio of encryption, cover traffic, and randomly delayed messages can counter ISP and nation-state level passive surveillance. Tests using a demo Loopix network showed that "mix nodes in Loopix can handle upwards of 300 messages per second, at a small delay overhead of less than 1.5 ms on top of the delays introduced into messages to provide security." Overall, researchers say the latency is low compared to similar message-based mix networks, making Loopix usable for real-time communications, just like Tor. In fact, a comparison table put together by the research team shows that Loopix is not on par with Tor, but also much more suited for anonymous communications, even when compared to other systems such as HORNET, Dissent, Vuvuzela, Stadium, Riposte, Atom, Riffle, or AnonPoP. But there's a downside to Loopix as well. "Loopix is designed as a system for anonymous communication and it’s properties allow it too be used both for high-latency communication applications, like e-mails, and for low-latency communication applications, i.e., instant messaging," Ania Piotrowska told Bleeping Computer via email, "it is not designed to be used as Tor for web browsing." Currently, the Loopix system is still in its infancy, and more research is needed. Nonetheless, researchers say Loopix is resistant to Sybil attacks, currently one of Tor's biggest problems. More technical details are available in a research paper published in March this year and named "The Loopix Anonymity System," available online here, here, or here. Source
  10. Epic is a privacy-centric web browser developed by Hidden Reflex and based on Chromium source code. It is dubbed as the first web browser from India. Features & More Info: Homepage: https://www.epicbrowser.com/ Download Page: https://epicbrowser.com/thank_you.php Download: Win-EXE (1.7 MB): https://winepic-cbe.kxcdn.com/Release/58.0.3029.110/EpicSetup.exe OS X-dmg (92.2 MB): https://macepic-cbe.kxcdn.com/2462/sign/Epic.dmg OS X-dmg (103 MB): https://macepic-cbe.kxcdn.com/Epic_53.0.2785.143.dmg Win-ZIP (1.5 MB): https://winepic-cbe.kxcdn.com/Release/58.0.3029.110/EpicSetup.zip OS X-ZIP (87.5 MB): https://macepic-cbe.kxcdn.com/Epic.zip
  11. When we talk about security and privacy, there are several common acronyms that get thrown around. You’ve likely encountered the privacy and anonymity focused browser Tor. And VPNs frequently feature in mainstream media articles. There is another option to consider, too: I2P. But what privacy acronym suits your needs? Let’s explore what I2P, Tor, and VPNs are, and which one is right for you. Tor The “Tor” name derives from the original software project name: The Onion Router. Tor software directs web traffic through a worldwide system of interconnected relay nodes. This is known as “onion routing” because your data passes through many layers. In addition to the layers, Tor encrypts all network traffic, including the next node IP address. Encrypted data passes through multiple randomly selected relays, with only a single layer containing the IP address for the following node decrypted during transit. The final relay node decrypts the entire package, sending the data to its final destination without revealing — at any point — a source IP address. How Do I Use Tor? The Tor Browser is the easiest way to use Tor software. Download and install the browser as you would any other piece of software. The setup will continue after you open Tor Browser for the first time. Then you browse as normal. It will be slightly slower than normal — sending the data through multiple relays takes time, I’m afraid. Why Should I Use Tor? The Tor Browser encrypts all data transmissions. As such, a huge range of people use it: criminals, journalists, hackers/crackers, law enforcement (to protect communications and solve crimes), government agencies, and much more. In fact, Tor started life as a U.S. Naval Research and DARPA project. We’ve even written a guide on how you can use the hidden web as a research tool. The Tor Browser is also one of the most direct routes to the dark web (not to be confused with the deep web). The dark web is the so-called “dark underbelly” of the regular (sometimes referred to as “surface”) web that we browse daily. Whenever you hear a story about an online marketplace selling illicit substances and goods, they’re talking about a site hosted on the dark net. But Tor isn’t just about crazy secret marketplaces and secret communications. You can use it for other, “normal” things. For instance, airlines use complicated algorithms to keep tabs on interest in their flights, adjusting price with demand. Keep visiting the same site, using the same IP, and the airline knows you’re interested — but the price usually increases. Check the same flights using the Tor Browser and you can find some interesting discounts. Will Tor Protect My Privacy? Yes. The Tor design protects privacy from bottom to top. If you’re just using Tor Browser to browse the internet, you’re not going to alert anyone, anywhere. However, hardcore privacy advocates consider the Tor network compromised. National Security Agency (NSA) program XKeyscore records everyone who visits the Tor webpage and downloads the Tor Browser. Furthermore, they class those that download and install it as “potential extremists.” So, yeah, sorry, you’re on a list now. (They think similarly of those who use Linux, so I wouldn’t worry too much.) Tor only encrypts data sent and received within the Tor Browser (or a different browser using Tor software). It does not encrypt network activity for your entire system. I2P The Invisible Internet Project (I2P) is a garlic routing protocol. This is a variant of the onion routing protocol used by Tor. I2P is an “anonymous overlay network.” The garlic routing protocol encrypts multiple messages together to make data traffic analysis difficult, while simultaneously increasing network traffic speed. Garlic routing takes its name from actual garlic. Each message is a “garlic clove,” with the entire encrypted bundle representing the “bulb.” Each encrypted message has its own specific delivery instruction, and each end-point works as a cryptographic identifier (read one of a pair of public keys). Each I2P client (router) builds a series of inbound and outbound connection “tunnels” — direct peer-to-peer (P2P) networking. A major difference between I2P and other P2P networks you have used is the individual selection of tunnel length. The tunnel length is a factor in anonymity, latency, and personal throughput, and forms part of the individual peer threat model. The result is that the smallest number of peers possible relay messages according to each peer’s sender and receiver threat model. How Do I Use I2P? The easiest way to use I2P is by downloading and installing the official install package. Once installed, open Start I2P (restartable). This will open a locally hosted web page in internet Explorer, the I2P default browser (you can change this later). This is the I2P Router Console, or in other words, the virtual router used to maintain your I2P connection. You’ll also notice the I2P Service command window — ignore this and leave it running in the background. The I2P service can take a few minutes to get up and running, especially during the first boot. Take the time to configure your bandwidth settings. I2P allows its users to create and host hidden websites, known as “eepsites.” If you want to access an eepsite, you’ll need to set your browser to use the specific I2P proxy. You can find the I2P proxy configuration details here. Why Should I Use I2P? I2P and Tor offer similar browsing experiences for most part. Depending on your I2P bandwidth configuration, it is probably slightly faster than Tor Browser, and runs from the comfort of your existing browser. I2P is full of hidden services, many which are faster than their Tor-based equivalents — a massive plus if you’re frustrated with the sometimes infuriating Tor network. I2P runs alongside your regular internet connection, encrypting your browser traffic. However, I2P isn’t the best tool for browsing the open web anonymously. The limited number of outproxies (where your traffic re-joins “regular” internet traffic) mean it is much less anonymous when used this way. Will I2P Protect My Privacy? In a nutshell, yes. It will protect your privacy very well, unless you’re using it for regular web browsing. And even then, it would take significant resources to isolate your web traffic. I2P uses the distributed P2P model to ensure data collection, statistic gathering, and network overviews are difficult to complete. Furthermore, the garlic routing protocol encrypts multiple messages together, making it much more difficult to perform traffic analysis. The I2P tunnels we discussed earlier are uni-directional: data only flows one way. One tunnel in, one tunnel out. This alone provides greater anonymity for all peers. I2P only encrypts data sent and received through a configured browser. It does not encrypt network activity for your entire system. VPN Finally, we have the Virtual Private Network (VPN). A VPN works differently to both Tor and I2P. Instead of focusing solely on the encryption of browser traffic, a VPN encrypts all incoming and outgoing network traffic. In that sense, it offers regular users an easy route to protecting their data, but there are some caveats that we’ll explore in a moment. How a VPN Works Normally, when you send a request (e.g. click a link in your web browser or fire up Skype for a video-call), your request pings to the server holding the specified data, and it returns to you. The data connection is usually unsecured, and anyone with enough knowledge of computers can potentially access it (especially if using standard HTTP rather than HTTPS). A VPN connects to a predefined, privately owned server (or servers), creating a direct connection called a “tunnel” (though with the rise in VPN use, this term isn’t seen as frequently). The direct connection between your system and the VPN server is encrypted, as is all your data. VPNs are accessed through a client that you’ll install on your computer. The majority of VPNs use public-key cryptography. When you open the VPN client and login in with your credentials, it exchanges a public-key, confirming the connection and protecting your network traffic. Why Should I Use a VPN? A VPN encrypts your network traffic. Everything involving an internet connection on your system is safe from prying eyes. There has been a massive surge in VPN popularity, too. They’re exceptionally useful for: Securing your data on a public Wi-Fi connection. Accessing region-restricted content. An additional layer of security when accessing sensitive information. Protecting your privacy from government or other invasive agencies. Will a VPN Protect My Privacy Yes, a VPN will protect your privacy — but here come those caveats I alluded to earlier. Like most things, you pay for what you get. There are numerous free VPN providers, but they don’t always protect you as thoroughly as you think. For instance, many free VPN providers keep a log of all users, and their internet traffic. So while encrypted data is safe coming into and out of your computer, and to and from their server, there is a still a log of what you have been doing. And while the majority of VPN providers aren’t about to turn you into the authorities, they are legally obliged to turn over what they know if presented with a subpoena. If you want a truly secure, logless connection, check out these six privacy-focused VPNs. VPNs are an excellent, easy way to take some privacy back, without having to change from your regular browser, or alter your general browsing habits and internet use. Summary of Tor vs. I2P vs. VPN If you want super-private browsing, access to the darkweb, and don’t mind a slight dip in internet speed, choose Tor. If you want super-private access to hidden services and messaging tools across a distributed network of peers, and still don’t mind a slight dip in internet speed, choose I2P. Finally, if you want to encrypt all your incoming and outgoing network traffic, and really, really don’t mind a slight dip in internet speed, choose a VPN. Some choose to use Tor Browser over a logless VPN. Others simply fire up a free VPN when they want to access their online banking in a local cafe (this is very sensible). Regardless, a VPN is now a vital piece of accessible security and privacy technology that I would advise anyone to consider. Article source
  12. Windscribe VPN 1.70 Build 3 Stable Internet As It Should Be Windscribe is a desktop application and browser extension that work together to block ads and trackers, restore access to blocked content and help you safeguard your privacy online. Learn More. What's New: https://blog.windscribe.com/windscribe-1-7-changelog-8afa50f3b297 We’ve been working on this version for quite a while, existing installations should prompt you to update the app over the next 48 hrs. Here is what’s new. Changelog: Added city level location selection Added Automatic Connection mode Added support for 22 languages Added custom TAP adapter Added “Ignore SSL Errors” option Added notifications when firewall is ON and application not connected Added “Advanced Parameters” screen Added EULA to the installer Added IPv6 connectivity disable button, to prevent WebRTC leaks over IPv6 in some situations Added Touch support Added Beta channel Fixed auto-start bug on some systems Fixed Internet connectivity check Fixed persistent session storage Fixed API connectivity on restrictive networks Fixed unquoted service path Fixed disappearing Best Location Fixed WSD port connectivity while firewall is ON Fixed PlayStation UPNP connectivity while firewall is ON Fixed reconnection bug on computer wake up on some systems Changed the Preferences screens Changed the connecting spinner animation Downloads: Windscribe for Your Computer: Windscribe for Your Browser: Windscribe for Your Phone: Windscribe for Your Router:
  13. Tor 0.3.0.6 released The Tor Project announced that Tor 0.3.0 is now officially the new stable series of the free and open-source software project designed to prevent government agencies from learning your location or Internet browsing habits. After being in development for the past several months, Tor 0.3.0.6 is now the latest stable version of the software, introducing a bunch of new features and improvements. The most prominent one being the revamp of the guard selection algorithm to better resist guard-capture attacks by hostile local networks. The Tor 0.3.0 stable series also deprecates the use of old RSA1024 keys for both relays and clients, which now make use of Ed25519 keys to authenticate their link connections to relays. As such, the default for AuthDirPinKeys is now 1, and it looks like circuit crypto has been Curve25519-authenticated. "By default, this is controlled by a consensus parameter, currently disabled. You can turn this feature on for testing by setting ExtendByEd25519ID in your configuration. This might make your traffic appear different than the traffic generated by other users, however," reads the release announcement. Moreover, Tor 0.3.0 lays more groundwork for the upcoming next-generation hidden services by enabling handling of ESTABLISH_INTRO v3 cells, along with support for the HSDir version 3 protocol for all Tor relays, allowing storing and serving of version 3 descriptors. Tor 0.3.0 stable series to be supported for nine months Among other noteworthy features implemented in Tor 0.3.0.6, we can mention better resist DNS-based correlation attacks, such as the DefecTor attack of Greschbach, Pulls, Roberts, Winter, and Feamster, by changing the algorithm used for determining DNS TTLs on both server and client side. IPv6 traffic is now enabled by default on SocksPort, a "check_existing" mode was injected into the updateFallbackDirs.py script for checking if fallbacks in the hard-coded list work correctly or not, and Tor replays now support a broader range of ciphersuites, including AES-CCM and chacha20-poly1305. A list of ciphersuites that are closer to the ones preferred by the Mozilla Firefox is now advertised by Tor clients, a new protocol version for proposal 224 has been added, and it looks like descriptors that claim to be malformed versions of Tor are now automatically rejected by directory authorities. Two OutboundBindAddressOR and OutboundBindAddressExit options are now used to allow separation of exit and relay traffic to different source IP addresses, the smartlist_add(sl, tor_strdup(str)) function was replaced by smartlist_add_strdup(), and the length of RSA keys used for TLS link authentication was extended to 2048 bits. The geoip and geoip6 databased have been updated to the April 4 2017 Maxmind GeoLite2 Country database. Tor 0.3.0 stable series will be supported for at least nine months starting today, or for three months after the release of the Tor 0.3.1 series. You can download the Tor 0.3.0.6 source tarball right now from our website. Changelog Source
  14. VPN services have become an important tool to counter the growing threat of Internet surveillance. Encrypting one's traffic through a VPN connection helps to keep online communications private, but is your VPN truly anonymous? We take a look at the logging policies of dozens of top VPN providers. Millions of Internet users around the world use a VPN to protect their privacy online. Unfortunately, however, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network. This is the main reason why we have launched a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects. This year’s questions are as follows: 1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user/users of your service? If so, what information do you hold and for how long? 2. What is the registered name of the company and under what jurisdiction(s) does it operate? 3. Do you use any external visitor tracking, email providers or support tools that hold information about your users/visitors? 4. In the event you receive a takedown notice (DMCA or other), how are these handled? 5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened? 6. Is BitTorrent and other file-sharing traffic allowed (and treated equally to other traffic) on all servers? If not, why? 7. Which payment systems do you use and how are these linked to individual user accounts? 8. What is the most secure VPN connection and encryption algorithm you would recommend to your users? 9. How do you currently handle IPv6 connections and potential IPv6 leaks? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops? 10. Do you offer a custom VPN application to your users? If so, for which platforms? 11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party? Do you use your own DNS servers? 12. What countries are your servers located in? — Below is the list of responses from the VPN services in their own words. Providers who didn’t answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value. Continue reading Which VPN Services Keep You Anonymous in 2017?
  15. Millions of BitTorrent downloaders use proxies or VPN services to protect their privacy. These tools offer anonymity by replacing one's residential IP-address with that of the privacy service. But do they really work? Luckily, there's now an open source tool people can use to test their setup. Every day dozens of millions of people share files using BitTorrent, willingly exposing their IP-addresses to the rest of the world. For those who value their privacy this is a problem, so many sign up with a VPN provider or torrent proxy service. This is fine, but some people then forget to check whether their setup is actually working. While it’s easy enough to test your web IP-address through one of the many IP-checking services, checking the IP-address that’s broadcasted via your torrent client is more complex. There are a few services that offer a “torrent IP check” tool, but for the truly paranoid there’s now an Open Source solution as well. The developer, who goes by the nickname “cbdev”, found most of the existing tools to be somewhat “fishy,” so he coded one for himself and those who want to run their own torrent IP checkers. “I’d rather have something I can control entirely,” cbdev tells TF. “So, I wrote a tool people can install on their own servers, with the added bonus of it using magnet links, so ‘Tracking torrent’ files are required,” he adds. The ipMagnet tool allows BitTorrent users to download a magnet link which they can then load into their BitTorrent client. When the magnet link connects to the tracker, the user’s IP-address will be displayed on the site, alongside a time-stamp and the torrent client version. Alternatively, users can check out the tracker tab in their torrent clients, where the IP-address will be displayed as well. For users who are connected to a VPN, the IP-address should be the same as the one they see in their web browser, and different from the IP-address that’s displayed when the VPN is disconnected. Proxy users, on the other hand, should see a different IP-address than their browser displays, since torrent proxies only work through the torrent client. People are free to use the ipMagnet tool demo here, but are encouraged to run a copy on their own server. The whole project is less than 500 lines of code, so those with basic knowledge of PHP, JavaScript and HTML can verify that it’s not doing anything nefarious. If you’re setting up a copy of your own, feel free to promote it in the comments below. Those who want more tips can read up on how to make a VPN more secure, and which VPN providers and torrent proxies really take anonymity seriously. Source: TorrentFreak
×
×
  • Create New...