1 21d-PracticalPersonal

This is a common pattern:
https://www.reddit.com/r/ProgrammerHumor/comments/aloi5v/programmers_know_the_risks_involved/

1.1 Screencasts

• Password for the Vimeo videos is in Zulip chat.
• SP21: https://vimeo.com/545190785
• FS20: https://vimeo.com/416093158
• Tip: If anyone wants to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in: document.querySelector('video').playbackRate = 1.2

1.2 How to set up a small business or personal computer securely

Not an academic lecture today!
A sample practical activity in setting up a personal computing environment,
for Confidentiality, Integrity, and Availability (the basic CIA of textbook security), for common tasks.

From the bottom up, hardware to high level:

1.3 Computer hardware, firmware, crypto-keys

Hardware in security arms race?
Hardware and higher level compromise?

• Computer hardware (open, secure)
  • Lists of open, and thus at least verifiable, if not trustworthy, hardware:
    • https://www.gnu.org/philosophy/free-hardware-designs.en.html
    • https://www.fsf.org/resources/hw
  • Actually open:
    • https://en.wikipedia.org/wiki/OpenPOWER_Foundation
    • https://www.raptorcs.com/TALOSII/
  • Partially:
    • https://puri.sm/
  • A newcomer in 2019, not mature yet
    • https://en.wikipedia.org/wiki/OpenRISC
• Hardware key tokens: manage passwords, 2-factor, etc.
  • https://onlykey.io/
  • https://www.nitrokey.com/
  • https://solokeys.com/

1.4 BIOS, firmware-level

• BIOS firmware
  • https://en.wikipedia.org/wiki/Libreboot
• Set up a BIOS password
• Disable booting from USB sticks (other than at your first install)
• Secure boot enabled (perhaps…): https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
• https://www.qubes-os.org/doc/anti-evil-maid/
  • https://en.wikipedia.org/wiki/Trusted_Platform_Module
  • https://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html
  • https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

1.5 Choose your computer operating system

• https://en.wikipedia.org/wiki/List_of_Linux_distributions
  • General purpose, with decent security emphasis
    • https://www.debian.org/
      • https://en.wikipedia.org/wiki/Debian
    • https://www.opensuse.org/
      • https://en.wikipedia.org/wiki/OpenSUSE
    • https://getfedora.org/
      • https://en.wikipedia.org/wiki/Fedora_(operating_system)
  • https://en.wikipedia.org/wiki/Security-focused_operating_system
    • Offensive
      • https://www.kali.org/
        • https://en.wikipedia.org/wiki/Kali_Linux
      • https://labs.fedoraproject.org/en/security/
      • https://www.blackarch.org/
    • Defensive
      • Server-focus and special purpose (e.g., banking, email server)
        • https://www.openbsd.org/
          • https://en.wikipedia.org/wiki/OpenBSD
        • https://www.centos.org/ (changing focus now)
          • https://en.wikipedia.org/wiki/CentOS
      • Broad or personal computing, anonymity
        • Persistent
          • https://www.whonix.org/
            • https://en.wikipedia.org/wiki/Whonix
            • https://www.whonix.org/wiki/Computer_Security_Education
          • https://www.qubes-os.org/
            • https://en.wikipedia.org/wiki/Qubes_OS
          • https://subgraph.com/ (dead, insecure)
            • https://en.wikipedia.org/wiki/Subgraph_(operating_system)
        • Not persistent (live)
          • https://tails.boum.org/
            • https://en.wikipedia.org/wiki/Tails_(operating_system)

1.6 Securely obtain the image file for your distribution

• Verify the signature
  • https://help.ubuntu.com/community/HowToSHA256SUM
  • https://en.opensuse.org/<SDB:Download_help#Checksums>
    • https://en.opensuse.org/<SDB:Live_USB_stick#Using_commandline_tools>
  • https://www.whonix.org/wiki/VirtualBox/Verify_the_virtual_machine_images_using_the_command_line
  • https://tails.boum.org/install/download/openpgp/index.en.html#command-line
  • https://www.kali.org/downloads/
• If you are installing on your hard drive, make sure you have a clean USB stick

1.7 Install

• Encrypt the whole disk
  • Choose a very long good password
• Encrypt your user directory
  • Choose a very long good password
• Create a user account with sudo access, so you don’t need to use the root account much if at all
• Configure firewall settings (if not connected to a safe network, before updates)
  • Either use an easy GUI (gufw, fedora firewall, etc) or iptables

1.8 Update all software (if not already done)

1.9 Post-install system OS hardening and configuration

• Set up screen lock!
• Elements / basics
  • https://help.ubuntu.com/community/Security
  • https://wiki.ubuntu.com/BasicSecurity
  • https://securityinabox.org/en/guide/basic-security/linux/
• Whole-system / detailed:
  • https://doc.opensuse.org/documentation/leap/security/html/book.security/index.html
    • http://linux-pam.org/Linux-PAM-html/adg-example.html
  • http://www.tldp.org/HOWTO/Security-HOWTO/
  • https://www.debian.org/doc/manuals/securing-debian-howto/
  • https://debian-handbook.info/browse/stable/security.html
  • https://wiki.centos.org/HowTos/OS_Protection
• Networking (more to come later!)
  • How to set up secure remote access to your computer
    • https://wiki.centos.org/HowTos/Network/SecuringSSH
  • https://wiki.centos.org/HowTos/Network/IPTables
• Enable advanced sandboxing and access controls via AppArmorSELinux.html

1.10 Software

• General survey of secure and/or privacy-friendly applications for personal use:
  • https://prism-break.org/en/all/
  • https://www.privacytools.io/
  • https://github.com/Lissy93/personal-security-checklist
• VirtualBox, KVM, virtual machines
  • Use snapshots to keep the updated state clean!
• Web browsing
  • Browser choice
    • https://www.mozilla.org/en-US/firefox/
    • https://www.torproject.org/download/download-easy.html.en
      • https://www.eff.org/pages/tor-and-https (infographic)
      • https://en.wikipedia.org/wiki/Onion_routing
    • https://www.whonix.org/wiki/Comparison_with_Others
  • JavaScript: https://noscript.net/
  • Fingerprinting:
    • https://panopticlick.eff.org/
    • https://coveryourtracks.eff.org/
    • https://privacy.net/analyzer/
  • HTTPS
  • Browse in a virtual machine, and refresh snapshots!
• Communications:
  • Text/data
    • Comparison tables
      • https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients#Secure_messengers
      • https://bitmessage.org/wiki/FAQ#How_does_Bitmessage_compare_to_other_messaging_methods
      • http://secushare.org/comparison
    • Email can be secure?
      • gnupg (good, but not PFS: https://en.wikipedia.org/wiki/Forward_secrecy)
        • https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
        • https://en.wikipedia.org/wiki/GNU_Privacy_Guard
        • https://www.gnupg.org/related_software/frontends.html#sec-1-2
        • https://www.mailvelope.com/
    • Chat-compatible encryption with perfect forward secrecy
      • https://en.wikipedia.org/wiki/Off-the-Record_Messaging
      • https://en.wikipedia.org/wiki/Signal_Protocol
      • https://en.wikipedia.org/wiki/OMEMO
        • https://conversations.im/
      • https://github.com/wireapp/proteus
        • https://wire.com/
    • p2p for A in CIA, (cryptography for the C and I)
      • Bote: https://en.wikipedia.org/wiki/I2P
      • Tox:
        • https://en.wikipedia.org/wiki/Tox_(protocol)
        • https://tox.chat/
  • Voice/video: https://en.wikipedia.org/wiki/Comparison_of_VoIP_software#Secure_VoIP_software
    • https://tox.chat/
    • https://en.wikipedia.org/wiki/ZRTP
      • https://linphone.org/
    • https://wire.com/
    • http://retroshare.net/ (and file sharing, email, etc.)
• Password managers: https://en.wikipedia.org/wiki/Comparison_of_password_managers (not Linux/Unix exclusive)
  • A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or calculating them on demand. Types of password managers include:
  • locally installed software applications
  • online services accessed through website portals
  • locally accessed hardware devices that serve as keys
  • Remote versus Local
    • Remote, for example: https://lastpass.com
    • Local, for example: https://keepassxc.org/
• Hosting / server for C, I, and A in CIA triad
  • Tor hidden services:
    • Example: https://en.wikipedia.org/wiki/Sci-Hub (scihub22266oqcxt.onion) can only be visited using Tor browser, and can’t easily be located or taken down forcibly (availability)
  • Eepsites: https://geti2p.net/en/
    • https://en.wikipedia.org/wiki/I2P
• File-sharing/transfer:
  • see general links above for secure p2p/direct file transfer methods
  • securing basic rsync
    • https://www.upguard.com/articles/secure-rsync
  • https://syncthing.net/
  • https://onionshare.org/
  • http://retroshare.net/ (and file sharing, email, etc.)
• Remote access:
  • ssh hardening
  • ssh on hidden service server
• Collaboration: see general links above

1.11 Privacy

Personal privacy tools:
https://ssd.eff.org/
https://www.sjpl.org/privacy
http://thgtoa7imksbg7rit4grgijl2ef6kc7b56bp56pmtta4g354lydlzkqd.onion/guide.html

1.12 Operational Security (OpSec)

The most important thing on this list: STFU…

A fun note on modern interent op-sec: https://sive.rs/anon

1.13 Tangent: Phone

Are there any fully open/transparent phones? Not really, but some laudable efforts:

https://www.pine64.org/pinephone/

http://libresmartphone.com/open-hardware-smartphone/

https://en.wikipedia.org/wiki/Openmoko
http://wiki.openmoko.org/wiki/Main_Page

https://puri.sm/shop/librem-5/

https://volla.online