Most secured and private tools.

[SoldierOfCryptoWar]

We live in a world of total surveillance, call me paranoid, but i am sure someone watching us. I have nothing criminal to hide, but surveillance make me feel uncomfortable anyway so i decided use some private tools. I found out about MEGA cloud storage, VeraCrypt disk encryption software, protonmail email service and private vpn. I need a messenger, operating system, browser and many more.

How you do stay anonymous in the internet? What tools do you use?

[rowie]

MESSENGER: signal

OS: Parrotsec (all apps sandboxed & disc full encryption)

MAIL: protonmail & mailbox.org

CHAT: pidgin & revolt

VPN: own OpenvpnAS

PHONE-OS: LineageOS

 

did I forgot something?

[M4sh1lo]

Your best tool for security is yourself...

Edited July 15, 2019 by M4sh1lo

[SoldierOfCryptoWar]

On 7/14/2019 at 7:14 PM, rowie said:

MESSENGER: signal

OS: Parrotsec (all apps sandboxed & disc full encryption)

 MAIL: protonmail & mailbox.org

CHAT: pidgin & revolt

VPN: own OpenvpnAS

PHONE-OS: LineageOS

  

did I forgot something?

Your list look good, from the side you look like total paranoic, i recommend you to check out messenger Utopia at beta.u.is, new secured soft from paranoics like you and me

[theUNK0WN]

On 7/15/2019 at 6:06 PM, M4sh1lo said:

Your best tool for security is yourself...

Yet, the biggest vulnerability in security is yourself. 🤔

On topic ... I use Debian-based OS with my own code and some imported "tools". For emails, I have a lot of them. For all other stuff, let's just say it's "NULL". Don't want to give away my secrets 😉 but for internet privacy - proxy chains.

[articzebra]

The sad reality is, at least from what I've read; most security experts put the emphasis on security on the individual and following pretty much straightforward op sec. I read a research paper by Google which conducted research on both the average user population and security experts around the world to find out what the average user believes is enough to protect them and then what the expert believes is enough. The experts put emphasis on methods like regular software updates, password managers, 2FA and forced HTTPS whilst the average user put emphasis on antivirus and specific software solutions.

Most experts avoided recommended software to protect the user against specific threats. The naivety of modern society implies we can be secure if we download something from the internet and when you think about it it's not so different from how most of the western world believes they can just turn up at hospital to fix their issues in life or seek therapy hoping for a quick fix to their issues. It's never been that simple. I read another article about information security and it pretty much said this; the only way to truly protect yourself is to choose to become completely isolated from any network whatsoever ie have NO connection to the internet, local area networks or utitlize any sort of connectivity whatsoever that connects one machine to another. A simple example of this is how the pros advise on stopping your phone from being compromised; put it into a faraday bag. The only down side to this is you can't use it at all! From what I've read that's pretty much the same for computers like laptops and desktops etc.

In 2012 the "Five Eyes" hacked into a Belgium telecommunications company which gave them unparralled access to a large portion of the worlds telecommunications data from Europe to the US and beyond. One of their intentions was to intercept traffic in order to access it before it was encrypted and/or received by the intended destination address ie a server. In 2014-15  they hacked into the network infrastructure of Iran and had control of pretty much every single critical system in the country. Their real intentions were to stop them from making weapons grade nuclear material but they also had a backup plan if it was to spark a war and their plan was to take down every single system that made the country run; banks, energy plants, the financial economy etc. Such attacks render an app from the Play Store pretty much obsolete I feel. Not just that but then we can talk about the mass surveillance conducted as we speak by the US government. They recently began building their very own data farm to store the world's data they have/are sucking up. I think it's pretty dumb to assume that your phone calls, text messages, email etc have not inadvertingly been intercepted by these programmes and are sitting on a hard drive somewhere. What about MITM attacks the government can do very easily by setting up rogue APs and cell towers? They've been selling hardware like this for years. Whose to say they haven't already used it in your area? You may encrypt communications on your computer but very few are that technically gifted to have specialized cell phones to circumvent surveillance. Then we have the issues with ISPs complying with government surveillance and their requirement to allow the government access to their data whenever these governments wish.

It's pretty naive to assume downloading software is going to save you. Sure, PGP will encrypt your emails for example but whose to say the software you used to encrypt the communications hasn't been backdoored or has an unknown vulnerability? The NSA have a collection of 0 day exploits for endless amounts of software and they also can implant on a whim exploits into software and hardware. I read the other day how a popular PGP software had a flaw whereby an attacker could compromise the encryption of a PGP key rendering it fairly useless and easy to decrypt. The Tor network has had flaws in it and yet people use it often believing it offers the ultimate protection; rogue exit nodes just to name one example. It's now also becoming known that the government can deanonymise users of the Tor network and even websites hosted on the Tor network. Sure a VPN will help but whose to say your VPN provider hasn't been compromised? Whose to say they don't keep logs? Says who? Them? How do you know? HMA ratted out a customer a few years back who was believed to have hacked a number of companies using a HMA VPN account. They were asked to comply and provide details and so they did and the resulting after effects was the individual in question was revealed and later arrested.

Just think about how the government themselves have been hacked in the past. Just think how ransomware has taken over many parts of the US and these attacks have been targetted at the US government, namely in the very area where the NSA works - Baltimore. The government have trouble preventing attacks from happening and sometimes it's as easy as opening a dodgy attachment and you're in. The EternalBlue exploit was known for a long time by the NSA and was only patched some years after when the ShadowBrokers leaked it to the world and the NSA had to in decency report the vulns and subsequently the SMB exploit was patched. Whose the say there are not these sorts of inherent vulns in the very software you are using right now? How can you protect yourself when your system could now be compromised by a bad guy simply executing a particular set of instructions which gives them access to your system? Goodbye to your protection then. VPN won't matter when persistence has been planted and the backdoor firmly opened.

The best security is to get off the grid, disconnect from the WWW and completely isolate yourself and your digital life from the outside world. Even then, look at the attack on the air gapped Iranian nuclear power plant not that long ago. It was air gapped! And all it took was an insider to plug in a USB stick into a computer and the rest is history. Goodbye to your AV, firewall, VPN, encrypted chat software etc. Game over. You lose.

[Ondaly]

The best and most secure Messanger for Phones is the swiss made app threema. https://threema.ch/en.

From their website:

What makes threema secure ?

Threema uses state-of-the-art asymmetric cryptography to protect messages and calls between sender and receiver, as well as the communication between the app and the servers. Threema uses the Open Source NaCl library for encryption, which is open to independent audits. Anyone can validate Threema's correct application of the encryption.

There are two layers of encryption: the end-to-end layer between the conversation participants, and an additional layer to protect against eavesdropping of the connection between the app and the servers. The latter is necessary to ensure that an adversary who captures network packets (e.g. on a public wireless network) cannot even learn who is logging in and who is communicating with whom.

All encryption and decryption happens directly on the device, and the user is in control over the key exchange. This guarantees that no third party — not even the server operators — can decrypt the content of the messages and calls.

Strength of the encryption: The asymmetric ECC based encryption used by Threema has a strength of 255 bits. Accordingto a NIST estimate (page 64), this corresponds at least with the strength provided by 2048 bit RSA. ECDH on Curve25519 is used in conjunction with a hash function and a random nonce to derive a unique 256 bit symmetric key for each message, and the stream cipher XSalsa20 is then used to encrypt the message. A 128 bit message authentication code (MAC) is also added to each message to detect manipulations/forgeries.

Forward secrecy: Threema provides forward secrecy on the network connection (not on the end-to-end layer). Client and server negotiate temporary random keys, which are only stored in RAM and replaced every time the app restarts. An attacker who has captured the network traffic will not be able to decrypt it even if he finds out the long-term secret key of the client or the server after the fact.

 

For detailed technical information about the cryptography in Threema, read the Cryptography Whitepaper.

 

 

https://threema.ch/en/faq