How to stay safe/private on the net

Discussion in 'Real Life Discussion' started by Nazgus, Nov 8, 2019 at 5:33 AM.

  1. Nazgus

    Intro

    In the spirit of New Thread Thursday, I thought I'd make a thread for us to pool our knowledge about Password Managers, VPNs, and assorted browser extensions/software to keep ourselves safe and our data private on the internet.

    The first and most important step (imo), is to freeze all your credit reports.

    But since that requires setting up accounts, the real first thing you should do is choose a password manager.

    Password Managers

    Humans are simply incapable of remembering unique passwords of sufficient entropy for the number of sites we have to create accounts for. A password manager lets you remember a single high entropy (meaning secure) password which you can use to access all your other passwords.

    My password manager of choice is LastPass. A premium account only runs you $36 annually, which is very affordable.

    Some other ones that got mentioned on Discord are 1Password and Norton.

    Only advice is to not get any free shit, because if you're not paying cash you're paying some other way, and the point here is to minimize it.

    Credit Reports

    That settled, back to credit reports. Considering the sheer number of breaches that are reported, and just how many must go unreported, absolutely everyone should have their credit reports permanently frozen at all three major credit bureaus. Whenever you need to use it (opening a new credit card, getting a loan, mortgage, etc), you can do a temporary unfreeze and you'll be good.

    Also, don't fall for any of their 'Credit Lock' bullshit. A credit freeze is defined by law, and they're forced to give it to you for free. Anything else they offer is an attempt to let them keep making money off of your credit reports.

    Here are the links to freezing your credit scores (or checking on current freezes) at each of the three:

    TransUnion - This one I recommend checking in on, because they updated their site and split the log-in for freezes from everything else, and your previous log-in is naturally associated with all their other services even if you only used it for the freeze. So everyone should go in and make sure they have this set up so that if you're in crisis you can just log in and not deal with the verification process while stressed.

    Equifax- These are the morons who got hacked by not patching their servers when they were warned months in advance that there was an incoming critical security patch. Enough said. EDIT: Went in to check on my freeze and they ALSO pulled some shit and made me make a new account. Would also recommend everyone check in on it...

    Experian - This one doesn't seem to have an interface for checking on the status of your freeze, so I'll have to find a customer service number to confirm that some other time.

    VPN

    I currently use VyprVPN, but that's more because I get access to it through my dad's plan and am still a student (i.e. poor). Don't love it because the phone app keeps dying and losing connection without telling me it's done so. Would love to hear more about what others use as I'll soon graduate and make enough money to buy my own VPN service.

    One I'd toss in the ring is ExpressVPN. They're a sponsor on the Security Now podcast which is relatively selective with its sponsors and they say good things about it.

    The other one I'll mention is Blokada (link to their VPN). No idea how good it is, but I use them for their ad blocking capabilities on Android, so they get a mention.

    Ad/Tracker Blocking

    Ads suck. There's a number of easy to use browser extensions for blocking them, my go-to is uBlock Origin (Firefox, Chrome).

    Little trickier on the phone, but that's where the above-mentioned Blokada comes into play. This is an app you can install that will run in the background and block all requests for ad domains using your phone's VPN API, so you're able to browse the web without seeing any ads ever. More details here. As mentioned above, they also have a VPN which I haven't tried out, along with a DNS configuration service so you can prevent your ISP from gathering data on you through there.

    With those basics settled, let's talk search engine. You should really be using DuckDuckGo. In case you're unaware, Google tracks everything you do and sells your data. DDG is a perfectly fine search engine that does you the courtesy of, you know, not. They also have a Firefox extension that does a number of things, from rating the websites you're on for security/privacy, ensuring sites are using the highest encryption possible, and blocking third party trackers.

    EDIT: On the note of Google selling all your data, I recommend switching to Firefox for your browser. I honestly like Chrome a bit better, but Firefox does everything you need, includes its own tracking blocker, and is generally more careful/private with your data than Google is.

    Ghostery is another ad blocking, tracking disabling one I like. And the final one of these I use is Privacy Badger, which does the extra bit of monitoring what is tracking you across different sites, and blocking them.

    Related is the Facebook Container, which makes Facebook run in a container and prevents it from tracking you across the web by limiting their cookies to just the container. This will break embedded Facebook content, but the only place I've noticed it is the funny pictures thread here and I can get around it by right-clicking to copy the link and opening it in a private session (incognito mode for Firefox).

    General Security

    The only browser extension I have to add that didn't fit in anywhere else is HTTPS Everywhere, which does exactly what the name says: force websites to give you the secure version of their site. If none is available, it warns you and lets you proceed at your own risk.

    There's also this wonderful iOS app called OverSight which monitors your mic and webcam, and alerts you when the internal mic is activated, or whenever a process accesses the webcam. You can also tell it to block everything from using it, and just whitelist things as you use it for valid things. This makes it so that even if you're not paying attention you can't somehow miss a notification and not know it's being used.



    And that's it for me. Would love to hear other people's thoughts on this, and add to my list of extensions/software.
     
    Last edited: Nov 8, 2019 at 5:42 AM
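The entropy argument in the post above, worked through as an added example (editor's code, not part of Nazgus's post or of any password manager). It assumes a password generated uniformly at random from a known alphabet, which is what a manager's generator does and what a human does not; the guessing rate in the demo is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Constructed alphabets for this example (not from the original post).
ALPHABETS = {
    "digits": string.digits,                                                 # 10 symbols
    "lowercase": string.ascii_lowercase,                                     # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,                    # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size).
    Only holds for generated passwords; a human-chosen one is far below this."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits from the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str) -> str:
    """Uniform random password from the OS CSPRNG (secrets). Never use random.choice:
    the Mersenne Twister state is recoverable from 624 consecutive outputs."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected (half-keyspace) time for an offline guessing attack at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline cracking rate (guesses/s) for illustration only
    for name, alphabet in ALPHABETS.items():
        bits = entropy_bits(12, len(alphabet))
        print(f"12 chars of {name:12s}: {bits:5.1f} bits, "
              f"{years_to_brute_force(bits, rate):.2e} years at {rate:.0e}/s")
    need = length_for_bits(80, len(ALPHABETS["printable"]))
    print("length for 80 bits from printable ASCII:", need)
    print("sample:", generate_password(need, ALPHABETS["printable"]))
```

The point to take from the numbers: a 12-character password from the full printable set is near 79 bits, an 8-digit PIN is under 27, and the manager's generator is the only practical way to get the former for every site.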
  2. Heleor

    Firefox on mobile allows extensions (for now?) so you can use ublock origin on Android as well. (iPhone requires the VPN solution, but overall it's better to not have to trust the VPN-based code)
     
  3. Nazgus

    Nice, didn't know that. Doesn't seem to have the full selection, but I added what I could on it.

    Will keep Blokada running though... just to be sure...
     
  4. Innomine

    One thing you did not address, is why should we use a VPN?

    Also, I am assuming that your advice on freezing credit reports is limited to the US? Or do I have to care about this in NZ too?

    Edit: Also, great post idea!
     
  5. Nazgus

    Lol, great point...

    You should use a VPN because everything everywhere is tracking you to build a perfect profile that will let them sell you whatever they want to sell you, and convince you to vote for whatever they want you to vote for. The sheer amount of information these companies are amassing about us is as disgusting as it is massive, and a VPN prevents a lot of it by routing all your traffic to their servers first, and then having it pop out (anonymized with all the other customers') the other end and go to your actual destination.

    This also has the added benefit of letting you get around government censorship, because as far as anyone outside your VPN is concerned, their server is the only place you ever go. All the VPNs worth their salt also have a mode that does some extra stuff to get around heavy government blocks like China's.

    A very important note is that whichever one you choose, it must be a paid one. If it's free then your data is the product, and that's exactly what you're using a VPN to avoid.

    A side benefit is that it also lets you watch Netflix/Hulu/etc catalogues from other countries, since you can choose which of the VPNs servers to have your traffic pop out of. As far as the streaming service is concerned, you're off wherever you please.

    To the credit freezing, I think yes, but I'd check on how credit reports work in your country to see if there's something similar you should be doing.
     
  6. Innomine

    Ty for that.

    What's your opinion on the Brave browser? Does it do all of this for you automatically?
     
  7. theronin

    If you don't mind doing a little micromanaging, I recommend uMatrix for ad/tracker blocking. It's a bit of a pain to get working, but once you have the sites you use regularly set up it's fantastic.
     
    Oz
  8. MonkeyEpoxy

    The HTTPS everywhere addon is something I've never thought of, thanks for that. I'm a NordVPN guy right now even if all the damn advertising they do makes me leery, but I'm with them for a couple more years thanks to that deal. It helps that I've never had a single problem with them on either PC or mobile.
     
  9. Jon

  10. Jon

  11. MonkeyEpoxy

    I mean, the money is already paid.
     
  12. Zombie

    For the takeouts if they allow you to delete the data do so, and do it frequently. On Facebook, Google, discord, etc.

    An alternative to using an ad blocker is hosts file editing. Essentially the same thing, but it doesn't remove the containers from a web page. You can use custom CSS for that if you want.
     
  13. Genghiz Khan

    Oh lookie, a thread not related to my work domain in which I can answer with a reasonable degree of assurance.

    Browsing

    So for browsing, I'd recommend Firefox over Chrome, simply because of the presence of about:config. There's loads of configuration options there which can be used to totally lock your browser down (on desktop, of course, not anywhere else as of now to my knowledge). A good set of options can be found in this user.js and this one. Do be aware that if you blindly apply them you're going to go into tinfoil mode and break websites. The first one has a relaxed variant which ought to be okay for most people.

    Continuing on, a bunch of Firefox Extensions which are both privacy oriented and open source:
    • Canvas Blocker: It prevents canvas fingerprinting through JavaScript by randomising your fingerprint on each site. This can break QR codes, which seem to require canvas fingerprinting to render properly. It works fine with nearly 99% of everything I've encountered on the web, though
    • ClearURLs: It removes tracking elements from URLs. A set and forget extension
    • Cookie Autodelete: Probably one of my most used extensions, it allows you to delete cookies from sites after you're done visiting them. It takes a while to set up, but once done, it's a godsend. It integrates with Firefox Container Tabs addon as well. This can require extensive customisation, so be prepped to add exceptions to sites you wish to stay logged in to. As a bonus, you can read as many news articles from sites which provide you with, say, 3 free articles a month because they keep track of that stuff through cookies
    • CSS Exfil Protection: This sanitises CSS to prevent fingerprinting. It's a set and forget extension
    • Decentraleyes: Another set and forget extension. It serves some CDN (Content Delivery Network) resources locally, saving bandwidth and making sure that the CDNs it supports never get to find out about your browsing habits. It's never broken anything for me
    • ETag Stoppa: ETags are another vector to remove anonymity. This extension strips them from HTTP requests. This is a set and forget extension
    • Firefox Multi Account Containers: This is the best reason to use Firefox. It allows you to separate website data and awareness of each other in the same way Chrome Profiles allow you to, but with a much sleeker UI and much better ease of use. It takes a while to setup, but once you've got a setup rolling, it stays with you forever. Its integration with Cookie Autodelete is pretty darn good
    • HTTPS Everywhere: Uses a bunch of predefined rules to redirect HTTP -> HTTPS (which you should be using wherever possible). A set and forget extension
    • Privacy-Oriented Origin Policy: It prevents Firefox from sending Origin headers when they're not really necessary. This is a set and forget extension
    • Smart Referrer: This hides HTTP Referrer and javascript referrers when clicking links if you go from one domain to another. This prevents the target domain from knowing where you've come from. Another set and forget extension
    • uBlock Origin: The king of privacy extensions, every privacy nut should build their browsing habits around this. Once you've got this, Ghostery, Privacy Possum, even uMatrix (unless you want amazingly fine-grained control) etc. are all superfluous. Ideally this should be run in medium or hard mode (go check that out on the addon wiki) and you can individually whitelist the domains required where needed. However, that takes effort, and easy mode (the default) is quite set and forget
    • Universal Bypass: This bypasses many link shorteners. A set and forget extension
    • ViolentMonkey: I'll plug this in because even though it's not a privacy extension, there's a bunch of good userscripts out there which can be used to better privacy
    A good user.js combined with these extensions ought to be a good way of increasing anonymity while browsing, imo.

    DNS

    In addition, one can use a hosts file (like this one) to block a bunch of trackers for the entire system. Another good recommendation here would be pi-hole, which does the same for an entire network. You could also use a third-party DNS service to bypass ISP filtering. However, since I don't trust Cloudflare or Google either, I'd like to plug OpenNIC, which is a set of DNS servers maintained by volunteers.

    VPNs

    As for VPNs, if you're going for a commercial solution, the only one I've used is AirVPN. Definitely quite recommended. I've never heard of them being compromised. However, if you truly want airtight security, I'd suggest using Streisand. This requires your own server somewhere in the cloud (a virtual server is also fine) and a bit of Linux-fu. It gives you the option of running a bunch of different types of VPNs, out of which I'd recommend WireGuard over any of the others, because of both the author of the project being Jason Donenfeld and it having nearly no overhead performance-wise. I've personally set up WireGuard on my server and bypassed the Great Firewall quite cleanly. If that doesn't work for you, it also sets up OpenVPN or a Tor Bridge, whichever one you want.

    Password Managers

    If you've got any Linux-fu, use pass. If that doesn't work for you, try using KeePassXC. Both of them are open source and can work with standard file syncing tools like Dropbox and all. However, if you don't want to deal with that, I've personally heard great things about Bitwarden. It's free, and can also be self-hosted, if you've got the skills for that. If you've got a phobia of all things free, though, then go for 1Password. The UX is amazing and the team behind it is solid. It is an expensive piece of software, though. I wouldn't recommend LastPass: the company behind them isn't exactly trustworthy and their browser extensions turn me off.

    Misc points
    • Duckduckgo is a pretty good search engine
    • I'd recommend shifting away from Gmail if you can help it. Many people can't because an email ID is the fount of your online identity, but if you can, go for a provider who takes money from you like Fastmail or Protonmail. You can buy your own domain and get email at contact [at] <your_name>.com, which is pretty awesome, and you can be assured no one's using your email to target spam or, worse, profile you using your e-receipts
    • Out of all file syncing platforms, use iCloud over the others because Apple is a more privacy-friendly company than Google or MS at this stage. If you've got the chops for it, try to host your own Nextcloud instance for contacts, calendars and files
    • Go through privacytools.io and go more in-depth for yourself. Some of it is legit tinfoil hat stuff, but you can pick and choose the bits you like
     
    Last edited: Nov 8, 2019 at 3:13 PM
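What ClearURLs (in the extension list above) does, reduced to its core and written as an added example: this is editor's code, not the extension's rule engine, and the parameter names and the `example.com` site rule are a constructed rule set for illustration, not ClearURLs' database.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed rule set for this example: a handful of well-known global
# tracking parameters plus two per-site ones. Not ClearURLs' rule database.
GLOBAL_TRACKING_PARAMS = {
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
    "fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid", "igshid",
}
# Keyed by registrable domain; a rule also applies to that domain's subdomains.
SITE_TRACKING_PARAMS = {
    "example.com": {"ref", "spm"},  # hypothetical site rule
}


def tracking_params_for(host: str) -> set:
    """Global parameters plus the site rules of the host and each parent domain."""
    blocked = set(GLOBAL_TRACKING_PARAMS)
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        blocked |= SITE_TRACKING_PARAMS.get(".".join(labels[i:]), set())
    return blocked


def strip_tracking_params(url: str) -> str:
    """Drop tracking query parameters, keeping the rest of the URL and the
    surviving parameters in their original order. The fragment is untouched."""
    parts = urlsplit(url)
    blocked = tracking_params_for(parts.hostname or "")
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in blocked]
    # urlencode re-encodes values; a space comes back as '+', the standard
    # application/x-www-form-urlencoded form for query strings.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    for u in ("https://shop.example.com/item?id=42&utm_source=nl&ref=abc&fbclid=xyz#top",
              "https://other.org/page?utm_medium=email",
              "https://other.org/a?q=hello+world&gclid=1&UTM_Term=x"):
        print(u, "->", strip_tracking_params(u))
```

Two caveats a rule list like this cannot cover: a site can move its tracking token into the path or the fragment, and a "click" URL that merely redirects to the real target has to be unwrapped by a separate redirect rule rather than stripped.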
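Zombie's hosts-file suggestion earlier in the thread and the hosts file / pi-hole section of the post above describe the same mechanism, so one added example covers both (editor's code, not from either poster). It parses a hosts-format blocklist, shows the difference between `/etc/hosts` matching (exact name only) and a network resolver rule that also catches subdomains, and merges lists. The sample list is constructed for the example; a real one, such as the list linked above, has the same line format.

```python
# Constructed sample in hosts-file format. Real blocklists are tens of
# thousands of lines of exactly this shape.
SAMPLE_HOSTS = """\
# Sinkhole list, constructed for this example
127.0.0.1 localhost
::1       localhost ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 a.example.com b.example.com
"""

# Addresses blocklists use to sinkhole a name. 0.0.0.0 fails fast; 127.0.0.1 is
# also common but makes the browser wait on a local connection refusal.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Loopback names that share those addresses and must not be treated as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> set:
    """Hostnames a hosts-format list points at a sinkhole address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRS:
            blocked.update(n.lower() for n in names if n.lower() not in LOCAL_NAMES)
    return blocked


def blocked_by_hosts_file(hostname: str, blocked: set) -> bool:
    """/etc/hosts semantics: exact name only. cdn.ads.example.net slips past an
    entry for ads.example.net, which is why lists carry so many variants."""
    return hostname.lower().rstrip(".") in blocked


def blocked_by_domain_rule(hostname: str, blocked: set) -> bool:
    """Resolver semantics (a Pi-hole wildcard/regex entry, or a dnsmasq
    address=/domain/ line): the name or any parent domain matches."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def merge_lists(*texts: str, sinkhole: str = "0.0.0.0") -> str:
    """Combine several lists into one deduplicated, sorted hosts-file block."""
    names = set().union(*(parse_hosts(t) for t in texts))
    return "".join(f"{sinkhole} {name}\n" for name in sorted(names))


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "cdn.ads.example.net", "localhost"):
        print(f"{host:22s} hosts-file: {blocked_by_hosts_file(host, blocked)!s:5s} "
              f"domain rule: {blocked_by_domain_rule(host, blocked)}")
    print(merge_lists(SAMPLE_HOSTS, "0.0.0.0 ads.example.net\n0.0.0.0 new.example.io\n"))
```

The exact-match limitation is the practical reason to put the list on a resolver you control (pi-hole, or dnsmasq on the router) rather than only in the local hosts file: the resolver can block a whole domain, and it covers every device on the network, including the phones the thread has been discussing. Note also that a hosts file only ever sees the name, so it cannot block ads served from the same hostname as the content, which is what Zombie means by the containers staying on the page.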
  14. Mordecai

    One thing to keep in mind for VPNs is that even if you're paying them, you're still handing all your browsing data over to them and you've no guarantee that they won't misuse it. It might be slightly paranoid of me, but you're basically making a choice of who you want to have misusing your data and if you want to pay for the privilege.
     
  15. duplaja

    Very nice introductory primer. One thing I'd like to see mentioned, or expanded on, is the use of 2FA / Two Factor Authentication where it's offered, as well as the various types. This is just a quick introduction, as lots more could be said about them.

    1. SMS 2FA: Not recommended, due to the many horror stories of people calling and getting a new SIM activated on an account using social engineering with the phone company. Definitely don't use this if you have something worth protecting: primary e-mail accounts, anything involving money (especially crypto), etc.
    2. App-Based 2FA (Authy, Google Authenticator, etc): Authy is the currently recommended option, last time I checked (someone please correct me if I'm wrong), due to the fact that they offer encrypted backups, so it's possible to recover and continue on a new phone. I haven't looked in a while, but last time I did, Google Authenticator didn't offer backups, so you were mostly out of luck if your phone died and you had to move to a new one (see notes on recovery keys below).
    3. Hardware Keys (Yubikeys, and otherwise): Requires the device to be physically present to either access the account, or to access a paired app-based 2FA code generator (won't generate without the key present). Most secure option, also a bit more technical knowledge required to set up. If you get one to use on the go, make sure you have one that supports NFC, or another interface method with your phone (some can use USB C). I personally like to have 2 key copies, one for my keychain and one that lives at my house.

    Important: Almost all places that let you enable 2FA give you the ability to generate one-time-use recovery keys. Do this, and keep them somewhere safe. Without these, if you lose access to your 2FA method, you WILL NOT be able to access your account (and if you do find a way to, you should immediately move to a different service because that ruins the whole point of 2FA). I usually throw these in a safe deposit box, printed. Shouldn't need to be said, but do NOT leave these laying around, physically or digitally, since they are the keys to the kingdom. (once you use one, you can disable 2FA from within the account).
     
  16. Genghiz Khan

    I’d say that while 2FA is still useful, especially HOTP, a password manager and randomly generated passwords changed semi-regularly (something a password manager encourages) are almost as safe. The only thing, I think, a TOTP would protect you against here would be a man in the middle/phishing attack. That makes sense for sensitive stuff like your bank and email accounts, where all the security in the world isn’t enough, but overkill nearly everywhere else, where it’s more a matter of convenience than security.

    Of course if you have a Yubikey or any other HOTP generator then use that wherever possible, the costs for doing so are trivial.
     
  17. duplaja

    I agree that it's probably overkill for some things. I've just gotten to the point that most of the accounts I actually access are in some way sensitive.

    Shopping (especially if there's any kind of linked payments), Online Payments, Emails (password reset risks, etc), Backups (Dropbox or AWS) and then anything client-work related (web-hosting, domains, DNS).

    Edit: Unpaired ) fix, was bothering me too much to leave alone.
     
  18. DR

    On the subject of credit scores, it is a good idea, if only from an insurance standpoint, to have comprehensive credit and identity monitoring. Preferably with a service that will monitor your addresses, emails, account numbers, and other elements, not just watch your credit reports. Here's a list of some available services but it's by no means comprehensive, so I recommend doing a bit of research. I use myIDcare, which wasn't in that list.
     