
Internet Security Walk-Through

This tutorial walks you through hardening your computer systems for better security and
It does not go into depth about why you should care to do this. It would take an entirely
new write-up for that.
I hope this benefits those of you who care enough to take the time to read it.
It will be a lifestyle change in your awareness and interaction in regards to the internet.
Using all new software might sound intimidating and this process will take some time.
But using better software makes the experience more pleasurable.
And knowing that you cut out most of what potentially tracks you, will leave you less
stressed and more assured.
Remember that no matter what you do to anonymize yourself, if you are logged into your
account on a website, that website has the ability to see what you are doing on that site.
E.g. YouTube can see your YouTube comments.
This tutorial walks you through setting up and tuning a new operating system and

If you decide to follow this entirely and install new operating systems, I hope you enjoy all
the great new software.
This tutorial is designed to walk you through getting your devices alike or similarly as

-DNS encrypted via DNSCrypt √
-Mac address spoofed √
-Open-source DD-WRT firmware router √
-Network Traffic wrapped in an encrypted tunnel and IP address location proxied with
Virtual Private Network √
-VPN set-up on router to allow access to all home network devices √
-Tor set-up for optional extra security/anonymity √
-Running all open-source software √
-Security enhancing browser extensions Blur, Interest Based Advertising Opt-outs, Google
Analytics Opt-out, HTTPS Everywhere, & Ublock √
-Blocked third party cookies and site data √
-Encrypted messaging via Telegram, encrypted video chat, audio calls, and messaging via
qTox √
-Secure Email via and providers with Enigmail/GnuPG set up √
-GNU Privacy Assistant GUI GPG Front-end for GPG encryption outside of email √
-Optional extra anonymous torrent downloading through onion routing via Tribler √
-Anonymous searches via Disconnect search √
-Veracrypt installed for future hard disk encryptions √
-Bitcoin wallet installed for Bitcoin use √
-Dark Wallet installed for future bitcoin anonymity √
-2048 character passwords with symbols, numbers, upper, and lower case letters (Not
generated and sent over the internet) √
-Root system password set √
-Running CyanogenMod √
(phone manufacturer bloatware removed, Android Google tracking removed, and root
access removed for apps)
-Running through a VPN √
-DNS encrypted via DNSCrypt √
-Android Privacy Guard to encrypt, decrypt and sign files, messages or emails using Public
Key Encryption (like OpenPGP) or encrypt/decrypt files or messages with symmetric
encryption, securing them with a password. √
-Security enhancing browser extensions Ublock and HTTPS by default √
-Anonymous searches via Disconnect search √
-Encrypted messaging via TextSecure and Telegram √
-Encrypted video chat via √
-Encrypted phone calls with RedPhone √
-App permissions restricted with Privacy Guard √
-Adblock Plus filtering network traffic and blocking Adware √
-Device encrypted; and locked when outside of home network √

Open Source

Open source means that the source code that makes up the software is non-proprietary
and open. This means that communities can, and usually do, collaborate on it, and that the
code can be shared, modified and improved, or used as the base for newer projects. There
is free licensing which can require that the code be kept free from monetary gain, and
licensing which allows people to make monetary gains off of the source code of others, as
long as the freedoms you were given remain with the software. Open source software
evolves much faster because anyone can contribute to it. Many eyes are on the code and
malicious coding like spyware cannot easily be hidden in it for long, while vulnerabilities
can be found by anyone to report or patch. You should support the open source
community by using as much open source software as you can.

The major problem with trying to secure your communications is always that, as long as
you are communicating to another person on another computer who doesn't use
encryption, that side of the line will be open and visible/audible.

End-to-end encryption (E2EE) is a digital communications paradigm of uninterrupted
protection of data traveling between two communicating parties without being intercepted
or read by other parties: the originating party encrypts data to be readable only by the
intended recipient, and the receiving party decrypts it, with no involvement in said
encryption by third parties. The intention of end-to-end encryption is to prevent
intermediaries, such as Internet providers or application service providers, from being
able to discover or tamper with the content of communications. End-to-end encryption
generally includes protections of both confidentiality and integrity.

Edward Snowden said, "Arguing that you don't care about the right to privacy because
you have nothing to hide
is no different than saying you don't care about free speech because you have nothing to

If someone suggests using a messenger that is designed to be encrypted and secure, and
you don't bother using it, or if you don't know how to use or don't have a single means of
private conversation like a PGP Public Key, then your monkey ass is holding the internet
back from evolving. If you use the internet every day and think this is all much too much,
you have no appreciation of all the technologies that make a computer run, all the coding
that was written by hand. The Linux kernel alone contains 15 million lines of code.

Don't force your friends to have to give up the right to privacy because you only
communicate over Facebook.

Operating System
Ditch Windows. Microsoft has been proven to have backdoors in Windows and Skype.
Microsoft, AOL, Yahoo, Apple, Facebook, and Google have knowingly participated or have
been pressured to comply in the tapping of their servers. Windows is corporate
proprietary closed source software that has a reputation for having holes and
vulnerabilities. It has always been overpriced, insecure, buggy, slow, ugly, bloated
software that I would consistently lose all of my data on once per year and need to wipe
and reformat. Microsoft was known for a history of monopolizing the market, and for coding
Internet Explorer to different standards than HTML so that websites coded using Internet
Explorer would not work right on other browsers.

Install GNU / Linux. Malware includes viruses, trojans, worms and other types of
malware that affect the operating system. Linux, Unix and other Unix-like computer
operating systems are generally regarded as very well-protected against, but not
immune to, computer viruses. There has not yet been a single widespread Linux virus or
malware infection of the type that is common on Microsoft Windows; this is attributable
generally to the malware's lack of root access and fast updates to most Linux
vulnerabilities. Wikipedia lists only 54 known malware combined. There are over a million
known viruses on Windows. Viruses are not a threat on Linux and an anti-virus is not

Linux is free as in freedom and free monetarily. Linux is open-source and extremely
customizable. It feels sleek, streamlined, aesthetically beautiful, stable, fast, intuitive and
a more pleasurable experience in my opinion than Windows and Mac. Linux would be
way more popular if any computer manufacturers ever sold PCs with it. There is a world
of operating systems on the internet, all filling different niches, and a lot of people enjoy
and maintain the alternative OSs. For the reasons I stated, Linux is more secure because it
is open-source. Its rate of development is unmatched and vulnerabilities are fixed much
more efficiently. It is dominating on mobile devices, enterprise, servers, web
infrastructure, data centers, supercomputing and more. It also uses a root system
password. This prevents viruses or malicious software from corrupting, spreading to, or
modifying system files in any way. You need to type in your password any time you mess
with core system files. Linux also uses PGP keys to verify the integrity of the software
packages in their community's user repositories. (These are huge repositories of software
packages that work with your Linux distribution and/or related ones.) Updating the system
updates all of your software without needing to reboot. Linux will not reboot unless you
tell it to, and does not need to be restarted frequently because it gets slow, wacky, or has
memory leaks. It stays as fast as the day it was installed.

Ubuntu is the most well-known Linux distribution and is known as the most user-friendly.
It's a good system. I use Antergos Linux. Along with Manjaro, it is a user-friendly fork of
Arch Linux. In software, a project fork happens when developers take a copy of source
code from one software package and start independent development on it, creating a
distinct and separate piece of software. Because they are open-source, Linux
distributions will get popular and then new ones will be based off of them and eventually
become more popular. That's why distros are based off of Debian Linux, Arch, or Fedora,

Antergos has a slightly higher learning curve than Ubuntu. If you are comfortable with
your way around a computer, I recommend it. The only major difference is that Ubuntu
comes with a software center where software may be found just like the Google Play
Store: pictures, description, reviews, and one status bar that, once complete, has
downloaded and installed the software/application you chose. With Antergos things are
installed via a package manager or the terminal. A software center (Gnome's) can be
installed but doesn't have everything. You can search and install/uninstall software in the
package manager. In the terminal, though, it will look like this:
yaourt firefox
This will list all packages relating to Firefox. You enter the number of the corresponding
package and it will begin. You press n for editing packages and y to continue installing.

Arch systems are bleeding edge while being impressively stable. New software packages
are tested by Arch developers and released. User-friendly Arch-based distros (Antergos &
Manjaro) then test the software again. One thing I love, but which may annoy new users, is
that there are constantly updates. I sometimes update my computer twice a day. You can
turn notifications for these off but in less than a month you will have 120 updates or so.
Even with this many, it doesn't take too long to update on a decent computer. I recommend
updating at least once a month though, as this helps you to stay secure from vulnerabilities.

I recommend that first time users install Linux on a separate hardware partition so that
they can dual boot and choose Windows or Linux at startup, until they wean themselves
off of Windows and no longer require it for anything like games, their printer, whatever.
If you choose to wipe your old operating system clean, make sure to back up all your
personal files first on an external hard drive. Download the .iso of the operating system
you choose from their website in 32 or 64-bit edition. (32-bit is for older PCs.) Burn the
file to a blank DVD-R as an image. Once complete, put it in your computer's optical drive
and restart. The installer walks you through this process easily. Don't modify partitions if
you don't know what you are doing.

BSD also deserves a mention but if you were tech-savvy enough to use it you wouldn't
need to be reading this section.

There are also operating systems designed to keep the user completely anonymous like
Tails and Whonix. These operating systems are more restrictive of what you can do and
are not meant to be used as your main operating system. You can keep Tails on a USB
Pen and boot from it if you need absolute anonymity. It is worth mentioning although
this article's focus is to harden the security of your regular computers and phones and
leave you more mindful of how you interact with the internet.

DNS Encryption

Install DNSCrypt. DNSCrypt is an open source protocol that authenticates
communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It
uses cryptographic signatures to verify that responses originate from the chosen DNS
resolver and haven't been tampered with. DNSCrypt turns regular DNS traffic into
encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.
DNSCrypt is one of the most impactful advancements in Internet security that you can
make. It encrypts DNS traffic over the “last mile”, the portion of your Internet connection
between your computer and your ISP. Essentially closing their backdoor and ability to see
what you are

I only have experience installing this on Arch-based Linux distributions and Android, but it
can be installed on Windows, OSX, Unix, Android, iOS, and routers. Instructions for
Arch-based systems are as follows:

Once installed, enable and start DNSCrypt Proxy:
sudo systemctl enable dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.service

Check DNSCrypt status:
sudo systemctl status dnscrypt-proxy
It should state active (running).

Mac Spoofing
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC)
address of a network interface on a networked device. The MAC address is hard-coded
on a network interface controller (NIC) and cannot be changed. However, there are tools
which can make an operating system believe that the NIC has the MAC address of a
user's choosing. The process of masking a MAC address is known as MAC spoofing.
Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is
relatively easy.
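
An added example, not part of the original tutorial: not every 48-bit value works as an address "of a user's choosing". The sketch below checks a candidate before it is used, rejecting malformed or group (multicast) addresses, and generates a random unicast, locally administered address. All function names and the sample addresses are constructed for illustration.

```python
import re
import secrets

# Six hex octets separated by ':' or '-', e.g. 02:11:22:33:44:55
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Return the 6 raw bytes of a MAC address string, or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(raw):
    """Render 6 raw bytes in the usual lower-case colon notation."""
    return ":".join(f"{octet:02x}" for octet in raw)


def describe(raw):
    """Decode the two flag bits carried in the first octet of every MAC."""
    return {
        "multicast": bool(raw[0] & 0x01),             # group bit: not a station address
        "locally_administered": bool(raw[0] & 0x02),  # set by an admin, not a vendor
        "all_zero": raw == bytes(6),
    }


def check_cloned_address(candidate, factory=None):
    """Return (ok, reason) for a value about to be used as a spoofed address."""
    try:
        raw = parse_mac(candidate)
    except ValueError as exc:
        return False, str(exc)
    info = describe(raw)
    if info["all_zero"]:
        return False, "all-zero address"
    if info["multicast"]:
        return False, "group bit set in first octet; an interface needs a unicast address"
    if factory is not None and raw == parse_mac(factory):
        return False, "identical to the factory address, so nothing is hidden"
    if info["locally_administered"]:
        return True, "unicast, locally administered"
    return True, "unicast, reads as vendor-assigned"


def random_local_mac():
    """Random address with the group bit cleared and the local bit set."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return format_mac(raw)


if __name__ == "__main__":
    factory = "00:11:22:33:44:55"  # constructed sample, not a real device
    for candidate in ("00-11-22-33-44-55", "03:11:22:33:44:55",
                      "0:11:22:33:44:55", random_local_mac()):
        print(candidate, check_cloned_address(candidate, factory))
```

An address with an odd first octet is the usual reason a hand-edited value is refused by the network stack.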

It is usually beneficial. But in some situations it might also lead to connectivity problems
or make your network activity look suspicious. This documentation explains whether to
use MAC spoofing or not, depending on your situation.

When to spoof MAC address
This is usually beneficial, even if you don't want to hide your geographical location.
Here are a few examples:

● Using your own computer on a public network without registration, for
example a free Wi-Fi service in a restaurant where you don't need to register with
your identity. In this case, MAC address spoofing hides the fact that your
computer is connected to this network.
● Using your own computer on a network that you use frequently, for example
at a friend's place, at work, at university, etc. You already have a strong
relationship with this place but MAC address spoofing hides the fact that your
computer is connected to this network at a particular time. It also hides the fact
that you are running Tor, etc. on this network.

When to disable MAC address spoofing
In some situations MAC address spoofing is not useful but can instead be problematic. In
such cases, you might want to disable MAC address spoofing.
Note that even if MAC spoofing is disabled, your anonymity on the Internet is preserved:
● An adversary on the local network can only see encrypted connections to the Tor
● Your MAC address is not sent over the Internet to the websites that you are
However, disabling MAC address spoofing makes it possible again for the local network
to track your geographical location. If this is problematic, consider using a different
network device or moving to another network.
Here are a few examples:
● Using a public computer, for example in an Internet café or a library. This
computer is regularly used on this local network, and its MAC address is not
associated with your identity. In this case, MAC address spoofing can make it
impossible to connect. It can even look suspicious to the network administrators
to see an unknown MAC address being used on that network.

● On some network interfaces, MAC address spoofing is impossible due to
limitations in the hardware or in Linux.
● Some networks only allow connections from a list of authorized MAC
addresses. In this case, MAC address spoofing makes it impossible to connect to
such networks. If you were granted access to such network in the past, then MAC
address spoofing might prevent you from connecting.
● Using your own computer at home. Your identity and the MAC address of your
computer are already associated to this local network, so MAC address spoofing is
probably useless. But if access to your local network is restricted based on MAC
addresses it might be impossible to connect with a spoofed MAC address.

In Network settings click the settings for each Network you connect to including the wired
connection. Under "Identity", there should be a blank field under MAC Address labeled
something like Cloned Address. Copy your MAC Address into it and change the

If you are running a different operating system check online:

The Tor Browser is open source anonymizing software built on the open source Firefox
browser. It allows you access to the Tor network, a free, worldwide, volunteer network
consisting of more than six thousand relays to conceal a user's location and usage from
anyone conducting network surveillance or traffic analysis. Hosted on the Tor network
are underground websites inaccessible to regular internet browsers unless you route
your network traffic over Tor. It has humanitarian uses for journalists fearing oppressive
governments, and for bypassing government control over the internet, e.g. the China
firewall, to access the rest of the internet.
For Example:
Operation Tunisia refers to the actions by internet group Anonymous during the Tunisian
In their traditional manner, Anonymous launched a series of DDoS attacks against
government websites. Additionally, Anonymous provided protesters with documents
required to take down the incumbent government as well as distributing a care package,
among other things, including Tor, and a greasemonkey script to avoid proxy
interception by the government. The providing of information was considered by some a
part of Operation Leakspin. They also aided in passing information about the protests in
and out of the country.
Tor usage at the time was a lifesaver for Tunisians.

Tor uses Onion Routing. Onion routing is a technique for anonymous communication
over a computer network. In an onion network, messages are encapsulated in layers of
encryption, analogous to layers of the vegetable onion. The encrypted data is transmitted
through a series of network nodes called onion routers, each of which "peels" away a
single layer, uncovering the data's next destination. When the final layer is decrypted, the
message arrives at its destination. The sender remains anonymous because each
intermediary knows only the location of the immediately preceding and following nodes.
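
The layering described above, as an added example that is not from the original tutorial or from the Tor project: each relay removes one authenticated layer and learns only its neighbours. The cipher is a toy SHA-256 keystream with an HMAC tag, not Tor's real cell cryptography, and the relay names, pre-shared keys and destination are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo route: (relay name, key the sender already shares with it).
# Assumption: keys are pre-shared; real Tor negotiates them while building a circuit.
SAMPLE_ROUTE = [
    ("guard", hashlib.sha256(b"constructed guard key").digest()),
    ("middle", hashlib.sha256(b"constructed middle key").digest()),
    ("exit", hashlib.sha256(b"constructed exit key").digest()),
]


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one relay key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt then authenticate one layer: nonce(16) || tag(32) || ciphertext."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def unseal(key, blob):
    """Verify the tag, then decrypt; raise ValueError on a wrong key or tampering."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer rejected: wrong key or modified in transit")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)


def build_onion(message, destination, route):
    """Wrap message innermost-first; return (first relay to contact, onion bytes)."""
    next_hop, payload = destination, message
    for name, key in reversed(route):
        header = next_hop.encode()
        payload = seal(key, bytes([len(header)]) + header + payload)
        next_hop = name
    return next_hop, payload


def peel(key, blob):
    """What one relay does: remove its layer, learn the next hop and inner blob."""
    inner = unseal(key, blob)
    size = inner[0]
    return inner[1:1 + size].decode(), inner[1 + size:]


def relay_views(message, destination, route, sender="client"):
    """Walk the onion along the route and record what each relay can observe."""
    keys = dict(route)
    hop, blob = build_onion(message, destination, route)
    previous, views = sender, []
    while hop in keys:
        next_hop, inner = peel(keys[hop], blob)
        views.append({"relay": hop, "from": previous, "to": next_hop,
                      "sees_plaintext": message in inner})
        previous, hop, blob = hop, next_hop, inner
    return views, hop, blob


if __name__ == "__main__":
    views, final_hop, delivered = relay_views(b"GET / HTTP/1.1", "example.org:80",
                                              SAMPLE_ROUTE)
    for view in views:
        print(view)
    print("delivered to", final_hop, delivered)
```

The last relay's view includes the plaintext, so anything sent through the circuit without its own end-to-end encryption (for example HTTPS) is readable at the exit.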

Install Tor if it's legal for you and your ISP isn't known to send users abuse of service
complaints. You can purchase Bitcoins and visit the underground drug markets like
Agora and buy whatever you like. If it is legal in your country of course, the author does
not encourage you to break any laws.

Never visit addresses ending in "" within tor. This is a gateway to Tor hidden
services for providing convenient access to Tor hidden services. It is a pure proxy that
forwards requests to the respective hidden service. as a gateway cannot offer
any anonymity for the visitor. Just remove the .to

You may use Tor as a poor man's VPN. Like Tor, a VPN is something that encrypts your
internet traffic and proxies your location, making it appear that you're in whatever
location the server you're connecting from is located.

Benefits of Tor:

Your ISP can see that you are using it (Unless you have DNSCrypt installed!)
It slows your internet speeds down a significant degree. For me, using a higher-end cable
connection for a home user usually running at 55Mbps without Tor; I sometimes needed
to stop using Tor because my videos would stop to buffer.

But, it is slower than a VPN. To route all of your activity over Tor, you can set Tor Browser
to be launched every time you start up your computer, and in your network settings you
set the Socks Host proxy to and the port to 9150. The Tor Browser needs to be
open or you will not get a connection to the internet with those proxy settings in place.

If you route your network traffic over Tor, you can view .onion sites through any browser.
Stick with the Tor Browser. It is open source and tweaked for enhanced security. When
downloading Tor, I would avoid using Google or any regular search engines. I will get into
private search engines further down but Tor can be located directly via their website.


VPN stands for Virtual Private Network. It routes your internet traffic through an
encrypted tunnel and shows your location as coming from the location of the server.
These services cost money and you have to find a VPN that doesn't log users' activity and
then trust their word. With services like secure email and VPN, you optimally want a
service based in a country that is not closely allied with our government and the NSA.
Non-domestic services are termed "off-shore". And you want a service that isn't willing to
just hand your information over to authorities because they ask. For example, the VPN
service TorGuard, when asked in an interview:
"'How do you generally handle requests from law enforcement and copyright
'We do not communicate with any third party without first receiving a court order to do
so, period. This scenario has never occurred, but if it were to, we would be forced to
explain in more technical terms how we don’t maintain any usage logs.'"

This particular service costs $60 a year and allows you to use it on up to 4 devices at
once. It has software that works on Windows, Mac, Linux (Debian/Ubuntu & Arch), and
Android, and scripts to install on routers with custom firmware (DD-WRT or Tomato). I
recommend going to a convenience store like Walgreens and buying a pre-paid Visa gift
card like the birthday one. Put $60 on it and pay for the service that way, so that a VPN
service is not shown on your bills. It helps keep your purchase anonymous from any
potentially suspicious eyes.

You can use some VPNs on multiple devices at once. (TorGuard(4) and SurfEasy(5) for
instance) You can install the VPN on a router with DD-WRT or Tomato firmware, as one of
the devices. This will allow any computer on your WiFi network to run through the VPN,
allowing many more devices to use it (while connected). Make sure to keep UDP as the
protocol and not to select TCP. Internet speeds while running UDP will be dramatically
faster, while TCP may make the VPN practically useless and slower than routing your
network traffic over Tor.

Running Tor over a VPN is the safest combination possible. It is not necessary except for
the most extreme circumstances, but is nice for added security when running Tor. I have
heard that there is a vulnerability with government agencies hosting Tor exit node servers
within the about 1000 exit node servers, and that if you exit the Tor network through one,
they can see what you've been doing during that particular use. I am unsure of the
extent and details of this. But running Tor over a VPN would keep you anonymous in this

There are free VPN services but I can't recommend any I've tried as they were way too

I recommend having Tor installed and routing your network traffic over it or better yet a
VPN. If you do so through Tor, on the Linux GNOME desktop there's a GNOME extension
called "Proxy Switcher" at the GNOME extensions site that gives
you a taskbar icon to toggle your proxy settings on and off, making it easy to run your
network traffic through Tor but then to easily turn it off when speeds are too slow.

Browser and Security-enhancing Extensions
I recommend using an open source browser. The browser is what you navigate the
internet with and using open source software for this is imperative. Firefox and
Chromium are your choices for this. I use Chromium. I will try to cover browser
extensions for each.

•Install HTTPS Everywhere. This makes your browser use the encrypted version of HTTP if
the website offers it. HTTPS makes communications with a website encrypted rather than
open. Most websites offer HTTPS nowadays. HTTP provides no data security.
•uBlock and Blur are two browser extensions that block ads and tracking. uBlock is an
efficient blocker, easy on CPU and memory. I found this better than Adblock Plus and
replaced it.

•Google Analytics Opt-out Add-on (by Google) Tells the Google Analytics JavaScript not to
send information to Google Analytics.
•Facebook IBA Opt-out and IBA Opt-out (by Google) Opt out of Facebook and Google's
interest-based ads as you browse the web.
•Cryptocat "is a fun, accessible app for having encrypted chat with your friends, right in
your browser and mobile phone. Everything is encrypted before it leaves your computer.
Even the Cryptocat network itself can't read your messages. (FYI - Cryptocat is early
development, experimental software. (For fail-safe encryption use PGP or GPG.)"
•Dark Wallet is a bitcoin wallet designed to keep bitcoin transactions anonymous. It is in
early stages of development but it will be very important software in the near future for
keeping bitcoin transactions anonymous.
Amir Taaki and Cody Wilson are two co-founders of this project, and two very interesting
people. Cody Wilson is the guy who designed open-source 3D printable guns and
believes in radical equality. Part of bitcoin's lure is anonymity but bitcoin is not fully
anonymous. You can use services to generate new bitcoin addresses. By donating a
dollar to they will generate you a new bitcoin address. You can use a new one
for each transaction. There are also services like Bitcoin Fog and Bitcoin Tumbler.

•HTTPtoHTTPS is the Firefox alternative to HTTPS Everywhere.
•uBlock and Blur are also available under Firefox.

Block Third Party Cookies
In each browser, set the option to block third party cookies and site data (including your
mobile browser). Cookies are an inherent internet vulnerability but a necessary evil if you
want convenience. Blocking third party cookies blocks cookies that are not directly
related to interaction with the website you're visiting but may be from third parties that
are interested in tracking you or your interests, to make money off the data via interest-based

Open-source DD-WRT firmware router

Firmware is the software that allows your hardware to properly communicate with your
computer. Open source firmware is sure to not hide malicious coding like spyware. There
are two projects that offer open source firmware for the router: DD-WRT and Tomato. I
think generally Tomato firmware has more features but that DD-WRT is fully open source
whereas Tomato is semi. I use DD-WRT because it is fully open source. Unless you're up
for it, I recommend checking out router benchmarks and buying a good 5GHz router on
eBay that has DD-WRT already installed. It's popular enough that people offer up ones
which they have already installed DD-WRT on. Installing firmware on a router is not
difficult, but on my last router I had the issue of a D-Link router not allowing custom
firmware, stating that it was wrong or corrupt, and of not being able to access the
"Emergency Room Interface" to force it to accept any firmware. If you choose to do it
yourself, be sure to check that there is a stable DD-WRT version available for your
particular router.

Encrypted text, audio, and video apps

Pidgin messenger offers OTR (Off-the-Record) encryption for certain services that you use.
(AIM, Bonjour, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MXit, SILC, SIMPLE, Sametime, XMPP, Yahoo!, Zephyr)

But both ends have to be encrypting with OTR for this to work. If contacts haven't set it
up as you have, your chats won't be private.
I've stopped using Pidgin in favor of Telegram messenger, which is a messenger and network.
Free. No ads. Security and privacy oriented. Works across platforms and mobile, and has web
page and browser app versions. Simple registration using your cell number. Syncs chats
across devices. Destruct messages with a timer. Group messaging. Tons of
downloadable sticker sets. File sharing, no bandwidth limitations, a cloud service.
Open-Source. It will soon offer video chat and audio Voice over IP calls. (VoIP
just means it uses the internet.)

In some articles online, people that study encryption protocols question Telegram's
encryption and would prefer they changed it. Instead of using well known and tested
encryption algorithms, for instance, they designed their own. They claim:
"The team behind Telegram, led by Nikolai Durov, consists of six ACM champions, half of them
Ph.Ds in math. It took them about two years to roll out the current version of MTProto. Names
and degrees may indeed not mean as much in some fields as they do in others, but this protocol
is the result of thoughtful and prolonged work of professionals."

Others respond: "Math Ph.Ds are not cryptographers. The protocol they invented is flawed. Here is a
nice blog post explaining why. In addition to that, Telegram has issued a rather ridiculous challenge
offering a reward to anyone who can break the protocol. Except that the terms they set makes even the
most ridiculously weak protocol difficult to break. Moxie Marlinspike has a nice blog post explaining
why the challenge is ridiculous."

Another alternative for PC and Android is Wickr. This messenger is a bit bare at the
moment but offers more standard and proven encryption. I'm having an issue getting it
to work with one account synced on PC and Android with a long password. A lot of this
software is in its infancy and is part of a new wave of encryption software, sparked
by people's concerns for internet privacy. In the future there will be a lot of good options,
but at the moment they are being heavily developed.

Mumble is an open source, low-latency, high quality voice chat software primarily
intended for use while gaming.
It may be the best VoIP option for use over Tor because of its low latency.
It does not use end-to-end encryption, but encrypts to and from a Mumble server. So unless
you host your own, use it over Tor or a VPN and do not give out identifying information,
like a CB radio.

If you are not routing over Tor you can try Tox or Jitsi. is also not end-to-end
encrypted. You have to trust the server with your communications.
You could host your own Jitsi videobridge server. But I wouldn't bother attempting this
unless you know what you're doing.

Tox is an encrypted Skype alternative which allows messaging, audio and video chat.

Depending on the operating system there are different versions like uTox, qTox and Tox.
They are Tox messengers in different stages of development. It is the encrypted Skype
alternative. Skype has been proven to have backdoor access.

Jitsi is another secure messenger. Jitsi is an audio/video and chat communicator that
supports protocols such as SIP, XMPP/Jabber, AIM/ICQ, Windows Live, Yahoo! and many
other useful features.
Jitsi is Open Source / Free Software, and is available under the terms of the LGPL.
I find Jitsi to be buggy and to have Java issues on my linux distribution. There is a web
page service by Jitsi, which offers video chat, audio calls, a text
messenger, sending attachments, and screen streaming. It allows any number of people
in rooms of whatever name you choose; admins having the ability to lock rooms with
passwords. I find this a good Tox alternative. It's not better but at the moment has more
cross device/platform compatibility and is without the need to install anything except a
browser extension for desktop streaming.


Secure Email Providers
There are email providers offering off-shore secure email services. The two that I have
trusted enough to use have been, a German-based provider, and based in Iceland. At the
moment Privatdemail's site seems to be fragmented
with no main page to link the pages. They use their own security certificates which your
email client won't accept unless you choose to, and a site which doesn't have HTTPS
access. I guess they use their own certificates for that as well? Privatdemail is only
accessible through an email client (use open source e.g. Thunderbird) while
can be accessed through their website and an email client.

Another with a good reputation is but it is based within the US.

Email Client
My recommendation for an email client is Thunderbird. Thunderbird is open source and
has two good security extensions.

Thunderbird Extensions
Enigmail is an extension that provides built-in PGP support for encrypting and
signing/authenticating messages.

This extension by Jacob Appelbaum configures Thunderbird to make connections over
the Tor anonymity network. TorBirdy automatically enhances the privacy settings of
Thunderbird and configures it for use over Tor. TorBirdy requires that a user has Tor

If you are proxying over Tor already, this is not needed. If you are running a VPN, this will
not work. And I recommend doing one of the two, so if you are, this extension is not
really useful. (Privatdemail)

Anonymous Torrent Downloading
If you are routing traffic over Tor or a VPN this is not necessary but Tribler offers
anonymous torrent downloading through Tor-inspired onion routing.


Pretty Good Privacy (PGP) is a data encryption and decryption computer program that
provides cryptographic privacy and authentication for data communication. PGP is often
used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole
disk partitions and to increase the security of e-mail communications. It was created by
Phil Zimmermann in 1991.

PGP and similar software follow the OpenPGP standard (RFC 4880) for encrypting and
decrypting data.

After a report from RSA Data Security, Inc., who were in a licensing dispute with regard to
the use of the RSA algorithm in PGP, the United States Customs Service started a criminal
investigation of Zimmermann, for allegedly violating the Arms Export Control Act. The
United States Government had long regarded cryptographic software as a munition, and
thus subject to arms trafficking export controls. At that time, the boundary between what
cryptography was permitted ("low-strength") and impermissible ("high-strength") for
export from the United States was placed such that PGP fell on the too-strong-to-export
side of the boundary. The boundary for legal export has since been raised and now
allows PGP to be exported. The investigation lasted three years, but was finally dropped
without filing charges.

GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's
PGP cryptographic software suite. GnuPG is compliant with RFC 4880, which is the IETF
standards track specification of OpenPGP. Modern versions of PGP and Veridis' Filecrypt
are interoperable with GnuPG and other OpenPGP-compliant systems.

GnuPG is part of the GNU project, and has received major funding from the German

Install GPG with a graphical user interface and Enigmail for Thunderbird.
Learn how to use:

Anonymous Search Engines
Unlike Google there are search engines which do not log your IP address, your searches,
the time of your visit, and the links you choose.

These search engines are or (Ixquick is known as StartPage in the United States)
simultaneously searches multiple popular search engines.
"emphasizes getting information from the best sources rather than the
most sources, generating its search results from key crowdsourced sites such as
Wikipedia and from partnerships with other search engines like Yandex, Yahoo!, Bing,
and Yummly." I find that the image results for duckduckgo are better than startpage.

Disconnect Search searches with Google, Bing, Yahoo, & more. Disconnect seems to
return to me the most favorable results. I thought this was because I had read Google
returns crappier results when they are being requested through another search engine
like duckduckgo and startpage, but that disconnect searches uses a VPN service which
makes their requests appear to Google as coming from a random person.

In Chromium, once you search any site's search it gets added in your list of search
engines. Or by right-clicking within the search bar and selecting "Add as a search
engine...". You can remove the default search engines and add ones you've used as
default search engines. You can set it so that in your address bar you can type a then
whatever you'd like to search Amazon, e for Ebay, d for Duckduckgo, s for Startpage, w
for Wikipedia, and so on. Disconnect Search is made to be used as a browser app which
requires the extra step of clicking on it. Instead I just went to,
right-clicked, and added as a search engine. The last search engine set as default is the
one that is searched by default when you type what you want to search within your
address bar.


Veracrypt is software that allows you to encrypt your drives. Your personal folder of files
can be encrypted and your passwords especially should be encrypted.

VeraCrypt is an open source freeware utility used for on-the-fly encryption (OTFE). It can
create a virtual encrypted disk within a file or encrypt a partition or (under Microsoft
Windows except Windows 8 with UEFI or GPT) the entire storage device with pre-boot

VeraCrypt is a fork of the discontinued TrueCrypt project. It was initially released on June
22, 2013 and has produced its eighth release (version 1.13) as of August 9, 2015.
According to its developers, security improvements have been implemented and issues
raised by the initial TrueCrypt code audit have been addressed.

Learn the process of using VeraCrypt


Regular passwords using words or phrases you can remember are just not safe
anymore. Run test passwords through a website service like or
and you will see that a powerful computer can crack an average password in just a
few seconds. Use a password generator like the one here:
Use open source software or a service like above that does not send a generated
password over the internet, where it can be intercepted, to you.
On the password generator above, I uncheck "Exclude Similar Characters:" as these
passwords are generally always copied and pasted.
Don't:
● Use the same passwords for multiple accounts. If you do, someone who gets
just one of your passwords will have access to multiple accounts.
● Use words or names as your password. Even with numbers added in. Strings
in your password containing words or names make cracking easier.
● Use standard number substitutions. Think “P455w0rd” is a good password?
N0p3! Cracking tools now have those built in.
● Use a short password—no matter how weird. Today’s processing speeds
mean that even passwords like “h6!r$q” are quickly crackable. Your best
defense is the longest possible password.

Do:
● Enable two-factor authentication when offered. Two-Factor Authentication will
send you a text message with a code to confirm. This adds an extra
authentication step.
● Give bogus answers to security questions. Think of them as secondary
passwords. Except that people who know you may know certain answers to
your security questions, or the information may not be too hard to look up,
especially in a surveillance state. You can write in gibberish, and be sure not
to lose your password, or you can keep your answers somewhat memorable
and write them down somewhere. For example:
My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
● Scrub your online presence. One of the easiest ways to hack into an account is
through your email and billing address information. Sites like Spokeo and offer
opt-out mechanisms to get your information removed
from their databases.
Use a unique, secure email address for password recoveries. If a hacker knows where
your passwords can be retrieved or reset, that’s a line of attack. You could create a
special email account you never use for communications and make sure to choose a
username that isn’t tied to your name—so it can’t be easily guessed. I would just make
sure to use a secure email service with a very good password.

I recommend passwords at least 32 characters long. But since you cannot remember
every password for all your different accounts, or even one password that is 32
characters or more of mixed symbols, numbers, and letters of mixed case; you might as
well generate passwords as long as possible. Many of my passwords are 2048 characters
long. The only issue with this, is that different services for registration will usually allow
only a certain password length. These services may tell you that near the password input
or after you try to register a very long password. A few sites will cause bugs or inhibit you
from proceeding and you will have to try smaller and smaller passwords until it works.
1024>512>256>128>64>32>16, for example.
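
An added example, not part of the original tutorial or of any generator it links to: a
password generator in Python that runs entirely on your own machine, with the "Exclude
Similar Characters" switch and the 1024>512>...>16 length ladder described above, plus a
rough entropy estimate. The similar-character set, the guess rate of 10^12 per second and
all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Characters a generator typically drops when "Exclude Similar Characters"
# is ticked (assumed set; real generators differ).
SIMILAR = set("il1Lo0O")

# Length ladder from the text: step down when a service rejects a password.
LENGTH_LADDER = (1024, 512, 256, 128, 64, 32, 16)

# Assumed offline guessing rate, for the estimate only.
GUESSES_PER_SECOND = 1e12


def alphabet(exclude_similar=False):
    """Printable ASCII letters, digits and punctuation (94 symbols)."""
    chars = string.ascii_letters + string.digits + string.punctuation
    if exclude_similar:
        chars = "".join(c for c in chars if c not in SIMILAR)
    return chars


def generate(length, exclude_similar=False):
    """Draw a password from the OS CSPRNG; nothing is sent over the network."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    chars = alphabet(exclude_similar)
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        # Redraw until all four classes appear, so sites that enforce
        # composition rules do not reject the result.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, exclude_similar=False):
    """Upper bound on entropy; valid only for randomly generated passwords."""
    return length * math.log2(len(alphabet(exclude_similar)))


def average_crack_seconds(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to search half the keyspace at the assumed rate."""
    try:
        return 2.0 ** (bits - 1) / guesses_per_second
    except OverflowError:
        # Very long passwords exceed what a float can represent.
        return math.inf


def first_accepted(accepts, exclude_similar=False):
    """Walk down the ladder until accepts(password) returns True.

    `accepts` stands in for a registration form or login field
    (hypothetical callback supplied by the caller).
    """
    for length in LENGTH_LADDER:
        pw = generate(length, exclude_similar)
        if accepts(pw):
            return pw
    raise RuntimeError("service rejected every length on the ladder")


if __name__ == "__main__":
    for n in (6, 16, 32, 128):
        bits = entropy_bits(n)
        print(f"{n:4d} chars: {bits:7.1f} bits, "
              f"~{average_crack_seconds(bits):.3g} s at 1e12 guesses/s")
    # Constructed stand-in for a service with a 64-character limit.
    pw = first_accepted(lambda p: len(p) <= 64)
    print(len(pw), "characters accepted")
```

The entropy figure only holds for passwords drawn at random like this; a phrase you made
up yourself of the same length is far weaker.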

Example of bugs:
Jbidwatcher Software:
Any password much over 128 characters causes Jbidwatcher's login
screen to expand width-wise beyond the parameters of the screen, and
will cause a system-crash in Gnome Desktop.
TorGuard's Arch Linux & Android VPN Software:
VPN password is limited to 64 characters. With a longer one nothing would happen after I
clicked login. No matter the protocol or location it sits at "connecting".
I have reported these bugs.
Another concern to keep in mind is that if you have all of your WiFi passwords super long
and you are setting up a new phone and need internet access, you are not going to be
able to type a super long one out, especially without errors. You can leave one as 16
characters, or you can send the password in a text file over USB storage, or perhaps
access the internet with your cell phone through a neighbor's open WiFi or your mobile
provider and send your WiFi password from a computer to yourself through some
encrypted means like Telegram. However you do it, it's something to be aware of.
Once you have generated and registered or changed passwords, how will you store
them? I do allow my open-source browsers (Chromium & Firefox) to store my passwords
for me.
These browsers are open-source and use encryption to store the passwords. Remember
that if you do this, someone with access to your computer can go into your browser's
settings where you can edit saved passwords, and they can click to view the password in
plain text. Long mixed symbol passwords make them impossible to remember even if
one does see them. But a user with access to your computer can copy and send/save
your password. Therefore only let people you trust use your computer. Set a screen lock
password if you see the need. Or perhaps let them use a guest side of the computer's
operating system.
There's one application called KeePassX "for people with extremely high demands on
secure personal data management. Saves many different types of information such as
usernames, passwords, urls, attachments and comments in one single database." You
can encrypt your passwords with this.
Besides allowing my browsers to store my web page passwords it is a good idea to keep
all your passwords stored in a text file. You may want to create a few if you have different
categories for your passwords. One category may contain enough passwords to warrant
its own file. For example, it may be easier to keep router related passwords separate.
This may contain:
2 WiFi Bands
2 WiFi Guest Bands
router administrative password
WiFi passwords of friendly locations.
Keep your passwords encrypted. I prefer to keep a backup on a USB pen drive. or

Social Media / Delete Your Facebook
As Richard Stallman says, "Facebook is not your friend, it is a surveillance engine." It
seeks to track and log everything you do. They can use the content you post, if you
choose, for whatever they want. When you delete things you have posted, there is
no guarantee that it is deleted. It is most likely archived on their servers indefinitely.

Facebook Tells the Cops When You Talk About Criminal Activity in Private Messages
Here's what Facebook sends the cops in response to a subpoena
There are social media sites that focus on open-source, privacy, and security:

"You have the right to privacy.
You have the right not to be tracked.
You have the right to control what you see.
Your followers have the right to see everything you post publicly.
You have the right to own what you post.
You have the right to be anyone you want.
You have the right to relationships that won’t be exploited.
You have the right to clear and transparent terms & conditions.
You have the right to see all the data collected about you.
You have the right to permanently delete your account."
more info at

Instead of everyone’s data being contained on huge central servers owned by a large organization, local
servers (“pods”) can be set up anywhere in the world. You choose which pod to register with - perhaps
your local pod - and seamlessly connect with the diaspora* community worldwide.
You can be whoever you want to be in diaspora*. Unlike some networks, you don’t have to use your real
identity. You can interact with whomever you choose in whatever way you want. The only limit is your
imagination. diaspora* is also Free Software, giving you liberty to use it as you wish.
In diaspora* you own your data. You do not sign over any rights to a corporation or other interest who
could use it. With diaspora*, your friends, your habits, and your content is your business ... not ours! In
addition, you choose who sees what you share, using Aspects."
more info at
"No Data Mining: If you value your privacy, this is a good place for you. We don’t allow search engines to
crawl and archive your posts. Once you delete something on Seen, it’s gone for good."
"Seen does not require personal information for account registration.
Some users may opt to register personal information in the signup process, however.
We do not collect, sell, share, or disclose personal information such as we may have.
We do, however, comply by the laws of Iceland, where our company is located, and may under force of
law have to disclose what information we do have.
We do require an email address so that we may contact you for password reset purposes, and possibly
in regard to paid services or subscriptions.
Advertisers may use tracking cookies, but we do not.
Users of our services at are advised to read the privacy statement for that site."


Root Access

You need to get a phone that is unlocked. Meaning that you have root access. Either by
buying one or doing it yourself. It is bullshit to pay the expensive costs for a nice phone
and to receive something that is locked from your modification. You can find a great
price on a used one that is unlocked and is running a more open linux os like
CyanogenMod, which we will talk about more in the "Operating System" section below.
Tech-savvy people do this themselves and then eventually buy new phones. As the
market for this increases, more will become available. At the moment phones unlocked
with CyanogenMod may be found even cheaper than Android phones since not many
people know what it is.

You may also try to hack/unlock your current phone to gain root access and install the OS
yourself. This can be quite difficult as methods and exploits to gain root access are
usually patched. But CyanogenMod has just come out with an installer that does not
require root access to install the OS. You would just need to make sure that there are
stable versions of CyanogenMod available for your particular phone.
Don't spend money on an unlocked phone before checking that the operating system
you want is available and stable for that phone. If you don't know how to root an Android
device to install a different operating system listed below, you could install CyanogenMod
to gain root access and then install another OS, so long as there are stable versions of
each for your phone. Or you could check the xda-developers forum, which is a good
place to start for info on rooting your phone.

Operating System

For an operating system we want a free and open linux distribution. Google's Chrome OS
for desktops and Android for mobile devices are technically linux. But they are too
proprietary and allow google too much control. Google also keeps some of its source
code private. Some mobile distros of interest include Firefox OS and Ubuntu Touch,
which are open source. There is also Sailfish OS which is mostly open source. None of
these operating systems are 100% open source except for Replicant. Replicant only runs
on a few devices at the moment.

CyanogenMod is looking the best at the current moment. It is built off the open source
Android code. It is popular, open source, really cool looking, and security focused. They
plan to integrate DNSCrypt into new releases. And they fix bugs in Android with haste.
They add new features and UI effects to android, and some of their enhancements have
even been incorporated into the official Android code.

By using CyanogenMod or other custom linux distros we do away with the phone
manufacturer's bloatware. This is unnecessary software a company, like Samsung for
instance, will add in. We can opt out of all of Google's services which includes Google's
tracking. CyanogenMod also removes root access for apps. This means apps can not run
rampant doing whatever they want to or within your system. You may grant root access
only for whatever you want and for as long as you want. This allows you to grant only to
the very few apps that need it for security, like Adblock Plus and DNSChanger, and
ClockworkMod temporarily when installing a new OS, an OS update, or applying a
Everything that works on Android works on CyanogenMod, since it is a fork of Android.
The play store is included.

Setting up

For CyanogenMod or stock Android, once your phone is setup, you can long-press click,
hold, and drag apps up to "app data" where you can turn off notifications, clear cache
and data, and stop and uninstall apps. Clean your system and keep apps from running in
the background, and tracking/using permissions. I'm not sure if this is a concern with
CyanogenMod since it's built off of the open-source version of Android that is
"code-dumped" once or twice a year.

I turn everything of Google's off. Even the "Verify apps: Disallow or warn before
installation of apps that may cause harm", under Security in Settings. Google has made a
world of progress for technology and the internet, I just don't believe they do enough for
privacy to use a phone or pc that is so proprietarily theirs. When Google asks to sync my
device, I sync Contacts so that it adds about 70 contacts it has stored from my older
Android device. I then turn Google sync off completely and add the rest in, ceasing to
give them anymore of my contacts.

Apparently Google does not sell users information to third parties unless it's
anonymized. Still, Google has definitely done stuff I disagree with in regards to privacy.

There is a book on the subject by Julian Assange titled When Google Met Wikileaks.
-----------------------------------------------------------------------------------------------------------------
If you are using CyanogenMod, it comes with "system profiles" which goes by triggers.
You can have it set up so that when it leaves your wireless network, it turns on the screen
-----------------------------------------------------------------------------------------------------------------
You need to allow your device to download apps from sources other than Google Play by
turning on the "Unknown sources" feature.

On your device, open the Settings app


Under "Personal," touch Security.


Turn on Unknown sources.


for Android
Running DNSCrypt on Android currently requires a rooted device.

● Start by downloading a precompiled dnscrypt-proxy package for Android. The
most recent .zip file for Android
● If you want to change the DNSCrypt resolver to use, unzip the archive, edit the
RESOLVER_NAME variable in system/etc/init.d/99dnscrypt. Keep the content as a
ZIP file, with the original structure. (NOT NECESSARY)
● Download from or move the ZIP file to the device, into /sdcard or any location you
can write to.
● Make sure that you have a custom recovery such as TWRP or CWM. The easiest
way is to download and install ClockworkMod or TWRP Manager from the Google
Play Store. DNSCrypt instructions name TWRP first as the easiest option. I used
ClockworkMod since I already have it to update CyanogenMod. It worked quickly
and simply for me. Select reboot into recovery mode within ClockworkMod and
install the ZIP file.
● Reboot.
● Download and install Universal Init.d from the Google Play Store. Follow the
instructions at the bottom to test if your kernel has init.d support. If it does not
click the slider in the Universal Init.d app to turn it on.

● The DNSCrypt proxy should be running at this point, but your device may still use
the previous DNS settings. Download and install DNS Changer from the Google
Play Store. (I used the one by Eddy Pey) In order to actually use DNSCrypt, enter
as the primary DNS resolver. In order to stop using DNSCrypt, leave this
field empty.
● DNS changes may not be visible immediately. Android has its own DNS cache, and
web browsers such as Chrome have another layer of DNS caching. In order to
clear Chrome's DNS cache, enter chrome://net-internals/#dns in the URL bar, and
press Clear host cache.
^^^I recommend not even using Chrome, and rebooting once you're done. (Download)


Use a VPN that offers Android support. VPNs with Android apps:
TorGuard, VPN Unlimited, VYPR VPN, F-Secure Freedome VPN, Fast Secure VPN, FinchVPN,
FlashVPN, Hideman VPN, Hideninja VPN, Hotspot Shield VPN, OpenVPN Connect,
OpenVPN for Android, SpeedVPN, SurfEasy VPN, Tigervpns, TunnelBear VPN
Most of which are in the Google Play Store. Install it and make sure it's set to launch after
each reboot. "Autostart"'s is free/open-source software that does this, also available from
Once you've launched your VPN, log into it, you may have options like your protocol (like
OpenVPN, UDP) and your server location. The farther away your server location is, the
slower your internet speeds may be. Because of this you may want to stay in your own
country. Unless you have restricted access in your country like in China. Whichever
location you choose is where it will appear that you are located.

Orbot (Tor)

As I explained above, I recommend routing all traffic over Tor or a VPN. If you can't afford
a VPN, you can install Orbot on your phone to route all of your traffic over Tor. You may
need a rooted device and an iptables-capable ROM installed (such as Cyanogen). Check
out installation instructions here:

Orbot is available in the F-Droid repository.

As well as orWall which can force selected applications through Orbot while preventing
unchecked applications from having network access. This application takes care of your
connection, NOT what you're sending or receiving! This means you must use applications
providing enough privacy in order to avoid sending out your complete device
information. You need Orbot installed for this to work.

If you want to visit hidden services (tor websites), please use Orfox. A Tor browser
designed for Android.

Install F-Droid. F-Droid is an installable catalogue of FOSS (Free and Open Source
Software) applications for the Android platform. The client makes it easy to browse,
install, and keep track of updates on your device.

This app is in its early stages and needs to add a lot to its catalogue, which it is doing. I
would normally be concerned with the integrity of Google Play Stores software.
But Google Play Store does offer tampering detection and app certificate signing. For
now I trust them and it is your call on where you'd like to download software from.
Google Play, F-Droid, software developers individual websites, etc.

Browser and Security-enhancing Browser Extensions
Firefox is the only real open source browser option for phones. Chromium is in early
stages and will require some extra effort to install and test.

With Firefox mobile go to
Install "uBlock Origin" and "HTTPS Everywhere".

If you want to visit hidden services, please use Orfox. A Tor browser designed for
Android. You can access the current Orfox release by installing the F-Droid app and
subscribing to our F-Droid Alpha Channel at by clicking on the following link on your

Anonymous Search Engines
This subject was covered in more detail the first time above. There are apps for
Startpage, DuckDuckGo, and Disconnect Search.

Be sure to also set your Firefox default search engine as one. Add any website to your list
of search providers by long-pressing on its search field and then tapping the magnifying
glass+ symbol. Settings>Customize>Search>set it as default. This will allow you to search
using that search engine right in the browsers search bar.

Encrypted text, audio, and video apps
As we mentioned above in the PC section for this subject, Telegram messenger is a great
instant messenger that uses encryption. It works on Android and CyanogenMod.

Make sure to download and install "TextSecure" and "RedPhone :: Private Calls", both by
Open Whisper Systems. TextSecure makes it so that every text message you send is
encrypted so long as BOTH people have it installed. RedPhone encrypts your phone call
conversations so long as both users have it installed.

Like mentioned above is a website which offers video chat, audio calls,
a text messenger, sending attachments, and screen streaming. It is currently very slow
and laggy on my older phone through Firefox Beta. Give it a try.

TextSecure protocol has begun shipping as part of the CyanogenMod OS-level SMS
provider in CM 11 builds, in an effort to provide completely transparent end-to-end text
message encryption between all of their users. (TextSecure and RedPhone developer)


K-9 Mail is a free and open source email client for Android devices, that integrates
seamlessly with Android Privacy Guard.
The use of these two tools allows for easy encrypting and decrypting of email messages.

Android Privacy Guard
Android Privacy Guard (APG) is a free and open source application that lets you encrypt,
decrypt and sign files, messages or emails using Public Key Encryption (like OpenPGP) or
encrypt/decrypt files or messages with symmetric encryption, securing them with a

Android Privacy Guard is not to be confused with Privacy Guard that is integrated into

Privacy Guard
This is not to be confused with Android Privacy Guard for PGP. This Privacy Guard comes
with CyanogenMod.
(Settings>Security>Privacy Guard)
Privacy Guard lets you deny the app certain kinds of information without interfering with
Essentially, Privacy Guard allows you to interrupt the flow of information you agreed to
provide when installing the app. You can remove the ability to provide location data,
disable access to your contacts list, and a whole lot more depending on what the app has
asked for. You activate the toggle within Privacy Guard, and the flow of data stops. This
gets set per app, so you can get as detailed as you want and even choose to activate
certain features temporarily with the all on/all off toggle at the top. You can deny
information to any app on your phone, including the ones made and released by
Cyanogen. If you decide to leave Privacy Guard enabled, you'll also get pop-up
notifications when an app is requesting certain kinds of information.

Adblock Plus

You can download Adblock Plus for Android on their website. Once downloaded go to
downloads, select the file, and install. You may turn "Allow acceptable Ads" off. Once
installed it will give you a further step to get it working. It involves setting your localhost
proxy port in your network settings. Adblock will tell you what to do but generic
directions can also be seen at

Encrypt Phone
After everything is completely set-up and a few days have gone by and you're done
tweaking things, it is a good idea to encrypt your phone. All the data inside the phone will
be encrypted and your phone will need to be unlocked with a password or PIN. A PIN is
shorter and less annoying to type in every single time you go to look in your phone.
CyanogenMod allows you the option of encryption/user login password. With lock screen
password every time your screen wakes, being a separate feature. You may choose to do
without this if your phone is kept from the hands of others.

Samourai Wallet

Samourai Wallet is an anonymizing Bitcoin wallet for Android. At the time of
writing it's in alpha stages and it's the only Bitcoin wallet like it for Android.
There are too many features to go on talking about so I'm gonna paste links to two articles
about it.

This article was completed 08/25/2015 and as it relates to technology, will continue
to depreciate as time goes on. Continue to do your own research.

More Information:

Linux Action Show (Linux podcast)
TechSNAP (Systems, Network, and Administration Security Podcast)
hak5 & ThreatWire (hacking/security/privacy)
Security Now

Honorable Mentions
Richard Stallman
Dennis Ritchie
Julian Assange
Jacob Appelbaum
Edward Snowden
Chelsea Manning
Moxie Marlinspike
Amir Taaki
Cody Wilson
Glenn Greenwald
Laura Poitras

Free Software Foundation
Electronic Frontier Foundation
Open Bitcoin Privacy Project

Privacy International
Defense Distributed
Open Whisper Systems
Freedom of the Press Foundation
Human Rights Watch
Reporters Without Borders
Transparency International
Amnesty International