Security & Privacy while On-line

[mikeslr]

Now that we no longer trade floppy-disks, the Web can be considered the Mother of All malware. How to counter that was the purpose of this post, viewtopic.php?p=10096#p10096. And read Mike Walsh's experience with Adguard immediately following it.
Mike discusses configuring Adguard here, viewtopic.php?p=11631#p11631

I'll add that running your web-browsers as spot is also highly recommended. Feel free to add your own recommendations.

Also, out of curiosity, I attempted to access an online bank account using Tor and also a (albeit free) VPN. The good news was that I wasn't able to which suggest no one else can. The bad news was that I wasn't able to which suggests that potential hackers can see what I'm doing such as entering passwords. Your thoughts?

[s243a]

Now that we no longer trade floppy-disks, the Web can be considered the Mother of All malware. How to counter that was the purpose of this post, viewtopic.php?p=10096#p10096. And read Mike Walsh's experience with Adguard immediately following it.

I'll add that running your web-browsers as spot is also highly recommended. Feel free to add your own recommendations.

Also, out of curiosity, I attempted to access an online bank account using Tor and also a (albeit free) VPN. The good news was that I wasn't able to which suggest no one else can. The bad news was that I wasn't able to which suggests that potential hackers can see what I'm doing such as entering passwords. Your thoughts?

Don't use a VPN to access your banking sites. Some VPNs may be able to man in the middle you because they require you to install their root SSL certificates.

[s243a]

Note, that my suggestion to not use a vpn for banking assumes that you didn't install the root CA on your system. This can be done with openVPN:

You can, however, find VPN client software — such as the OpenVPN client — that are happy to read the VPN’s root certificate from a file and doesn’t rely on it being installed. These programs are often difficult to configure will also be unsupported by the VPN provider’s support team.

https://www.ctrl.blog/entry/vpn-root-ca-trust.html

the site suggests a better alternative:

You can look for a VPN service provider that support IKEv2 EAP/PEAP username/password authentication without requiring you to install a root certificate. Look in their knowledge base/customer support portal for manual IKEv2 setup instructions for your operating system and scan for mentions of installing any certificates.

Please also note that some VPN provides arbitrarily limits IKEv2 usage to iOS only. (Which suggests they prefer you install their certificates … .)

IKEv2/IPsec with EAP user/password authorization is supported in recent versions of Android (third-party app required), iOS, Linux, macOS, and Windows 10 (some extra work needed to work around an EAP

https://www.ctrl.blog/entry/vpn-root-ca-trust.html

Now, I suppose on issue on might have is they are connecting to their banking site from an unsure location. However, in this case a VPN shouldn't be needed to access your banking site because the ssl (i.e. https) protocol should protect you. If you are connecting to a site without ssl (i.e. http) then there is a chance that someone on the insecure network could snoop for your passwords. In such a case a trusted VPN (even if you are using the VPNs ssl cert) is better then directly accessing the insecure site from the insecure network.

All that said, VPNs do provide privacy protection but we still must consider the VPN as a possible privacy threat even if depending on the use case they may be more trustworthy then more official ways of visiting web sites.

[mikeslr]

Well, actually I would never attempt to access my bank from an insecure location; and it requires two-factor authentication or I wouldn't have even configured its online offering. My primary purpose of even doing that was to make it easy to (a) pay credit cards and (b) transfer funds into the debit account associated with paypal. Handling paper money is something I avoid since the start of the pandemic. Plastic can be sanitized.

While exploring I also tried to access my paypal account. I don't recall it even allowing me to get to the "enter password" GUI.

In the context of security addons, it seems malwarebytes offers one. A company with a long and good reputation.

[mikewalsh]

@mikeslr :-

Well, actually I would never attempt to access my bank from an insecure location; and it requires two-factor authentication or I wouldn't have even configured its online offering. My primary purpose of even doing that was to make it easy to (a) pay credit cards and (b) transfer funds into the debit account associated with paypal. Handling paper money is something I avoid since the start of the pandemic. Plastic can be sanitized.

While exploring I also tried to access my paypal account. I don't recall it even allowing me to get to the "enter password" GUI.

In the context of security addons, it seems malwarebytes offers one. A company with a long and good reputation.

With regard to your mention of "handling paper money", Mike, that's not something that's really been an issue for us this side of 'the Pond'. Whether it was prompted by some EU 'directive', I have no idea, but back in 2015 the Royal Mint began issuing polyester banknotes....literally, plastic notes! £5 notes were the first to be replaced, followed by the £10 note a couple of years later. £20 notes received the treatment last year, and if all goes according to plan, the admittedly smaller 'stock' of paper £50 notes should be getting phased out late next year/early 2022.

These things can, if you want, be dropped into a bowl of disinfectant, left to stew for a while, rinsed, dried, and used again.....and it won't hurt them at all. You try doing that with paper..!

I can see the logic behind it. I believe the EU have been using these polyester notes for around a decade; they have a very much longer projected lifespan, compared to paper. £5 notes - the most common - used to be worn out after 5-6 years, and the Mint had a constant, on-going major problem with disposal of the old ones. These new notes show every sign of lasting for their projected lifespan of 20 years.

Mike.

[user1111]

Run any instance of a Google program during a session and ... google is then seeing every keystroke and running in the background. Run iptables to block 80 and 443 outbound traffic ... and you'll still be able to do a google search. Type in individual letters into chrome and at each keystroke google present possible auto-completes.

Many sites use google name servers (8.8.8.8), and google records/retains everything. So they have the capacity to see what site(s) you intended visiting, and any encrypted data flows. If for instance Mr Goggle . . a google employee or someone that hacked into their systems retrieved such data, then for any given communication they might deduce a lot. Often the front page of a site will be relatively static, so a dns request that indicated you were bound towards that site together with the clear text content returned, as well as your encrypted data stream - makes 'cracking' trivial. Given the encrypted content and key, or clear text and encrypted text, or key and encrypted text ... and deducing the missing element (clear text, key, clear text ... respectively) - and google (and the NSA type entities google feeds into), or anyone stealing googles data ... have considerable power.

Most simply don't care about their online safety, which is paramount to not caring about their personal safety. They like the benefits that 'not caring' provides - facebook, youtube ..etc. etc. Any popular holes that google miss, tends to be reeled in, such as by using cookies, that 'for your best experience' permits google visibility, and if popular enough - well then get absorbed under the google umbrella.

There are alternatives, but they're less popular and less snazzy. At times you may still have to enter that spyware arena if you want to do the likes of online paying your monthly credit card bill etc. subject to whether your bank will or wont accept you using the likes of seamonkey web browser and your own ISP's dns for that transaction.

[user1111]

Over time I'm using https less. Just too much google control/spyware for my liking. A ssh tunnel for carrying vnc'd/gui-desktop running seamonkey/duckduck that also provides LibreOffice ...etc. functionality and that is net routed through yet another ssh tunnel - is good enough for me. And for the rest more often I'm not using http/https at all but instead using the likes of a tmux hashbang (ssh server) session with multiple instances of irc running (both weechat and irssi), mutt for email, calcurse for diary; Another ssh into sdf/other 'bulletin board' type systems and some direct BBS systems ... and that is way more than enough to 'keep me busy/connected'. There are multi-user games on many BBS's and sdf provides a extensive range of other functions https://sdfeu.org/w/tutorials:tutorials that mostly I don't use. For gaming at home we have a range of dedicated games consoles.

Personally I think that sort of 'online social circle' is far friendlier/less-intrusive/more-secure. If you care about your security then caring about who you socialise with/through is just part of that. Hang around with (use services of Google etc) those whose primary objective is to monetise you, and you'll obviously be lawfully-mugged - their 'security' claims are just a front.

In Puppy terms, IMO online banking is best performed using a pristine/clean boot, using a non google browser and non google dns (and don't access any google services), where you go straight to your banks web site nowhere else before or after (reboot again when done). A factor is that some banks automatically look to drag in google into that at their end, such as asking you to accept cookies that may be tied into google analytics (spyware). Even the UK government web pages that were excellent beforehand did start including that, but more recently have provided opt out. Why would they add in such google spyware? I suspect because fundamentally that also serves as a feed into state level spyware. Some time back I did email the gov.uk service pointing out that if they were going to attach google analytics by default then I would revert to using paper based tax returns in future. If enough people did contact their bank/whatever likewise then perhaps the message might get through - but I suspect that just ain't-going-to-happen. The current 'front-line' it would seem is the fight to retain the right to have/use physical money and paper based systems, a battle that is also being lost. Once lost, then you'll be left totally at the mercy of whoever has the capacity to turn the electronic switch (conquest by another state simply via the means to take-down/control services).

[mikeslr]

@ Mike Walsh: Government issued plastic. Great idea. On this side of the pond there's a substantial number of people who believe change --other than retrogression-- is the work of demons and shouldn't be facilitated; that incantations and wishful thinking will make bad things go away.

rufwoof: "Many sites use google name servers (8.8.8.8), and google records/retains everything. So they have the capacity to see what site(s) you intended visiting, and any encrypted data flows. If for instance Mr Goggle . . a google employee or someone that hacked into their systems retrieved such data, then for any given communication they might deduce a lot. Often the front page of a site will be relatively static, so a dns request that indicated you were bound towards that site together with the clear text content returned, as well as your encrypted data stream - makes 'cracking' trivial. Given the encrypted content and key, or clear text and encrypted text, or key and encrypted text ... and deducing the missing element (clear text, key, clear text ... respectively) - and google (and the NSA type entities google feeds into), or anyone stealing googles data ... have considerable power."

Wondered what anyone's thoughts are regarding the following:

For online banking and purchases using Paypal I employ firefox run-as-spot (clear everything on shutdown). That browser isn't used for any other purpose and no other web-browser is running while it's in use.

[If I were to conduct searches, Startpage acts as an intermediary for google-searches: Startpage claims that google only knows that Startpage made the inquiry; and that it doesn’t keep records of who asked].

The banking account which funds Paypal is a debit account [which never has more funds than I expect to need] distinct from my regular account. [I know: a different bank would be preferable but the system was set up long before online banking when physical withdrawals and deposits would have eaten into my then precious time. To now set up new Paypal & associated banking accounts is not only a hassle, but involves using a now much riskier internet].

The Login User-Names on these bank accounts, while easy for me to remember, are not quite the name by which I'm generally known. Passwords for these accounts are 16 random symbols generated by a program employing Chacha20 (256-bit key operating on 512-bit blocks). Since not even I can remember them, passwords are on an (albeit plain text) file buried among by now many thousand of files. When needed, with only firefox running, I open the file and use copy-paste to fill in the password box.
[How does copy/paste compare to using an a virtual keyboard? From "home" copy/paste should be preferable as it avoids typing errors. But what about when you’re in a less secure location?]

I have considered using lastpass. But frankly, other than regarding online financial matters, I don't care who knows what I'm doing. And employing lastpass means I'm storing my credentials online and depending on lastpass to be more vigilant than hackers trying to access the records it maintains.

Keypass (Linux version KeypassXC) seems a worthwhile addition to this system. Credentials are locally maintained in an encrypted database. You only have to remember the master password. And where you placed its database. Like my plain text file, you can bury it someplace. You can also copy and transport it to a different computer or USB-Key. It creates databases as hidden (./”dot”) files.

Just read the continuation of the discussion on the Beginner's Thread which inspired me to start this one. s243a has suggested a good reason to use (Chromium & Clones) incognito / (Mozilla etc) Private Window. It affords some protection against XSS attacks. For details read his post viewtopic.php?p=10107#p10107

[mikeslr]

Of course we all know that when you do a 'google-search' Google has more recordable information about you. But you probably think that DuckDuckGo and/or Startpage searches protect your privacy. Think again.
https://restoreprivacy.com/private-search-engine/

By the way, a couple of the Search Engines discussed there, receiving no income from advertisements, depend entirely on donations. Freedom isn't free. If you find yourself using those Search Engines, consider providing them with financial support.

[mikeslr]

According to https://restoreprivacy.com/private-search-engine/
"MetaGer also does well in terms of privacy... MetaGer converts search requests into anonymous queries through a proxy server, which also provides the anonymous viewing option with all results. User IP addresses are truncated for privacy, although user agent info is passed along to their search partners. MetaGer does not utilize cookies or any other tracking methods.

For operation stability and security, MetaGer does keep some logs on their own servers (in Germany), but this data is kept no longer than 96 hours and is automatically erased. MetaGer finances operations from user donations, as well as ads that are served through partner networks, such as Bing, which appear at the top of results. If you purchase a membership, however, you can get completely ad-free search results. (Without memberships and personal donations, MetaGer states they would not be able to continue operations.)

MetaGer runs all of its infrastructure on servers in Germany, which is a good privacy jurisdiction with strict data protection laws... MetaGer is completely open source. For those on the Tor network, MetaGer also hosts a .onion site. You can read more about using MetaGer, as well as their apps, plugins, and features, on their website. We’ll close here with an interesting quote I found on their site (translated from German):

'Did you know that according to the Patriot Act, all internet servers and search engines physically located in the jurisdiction of the United States are obligated to disclose any information to the intelligence services? Your personal data is at risk even if the servers and search engines don’t store any information: it is sufficient if the intelligence agencies read and store everything at the internet point of connection. All MetaGer servers are located in Germany.'"
If you're running firefox metager is an addon. As such it may have all the customization of searches --e.g. just images-- which I found somewhere to be available. But I was running a Chromium based web-browser and you won't find metager in the webstore. (Wonder why? ). But I could go into settings and add it; even designate it as the default search engine. Unless, however, you edit metager's settings you'll probably discover as I did that there's often a reply to your search terms "Website not found".

Attached is a screenshot of settings which seem to do the job.

metager-settings.png (19.64 KiB) Viewed 2825 times

Accomplished after much trial and error. I'd be interested learning of any improvements to them.

[s243a]

. But you probably think that DuckDuckGo and/or Startpage searches protect your privacy. Think again.
https://restoreprivacy.com/private-search-engine/

But if you really want good privacy then you can use duckduckgo over tor with JavaScript disabled. Remember duckduck go has an Onion Address.

[mikewalsh]

@mikeslr :-

I'm going to take a look at YaCy, which is a decentralized, peer-to-peer search engine.

It means running a Java app, and having Java installed on your machine, but it sounds like an interesting way of keeping out the clutches of the search 'giants'. I'll keep y'all posted.

The Linux version can be downloaded from here:-

https://yacy.net/download_installation/

Mike.

[mikeslr]

I'm still working with Ungoogled-Chromium under which extensions can't be added from the Webstore but search engines can be added via the Settings>Manage Search Engines>Add.
https://restoreprivacy.com/private-search-engine/ has this to say about SwissCows:
"Swisscows is a Switzerland-based private search engine that does very well with privacy and security. They promise no tracking or data collection, and even have a “Swiss Fort Knox” data center for their server infrastructure. From their website:

have our own servers and do not work with cloud or third party!
have our Datacenter in the Swiss Alps – THIS is the safest bunker in Europe!
have positioned everything geographically outside of EU and US.

In terms of privacy, Swisscows is one of the top choices, arguably better than many other private search engines. From their privacy policy:

We do not collect any of our visitors’ personal information. None whatsoever. When using Swisscows neither your IP address is recorded nor is the browser you are using (Internet Explorer, Safari, Firefox, Chrome, etc.) collected. No analyses are made, which operating system our users use (Windows, Mac, Linux, etc.); your search are not recorded either. We record absolutely no data from our visitors. The only information we store is the number of search requests entered daily at Swisscows, to measure the total overall traffic on our website and to evaluate a breakdown of this traffic by language and mere overall statistics.

Swisscows completely does away with statistics and analyses on its visitors in order to protect your privacy. Given that we do not collect any information on our visitors, we are also not able to identify your place of residence. Swisscows does not conduct any geo targeting.

Swisscows does not use Cookies which can be used to identify of a user."

Suggest you read the post linked to above to find out more. This Search Engine has some really nice features. It's continued existence may depend on your contributions. One feature is shown and two others hinted at by the attached screenshot.

swisscows.png (53.23 KiB) Viewed 2341 times

It's initial response to your search term displays the Semantic Map shown on the Right. Below the Search box are toggles for Regional Search and Filters. Regional Search seems to be some king of country limitation. "Filters" provides several viewing options.
I used the following to configure SwissCows. It works, but some improvement may be possible. I obtained the arguments by first opening a Swisscows.com as a webpage and conducting a search. Note the "ca" on the Keyword line was generated because before conducting the search I had chosen "Canada-English" from the Region toggle. You may want to use a different default.

p.s. Swisscows is an available addon under firefox-quantum. It is not available at all under Palemoon even thru modifying settings as above, or with Classical Addons loaded. You can, of course, use it thru its website and add that website as a launcher on a 'speed-dial'.

[mikewalsh]

I've come to the conclusion that YaCy is a bit too much like hard work; it needs all kinds of esoteric router settings adjusted to really work correctly. So, I'm giving that one a miss.

I too have been looking at Qwant. I like the look of it, I must admit.

Interesting that my own long-standing search engine of choice, DuckDuckGo, is bang in the middle of that list. "DuckDuckGo remains one of the most popular private search engines to date, and is well-regarded in the privacy community."

I knew there was a reason why I chose it....

Mike.

[mikeslr]

Hi Mike,

There's a reason DuckDuckGo falls in the middle. It's probably fine for conducting most searches. But it's located in the US where under the Patriot Act all internet servers and search engines physically located in the jurisdiction of the United States are obligated to disclose any information to the intelligence services. And it's owned by an advertising company which collects your personal information but promises only to use some of it. [Summary of statements here, https://restoreprivacy.com/private-search-engine/].
There was a time --long gone-- when a promise was a matter of honor and reputation mattered. Duels were fought to preserve them. Lying was a sin and the Hereafter a certainty. But only a couple generations ago a well respected Judge of the highest court in the US explained it's theory of contracts: "A contract is a promise to do something or pay damages". Now everything, even Human Life, is monetarized. Which results in culture, often found when people can hide behind a corporate shield, that when dealing with the public its profitable to employ the tactic known as "Catch me if you can".

[user1111]

Lynx is ok'ish as a search tool, but googler is nicer IMO, easily installed (IIRC you need to have perl installed/available for googler to work) using ...

Code: Select all

curl -o googler https://raw.githubusercontent.com/jarun/googler/v4.3.1/googler && chmod +x googler

.. especially if your terminal supports hover-over-and-click .. to open whatever browser you have associated to that. Sakura does, as does tilda, and full rxvt does as well - but often not the one installed by default (that requires something like 'perl extensions' to be added to support clickable links).

https://github.com/jarun/googler#downlo ... ingle-file

Java/java-script is paramount to running 'other peoples' code on your box (albeit in a 'contained' manner), which can be used to inform them of the fingerprint of that box. Even if that's achieved indirectly such as having a small presence within some other web page that you grant script running permission to.

Run chrome and its pretty much feeding the unique finger print of your box from the offset. Activate scripts on web pages associated to 'google analytics' and likewise. No different to having invited a (or more often stealthily imposed) snoop into your home who reports back all your ongoing activities.

I've 'installed' googler within my hashbang (ssh server) account, and have tllda terminal drop down quake style on pressing F1 (toggles hide/show) - sized to near full screen. So a search sequence is F1 ... to present a hashbang cli prompt (that I'd previously ssh'd into and leave running), type in googler <search term>, review the results, and clicking on any one of those results has my seamonkey browser open to that site (or if I type the search result number and press Enter I have it set to open that link using lynx running on hashbang).

Googler uses google search engine, as does duck duck go, but with ddg you're more at risk at missing giving unwanted permissions to run (java) scripts whereas ssh/cli is more resilient to not having 'unwanted things' copied-to-and-run on your system.

Googler is nicer than just using lynx/w3m/whatever, as it presents the clickable links and search item numbers ready to go, whilst with lynx/w3m its often the case that the actual link (url) will be more obscured.

s.jpg (157.06 KiB) Viewed 2297 times

[kenneth889]

I have been using YaCy for a long time. It is powerful, sophisticated, rich in features, and a customizable search engine. It is simple to install and simple to use but it doesn’t work out of the box which isn’t a big deal. Before using it, you have to make a few decisions like how to use it, for what purpose do you want to use it, and where will you use it. It keeps your privacy intact so there is no need to worry about this. I have used other software too but this one is way too good because all of them slow the speed of my internet and this one doesn’t. I would recommend that if you are using any other search engine, keep checking the speed of your internet here https://www.allspeedtest.com/ It will help you to solve a lot of your problems.

[8Geee]

I always find this subject rather interesting...

Reduction can be greatly improved by;

1.) NO wi-fi
2.) Firefox recent editions esr 60 + or FF65 +
a.) Install uBlock or AdGuard... I would also keep a list of so-called green-light addresses that don't look right. I have 92 mostly from Yahoo loading mini-movies disguised as tracking.
b.) Install Clear URL... because tracking DOES NOT END with cookies, your URL address bar can contain lotsa tracking stuff in that L-O-N-G address.
c.) Install CSS exfil this removes quite a bit of poorly designed/implemented CSS/XSS scripting
3.) Go to mail website and toss mail you don't want.

I have found that also configuring the browser to at least;
1.) false all autocomplete, and look-ahead
2.) only use GCM or CHA-CHA ssl certs, false the others
3.) false the developer tools (devtools)
4.) look for "wallet" and "hello", false both
5.) DON'T use SYNC

Good luck
8Geee