1 21d-PracticalPersonal

Previous: 21c-AppArmorSELinux.html

This is a common pattern:
https://www.reddit.com/r/ProgrammerHumor/comments/aloi5v/programmers_know_the_risks_involved/

1.1 Screencasts

Password for the Vimeo videos is in Zulip chat.
SP21: https://vimeo.com/545190785
FS20: https://vimeo.com/416093158
Tip: If anyone wants to speed up the lecture videos a little, inspect the page, go to the browser console, and paste this in: document.querySelector('video').playbackRate = 1.2

1.2 How to set up a small business or personal computer securely

Review the semester, current assignment
Not an academic lecture today!
A sample practical activity in setting up a personal computing environment for Confidentiality, Integrity, and Availability (the basic CIA of textbook security), for common tasks.

From the bottom up, hardware to high level:

1.3 Computer hardware, firmware, crypto-keys

Hardware in security arms race?
Hardware and higher level compromise?

Computer hardware (open, secure)
- Lists of open, and thus at least verifiable, if not trustworthy, hardware:
  - https://www.gnu.org/philosophy/free-hardware-designs.en.html
  - https://www.fsf.org/resources/hw
- Actually open:
  - https://en.wikipedia.org/wiki/OpenPOWER_Foundation
  - https://www.raptorcs.com/TALOSII/
- Partially:
  - https://puri.sm/
- A newcomer in 2019, not mature yet
  - https://en.wikipedia.org/wiki/OpenRISC
Hardware key tokens: manage passwords, 2-factor, etc.
- https://onlykey.io/
- https://www.nitrokey.com/
- https://solokeys.com/

1.4 BIOS, firmware-level

BIOS firmware
- https://en.wikipedia.org/wiki/Libreboot
Set up a BIOS password
Disable booting from USB sticks (other than at your first install)
Secure boot enabled (perhaps…): https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
https://www.qubes-os.org/doc/anti-evil-maid/
- https://en.wikipedia.org/wiki/Trusted_Platform_Module
- https://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html
- https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

1.5 Choose your computer operating system

https://en.wikipedia.org/wiki/List_of_Linux_distributions
- General purpose, with decent security emphasis
  - https://www.debian.org/
    - https://en.wikipedia.org/wiki/Debian
  - https://www.opensuse.org/
    - https://en.wikipedia.org/wiki/OpenSUSE
  - https://getfedora.org/
    - https://en.wikipedia.org/wiki/Fedora_(operating_system)
- https://en.wikipedia.org/wiki/Security-focused_operating_system
  - Offensive
    - https://www.kali.org/
      - https://en.wikipedia.org/wiki/Kali_Linux
    - https://labs.fedoraproject.org/en/security/
    - https://www.blackarch.org/
  - Defensive
    - Server-focus and special purpose (e.g., banking, email server)
      - https://www.openbsd.org/
        
        https://en.wikipedia.org/wiki/OpenBSD
      - https://www.centos.org/ (changing focus now)
        
        https://en.wikipedia.org/wiki/CentOS
    - Broad or personal computing, anonymity
      - Persistent
        
        https://www.whonix.org/
        
        https://en.wikipedia.org/wiki/Whonix
        
        https://www.whonix.org/wiki/Computer_Security_Education
        
        https://www.qubes-os.org/
        
        https://en.wikipedia.org/wiki/Qubes_OS
        
        https://subgraph.com/ (dead, insecure)
        
        https://en.wikipedia.org/wiki/Subgraph_(operating_system)
      - Not persistent (live)
        
        https://tails.boum.org/
        
        https://en.wikipedia.org/wiki/Tails_(operating_system)

1.6 Securely obtain the image file for your distribution

Verify the signature
- https://help.ubuntu.com/community/HowToSHA256SUM
- https://en.opensuse.org/SDB:Download_help#Checksums
  - https://en.opensuse.org/SDB:Live_USB_stick#Using_commandline_tools
- https://www.whonix.org/wiki/VirtualBox/Verify_the_virtual_machine_images_using_the_command_line
- https://tails.boum.org/install/download/openpgp/index.en.html#command-line
- https://www.kali.org/downloads/
If you are installing on your hard drive, make sure you have a clean USB stick

1.7 Install

Encrypt the whole disk
- Choose a very long good password
Encrypt your user directory
- Choose a very long good password
Create a user account with sudo access, so you don’t need to use the root account much if at all
Configure firewall settings (if not connected to a safe network, before updates)
- Either use an easy GUI (gufw, fedora firewall, etc) or iptables

1.8 Update all software (if not already done)

1.9 Post-install system OS hardening and configuration

Set up screen lock!
Elements / basics
- https://help.ubuntu.com/community/Security
- https://wiki.ubuntu.com/BasicSecurity
- https://securityinabox.org/en/guide/basic-security/linux/
Whole-system / detailed:
- https://doc.opensuse.org/documentation/leap/security/html/book.security/index.html
  - http://linux-pam.org/Linux-PAM-html/adg-example.html
- http://www.tldp.org/HOWTO/Security-HOWTO/
- https://www.debian.org/doc/manuals/securing-debian-howto/
- https://debian-handbook.info/browse/stable/security.html
- https://wiki.centos.org/HowTos/OS_Protection
Networking (more to come later!)
- How to set up secure remote access to your computer
  - https://wiki.centos.org/HowTos/Network/SecuringSSH
- https://wiki.centos.org/HowTos/Network/IPTables
Enable advanced sandboxing and access controls via 21c-AppArmorSELinux.html

1.10 Software

* General survey of secure and/or privacy-friendly applications for personal use:
    * https://prism-break.org/en/all/
    * https://www.privacytools.io/
    * https://github.com/Lissy93/personal-security-checklist
* VirtualBox, KVM, virtual machines
    * Use snapshots to keep the updated state clean!
* Web browsing
    * Browser choice
        * https://www.mozilla.org/en-US/firefox/
        * https://www.torproject.org/download/download-easy.html.en
            * https://www.eff.org/pages/tor-and-https (infographic)
            * https://en.wikipedia.org/wiki/Onion_routing
        * https://www.whonix.org/wiki/Comparison_with_Others
    * JavaScript: https://noscript.net/
    * Fingerprinting:
        * https://panopticlick.eff.org/
        * https://coveryourtracks.eff.org/
        * https://privacy.net/analyzer/
    * HTTPS
    * Browse in a virtual machine, and refresh snapshots!
* Communications:
    * Text/data
        * Comparison tables
            * https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients#Secure_messengers
            * https://bitmessage.org/wiki/FAQ#How_does_Bitmessage_compare_to_other_messaging_methods
            * http://secushare.org/comparison
        * Email can be secure?
            * gnupg (good, but not PFS: https://en.wikipedia.org/wiki/Forward_secrecy)
                * https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP
                * https://en.wikipedia.org/wiki/GNU_Privacy_Guard
                * https://www.gnupg.org/related_software/frontends.html#sec-1-2
                * https://www.mailvelope.com/
        * Chat-compatible encryption with perfect forward secrecy
            * https://en.wikipedia.org/wiki/Off-the-Record_Messaging
            * https://en.wikipedia.org/wiki/Signal_Protocol
            * https://en.wikipedia.org/wiki/OMEMO
                * https://conversations.im/
            * https://github.com/wireapp/proteus
                * https://wire.com/
        * p2p for A in CIA, (cryptography for the C and I)
            * Bote: https://en.wikipedia.org/wiki/I2P
            * Tox:
                * https://en.wikipedia.org/wiki/Tox_(protocol)
                * https://tox.chat/
    * Voice/video: https://en.wikipedia.org/wiki/Comparison_of_VoIP_software#Secure_VoIP_software
        * https://tox.chat/
        * https://en.wikipedia.org/wiki/ZRTP
            * https://linphone.org/
        * https://wire.com/
        * http://retroshare.net/ (and file sharing, email, etc.)
        Password managers: https://en.wikipedia.org/wiki/Comparison_of_password_managers
    * (not Linux/Unix exclusive)
    * A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or calculating them on demand. Types of password managers include:
    * locally installed software applications
    * online services accessed through website portals
    * locally accessed hardware devices that serve as keys
    * Remote versus Local
        * Remote, for example: https://lastpass.com
        * Local, for example: https://keepassxc.org/
* Hosting / server for C, I, and A in CIA triad
    * Tor hidden services:
        * Example: https://en.wikipedia.org/wiki/Sci-Hub (scihub22266oqcxt.onion) can only be visited using Tor browser, and can't easily be located or taken down forcibly (availability)
    * Eepsites: https://geti2p.net/en/
        * https://en.wikipedia.org/wiki/I2P
* File-sharing/transfer:
    * see general links above for secure p2p/direct file transfer methods
    * securing basic rsync
        * https://www.upguard.com/articles/secure-rsync
    * https://syncthing.net/
    * https://onionshare.org/
    * http://retroshare.net/ (and file sharing, email, etc.)
* Remote access:
    * ssh hardening
    * ssh on hidden service server
* Collaboration: see general links above

1.11 Privacy

Personal privacy tools:
- https://ssd.eff.org/
- https://www.sjpl.org/privacy
- http://thgtoa7imksbg7rit4grgijl2ef6kc7b56bp56pmtta4g354lydlzkqd.onion/guide.html

1.12 Operational Security (OpSec)

The most important thing on this list: STFU…

A fun note on modern interent op-sec: https://sive.rs/anon

1.13 Tangent: Phone

21d-PracticalPersonal/hippa.jpg
Are there any fully open/transparent phones? Not really, but some laudable efforts:
* https://www.pine64.org/pinephone/
* http://libresmartphone.com/open-hardware-smartphone/
* https://en.wikipedia.org/wiki/Openmoko
* http://wiki.openmoko.org/wiki/Main_Page
* https://puri.sm/shop/librem-5/
* https://volla.online