Hack Liberty Privacy and Security Resources

Guides

• Anonymous Planet [Tor] - a community contributed online guide to anonymity written for activists, journalists, scientists, lawyers, whistle-blowers, and good people being oppressed, censored, harassed anywhere
• Privacy Guides [Tor] - a non-profit, socially motivated website that provides information for protecting your data security and privacy
• Extreme Privacy 4th Edition - Michael Bazzell has helped hundreds of celebrities, billionaires, and everyday citizens disappear completely from public view.
• Nihilism Network [Tor] - ultimately, this blog aims to showcase that technology, when used correctly, can allow one to transcend any limitation. be it to transcend surveillance, centralisation, deanonymization, lack of security. any ability that we have as humans, such as privacy, decentralisation, anonymity, security, plausible deniability can be protected and enhanced by using the correct technology.
• Anonymous Land - a community dedicated to providing anonymity enhancing guides and services
• No Trace Project [Tor] - no trace, no case. a collection of tools to help anarchists and other rebels understand the capabilities of their enemies, undermine surveillance efforts, and ultimately act without getting caught
• Qubes OS for Anarchists [Tor] - Qubes OS is a security-oriented operating system (OS), which means it is an operating system designed from the ground up to be more difficult to hack. Given that anarchists are regularly targeted for hacking in repressive investigations, Qubes OS is an excellent choice
• GrapheneOS for Anarchists - [Tor] - anarchists should not have phones. if you must use a phone, make it as difficult as possible for an adversary to geotrack it, intercept its messages, or hack it. this means using grapheneos
• Tails for Anarchists [Tor] - tails is an operating system that makes anonymous computer use accessible to everyone. tails is designed to leave no trace of your activity on your computer unless you explicitly configure it to save specific data
• Tails Opsec for Anarchists [Tor] - additional precautions you can take that are relevant to an anarchist threat model - operational security for tails
• Make Your Electronics Tamper-Evident [Tor] - if the police ever have physical access to an electronic device like a laptop, even for five minutes, they can install hardware keyloggers, create images of the storage media, or otherwise trivially compromise it at the hardware, firmware, or software level. one way to minimize this risk is to make it tamper-evident
• Encrypted Messaging for Anarchists [Tor] - This article provides an overview and installation instructions for Tails, Qubes OS, and GrapheneOS encrypted messengers
• The Cop in Your Pocket: Your Phone’s Location is tracked at ALL times [Tor] - your phone’s location is tracked at all times, and this data is harvested by private companies, allowing police to bypass laws requiring them to obtain a warrant
• Remove Identifying Metadata From Files [Tor] - metadata is ‘data about data’ or ‘information about information’. in the context of files, this can mean information that is automatically embedded in the file, and this information can be used to deanonymize you
• Defending against Stylometric attacks [Tor] - stylometric fingerprinting analyzes unique writing style (i.e., it uses stylometry) to identify the author of a work. it’s one of the most common techniques for de-anonymization, used by adversaries ranging from trolls to law enforcement
• Prism Break - opt out of global data surveillance programs like prism, xkeyscore and tempora.
• The New Oil [Tor] - the beginner’s guide to data privacy & cybersecurity
• Techlore - a small team educating people about digital rights, privacy, security, digital control, and other important topics to push the world towards a safer internet
• Into the Crypt [Tor] - the art of anti-forensics
• Advanced Privacy and Anonymity Using VMs, VPN’s, Tor - a series of guides that explains how to obtain vastly greater freedom, privacy and anonymity through compartmentalization and isolation through nested chains of VPNs and Tor
• How to create anonymous Telegram and Signal accounts without a phone - a guide for using Whonix & Anbox to create anonymous mobile accounts without a phone
• Security Tips & Devices for Digital Nomads - various tools and gadgets for OpSec, written with a preference for practical usability
• Telegram Security Best Practices - quick tips that will help you sleep better at night when using Telegram
• EFF Surveillance Self-Defense: The Basics - surveillance self-defense is a digital security guide that teaches you how to assess your personal risk from online spying. it can help protect you from surveillance by those who might want to find out your secrets, from petty criminals to nation states
• EFF Surveillance Self-Defense: Tool Guides - step-by-step tutorials to help you install and use handy privacy and security tools
• EFF Street Level Surveillance - EFF’s street-level surveillance project shines a light on the surveillance technologies that law enforcement agencies routinely deploy in our communities

Android

• A brief and informal analysis of F-Droid security - a write-up emphasizing major security issues with F-Droid
• Android Tips - list of tips for buying and using Android phones
• Android - common ways in which people worsen the security model of android

Secure Messengers

• The Guide to Peer-to-Peer, Encryption, and Tor: New Communication Infrastructure for Anarchists - an exhaustive anarchist overview and guide to various apps and tech that utilize peer-to-peer and encryption
• Secure Communications Comparison - communicating securely over the internet is a must. this article compares available and actively-developed projects that are used for secure communications
• Signal Privacy Concerns (2019) - arguments against the popular secure messenger signal
• A security analysis comparison between Signal, WhatsApp and Telegram [PDF] - a security analysis comparison between the three popular instant messaging apps. The analysis will focus on the encryption protocols used by each app and the security features they offer
• Wire (and Signal) use privacy-hostile Amazon AWS - wire (and signal) are centralized on amazon’s aws… there are substantial privacy and ethical issues with this
• XMPP: An Under-appreciated Attack Surface - a demonstration for why XMPP is of interest to penetration testers, security researchers, and defenders
• Wiretapping the largest Russian XMPP server - xmpp (jabber) instant messaging protocol encrypted tls connection wiretapping (man-in-the-middle attack) of jabber[.]ru (aka xmpp[.]ru) service’s servers on hetzner and linode hosting providers in germany
• XMPP: Admin-in-the-middle - in our opinion, you can’t refer to xmpp-based messaging as “privacy-friendly” as long as you don’t control all xmpp servers. an xmpp administrator (or any other server-side party) can inject arbitrary messages, modify address books, and log passwords in cleartext
• What a malicious Matrix homeserver admin can do - potential passive and active attacks from malicious homeserver admins
• Matrix? No, thanks. - matrix keeps growing. even the french government decided to use it. however, many free software activists refuse to use it
• Session’s Lack of Perfect Forward Security - “we don’t have any current plans to reintroduce pfs”
• Matrix Metadata Leakage - exactly what metadata Matrix leaks and why
• Matrix linked Amdocs found tapping South African cell phones - south african agents wrote in a 2009 document that they suspected that israel’s secret service, mossad, was using israeli software giant amdocs to eavesdrop on mobile phone conversations and gather data
• Why Not Matrix? - 22 reasons why not to use matrix

Desktop

• Desktop Linux Hardening - a guide that intermediate to advanced Linux users can reasonably follow to set up and maintain hardened security configurations
• Linux - an article debunking common misunderstandings on desktop Linux’s security model.
• Linux Hardening Guide - how to harden Linux as much as possible for security and privacy
• Choosing Your Desktop Linux Distribution - privacy and security considerations when choosing a Linux distribution
• security-misc - configurations to enhance Linux security
• The Linux Security Circus: On GUI isolation - article detailing the lack of GUI-level isolation in Linux, and how it nullifies all Linux desktop security
• Re: X11 → Root? (Qubes square rooted) - criticisms of the Qubes security model

Tor and VPNs

• VPN - a Very Precarious Narrative - criticisms for VPN use
• Commercial VPN Use Cases - realistics use cases for VPNs
• Don’t use VPN services - a case for ditching VPN use
• You want Tor Browser … not a VPN - use case comparisons betwen Tor and VPN use
• IPVanish “No-Logging” VPN Led Homeland Security to Comcast User - an article detailing the time IPVanish doxed a customer to Homeland Security
• Is Tor Trustworthy and Safe? - an article detailing considerations and cons when using Tor

General

• Security and Privacy Advice - security and privacy advice for desktop, mobile, browser, messengers, email, passwords, 2FA, and social media.
• Despite DoH and ESNI, with OCSP, web activity is insecure and not private - how OCSP responses are a privacy nightmare
• Badness Enumeration - why badness enumeration as a concept is flawed and some examples of its failings in practice
• The Six Dumbest Ideas in Computer Security - default permit, badness enumeration, penetrate and patch, hacking is cool, educating users, action is better than inaction
• Threat Modeling - the first task a person should do when taking steps to protect their privacy and security
• The right thing for the wrong reasons: FLOSS doesn’t imply security - source unavailability doesn’t imply insecurity, and source availability doesn’t imply security
• FLOSS Security - while source code is critical for user autonomy, it isn’t required to evaluate software security or understand run-time behavior
• Two types of privacy - two main approaches to privacy: “tracking reduction” and “tracking evasion”
• Recovering redacted information from pixelated videos - image/video blurring methods and their weaknesses
• Let’s Enhance! How we found @rogerkver’s $1,000 wallet obfuscated private key - by overcoming blurring techniques
• Email (In)security - email is an inherently insecure protocol, conceived at a time when security was an afterthought

Fingerprinting Articles

• NetworkManager Minor Hardening - MAC address randomization, removing static hostname to prevent hostname broadcast, and disabling sending hostname to DHCP server
• How CSS Alone Can Help Track You - how CSS can fingerprint with javascript disabled
• Browser Tracking - misguided ways in which people attempt to improve their privacy when browsing the web
• Don’t update NTP – stop using it - arguements for why NTP has to die

Fingerprinting Tests

• TorZillaPrint - comprehensive, all-in-one, fingerprinting test suite
• No-JS fingerprinting - demonstration of how fingerprinting can occur even in the absence of JavaScript
• CSS Fingerprint - exploiting CSS to collect various characteristics about the visitor
• CreepJS - creepy device and browser fingerprinting
• Kloak - Kloak is a Keystroke Anonymization Tool
• AudioContext Fingerprint - tests browser-fingerprinting using the AudioContext and Canvas API
• Available Fonts - gets available fonts on browser without flash
• Browser Fingerprinting - analysis of Bot Protection systems with available countermeasures
• BrowserLeaks - a gallery of web technologies security testing tools
• Canvas Test - checks if the addon CanvasBlocker can be detected by websites
• CSS Exfil Vulnerability Tester - test to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage
• Device Info - a web browser security testing, privacy testing, and troubleshooting tool
• DNS Cookie Demonstration - uses DNS caches as a side-channel to identify related network flows
• EFF: Cover Your Tracks - understand how easy it is to identify and track your browser based on how it appears to websites
• Epic Tracker - fingerprinting demo with some automated lookups using modern Javascript APIs
• Extension Fingerprints - detecting Chrome extensions by fetching web accessible resources
• Firefox Addon Detector - tracking 400+ firefox addons through chrome:// URI trickery!
• Iphey - Browser Fingerprinter
• Mouse Wheel Tracking Test - fingerprint based on tracking your mouse’s wheel
• Nothing Private - proof of concept to show any website can identify and track you
• PicassAuth - canvas fingerprinting
• Pixelscan - basically a bot check
• Privacy Check - this website aims to focus on each fingerprinting technique in detail
• scheme flooding - this vulnerability uses information about installed apps on your computer to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.
• SuperCookie - uses favicons to assign a unique identifier to website visitors. this ID can be stored almost persistently and cannot be easily cleared by the user
• Webgl Fingerprinting - uses different techniques to recognize whether a browser extension is spoofing the webgl fingerprint
• Zardaxt.py - TCP/IP fingerprinting for VPN and Proxy Detection

Surveillance Technology

• Ears and Eyes - searchable database of cases of physical surveillance devices (microphones, cameras, location trackers) hidden by law enforcement and intelligence agencies to surveil people or groups engaged in subversive activities
• Bugged Planet - a wiki about signals intelligence (SIGINT), communication intelligence (COMINT), tactical and strategical measures used to intercept communications and the vendors and governmental and private operators of this technology
• Harris: Wide Area Airborne Motion Imagery - wide-area motion imagery offers persistent, real-time surveillance for enhanced situation awareness through an intelligent, airborne sensor system
• CRI LodeStar Wide Area Motion Imagery (WAMI) - a demonstration of cri lodestar wide area motion imagery (wami) system
• Harris: Airborne Augmented Reality - video with augmented reality overlays enhances situation awareness for teams in the field, analysts and decision makers. overlays poi features, building names, and road names
• Harris: Locate GPS Jamming - harris signal sentry 1000 is a gps interference detection and geolocation solution. it provides a web-based visualization tool to support timely and effective actionable intelligence.
• Harris: Material Identification - harris material identification technology enables remote sensing systems to detect, identify and geolocate the presence of solid materials and gasses – on earth and in the atmosphere
• Elbit Systems / SPECTRO XR - spectro xr integrates a wide range of digital imaging, high-definition optical sensors and advanced lasers, providing simultaneous multi-spectral observation capabilities and enabling ultra-long-range detection.
• Police thermal imaging finds cannabis factory - It was a case of being caught red handed when the West Midlands Police helicopter found this cannabis factory using its thermal imaging camera
• The Stingray: How Law Enforcement Can Track Your Every Move - a “cell site simulator” initially developed for military use, Stingrays have made their way into local police and sheriff’s departments around the country
• How Police Cameras Recognize and Track You - wired spoke with several experts about the explosion of surveillance technology, how police use it, and what the dangers might be. as tech advances, street cameras can now employ facial recognition and even connect to the internet. what does this mean for the future of privacy?
• How China’s Surveillance Is Growing More Invasive - analysis of over 100,000 government bidding documents found that China’s ambition to collect digital and biological data from its citizens is more expansive and invasive than previously known
• Homeland Security Uses AI Tool to Analyze Social Media of U.S. Citizens and Refugees - babel x may provide to analysts a target’s name, date of birth, address, usernames, email address, phone number, social media content, images, IP address, Social Security number, driver’s license number, employment history, and location data based on geolocation tags and also cell phone gps tracking