How to use an Apple Computer and never be tracked

[tebos]

The first starting point for internet privacy (not anonymity!) is using TOR for browsing, but beware it will slow down your connection quite a bit. (I'm using TOR on the most notorious websites I'm visiting )

Apart from that and depending on what browser you're using, you can use browser extensionss to block cookies, javascript, flash, ads and so on.

 

[dddaver]

So I live in fear? PLEASE don't assume. Anchor free.

 

[mojave green]

let's not forget, hidden in plain sight can work as well.

Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent.

Online, obscurity is created through a combination of factors. Being invisible to search engines increases obscurity. So does using privacy settings and pseudonyms. Disclosing information in coded ways that only a limited audience will grasp enhances obscurity, too. Since few online disclosures are truly confidential or highly publicized, the lion's share of communication on the social web falls along the expansive continuum of obscurity: a range that runs from completely hidden to totally obvious.

http://www.theatlantic.com/technology/archive/2013/01/how-to-think-about-your-online-data/267283/

and some tips from gemworld!
https://www.schneier.com/blog/archives/2008/06/security_throug_1.html

that was a good read babel. a bit over my head, but a good read.

i run JonDo as well. icmag chat don't work for me with disabled java though.

 

[babelfish]

let's not forget, hidden in plain sight can work as well.
http://www.theatlantic.com/technology/archive/2013/01/how-to-think-about-your-online-data/267283/

and some tips from gemworld!
https://www.schneier.com/blog/archives/2008/06/security_throug_1.html

that was a good read babel. a bit over my head, but a good read.

i run JonDo as well. icmag chat don't work for me with disabled java though.
[URL=https://www.icmag.com/ic/picture.php?albumid=46148&pictureid=1121075&thumb=1]View Image[/URL] [URL=https://www.icmag.com/ic/picture.php?albumid=46148&pictureid=1121076&thumb=1]View Image[/URL]

That's not a good strategy.

http://en.wikipedia.org/wiki/Security_through_obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.
Security through obscurity has never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of "keeping it simple". The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document. Quoting from one, "System security should not depend on the secrecy of the implementation or its components."[1]
It is analogous to a homeowner leaving the rear door open, because it cannot be seen by a would-be burglar.

http://redmondmag.com/blogs/doug-barney/2012/04/apple-security-myth-busted.aspx
Apple Security Myth Busted
Many of us are under the impression that Macs are inherently far more secure than Windows PCs, which is why I've bought no less than six Macs for my 4 kids -- even though they cost three times as much as an equivalent PC. I can't be bothered reinstalling Windows every six months, not to mention the time a horrid virus blasted my eight-year-old son with vile, unstoppable pop-ups -- pop-ups that would make Bob Guccione blush.

A theory on why Apple is safer is that there are fewer Macs to attack, so hackers don't bother. And the bad guys simply don't hate the Mac like they do Windows.

Eugene Kaspersky, founder of the security company that bears his name, apparently believes the latter. Now that hackers are taking aim at the Mac, these machines may be more vulnerable than their acolyte owners believe. They may even have to cough up for some security software unless Apple builds it and maintains it for them free like Microsoft now does with Security Essentials.

It may be that Kaspersky is trying to seed the market for Mac security software (his company does has a $40 antivirus package for the Mac), but I think that market will happen or not with or without Eugene's assistance.

First, he sees attacks on the rise and feels it's inevitable that the Mac become a major target.

While Apple does provide updates, it is over a decade behind what Microsoft does with Patch Tuesday, and here's a personal note: A decade ago, Microsoft chairman Bill Gates declared the Trustworthy Computing Initiative. If there's one thing Gates rarely or ever did, it was give lip service. And over the last 10 years, in my opinion, Microsoft has done anything but give lip service to security.

In fact, Kaspersky believes Apple needs to spend the kind of time Microsoft takes checking code for security problems. "Welcome to Microsoft's world, Mac. It's full of malware," Kaspersky says.
... ...

Now lets go for a little more hardcore source:

User: http://security.stackexchange.com/users/655/thomas-pornin
Curriculum Vitae - http://www.bolet.org/~pornin/cv-en.html

The discussion:
http://security.stackexchange.com/q...ite-a-cryptography-security-through-obscurity


up vote
36
down vote
My opinion (and I am a cryptographer -- I have a shiny diploma which says so) is that:

We cannot speculate on unknown algorithms, because they are, well, unknown.
NSA is like all secret services in the World, they really love secrecy and will practice it for the sake of it. So the fact that their algorithms are not published is in no way indicative of some particular strength or weakness of the said algorithms.
It is entirely plausible that the unpublished algorithms are indeed distinct from publicly known algorithms such as AES or RSA.
It is also entirely plausible that "Suite A" and "Suite B" are, in fact, identical. At some point, to use some algorithms, you must have implementations, and these things do not grow on trees. Having your own algorithms is thus expensive.
If I were a US taxpayer, I would be slightly dismayed at the misuse of my tax money, if it turned out that NSA spent it on developing and maintaining custom algorithms instead of reusing perfectly fine ones like the AES.
There most probably are some people with power to decide a lot of things in the NSA, who believe that not publishing algorithms increases their security. Such people exist everywhere. It does not make them right, though.
There is no better security than "cannot break it", which is what we already have with (properly used) AES, RSA, DH, ECC... The NSA could know of faster algorithms which are as secure as the public ones; however, it would be hard to beat the performance of hardware-accelerated AES, unless they have their own CPU foundry.
The danger in security by obscurity is in believing that it works well. It may induce people to feel safe with homemade algorithms, because they would assume that the obscurity will hide the weaknesses of their algorithms. However, if you use good algorithms with published and well-studied protocols (i.e. AES, SSL...) then there is no harm done in not saying that you do.

now admittedly its slightly offtopic (only very slightly), but the point is that the strategy is one that is in general weak. unless other steps are taken for anonymity too many pieces of information are easy to add up. Like just the plugins in your browser.

http://panopticlick.eff.org/

 

[Skip]

Yep, pretty much.
The DEA has access to NSA spy systems, so they can hunt you just like the cia hunts terrorists.
So far.

In the International arena, it's the other way around. The DEA sets up foreign governments with spy technology so they can BOTH can monitor all the communications in that country. They especially like to sell this kind of thing to oppressive regimes.

So the DEA monitors the foreign traffic and sends it to the NSA.

We have the Brits monitoring and recording all traffic in Europe and they also feed the NSA with the data.

This way the NSA can claim they're not monitoring everyone, since they have proxies all over the world doing the monitoring. And somehow, they're convinced this is all legal...

 

[mojave green]

And somehow, they're convinced this is all legal...

unfortunately for usa, our fucking politicians made it legal a while back. this so called war on terror is just like the war on drugs. a power grab to enslave the people. if the people would wise up and at the very least encrypt their internet traffic, it would really make the 3 letter agencies jobs more difficult...and i'm all for that.
heil homeland!

 

[gaiusmarius]

yeah would be awesome if everyone used some open source encryption for all communications, let them spend thousands decoding shit about going out to coffee etc. lol. you could bog them down with trillions of encrypted harmless emails.

how true is it that they look closer at all encrypted traffic? when i read that i was wondering if it's more a scare tactic or not?

 

[babelfish]

In the International arena, it's the other way around. The DEA sets up foreign governments with spy technology so they can BOTH can monitor all the communications in that country. They especially like to sell this kind of thing to oppressive regimes.

So the DEA monitors the foreign traffic and sends it to the NSA.

We have the Brits monitoring and recording all traffic in Europe and they also feed the NSA with the data.

This way the NSA can claim they're not monitoring everyone, since they have proxies all over the world doing the monitoring. And somehow, they're convinced this is all legal...

^-- yup - 110% yup

unfortunately for usa, our fucking politicians made it legal a while back. this so called war on terror is just like the war on drugs. a power grab to enslave the people. if the people would wise up and at the very least encrypt their internet traffic, it would really make the 3 letter agencies jobs more difficult...and i'm all for that.
heil homeland!

its as legal as killing children in the street. all of this goes completely against the constitution, and there's no way that any of the founding fathers would have cosigned any of this crap. its no more legal than 'following orders' for the nazi's during wartime, or 'following orders' when enslaving children in africa for the armies.

yeah would be awesome if everyone used some open source encryption for all communications, let them spend thousands decoding shit about going out to coffee etc. lol. you could bog them down with trillions of encrypted harmless emails.

how true is it that they look closer at all encrypted traffic? when i read that i was wondering if it's more a scare tactic or not?

Well the next step is a brute force attack against a key...

So the idea is that they are only supposed to look at foreign traffic... but encrypted traffic could be from anyone.. so they feel free to look @ it - till they find its not useful. They are not looking for just anything though, otherwise a zillion and a half more filesharers would be caught, all the jails would be full, and half of america would be locked up and guarded by the other half.. till they got caught too.. just to use one example.

 

[tebos]

Well the next step is a brute force attack against a key...

They don't even have do that, the major certificate authorities are actually based in the US, they just ask for their private key and can decrypt all traffic on the fly, it's as easy as that. I already read that they are doing it...

Edit: Here you go: http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/

 

[babelfish]

This does not give them access to keys you generate yourself.

 

[babelfish]

offtopic...

 

[JT McNutty]

Back to the original topic, do not use an apple if you want privacy of any kind. The other suggestions are good for the most part, but if you want an easier way, go to a thrift store, by a windows based laptop, wipe it and put a flavor of Linux on it, the most user friendly one is Ubuntu 13.04. From there, when you want to be anonymous, use a free wifi connection and do what you need to do on there. I would also set up a new email address or that box. Take a look at hushmailing for that. NEVER go to your new email address on any box that can lead back to you.

 

[dddaver]

Back to the original topic, do not use an apple if you want privacy of any kind. The other suggestions are good for the most part, but if you want an easier way, go to a thrift store, by a windows based laptop, wipe it and put a flavor of Linux on it, the most user friendly one is Ubuntu 13.04. From there, when you want to be anonymous, use a free wifi connection and do what you need to do on there. I would also set up a new email address or that box. Take a look at hushmailing for that. NEVER go to your new email address on any box that can lead back to you.

I had a hard drive fail on a laptop so I ordered a 160GB on ebay for $30 delivered and put Ubuntu on it. Mean, clean, fighting machine.

My ISP still gets all my data through it though.

 

[babelfish]

Back to the original topic, do not use an apple if you want privacy of any kind. The other suggestions are good for the most part, but if you want an easier way, go to a thrift store, by a windows based laptop, wipe it and put a flavor of Linux on it, the most user friendly one is Ubuntu 13.04. From there, when you want to be anonymous, use a free wifi connection and do what you need to do on there. I would also set up a new email address or that box. Take a look at hushmailing for that. NEVER go to your new email address on any box that can lead back to you.

dood. did you even read my post?

I had a hard drive fail on a laptop so I ordered a 160GB on ebay for $30 delivered and put Ubuntu on it. Mean, clean, fighting machine.

My ISP still gets all my data through it though.

You can only do so much.

Here's some fairly secure email practices:
http://gigaom.com/2013/06/15/how-to-prevent-the-nsa-from-reading-your-email/

 

[gaiusmarius]

at least your traffic with this site is not seen by your isp, it's ssl encrypted.

 

[Bababooey]

Take a look at hushmailing for that.

Yeah dude. Hushmail will respond to govt subpoenas or court orders. Thats why Osama didnt use it. He used PGP. I think.

 

[mojave green]

at least your traffic with this site is not seen by your isp, it's ssl encrypted.

and if one uses vpn, to connect with this site, it gets double encrypted! chew on that 3 leetter agency muthafukers! i got a right to privacy yet?

 

[babelfish]

https://www.eff.org/deeplinks/2013/...ward-secrecy-important-web-privacy-protection

Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection
When you access a Web site over an encrypted connection, you're using a protocol called HTTPS. But not all HTTPS connections are created equal. In the first few milliseconds after a browser connects securely to a server, an important choice is made: the browser sends a list of preferences for what kind of encryption it's willing to support, and the server replies with a verification certificate and picks a choice for encryption from the browser's list. These different encryption choices are called "cipher suites." Most of the time, users don't have to worry about which suite the browsers and servers are using, but in some cases it can make a big difference.

One important property is called "perfect forward secrecy," but only some servers and only some browsers are configured to support it. Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party. That particular threat may have once seemed unlikely, but we now know that the NSA does exactly this kind of long-term storage of at least some encrypted communications as they flow through telecommunications hubs, in a collection effort it calls "upstream."

How can perfect forward secrecy help protect user privacy against that kind of threat? In order to understand that, it's helpful to have a basic idea of how HTTPS works in general. Every Web server that uses HTTPS has its own secret key that it uses to encrypt data that it sends to users. Specifically, it uses that secret key to generate a new "session key" that only the server and the browser know. Without that secret key, the traffic traveling back and forth between the user and the server is incomprehensible, to the NSA and to any other eavesdroppers.

But imagine that some of that incomprehensible data is being recorded anyway—as leaked NSA documents confirm the agency is doing. An eavesdropper who gets the secret key at any time in the future—even years later—can use it to decrypt all of the stored data! That means that the encrypted data, once stored, is only as secure as the secret key, which may be vulnerable to compromised server security or disclosure by the service provider.

That's where perfect forward secrecy comes in. When an encrypted connection uses perfect forward secrecy, that means that the session keys the server generates are truly ephemeral, and even somebody with access to the secret key can't later derive the relevant session key that would allow her to decrypt any particular HTTPS session. So intercepted encrypted data is protected from prying eyes long into the future, even if the website's secret key is later compromised.

It's important to note that no flavor of HTTPS, on its own, will protect the data once it's on the server. Web services should definitely take precautions to protect that data, too. Services should give user data the strongest legal protection possible, and minimize what they collect and store in the first place. But against the known threat of "upstream" data collection, supporting perfect forward secrecy is an essential step.

So who protects long-term privacy by supporting perfect forward secrecy? Unfortunately, it's not a very long list—but it's growing. Google made headlines when it became the first major web player to enable the feature in November of 2011. Facebook announced last month that, as part of security efforts that included turning on HTTPS by default for all users, it would enable perfect forward secrecy soon. And while it doesn't serve the same volume as those other sites, www.eff.org is also configured to use perfect forward secrecy. Outside of the web, emails encrypted using the OpenPGP standard do not have forward secrecy, but instant messages (or text messages) encrypted using the OTR protocol do.

Supporting the right cipher suites—and today, for the Web, that means ones that support perfect forward secrecy—is an important component of doing security correctly. But sites may need encouragement from users because, like HTTPS generally, supporting perfect forward secrecy doesn't come completely without a cost. In particular, it requires more computational resources to calculate the truly ephemeral session keys required.

It may not be as obvious a step as simply enabling HTTPS, but turning on perfect forward secrecy is an important improvement that protects users. More sites should enable it, and more users should demand it of the sites they trust with their private data.

 

[babelfish]

tl;dr: this is why you should download the latest browser bundle package. and really you should run it from a booted linux install rather than mac or windows.

http://arstechnica.com/security/201...-keys-could-be-broken-by-nsa-researcher-says/
Majority of Tor crypto keys could be broken by NSA, researcher says
Got elliptical curve?

by Dan Goodin - Sept 6 2013, 4:15pm PDT
PRIVACY
42
The majority of devices connected to the Tor privacy service may be using encryption keys that can be broken by the National Security Agency, a security researcher has speculated.

Rob Graham, CEO of penetration testing firm Errata Security, arrived at that conclusion by running his own "hostile" exit node on Tor and surveying the encryption algorithms established by incoming connections. About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key. The analysis came a day after revelations the NSA can circumvent much of the encryption used on the Internet. While no one knows for sure exactly what the NSA is capable of cracking, educated speculation has long made a case that the keys Graham observed are within reach of the US spy agency.

"Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys," Graham wrote in a blog post published Friday. "Assuming no 'breakthroughs,' the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips."

He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That's the only Tor release that implements elliptical curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker.

Graham called on Tor Project leaders to do a better job of getting end users to upgrade to version 2.4, but he also couched his findings with a word of caution.

"Of course, this is just guessing about the NSA's capabilities," he wrote. "As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking."

PROMOTED COMMENTS
SmegheadArs Praefectus jump to post
Quote:
Graham called on Tor Project leaders to do a better job of getting end users to upgrade to version 0.2.4, but he also couched his findings with a word of caution.

It's not necessarily Tor's fault.

For example, Ubuntu 13.04 currently offers up Tor 0.2.3.5. The next version looks as if it'll do the same. Debian isn't necessarily any better; only the experimental version offers 0.2.4.x, and everything else is 0.2.3.x. 'testing' is still the defacto recommendation these days for anyone wanting to try Debian, right?

Fedora is no better. Gentoo offers 0.2.4.x if you're on an unstable version, otherwise it's 0.2.3.x for you, too.

Many linux distributions out there are woefully out of date on this stuff; it's not really surprising that the latest version has such little penetration.

 

[cactusjack]

... go to a thrift store, by a windows based laptop, wipe it and put a flavor of Linux on it, the most user friendly one is Ubuntu 13.04. From there, when you want to be anonymous, use a free wifi connection and do what you need to do on there.

Best advice in this thread. I've been doing this (with various Linux flavors) for about a decade now, anytime I want to connect anonymously. I never use this particular laptop for any other connections.