cross-posted from: https://hexbear.net/post/2646239
Many of you may or may not wonder what software to use. People may provide walls of text as a response, but you may just want something to reference without having to look into how the software works. I hope this can be that reference for all of you and anybody else who stumbles upon it. This is up for discussion and change, but I hope this can be a good baseline, as I myself have been making the changes to FOSS for a long time now, and it would be a good idea to have a recommended software/services page on Hexbear.
(The [*] marks the better option)
Workstations:
- OS: Linux, I reccomend Fedora with GNOME (for a new, but efficient and simple feel) or KDE (similar to Windows with more customization), but I know some people like Mint for new users. Install as much software as possible on flatpaks.
For maximum anonimity and safety, use Tails. Runs on USB, wipes data when removed.
- Browser: Firefox with Arkenfox, Tor Browser (For reliable anonimity; DO NOT ADD EXTENSIONS TO TOR BROWSER)
Mull can also be a good browser option with better content blocking. It is also not chromium, which while avoiding the monopoly, does leave it without site isolation (security feature) like other firefox mobile browsers.
- Browser Extensions: Ublock Origin (add Adguard URL Tracking Protection and Easylist Cookies blocklists), Libredirect.
- Office Suite: Libreoffice, OnlyOffice
- Password Management: Secrets on GNOME, KeepassDX on KDE. DO NOT REUSE PASSWORDS OR IGNORE THIS STEP!!!
- Music Downloading: Nicotine+ (Soulseek Client), make sure to use VPN
- Music Listening: Gnome Music (GNOME), Elisa (KDE)
- Network Permissions: Flatseal on GNOME, System Settings on KDE (search for “flatpak”).
- BitTorrent: Fragments (GNOME), Qbittorrent(KDE)
Mobile Devices:
- Phone: Google Pixel + Graphene OS*, Divest OS
- Browser: Vanadium*(Only on GrapheneOS), Mulch, Tor Browser* (For reliable anonimity; DO NOT ADD EXTENSIONS TO TOR BROWSER)
- App Stores: Fdroid Basic*, Aurora Store (Google Play replacement, use as needed)
- Password Management: Keepass DX, DO NOT REUSE PASSWORDS OR IGNORE THIS STEP!!!
- 2-Factor Authentication: Aegis (Android, 6 digit codes), Hardware Keys ($$$). SMS Verification is better than nothing, but avoid it if you can. DO NOT USE GOOGLE AUTHENTICATOR OR MICROSOFT EQUIVALENT
- Music Streaming: Harmony Music
- Music Listening: Auxio, Fossify Music
- Network Permission: Graphene OS is the only OS that has this functionality, find it in permissions settings.
- Camera: Graphene OS Secure Camera*, OpenCamera
- Notes/To Do: Fossify Notes
- Weather: Breezy Weather (Fdroid Version)
- Navigation: Organic Maps
- Voice Recordings: Fossify Voice Recorder
- Keyboard: Helioboard
- Lemmy: Jerboa
- Youtube Front End: Libretube, Poketube (Web App)
Proprietary Apps (Social Media, Banking, etc.) are best used as Web Apps, as privacy and security benefit from the browser sandboxing.
General:
- Search Engine: DuckDuckGo (more consistent, proprietary), SearXNG (open-source, less consistent).
- Chats:
- Large Groups (Like Discord, DO NOT USE DISCORD): Jami, Matrix
- Small Groups/Individuals: Briar* (only on Android), Signal (Struggle Session on Signal, I know there might be something wrong but at the same time Signal seems to encrypt everything)
- Email: Proton Mail + SimpleLogin Aliasing, try to avoid email as much as possible, Chat options are more private and secure.
- File Sharing and Syncing: Syncthing, but don’t forget that you can directly transfer files from devices with usb-c and usb-a cables.
- File Storage: Store files locally, sync between devices with Syncthing as needed. If you really need cloud storage, use Proton Drive.
- Password Management: Bitwarden, more convinient than keepass, while eliminating the risk of losing the file or having to manually sync. Only downside is that data is stored on their servers if not self-hosting, meaning it’s a bit more vulnerable to data breaches.
- VPN: Proton VPN for free, keep an account for each device as the free tier is limited to one device, Mullvad VPN* at a premium for reduced hassle and faster speeds(5 Euros per month)
- Social Media: Cut down on big social media as much as possible. Relocate to the fediverse, and be careful with what you post, it’s still public. Do not post too much identifiable information, do not dox yourself.
- Front Ends: Invidious (Youtube), Poketube (Youtube), Redlib (Reddit), and many others for a ton of different websites, all avaliable with the libredirect extension. I feel like the “datura.network” are pretty private and reliable, with a rotating IP to bypass blockage.
Got a lot of my info from here privacyguides.org, though some of this is based on my own experiences and suspicions.
If anything can be added, let me know! Love you all
UPDATE: I’m bad at titles, so that’s up for a struggle session.
This isn’t a guide to opsec as much as it is a guide to paranoia. Step 1 of OPSEC is figuring out your threat model, knowing who is trying to surveil you and why.
If you are simply trying to avoid being doxxed online by right wingers, pretty much every software you listed is extremely excessive. Just don’t reuse usernames or passwords on different website and you are fine pretty much. Don’t post your real name.
If you are trying to avoid surveillance by google or amazon, this is extremely difficult to the extent that you have to avoid most social media, block javascript on most websites making them nonfunctional, and even if you use a VPN, most people probably configure it incorrectly so that it’s still leaking DNS or something.
If you are trying to avoid being surveilled by the government, your first mistake is owning a computer and a cellphone. Pretty much every computer and cellphone is known to have hardware backdoors since at least 2009. If you think you are going to avoid government surveillance, you’re going to have to be using some pre-2008 computer and rotating out burner phones.
Besides that, pretty much everything you listed is a waste of time and effort. It’s a fun hobby maybe. It’s like when chuds spend thousands of dollars to buy some “zombie survival kit”.
Posts like this operate on the premise that you should be hiding that you are a Leftist. Socialism is only going to come through public-facing organizing of the working class.
What does real opsec look like? Knowing that you are being surveilled when you use any electronic device and not saying things that could incriminate you. Treat electronic devices like you are in a public space. When you shop at Walmart, you know that there are cameras that are recording you while you shop. Does that stop you from shopping at Walmart? No you just take in consideration that you are being recorded.
What does real opsec look like? Knowing that you are being surveilled when you use any electronic device and not saying things that could incriminate you. Treat electronic devices like you are in a public space
This the the unfortunate reality that most privacy focused individuals inevitably realize as they narrow down their threat model.
The lengths that you need to go to to even attempt to have true anonymity are intensely identifying in and of themself because you will be an exceptionally unique user. It’s the same fallacy as burning your fingerprints off and it makes you more uniquely recognizable than before under scrutiny.
If you are trying to avoid being surveilled by the government, your first mistake is owning a computer and a cellphone. Pretty much every computer and cellphone is known to have hardware backdoors since at least 2009. If you think you are going to avoid government surveillance, you’re going to have to be using some pre-2008 computer and rotating out burner phones.
Intel ME can be neutered on some post-2009 systems using me_cleaner. When that’s not possible, you can run a carefully configured firewall on an external trusted device (e.g. an open-hardware SBC with Ethernet input and output), or just use a reasonably powerful SBC as a standalone system for secure communication
Besides that, pretty much everything you listed is a waste of time and effort. It’s a fun hobby maybe. It’s like when chuds spend thousands of dollars to buy some “zombie survival kit”.
Posts like this operate on the premise that you should be hiding that you are a Leftist. Socialism is only going to come through public-facing organizing of the working class.
Privacy isn’t just about hiding that you’re a communist (which is perfectly valid in some cases), it’s also important for secure communication within revolutionary organizations. I disagree that it’s a waste of time, as long as you’re thorough (which this guide isn’t, but it’s still useful to some extent)
The “neutered” state of IME is not a full removal and it is not known whether neutering ME could open you up to new vulnerabilities because the IME still loads up but in a lesser form. Also to neuter IME, you have to attach a eeprom programmer to your motherboard. (I have done this before. I tried the IME neuter.) Normal people don’t know how to do an IME neuter. Did you just like link the github and think any person could neuter their IME by running some software? You have to physically rewrite the BIOS chip on your motherboard, potentially damaging your motherboard in the process. Only giganerds have attempted to do this.
IME was just one example. Modern computers have firmwares within each part of the hardware which act independently from the operating system. An SSD has it’s own firmware which thinks independently from your OS and could be potentially doing malicious things without you knowing it. Even “open hardware SBCs” use proprietary firmware blobs in the GPU and networking components. Electronic devices can not be trusted from government surveillance.
Privacy is a different thing from OPSEC. The OP of this thread changed the thread title after I made my reply. Originally it had said OPSEC. As I wrote in my post, OPSEC requires you to analyze your threat model to determine the level of OPSEC that you need. An org using GPG encryption to secure their communications is great. If an org were trying avoid government surveillance, they should likely meet in person for communications. Using TAILS with Tor to shitpost on hexbear is a waste of time.
I’m not arguing against privacy or OPSEC or Free Software. I love the EFF and FSF. I’ve used Debian for over 15 years now. I just don’t think that using Debian prevents the government from surveilling me. This post was originally called “Hexbear guide to opsec”, which I thought was misleading and the OP changed it to something else. I think OPSEC is important but the most important part of OPSEC is knowing your threat model.
Also to neuter IME, you have to attach a eeprom programmer to your motherboard. (I have done this before. I tried the IME neuter.) Normal people don’t know how to do an IME neuter. Did you just like link the github and think any person could neuter their IME by running some software? You have to physically rewrite the BIOS chip on your motherboard, potentially damaging your motherboard in the process.
no, it’s possible to overwrite the BIOS chip without an external programmer on some devices
Even “open hardware SBCs” use proprietary firmware blobs in the GPU and networking components.
not all of them, no
If an org were trying avoid government surveillance, they should likely meet in person for communications.
meeting in person involves plenty of different risks that don’t exist for electronic communication, and vice versa
no, it’s possible to overwrite the BIOS chip without an external programmer on some devices
Comrade, it has not been possible to overwrite a bios chip without an external programmer since like 2006. When you update your BIOS’s firmware, the existing BIOS verifies the new BIOS file using a PGP signature to check if the file has been approved by the manufacturer. This is in some ways a good thing because otherwise getting a computer virus would brick your PC by hijacking your BIOS.
are you claiming that it’s impossible to flash a third-party BIOS on post-2006 systems without an external programmer?
2006 was a date from my own personal experience. However, here is a document from the National Institute of Standards and Technology (NIST) US government agency. The document is called 800-147 Bios Protection Guidelines, published in April 2011. I am not positive that every manufacturer follows these guidelines but I did see that Dell and ASUS say on their website that all products comply with this document. It is at the very least an industry standard.
https://www.nist.gov/publications/bios-protection-guidelines
If you go to page 6 of the document, it says “Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware).”
The document then recommends the following guidelines for computer manufacturers to secure the BIOS, which as I mentioned in my previous post, prevents the installation of bios files which do not match the manufacturer’s digital signature.
Security guidelines are specified for four system BIOS features:
• The authenticated BIOS update mechanism, where digital signatures prevent the installation of BIOS update images that are not authentic.
• An optional secure local update mechanism, where physical presence authorizes installation of BIOS update images.
• Integrity protection features, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
• Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the authenticated update mechanism.So yes, I am claiming that is impossible to flash a third-party BIOS without an external programmer on most computers. Considering this was the industry standard in 2011, many computers had this protection before 2011, and even more protections have been added since then.
your argument wasn’t that it was impossible on most computers (I’ve already agreed that it’s only possible on certain devices released after the point where BIOS flashing protection became widespread), it was that
it has not been possible to overwrite a bios chip without an external programmer since like 2006
and even if you update that to 2011, it’s entirely possible to do on certain systems manufactured after that date using exploits
deleted by creator
The example I use is Intel Management Engine (IME), which began being added to computers in late 2008. The stated purpose of IME is so that corporate offices can remotely control every computer in an office building. However pretty much every Intel computer has this and it can’t be technically disabled. AMD has a similar feature called AMD PSP.
https://en.wikipedia.org/wiki/Intel_Management_Engine#Assertions_that_ME_is_a_backdoor
deleted by creator
It could! And they’ll get the ol’ solar panels and electric cars treatment with 100% tariffs, making them functionally unbuyable.
My opsec is to post all about my life and really dump my nuts on the table
The most common way for internet sleuths to doxx you is by identifying reused usernames or emails. Never reuse a username. Turn it into an improv game where you get better at coming up with usernames on the spot. Use throwaway emails when possible.
Also, I would add a section on threat modeling. None of this stuff is anything you can adopt all at once overnight. It’s a gradual process that will drive you mad as you learn more about how impossible it is to keep your setup “pure”. Threat modeling is important because it turns your vibe-based assessments and anxieties into tangible goals. What do you want to protect? How might it be attacked? How can those attacks be mitigated? Are those mitigations worth their costs?
Add bitwarden for password management as it works even if you lose the device
Yeah, especially if self-hosted it seems like a good option. Was a bit hesitant to add it since it’s online, but I realize now Keepass can be a bit of an inconvinience to a disaster if you lose the file.
Passwords aren’t data you can lose so I don’t recommend self hosting bitwarden unless you are a sysadmin by trade. It’s not that hard to lose data on something you run yourself.
That’s why I just run Keepass, self-hosting Bitwarden seems like a pain. I do see the use case for Bitwarden though, especially as a drop-in replacement for something like Lastpass, or even cases where files get moved around a lot (and possibly lost).
Not for everyday use but I feel everybody who cares should know about Tails and possibly even have a bootable USB drive setup just in case they ever need to use it
True, will add
Maybe add links to all these too just for convenience and clarity
uhm, ackshually, this is COMMSEC not OPSEC
I’m no expert, to be honest. I’ll probably change the name though, there may have been some confusion.
Front Ends: Invidious (Youtube), Poketube (Youtube), Redlib (Reddit), and many others for a ton of different websites, all avaliable with the libredirect extension. I feel like the “datura.network” are pretty private and reliable, with a rotating IP to bypass blockage.
There’s also Freetube. Freetube also has the added benefit of being able to block Youtube channels. This is extraordinarily beneficial if you’re tired of a million clickbait videos about how China will collapse.
That’s interesting, I was under the impression that Freetube was just an invidious client. I’ll add it, blocking certain content is good 👍
I steal music off nicotine+ and everyone gets mad at me
who gets mad?
Good list. It’s great to show that there are free software that can be used to replace ones dependency on nonfree software.
On the phone front, do I end up in the same position if I buy a phone direct from the manufacturer versus getting one with a discount through my carrier? Do the carrier phones have extra security to keep their bloatware in place no matter what or is an unlocked bootloader an unlocked bootloader and none of that stuff will matter?
Thoughts on Fairphone?
I’m not super knowledgeable on the subject, but one issue I do know is that certain carriers will prevent you from unlocking the bootloader on their carrier version of phones, preventing you from installing a different OS on them. A few of them do this iirc, but Verizon is particularly notorious for this. Getting an unlocked/carrier-agnostic phone is the safest bet for getting around that problem.
Fairphones are good, and last a long time. I wished GrapheneOS supported them, but I think DivestOS does.