Results 1 to 7 of 7

Thread: The Skadi Practical Online Privacy & Security Guide

  1. #1
    Spirit of the Reich "Friend of Germanics"
    Skadi Funding Member

    Ahnenerbe's Avatar
    Join Date
    Mar 2004
    Last Online
    European Union European Union
    Gau Westmark
    Zodiac Sign
    Ecological Geniocracy
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    102 Posts

    Exclamation The Skadi Practical Online Privacy & Security Guide

    UPDATED 01.04.2010

    This is the most comprehensive and easy to use privacy and security tutorial for the privacy-seeker and freedom-loving individual. As a majority of users have a Windows operating system, we'll use for this Guide a Windows operating system, i.e. XP, Vista, or Windows 7 as an example. Windows is a closed source operating system which is a law to itself. Each new update that is released by Microsoft seems to need further updates to fix the security holes discovered in the previous releases. It has been an ongoing process over many years with no end in sight. These weaknesses can manifest themselves as security holes when on the Net.

    A further problem with this operating system is its seeming determination to write to your hard disk all sorts of information that may be hidden from your view in all sorts of places that could be found by a forensic examination of your computer. The problem of Windows having the potential of security holes that might be exploited by snoops and hackers using the Net and a different security problem of writing all sorts of information to sometimes hidden folders that might not be obvious from a cursory check by you, but easily found by a forensic examination. To protect yourself from these potential weaknesses, follow the steps indicated in this guide. This information is meant to be used!

    Introduction: A Quick Overview of the Situation

    A few good reasons why you need privacy:

    Internet records are stored for a year in all European Union countries (2009)

    "Electronic Police State" international rankings

    EU Data Retention Directive

    We Lost the War. Welcome the World of Tomorrow

    We're not going to waste any more of your time by explaining all the possible dangers online. Basically, you have to assume that everything that isn't efficiently protected, configured or encrypted is recorded and stored forever. Don't bother to learn the ever-changing privacy laws; both the government and criminals ignore the laws and if they can technically get a grasp on your data and communications - they will. You just have to make sure that they cannot.

    Third parties like your phone company, your Internet service provider, the web sites you visit or the search engine that you use regularly collect a great deal of sensitive information about how you use the phone system and the Internet, such as information about who you're calling, who's emailing or messenging you, what web pages you're reading, what you're searching for online, etc. Many sites, such as Google, also build up a profile of your activity based upon your IP address, "cookies" (data stored from earlier visits), search requests and other factors, which can be retained indefinitely. Forums and blogs will always record your IP address along with your comments and retain them for years.

    Surveillance is even more intense in large corporate or government environments, where you may also have trouble visiting certain "unapproved" sites. All this results in accumulated profiling by Big Brother in order to identify dissenters, protesters, tax escapees and political opponents.

    Enough said. Now, skip directly to the next section to know all you need to do to protect your online privacy.

    I - Clean your computer

    It all starts with a secure and clean computer. Many PCs are riddled with viruses, spyware, toolbars, "helpers" etc.

    Get a reliable free Antivirus

    1) Get rid of anti-viruses such as Norton/Mcafee or similar bloat-ware and restart.
    2) Run "msconfig" as in this tutorial (Vista users just type "msconfig" in the Search box). Restart.
    3) Now install the free Avira Antivir which is currently one of the best and leanest antivirus.

    Get rid of Spywares and Malwares

    Malware is a catch-all term refering to software that runs on a computer and operates against the interests of the computer's owner. Computer viruses, worms, trojan horses, "spyware", rootkits and key loggers are often cited as subcategories of malware. Note that some programs may belong to more than one of those categories.

    Malware may be capable of stealing account details and passwords, reading the documents on a computer (including encrypted documents, if the user has typed in the password), defeating attempts to access the Internet anonymously, taking screenshots of your desktop, and hiding itself from other programs. Malware is even capable of using your computer's microphone, webcam, or other peripherals against you. Once installed, it can potentially nullify the benefits of other security precautions. For example, malware can be used to bypass the protections of encryption software even if this software is otherwise used properly. On the other hand, the majority of malware is mainly designed to do other things, like popping up advertisements or hijacking a computer to send spam.

    The majority of malwares are targeted at Windows operating systems so operating on any other system reduces your risk of being infected. Regularly updating your software to ensure defects that are discovered are repaired is helpful. Never running software of unknown origin is the best way to avoid being tricked into installing malware. Limiting the number of users on a computer with sensitive information is helpful. And most importantly running antivirus and antispyware software will help protect against most malware.

    A trojan is a background program that monitors your key-strokes and then either copies them to a secret folder for later recovery or sends them to a server when you next go online. Sometimes referred to as spyware. This may be done without your knowledge. Such a trojan may be secretly physically placed on your computer or picked up on your travels on the Net. Perhaps sent by someone hacking into your computer whilst you are online, or whilst visiting a Website.

    First of all you must have a truly effective firewall. It is not sufficient for a firewall to simply monitor downloaded data, but to also monitor all attempts by programs within your computer that may try and send data out. Download Comodo, which is one of the best free firewalls.

    You will also need to run weekly or monthly manual scans with Spybot (un-tick all options except Desktop Icon on install). In case of a stubborn problem, try a Malwarebytes one-off scan. If problems persist, then a backup and system reinstall is needed.

    Easy-to-use, simple, and effective anti-malware application. Whether you know it or not your computer is always at risk of becoming infected with viruses, worms, trojans, rootkits, dialers, spyware, and malware that are constantly evolving and becoming harder to detect and remove. Only the most sophisticated anti-malware techniques can detect and remove these malicious programs from your computer. Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware.

    PC Decrapifier
    Uninstall “craplets” and their preferences from a new Windows machine. PC Decrapifier is designed to remove from a new Windows PC all of the unneeded trial programs, add-on programs and advertising come-ons that PC makers typically cram onto the computer that are collectively known as “craplets.” These items can slow down a new machine and occupy disk space better used for programs and files you actually want.

    Full Computer Integrity Check up.
    The Belarc Advisor builds a detailed profile of your installed software and hardware, missing Microsoft hotfixes, anti-virus status, CIS (Center for Internet Security) benchmarks, and displays the results in your Web browser. All of your PC profile information is kept private on your PC and is not sent to any web server.

    Delete unwanted background programs to speed up your computer

    Go to Start, then run “msconfig”, then, with dialogue box that appears go to “startup” to see all the programs that you are automatically loading. To know what you can safely delete, & what you must retain, try this website:, Click on “Task List.”

    Get rid of Rootkits

    Free rootkit detective by Mcafee
    McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system. Allows the user to clean/remove the malicious objects from the system by renaming/deleting the hidden files/registry and terminate the malicious processes.

    Get rid of previous activity traces
    Is necessary to clear your computer of data retained from previous activity. On a PC, get the free CCleaner (un-tick everything except Desktop and Start menu shortcuts on install). Ideally, run CCleaner just before and just after any private browsing is required. The standard settings are fine – except be sure everything is un-ticked under Options > Advanced. Expect the first run to take a while and to be surprised how much junk there was. After that it will usually be instant.

    Clean, Repair and Defrag your Registry

    A quick search in your computer's registry will most likely reveal long ago deleted programs. These folders and sub keys should be deleted if they are left over from uninstalled programs and are no longer needed by you or any of the programs currently being used.

    1) Install a free program like Free Windows Registry Repair that will repair a clean your registry of the paths that are not used anymore.

    2) During the normal operation of a Windows system, registry data is constantly being written to and removed from the registry. Over time this data becomes scattered within the registry file and when information is deleted from the registry holes are left which fragment the data within the registry. Registry compacting optimizes your registry by removing gaps and wasted space, thus improves the whole system performance. Use Free Registry Defrag/Compact for this.

    Clean your Hard Drive

    Windows leaves all kinds of tracks behind, all over your hard drive, all the time. Download and install Eraser.

    "This program gives you secure file deletion, making sure that deleted files cannot be undeleted again. Deleting a file normally just removes the file's directory entry, but the data itself remains on the disk. This program completely eliminates the contents of deleted files. The highly acclaimed Gutmann disk cleaning method is now available as an option. This program can also clean the Window's swap file, and can optionally clean unneeded temporary files from your hard disk, such as your Internet browser cache, files in your system's Recycle Bin, and can clear the ‘recent files’ list. Comes with a direct disk viewer for discovering exactly what is on your hard disk."

    II - Erase the unwanted files on your system

    Okay so you've cleared your internet cache and deleted your online and most computer traces. However there are still loads of data, files, attachments and even email addresses that are left on your PC that you probably never realized and most certainly wouldn't want anyone else snooping around seeing, to learn or know about.

    Disable the Windows hibernation

    You must disable the Windows hibernation (power saving) feature. This is to ensure that you do not leave traces of unwanted plaintext files on your system. When Windows goes into hibernation it will dump everything that is in RAM memory onto the boot drive, by-passing the Truecrypt drivers. By-passing these drivers means it writes everything to disk in plaintext including the keyfile data which unlocks your most secret partition. This will defeat the whole purpose of having encryption. To disable hibernation, right click on your Desktop > Click on Properties > Screen Saver tab > Power Settings > click Hibernate > uncheck "Enable hibernation" > OK > OK.

    Flush the RAM

    Even if you use strong encryption on your hard drive, your operating system (Windows) might still give you away! When an encryption software starts, it will need the key and the passphrase for decryption. Per default many, if not most, simply store the key on your hard drive. And even if you keep your key in a safe place that no one would ever find it (like a portable encrypted drive), it will still need to be loaded to memory in order to decrypt.

    The same goes for the password. While it might only exist in your head at the time of boot up, the second you type in that password , chance are it's going into RAM. Now, what happens to things in RAM? They get swapped to disk. Also do you have any idea what temp files your encryption software makes? And what they contain. Are they properly erased or just removed from the allocation table (leaving the actual data still on the drive)?

    For all you know, the encrypted file might be written in plain text to the disk, then after you close the encryption software, the file either stays in place or is just deleted in the regular fashion, meaning that the unencrypted data is still intact and can be retrieved using "undelete" software
    . Someone who wants to seize a computer for evidence gathering (forensics) or to steal your secrets (espionage) could for instance run a small program that would bluescreen (BSOD) your windows box.

    Then the box would be powered off, opened, and the hdd would be extracted and hooked to a gizmo or computer that does a bit to bit copy, very much like the dd command on *nixion would. There are handheld devices made just for this, with IDE (or whatever) connectors and a fast hard drive. They can copy a disk perfectly in minutes.
    This could leave the intruder with a complete dump of your RAM and an exact copy of the entire file system. If the key and password are available in any way, shape or form, assume THEY will find it. And that will make your secure encryption scheme nothing more than an amusing puzzle for the spy or forensic expert - even though you memorized a 40 random character password and used a key length that even NSA would consider overkill.

    So what can you do to safe guard against this? Although there is no "solve all" solution, there are some simple steps however that can improve the odds:

    1. When opening an encrypted file or volume, do the changes you need to do, then close it and reboot.Make Sure you completely flush the RAM, using a program like NitroRAM and overwrite your disk cache. Don't leave the software running or the file or volume open when you're not using it. 2. Turn off hibernation as stated above. Make sure there are no processes dumping your RAM to disk or making "backup" copies of any relevant system files or the files associated with the encryption scheme.

    3. In Windows XP, there is per default one (albeit) small memory dump from each of the countless BSODs you surely have had since installed. Go turn the thing off in My Computer > Properties > Advanced > Startup and recovery settings.

    4. Move your temp/tmp folders to a proper place if you use Windows. Make sure you properly delete your temp files each boot and/or shutdown, using a secure deletion program like Eraser.

    5. Turn on complete memory dumping set:

    a) Go tot Start > Run > type regedit > look for the following key:
    b) HKEY_LOCAL_MACHINES?SYSTEMS\Current-ControlSet\services\i8042prt\Parameters\ CrashOnCtrlScoll

    c) Set the key value to 1,
    d) Hit CTRL+SCRLCK SCRLCK and Windows will dump the memory.

    Clean your "AppData" folder!

    On most Windows OS (operating systems,) the default settings hide the "AppData "folder and many other files, folders, ini files and other items as well. To view and locate your "AppData" folder:

    Click on "Control Panel" > Tools > Folder Options > View > AdvancedSettings > Hidden Files and Folders.

    There are several options under that heading. Tick inside the "Show hidden, folders and drives" circle. Then click okay and close your control panel. Now you should then be able to see your formerly hidden "AppData" folder as well as numerous other items, i.e. .ini files, etc. All will appear faded, but that's because they are "Hidden" files and folders revealed.

    To see the AppData folder, go back to your start menu and click on it. Then click on "My Computer > Local Disk (C > "Users"

    Open the "USERS" folder then locate the folder that has the same name as your computer name. As an example, when you installed your operating system you were probably asked what name you wanted your computer or laptop called and known as. You might have called your PC "My Computer Name." Inside your "MY Computer Name" folder, you will see a slightly faded folder called "AppData." Click on and open the "AppData" folder. Inside you will see several folders, one of which should be called "Roaming." Open the "Roaming" folder.

    Inside your "Roaming" folder you'll see numerous folders with the names of programs you're currently using, and quite possibly some folders containing the names of programs you thought you uninstalled, perhaps some time ago.

    If you use PGP (and you really should), you will see a folder called "PGP Corporation." Open that "PGP Corporation" folder. Inside you'll see another folder called "PGP." Open the "PGP" folder. Inside the "PGP" folder, you'll see a "Cache" folder and several other funny looking files and such. Some of those items will/should be one or more text files called "PGPlog.txt", "PGPlog1.txt", etc. and so on. Open those text files and read what's in them. Chances are there will be a list, a record of pgp emails you've sent or received along with the EMAIL ADDRESSES attached to the pgp keys you've used for 'secure' communications. That's not Pretty Good Privacy in our book!

    In the, hopefully, unlikely event your laptop or PC is compromised, that information in the hands of another person or authority could be dangerous to your health. Therefore it might be a good idea to get into the habit of deleting your "PGPlog.txt" files every day for greater privacy!

    In the event you uninstalled any unwanted program such as an email program, you'll probably see a folder in your "AppData Roaming" folder with the name of that uninstalled program. E.g. you uninstalled "Poco Mail" sometime back. Open the folder "Poco Mail" and see what traces have been left behind. You'll be shocked to see what's been left in that folder AFTER you thought you uninstalled that email program. You probably assumed that the uninstall deleted all former folders and content in your email program. You might even find long deleted attachments that could be embarrassing or worse for you!

    III - Secure deletion

    When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't! Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden is to make sure they get overwritten immediately. Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again.

    Wipe unused disk space

    Install Eraser to wipe unused space on your drive and secure delete your sensitive files (passwords, personal information, classified documents from work, financial records). Eraser is an advanced security tool for Windows which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.

    Tip: Do not use it on your encrypted drive or it may be a pointer to where the hidden container lies (see tutorial about how to setup an encrypted drive below in this guide)!

    A Warning About the Limitations of Secure Deletion Tools

    Even if you follow the advice above, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

    For example, on Windows, a copy of Microsoft Office may retain a reference to the name of a file in the "Recent Documents" menu, even if the file has been deleted (office might sometimes even keep temporary files containing the contents of the file). OpenOffice may keep as many records as Microsoft Office. In practice, there may be dozens of programs that behave like this. Using CCleaner and th Free Registry Cleaner (described above) may reduce this risk.

    Secure Deletion When Discarding Old Hardware

    If you want to finally throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this — and hard drives are resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. Even if you're not getting rid of it right away, if you have a computer that's reached the end of its useful life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is an excellent free tool for this purpose. Another, paying solution is Applied Magnetics Laboratory (Military security and data destruction equipment for sensitive, classified and secret data of all kinds).

    Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

    Discarding CD-ROMS

    When it comes to CD-ROMs, you should do the same thing you do with paper — shred them. There are inexpensive shredders that will chew up CD-ROMs. Never just toss a CD-ROM out in the garbage unless you're absolutely sure there's nothing sensitive on it.

    IV - Secure your Data: Create an Encrypted Drive

    There are many commercial encryption products, but one of the best is TrueCrypt, known as an OTF (On-The-Fly) type program. OTF means the encrypted data is only decrypted into RAM (Random Access Memory) and remains at all times encrypted on the drive. Thus a computer crash will not leave packets of plaintext on your drive. A very important feature.

    TrueCrypt is a free and open source program. It does not display any file header info to help a snooper identify the file's purpose. The header is encrypted and shows as random garbage. It also allows encryption of a whole partition or drive and again does not display any info to help an attacker. The source code is freely available so it means anyone with the ability can compile the same program. The importance of this cannot be too strongly stressed. It means the risk of a hidden back-door is virtually eliminated. TrueCrypt also offers strong plausible deniability. TrueCrypt only encrypt data files, not the Windows operating system.

    - it creates a virtual encrypted disk within a file and mounts it as a real disk.
    - it encrypts an entire partition or storage device such as USB flash drive or hard drive.
    - it encrypts a partition or drive where Windows is installed (pre-boot authentication).
    - encryption is automatic, real-time (on-the-fly) and transparent.
    - it provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
    Hidden volume (steganography) and hidden operating system.
    2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

    Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.
    Further information regarding features of the software may be found in the documentation.

    What programs do I put in my newly Encrypted Drive?

    All your sensitive files and documents, plus the portable version of the specialized programs you use to help you achieve anonymity and privacy. See further down this Guide, "How to Setup a Portable Virtual Encrypted Environment".

    How difficult is it to break into one of these programs?

    Very difficult, in fact for all practical purposes, it is considered impossible. In most cases, the weakest link will be your pass phrase, or being compromised by a keylogger.

    Your pass phrase should be long. Every extra character you enter makes a dictionary search for the right phrase twice as long. Each time a bit is added it doubles the number crunching time to crack into the program. Each keyboard character roughly equates to 8 bits, and is represented on the drive as two hexadecimal characters. This suggests a 20 character pass phrase is roughly equal strength to the encryption. In practice, probably not. A keyboard has around 96 different combinations of key strokes, thus multiplying this number by itself 20 times is a hugely large combination, ensuring a high probability of defeat at guessing a pass phrase. But few people can remember a truly random 20 character pass phrase. So most people use a less than random one. This means it should be longer to help compensate for this lack of entropy.

    In some countries, even this might not be enough. Such countries can force you to hand over your pass phrases to these encrypted drives by threatening imprisonment. As more and more judicial systems seem to be leaning ever closer to this sort of injustice, it is more and more important for the individual to protect himself, for example using plausible deniability.

    Use Plausible deniability

    The purpose of Plaubsible Deniability is to offer users a way to not only encrypt their files, but to prevent an attacker from being able to even deduce the existence of some of the encrypted files. The user will have a way to "plausibly deny" that the files exist.

    One example of this concept is TrueCrypt's ability to have an encrypted partition (which can be hidden as any file on your hard drive) and within that partition hide another partition. One password will reveal the outer partition and another separate password will reveal the inner one. Because of the way TrueCrypt encrypts the partition table itself, an observer cannot detect a hidden partition even if she has access to the "regular" encrypted share. The idea is to give the user something to decrypt if a law enforcement officer or Customs official asks, while keeping the rest of their information secure.

    Plausible deniability is the ability to offer irrefutable justification for every single file, folder, container, partition and drive that might contain encrypted data. Truecrypt allows dual booting into either of two entirely separate encrypted drives, each invisible to the other with both using the same drive partition. One of these may be called your "honeypot" encrypted drive, meaning it contains encrypted data that you are prepared to show under duress.

    The second (hidden) operating system will contain your most secret data that you never release. Its presence can only be known by correctly guessing the second most secret pass phrase for that operating system. No other way exists to prove there is a second secret encrypted drive. Examination by forensics of your encrypted boot drive can only show the usual random data that is associated with an encrypted drive. Nothing else. This means excellent plausible deniability. Read the TrueCrypt tutorials for more information on how to setup a hidden volume inside your "official", honeypot encrypted drive.

    In practice, TrueCrypt's first attempt to implement this feature was shown to be ineffective because operating systems and applications leave so many traces of the files they work with, that a forensic investigator would have many avenues by which to determine that the inner partition existed. The TrueCrypt developers have responded to this research by offering a way to install and boot from an entire separate operating system within the inner partition. It is too soon to know whether their new approach will turn out to offer secure plausible deniability.

    Technical issues aside, remember that lying to a federal law enforcement officer about material facts is a crime, so if a person chose to answer a question about whether there were additional encrypted partitions on a computer, they would be legally obligated to answer truthfully.

    What if encryption is illegal in my country?

    You can still use TrueCrypt. You will need to ensure it is installed at the end of a drive. By ensuring there is some space at the end of a partition, Truecrypt can use this space, despite it not necessarily being allocated a drive letter by Windows. It will have to be run off a floppy and you will still need to hide the floppy effectively in the case of a search. The rest is up to your own initiative.

    Disk Encryption is of Little Use in Civil Lawsuits

    It is extremely important to note that disk encryption is unlikely to offer much protection against civil litigation. Many of the procedural obstacles which might apply to law enforcement attempts to obtain encrypted data during a criminal investigation would not apply in a civil case. If an adversary in a civil case persuades a judge to issue a subpoena for your data, a failure to decrypt and disclose the data would be held against you in the case.

    If your threat model involves civil litigation, it is essential to simply not have the data on a computer in the first place, or to have secure deletion practices in place long before any lawsuit is filed. Once a lawsuit is filed, you will be obliged to preserve any pertinent documents, and the presence of forensic evidence that you deleted data after a suit was filed would have dire consequences.

    Secure your Passwords

    Save all your passwords in this encrypted file. With this tool, you’ll only need to remember one password to get into the software:

    KeePass Password Safe
    Keep track of all your different PIN-codes and passphrases. KeePassis a free, open source, light-weight and easy-to-use password manager. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. KeePass is really free, and more than that: it is open source (OSI certified). You can have a look at its full source and check whether the encryption algorithms are implemented correctly.

    V - Secure your online activities

    You should definitely keep "two sets of books" with your internet provider: one consisting of all your unencrypted, plain text communications, the other consisting of an entirely secure and anonymous Virtual Private Network (VPN) connection to your websites, chat, voice, video and email communications.

    A VPN is easy to set up and maintain. It makes every transmission sent from a computer in the network encrypted. The VPN does all the coding and decoding for you. A VPN also hides your IP address when you leave the network and use Google or any other online search engine. Using a VPN is easy and will protect you from competitors, the government, criminals, telecom operators or anyone else seeking to access your sensitive information.

    Whenever your browser fetches a page, image or script from a website, you should expect the website to record the IP address of the computer you're using. Your ISP, or anybody with the power to subpoena your ISP, could tie those records to the Internet account subscription you are connected through. Use a secure VPN if you wish to prevent these records from being created.

    Get a Secure VPN

    Never surf naked. Always, always use a secure connection. One other way would be to use the TOR anonymous internet system. The only problem here is the unreliable browsing speed and inconvenient setup, and rumors of probable government agencies implications in the Tor nodes. But there are easier ways.

    For a permanent, reliable solution you need access to a Virtual Private Network or VPN service. VPNs are routinely used by businesses to securely log in to office networks from home. A VPN privacy service can completely hide your IP address from the sites you visit, as well as obscuring and encrypting the content, sites and servers you visit from your internet provider, government and spies. Basically, it will tunnel everything you do to another computer in another part of the world of your choice. It does mean trusting the VPN provider to some degree (the best providers keep no logs at all) and it does mean paying a subscription. But you will get fast or even full internet speeds. Besides, a professional VPN is is quite easy to install and to use for both Mac and Windows users. You can compare all kinds of VPNs here. One of the best is Perfect Privacy. Another good one is

    There are also free VPNs around for your low-privacy needs. Those free VPN are not so secure because they are based in the US or in Germany, which are both among the worst police states:

    CyberGhost VPN (free and premium)
    This VPN is from Germany and it is very efficient. It offers you free 1GB traffic/month. With 1GB I say you can do alot of stuff. This VPN is very fast, as fast as 500KB/s. You need to download their software and register an account. We don’t recommend you to connect to your account and go full around watching youtube videos or downloading stuff with it, depleting your traffic on useless things. Use VPNs only to forward our WN/NS ideals. If you want more traffic you can register a premium account with CyberGhost. If you need more GBs and have no money to buy premium, just make more accounts, you only need more emails which are free anyway. Here are a few free VPN services:

    AlonWeb. AlonWeb is not a software but a server. First you need to download OpenVPN free software, register a free account on AlonWeb and you’re all set.

    UltraVPN. UltraVPN is just another free server for OpenVPN. It works just as AlonWeb.

    ItsHidden. This VPN from Netherlands it’s not based on a software but a setup from inside your Windows or Mac, which is very simple. First you need to register a free account from here. After you register an account, you must setup your Windows.

    By channeling your internet traffic through anonymous proxy servers outside of Europe and the United States, law enforcement or any other spy can only trace a stream of traffic from your computer to a proxy server. Since your traffic is encrypted, it is impossible to find out what kind of traffic you have generated. Through an "encrypted tunnel" (a VPN or an SSH-connection), you can connect to a server on the other side of the world. From that server, the internet traffic can then be forwarded anonymously to its destination (the website you want to visit). By hiding the data inside of another protocol and encrypting it once more, even in case of live interception it would be almost impossible to retrieve the actual content.

    Note: As private VPN services are membership-only, they are operated as a closed service (open only for certain people). Because not everybody can obtain access to it, legally it is not a public telecommunication service. Thus they are not obliged to retain any logfiles!

    A VPN will build automatically and transparently to the client (you) an anonymous and encrypted route across the Net. A web proxy is only a service that will hide your IP address to the websites you visit. Good VPN providers accept many anonymous types of payment, including cash and e-currencies.

    To maximize your security, you can sign up anonymously and only ever access their servers via another VPN, or using Tor. This hides your IP address from them. If you really need strong privacy, don't forget to use an anonymous email address as well.

    Important! How to configure your VPN

    There is a technical warning about "DNS leaks": These can possibly bypass your VPN protection if not properly configured. Although the actual content of your traffic is kept secure at all times, the addresses of sites visited could be visible and therefore logged. The fix does require extra steps but is reasonably easy: full instructions and a test here.

    To check out if you're properly protected behind your VPN connection, use an IP locator service such as InfoSniper. It will geolocate your IP addresses so that you can verify that you are effectively connected to the right proxy server.

    A VPN provider allows you to choose between anonymous servers in different jurisdictions. It is thus preferable to use servers in the most secure jurisdcitions and avoid those in Big Brother countries. The Electronic Frontier Foundation ranked the top 10 electronic police states as North Korea, China, Belarus, Russia, UK, France, Germany, and of course, the United States. On the other hand, countries that respect electronic privacy include Panama, Costa Rica, most developed Caribbean nations like the Bahamas, Brazil, the Philippines, and Switzerland.

    Secure your Wi-Fi communications

    Listening in on unencrypted Wi-Fi communications is easy. Almost any computer can do it with simple packet-sniffing software. Special expertise or equipment isn't necessary. If you want to protect your wireless communications from the government or anyone else, you must use encryption!

    Almost all wireless Internet access points come with WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access) encryption software installed to encrypt the messages between your computer and the access point, but you have to read the manual and figure out how to use it. WEP is not great encryption and practiced hackers can defeat it very quickly. WPA is much stronger than WEP, but it still only covers the first step your packets will take across the Internet.

    If you're using someone else's "open" (unencrypted) wireless access point, like the one at the coffee shop, you will have to take care of your own encryption using a VPN such as described above.

    Because of the threat of password sniffing, it is crucially important that you do not use the same password for all your accounts! For example, requires a username and password to log in, but the site does not use encryption. However, web sites for banks, like always use encryption due to the sensitive nature of the transactions people make with banks. If you use the same passwords for the two sites, an eavesdropper could see your unencrypted password traveling to the newspaper site, and guess that you were using the same password for your bank account.

    Bypass Compulsory Registration. Find and share logins for websites that force you to register!

    VI - Secure your Web Browser

    A warning about MS Internet Explorer

    MSIE is a dangerous program designed by MS to allow remote servers to access your computer's registry. Although designed for use by MS to allow easy updating of the Windows Operating System, this feature could be used by any site to access your IP address, even your machine ID and your personal Credit Card details or worse, far worse, your saved pass phrases! This can be done even if you have logged onto a site through a chain of proxies. In other words Microsoft Internet Explorer is an absolute no-no as far as anonymity is concerned.

    Be wary also of Windows Media Player. It creates a unique ID number in the form of a 128-bit GUID (Globally Unique Identifier) which will uniquely identify your computer to the world at large. It is stored in the Windows Registry (Start > Run > type regedit) here: HKEY_CURRENT_USER\Software\Microsoft\Win dowsMedia\ WMSDK\General\UniqueID.

    This ID number can be retrieved by any web site through the use of JavaScript. Hence the reason why it MUST be disabled. The ID number is called a super cookie because it can be retrieved by any web site. This super cookie can be retrieved by any site to track you and web sites can share this information with each other, allowing them to create a sophisticated profile about your Internet usage. Worse, cookie blockers cannot block its use!

    The easy way to fix the problem is in Windows Media Player > Tools > Options > Player. In the "Internet settings" section, uncheck the box next to "Allow Internet sites to uniquely identify your Player." Or you can ensure that Windows Media Player is not enabled at all. To do this go Start > Settings > Control Panel > Add/Remove Programs > Set Program Access and Defaults > Custom > clear the button for both Real Player (another bad one) and Windows Media Player and also clear the button where it says "Enable access to this player" for both of them. I choose both of the above methods as I believe in belts and braces when it comes to privacy.

    Controlling and Limiting the Logs Kept by Your Browser

    Using a web browser causes data to be stored on your computer and logs to be stored on the web servers you visit, and frequently transmits unencrypted information. Until you have understood the mechanisms by which this occurs (and taken steps to prevent them) it is best to assume that anything you do with a web browser could be recorded by your own machine, by the web servers you're communicating with, or by any adversary that is able to monitor your network connection.

    Web browsers often retain a large amount of information about the way they are used. A browser typically keeps a history of the web pages it visits. Browsers also often retain cached copies of the pages you've visited, information about which accounts you log into on web servers, names and other data you enter into web forms, and cookies that record preferences and link your browser to records on third party web servers. Fortunately, browsers also include features for managing these records. In general, the features are getting better, so it's getting easier to control browser records.

    Web servers usually see and retain a large amount of information about what you do when you surf to them. For instance, if you type any information into a form on a web page (such as a search engine), the server will record not only what you sent it, but also information that might identify you: your IP address, the browser and operating system you are using, whether you followed a link from another web page to get to the page, what that previous site/page was, your account if you are logged in to the site, and cookies that were created when you previously looked at pages on the site.

    Beware of Cookies

    Cookies are pieces of information that a web site can send to your browser. If your browser "accepts" them, they will be sent back to the site every time the browser accepts a page, image or script from the site. A cookie set by the page/site you're visiting is a "second party" cookie. A cookie set by another site that's just providing an image or script (an advertiser, for instance), is called a "third party" cookie.

    Cookies are the most common mechanisms used to record the fact that a particular visitor has logged in to an account on a site, and to track the state of a multi-step transaction such as a reservation or shopping cart purchase. As a result, it is not possible to block all cookies without losing the ability to log into many sites and perform transactions with others. Unfortunately, cookies are also used for other purposes that are less clearly in users' interests, such as recording their usage of a site over a long period of time, or even tracking and correlating their visits to many separate sites (via cookies associated with advertisements, for instance).

    You can manage your cookies preferences in the "Privacy" tab of Firefox "Preferences" panel.

    Recent Cookie-Like Features in Web Browsers

    In addition to the regular cookies that web browsers send and receive, and which users have begun to be aware of and manage for privacy, companies have continued to implement new "features" which behave like cookies but which aren't managed in the same way. Adobe has created "Local Stored Objects" (also known as "Flash Cookies") as a part of its Flash plug-ins. Mozilla has incorporated a feature called "DOM storage" in recent versions of Firefox. Web sites could use either or both of these in addition to cookies to track visitors. We recommend that users take steps to prevent this.

    Managing Mozilla/Firefox DOM Storage Privacy: If you use a Mozilla browser, you can disable DOM Storage pseudo-cookies by typing about:config into the URL bar. That will bring up an extensive list of internal browser configuration options. Type "storage" into the filter box, and press return. You should see an option called Change it to "false".

    Managing Adobe Flash Privacy:
    Adobe lists advice on how to disable Flash cookies here. There are some problems with the options Adobe offers (for instance, there is no "session only" option), so it's probably best to globally set Local Stored Object space to 0 and only change that for sites which you're willing to have tracking you.

    Read more: Delete Flash Cookies to Stop Web Sites from Secretly Tracking You

    Blocking Javascript for Browser Security and Privacy

    Javascript is a simple programming language which is part of modern web browsers. Unlike HTML, javascript allows a page to make the browser perform complicated and conditional calculations in determining what a page will look like and how it will function.

    Javascript has many uses. Sometimes it is simply used to make webpages look flashier by having them respond as the mouse moves around or change themselves continually. In other cases, javascript adds significantly to a page's functionality, allowing it to respond to user interactions without the need to click on a "submit" button and wait for the web server to send back a new page in response.

    Unfortunately, javascript also contributes to many security and privacy problems with the web. If a malicious party can find a way to have their javascript included in a page, they can use it for all kinds of evil: making links change as the user clicks them; sending usernames and passwords to the wrong places; reporting lots of information about the users browser back to a site. Javascript is frequently a part of schemes to track people across the web, or worse, to install malware on people's computers.

    For this reason, sophisticated users with strict security and privacy requirements may wish to consider selectively blocking javascript in their browser. There is a Mozilla/Firefox plugin called NoScript which is very useful for this purpose. Noscript (1) allows you to see the sources of any javascript in a page (many pages include javascript from third parties); (2) blocks javascript by default and (3) allows javascript from particular sources to be temporarily or permanently reenabled. Surfing the web with NoScript is more work (because when you visit new sites, you may have to enable some javascript sources to make them work properly), but surfing the web with NoScript is also much more secure.

    Install Firefox

    Firefox is one of the most convenient and safest browsers around. You can download it here.

    Configure Firefox

    Select Privacy Options: Tools > Options > Privacy. Set all of these options the way you want them, clear them as desired. In general, less is better here. Build a whitelist (exceptions) for desired website cookies (if any) since you just disabled cookies above. Tools > Options > Privacy > Cookies > Exceptions.

    Allow websites to install software: Tools > Options > Web Features > Allowed Sites. Build your whitelist of trusted websites, if desired.

    Enable javascript: Tools > Options > Web Features. NoScript will override this Javascript selection, allowing you to selectively enable Javascript on trusted websites, by right-clicking and selecting your preferred option, one website at a time.

    Note: If a web page appears to not be working, it’s because it requires Javascript (or cookies) to be enabled to function correctly, but some web pages may not tell you this. If you temporarily enable Javascript using NoScript (right-click on the page > select temporarily) and then reload the page, it should work correctly. (Permanently enabling Javascript for a website adds it to the Javascript whitelist.) If the web page still doesn't work correctly, you may need to add the website to the cookie whitelist (exceptions). You may be pleasantly surprised to discover how few cookies you really need to surf normally. Still other websites require Java to be enabled, but they are relatively rare. In general, leave Java disabled until you need it, then disable it afterward.

    Install the Best Firefox Security add-ons

    The ability to choose among hundreds of Add-ons for security and convenience are one of the best reasons to use Firefox. Here are the best current Firefox security add-ons. Just click on install and restart your browser to install them!

    KeyScrambler Personal
    Encrypts your keystrokes at the kernel driver level to protect your information from keyloggers. Extremely useful.

    SecurePassword Generator
    Helps you create truly unique and secure passwords. Access it from the Tools.

    External IP
    Displays your current external IP address in the browsers status bar. Especially useful to check if you're really connected to your VPN/proxy server.

    Protects users against search data profiling.

    NoScript - The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS attacks.


    BetterPrivacy is a safeguard which protects from usually not deletable LSO's on Google, YouTube, Ebay, etc.

    Google-anon is a CNAME pointing to Using this CNAME you can stay logged into your favorite Google apps (e.g. Google Mail, Google Code, etc.) without having your search traffic tied to your cookie.

    Deceive search engines to protect user privacy. Queries are generated using personalized keywords and clicks are randomly simulated on non-sponsored results.

    FoxyProxy is an advanced proxy management tool. It offers more features than SwitchProxy, ProxyButton, ProxyTex, etc.

    VII - Protect Your Search Privacy

    Google, MSN Search, Yahoo!, AOL, and most other search engines collect and store records of all your search queries. If these records are revealed to others, they can be embarrassing or even cause great harm. Would you want strangers to see searches that reference your online reading habits, medical history, finances, sexual orientation, or political affiliation?

    Recent events highlight the danger that search logs pose. In August 2006, AOL published 650,000 users' search histories on its website.1 Though each user's logs were only associated with a random ID number, several users' identities were readily discovered based on their search queries. For instance, the New York Times connected the logs of user No. 4417749 with 62 year-old Thelma Arnold. These records exposed, as she put it, her "whole personal life."

    Disclosures like AOL's are not the only threats to your privacy. Unfortunately, it may be all too easy for the government or individual litigants to subpoena your search provider and get access to your search history. For example, in January 2006, Yahoo!, AOL, and Microsoft reportedly cooperated with a broad Justice Department request for millions of search records.

    Google CEO Eric Schmidt even admitted in an interview that Google is in bed with the government. Google archives everything about a user– web searches (google), email and contact lists (gmail), online office documents (google docs), photographs (picasa), text and voice messages (google voice), and even a user’s current location (google maps). As Schmidt indicates, Google is obliged to hand it over upon simple request from the US government.

    Don't use your ISP's search engine. Because your ISP knows who you are, it will be able to link your identity to your searches. It will also be able to link all your individual search queries into a single search history.

    Don't login to your search engine or related tools. Search engines sometimes give you the opportunity to create a personal account and login. In addition, many engines are affiliated with other services -- Google with Gmail and Google Chat; MSN with Hotmail and MSN Messenger; A9 with Amazon, and so on. When you log into the search engine or one of those other services, your searches can be linked to each other and to your personal account. So, if you have accounts with services like Google GMail or Hotmail, do not search through the corresponding search engine (Google or MSN Search, respectively), especially not while logged in.

    If you must use the same company's search engine and webmail (or other service), it will be significantly harder to protect your search privacy. You will need to do one of the following:

    Install two different web browsers to separate your search activities from your other accounts with the search provider. For example, use Mozilla Firefox for searching through Yahoo!, and Internet Explorer for Yahoo! Mail and other Yahoo! service accounts.6 You must also follow Tip 6 for at least one of the two browsers.

    For Google and its services, you can use the Mozilla Firefox web browser and the CustomizeGoogle add-on. Select "CustomizeGoogle Options" from the "Tools" menu. Click on the "Privacy" tab and turn on "Anonymize the Google cookie UID." You must remember to quit your browser after using GMail and before using the Google search engine. In addition, be sure not to select the "remember me on this computer" option when you log into a Google service.

    If you are using a browser other than Firefox, you can use the GoogleAnon add-on. You will need to quit your browser every time you finish with a Google service. Unfortunately, we currently do not know of similar plugins for other search providers.

    Block "cookies" from your search engine. If you've gone through the steps above, your search history should no longer have personally identifying information all over it. However, your search engine can still link your searches together using cookies and IP addresses. Cookies are small chunks of information that websites can put on your computer when you visit them. Among other things, cookies enable websites to link all of your visits and activities at the site. Since cookies are stored on your computer, they can let sites track you even when you are using different Internet connections in different locations. But when you use a different computer, your cookies don't come with you.

    From a privacy-protection perspective, it would be best to block all cookies. However, because cookies are necessary for accessing many websites, it may be more convenient (though less privacy-protective) to allow short-lived "session" cookies. These cookies last only as long as your browser is open; therefore, if you quit your browser, re-open it, and then go back to your search engine, your search provider will not be able to connect your current searches with previous ones via your cookies.

    Use the following steps to allow only "session cookies," and remember to quit your browser at least once a day but ideally after each visit to your search provider's site. We recommend that you use Mozilla Firefox and apply these settings:

    1. From the "Edit" menu, select "Preferences"
    2. Click on "Privacy"
    3. Select the "Cookies" tab
    4. Set "Keep Cookies" to "until I close Firefox"
    5. Click on "Exceptions," type in the domains of all of your search sites, and choose "Block" for all of them

    Vary your IP address. When you connect to the Internet, your ISP assigns your computer an "IP address". Search providers and other services you interact with online can see your IP address and use that number to link together all of your searches. IP addresses are particularly sensitive because they can be directly linked to your ISP account via your ISP's logs. Unlike cookies, your IP address does not follow your computer wherever it goes. This shouldn't be an issue if you're using a secure VPN.

    You can also use alternate search engines that are specifically designed for privacy such as IXquick ("The world's most private search engine") or Scroogle. Every time you use a regular search engine, your search data are recorded. Your search terms, the time of your visit, the links you choose, your IP address and your User ID cookies all get stored in a database. The identity profiles that can be constructed from this cloud of information represent modern day gold for marketers. But government officials, hackers and even criminals also have an interest in getting their hands on your personal search data. And sooner or later they will.

    Scroogle SSL search
    You're probably using Google when you surf the net. Google logs all your searches and keeps a profile on you, plus if you do a Google search, your search words will show up as an address and be stored in logs at your internet provider's, so you actually have 2 leaks snooping at Google. Instead, you can use Scroogle. You can also add it as your default search engine in Firefox.

    VIII - Secure your Email Communications

    For moderately sensitive email content, both sender and recipient could use temporary Hushmail accounts. Beware, though: Hushmail's servers are actually based in the UK, the worse police state together with the US. According to UK's laws, internet providers are required to keep all logs for 4 years! (officially, and probably indefinitely in the facts).

    With a VPN setup, you can be less concerned about trusting email providers and using encryption. Just get a free web-based email address in another country and always use the VPN to access it. However, be careful not to include identifiable personal info in the email content (both Hotmail and Yahoo insist on you having both Java and Javascript enabled before they allow you to open an account. Never use any Email service with such a requirement!

    Even with a VPN it is much advised to use an free offshore email service located in a jurisdiction that has especially strong data privacy laws such as Switzerland
    (, or Panama (Offshore Inbox). Hong Kong is another choice (Chinglish).

    You could still need to have a Yahoo address to be able to use Yahoo Messenger. A way around this is to sign up for an offshore Yahoo address such as (Yahoo Singapore), which servers are actually in Hong Kong. Install Flagfox to make sure where the actual server is. For instance has its server in the UK but the server is located in Hong Kong.

    There are other free secure email providers including Mailvault, Cryptomail, Privatdemail, etc but we don't trust any of them. Unless you encrypt your own email, remember you are placing trust in an unknown service provider. Rumors abound for example that the popular Safe-Mail and Mailvault are Mossad honeypots!

    You can use MuteMail which is an excellent email provider with servers in the Bahamas (the Bahamas have strong data protection laws, like Switzerland and Panama) but it is a paying service.

    End-to-End Email Encryption

    It is much safer to learn how to use highly secure PGP encryption with any email provider. Encrypting emails all the way from the sender to the receiver has historically been difficult, although the tools for achieving this kind of end-to-end encryption are getting better and easier to use. Pretty Good Privacy (PGP) and its free cousin GNU Privacy Guard (GnuPG) are the standard tools for doing this. Both of these programs can provide protection for your email in transit and also protect your stored data. The great thing about end-to-end encryption is that it ensures that the contents of your emails will be protected not only against interception on the wire, but also against some of the threats to the contents of copies of your emails stored on your machine or third party machines.

    There are two catches with GnuPG/PGP. The first is that they only work if the other parties you are corresponding with also use them. Inevitably, many of the people you exchange email with will not use GPG/PGP, though it can be deployed amongst your friends or within an organization. The second catch is that you need to find and verify public keys for the people you are sending email to, to ensure that eavesdroppers cannot trick you into using the wrong key. This trickery is known as a "man in the middle" attack.

    The easiest way to start using GnuPG is to use the free open-source Mozilla Thunderbird email client (much better than Microsoft Outlook for instance) with the Enigmail plugin. Here you can find the quick start guide for installing and configuring Enigmail. Mozilla Thunderbird can be perfectly configured to work smoothly with encryption software, making it a simple matter of clicking a button to sign, verify, encrypt and decrypt email messages! Read also this good tutorial: How to Start Using PGP/GPG to Encrypt Your Email

    Make sure to use the Thunderbird Add-on MinimizeToTray Plus 1.0.7 to minimize your Thunderbird client in the system tray! How to install it in Thunderbird:

    1. Download and save the file to your hard disk.
    2. In Mozilla Thunderbird, open Add-ons from the Tools menu.
    3. Click the Install button, and locate/select the file you downloaded and click "OK".

    Server-to-Server Encrypted Transit

    After you press "send", emails are typically relayed along a chain of SMTP mail servers before reaching their destination. You can use your mail client to look at the headers of any email you've received to see the chain of servers the message traveled along. In most cases, messages are passed between mail servers without encryption. But there is a standard called SMTP over TLS which allows encryption when the sending and receiving servers for a given hop of the chain support it.

    If you or your organization operates a mail server, you should ensure that it supports TLS encryption when talking to other mail servers. Consult the documentation for your SMTP server software to find out how to enable TLS.

    Client-to-Mail Server Encryption

    If you use POP or IMAP to fetch your email, make sure it is encrypted POP or IMAP. If your mail server doesn't support the encrypted version of that protocol, get your service provider or systems administrator to fix that. If you use a webmail service, ensure that you only access it using HTTPS rather than HTTP. Hushmail is a webmail service provider that always uses HTTPS, and also offers some end-to-end encryption facilities (though they are not immune to warrants).

    Many webmail service providers only use HTTPS for the login page, and then revert to HTTP. This isn't secure. Look for an account configuration option (or a browser plugin) to ensure that your webmail account always uses HTTPS. If you use a web mail service make sure you access it using HTTPS rather than HTTP. If you can't find a way to ensure that you only see your webmail through HTTPS, switch to a different web mail provider!

    Gmail also offers the option of always using HTTPS but you have to select that option on the “general” tab of the Gmail settings page. Gmail logs everything you do forever, so this is more of a personal privacy than a real security level.

    Data Stored on Second- and Third-Party Machines

    Your emails will be stored on computers controlled by third parties:

    1. Storage by your Service Provider

    If you don't run your own mail server, then there is a third party who obtains (and may store) copies of all of your emails. This would commonly be an ISP, an employer, or a webmail provider. Copies of messages will also be scattered across computers controlled by the ISPs, employers and webmail hosts of those you correspond with. Make sure your email software is configured so that it deletes messages off of your ISP's mail server after it downloads them. This is the most common arrangement if you're using POP to fetch your email, but it is common for people to use IMAP or webmail to leave copies of messages on the server.

    If you use webmail or IMAP, make sure you delete messages immediately after you read them. Keep in mind that with major webmail services, it may be a long time – maybe a matter of months – before the message is really deleted, regardless of whether you still have access to it or not. With smaller IMAP or webmail servers, it is possible that forensically accessible copies of messages could be subpoenaed years after the user deleted them.

    The content of PGP/GnuPG encrypted emails will not be accessible through these third parties, although the email headers (such as the To: and Subject: lines) will be. Running your own mail server with an encrypted drive, or using end-to-end encryption for sensitive communications, are the best ways of mitigating these risks.

    2. Storage by Those You Correspond With

    Most people and organizations save all of the email they send and receive. Therefore, almost every email you send and receive will be stored in at least one other place, regardless of the practices and procedures you follow. In addition to the personal machine of the person you sent/received the message to/from, copies might be made on their ISP or firm's mail or backup servers. You should take these copies into consideration, and if the threat model you have for sensitive communications includes an adversary that might gain access to those copies, then you should either use PGP to encrypt those messages, or send them by some means other than email. Be aware that even if you use PGP, those you communicate with could be subject to subpoenas or requests from law enforcement to decrypt your correspondence.

    One tip for the occasional confidential communication is to pre-share the details of a newly created free secure webmail address. You both log in (one after the other) using your VPN and the browser based SSL (https) of the webmail. Communications are stored as saved drafts and never actually emailed at all. When you both are finished, one of you deletes the drafts and the account will eventually be closed, unless you decide to use it again.

    Additional tools:

    Stunnel: This universal SSL wrapper encrypts POP, IMAP, LDAP, and other emails without changing the daemon’s code. You’ll need to use OpenSSL with this tool.

    Packman: With Packman, you can encrypt email and attachments as well as files on private servers.

    Freenigma: To encrypt web-based email, use Freenigma. It’s a free Firefox plugin, and it supports systems like Gmail, Yahoo! and Hotmail.

    Paying Secure Email services

    A good paying Email service should have servers located out of both the USA and the European Union. There is only one we know of which fits this requirement: MuteMail with servers in the Bahamas. Bahamas Data Protection Act (2003). Another good one is provided by Rayservers in Panama (secure email with PGP feature embedded).

    - VoIP (Voice over IP) Privacy

    Because a VPN connection is a secure tunnel, there can be less concern also with voice, video and chat services. Most VoIP clients use their own encryption, but unless you use a VPN, voice and email encryption only prevents wiretapping of content and does not prevent tracking who you are and who your contacts are.

    Besides, you should not rely on the encryption from your VoIP client provider. For example, Skype encryption will conceal content from casual eavesdroppers, but many suspect a "backdoor" and your activity is logged by their software. You need third-party strong encryption provider to really secure your VoiIP comminications, such as Zfone, which encrypts voice communication, using PGP encryption.

    Zfone allows you to make encrypted phone calls online. It’s available as a plugin for existing VoIP clients. It has been tested with these VoIP clients: X-Lite, Gizmo5 (audio, no video yet), XMeeting, Google Talk VoIP client, Yahoo Messenger's VoIP client (for audio), Magic Jack, and SJphone. It does not work with Skype. Zfone runs on Windows XP and Vista, both 32-bit and 64-bit versions.

    Zfone detects when the call starts, and initiates a cryptographic key agreement between the two parties, and then proceeds to encrypt and decrypt the voice packets on the fly. It has its own little separate GUI, telling the user if the call is secure. It's as if Zfone were a "bump on the wire", sitting between the VoIP client and the Internet. It has perfect forward secrecy, meaning the keys are destroyed at the end of the call, which precludes retroactively compromising the call by future disclosures of key material.

    SIP Communicator is a one-stop secure video/IM/chat solution with encryption (including Zfone) built in.

    Internet Call Providers

    For internet phone calls, you will need a call provider. Layers of privacy here can include: private payment, calls routed through another country or political region, privacy standards within that country, using a VPN service with no logs, and optionally, further call content encryption.

    For both sides of the Atlantic, I like the call provider Link2Voip. They are Panama owned, with a base in Canada and offices in the US. They have call servers in Canada, Dallas, Panama and Amsterdam (okay for northeastern US). Call prices are very good. They do have to log outgoing calls to charge you, but there may be some protection in the Panama legal base. However, for real privacy, pay with a money order and be virtually anonymous. is Swiss-based and like Nomado in Belgium, you can pay for calls using an anonymous "Paysafecard" voucher, obtainable across Europe (and in Mexico). "UKash" is a similar European (and Canadian) payment service that can be used for a number of internet call providers. Most are "Betamax" resellers, but Xeloq is one good independent service based in Amsterdam.

    Most VoIP services in Switzerland (like Peoplefone, Sipcall, NetVoip) can be paid over the counter at any Swiss Post Office. A day trip to Switzerland might be well worthwhile to fund a private number, outside the EU. (Note that "Switzernet" actually uses French call servers.) Switzerland does have a surveillance system called Onyx but, at least officially, it is not tied to the EU or Echelon.

    With the premium version of X-Lite ("Eyebeam") and other software or IP phones, you can have two or more lines. That means one account with a phone number could be used for incoming calls, while another without a number, could call out.

    So, if you obtained a free US (alt.), UK, IT or worldwide (alt.) incoming number, you could then use any other outgoing call provider. Operation is seamless in practice, and the separation offers even greater privacy. Often you can set your own outgoing caller ID – or turn it off completely.

    X - Secure your Instant Messenger

    Instant messaging is a convenient way to communicate with people online. In privacy terms, it's a bit better and easier to secure than email but in some situations a telephone call will offer you better privacy. Instant messaging software creates data stored on your computer (logs of your communications), transmits communications over the network (the messages traveling back and forth), and leaves communications stored on other computers (logs kept by the people you talk to, and sometimes logs kept by the IM provider).

    If you use IM without taking special precautions, you can assume that all of these records will be available to adversaries. The easiest way for an adversary to obtain the contents of your communications is from you, your correspondent, or your service provider, if any of those parties logs (stores) the messages. The more difficult way is to intercept the messages as they travel over the network.

    Encrypt Your Instant Messaging Conversations as They Travel

    To protect messages from interception as they travel over the network, you need to use encryption. Fortunately, there is an excellent instant messaging encryption system called OTR (Off The Record). Confusingly, Google has a different instant messaging privacy feature which is also called "Off The Record". To disambiguate them, this page will talk bout "OTR encryption" and "Google OTR". It's actually possible to be using them both at the same time.

    If you and the person you are talking to both use OTR encryption, you have excellent protection for communications on the network, and you will prevent your IM provider from storing the content of your communications (though they may still keep records of who you talk to). The easiest way to use OTR encryption is to use Pidgin for your IMs.

    Pidgin is an universal IM client program that will allow you to use your MSN, Yahoo!, Google, Jabber, and AIM networks IDs from the same interface! Install Pidgin, then install the the OTR encryption plugin for that client. Once installed, go to Tools > Plugins > find Off-the-Record-Messaging and click it > Configure Plugin. Then, generate a key that will be used to identify yourself with your contacts.

    With OTR encryption installed, you will need to make sure the people you are talking to also use OTR encryption, and make sure it's active (check for OTR:private or OTR:unverfied in the bottom right corner). Follow OTR encryption's instructions to "Confirm" any person you need to have sensitive conversations with. This reduces the risk of an interloper (including the government with a warrant) being able to trick you into talking to them instead of the person you meant to talk to. Recent versions of OTR encryption allow you to do this just by agreeing on a shared secret word that you both have to type ("what was the name of the friend who introduced us?"). Older versions required that both users check that their client reported the right fingerprint for the other client.

    Note: Pidgin with OTR is much more secure than Trillian with Secure IM. In case you were using Trillian, you should definitely switch to Pidgin.

    Configure Your IM Client to use SSL/TLS

    This step is complementary to using OTR encryption. It will prevent someone watching the network from seeing who you are chatting to, and will offer partial protection of your chats even if the other party isn't using OTR.

    If you are using Pidgin, you can ensure SSL is enabled by going to Manage Accounts, selecting Modify for an account, selecting the Advanced tab, and ticking Require SSL/TLS.

    Understand and Control IM Logging on Your Machine

    To protect the privacy of your IM conversations, you need to configure your IM client not to keep logs. Don't forget to delete previous logs using secure deletion software.

    Be Aware of Logging on Others' Machines

    Using OTR encryption will ensure that your IM service provider should be unable to log the contents of your communications. They will, however, be in a position to record who you talk to, and possibly record the timing and length of the messages you exchange.

    OTR encryption does not stop the people you are talking to from logging your conversations. Unless you trust that they have disabled logging in their client or that they encrypt their hard disk and will not turn over its contents, you should assume that an adversary could obtain records of your conversations from the other party, either voluntarily or through subpoena or search.

    Google OTR

    Google OTR is a feature of the Google instant messaging service that allows you to request that neither Google nor the people your talk to should be able to log your conversations. Unfortunately, there is no plausible enforcement mechanism for this feature. The people you talk to could be using a different IM client (like Pidgin or Adium) that can log regardless of whether Google OTR is enabled — or they could take screenshots of your conversations. Your client might be able to tell you whether they are using a client that follows the OTR rules (such as Gmail or Gchat), but that won't tell you whether they are taking screenshots. The bottom line is that Google OTR is nice in theory but insecure in practice. Turn it on, but don't expect it to work if the other party uses a non-Google client or actively wants to record the converstion.

    XI - Phone Privacy

    Cell Phone Spying: Is Your Life Being Monitored? Of course it is!

    For interaction with regular telephones you really need a "SIP" account" – which is a bit like an email address for voice/video. These can also be assigned a regular phone number. Get a free SIP account from IPTel, AntiSIP, SIP2SIP or PBXes. VoipUser will also give you a free incoming and outgoing UK telephone number. You can get a free US incoming number from IPKall. An incoming local number could be forwarded and used in conjunction with an "offshore" outgoing provider (e.g., Link2Voip, Switzernet, Peoplefone, Voipgate) for call records privacy.

    Note that "IAX" is a better but less common alternative to the SIP standard (see IAXterminator, EuroIAX,, Voipgate). The popular but US-based CallWithUs offers calls (only) via their own OpenVPN connection, as do Brujula. Link2Voip offer "IPSec" VPN access for calls, useable with some dedicated routers, from computer desktops, with the iPhone/iPod Touch, and with most Windows CE smart-phones and PDAs (IPaq, HTC etc).

    If you do not have an incoming phone number for your SIP account, with some providers you can still be called using the free SipBroker service. This service has local numbers in many countries and you are contactable via an "extension" number after the local number has been dialed. Making calls through a VPN does reduce the need for call encryption. But, on top of that, free software like Qutecom and MiniSIP have end-to-end encryption built in. SIP Communicator includes encryption not only for SIP calls, but also secure video/IM/chat. XLite does not include encryption, but is very popular and will work with Zphone. Also see Zoiper for both IAX and SIP.

    In practical use, there is no need to be bound to computer speakers and microphone: you can easily use USB, wireless "Bluetooth" (inc. mobile phones) and other headsets or handsets. A SIP account will also work without the need for a computer via special standalone "IP phones" or with regular telephones via SIP adapters. These plug in to your home broadband router. But if you want them to go through a VPN, there are then two options: You could set up "Internet Connection Sharing" on a dedicated computer with a VPN connection. Or (for the tech-minded only) here is the setup for a specially modified home router. For offices, the Draytek 2820 looks like a one-stop broadband/VPN/SIP solution.

    When on the move, Wi-Fi and SIP capable mobile phones, PDAs, or netbooks can offer more privacy than a regular landline or mobile call, even without a VPN connection. But it is possible to use a VPN through public wireless networks from many smart mobiles. The iPhone and the iPod Touch offer an easy solution by including VPN software. The Apple app store offers SipPhone to make calls. Third-party offerings like Fring and Gizmo5 also work, but with less privacy and more lag (search for Youtube tutorials). You will need a microphone or hands-free set for the iPod Touch. "Jailbreaking" the iPhone/iPod Touch opens up other options, including Siphon – obtainable through the alternative "Cydia" download source. 2G iPod Touch models can easily be set free in less than 5 minutes, older models in less than a minute. You can be sure of a solution from the same sources after new updates.

    Using the iPhone with Wi-fi remains a favourite option – preferably with GPRS and the cell connection disabled. There are some new apps available to make SIP calls: Check out iPico, Acrobits, and note that SipPhone has been renamed to iSip. Hp iPaqs can work well also, and the newer 210 series can be used as a normal handset. The front speaker/earpiece it is not officially supported, so it needs a simple fix, which also solves other reported audio problems.

    Several new Android smartphones are set to break on the scene this year. Android does include a VPN client and SIPdroid is free SIP internet calling software. Remember, unless at a random Wi-fi hotspot, you would use these phones only after connecting with their internal VPN. Be sure to take the more basic precautions also.

    The IPaq and other "Windows Mobile" phones and PDAs include VPN connection software. OpenVPN is also available for some. For making SIP phone calls, SJPhone is popular, PortSip is another. Nokia or other "Symbian" models need SymVPN – also check that particular models have a SIP dialer inbuilt (e.g., Nokia E51). But overall, a tiny netbook could be the stylish, all-in-one privacy option for home, office and on the move. For voice calls, it might be most convenient when used with a handset, or linked via Bluetooth (wireless) to a headset or mobile phone. You might consider the excellent Asus EeePC 1000HE with 9.5-hour battery life, or the popular Samsung NC10.

    Problems with Cellular Device Privacy

    No Anonymity. Every cell phone has several unique identifying numbers. Nearly all Mobile phones sold in Western Europe and North America contain a 15 digit International Mobile Identity code, i.e. an IMEI number. It can also be displayed on the screen of the phone by entering *#06# into the keypad on most phones. That's not taking into account the very real possibility of a mobile having a GPS tracking chip or a clipper [spy] chip inside as well.

    Even worse, most mobiles sold in America have the ability to be turned on remotely by the authorities EVEN when your mobile phone is turned off. In that event your conversation can be heard whilst your mobile is off. This technology has been possible for many years now with your landline phone. Even with your telephone on the hook, the authorities have the ability to turn on your landline phone and listen in on your sensitive conversations and what you do in the 'privacy' of your home.

    A 15-digit IMEI number can be used to identify a handset on an operator's network, allowing individual calls to be traced to the phone it came from. Phones without a valid IMEI are usually inexpensive, unbranded handsets manufactured in China. The only way to prevent any of the above from happening is to unplug your landline phone from the wall socket and take the battery out of your mobile when you're not using your mobile. Alternatively use a non spy chip mobile.

    Data Stored by Your Phone

    Your phone will store the contents of the text messages you send and receive, the times and numbers of the calls you make and receive, and possibly other information such as location-related data. Secure deletion of this data poses a challenge. On most mobile devices your best strategy is to manually delete these records using the phone's user interface, and then hope that new records will overwrite them. If you have deleted all your text messages and calls, and waited long enough for the phone's memory to fill, there is a chance that later forensic investigation would not find the original data.

    There are a couple of drive encryption programs available for devices that run the Windows Mobile operating system. Proprietary drive encryption that has not been audited by the computer security community should always be treated with caution; it is probably better than no protection at all, although even that is not guaranteed.

    We are hopeful that the arrival of open Linux-based phones (notably OpenMoko and those using the Google Android code) will offer users better control over stored data in the future.

    The undeleted data could be accessible to anyone who takes physical possession of the phone, including thieves or an arresting officer.

    Prepaid GSM (Pay as you go)

    Another way of surfing the web is by using a mobile phone, that actually can serve you with high speed Internet. As soon as your located in a public place and switch on your phone at that location it is virtually impossible to connect that session to you as an individual (as long as you don't start calling your family and friends or have your regular phone on at the same time). Some countries like Hong Kong, the Philippines or Panama still sell SIM cards that can be purchased anonymously. You will have to use the roaming to use them in your own country. Of course you do need a new phone, since every device has a unique identifying code (IMEI).

    The Best is Not to Use Your Cell Phone!

    The only way to avoid cell phone records from being used to track your locations is not to use a cell phone to make or receive calls.

    A partial solution may be to use prepaid cell phones purchased with cash. Cell phone communications are highly venerable to interception both technically and legally. The calls and text messages made and received from your cell phone can be intercepted by almost anyone without the cooperation of the cell phone provider. Cell phones can be used by your adversaries to track your location in some cases this can be done even if the phone is turned off.

    This tracking can be done without the providers assistance and in the government’s case can be done with a pen/trap order rather than the legally more difficult to obtain wiretap order. This makes the threat of an adversary using your cell phone to pinpoint your location easy to do and the risk of location tracking fairly high. The best way to eliminate the risk is not to carry a cell phone. The trade off here is convenience versus security. A compromise may be to carry a cell phone but remove the battery except when the cell phone is needed.

    Transmitted Data

    The control data and actual voice conversations sent by cellular devices may be encrypted using various standard encryption protocols. There is no guarantee that this will occur — phones do not usually offer users a way to refuse to operate in unencrypted mode, and many don't indicate whether they are using encryption. As a result, it is largely up to the network operator to decide if its users will receive any cryptographic defense against eavesdropping.

    Carrier-provided encryption can be good protection against eavesdropping by third parties. However, if it is the carrier that wants to listen in, or the government with a warrant ordering the carrier to allow wiretapping access to your calls, then that encryption will not protect you because the carrier has the means to decrypt.

    Even if your cell phone is communicating in an encrypted fashion, it turns out that most of the standard cryptography used in cell networks has been broken. This means that an adversary that is motivated and able to intercept radio communications and cryptanalyze them will be able to listen to your phone calls.

    It would be technologically possible to use strong end-to-end encryption with voice calls, but this technology is not yet widely available. The German company GMSK has begun selling a GSM-based "Cryptophone"; as with computer encryption, both users would need to be using the technology in order to make it work. Some third parties have produced software to encrypt SMS text messages; here, again, both the sender and recipient of a message would need to use compatible software.
    Data Stored by Other Parties

    A great deal of data pertaining to your use of your phone will be stored by the telephone company or companies that are providing you with service. A more diffuse set of records will also be stored by the phones of the people you communicate with.

    Expect your telephone company to keep a record of: who you talk to and when; who you exchange messages with and when; what data you send and receive using wireless data services; information revealing your physical location at any time when your phone is on; and whether your phone is on or off.

    The text messages exchanged by your phone — as well as summary information for the calls you sent and receive from other cell phones — are likely to be stored by those other cell phones. As anyone who follows celebrity gossip should know, the people you are communicating with can disclose the contents of your communications. Other adversaries may use subpoenas or other legal process to obtain text messages or call information.

    XII - Back up your Data

    Copy your encrypted TrueCrypt container on an external hard drive. Open this partition and copy some innocuous data from your normal plaintext drive. Now close this container and create a hidden container, following the instructions in the documentation that comes with TrueCrypt. Now copy all your secret data across into this secret container.

    Make copies of all your PGP keys, a text file of all your secret account numbers and passwords and the other details for your E-gold accounts, full details of your Virtual Debit Card account, copies of INI files for critical programs, your anonymous Email account details plus anything else that is so critical your life would be inconvenienced if it were lost. All these details should now be stored in a folder called "Safe" on your encrypted drive. A copy of this folder should be stored on an encrypted CD, preferably within the hidden part of a TrueCrypt container and stored off-site. If you are going to rely on any variation of the ploys suggested here, then you should keep this Faq within your hidden encrypted drive. You will need to take further precautions whilst you are online against threats from hackers and snoops.

    Special steps are needed for storing and transporting data privately, including through customs checkpoints, where your laptop could be seized:

    Tiny micro SD cards are currently available up to at least 16 Gb. These can be tucked into a lapel, collar, hair clip etc. Or, an ideal, discreet and radiation proof solution would be inside a covert coin. Another option is to encrypt your data and upload it to the very useful, free Stashbox service, which will immediately return a web address to download it from later. Of course, there is always the old, "send it as an email attachment to yourself" method for smaller data backups.

    XIII - Optimize Windows Performance

    Right-click on the Start menu button > Properties > Start Menu > Classic Start menu > Customize > Advanced Start > scroll down to "Show Small Icons in Start menu" and uncheck the box. Click OK, again OK. Now right-click on your Desktop > Properties > Appearance > effects. Uncheck everything. Click OK in the Display Properties dialog and OK again. You have just got rid of much of the Windows kludge. It will run faster and will seem more enthusiastic about everything.

    A further small improvement in securing your hard drive is to disable Write Behind Disk Cache, if allowed. My version of Windows XP Pro does not now allow it. If yours does, do this: go > Start > Control Panel > System > Hardware > Device Manager > Disk Drives - show devices > open the appropriate disk > Policies > Uncheck Enable write caching on the disk. Click OK, close the boxes. And that's it!

    Write behind disk caching is just another kludge thing from Windows. Theoretically it will speed things up, but at the cost of causing more program crashes and certainly to reduce your security, so disable it.

    XIV - Payments Privacy

    One big problem is the lack of internet payment privacy. This has strengthened the now pervasive custom of demanding personal, private information with every transaction. Here are some solutions to look at:

    In the US, you could check out the various over-the-counter Mall Cards available. While in the UK and Europe, Paysafecard (e.g., for Amazon vouchers), UKash, and the Prime Card or Payzone prepaid debit cards are the nearest equivalents to cash online I have found. UnLinq is a worldwide (US-based) card option. There are also "virtual card" resellers with varying degrees of privacy. Debitcards4all currently have a good reputation at the TalkGold Forum, where you can also find other available options. For sending and receiving small payments, consider ePayarea.

    You could also look at gold or fiat-backed e-currencies. However, stability is a concern as is the intrusive information demanded by most exchangers – even if you pay in cash. Of all e-currencies, the soundest may be Pecunix. The most widely accepted – since the fall of e-gold – is probably the fiat-based Liberty Reserve.

    In addition to money orders and (on the UK/European side) Paysafecard and UKash, prepaid cards can also be private but may require some time, effort, and involve fees. However, there are gift vouchers easily available which make private online purchases possible without any extra fees. An iTunes voucher, for example, would be the ideal way to credit or register a new iPhone, via an iTunes account (see YouTube).

    Amazon is another good example: First set up a new account via your VPN. Then Amazon can be funded privately using gift cards available in supermarkets and other stores. Local "Coinstar" coin changing machines also issue various vouchers – some will even take notes. Western Union offices do charge a small fee.

    Get a Prepaid Debit Card

    Go here:

    They will accept many forms of payment. E-Gold is my preferred way using two different E-gold accounts back to back. Why? Because it is much more difficult to do a back trace.

    The Debit Card is acceptable to many more web sites, especially news providers, than E-gold. Note this card is solely for Net use. It is a virtual card. You get Emailed the card details, you do not receive a physical card through snail mail. Thus the name and address you supply need only match the name and address you have used when creating your second E-gold account. Naturally, this is the same address you must use when using your card to subscribe to a Web site. But this name and address is your choice! If in the United states, the Zip code must match your area. But so far as I can tell, that is the only check that is made. Just take an address out of the phone book, but change the name and street to something innocuous.

    Of course the Email address you offer, must be accurate, secure and most importantly, anonymous.

    Use Digital Gold Currencies (DGC) when needed

    Join the new non-regulated online electronic economy. You can escape the highly taxed and over-regulated Big Brother financial Systems. Familiarize yourself first. Then invest very small amounts to start. We suggest you buy some Digital Gold Currencies like e-Dinar, GoldExchange, MoldMoney, Pecunix or LibertyReserve easily from any of numerous reputable exchange providers such as,,,,, etc.

    Paper USA dollars, Pounds, Yen or Euros are only worth something because buyers and sellers accept them on faith. It is the same with cyber currencies and cyber shares. Some will eventually, one hopes, become an acceptable alternative [maybe because they are gold-backed], even better than national currencies. Dip your toes in, and see how it works out. Educate yourself. Every particle of value we extricate from "the system" makes Big Brother weaker and freedom stronger.

    This can be a disadvantage if you choose a market maker unwisely. Some will want to identify you as per the latest Government homeland security bills. However, if you choose an Asian market maker, you can pay directly into one of their branches with a fake identity. Remember this is your initial E-currency account. The name you should use must be different to your second E-currency account. The second E-currency account receives its funding by you transferring money from one account to another. To the other E-currency system it would seem as if you were sending money to someone else with no connection with you. Always use CCleaner between accessing these accounts, to ensure there can be no connection between them by the different E-currency's use of cookies.

    XV - Identity Privacy

    Under the present system, if you want to avoid identity theft, hacker attacks, profiling and more, you need to be cautious about giving out personal information.

    Wherever possible, refuse, confuse or completely separate your name, address, date of birth and any other identifying numbers. Understand that you do not have a moral obligation to help a stranger track you against your will. Legally, at least in common law countries, you can call yourself whatever you like. I also do not recommend you supply, for example, your actual date of birth – just to open a free email account. Some online privacy suggestions:

    - Always "enhance" your date of birth;
    - If you must supply your name or, for a delivery, your home address, then not both together;
    - Make use of junk email services like Mailinator or Dodgeit;
    - If possible, don’t register – use logins from bugmenot.
    - Create throw-away email addresses for minor online registration/confirmation;
    - Maintain separate, completely isolated email addresses for important functions;
    - Use aliases or alternate spellings of your surname and make use of your middle name/s;
    - Google multiple occupancy or serviced office addresses when a verifiable address is demanded;
    - Make sure any supplied address matches the VPN country you are using;
    - Consider setting up a mail-drop – near and/or far;
    - Develop alternate signatures for forms, packages etc. and compartmentalize their use; Incorporating an LLC or using a business name can have privacy advantages;
    - Make special efforts regarding the personal details held by your ISP and/or Telco;
    - Consider posting well-wrapped cash or money orders for purchases.
    - Whenever supplying information online, assume it will be incorporated into a database forever. Assume that this will then be incorporated into a bigger search engine that merges multiple databases with all information about you. Assume that this will be available instantly to friend or foe, for free or a small fee.

    One way to register online with some privacy is to use generic details and look up a serviced office, apartment block or motel address. But there is an alternative: Check out the FakeNameGenerator, which makes it even easier. This site randomly gives you a whole identity in a number of countries, including accurately formatted (unused) ID numbers and a working email address.

    XVI - Setup Your Own Portable Virtual Encrypted Environment

    The privacy and anonymity provided by a Secure VPN can actually be jeopardized or made useless if you're surfing using a non-secure environment. Below I will describe how to setup a sterile Portable Virtual Encrypted Environment for free - or at very low cost.

    It is not enough to oppose strong encryption to those who want to attack your privacy. They could always use brute force against you or use other coercive methods to force you to reveal your passwords and break into your personal/business life. The idea is to become truly invisible or at least make your online activity look not any more suspicious than the one of the average user.

    1. Get A Portable Drive

    All of your sensitive data and the software you need to run it must be able to work from a portable device such as a USB flash drive. That way you reduce to the minimum the amount of indices left on your home/work computer or laptop. You can use any USB flash drive. One of the best is the unbreakable Cruzer Titanium from SanDisk but you can use any other drive that you will get for free as well. CD-R are not recommended because rewriting is not as practical and the support is physically weak.

    2. Create a Virtual Encrypted Disk

    Most USB flash drive come with their proprietary encryption software. However it is better to use open-source encryption than proprietary encryption which is barely as strong and as safe as Truecrypt.

    Truecrypt is a free, open-source encryption software that enables you to transform any file such as a Word or audio document into an invisible encrypted drive. It is better than PGP for disk encryption because it transforms a regular file into a disk of any size while keeping the original extension of the file (.doc, .mp3, .mpeg, ...).

    Download Truecrypt, install it and use it to create your virtual drive which will become your true hard drive for secure everyday use. Your USB flash drive serves only as a physical support. See the TrueCrypt Tutorial Video.

    3. Use Portable Applications

    Once your Virtual Encrypted Environment is created, here are the essential Portable Applications that you may need:

    - Browsing: Portable Firefox. If you use Portable Firefox on a host computer that doesn't have Firefox already installed, it creates two directories on the host, but your settings, cookies, and other private files remain on the thumb drive. Don't forget to select and add the most useful add-ons to your Firefox browser.

    - Email Client: Portable Thunderbird works without problems on a USB drive. You'll get the best results if you have an IMAP account that lets you leave messages on the server instead of transferring them to your drive, as you normally do with conventional POP mailboxes.

    - Instant Messenging: Universal Chat Client Pidgin. The free Pidgin instant messaging allows you to use your different messenger IDs within one single application: it works with AIM, ICQ, MSN, Yahoo! Jabber, ... you name it. Make sure to use the Portable Pidgin version. The result is a trouble-free universal IM client that leaves no traces on the host computer.

    - Password Manager: Portable KeePass is a free, secure open-source, light-weight and easy-to-use password manager for Windows. It is entierly portable.

    You should use open-source software whenever possible. Commercial software 1) Is not free 2) Their developer may have been corrupted by governments or other malevolent organizations to install "backdoors" in the program, which annihilates your security and privacy. There are plenty of free, open-source applications that are created or progressively re-developped to become portable. You can keep up to date with the latest Free Portable Applications on

    It's also very practical: you can work from any computer instantly with your own customized environment everywhere you go even if the PC you're using don't have your applications installed. You eliminate any risks to forget to log off your email, messenger, etc or to have your logins and passwords recorded by accident on your host computer, whether it is a public computer, work computer or a friend's computer. You leave no clues about your browsing activities on the remote computer, etc.

    The only risk remaining is of course keyloggers and trojan horses (programs that secretly records the integrality of your keystrokes and take regular snapshots of your activity).

    4. Create Plausible Deniability

    Your Truecrypt volume is already encrypted within an innocent .mp3 or another very common file type. Make sure to give an equally innocent name to this file (the title of a dumb pop music song, a birthday video, etc and not "truecrypt volume", "secret hard drive" or whatever related to your real activity...). Make also sure to copy a few files of the same type on your USB flash drive so an eventual intruder will think there is only one document which happens to be corrupted. You can as well fill your home computer or laptop with loads of harmless data and software, to let the intruder think you're really running your applications, surfing the internet and doing everything else directly from your computer and not from a flash drive.

    It's a lot preferable to create your virtual drive into an existing audio or video document for several reasons. Your Truecrypt volume is likely to be rather huge (at least a few tens of MB) so for this size it's more plausible to use a .wav or .mpeg file. A single Word (.doc) document of 135 MB will look suspicious. Another reason to use audio or video documents as a support for your Truecrypt drive is that the fact it won't open with a click could also be due to the local Media player (Windows Media Player often creates problems) that is missing or not working. This will seem more normal than a text document which doesn't open itself (Word documents normally open in the Notepad even if MS Word is not installed on the computer).

    Copy a handful of other documents also. Create artificial folders, etc. Anything you can find that is very common and boring will fit. Your purpose is to make any observer think you're just a regular person with nothing to hide and make him pass his way.

    5. Secure A Backup

    Your Truecrypt drive is all set up on your USB flash drive in a secure manner, equipped with plausible deniability as explained above and ready to be used daily. But a flash drive is a physical device so it can still 1) Attract attention on your data in the most extreme cases (if you want to be absolutely invisible, which means even not having your encrypted drive on your body), 2) Be lost which is the main problem you face when all your vital data is contained in your drive.

    So it is necessary that you make a regular backup of your encrypted virtual drive to your computer, or store it online. You can create a free account on Megaupload where the file could be stored for 3 months.

    You could also upload it on a server to which you have access (most likely your own website's server), on a free web-based mail account (like Gmail or Yahoo - created and accessed with secure SSH tunnel/VPN), on a file-sharing network (like eMule) or in any place where your file will be conserved with no limit of time and be accessible from anywhere in the world. Of course it is better to make a duplicate backup, in two or more different secure online locations.

    After you have uploaded your backup online, in the eventuality you lose your physical drive, you will be left with nothing in your hands regarding your data. Ultimately, the key to your Portable Virtual Encrypted Environment has to be in your own mind. But it's not likely that you will be remembering the address, login and password to your FTP very long as you will use it only in case emergency. That's why you should write down the credentials for access to your backup (login and information about your FTP, anonymous email account or else) in an encrypted email which will remain in the archive of your personal email account - the one you use every day. If you're using a secure web-based email account with SSL access like Hushmail (and you definitely should) then your data is safe.

    Many companies offer more or less the equivalent as what's described above, for as much as $500.... You should be able to set up yourself a Portable Virtual Encrypted Environment which will work just as fine for free!

    XVII - Important: Don't trust your Printer

    "On Nov. 22, 2004, PC World published an article stating that "several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters." According to the article, the high fidelity of outputs from color machines to their original documents suggests that counterfeiters can potentially succeed in creating high-quality counterfeited currency and government documents using these machines. At the request of the United States Secret Service, manufacturers developed mechanisms that print in an encoded form the serial number and the manufacturer's name as indiscernible markings on color documents. The Secret Service and manufacturers would be able to decode these values from the markings and in the event a color machine was used to print a suspected counterfeited document, these values would be used with customer information to discover the identity of the machine's owner." [from:]

    More information:

    XVIII - Secure Web Hosting

    Using anonymity software is not enough! You are still visible to everyone. First of all, all websites can be read by using WHO IS websites which are free. Here’s an example. Visit this free website and type in a website address, then press on the button Search. The WhoIs website will show you who registered that website, it will tell you it’s email address, home address and even phone number!

    So, website owner, you can hide your info by using Domains By Proxy for example. However, Domains by Proxy does not offer true anonymity. In most countries they are legally obliged to collect personal information from domain owners. They also require little persuasion to release domain owners’ contact information, in some cases requiring only a phone request, certified letter to the domain owner, or a cease and desist letter.

    Truly secure web hosting should be located outside of the US/EU and accept private payment methods such as e-currencies.

    Offers offshore web and application hosting on servers located in datacenters in Hong Kong, Malaysia and Texas, USA. Site hosting starts with Budget Accounts from as little as $3.49 per month and tops out with 10GB Web Service Provider accounts for $49.95* per month.


    Provide anonymous hosting, anonymous domain name registration. With low cost, powerfull and good support. Accepting: E-gold

    First Alpina

    Offshore hosting and anonymous domain registrations.

    Webhosts around the world, ranked by size

    International Private Domain Name Registrations

    Etc, etc. Do a Google search to find even better offshore providers.

    XIX - Clean your online traces

    Avoid social networking websites

    The CIA is a stockholder in Facebook. The NSA has specific tools designed to gather all personal information from social networkign sites and match them with other databases. Stay clear from social networking sites, or at least never register to them with your real name or main email address.

    Clean your Google records

    You can take control of your "data trail" or "data dossier"– the sum total of what converging databases, retained logs, and available government and private records hold about your life. With Google (backed by the NSA/CIA), Facebook, banks, cards, telcos and internet providers all helping to build up that profile for the state anyway – you can choose what they get and what they don’t.

    Google. The following link provides information about removing information from appearing within a Google search result:

    InfoSpace. Consumers can update or delete their personal listings by searching the InfoSpace database and following the steps that are provided.

    XX - Data Backup Privacy (Online Storage of Encrypted Backup Files)

    Computers and all electronic devices are now routinely searched at airports. Here is a privacy tip for international travel: Maybe you don’t need to transport sensitive data at all.

    With UltraVNC installed, you can access your main computer from a normal web browser anywhere in the world, on any computer. Just enter the main computer’s IP address, followed by your chosen password, to use it via the remote computer’s keyboard, mouse and screen. The connection can easily be encrypted, you can transfer files and you can chat. It is quite easy to set up, but non-tech users might need tech help to set up their router (tech-talk: forward port 5800 – that’s it).

    Another tip in case a computer with sensitive data is stolen, including by customs, is to remember that deleted files remain intact on your free disk space for some time, and are easily recovered. To prevent this, CCleaner has a setting to securely empty your recycle bin (Options>Settings). Also, the main window has a tick box for an occasional secure wipe of all free disk space. A single or three-pass secure wipe should be more than enough – any more will take ages. The "geek mythology" that more are needed at least seems to be busted.

    With Windows, Mac, or Linux, encrypting the whole system disk can be done – but is inconvenient, degrades performance, and increases the risk of data loss in the event of system or disk problems. There is also the trend in the US, UK and other places of demanding passwords under penalty of imprisonment. Instead, you could work on or save critical data only on removeable storage. Windows users can encrypt using Truecrypt. CCleaner can securely delete files on both system and backup drives. For backup, the tiny concealable "microSD" cards are ideal – here are inexpensive 8Gb or 16Gb options, with USB adapter kit included.

    Encryption is grand but sometimes a Judge can insist you provide appropriate passwords. If you don't you may get a free room to repent and reflect. To avoid this problem, there are many low cost or "free" places in cyberspace where you can secretly store your files in plaintext or encrypted form. No one will know they are there unless you tell them. Go to Google and look for "File storage." There are over a million websites offering confidential file storage. This also provides privacy for your files when crossing borders where your PC could be confiscated & searched.

    Get 2 GB of full featured Online Backup for free. Features includeAutomatic Backup, True Archiving, Versioning, Continuous Backup,Mapped Drive Backup and more. It doesn't mean they don't have a backdoor, so anything sensitive should be encrypted BEFORE backing up. The drill would be: Backup to internet before traveling, delete all sensitive files clean computer travel, download needed files from internet. repeat before traveling again.

    For those who don't like to trust anyone else with their data, I've recently switched to using Clonezilla - which works on local, external, LAN and remote disks (latter via SSH! Fantastic free and open-source product, which also comes with an edition allowing you to massively clone your entire system (like, mutiple systems/your whole LAN). I use the live CD to do one machine at a time ATM but am so happy I will be moving over to the server/automated process in the New Year).

    XXI - Bypassing Censorship and Firewalls

    Military, government and big corporate environments often block access to unapproved websites – with Australia, China and some other governments even filtering their whole countries. On a public or shared computer in some of these places, you may not be able to install a VPN connection. So here are some other practical ways around censorship:

    Website names work very much like a phone directory – the name is used to look up the actual number ("IP address"). Censorship often targets these directories (called Domain Name Servers – "DNS"). So, one trick is to access a website directly through its IP address and not use the name. To bust the censors is to visit and enter the banned website address there. Click on Translate, from English to English, and there you are – the "translated" website appears, links and all, with nobody any the wiser. Try other translators if that one stops working.

    Ultrareach is fast, and does get through – one click and a new censor-busting browser window will open. All tracks – at least at your end – are wiped when you close.
    HTML clipboard
    Freegate is software that enables internet users from mainland China, Iran, Syria, Tunisia, Turkey and United Arab Emirates, among others, to view websites blocked by their governments. The program takes advantage of a range of open proxies, which allow users to penetrate firewalls used to block web sites.

    HTTP Tunnel
    HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate.

    GTunnel is a Windows application that works as a local HTTP or SOCKS proxy server. After setting proxy to GTunnel in web browser or other Internet applications, the traffic will go through GTunnel and our server farm before it reaches its original destination. It offers encryption and IP change.

    XXII - Surveillance Technologies

    When you need to know what's going on...

    Security and Surveillance Technology. Spy equipments, surveillance equipment and security systems. Want to know what the latest spy equipment is capable of & where to buy it?

    Spy equipment and off-beat products for would-be private detectives, mercenaries, etc.

    Security, Surveillance & Counter-surveillance.

    Remote spy software. Records chat conversations, web sites, keystrokes and more on your your remote computer.

    Let you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them. All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing. Once connected, the service shows you the exact location of the phone by the minute, conveniently pinpointed on a Google Map. So far, the service is only available in the UK, but the company has indicated plans to expand its service to other countries soon.

    The service promises to let you “catch cheating wives or cheating husbands” and even “bug meeting rooms.” Its tools use a phone’s microphone to let you hear essentially any conversations within earshot. Once the program is installed, all you have to do is dial a number to tap into the phone’s mic and hear everything going on. The phone won’t even ring, and its owner will have no idea you are virtually there at his side. Warning: Once you get into listening in to private conversations without either party’s consent, you’re treading rough water that could sweep you straight into jail. Whether it’s an employee or a spouse on the receiving end of your mission, neither federal nor state privacy laws take violations lightly in America. Getting caught could cost you several years behind bars, among other serious penalties.

    XXIII - Bypass a possible Internet Shutdown

    In the US, a bill is being pushed right now to enable a complete internet shutdown. Other governments have bestowed on themselves similar "emergency powers". However, this would also hurt government and associated big corporate interests. Therefore, except in a very worst-case scenario, blanket shutdowns are likely to be temporary, or only targeted at certain areas. In which case, one answer might be satellite access – billed to an outside address, of course.

    Or, if landline phones still work, there are numerous free (call cost only) dial-up internet numbers. These are accessible internationally, often with no signup needed. It is outdated, slow and costly but does work, even with a VPN – making it also a privacy option of last resort.

    An alternative might be a wireless mesh network linking wireless routers, either independent of any broadband provider or sharing a single satellite uplink. Directional antennas can extend wireless range to a half mile – or even much more. Wireless amplifiers are also available, or routers like the Linksys WRT54GL can be upgraded with firmware to boost power output.


    Remember that governments are not omnipotent, though they would like to be. In reality, they are relatively few in number and there are many practical, economic and technological limitations. Also keep in mind sheer information overload – there can only be so many watchers. But there is a real threat, particularly if you are targeted. In these perilous times I hope these privacy techniques will encourage you to speak out more freely and help you maintain more financial and personal security!

    Surely all this is totally over the top for the majority of users?

    It is certainly over the top for 99 per cent of users for 99 per cent of the time. If, however, you are the one in a hundredth and you do not much like the idea of being at risk for 1 per cent of the time, then no, it is not over the top at all. In any case, using these tactics helps create smoke which in turn helps protect those who really do need all the protection and security they can get.

  2. #2
    Funding Member
    "Friend of Germanics"
    Skadi Funding Member

    Mouse Shadow's Avatar
    Join Date
    Mar 2010
    Last Online
    Wednesday, November 1st, 2017 @ 06:38 AM
    Australia Australia
    Queensland Queensland
    Not here anymore
    Has Left Skadi
    Has Left Skadi
    Has Left Skadi
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    1 Post

    Thumbs Up

    So important to know when you are trying to take over the world nowadays. Thanks for this. Are there any updates to this list as the post seems a few years old.

  3. #3
    New Member
    Join Date
    Mar 2010
    Last Online
    Wednesday, March 10th, 2010 @ 11:33 AM
    Canada Canada
    In a steady relationship
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    0 Posts
    Wow what a list. I leave things like this for my boyfriend to take care of. Computers have never been my sort of thing.

  4. #4
    Spirit of the Reich "Friend of Germanics"
    Skadi Funding Member

    Ahnenerbe's Avatar
    Join Date
    Mar 2004
    Last Online
    European Union European Union
    Gau Westmark
    Zodiac Sign
    Ecological Geniocracy
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    102 Posts
    Quote Originally Posted by Mouse Shadow View Post
    Are there any updates to this list as the post seems a few years old.
    Yes, this Guide has been completely updated very recently (as of 01.04.2010) .

  5. #5
    Funding Member
    "Friend of Germanics"
    Skadi Funding Member

    Mouse Shadow's Avatar
    Join Date
    Mar 2010
    Last Online
    Wednesday, November 1st, 2017 @ 06:38 AM
    Australia Australia
    Queensland Queensland
    Not here anymore
    Has Left Skadi
    Has Left Skadi
    Has Left Skadi
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    1 Post

    Grin Legendary

    Thanks Ahnenerbe. Keeping us safe from the overlords with genocidic agendas!

  6. #6
    Senior Member Germaid's Avatar
    Join Date
    May 2011
    Last Online
    Saturday, August 25th, 2012 @ 01:25 PM
    Württemberg, Franconia and I recently discovered old ancestors in Saxony
    Germany Germany
    Baden-Wuerttemberg Baden-Wuerttemberg
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    0 Posts
    Damn it, this an extensive list of security measures!
    I see, I'm a complete noob to this. I definitely have to work myself through, I guess I used to be quite careless on the web.

    Thanks for this list, I would have never known on my own.

  7. #7
    Hundhedensk "Friend of Germanics"
    Skadi Funding Member

    Hersir's Avatar
    Join Date
    Apr 2007
    Last Online
    Norway Norway
    South Trondelag South Trondelag
    Zodiac Sign
    Thanks Thanks Given 
    Thanks Thanks Received 
    Thanked in
    158 Posts
    Quote Originally Posted by Germaid View Post
    Damn it, this an extensive list of security measures!
    I see, I'm a complete noob to this. I definitely have to work myself through, I guess I used to be quite careless on the web.

    Thanks for this list, I would have never known on my own.
    Also take a look at Alot of good stuff there.

Similar Threads

  1. Replies: 9
    Last Post: Monday, October 10th, 2011, 03:21 AM
  2. Online Guide to the Subraces?
    By Goomer in forum Anthropological Taxonomy
    Replies: 1
    Last Post: Wednesday, June 8th, 2011, 04:48 AM
  3. PGP & GPG: Email for the Practical Paranoid
    By Patria in forum Internet, Security, & Privacy
    Replies: 0
    Last Post: Tuesday, March 28th, 2006, 12:24 PM


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts