Wilson Wilson
Bluelighter
I offered to write this and @PrincessDiz was interested and I’m sure others will be too, so here it is.
I will focus this guide mainly on things anyone can do if they follow simple instructions regardless of technical skill. I will make brief mention of projects techies might be interested in, but I won’t focus on talking about them in detail as nerds can do their own reading from the project websites and I want to make this as accessible as possible.
The goal of this is to help anyone with any type of setup improve their privacy and security in some type of way. Those who are properly dedicated can even set up a super secure locked down smartphone without much skill required, but money may need to be spent for compatible hardware. A sufficiently powerful laptop or desktop can also run an ultra secure OS. I will focus primarily on things that should work on any modern device, then discuss the more specialised stuff further down for those who are interested.
Privacy vs. security
First things first. I want to explain the difference between privacy and security. These are often used interchangeably but they’re in reality very different.
Security means a system is safe from external threats. If I set up a computer in such a way that hacking into it is very difficult, it is a secure system. But a secure system is not necessarily private. For example: Windows 10 has many good anti-exploit features, built in antivirus and firewall, and automatic security updates. However it also has a built in keylogger, it sends info on what software you use, what websites you visit, who you talk to, what your voice sounds like (if you use Cortana), and even your location back to Microsoft by default. It is also closed source, making it impossible to independently verify what the code is doing. This makes it very bad for privacy even though it has decent security.
Privacy means that no one is snooping on what you’re doing. A private system is not necessarily a secure one. For example, custom Android ROMs such as Lineage OS (Cyanogen) do not contain Google Play Services by default and therefore nothing in the OS is tracking you. However, in order to install it, you must unlock your bootloader, inherently making your device less secure. Most phones on custom ROMs are also rooted, which is again inherently insecure as it bypasses the Android permission system. So you can have a setup that’s good for privacy, but makes compromises in security.
Ideally what you want is both. But as the above examples demonstrate, this is more difficult than you might assume.
There are ways to improve your privacy if you insist on using Windows, but you will have a hard time gaining full privacy on Windows 10 by design. Downgrading to older versions of Windows is very bad for security as they’re no longer patched (and most new computers don’t have Windows 7 drivers anymore). So if you want a private and secure OS you need to really look at alternatives in the Linux world.
I’ll get onto that later. What I’ll start with first is how to improve security and privacy in small ways no matter what your setup is.
Home network security and privacy enhancements
Your DNS server
A DNS server is the service that turns website names (domain names) into IP addresses. For example if you enter “pornhub.com” into your browser, the DNS server will be sent that domain name and return the IP address. The IP address is what your computer actually uses to find the website. This happens in the background so you don’t see it. By default you probably use your ISP’s DNS server. ISP DNS is often not the best and doesn’t take advantage of the latest technology (think of it like ISP email accounts) and in some cases, especially in more oppressive countries, ISPs even use their DNS for censorship.
The easiest changes to make are to your home network. By simply going into your router settings you can change the DNS server for pretty much all devices on your WiFi. For the most low effort approach possible, you can use an existing service such as AdGuard DNS.
This will do two things: take the responsibility of handling DNS queries away from your ISP, and block requests to ad and tracking servers. This makes it a decent privacy and security enhancement as ad networks track your online activity and most in-the-wild exploits abuse ads. This will also provide ad blocking for all devices on your network!
The process is very simple. The exact location of menus will depend on your router, but any router should allow you to manually enter DNS servers. If in doubt just look up the name of your router + how to change DNS.
If your router allows for DNS-over-TLS, which may be called “secure DNS” or something similar in the menus, you should enable that and enter “dns.adguard.com” as your DNS server. This performs the same function as entering the IP addresses manually except it means your DNS requests are encrypted for some extra security (it makes MITM attacks more difficult which is good for security, but doesn’t necessarily provide privacy as TLS leaks the target domain name).
If the option for DNS-over-TLS isn’t there, and you just have the classic DNS menu where you’re asked to enter two IP addresses, then put in 176.103.130.130 and 176.103.130.131 then save your changes.
Now any device on the network set to use the DHCP allocated DNS servers will automatically update to those. Most devices are set like this by default so you shouldn’t have to change anything else. Those devices will get your DNS from your router automatically.
Some devices have hardcoded DNS servers; for example, the Google Chromecast always uses Google’s DNS servers (8.8.8.8 and 8.8.4.4). Not much to be done there. But this won’t be the case for your phone, tablet, laptop etc.
If you have an Android phone, I recommend using the “private DNS” option to set AdGuard DNS on that as well. The benefit of this, aside from using DNS-over-TLS, is the DNS server entered there will work on WiFi and mobile data. So even if you’re on the mobile network, the DNS server will be the one you enter, not your network one. This means you get encrypted DNS and ad blocking.
Yes this is a method of ad blocking without having to install any apps! It will block all ads in all apps across your whole Android phone without rooting or even installing anything.
Just go to settings > network settings > private DNS > select “custom” > enter “dns.adguard.com” > save.
Done!
Unfortunately it’s not possible to set the DNS server for your mobile network on an iPhone without using a VPN. I’ll get to VPNs later.
DNS the nerdy way
If you feel like getting your hands dirty you can do what I’ve done and set up your own local recursive DNS server using a Raspberry Pi. To do this you simply install Unbound and Pi Hole on a lightweight Linux server - a regular Pi 3 running the command line version of Raspbian does the job perfectly - give a fixed local IP, then set that IP as your DNS server. This means all DNS queries from within your LAN go through your own local DNS server, not a remote server, and you can customise the block lists - for example if you hate Facebook you can block all Facebook domains from working in your LAN.
If you are comfortable with Linux and the terminal it will be very easy and shouldn’t take more than an hour max to get set up as you like it. There is a full tutorial here:
Please note this covers your LAN only. If you want something that works remotely, outside the local network, use the AdGuard DNS. If you want a DIY solution you could also set up your own VPN using a cheap VPS and run Pi Hole on that. But since you are trusting a third party server either way, I recommend the simple AdGuard option unless you really want customisation or simply enjoy having a project. Keep in mind that any public cloud provider is pretty much certain to be backdoored by the usual suspects (see: PRISM).
Do NOT open a DNS server you create yourself directly to the internet as open resolvers set up on random networks are used for DNS amplification attacks, a form of DDoSing.
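A check for the open-resolver mistake warned about above, as an added example that is not part of the original post or of the Unbound or Pi Hole projects: it reads an unbound.conf and reports every `access-control` line that allows clients from outside loopback and private address space. The two sample configs are constructed, and the function name is this example's own.

```sh
#!/bin/sh
# Added example: audit an Unbound config for rules that would let the
# resolver answer clients on the public internet (an open resolver).
# Unbound only answers localhost by default, so the risk comes from
# "access-control: <netblock> allow" lines that are too wide.

# Constructed sample: the second rule lets any IPv4 client query the server.
SAMPLE_CONF_OPEN='server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 allow    # answers anyone'

# Constructed sample: LAN and loopback only, everything else refused.
SAMPLE_CONF_LAN='server:
    interface: 192.168.1.53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse'

# Reads unbound.conf text on stdin and prints one line per finding.
# A netblock counts as local only if it sits inside loopback, RFC 1918,
# IPv6 unique-local or IPv6 link-local space, prefix length included,
# so 10.0.0.0/4 is flagged even though it starts with "10.".
audit_unbound_conf() {
    awk '
    function is_local(net,    p, len, a) {
        split(net, p, "/")
        a = tolower(p[1])
        len = (p[2] == "") ? 999 : p[2] + 0      # no prefix = single host
        if (a ~ /^127\./)                        return (len >= 8)
        if (a ~ /^10\./)                         return (len >= 8)
        if (a ~ /^192\.168\./)                   return (len >= 16)
        if (a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) return (len >= 12)
        if (a == "::1")                          return 1
        if (a ~ /^f[cd][0-9a-f][0-9a-f]:/)       return (len >= 7)
        if (a ~ /^fe80:/)                        return (len >= 10)
        return 0
    }
    { sub(/#.*/, "") }                           # drop comments
    # allow, allow_setrd and allow_snoop all start with "allow"
    $1 == "access-control:" && $3 ~ /^allow/ && !is_local($2) {
        printf "line %d: access-control allows non-local netblock %s\n", NR, $2
    }'
}

# With a readable file as argument, audit it; otherwise show the result
# for the constructed open sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    audit_unbound_conf < "$1"
else
    printf '%s\n' "$SAMPLE_CONF_OPEN" | audit_unbound_conf
fi
```

An empty result only covers Unbound's own rules; the router's port forwarding settings are a separate check.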
Other router settings
There are other router settings that are worth changing to provide extra network security. Often these are “convenience” features but many are outdated as new standards no longer require them, so disabling them should not affect anything negatively. If it does, you can always change settings back.
Can’t really give exact instructions here as it once again differs by router model, but again Google (or DuckDuckGo) is your friend.
Disable UPnP.
Disable port forwarding unless you absolutely need it and know what you’re doing.
Ensure the firewall is on and set to block all incoming connections.
Run a test to ensure all ports are closed:
www.grc.com
The router itself
Some ISP routers keep certain ports open as a backdoor for customer support to remote in. Like any backdoor, this can also be used by black hats (the people you think of as "hackers") looking to exploit your network. All ports should be closed. If the test above finds open ports even though your firewall is set to block all incoming connections, I am guessing it’s an ISP router, and you should get rid of it.
ISP routers may also remove settings such as those allowing you to toggle UPnP or change your DNS. Sometimes this can be fixed by flashing new firmware, but this carries a risk of bricking the device and it’s easier to just buy another router.
It is also rare for ISPs to provide frequent and timely updates to routers, and running outdated software on a router is high risk as the router is at the edge of your network and protects the devices within your LAN. If your router is exploitable, every device in your network is vulnerable. If your router hasn’t been updated for a long time (you should be able to check the firmware build date in the settings) you should replace it. Router malware is a growing real world problem.
Finally, ISP routers are often just plain old shit. That’s why they can give them away for “free” when you sign up. They’re unreliable and often a proper router will provide a much better experience.
Personally I use an Asus router running the Merlin custom firmware, these have treated me well over the years. You can also get routers with preinstalled custom firmware that blocks ads or provides VPN access. For example AdGuard and Private Internet Access both sell routers integrated with their respective services. But for most people stock firmware is likely fine and certainly much less hassle as long as it doesn’t come from an ISP.
You may need to keep your ISP router to use as a simple modem. In most cases you should be able to change a setting to put the ISP router into modem mode. Then all it does is provide internet access to your own router, and the router is what manages and secures your actual network. You can also buy a router with a built in modem or buy a standalone modem. Just make sure it’s compatible with your connection (e.g. for fibre optic broadband you need either a VDSL or VDSL2 modem depending on your service). Your ISP might give you a preconfigured standalone modem if you ask but most want you using their shitty routers so have little incentive to do this. You can however often find ISP modems on eBay cheaply. My setup is an ISP modem plugged into an Asus router.
Improving privacy on a Windows system
Use Brave Browser instead of Chrome, Edge, Firefox, etc.
Set DuckDuckGo as your default search engine.
Disable Cortana.
Under settings > privacy > diagnostics and feedback, set it to “basic” instead of “full.” This cannot be disabled properly unless you use Windows 10 Enterprise so it’s just limiting the info being beamed out.
Go through the privacy settings and disable anything you’re uncomfortable with.
If you don’t use the webcam, put tape over it. No, seriously.
Be careful what antivirus software you trust. Big names have been caught collecting user data and selling it to advertisers, with the only mention of this hidden in the small print. Poor antivirus software can also make it easier to hack your computer. My personal recommendation would be MalwareBytes, but the built in Windows Defender is really good enough in most cases. Avoid Kaspersky as it’s been linked to breaches. Avoid AVG and Avast as they’re known to collect data. Avoid McAfee because it’s just bad.
An enlightening quote:
www.nytimes.com
About zero day exploits
Before getting into security, I’m going to talk about something called “zero days”. A zero day exploit is simply an exploit, in the latest version of some software, that is known only to the hacker(s) who found it and, vitally, is not known to the software vendor responsible for patching it.
So if you were a hacker who found an exploit in the latest version of iOS that no one else, including Apple, knew about, that exploit is a zero day. It’s called a zero day after how many days have passed since a patch was released.
A zero day exploit is high value as it allows any device running the target software to be attacked even if it’s fully updated. Just how high value? Read on and find out.
Smartphone security
As far as security goes, the best thing you can do is keep your OS up to date. If you have an old phone that no longer gets OS updates, replace it. If you have an Android phone you can go to settings > about phone > software information to check the security patch level. If this says something like Jan 2018, your device is hella exploitable and you really need a new one.
You could install a custom ROM which would display a higher patch level, but a custom ROM cannot really do anything for a device no longer supported by the OEM since the firmware won’t be getting updates anymore. Patching OS level exploits without the required firmware patches gives you pretty much nothing but a false sense of security. And most custom ROMs reduce your security anyway - the moment you unlock your bootloader your security is decreased, the moment you root your phone your security is pretty much out the window.
If you have an iPhone, you’re in luck on this front as Apple will provide security patches for 5 years to all iPhones. And if your phone is over 5 years old you probably want a new one anyway.
Assuming you have the latest version of iOS or Android, and you continue to get updates, you have solid security. The current market value for a zero day exploit chain allowing remote code execution, privilege escalation, and persistence is $2,000,000 for an iPhone and $2,500,000 for Android 10.
No, really.
zerodium.com
So yes, if you happen to be any good at this hacking malarky, and you don’t have much of a moral compass, you could make a cool two mil from a single exploit chain. Specific clients are not disclosed by exploit brokers but selling zero days to the “grey market” usually means they will find themselves in the hands of nation state attackers. This could be the US, UK, the UAE, Saudi Arabia, China, Russia, North Korea… whoever is the highest bidder. Reuters did a great article on the UAE’s recent hacking operations, but note that pretty much every country does the same thing and the NSA’s are definitely 10x worse (see: Equation Group).
The reason these exploits are worth so much and used almost exclusively by nation state attackers is because they’re very difficult to find and in high demand. When a high value zero day is found, it is likely to be used only in targeted attacks, else it will become “burned” very quickly - meaning the attacks will be noticed if performed openly on random devices and the software vendor will patch the exploit, making it worthless except on outdated software.
A device running outdated software does not require a zero day for a successful attack. There are always public exploits known for old software, and using those to attack unpatched devices is very easy.
This should really hammer in just how important updates are. Software updates can make the difference between a device that can only be hacked by a nation state attacker with a few mil to burn, and a device that can be hacked by any bored nerd with Kali running on their laptop.
If you happen to own a Samsung, then Knox also provides additional security on top of what is already provided by Android, but this is not a substitute for security patches. Luckily Samsung is one of the better OEMs for providing patches.
Privacy on the other hand is a lot more complex.
Why iPhones and Androids are both shit for privacy
Both Android and iOS have some solid security (assuming you still get patches) but have big problems with privacy. Yes even Apple.
The reason Android is “free” is the same reason anything Google makes is “free” - you pay with your data. Google services track every app you install and how often you use it, they track your location, they collect your contacts and scan the contents of your emails (if you use Gmail), and if you enable Google Assistant they learn literally everything about you. Ever had a pop up on your phone related to a shop you walked past, or telling you there’s traffic on your normal route to work? This is how they do that, by collecting everything. Google will have a log of your location at all times if you’ve opted in to full Assistant functionality.
Many popular Android phones, e.g. Samsungs, come preinstalled with Facebook system apps too. This effectively means Facebook has root access to your device. I’ll tell you how to remove those without rooting in a minute by simply using the adb shell.
“But Apple doesn’t make money from collecting data!” I hear you say. Perhaps not, but they do enable iCloud backups by default, meaning unless you manually go into your phone settings and turn it all off, iPhones (and iPads) upload everything on your device to “the cloud.” This is done in such a way that Apple can read the data and they provide it to authorities when asked, including in oppressive regimes such as China. They did plan to introduce encrypted iCloud backups that would have been impossible for Apple to read, but they cancelled this plan because the FBI told them to stop it. iCloud data is stored on Google and AWS servers (NSA has these pwned) and they use GCBD servers in China (hello CCP). You may also be interested to know that despite their claims to the contrary, Apple has the ability to read iMessages of any user. Additionally, there are hidden data collection mechanisms within iOS and increasingly in macOS - this article goes into loads of detail about these.
Like Windows, iOS is closed source, so you have to blindly trust Apple when they say they protect your privacy. Likewise with Google, although the base Android OS is open source, an increasing number of functions now require proprietary Google software, and any off-the-shelf Android device will contain Google services that track everything ya do.
How to improve your smartphone privacy
There are some things you can do to minimise the data leakage. Ad blockers are once again a good suggestion. Follow the DNS instructions for Android. For iOS, there are many free ad blockers available in the App Store. These only work in Safari but they’re very good. There are simple ones like BlockBear and more customisable ones like AdGuard. You can choose what is best for you.
Disable location services when you are not using them. Be very careful which apps you give location access to. When you do grant location access to an app, when possible allow it only when the app is open, not in the background. These tips apply to both Android and iOS.
Disable any cloud backup services such as iCloud backups.
Only install apps you use. If you don’t use apps anymore, uninstall them. This is good general system maintenance but it also makes sure nothing is tracking you even though you aren’t using it, and it reduces your attack surface for potential exploits.
Consider installing Brave as your browser. It has ad blocking, tracker blocking, and HTTPS Everywhere built in. It’s able to block specific page elements which DNS level ad blocks cannot.
Set DuckDuckGo as your default search engine. On an iPhone you can do this in Safari settings. On Android you can install the DuckDuckGo app. If you use a third party browser such as Brave, you will have an option in the settings to change your default search engine there.
Android: removing Facebook system apps
If your phone came with Facebook preinstalled it will have likely also come with other system level apps that do things like update Facebook outside of the Play Store (for what reason, I don’t know) and could do in theory whatever they want because system apps have a lot of extra privileges in Android. When Facebook is preinstalled as a system app it has root access to your device, effectively giving it the freedom to own your system.
Luckily removing it is easy and does not require root. You just need to install adb on your computer first. The instructions for this differ depending on your OS.
Installing adb on Windows
Get the Android platform-tools from Google.
developer.android.com
Now extract the zip somewhere you’ll remember and follow this guide:
www.howtogeek.com
On Windows 10 this process is actually pretty simple, but if you’re feeling lazy you can just run from the path. For example if it’s in your downloads folder then in cmd you would run something like:
If this gives you version info and a list of commands it works and you can just use this lazy method.
Installing adb on Mac OS
Get the Mac platform-tools from the Google link above.
Extract them somewhere you’ll remember and follow this guide:
coolestguidesontheplanet.com
If that looks a bit daunting to you (it is a bit of a complex process just to make a command work) you can instead just run from the path platform-tools is in. For example if it’s in your Downloads folder you can run something like:
Which should bring up some version info and a list of commands. If so, it works and you can just use this instead of adding to the system path.
Installing adb on Linux
A good old “
If you do get any problems, uninstall the distro’s build (“
The easy bit: running the commands on your phone
You’ve done the difficult bit now, the rest is easy.
First bring up a terminal on your computer and have it ready. On Windows open the start menu and type “cmd” then hit the Command Prompt app. On Mac or Linux, open Terminal. Make sure adb runs as described above.
On your phone go to settings > about > software information and tap on the build number 7 times. It should confirm “You are now a developer!” On Samsung phones you can go back to the main settings menu and developer options is now right at the bottom. The exact location of the menu may differ by device but it’ll be in settings. If you can’t find it just search “developer options + your device make”.
Once in the developer options scroll to USB debugging and turn it on.
Plug your phone into your computer. The phone should ask if you trust the computer for USB debugging. Hit allow.
Now type in these commands:
To make sure you got everything, you can also enter:
If anything else comes up, you can remove it the same way. For example if a package called com.facebook.skynet comes up, you can enter:
Note that if you didn’t add platform-tools to your system path, you will need to run the adb command by manually entering (or copy/pasting) the path to the executable. For example in Windows:
Once you’re actually in the shell you can just run the rest of the commands as usual, because the shell runs within adb which is now running in the terminal, so you don’t need to tell the computer where it is again.
Once this is all done, simply type exit and unplug your phone. Now on your phone, disable USB debugging in developer options. You can turn off developer options itself if you wish.
The apps should be gone now. Reboot your phone to be certain.
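An added example, not the original post's commands: a POSIX shell helper for the removal step above that picks the `com.facebook.*` packages out of `pm list packages` output and removes each one for user 0, then re-lists to confirm. It assumes adb is on the system path and USB debugging is authorised; the sample listing is constructed, and the `--apply` flag and function names are this example's own.

```sh
#!/bin/sh
# Added example: remove preinstalled Facebook packages for the primary user.
# Assumes adb is on PATH and the phone has authorised USB debugging.

# Constructed sample of `pm list packages` output (not from a real device).
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:com.facebook.katana
package:com.facebook.system
package:org.example.facebookfan
package:com.facebook.appmanager
package:com.facebook.services'

# Read `pm list packages` output on stdin and print only package names in
# the com.facebook.* namespace, one per line. Matching the whole name keeps
# unrelated apps that merely contain "facebook" out of the removal list.
facebook_packages() {
    tr -d '\r' |
        sed -n 's/^package:\(com\.facebook\.[A-Za-z0-9_.]*\)$/\1/p' |
        sort -u
}

# Turn package names on stdin into the commands that would be run.
# -k keeps the app data; --user 0 removes the app for the primary user only.
# The APK stays on the read-only system partition, so a factory reset
# brings the app back.
uninstall_commands() {
    while IFS= read -r pkg; do
        if [ -n "$pkg" ]; then
            printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
        fi
    done
}

# Run the removal on the connected phone, then list again to confirm.
# Returns 0 only if no com.facebook.* package is left for user 0.
remove_from_device() {
    adb get-state >/dev/null 2>&1 || { echo "no authorised device" >&2; return 2; }
    adb shell pm list packages | facebook_packages |
    while IFS= read -r pkg; do
        echo "removing $pkg"
        # </dev/null stops adb from swallowing the rest of the package list
        adb shell pm uninstall -k --user 0 "$pkg" </dev/null
    done
    left=$(adb shell pm list packages | facebook_packages)
    [ -z "$left" ] || { echo "still installed: $left" >&2; return 1; }
}

case "${1:-}" in
    --apply)
        remove_from_device
        ;;
    *)
        # Default: dry run against the constructed sample, nothing is removed.
        printf '%s\n' "$SAMPLE_PM_OUTPUT" | facebook_packages | uninstall_commands
        ;;
esac
```

Run it without arguments first to see the commands it would issue, then with `--apply` once the phone is plugged in and trusted.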
How to talk to people securely
Regular phone calls and SMS are insecure. Period. They use 90’s encryption that hasn’t been improved upon since. Anyone can crack it with cheap antenna equipment. Police are known to use “stingray” devices to passively hoover up text and call data and track the location of phones. This is done by imitating a phone mast. It’s very easy because, again, this is 90’s tech with shit security. Additionally, your network likely keeps a log of all your calls and texts for at least a year.
Not much can be done about the above as GSM is inherently insecure and the MITM attack performed by the stingray can be replicated by anyone with a bit of simple transmission equipment. The only thing to do is treat the network as potentially hostile and ensure you are not relying on GSM for encryption. Your communications should be encrypted before they leave your device. Which brings me nicely onto…
Install Signal. Tell all your friends to install Signal. It’s the most secure messenger in existence. It allows for E2E encrypted text, voice, and video chats. Texts can be set to automatically delete themselves on both devices after a timer has been set. The NSA really really don’t like it when people use Signal because they cannot crack the encryption. Edward Snowden uses it.
Do not trust WhatsApp. Its long history of severe exploits aside, it’s closed source and owned by Facebook. The cloud backups also undermine the encryption. I wrote a thread detailing why WhatsApp cannot be trusted here:
www.bluelight.org
It should go without saying that Facebook Messenger shouldn’t be trusted either.
iMessage’s design allows Apple to read your messages whenever they want (see link above under “why iPhones and Androids are both shit for privacy”). The fundamental issue with iMessage is that Apple controls the keys used to encrypt your messages and can change them whenever they want without you noticing. This also allows them to add a secret participant to the conversation, unknown to you, who could be anyone e.g. FBI agent. It’s also closed source. It’s better than using something owned by Facebook but well that’s not saying much is it?
Telegram has a lot of flashy bells and whistles but by default all chats are stored in the cloud so you are just trusting Telegram to secure them and not share them. It’s unlikely they’re selling your data, but security breaches happen all the time. Signal on the other hand is designed so the servers literally cannot even read your messages, let alone store them, as they don’t have the keys. Telegram does have E2E “secret chats” but the cryptography is questionable and the secret chat function doesn’t allow for group chats.
Signal is the one. Use it. Make everyone you talk to use it. Your privacy will be increased significantly.
A note on VPNs
A VPN will hide your browsing activity from anyone logging your internet use, including your ISP and lower level parts of the government, but you have to trust the VPN service you use. It is very easy for someone running a VPN server to log all traffic from all users. Most will advertise a zero log policy, so you simply have to trust them to keep to their word. Some have been caught lying about this.
The country a VPN runs from is also important. You should avoid ones run from a member of the Five Eyes. This includes the related agreements expanding to the Six Eyes, Nine Eyes, and Fourteen Eyes. These countries perform mass surveillance and share intelligence with each other. Members of the Five Eyes can use XKeyscore, the NSA’s PRISM search tool.
You might think this type of concern is being too paranoid, but consider that countries such as the US, UK, Germany, Australia, Russia, and many more have laws in place that allow law enforcement to compel companies to backdoor their services, and this will also come with a gag order. In the US these are known as national security letters (NSLs) and are handed out by the FBI. Australia’s law takes it a step further and allows the government to compel individuals to backdoor the company they work for. So the country your VPN is based in is very important.
Pretty much every big US company has been served with an NSL so use of these by the FBI appears commonplace. A warrant or other oversight from a judge is not necessary to grant one. Remember unless an NSL has later been declassified, a company cannot tell you if they’ve been served with one.
www.zdnet.com
Big companies often have the resources to fight such things, but VPN providers are small businesses without the resources of Apple or Microsoft. Such companies have to choose between accepting the NSL or shutting down the whole business. The Lavabit case is a good example of how this whole Kafkaesque process works.
www.theguardian.com
In that Lavabit case, the NSL would have given the FBI access to the emails of every single user had it been followed through. It's hard to speculate on other cases, but keep in mind this shows NSLs are not limited to selective surveillance.
ProtonVPN is good. It’s run by trustworthy people (CERN scientists) from a trustworthy country (Switzerland) which is not a member of any intelligence sharing arrangement and has pretty strong privacy protections in law.
You can set up your own OpenVPN server on a VPS if you have some basic Linux skills, but the question comes back to how much can you trust your web host with your data? Pretty much all big web hosts can be assumed to have backdoors. It’s hard to say with smaller fish, but small web hosts are small businesses so again, even if they have idealistic leaders, they’re unlikely to be able to fight the FBI if they do come knocking.
How to make the most secure smartphone possible
This is a bit more hands-on but it’s something that only requires following a simple tutorial and typing a few commands into a terminal. You will however need to buy a Pixel 3 or 3a. If those two prerequisites are not an issue, read on.
The US Secret Service provides modified Android-based smartphones with a specially created locked down OS. The president uses such a phone for state business. This is probably not private, since we can guess the state security services keep logs of what the president does on his phone, but it’s likely very secure.
This isn’t an option for us (and even if it was, would you trust an OS made by the US government?) but we do have a locked down Android fork for the masses.
GrapheneOS is an open source project dedicated to creating a hardened version of Android. It is focused on privacy and security, with a particular emphasis on enhanced security and exploit mitigation. It has a hardened kernel, hardened memory allocation, hardened browser engine, extra SELinux policies, more sandboxing, a modified permissions system, and a lot more.
Basically they’ve added a lot of extra security to the OS as well as taking the existing security measures and improving them. There are also no Google services and no other trackers inside the OS. It doesn’t watch you, it has no built in cloud services, and it protects you heavily from intrusions. It’s excellent for both privacy and security.
The primary goal is exploit mitigation, which means that even if a known exploit or a zero day exists to attack Android, it should be much more difficult to use such an exploit on GrapheneOS compared to normal Android. This means even nation state attackers who buy and stockpile zero days would have a harder time hacking into your phone. The NSA probably won’t target your phone, but you can rest assured that if even they’d have a hard time getting in, so would an average hacker.
It is probably the most secure mobile OS the public can get. Edward Snowden has said that: “If I were configuring a smartphone today, I'd use Daniel Micay's GrapheneOS as the base operating system.” A very strong endorsement for a project focused solely on privacy and security.
The usual concerns about custom ROMs do not apply here as, unlike an average custom ROM, GrapheneOS uses the same install process as official Android builds and doesn’t require a custom recovery or an unlocked bootloader after the initial installation is complete. In fact they tell you to lock it again once you install the OS and the install process includes installing their key to ensure the phone only installs future updates that are cryptographically signed. There is also protection against attempted downgrades and OS integrity verification - in other words the bootloader checks no one has tampered with the OS whenever you turn the phone on.
How to install it
Since it has strict requirements for the hardware it supports, requiring that it have various security features, GrapheneOS currently supports only the Pixel 3 (XL) and Pixel 3a (XL). It does also sort of support the Pixel 2 but only as a legacy device and support will be dropped soon as it lacks important hardware security features. So you should use a Pixel 3 or 3a. The cheapest option is the 3a which costs around $300 brand new. eBay prices are even less. Get a factory unlocked one, not a carrier one.
Back up anything from the phone you want to keep, then follow their instructions.
grapheneos.org
You can adapt the adb instructions above to the fastboot ones required for this. Both are included in platform-tools.
How to set it up
When you first boot it up you’ll probably realise it’s very sparse. It only comes with a basic set of mostly barebones AOSP apps. The project says this is so they can keep their focus on the core security of the OS and let users install the apps they want. Which is fair enough, but it does seem like F-Droid should be on there by default.
So you can install F-Droid from here. After doing this, it’s a good idea to go into the browser app settings and disable the permission to install unknown apps, which you had to enable previously to get F-Droid. You will have to also grant this permission to F-Droid itself, but it needs it, so you can keep it on.
It is best practice to install apps from F-Droid whenever possible as they’re open source and don’t contain ads and trackers that most apps are full of. But you probably will want apps from the Play Store too. So in F-Droid search for Aurora Store and install that. Select anonymous login when it asks. Now you can install apps from the Play Store without actually having the Play Store, using a Google account, or having any Google services running. Check back to both F-Droid and Aurora for updates and make sure you keep all your apps up to date.
One especially useful user facing feature in GrapheneOS is the “network” permission. If you turn this off for any given app, it will be unable to access the internet. So if you have a free game that keeps throwing ads at you and bugs you for your location, you can deny it network access and it won’t have an internet connection. Any app that doesn’t actually need internet access should have this permission disabled.
If you run this OS and communicate via Signal, you have what is probably the most private and secure smartphone setup on the consumer market.
How to improve your laptop’s privacy and security
Replacing Windows with a user friendly Linux distro such as Ubuntu or Elementary is the easiest way to secure your laptop and make it more private. I’ve installed those two Linux distros on computers of people I know are not technical and they had no trouble adapting - in fact they have fewer problems with their computers than they did with Windows.
Moving away from Windows is the biggest step you can take towards increasing privacy on your computer. Linux is the only viable alternative and it is far superior for privacy. Security is also very solid assuming you’re sensible about what you install and you keep everything up to date.
There are two ways you can go here. The first is to install a regular user friendly distro like Ubuntu or Elementary. These are easy to use, lightweight, and reasonably secure. They will work on almost any computer.
The second is to install a specialist secure distro such as Qubes. This uses fancy witchcraft (aka the Xen hypervisor) to separate your system into different VMs. Because it’s based on VMs it can even integrate with Windows, so you can use Windows software inside Qubes without WINE, as well as Linux software across multiple Linux distros.
It will lock you down tighter than Fort Knox, but it is less user friendly and requires some knowledge to use it to its full potential. It also has stricter hardware requirements, since running multiple VMs requires a powerful computer. Some security features also require specific hardware support.
As with GrapheneOS, Qubes is endorsed by Edward Snowden: “If you're serious about security, QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better. It's not bulletproof -- nothing is -- but it's as close as you can get right now.”
If you are already familiar with Linux and have a powerful enough machine I direct you to check out Qubes.
However since I’m targeting this at normies I will focus on the mainstream Linux distros. They provide plenty of privacy and security enhancements over Windows making it worthwhile doing for the average user.
Ubuntu is the most popular, while others are usually based on Ubuntu. Ubuntu is a fine choice if you want a basic user friendly Linux system. When installing, I recommend using the light install option rather than the full one. This is simply because less software you don’t need means a smaller attack surface.
ubuntu.com
Elementary is also very lightweight while also having a real nice interface. Perfect for the average user. Based on Ubuntu but with its own set of packages. This also means any software made for Ubuntu will run perfectly on Elementary. Even my gran can happily use this OS.
elementary.io
Note that despite how the page is set up, you don’t have to pay for it. Just enter 0 into the custom box.
Mint is easy to use and looks a lot like Windows, but it comes with a lot of packages you probably don’t need, including poorly secured stuff like Flash, and as of right now has no “light” install option. You could manually remove unwanted packages, but the whole point is to make this easy and accessible. So I recommend one of the other two.
The actual installation process is easy. You can create a bootable USB by downloading the ISO and burning it using a Windows tool called Rufus. Back up anything you want to keep from your computer, boot from the USB stick, and you will be booted into a live session. You can try out the OS to make sure it works properly on your computer before installing. When you’re ready just choose install and follow instructions. Make sure you turn encryption on when prompted.
The ease of enabling full disk encryption on Linux is itself a vital security and privacy upgrade. To encrypt your disk on Windows you either need to pay for Windows 10 Pro and set up BitLocker which is closed source and backdoored, or use third party software such as VeraCrypt which is an excellent open source project, but requires a third party bootloader and is not officially supported by Microsoft, meaning it isn’t guaranteed to work and future OS updates could break it. And it still won’t help with the other privacy issues of Windows.
If you want to keep your current Windows setup as well as your Linux install, you can partition the drive during installation for a dual boot system. This means when your computer turns on it asks if you want to use Linux or Windows. Your drive will be split between the two OSs. You will need to decide how to split the drive - for example do you want to make it 50/50 or give one OS more space? Changing this later can be tricky so consider it beforehand.
If you do partition your drive, still back everything up just in case something goes wrong. It usually doesn’t, but if it does you’ll kick yourself for not having a backup.
Once Linux is installed, usually Firefox is the default browser. It’s best to install Chromium or a Chromium based browser such as Brave instead. Chromium is a more secure engine than Firefox (way better sandboxing), has more compatibility with various websites, and projects like Brave build extra privacy protection on top. Avoid Google Chrome as it contains proprietary Google code.
To install Chromium:
Once you open it you can (and should) install uBlock Origin as well.
Set up automatic updates in your distro and reboot it now and then so kernel upgrades can take effect. Enable the firewall and set it to block all incoming connections. Strictly speaking, an out of the box Linux install should be very “quiet” and not open ports unnecessarily anyway, but it’s good to have extra layers of security.
You can also increase sandboxing by opening a terminal and entering “
WINE can often run Windows software inside Linux but it’s not perfect. You can also use VirtualBox to just run Windows in a virtual machine. This will run all Windows software fine, but it requires a Windows license (you can get one for $5-10 on Amazon or eBay) and the performance of a VM depends on how powerful your computer is. If you have a recent laptop with an i5, at least 8GB RAM, and an SSD, you will probably have no trouble at all. But an older or low spec machine will struggle to run a VM and in those cases it’s best to use the dual boot option.
How to make the most secure laptop possible
If you really wanna go hard, install Qubes. I won’t write a full guide to that here since their site has good documentation and if you understand the benefit of running it you probably don’t need a tutorial.
Using it to its full potential requires changes in how you use your computer, for example by putting sensitive software and files in their own VMs, so it won’t just magically do everything in the background. Keep this in mind.
And as it is running multiple VMs you do need decently high end hardware. It won’t run on your shitty Pentium.
Some final notes
The practices you choose to follow will depend on your threat model. I’ve mentioned the NSA a few times but it’s important to be aware that trying to outsmart the NSA is unlikely to be successful. You can generally assume they’re tapping your connection at some point down the line.
But what you can do is decrease exposure to the dragnet, so for instance if you use Signal on a locked down OS that isn’t sending out tracking data, there’s no personal info being leaked out of your phone for the NSA to grab in the first place. They could grab your Signal messages, but they’ll just look like a bunch of garbled nonsense as breaking the encryption would require more time than the universe has existed for.
security.stackexchange.com
Basically the best way to keep your shit private is to limit the amount of info being sent out in the first place. And to ensure any info that is sent out is end-to-end encrypted with modern encryption standards.
Other elements of a threat model are important to work out what you’re trying to defend against and what tools are needed. If you want to protect yourself against hackers, a locked down, up to date OS is the best way to do it. If you just want to limit the amount of tracking across the internet, AdGuard and Brave Browser will do a good job and are far more simple to set up.
It should also go without saying that absolutely nothing is 100% secure. What you can do however is make your systems as secure as possible, so any attackers are likely to get bored and move on to easier targets. And you can definitely avoid the use of software and services that invade your privacy and are known to use poor security practices (e.g. WhatsApp, Zoom).
This topic can also get a lot more complex if you have more technical skill. For example I haven’t talked about creating your own custom build of Linux or Android, which is pretty easy to do these days once you complete the initial setup. You don’t need to be some mega-genius to roll a custom OS build these days, just a standard issue nerd.
For those who are curious, look at RattlesnakeOS for a good toolchain that will automate custom AOSP Android builds. The default chain is designed to run on AWS though, so if you want the security of a local build environment, you can look at one of the forked projects set up to do RattlesnakeOS builds locally. You will need powerful hardware to do this though - and when I say powerful hardware I mean ideally an actual server machine, but if not, at least a recent i7 with 32GB RAM and a very fast SSD. If you have an average laptop you’ll have a very frustrating time trying to build AOSP and it will take days at best. This is why the main project uses AWS. You get cheap compute power, but risk a compromise in security.
For a custom OS on your computer you can set up Arch Linux however you want, with only the packages you need, but I don’t recommend this to anyone who isn’t already familiar with Linux unless they want to become familiar with Linux and like a challenge. In fact if you want to dive head first into Linux on hard mode, fire up a VM or a spare computer and install Arch, you will learn a lot about how Linux works. This does not require powerful hardware at all, you could do it on a 10 year old machine if you wanted.
wiki.archlinux.org
These custom solutions are not hardened like Graphene or Qubes but the benefit here comes from having full control over your system, only having the packages you choose, and ultimately a small attack surface. You can also install a hardened Linux kernel for Arch as well as various sandboxing software, so you can configure an Arch install to be hardened if you’re willing to do that work.
Hope this was informative!
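The laptop section says a fresh Linux install should be "quiet" and that the firewall should block all incoming connections. The script below is an added example, not part of the original post: it lists the listening sockets that other machines could reach, so you can see what the firewall would actually be covering. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find listening sockets that are bound to something other
# than loopback, i.e. services other machines on the network could reach.
#
# Input is the output of `ss -tulnH` (TCP+UDP, listening, numeric, no header):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Field 5 is the local endpoint we care about.

exposed_listeners() {
    awk '
        NF < 5 { next }                      # skip blank or short lines
        {
            local_ep = $5
            # The port is whatever follows the LAST colon (IPv6 has many).
            if (!match(local_ep, /:[^:]*$/)) next
            addr = substr(local_ep, 1, RSTART - 1)
            port = substr(local_ep, RSTART + 1)
            sub(/%.*$/, "", addr)            # drop interface scope, e.g. %lo
            gsub(/\[|\]/, "", addr)          # drop IPv6 brackets
            # Loopback-only services are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr, port
        }'
}

# Constructed sample resembling a desktop install with an SSH server added.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
EOF
}

# Default: analyse the embedded sample. Pass --live to analyse this machine.
# Anything listed is what a default-deny incoming firewall policy is hiding;
# on Ubuntu that policy is set with:
#   sudo ufw default deny incoming && sudo ufw enable
if [ "${1:-}" = "--live" ]; then
    ss -tulnH | exposed_listeners
else
    sample_ss_output | exposed_listeners
fi
```

An empty result with `--live` means nothing is listening beyond loopback; anything that does appear is either a service you meant to run or a package worth removing.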
I will focus this guide mainly on things anyone can do if they follow simple instructions regardless of technical skill. I will make brief mention of projects techies might be interested in, but I won’t focus on talking about them in detail as nerds can do their own reading from the project websites and I want to make this as accessible as possible.
The goal of this is to help anyone with any type of setup improve their privacy and security in some type of way. Those who are properly dedicated can even set up a super secure locked down smartphone without much skill required, but money may need to be spent for compatible hardware. A sufficiently powerful laptop or desktop can also run an ultra secure OS. I will focus primarily on things that should work on any modern device, then discuss the more specialised stuff further down for those who are interested.
Privacy vs. security
First thing’s first. I want to explain the difference between privacy and security. These are often used interchangeably but they’re in reality very different.
Security means a system is safe from external threats. If I set up a computer in such a way that hacking into it is very difficult, it is a secure system. But a secure system is not necessarily private. For example: Windows 10 has many good anti-exploit features, built in antivirus and firewall, and automatic security updates. However it also has a built in keylogger, it sends info on what software you use, what websites you visit, who you talk to, what your voice sounds like (if you use Cortana), and even your location back to Microsoft by default. It is also closed source, making it impossible to independently verify what the code is doing. This makes it very bad for privacy even though it has decent security.
Privacy means that no one is snooping on what you’re doing. A private system is not necessarily a secure one. For example, custom Android ROMs such as Lineage OS (Cyanogen) do not contain Google Play Services by default and therefore nothing in the OS is tracking you. However, in order to install it, you must unlock your bootloader, inherently making your device less secure. Most phones on custom ROMs are also rooted, which is again inherently insecure as it bypasses the Android permission system. So you can have a setup that’s good for privacy, but makes compromises in security.
Ideally what you want is both. But as the above examples demonstrate, this is more difficult than you might assume.
There are ways to improve your privacy if you insist on using Windows, but you will have a hard time gaining full privacy on Windows 10 by design. Downgrading to older versions of Windows is very bad for security as they’re no longer patched (and most new computers don’t have Windows 7 drivers anymore). So if you want a private and secure OS you need to really look at alternatives in the Linux world.
I’ll get onto that later. What I’ll start with first is how to improve security and privacy in small ways no matter what your setup is.
Home network security and privacy enhancements
Your DNS server
A DNS server is the service that turns websites into IP addresses. For example if you enter “pornhub.com” into your browser, the DNS server will be sent that URL and return the IP address. The IP address is what your computer actually uses to find the website. This happens in the background so you don’t see it. By default you probably use your ISP’s DNS server. ISP DNS is often not the best and doesn’t take advantage of latest technology (think of it like ISP email accounts) and in some cases, especially in more oppressive countries, ISPs even use their DNS for censorship.
The easiest changes to make are to your home network. By simply going into your router settings you can change the DNS server for pretty much all devices on your WiFi. For the most low effort approach possible, you can use an existing service such as AdGuard DNS.
This will do two things: take the responsibility of handling DNS queries away from your ISP, and block requests to ad and tracking servers. This makes it a decent privacy and security enhancement as ad networks track your online activity and most in the wild exploits abuse ads. This will also provide ad blocking for all devices on your network!
The process is very simple. The exact location of menus will depend on your router, but any router should allow you to manually enter DNS servers. If in doubt just look up the name of your router + how to change DNS.
If your router allows for DNS-over-TLS, which may be called “secure DNS” or something similar in the menus, you should enable that and enter “dns.adguard.com” as your DNS server. This performs the same function as entering the IP addresses manually except it means your DNS requests are encrypted for some extra security (it makes MITM attacks more difficult which is good for security, but doesn’t necessarily provide privacy as TLS leaks the target domain name).
If the option for DNS-over-TLS isn’t there, and you just have the classic DNS menu where you’re asked to enter two IP addresses, then put in 176.103.130.130 and 176.103.130.131 then save your changes.
Now any device on the network set to use the DHCP allocated DNS servers will automatically update to those. Most devices are set like this by default so you shouldn’t have to change anything else. Those devices will get your DNS from your router automatically.
Some devices have hardcoded DNS servers for example the Google Chromecast always uses Google’s DNS servers (8.8.8.8 and 8.8.4.4). Not much to be done there. But this won’t be the case for your phone, tablet, laptop etc.
If you have an Android phone, I recommend using the “private DNS” option to set AdGuard DNS on that as well. The benefit of this, aside from using DNS-over-TLS, is the DNS server entered there will work on WiFi and mobile data. So even if you’re on the mobile network, the DNS server will be the one you enter, not your network one. This means you get encrypted DNS and ad blocking.
Yes this is a method of ad blocking without having to install any apps! It will block all ads in all apps across your whole Android phone without rooting or even installing anything.
Just go to settings > network settings > private DNS > select “custom” > enter “dns.adguard.com” > save.
Done!
Unfortunately it’s not possible to set the DNS server for your mobile network on an iPhone without using a VPN. I’ll get to VPNs later.
DNS the nerdy way
If you feel like getting your hands dirty you can do what I’ve done and set up your own local recursive DNS server using a Raspberry Pi. To do this you simply install Unbound and Pi Hole on a lightweight Linux server - a regular Pi 3 running the command line version of Raspbian does the job perfectly - give a fixed local IP, then set that IP as your DNS server. This means all DNS queries from within your LAN go through your own local DNS server, not a remote server, and you can customise the block lists - for example if you hate Facebook you can block all Facebook domains from working in your LAN.
If you are comfortable with Linux and the terminal it will be very easy and shouldn’t take more than an hour max to get set up as you like it. There is a full tutorial here:
Please note this covers your LAN only. If you want something that works remotely, outside the local network, use the AdGuard DNS. If you want a DIY solution you could also set up your own VPN using a cheap VPS and run Pi Hole on that. But since you are trusting a third party server either way, I recommend the simple AdGuard option unless you really want customisation or simply enjoy having a project. Keep in mind that any public cloud provider is pretty much certain to be backdoored by the usual suspects (see: PRISM).
Do NOT open a DNS server you create yourself directly to the internet as open resolvers set up on random networks are used for DNS amplification attacks, a form of DDoSing.
Other router settings
There are other router settings that are worth changing to provide extra network security. Often these are “convenience” features but many are outdated as new standards no longer require them, so disabling them should not affect anything negatively. If it does, you can always change settings back.
Can’t really give exact instructions here as it once again differs by router model, but again Google (or DuckDuckGo) is your friend.
Disable UPnP.
Disable port forwarding unless you absolutely need it and know what you’re doing.
Ensure the firewall is on and set to block all incoming connections.
Run a test to ensure all ports are closed:
GRC | ShieldsUP! — Internet Vulnerability Profiling
GRC Internet Security Detection System
The router itself
Some ISP routers keep certain ports open as a backdoor for customer support to remote in. Like any backdoor, this can also be used by black hats (the people you think of as "hackers") looking to exploit your network. All ports should be closed. If the test above finds open ports even though your firewall is set to block all incoming connections, I am guessing it’s an ISP router, and you should get rid of it.
ISP routers may also remove settings such as those allowing you to toggle UPnP or change your DNS. Sometimes this can be fixed by flashing new firmware, but this carries a risk of bricking the device and it’s easier to just buy another router.
It is also rare for ISPs to provide frequent and timely updates to routers, and running outdated software on a router is high risk as the router is at the edge of your network and protects the devices within your LAN. If your router is exploitable, every device in your network is vulnerable. If your router hasn’t been updated for a long time (you should be able to check the firmware build date in the settings) you should replace it. Router malware is a growing real world problem.
Finally, ISP routers are often just plain old shit. That’s why they can give them away for “free” when you sign up. They’re unreliable and often a proper router will provide a much better experience.
Personally I use an Asus router running the Merlin custom firmware, these have treated me well over the years. You can also get routers with preinstalled custom firmware that blocks ads or provides VPN access. For example AdGuard and Private Internet Access both sell routers integrated with their respective services. But for most people stock firmware is likely fine and certainly much less hassle as long as it doesn’t come from an ISP.
You may need to keep your ISP router to use as a simple modem. In most cases you should be able to change a setting to put the ISP router into modem mode. Then all it does is provide internet access to your own router, and the router is what manages and secures your actual network. You can also buy a router with a built in modem or buy a standalone modem. Just make sure it’s compatible with your connection (e.g. for fibre optic broadband you need either a VDSL or VDSL2 modem depending on your service). Your ISP might give you a preconfigured standalone modem if you ask but most want you using their shitty routers so have little incentive to do this. You can however often find ISP modems on eBay cheaply. My setup is an ISP modem plugged into an Asus router.
Improving privacy on a Windows system
Use Brave Browser instead of Chrome, Edge, Firefox, etc.
Set DuckDuckGo as your default search engine.
Disable Cortana.
Under settings > privacy > diagnostics and feedback, set it to “basic” instead of “full.” This cannot be disabled properly unless you use Windows 10 Enterprise so it’s just limiting the info being beamed out.
Go through the privacy settings and disable anything you’re uncomfortable with.
If you don’t use the webcam, put tape over it. No, seriously.
Be careful what antivirus software you trust. Big names have been caught collecting user data and selling it to advertisers, with the only mention of this hidden in the small print. Poor antivirus software can also make it easier to hack your computer. My personal recommendation would be MalwareBytes, but the built in Windows Defender is really good enough in most cases. Avoid Kaspersky as it’s been linked to breaches. Avoid AVG and Avast as they’re known to collect data. Avoid McAfee because it’s just bad.
An enlightening quote:
The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.
“Antivirus is the ultimate back door,” explained Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security, as quoted by The New York Times. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets (Published 2017)
Exploiting the popular Kaspersky antivirus software, Russian hackers searched millions of computers for American intelligence keywords. Israeli intelligence tipped off American officials.
About zero day exploits
I’m going to talk about something called “zero days” getting into security. A zero day exploit is simply an exploit, in the latest version of some software, that is known only to the hacker(s) who found it and vitally is not known to the software vendor responsible for patching it.
So if you were a hacker who found an exploit in the latest version of iOS that no one including Apple else knew about, that exploit is a zero day. It’s called a zero day after how many days have passed since a patch was released.
A zero day exploit is high value as it allows any device running the target software to be attacked even if it’s fully updated. Just how high value? Read on and find out.
Smartphone security
As far as security goes, the best thing you can do is keep your OS up to date. If you have an old phone that no longer gets OS updates, replace it. If you have an Android phone you can go to settings > about phone > software information to check the security patch level. If this says something like Jan 2018, your device is hella exploitable and you really need a new one.
You could install a custom ROM which would display a higher patch level, but a custom ROM cannot really do anything for a device no longer supported by the OEM since the firmware won’t be getting updates anymore. Patching OS level exploits without the required firmware patches gives you pretty much nothing but a false sense of security. And most custom ROMs reduce your security anyway - the moment you unlock your bootloader your security is decreased, the moment you root your phone your security is pretty much out the window.
If you have an iPhone, you’re in luck on this front as Apple will provide security patches for 5 years to all iPhones. And if your phone is over 5 years old you probably want a new one anyway.
Assuming you have the latest version of iOS or Android, and you continue to get updates, you have solid security. The current market value for a zero day exploit chain allowing remote code execution, privilege escalation, and persistence is $2,000,000 for an iPhone and $2,500,000 for Android 10.
No, really.
ZERODIUM - How to Sell Your 0day Exploit to ZERODIUM
ZERODIUM is the leading exploit acquisition platform for premium zero-days and advanced cybersecurity research. Our program allows security researchers to sell their 0day (zero-day) exploits for the highest rewards.

So yes, if you happen to be any good at this hacking malarky, and you don’t have much of a moral compass, you could make a cool two mil from a single exploit chain. Specific clients are not disclosed by exploit brokers but selling zero days to the “grey market” usually means they will find themselves in the hands of nation state attackers. This could be the US, UK, the UAE, Saudi Arabia, China, Russia, North Korea… whoever is the highest bidder. Reuters did a great article on the UAE’s recent hacking operations, but note that pretty much every country does the same thing and the NSA’s are definitely 10x worse (see: Equation Group).
The reason these exploits are worth so much and used almost exclusively by nation state attackers is because they’re very difficult to find and in high demand. When a high value zero day is found, it is likely to be used only in targeted attacks, else it will become “burned” very quickly - meaning the attacks will be noticed if performed openly on random devices and the software vendor will patch the exploit, making it worthless except on outdated software.
A device running outdated software does not require a zero day for a successful attack. There are always public exploits known for old software, and using those to attack unpatched devices is very easy.
This should really hammer in just how important updates are. Software updates can make the difference between a device that can only be hacked by a nation state attacker with a few mil to burn, and a device that can be hacked by any bored nerd with Kali running on their laptop.
If you happen to own a Samsung, then Knox also provides additional security on top of what is already provided by Android, but this is not a substitute for security patches. Luckily Samsung is one of the better OEMs for providing patches.
Privacy on the other hand is a lot more complex.
Why iPhones and Androids are both shit for privacy
Both Android and iOS have some solid security (assuming you still get patches) but have big problems with privacy. Yes even Apple.
The reason Android is “free” is the same reason anything Google makes is “free” - you pay with your data. Google services track every app you install and how often you use it, they track your location, they collect your contacts and scan the contents of your emails (if you use Gmail), and if you enable Google Assistant they learn literally everything about you. Ever had a pop up on your phone related to a shop you walked past, or telling you there’s traffic on your normal route to work? This is how they do that, by collecting everything. Google will have a log of your location at all times if you’ve opted in to full Assistant functionality.
Many popular Android phones, e.g. Samsungs, come preinstalled with Facebook system apps too. This effectively means Facebook has root access to your device. I’ll tell you how to remove those without rooting in a minute by simply using the adb shell.
“But Apple doesn’t make money from collecting data!” I hear you say. Perhaps not, but they do enable iCloud backups by default, meaning unless you manually go into your phone settings and turn it all off, iPhones (and iPads) upload everything on your device to “the cloud.” This is done in such a way that Apple can read the data and they provide it to authorities when asked, including in oppressive regimes such as China. They did plan to introduce encrypted iCloud backups that would have been impossible for Apple to read, but they cancelled this plan because the FBI told them to stop it. iCloud data is stored on Google and AWS servers (NSA has these pwned) and they use GCBD servers in China (hello CCP). You may also be interested to know that despite their claims to the contrary, Apple has the ability to read iMessages of any user. Additionally, there are hidden data collection mechanisms within iOS and increasingly in macOS - this article goes into loads of detail about these.
Like Windows, iOS is closed source, so you have to blindly trust Apple when they say they protect your privacy. Likewise with Google, although the base Android OS is open source, an increasing number of functions now require proprietary Google software, and any off-the-shelf Android device will contain Google services that track everything ya do.
How to improve your smartphone privacy
There are some things you can do to minimise the data leakage. Ad blockers are once again a good suggestion. Follow the DNS instructions for Android. For iOS, there are many free ad blockers available in the App Store. These only work in Safari but they’re very good. There are simple ones like BlockBear and more customisable ones like AdGuard. You can choose what is best for you.
Disable location services when you are not using them. Be very careful which apps you give location access to. When you do grant location access to an app, when possible allow it only when the app is open, not in the background. These tips apply to both Android and iOS.
Disable any cloud backup services such as iCloud backups.
Only install apps you use. If you don’t use apps anymore, uninstall them. This is good general system maintenance but it also makes sure nothing is tracking you even though you aren’t using it, and it reduces your attack surface for potential exploits.
Consider installing Brave as your browser. It has ad blocking, tracker blocking, and HTTPS Everywhere built in. It’s able to block specific page elements which DNS level ad blocks cannot.
Set DuckDuckGo as your default search engine. On an iPhone you can do this in Safari settings. On Android you can install the DuckDuckGo app. If you use a third party browser such as Brave, you will have an option in the settings to change your default search engine there.
Android: removing Facebook system apps
If your phone came with Facebook preinstalled it will have likely also come with other system level apps that do things like update Facebook outside of the Play Store (for what reason, I don’t know) and could do in theory whatever they want because system apps have a lot of extra privileges in Android. When Facebook is preinstalled as a system app it has root access to your device, effectively giving it the freedom to own your system.
Luckily removing it is easy and does not require root. You just need to install adb on your computer first. The instructions for this differ depending on your OS.
Installing adb on Windows
Get the Android platform-tools from Google.

SDK Platform Tools release notes | Android Developers
Android SDK Platform-Tools is a component for the Android SDK.

Now extract the zip somewhere you’ll remember and follow this guide:

How to Edit Your System PATH for Easy Command Line Access in Windows
Have you ever wondered why you can just type ipconfig into a command prompt and it works, but when you want to use a command line program you downloaded you have to navigate to its directory first? Here’s how to fix that using the Windows System PATH.

On Windows 10 this process is actually pretty simple, but if you’re feeling lazy you can just run from the path. For example if it’s in your downloads folder then in cmd you would run something like:
C:\Users\Wilson\Downloads\platform-tools\adb.exe
If this gives you version info and a list of commands it works and you can just use this lazy method.
Installing adb on Mac OS
Get the Mac platform-tools from the Google link above.
Extract them somewhere you’ll remember and follow this guide:
How to Add to the Shell Path in macOS Big Sur or Catalina using Terminal
What is the shell path in macOS Big Sur or Catalina and how to add extra location paths to it using a .zshrc config file

If that looks a bit daunting to you (it is a bit of a complex process just to make a command work) you can instead just run from the path platform-tools is in. For example if it’s on your Downloads folder you can run something like:
~/Downloads/platform-tools/adb
Which should bring up some version info and a list of commands. If so, it works and you can just use this instead of adding to the system path.
Installing adb on Linux
A good old
sudo apt install android-sdk-platform-tools
in the terminal should do the trick. I say should because most distros have outdated platform-tools binaries in their repos, but as we’re running such simple commands this shouldn’t matter.
If you do get any problems, uninstall the distro’s build with
sudo apt remove android-sdk-platform-tools
and download the latest Linux binaries direct from Google above. As with Mac OS you can add these to your system path or just run them from the directory. The process is much the same as both are UNIX systems. A Linux specific guide is here if you want to add to your path.
The easy bit: running the commands on your phone
You’ve done the difficult bit now, the rest is easy.
First bring up a terminal on your computer and have it ready. On Windows open the start menu and type “cmd” then hit the Command Prompt app. On Mac or Linux, open Terminal. Make sure adb runs as described above.
On your phone go to settings > about > software information and tap on the build number 7 times. It should confirm “You are now a developer!” On Samsung phones you can go back to the main settings menu and developer options is now right at the bottom. The exact location of the menu may differ by device but it’ll be in settings. If you can’t find it just search “developer options + your device make”.
Once in the developer options scroll to USB debugging and turn it on.
Plug your phone into your computer. The phone should ask if you trust the computer for USB debugging. Hit allow.
Now type in these commands:
adb shell
pm uninstall --user 0 com.facebook.services
pm uninstall --user 0 com.facebook.katana
pm uninstall --user 0 com.facebook.system
pm uninstall --user 0 com.facebook.appmanager
To make sure you got everything, you can also enter:
pm list packages | grep facebook
If anything else comes up, you can remove it the same way. For example if a package called com.facebook.skynet comes up, you can enter:
pm uninstall --user 0 com.facebook.skynet
Note that if you didn’t add platform-tools to your system path, you will need to run the adb command by manually entering (or copy/pasting) the path to the executable. For example in Windows:
C:\Users\Wilson\Downloads\platform-tools\adb.exe shell
Once you’re actually in the shell you can just run the rest of the commands as usual, because the shell runs within adb which is now running in the terminal, so you don’t need to tell the computer where it is again.
Once this is all done, simply type exit and unplug your phone. Now on your phone, disable USB debugging in developer options. You can turn off developer options itself if you wish.
The apps should be gone now. Reboot your phone to be certain.
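The same removal as a dry-run-first script, added here as an example and not part of the original post. The function names and the ADB variable are this example's own; set ADB to the full path of the adb executable if platform-tools is not on your system path.

```shell
#!/bin/sh
# Added example: list preinstalled packages by name prefix and remove them
# for user 0 only, showing what would be removed before touching anything.
# Assumption: USB debugging is enabled and this computer has been authorised.
ADB="${ADB:-adb}"

# Print the names of installed packages that START with the given prefix.
# `pm list packages` prints lines such as "package:com.facebook.katana".
# Matching on the prefix is stricter than `grep facebook`, which would also
# hit any unrelated package that merely contains the word.
list_matching() {
    prefix="$1"
    "$ADB" shell pm list packages | tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            package:"$prefix"*) printf '%s\n' "${line#package:}" ;;
        esac
    done
}

# Read package names on stdin. In "dry-run" mode only print the command that
# would be run; in "apply" mode run it and print the result for each package.
remove_for_user0() {
    mode="$1"
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if [ "$mode" = "apply" ]; then
            # </dev/null stops adb from swallowing the rest of the package
            # list that this loop is still reading from stdin.
            result=$("$ADB" shell pm uninstall --user 0 "$pkg" </dev/null | tr -d '\r')
            printf '%s: %s\n' "$pkg" "$result"
        else
            printf 'would run: pm uninstall --user 0 %s\n' "$pkg"
        fi
    done
}

main() {
    prefix="${1:-com.facebook.}"
    mode="${2:-dry-run}"
    list_matching "$prefix" | remove_for_user0 "$mode"
}

# Does nothing unless arguments are given, for example:
#   sh remove_pkgs.sh com.facebook. dry-run
#   sh remove_pkgs.sh com.facebook. apply
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the commands use --user 0, the packages are removed for the main user only; the copy in the system image stays and comes back after a factory reset.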
How to talk to people securely
Regular phone calls and SMS are insecure. Period. They use 90’s encryption that hasn’t been improved upon since. Anyone can crack it with cheap antenna equipment. Police are known to use “stingray” devices to passively hoover up text and call data and track the location of phones. This is done by imitating a phone mast. It’s very easy because, again, this is 90’s tech with shit security. Additionally, your network likely keeps a log of all your calls and texts for at least a year.
Not much can be done about the above as GSM is inherently insecure and the MITM attack performed by the stingray can be replicated by anyone with a bit of simple transmission equipment. The only thing to do is treat the network as potentially hostile and ensure you are not relying on GSM for encryption. Your communications should be encrypted before they leave your device. Which brings me nicely onto…
Install Signal. Tell all your friends to install Signal. It’s the most secure messenger in existence. It allows for E2E encrypted text, voice, and video chats. Texts can be set to automatically delete themselves on both devices after a timer has been set. The NSA really really don’t like it when people use Signal because they cannot crack the encryption. Edward Snowden uses it.
Do not trust WhatsApp. Its long history of severe exploits aside, it’s closed source and owned by Facebook. The cloud backups also undermine the encryption. I wrote a thread detailing why WhatsApp cannot be trusted here:
Tech - WhatsApp and (lack of) security

It should go without saying that Facebook Messenger shouldn’t be trusted either.
iMessage’s design allows Apple to read your messages whenever they want (see link above under “why iPhones and Androids are both shit for privacy”). The fundamental issue with iMessage is that Apple controls the keys used to encrypt your messages and can change them whenever they want without you noticing. This also allows them to add a secret participant to the conversation, unknown to you, who could be anyone e.g. FBI agent. It’s also closed source. It’s better than using something owned by Facebook but well that’s not saying much is it?
Telegram has a lot of flashy bells and whistles but by default all chats are stored in the cloud so you are just trusting Telegram to secure them and not share them. It’s unlikely they’re selling your data, but security breaches happen all the time. Signal on the other hand is designed so the servers literally cannot even read your messages, let alone store them, as they don’t have the keys. Telegram does have E2E “secret chats” but the cryptography is questionable and the secret chat function doesn’t allow for group chats.
Signal is the one. Use it. Make everyone you talk to use it. Your privacy will be increased significantly.
A note on VPNs
A VPN will hide your browsing activity from anyone logging your internet use, including your ISP and lower level parts of the government, but you have to trust the VPN service you use. It is very easy for someone running a VPN server to log all traffic from all users. Most will advertise a zero log policy, so you simply have to trust them to keep to their word. Some have been caught lying about this.
The country a VPN runs from is also important. You should avoid ones run from a member of the Five Eyes. This includes the related agreements expanding to the Six Eyes, Nine Eyes, and Fourteen Eyes. These countries perform mass surveillance and share intelligence with each other. Members of the Five Eyes can use XKeyscore, the NSA’s PRISM search tool.
You might think this type of concern is being too paranoid, but consider that countries such as the US, UK, Germany, Australia, Russia, and many more have laws in place that allow law enforcement to compel companies to backdoor their services, and this will also come with a gag order. In the US these are known as national security letters (NSLs) and are handed out by the FBI. Australia’s law takes it a step further and allows the government to compel individuals to backdoor the company they work for. So the country your VPN is based in is very important.
Pretty much every big US company has been served with an NSL so use of these by the FBI appears commonplace. A warrant or other oversight from a judge is not necessary to grant one. Remember unless an NSL has later been declassified, a company cannot tell you if they’ve been served with one.

FBI uses "national security letters" all the time — but what are they?
Here's everything you need to know about the secretive FBI's investigative powers.

Big companies often have the resources to fight such things, but VPN providers are small businesses without the resources of Apple or Microsoft. Such companies have to choose between accepting the NSL or shutting down the whole business. The Lavabit case is a good example of how this whole Kafkaesque process works.

Secrets, lies and Snowden's email: why I was forced to shut down Lavabit
Ladar Levison: For the first time, the founder of an encrypted email startup reveals how the FBI and the US legal system made sure we don't have the right to much privacy in the first place
In that Lavabit case, the NSL would have given the FBI access to the emails of every single user had it been followed through. It's hard to speculate on other cases, but keep in mind this shows NSLs are not limited to selective surveillance.
ProtonVPN is good. It’s run by trustworthy people (CERN scientists) from a trustworthy country (Switzerland) which is not a member of any intelligence sharing arrangement and has pretty strong privacy protections in law.
You can set up your own OpenVPN server on a VPS if you have some basic Linux skills, but the question comes back to how much can you trust your web host with your data? Pretty much all big web hosts can be assumed to have backdoors. It’s hard to say with smaller fish, but small web hosts are small businesses so again, even if they have idealistic leaders, they’re unlikely to be able to fight the FBI if they do come knocking.
How to make the most secure smartphone possible
This is a bit more hands-on but it’s something that only requires following a simple tutorial and typing a few commands into a terminal. You will however need to buy a Pixel 3 or 3a. If those two prerequisites are not an issue, read on.
The US Secret Service provides modified Android-based smartphones with a specially created locked down OS. The president uses such a phone for state business. This is probably not private, since we can guess the state security services keep logs of what the president does on his phone, but it’s likely very secure.
This isn’t an option for us (and even if it was, would you trust an OS made by the US government?) but we do have a locked down Android fork for the masses.
GrapheneOS is an open source project dedicated to creating a hardened version of Android. It is focused on privacy and security, with a particular emphasis on enhanced security and exploit mitigation. It has a hardened kernel, hardened memory allocation, hardened browser engine, extra SELinux policies, more sandboxing, a modified permissions system, and a lot more.
Basically they’ve added a lot of extra security to the OS as well as taking the existing security measures and improving them. There is also no Google services and no other trackers inside the OS. It doesn’t watch you, it has no built in cloud services, and it protects you heavily from intrusions. It’s excellent for both privacy and security.
The primary goal is exploit mitigation, which means that even if a known exploit or a zero day exists to attack Android, it should be much more difficult to use such an exploit on GrapheneOS compared to normal Android. This means even nation state attackers who buy and stockpile zero days would have a harder time hacking into your phone. The NSA probably won’t target your phone, but you can rest assured that if even they’d have a hard time getting in, so would an average hacker.
It is probably the most secure mobile OS the public can get. Edward Snowden has said that: “If I were configuring a smartphone today, I'd use Daniel Micay's GrapheneOS as the base operating system.” A very strong endorsement for a project focused solely on privacy and security.
The usual concerns about custom ROMs do not apply here as, unlike an average custom ROM, GrapheneOS uses the same install process as official Android builds and doesn’t require a custom recovery or an unlocked bootloader after the initial installation is complete. In fact they tell you to lock it again once you install the OS and the install process includes installing their key to ensure the phone only installs future updates that are cryptographically signed. There is also protection against attempted downgrades and OS integrity verification - in other words the bootloader checks no one has tampered with the OS whenever you turn the phone on.
How to install it
Since it has strict requirements for the hardware it supports, requiring that it have various security features, GrapheneOS currently supports only the Pixel 3 (XL) and Pixel 3a (XL). It does also sort of support the Pixel 2 but only as a legacy device and support will be dropped soon as it lacks important hardware security features. So you should use a Pixel 3 or 3a. The cheapest option is the 3a which costs around $300 brand new. eBay prices are even less. Get a factory unlocked one, not a carrier one.
Back up anything from the phone you want to keep then follow their instructions.

GrapheneOS CLI install guide
Installation instructions for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.
You can adapt the adb instructions above to the fastboot ones required for this. Both are included in platform-tools.
How to set it up
When you first boot it up you’ll probably realise it’s very sparse. It only comes with a basic set of mostly barebones AOSP apps. The project says this is so they can keep their focus on the core security of the OS and let users install the apps they want. Which is fair enough, but it does seem like F-Droid should be on there by default.
So you can install F-Droid from here. After doing this, it’s a good idea to go into the browser app settings and disable the permission to install unknown apps, which you had to enable previously to get F-Droid. You will have to also grant this permission to F-Droid itself, but it needs it, so you can keep it on.
It is best practice to install apps from F-Droid whenever possible as they’re open source and don’t contain ads and trackers that most apps are full of. But you probably will want apps from the Play Store too. So in F-Droid search for Aurora Store and install that. Select anonymous login when it asks. Now you can install apps from the Play Store without actually having the Play Store, using a Google account, or having any Google services running. Check back to both F-Droid and Aurora for updates and make sure you keep all your apps up to date.
One especially useful user facing feature in GrapheneOS is the “network” permission. If you turn this off for any given app, it will be unable to access the internet. So if you have a free game that keeps throwing ads at you and bugs you for your location, you can deny it network access and it won’t have an internet connection. Any app that doesn’t actually need internet access should have this permission disabled.
If you run this OS and communicate via Signal, you have what is probably the most private and secure smartphone setup on the consumer market.
How to improve your laptop’s privacy and security
Replacing Windows with a user friendly Linux distro such as Ubuntu or Elementary is the easiest way to secure your laptop and make it more private. I’ve installed those two Linux distros on computers of people I know are not technical and they had no trouble adapting - in fact they have fewer problems with their computers than they did with Windows.
Moving away from Windows is the biggest step you can take towards increasing privacy on your computer. Linux is the only viable alternative and it is far superior for privacy. Security is also very solid assuming you’re sensible about what you install and you keep everything up to date.
There are two ways you can go here. The first is to install a regular user friendly distro like Ubuntu or Elementary. These are easy to use, lightweight, and reasonably secure. They will work on almost any computer.
The second is to install a specialist secure distro such as Qubes. This uses fancy witchcraft (aka the Xen hypervisor) to separate your system into different VMs. Because it’s based on VMs it can even integrate with Windows, so you can use Windows software inside Qubes without WINE, as well as Linux software across multiple Linux distros.
It will lock you down tighter than Fort Knox, but it is less user friendly and requires some knowledge to use it to its full potential. It also has stricter hardware requirements, since running multiple VMs requires a powerful computer. Some security features also require specific hardware support.
As with GrapheneOS, Qubes is endorsed by Edward Snowden: “If you're serious about security, QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better. It's not bulletproof -- nothing is -- but it's as close as you can get right now.”
If you are already familiar with Linux and have a powerful enough machine I direct you to check out Qubes.
However since I’m targeting this at normies I will focus on the mainstream Linux distros. They provide plenty of privacy and security enhancements over Windows making it worthwhile doing for the average user.
Ubuntu is the most popular, while others are usually based on Ubuntu. Ubuntu is a fine choice if you want a basic user friendly Linux system. When installing, I recommend using the light install option rather than the full one. This is simply because less software you don’t need means a smaller attack surface.
Download Ubuntu Desktop | Download | Ubuntu
Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.

Elementary is also very lightweight while also having a real nice interface. Perfect for the average user. Based on Ubuntu but with its own set of packages. This also means any software made for Ubuntu will run perfectly on Elementary. Even my gran can happily use this OS.

The fast, open, and privacy-respecting replacement for Windows and macOS ⋅ elementary OS

Note that despite how the page is set up, you don’t have to pay for it. Just enter 0 into the custom box.
Mint is easy to use and looks a lot like Windows, but it comes with a lot of packages you probably don’t need, including poorly secured stuff like Flash, and as of right now has no “light” install option. You could manually remove unwanted packages, but the whole point is to make this easy and accessible. So I recommend one of the other two.
The actual installation process is easy. You can create a bootable USB by downloading the ISO and burning it using a Windows tool called Rufus. Back up anything you want to keep from your computer, boot from the USB stick, and you will be booted into a live session. You can try out the OS to make sure it works properly on your computer before installing. When you’re ready just choose install and follow instructions. Make sure you turn encryption on when prompted.
The ease of enabling full disk encryption on Linux is itself a vital security and privacy upgrade. To encrypt your disk on Windows you either need to pay for Windows 10 Pro and set up BitLocker which is closed source and backdoored, or use third party software such as VeraCrypt which is an excellent open source project, but requires a third party bootloader and is not officially supported by Microsoft, meaning it isn’t guaranteed to work and future OS updates could break it. And it still won’t help with the other privacy issues of Windows.
If you want to keep your current Windows setup as well as your Linux install, you can partition the drive during installation for a dual boot system. This means when your computer turns on it asks if you want to use Linux or Windows. Your drive will be split between the two OSs. You will need to decide how to split the drive - for example do you want to make it 50/50 or give one OS more space? Changing this later can be tricky so consider it beforehand.
If you do partition your drive, still back everything up just in case something goes wrong. It usually doesn’t, but if it does you’ll kick yourself for not having a backup.
Once Linux is installed, usually Firefox is the default browser. It’s best to install Chromium or a Chromium based browser such as Brave instead. Chromium is a more secure engine than Firefox (way better sandboxing), has more compatibility with various websites, and projects like Brave build extra privacy protection on top. Avoid Google Chrome as it contains proprietary Google code.
To install Chromium:
sudo apt install chromium-browser
Once you open it you can (and should) install uBlock Origin as well.
Set up automatic updates in your distro and reboot it now and then so kernel upgrades can take effect. Enable the firewall and set it to block all incoming connections. Strictly speaking, an out of the box Linux install should be very “quiet” and not open ports unnecessarily anyway, but it’s good to have extra layers of security.
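One way to do the firewall step and to check how “quiet” the machine really is, added here as an example and not part of the original post. It assumes the firewall front end is ufw (the Ubuntu default) and that the ss tool from iproute2 is installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: block incoming connections with ufw, then list any service
# that is listening on an address other machines can reach.

# Assumption: ufw is the firewall front end in use.
enable_firewall() {
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw enable
    sudo ufw status verbose
}

# Read `ss -tulnH` output on stdin and print "protocol address:port" for
# every socket NOT bound to loopback. Column 5 is the local address and port.
# Loopback forms seen in practice: 127.x.x.x, [::1], and anything on %lo
# (for example the systemd-resolved stub on 127.0.0.53%lo).
exposed_listeners() {
    awk '{
        addr = $5
        sub(/:[^:]*$/, "", addr)          # strip the trailing :port
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /%lo$/) next
        print $1, $5
    }'
}

# Audit the live system: TCP and UDP, listening only, numeric, no header.
audit() {
    ss -tulnH | exposed_listeners
}

# Does nothing unless an argument is given:
#   sh quiet_check.sh firewall   # apply the ufw defaults
#   sh quiet_check.sh audit      # show listeners reachable from the network
case "${1:-}" in
    firewall) enable_firewall ;;
    audit)    audit ;;
esac
```

Anything the audit prints is a service listening beyond loopback; if you don’t recognise it, that is software to look up and probably remove.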
You can also increase sandboxing by opening a terminal and entering:
sudo apt install apparmor-profiles apparmor-profiles-extra
Ubuntu based distros come with AppArmor installed already, those two packages just expand the amount of services and apps that it protects. As with anything else it’s no silver bullet but it provides an extra layer of security.
WINE can often run Windows software inside Linux but it’s not perfect. You can also use VirtualBox to just run Windows in a virtual machine. This will run all Windows software fine, but it requires a Windows license (you can get one for $5-10 on Amazon or eBay) and the performance of a VM depends on how powerful your computer is. If you have a recent laptop with an i5, at least 8GB RAM, and an SSD, you will probably have no trouble at all. But an older or low spec machine will struggle to run a VM and in those cases it’s best to use the dual boot option.
How to make the most secure laptop possible
If you really wanna go hard, install Qubes. I won’t write a full guide to that here since their site has good documentation and if you understand the benefit of running it you probably don’t need a tutorial.
Using it to its full potential requires changes in how you use your computer, for example by putting sensitive software and files in their own VMs, so it won’t just magically do everything in the background. Keep this in mind.
And as it is running multiple VMs you do need decently high end hardware. It won’t run on your shitty Pentium.
Some final notes
The practises you choose to follow will depend on your threat model. I’ve mentioned the NSA a few times but it’s important to be aware that trying to outsmart the NSA is unlikely to be successful. You can generally assume they’re tapping your connection at some point down the line.
But what you can do is decrease exposure to the dragnet, so for instance if you use Signal on a locked down OS that isn’t sending out tracking data, there’s no personal info being leaked out of your phone for the NSA to grab in the first place. They could grab your Signal messages, but they’ll just look like a bunch of garbled nonsense as breaking the encryption would require more time than the universe has existed for.
If running your computer for as long as the universe has existed lets you check A keys (A is absurdly huge), and a magical computer that can check A keys per second (this is running a desktop computer for 14 billion years every second) running for as long as the universe has existed would have checked B keys in that time, then if you happen to have a super-duper magical computer that checks B keys per second (keep in mind that this is as fast as a desktop running every second for 14 billion years, per second) and has been running since the Big Bang, you would only be around 68% done with your brute-force.
To put it another way: The Sun will die out in a paltry 5*10^9 years. In that time, the ratio of the progress you've made to the total amount of work you have to do is within a couple orders of magnitude of the ratio of the mass of one hydrogen atom to the mass of the supermassive black hole at the center of the galaxy. However, Wikipedia lists the heat death of the universe as occurring at earliest in 10^100 years, so you will crack it by then.

Calculate time taken to break AES key
Basically the best way to keep your shit private is to limit the amount of info being sent out in the first place. And to ensure any info that is sent out is end-to-end encrypted with modern encryption standards.
Other elements of a threat model are important to work out what you’re trying to defend against and what tools are needed. If you want to protect yourself against hackers, a locked down, up to date OS is the best way to do it. If you just want to limit the amount of tracking across the internet, AdGuard and Brave Browser will do a good job and are far more simple to set up.
It should also go without saying that absolutely nothing is 100% secure. What you can do however is make your systems as secure as possible, so any attackers are likely to get bored and move onto easier targets. And you can definitely avoid the use of software and services that invade your privacy and are known to use poor security practises (e.g. WhatsApp, Zoom).
This topic can also get a lot more complex if you have more technical skill. For example I haven’t talked about creating your own custom build of Linux or Android, which is pretty easy to do these days once you complete the initial setup. You don’t need to be some mega-genius to roll a custom OS build these days, just a standard issue nerd.
For those who are curious, look at RattlesnakeOS for a good toolchain that will automate custom AOSP Android builds. The default chain is designed to run on AWS though, so if you want the security of a local build environment, you can look at one of the forked projects set up to do RattlesnakeOS builds locally. You will need powerful hardware to do this though - and when I say powerful hardware I mean ideally an actual server machine, but if not, at least a recent i7 with 32GB RAM and a very fast SSD. If you have an average laptop you’ll have a very frustrating time trying to build AOSP and it will take days at best. This is why the main project uses AWS. You get cheap compute power, but risk a compromise in security.
For a custom OS on your computer you can set up Arch Linux however you want, with only the packages you need, but I don’t recommend this to anyone who isn’t already familiar with Linux unless they want to become familiar with Linux and like a challenge. In fact if you want to dive head first into Linux on hard mode, fire up a VM or a spare computer and install Arch, you will learn a lot about how Linux works. This does not require powerful hardware at all, you could do it on a 10 year old machine if you wanted.
Installation guide - ArchWiki
These custom solutions are not hardened like Graphene or Qubes but the benefit here comes from having full control over your system, only having the packages you choose, and ultimately a small attack surface. You can also install a hardened Linux kernel for Arch as well as various sandboxing software, so you can configure an Arch install to be hardened if you’re willing to do that work.
Hope this was informative!