Template:U Trusty/Privacy


Jump to: navigation, search



  • An interesting perspective on Internet privacy techniques can be found here.
  • Message encryption does not protect email file attachments. It is important to encrypt files that are meant to be sent as attachments as well. Any file encrypter (used for encrypting files on disk) can be used (such as ccrypt, TrueCrypt, or EncFS), but a different encryption tool / password should be used for attachments than the one used for private encryption of important files on the hard drive.

Text obfuscation

Companies routinely monitor the email and IM of its workers, governments of countries (even those founded by intellectuals and "revolutionaries" like Thomas Jefferson, who advocated strong privacy rights) routinely spy on its own citizenry, and even ISPs monitor unencrypted internet traffic for their own entertainment (I have personally watched this happen). Due to the volume of email and texts over the internet, word recognition algorithms are generally required in order to accomplish meaningful data-mining of text messages.

For purposes that do not require encryption (but for which there is a desire to limit the text data-mining techniques commonly used today), a few methods are available (but not foolproof).

  • One method of text obfuscation is to translate your article into another language (using Google Translate, for example, or Babelfish (now owned by Yahoo and without SSL encryption available), or Bing Translator (owned by Microsoft and without SSL encryption available) -- or even all three in series) and then to translate it back. This introduces random grammar, word choice, and spelling errors that obscures both the writing style of the original author and sometimes the text to the point of poor recognition by text-mining scanners. The more languages into which the message is serially translated, the greater the unrecognizability.
  • Anonymouth is a Java-based project for anonymizing writing styles (in English). Also see here.


FauxCrypt is a small program with an alhroitgm for modifictaion of a planitext documnet (written in English) taht laeves it gneerally raedable by a person but not raedily saercehd or idnexed by macihne. the alhroitgm empyols a dicitnoary subtsituiton of selected wrods, and an obfusctanig trnasposition of lteters in ohter wrods. the obfusctaion is dseigned to laeve the wrods udnertsnadable, aghtuolh tehy are badly slelpde. fauxcrypt is fere, open suorce sfotwaer, with suorce code available. Downloads are available at the website.

  • Download the Linux binary:
wget http://fauxcrypt.org/fauxcrypt
  • To convert a text file to a faux-encrypted text file:
fauxcrypt <input.txt> <output.txt>

Message and file encryption

PGP (Message Encryption)

PGP (OpenPGP and GnuPG) is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it.

Enigmail with Thunderbird

By far the easiest method for encrypting email is using the Enigmail add-on for the Thunderbird email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.


Seahorse is the GUI for Gnome to manage the key pairs and other options of GnuPG. It can also manage your SSH keys. For more info see this tutorial. Run:

Menu -> Applications -> Accessories --> Passwords and Encryption Keys

scrypt (Message Encryption)

scrypt encrypts / decrypts messages with a strong algorithm. Using a 10-character password combining random alphanumeric and special characters, an enormous amount of computing power is required to decode messages by someone that does not have the password. See the website for usage parameters. Install:

sudo apt-get install scrypt

bcrypt (Message Encryption)

bcrypt encrypts / decrypts messages with a strong blowfish algorithm. It is also able to overwrite the original message with a garbage-appearing replacement, further obscuring traces of the original message. See the website for usage instructions. Install:

sudo apt-get install bcrypt

File archival and encryption

Archives with Passwords

EncFS (File and Disk encryption)

EncFS is a free, open-source tool to encrypt files and store them in a secondary directory. See the Wikipedia article. Additional installation steps can be found on Ubuntu Forums. Install:

sudo apt-get install encfs libpam-encfs
  • A Gnome-based front-end named Cryptkeeper is available:
sudo apt-get install cryptkeeper

ccrypt (File and Attachment Encryption)

ccrypt is a command-line utility to encrypt files using the AES encryption algorithm with a password. Install:

sudo apt-get install ccrypt
  • Encrypt a file:
ccrpyt test.odt
which will yield the encrypted file test.odt.cpt after prompting for a password
  • Decrypt a file:
ccrypt -d test.odt.cpt
  • Several available GUIs for ccrypt are listed here.

TrueCrypt (File and Attachment Encryption)

TrueCrypt is a free, open-source application that allows encryption of files using a 256-bit AES encryption algorithm with a password. Download and Linux installation instructions are here.

Disk and Storage Encryption

Passwords and file authentication

Random password generator

  • Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
  • Run pwgen:
  • UUIDgen is a default utility to generate a random UUID (using only hex-digits). Run:

The random UUID can also be used as a 32-digit password, if desired.

Password checker and enforcement

John the Ripper is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:

sudo apt-get install john
  • Passwdqc is a module to enforce password strength. Install:
sudo apt-get install passwdqc


To check the MD5 sum of a file, use this command in the command line:

md5sum filename

Web browsing

Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer (even when you turn off the cookies in your browser). It is highly recommended to configure your web browser to erase your cookies and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:

Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: Use custom settings for history
-> Always use private browsing mode (or customise the settings to your desired level of privacy)
  • In addition, both Adblock Plus and NoScript are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

DNS Servers and Search engines

  • Most users rely on the DNS server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as OpenDNS, Comodo, Google (though slightly less secure due to Google's own tracking mechanisms), another free DNS service, or (for maximum security) a publicly-available international DNS server. For example, a Verizon customer could use the AT&T DNS servers or the OpenDNS servers. An AT&T customer could use one of the Verizon servers or the Comodo servers. It is important to use a reliable DNS provider, however, as man-in-the-middle DNS redirection and DNS cache poisoning attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the CCI) on behalf of the MPAA and RIAA. If using one of these ISPs, take extra efforts to ensure your privacy. (It is also important to note that major ISPs now often censor content using filters such as Cleanfeed. Choose your DNS and search providers carefully.)

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
  • Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. DuckDuckGo.com is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. It can be used with Tor turned on. Another search engine with similar privacy claims is Startpage / Ixquick.
  • Many censorship/filtering/tracking techniques (that use deep packet inspection) cannot be used with secure (SSL/TLS encrypted) websites (denoted by https:// ). Use them whenever possible. For example, use the secure Wikimedia portal for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).
  • Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see this info.
  • It is possible to filter undesirable zones and countries entirely from DNS searches using the GeoDNS patch to the BIND module (see this info on installing a BIND DNS server). See here.
  • ModSecurity is a free web application layer firewall that can be used in conjunction with Apache, IIS, and NGINX servers to enhance request filtering (and other security features). Here are some configuration tips. (Comparable commercial services such as CloudFlare and Incapsula also exist.)

Changing a MAC address

The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and many tracking methods now use the MAC address to record user habits. (See this informative blog post.) To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

  • It is possible to set the MAC address to a random selection in the Network Manager configuration:
Network Manager -> Manage Connections... -> connection -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok
  • Macchanger is a utility to change a MAC address. Install:
sudo apt-get install macchanger

Certificate verification

  • CAcert.org is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not (Canonical was originally founded with funds earned from Thawte, a certifying authority founded by Mark Shuttleworth.)

Tor (Network Privacy)

Tor is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read this.) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)

  • Install Tor by following the instructions here. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the Tor installation guide for details.
  • By default Tor (once it is running) acts as a Socks5 proxy on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.
  • Also see these additional tips.

Vidalia (Tor interface)

Vidalia is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:

sudo apt-get install vidalia

Using Tor with Firefox and Thunderbird

Recent versions of Firefox and Thunderbird allow direct use of Tor as a Socks5 proxy, both for traffic and DNS resolution. See this section for information on configuring this for Firefox and this section for information on configuring this for Thunderbird.

Using Tor with other programs

  • Other programs can also be used with Tor as a proxy. For an overview see these tips.


  • Tails is a free, complete GNOME-based Debian Linux operating system with Tor enabled by default. (Here is a 2014 review.) Iceweasel (the free Debian version of Firefox) and other Internet tools are cryptographically-enhanced, and, for privacy, browsing and other Internet usage traces are minimised. Components (which can be individually installed in (K)Ubuntu) include:
  • LUKS for disk-encryption (sudo apt-get install cryptsetup)
  • Nautilus Wipe for erasing disk traces using the Nautilus file manager (sudo apt-get install nautilus-wipe)
  • KeePassX for password generation and encyrypted password storage (sudo apt-get install keepassx or sudo apt-get install keepass2)
  • HTTPS Everywhere, a Firefox plug-in to ensure the usage of encrypted website portals
  • Off-the-Record_Messaging for Internet Message encryption (for example, sudo apt-get install pidgin-otr with the Pidgin app)
  • other security utilities
Personal tools