
#1 2016-02-09 09:13:25

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

The (paranoid) Bunsenlabs Security Guide

Important: As of now this whole post is to be treated as a stub, that means it's not of any practical value.
As a result of discussion in this thread the decision was made to resurrect the "The paranoid #! Security Guide". While all the credits for the original guide go to sorcerer's_apprentice on the old forums (If you read this: thanks for all the work done!) it isn't directly based on it but instead a rewrite from scratch to avoid some lingering caveats.

The initial goal is to create a simple, easy-to-follow guide for the average Bunsenlabs user to be able to improve his system's security, with the long-term goal of creating an in-depth, as comprehensive as possible list of possibilities to positively influence your system's security and to protect your privacy online. Please bear in mind that this is a constant work-in-progress, and while the intentions of the authors are nothing but the best, always do your own research before applying any of the suggestions in this guide.

A word of warning: This guide includes tools and tips to protect you against data theft by common thieves, helps against data brokers and protects you from invasive ad-networks. If you are worried that you might be targeted by a state-sponsored adversary and have to rely on this guide for protection you are pretty screwed. In that highly unlikely case you should do a lot of reading, the EFF's surveillance self defense guide being an acceptable start. But again, you are pretty much screwed then.

Questions? Suggestions!
The easiest way for you to bring up questions or suggestions would be simply replying to this very thread, that way criticism can be kept centralized. If there's anything you'd want to not discuss publicly - send a private message to the active contributors directly via the board's PM-function.

Contributors

Table of contents

  • Encryption (disk / file)

  • RBAC (grsecurity)

  • Browser security (Mozilla Firefox, Google Chrome / Chromium)

Disk encryption

Many people disregard the idea of encrypting their disks because 'they have nothing to hide anyway'. We'd like to bring up a quote Glenn Greenwald used in a TED talk he gave:

Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

At the same time, there are tons of people that swear by encryption because that's how they protect themselves from law enforcement and other prying eyes. We'd like to dedicate the following xkcd-classic to that group of people:
[image: security.png, FIXME]

Both 'extreme' ends are wrong here. It's not, in most cases, the government being after your personal information (They are the government, chances are they have enough of it anyway!) and it's not encryption that will protect you when law enforcement comes knocking at your door (Not having sold drugs on the other hand is!). The main thing full-disk encryption protects you from is having to worry about your device being stolen. Yes, it still sucks. But at least you don't have to worry about a criminal snooping around in your personal information.

We'll explain three separate ways of encrypting your hard disk or the information on it.

  • Installing Bunsenlabs on a fully encrypted disk

  • Encrypting and automatically mounting a partition

  • Encrypting single files with the help of gnupg and a symmetric cipher

Bunsenlabs, full disk encryption

If you follow the next two dozen steps you'll have a freshly installed Bunsenlabs on a fully encrypted disk. We're assuming that you have burned the appropriate image on a CD, DVD, USB-stick or any other medium you can boot from. Insert it into your computer, boot it and choose "Install" in the boot menu:
bootmenu.th.png

After that you need to choose your language, location, keyboard and locale:
1_language.th.png

2_location.th.png

3_locales.th.png

4_keyboard.th.png

Now comes the part of the installation where your network configuration is done. This heavily depends on your setup, but if you are connected to the device the ISP gave you with a cable this should not require any interaction because DHCP would automatically handle the negotiation of a proper network configuration. For more information take a look at the Debian Handbook. Afterwards, configure your hostname, domainname, username and password.

5_hostname.th.png

6_domainname.th.png

7_username.th.png

8_password.th.png

When that's done, it's time to partition and encrypt your hard disk, utilizing the powers of LVM. Following the pictures will get you to your goal, however it's quite basic and leaves little room for alternative partitioning needs. If you have those, or want more detailed information you should, once again, check the corresponding section in the Debian Handbook.

9_partitionmenu.th.png

10_partitionhddchoice.th.png

11_partition_allhdd.th.png

12_partition_agree.th.png

13_partition_wait.th.png

14_partition_password.th.png

15_partition_password_repeat.th.png

16_partition_final.th.png

17_partition_final_yes.th.png

Afterwards all the necessary packages will be installed; as a last step, you need to install GRUB.

17_grub_install.th.png

After a reboot, you'll see this:

21_password_ask.th.png

Congratulations, you are now the proud 'owner' of an encrypted installation of Bunsenlabs!

grsecurity

Chances are that you probably haven't heard about this set of patches for the Linux kernel. Wikipedia knows a little bit about it:

grsecurity is a set of patches for the Linux kernel which emphasizes security enhancements. It is typically used by computer systems which accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users.

STUB STUB STUB STUB

Browsers

There are tons of browsers out there in the wild, from closed-source examples like Vivaldi to ultra-minimalist command-line browsers like elinks. Trying to cover all these would not just go far beyond the character limit of this post, it would be outright impossible. So we settled for information on the 'big two', Firefox and Chrome / Chromium, because they are most likely to have the biggest userbase.

Important: A lot of guides and tricks talk about modifying the cipher-settings in the file user.js to make cryptographic connections (e.g. TLS) more secure. While this is definitely an understandable approach it's also not unproblematic. We may have finally gotten rid of SSLv3 for most of the websites out there, but there might be people using Bunsenlabs who have to deal with automation systems or legacy Java-applets that need SSLv3. Given that Java-applets are notorious for their absolutely useless error messages this would be very hard to debug. Additionally, lots of governmental sites still suffer from not being able to use anything greater than SSLv3. Same goes for configuring the allowed variants of DH. Generally speaking: Most sane websites will use a secure algorithm, so you shouldn't be bitten by allowing, for example, SSLv3 or slightly weaker DH-parameters. In the few cases where the websites aren't sane, disabling old settings would only cause a lot of problems.

We had to make a decision between potential problems and slight security gain, and the problems are definitely bigger here. If you still want to tweak around yourself, use the following group of configuration switches for Firefox:

  • security.ssl.*

And the following configuration switches for Chrome/Chromium:

General security considerations

There is the urban legend that you'll catch malware while visiting shady sites, Warez or pornography for example. If you just browse Yahoo for news, read some TMZ or buy goods on eBay you don't need to worry about getting infected with malware. To spell it out clearly: This is bullshit and a dangerous myth.

Firefox

The following settings can (and should) be changed in Firefox' configuration manager, reachable by entering "about:config" into the URL-bar and clicking the "I'll be careful, I promise!"-button.

Recommended configuration changes

  • dom.battery.enabled = false - otherwise, sites could potentially read the battery status of your computer

  • dom.event.clipboardevents.enabled = false - otherwise, sites could potentially get a lot of information about what you copy or cut from it, which can even include sensitive information

  • browser.send_pings = false - this disables sending browser-pings

The following two settings should be combined with one of the recommended Add-Ons mentioned below, Self-Destructing Cookies.

  • network.cookie.lifetimePolicy = 2 - so that all cookies will be deleted once you close your browser

  • network.cookie.cookieBehavior = 1 - so that cookies will only be accepted from the site you are visiting, not from third-parties such as ad-networks

The following setting should be combined with one of the recommended Add-Ons mentioned below, Disconnect.

  • privacy.trackingprotection.enabled = true - this enables Firefox' built-in tracking protection

  • geo.enabled = false - this disables geolocation

Complementary configuration changes

Firefox utilizes Google Safebrowsing, a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content. While using it helps security somewhat (it does suffer from a certain rate of false positives / false negatives), there are some, potentially serious, privacy implications.

Google published a whitepaper about Chrome / Security which includes the following statement:

Google Safe Browsing "conducts client-side checks. If a website looks suspicious, it sends a subset of likely phishing and social engineering terms found on the page to Google to obtain additional information available from Google's servers on whether the website should be considered malicious". Logs, "including an IP address and one or more cookies" are kept for two weeks. They are "tied to the other Safe Browsing requests made from the same device."

In addition to that it also stores a mandatory preferences cookie on the computer. If you feel that the risk outweighs the benefit you can disable the use of safebrowsing with the following configuration-switches:

  • browser.safebrowsing.enabled = false

  • browser.safebrowsing.malware.enabled = false

The same thing applies to WebRTC, which is partially supported by Firefox. As with Safe Browsing the concerns are not directly related to security matters (even though there is some concern about the connection-security of WebRTC-calls), but rather privacy related - it's technically possible to unveil the 'real' IP-address behind a VPN-connection utilizing WebRTC, thus endangering your privacy. Since there is no broad market for WebRTC yet it's safe to disable without facing functionality losses. WebRTC-support can be completely disabled by the following configuration switches:

  • media.peerconnection.turn.disable = true

  • media.peerconnection.use_document_iceservers = false

  • media.peerconnection.video.enabled = false

  • media.peerconnection.identity.timeout = 1

Sidenote: There are several extensions out there that claim to avoid these attacks. These weren't tested by the authors; we strongly suggest that you use the aforementioned method to disable WebRTC.

By default, Firefox has support for WebGL enabled, which is something that has been heavily discussed by 'big players' in the industry. Microsoft considers WebGL harmful while Mozilla claims the existing defense mechanisms (such as a strict same-origin policy) are enough to prevent all possible attacks. While the technical possibilities for attacks definitely exist it's unclear how easy executing such an attack would be; additionally there have been no WebGL-related attacks in the wild that are publicly known. But since WebGL is rarely needed either it should be safe to disable.

If you decide that you want to disable WebGL-support just set:

  • webgl.disabled = true

Recommended extensions / Add-Ons

  • Disconnect - social networks, analytics, widgets. All those things slow your browser down and are a potential security threat; Disconnect blocks all those. It also blocks ads, but is fully compatible with traditional ad-blockers, which tend to do a better job.

  • uBlock Origin - ad-blocker with additional support for blocking known malicious domains as well as the possibility to add your own blocklists. Very light on resources in comparison to other ad-blockers.

  • HTTPS Everywhere - if a website supports a secure connection via HTTPS, this plugin will automatically switch to the secure version of a site. It comes with a built-in function called "SSL Observatory" which checks certificates to make sure a user is not vulnerable to Man-in-the-Middle attacks. Since this is potentially harmful for your privacy and not very effective (since the dataset used for these checks is more than half a decade old) this part should be disabled.

  • Self-Destructing Cookies - This gets rid of a site's cookies and LocalStorage as soon as you close its tabs, including the sneakier tracking cookies. If you want a site, such as Bunsenlabs for example, to be allowed to store cookies, so you can stay logged in, it's as simple as a mouse-click.

Complementary extensions / Add-Ons

  1. NoScript - this does exactly what the name says it does, block things like Javascript, Flash, Java and so on from being executed. It works based on a whitelist-approach, with the possibility to temporarily or permanently allow scripts for whole domains, subdomains or even very specific scripts. The security gains by using this are enormous, but it's definitely not for everyone because it takes a lot of fine-tuning and a lot of self-discipline to not just allow everything. We suggest you at least give it a try.

  2. TrackMeNot - If you are regularly using the same search engine you are very likely to end up living in a so-called "Filter Bubble", which limits your scope for researching on topics. By issuing randomized queries to common search-engines, TrackMeNot obfuscates your search profile, thus making it a lot harder for search engines to profile you. The primary target for this is, of course, Google, but it works perfectly well for other search engines, such as Yahoo or even DuckDuckGo.

No-Go-extensions / Add-Ons
The following extensions are often recommended, even by popular media, but are considered absolutely not usable by the authors for the reasons mentioned.

  • Ghostery - Ghostery is very popular, but plays a double-sided game. Ghostery blocks marketing companies from gathering website user information, but it makes money from selling page visit, blocking and advertising statistics to corporations globally, including corporations that are actively engaged in collecting user information to target ads and other marketing messages to consumers.

Chrome / Chromium

Please take the privacy implications into consideration when using Google Chrome in combination with a Google-account.

Recommended extensions / Add-Ons

  • Disconnect - social networks, analytics, widgets. All those things slow your browser down and are a potential security threat; Disconnect blocks all those. It also blocks ads, but is fully compatible with traditional ad-blockers, which tend to do a better job.

  • HTTPS Everywhere - if a website supports a secure connection via HTTPS, this plugin will automatically switch to the secure version of a site. It comes with a built-in function called "SSL Observatory" which checks certificates to make sure a user is not vulnerable to Man-in-the-Middle attacks. Since this is potentially harmful for your privacy and not very effective (since the dataset used for these checks is more than half a decade old) this part should be disabled.

Version history:
(Format: Version number / changes / date of change)

  • 0.00000008 / Table of content, grsec stub / (March 6th, 2016)

  • 0.00000007 / Finalized guide for full disk encryption / (March 1st, 2016)

  • 0.00000006 / Started guide for full disk encryption / (February 17th, 2016)

  • 0.00000005 / Added some context and general information about disk encryption / (February 17th, 2016)

  • 0.00000004 / General rules of thumb and informations for browsers, started section about full disk encryption / (February 15th, 2016)

  • 0.00000003 / WebGL for Firefox, clarification on crypto-decision / (February 10th, 2016)

  • 0.00000002 / Started section about browsers / (February 9th, 2016)

  • 0.00000001 / Created stub / (February 9th, 2016)

Last edited by dot|not (2016-03-06 21:21:25)
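An added check for the full-disk-encryption walkthrough above (this is example code, not part of the guide): after the reboot it confirms that / and swap really ended up inside the LUKS container and that only /boot is left in the clear. It reads the JSON tree from lsblk; the -J flag is assumed to be available (util-linux 2.27 or newer), and the sample tree is constructed to mirror the installer's guided encrypted-LVM layout.

```python
"""Post-install check for the guide's encrypted-LVM install.

Added example, not part of the guide: after the reboot, confirm that / and swap
sit inside the LUKS container and that only /boot is left in the clear (GRUB
must read it before the passphrase prompt). Input is the tree produced by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (-J needs util-linux 2.27 or newer).
"""
import json
import subprocess

# Constructed sample mirroring a guided "encrypted LVM" install on /dev/sda:
# sda1 is the plain /boot partition, sda5 the LUKS container, and the root and
# swap logical volumes live in the volume group inside it.
SAMPLE_LSBLK_JSON = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext2", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": null, "mountpoint": null, "children": [
   {"name": "sda5", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
    {"name": "sda5_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
     {"name": "bunsen--vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
     {"name": "bunsen--vg-swap_1", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]},
 {"name": "sr0", "type": "rom", "fstype": null, "mountpoint": null}]}"""


def sample_tree():
    """Parse the constructed sample above."""
    return json.loads(SAMPLE_LSBLK_JSON)


def live_tree():
    """Query the running system instead of the sample."""
    out = subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    return json.loads(out)


def _walk(devices, ancestors=()):
    """Yield (device, ancestors) for every node of the tree, depth first."""
    for dev in devices:
        yield dev, ancestors
        yield from _walk(dev.get("children", []), ancestors + (dev,))


def encryption_report(tree):
    """Map each mountpoint (lsblk shows active swap as "[SWAP]") to
    (backed_by_dm_crypt, name of the crypt device or None)."""
    report = {}
    for dev, ancestors in _walk(tree["blockdevices"]):
        mountpoint = dev.get("mountpoint")
        if not mountpoint:
            continue
        crypt = [a["name"] for a in ancestors if a.get("type") == "crypt"]
        report[mountpoint] = (bool(crypt), crypt[-1] if crypt else None)
    return report


def unencrypted_mounts(tree, must_be_encrypted=("/", "[SWAP]")):
    """Return the required mountpoints that are NOT under a crypt device;
    an empty list means the install matches the guide's goal."""
    report = encryption_report(tree)
    return [m for m in must_be_encrypted if not report.get(m, (False, None))[0]]


if __name__ == "__main__":
    tree = sample_tree()
    for mount, (enc, dev) in sorted(encryption_report(tree).items()):
        print(f"{mount:8} encrypted={enc} via={dev}")
    print("not encrypted but should be:", unencrypted_mounts(tree))
```

Replace sample_tree() with live_tree() to run it on the freshly installed system; /boot showing up as unencrypted is expected with this layout.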

Offline
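An added audit script for the Firefox section of the guide (example code, not the guide's own): it parses a profile's prefs.js, compares it against the about:config values listed above and renders the user.js lines that are still missing. The prefs.js sample is constructed; the pref names and values are exactly the ones the guide recommends.

```python
"""Audit a Firefox profile's prefs.js against the about:config changes above.

Added example, not part of the guide. Firefox writes only prefs that differ from
the built-in default to prefs.js (as user_pref("name", value); lines), so a pref
that is absent still has its default and the recommended change has NOT been made.
"""
import json
import re

# Settings the guide marks as recommended (name -> value it should have).
RECOMMENDED = {
    "dom.battery.enabled": False,
    "dom.event.clipboardevents.enabled": False,
    "browser.send_pings": False,
    "network.cookie.lifetimePolicy": 2,
    "network.cookie.cookieBehavior": 1,
    "privacy.trackingprotection.enabled": True,
    "geo.enabled": False,
}
# Complementary privacy settings (Safe Browsing, WebRTC, WebGL) from the same section.
COMPLEMENTARY = {
    "browser.safebrowsing.enabled": False, "browser.safebrowsing.malware.enabled": False,
    "media.peerconnection.turn.disable": True, "media.peerconnection.video.enabled": False,
    "media.peerconnection.use_document_iceservers": False,
    "media.peerconnection.identity.timeout": 1, "webgl.disabled": True,
}

# Constructed sample prefs.js: pings and third-party cookies already fixed, cookie
# lifetime still at its default 0, several recommended prefs never touched.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.send_pings", false);
user_pref("browser.startup.homepage", "https://www.bunsenlabs.org/");
user_pref("geo.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 0);
"""

_PREF_LINE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')


def _parse_value(raw):
    """Turn the JS literal of a user_pref line into bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return json.loads(raw)  # pref string literals are JSON-compatible
    return int(raw)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(prefs, wanted):
    """Report ("ok" | "differs" | "unset", current value or None) per wanted pref."""
    return {name: ("unset", None) if name not in prefs
            else ("ok" if prefs[name] == value else "differs", prefs[name])
            for name, value in wanted.items()}


def user_js_fixes(findings, wanted):
    """Render every non-ok pref as a user.js line (user.js is applied at startup
    and overrides prefs.js); json.dumps gives the right JS literal for these types."""
    return [f'user_pref("{n}", {json.dumps(wanted[n])});'
            for n, (status, _) in findings.items() if status != "ok"]
```

Feed parse_prefs() the contents of ~/.mozilla/firefox/<profile>/prefs.js (with Firefox closed, since it rewrites that file on exit) and pass COMPLEMENTARY to audit() in the same way to cover the optional switches.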

#2 2016-02-09 21:08:23

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 192

Re: The (paranoid) Bunsenlabs Security Guide

Glad to see you just go ahead and get things started.

Next comes all the fun additions,  editing, and maintenance.  tongue

PM sent.


“The university is well structured, well tooled, to turn out people with all the sharp edges worn off...." Mario Savio
"Protections for anonymous speech are vital to democratic discourse". Help enforce our right to free and anonymous speech by running a Tor relay.

Offline

#3 2016-03-06 21:22:13

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: The (paranoid) Bunsenlabs Security Guide

This is still alive, and slowly expanding. I've been getting some results with getting Openbox to play nicely with grsec. But since I lack time, this takes a while. Any and all contributions welcome.

Offline

#4 2016-04-18 19:57:09

arti
Member
Registered: 2015-12-02
Posts: 73

Re: The (paranoid) Bunsenlabs Security Guide

So, is all of this information bunk? Because I was considering a reinstall to take these steps. Let me know. Cheers

Offline

#5 2016-04-19 06:07:56

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: The (paranoid) Bunsenlabs Security Guide

arti wrote:

So, is all of this information bunk? Because I was considering a reinstall to take these steps. Let me know. Cheers

Sorry that nobody answered in IRC yesterday. It tends to be a very quiet place in the evening. You absolutely could (and maybe even should) follow some of the advice that's contained in this guide. There is nothing in there that would have a negative effect on your computing experience. It's just that this guide is absolutely unfinished, thus the disclaimer, to avoid people just copy-pasting stuff and then thinking they are secure.

I'm currently lacking time to finish or even contribute to this. sad

Offline

#6 2016-04-19 07:51:39

arti
Member
Registered: 2015-12-02
Posts: 73

Re: The (paranoid) Bunsenlabs Security Guide

dot|not wrote:

Sorry that nobody answered in IRC yesterday. It tends to be a very quiet place in the evening. You absolutely could (and maybe even should) follow some of the advice that's contained in this guide. There is nothing in there that would have a negative effect on your computing experience. It's just that this guide is absolutely unfinished, thus the disclaimer, to avoid people just copy-pasting stuff and then thinking they are secure.

I'm currently lacking time to finish or even contribute to this. sad

I wasn't sure if it was a case of obsolescence or incompleteness. I'm quite glad it's the latter.
I'll be reinstalling rc1 with full disk encryption enabled later.

I've set LVM up on a net-install of debian in virtualbox to see what to do and not to do with the partition scheme...
Thank Odin for virtual machines, I would have Borked my system at least 3 times in a row by now without using it.

I'll pop into the IRC channel from time to time, I have many questions I don't want answered. wink

Thank you tree dweller.

Offline

#7 2016-04-19 12:48:11

damo
....moderator....
Registered: 2015-08-20
Posts: 4,966

Re: The (paranoid) Bunsenlabs Security Guide

arti wrote:

....
I'll be reinstalling rc1 with full disk encryption enabled later.
.....

rc2 would be better, surely?


Be Excellent to Each Other...

FORUM RULES and posting guidelines «» Help page for forum post formatting
Artwork on DeviantArt  «» BunsenLabs on DeviantArt

Offline

#8 2016-04-19 12:52:49

arti
Member
Registered: 2015-12-02
Posts: 73

Re: The (paranoid) Bunsenlabs Security Guide

damo wrote:
arti wrote:

....
I'll be reinstalling rc1 with full disk encryption enabled later.
.....

rc2 would be better, surely?

Whoops! typo spotted.

Offline

#9 2016-04-19 16:09:04

dot|not
Member
From: /dev/urandom
Registered: 2016-02-04
Posts: 93
Website

Re: The (paranoid) Bunsenlabs Security Guide

I've set LVM up on a net-install of debian in virtualbox to see what to do and not to do with the partition scheme...
Thank Odin for virtual machines, I would have Borked my system at least 3 times in a row by now without using it.

For 'average' needs the installer is pretty darn good at partitioning. I regularly semi-break stuff while manually encrypting partitions or hard drives.

I'll pop into the IRC channel from time to time, I have many questions I don't want answered.

Activity is highly fluctuating there, I myself won't be there for work-related reasons for the next couple of days. If there is anything pressing, feel free to drop me a private message.

Offline

#10 2016-04-19 19:14:16

arti
Member
Registered: 2015-12-02
Posts: 73

Re: The (paranoid) Bunsenlabs Security Guide

^ If anything gets broken I'll drop you pm. I'm sure it'll be fine. <- famous last words.

Offline

#11 2016-04-30 19:42:21

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: The (paranoid) Bunsenlabs Security Guide

This is a promising thread. There are lots of topics to cover though. Well, even the longest journey begins with a single step.

I noticed that the add-on "self destructing cookies" was recommended. I've been using it and basically it's great. However I read about an issue and tried to verify it. I was surprised.

After creating a new profile just install "self destructing cookies". If you install an other cookie add-on, like "cookies manager", which shows all the cookies at one click, it'll make things easier (cookies can be also checked via preferences/privacy/remove individual cookies).

After you installed those add-ons (nothing else), check the cookies. There'll be some google cookies. Delete them. Wait 3-4 minutes. Check the cookies again.

Or just visit any major news site. There will be lots of cookies. Close the tab. If you check the cookies, "self destructing cookies" will NOT delete all the cookies. In fact, even if you delete all the cookies and just wait, there might be new cookies again (often from google). I noticed that the add-on even pops up a message, but the cookie will not get deleted.

Offline
