The purpose of this document is to give the reader a basic overview of safety measures one can take to keep your data private, remain anonymous online, and keep your drives clean. The measures are a combination of free software, online services, and safe practices. This document also examines the level of free speech allowed for European Indigenous Rights activists on several online services.
HTTPS stands for HTTP Secure. If the entire session uses HTTPS, your connection is encrypted and extremely secure. Anyone monitoring your connection would still be able to see that you connect to for example sites.google.com, but won't be able to see what specific webpage on sites.google.com you are viewing.
Some sites allow HTTPS for the entire session, some for parts of the session, while others only use HTTPS to transmit your password.
Some sites support HTTPS but don't automatically enable it; I will call this passive support. In these cases you have to use https when connecting to the site for it to be enabled. Sometimes HTTPS tends to get disabled while browsing the site, I will call this partial support.
HTTPS Everywhere is an extension for the Firefox and Chrome browsers that tries to make websites with passive HTTPS support behave like sites with automatic support.
PFS (Perfect Forward Secrecy) is a variant of HTTPS that encrypts each session with a unique key. The typical HTTPS enabled server has one master key for all encrypted communication, meaning that if an intelligence agency gains access to this master key it can decrypt the data stream from the client to the server. You can determine if a server supports PFS in the Chrome browser by clicking the https lock and selecting the Connection tab. If the key exchange mechanism is ECDHE_ECDSA or DHE_RSA your connection uses PFS. Keep in mind that Google, which uses PFS, can be forced by court order to remember all encryption keys, and surrender them by court order.
SSL Labs allows you to enter a URL of a website and have it rate the SSL implementation. It does not currently take PFS into consideration, subsequently a website with PFS and a B rating might be more secure than a website without PFS and an A rating.
Secure email is the most crucial of all. Governments are able to analyze emails that are transmitted over the internet and generate alerts based on keywords they are interested in. The only way to communicate securely is to use a website that uses https to encrypt your entire session (not just the part where you enter your password) and have it transmit the data over its local network, or have it transmit the data in encrypted form.
Many services require an email address to register, so if your email is compromised all related services (twitter, facebook, etc) will be compromised.
Gmail is one of the few anonymous email services that supports https; emails between gmail accounts can typically not be intercepted by governments because they are sent over Google's local network.
Hushmail is a potential alternative, but it locks you out of your account if you don't use it for three weeks, and it's based in Canada, which has no constitutional protection of free speech like the USA. One advantage is that it encrypts your inbox, but this can be disabled if Hushmail gets a court order to do so.
As Canada is a Cultural Marxist nation Hushmail should be avoided, and the same goes for services hosted in most European nations, especially France, Germany and the United Kingdom.
American services are protected by the American constitution, which guarantees almost unrestricted freedom of speech. So American companies are definitely the way to go.
Yandex offers an email service that supports https and is located in Russia. An English version can be accessed by visiting mail.yandex.com. The rift between Eastern and Western Europe might allow a greater extent of privacy on Russian servers for West Europeans.
Keep in mind that emails sent from Yandex to Gmail or Zoho are sent in unencrypted form and are likely to travel through Western Europe and be analyzed by intelligence agencies.
Zoho provides an alternative to Google Apps. It's unclear to what degree they enforce their speech codes. It is privately owned by an Indian and it's unknown where their loyalties lie. The owner might support our anti-Islamic sentiments, or oppose our anti-multiculturalist agenda.
In case Google turns out to be hostile, Zoho is an alternative. Keep in mind that emails sent between Gmail and Zoho Mail accounts can be intercepted.
Due to the significantly restricted size of messages, micro blogging sites aren't very interesting.
Twitter supports https, has no speech codes, and only bans specific threats of violence.
Blogger recently disabled its support for https. As it's part Jewish-owned (Google) it's unclear how the speech codes and violence clause are interpreted. If Google supports Ultra-Zionism it is likely to acknowledge our anti-supremacist views and support our struggle for indigenous rights. If Google supports multiculturalism they are likely to take down European Indigenous Rights blogs when pressured to do so.
Google Sites has a primitive blogging interface and full https support.
Jux has full https support, which makes it noteworthy. It's unclear if the organization supports free speech, though they claim to be politically neutral. The interface is highly impractical.
Tumblr has so far been tolerant of European Indigenous Rights blogs and its support for global tags makes it easy to create a network.
Wordpress has no speech codes but it banned a Counter Jihad blog for violating the violence clause. It only has partial https support.
Diaspora is one of the new distributed social networks. It is quite similar to Google+ and has a clean yet stylish interface. The problem of these distributed social networks is that each server is privately owned, and it may be difficult to find a server that supports European Indigenous Rights. Diaspora supports https, though your data shouldn't be considered safe unless you fully trust the server owner.
Facebook is particularly hostile to opponents of multiculturalism. Facebook also has a policy requiring people to use their real name. The only logical option is to boycott Facebook and support networks that allow free speech and anonymity. VK might be a suitable alternative.
Freenet is a decentralized encrypted network. If all else fails Freenet will likely be the last option for free and anonymous speech. Freenet uses an https equivalent and all participants need to run the freenet software making the network separate from the world wide web.
Friendica is another distributed social network. It has a stronger focus on running your own server. It's unclear if servers friendly to the European Indigenous Rights movement would be targeted by hackers and vandals. The threat of hacktivism might make this option unfeasible, besides that the server would need to be hosted in the USA or another free speech haven.
Google Plus has speech codes and a button to report political incorrectness, but does allow pseudonyms and supports https. Its concept of placing contacts in circles is quite useful. The interface for making posts is very limited, though there is a certain appeal to a barebone interface. It's unclear if Google Plus will be as totalitarian as Facebook in the enforcement of speech codes.
VK is a Russian social network that is a clone of Facebook, without blatant Cultural Marxist censorship. It supports English, Russian, and Ukrainian. VK requires activation with a text message to a mobile phone, if paranoid use an unregistered cell phone and leave the battery out unless you are at a location that does not reveal your identity. Enable 'Always use secure connection' in your settings on VK. Do not link a non-Russian email address, Yandex is suggested. Disable most if not all notifications as emails can be intercepted. Always connect to https://vk.com rather than http://vk.com.
Twitter can be used to create a private micro-network by creating a private list of contacts. Twitter requires an email address, which is a weakness for creating an independent network. If your email account becomes compromised, everything linked to it will be compromised as well. This being the case, you should never use the password for your email account on another website.
Pheed is like twitter though it allows slightly larger messages.
Google Groups allows the creation of private forums. Ideal for larger networks. Members must use a gmail account or correspondence will not be secure.
Notepub is very basic and does not automatically enable https. It can be used to create a private wiki and a primitive private message board.
Riseup is run by Marxists and the site appears intended to give anti-fascists a secure base of operations for activism and acts of terrorism. As radical activities appear to be the primary goal of the service it does not record identifying data about its visitors, and stores data in encrypted form. Visits to this site may be monitored by governments. Given its high level of security two or more people with a riseup account can use this to establish a private network. Gmail can be used in a similar fashion.
Google Talk can be used with the 'off the record' setting enabled for secure private messaging. You can easily use Google Talk from within Gmail. Google Talk in turn encrypts the actual messages as they are transmitted using SSL, so it's very secure.
Zoho Chat can be used as an alternative to Google Talk, though unlike Google Talk it automatically saves your conversations, forcing you to manually delete the logs.
It's generally unclear who owns free internet proxies, and it's a possibility several are owned by intelligence agencies. Proxies are useful when you don't want the website you are visiting to know who you are, but aren't concerned with a random proxy having this information. It's best not to visit anything that links to your identity when using any of these proxies, so don't login on Facebook or Youtube, and especially not your email. There are plenty of free proxies out there, here are a couple.
StartPage is a proxy for Google searches which does not keep any logs and supports https. The search results in turn can be viewed directly or through the proxy. Can be set as your browser's default search provider. Owned by a Dutch company.
ProxFree has passive https support. Keeps logs and uses Google Analytics.
SSL Proxy has active https support. Keeps logs and uses Google Analytics.
Proxify has active https support. Keeps logs for 3 days.
When engaging in online activism it's important not to have your browser automatically remember passwords and cookies. Having safe habits is very important. You can use a different browser for online activism and configure it to automatically erase all data on exit.
Chrome is a popular browser that has an incognito browsing mode, though it can't be configured to erase all data on exit. You can alter the Chrome shortcut to start in incognito mode by adding -incognito to the path name. There are Chrome extensions that will remove all browsing data on exit.
Firefox is a popular browser that has an incognito browsing mode and can be configured to erase most data when you exit the browser.
Comodo Dragon is a browser based on Chrome with some additional safety features; most notably, it claims to provide better security alerts for HTTPS connections.
Opera is a popular browser that provides a turbo mode that allows you to automatically browse through a compressed proxy connection. Opera will report your IP address to the website you visit, but as not all sites will record or recognize this information, especially in low-level server logs, so it adds an additional layer of security.
Tor Browser is a self-contained browser bundled with anonymizing software. Ideal for fully anonymous incognito web surfing.
If you have password-protected files and the police confiscates your computer they will either try to crack the encryption or the password. If the encryption is 256 bits they won't bother with cracking the encryption and go after the password with a brute force approach, attempting all possible combinations of letters and numbers. If your password is 'Europe7' this will take less than an hour.
If your password is sufficiently complex the police will demand that you tell them the password; fortunately, complex passwords are easy to forget. Use the services below to figure out how to create strong passwords, never enter any of your actual passwords.
Passfault examines passwords and determines how long it would take to crack it.
Gibson Research Corporation has a page that examines passwords and determines how long it would take to crack it.
Governments have the ability to detect you when you visit a suspicious site. If you visit the Stormfront website from Belgium, for example, and login with your username and password, this data will pass through the United Kingdom. The UK secret service may detect that you just logged in to Stormfront and may store your username and password, next it can keep a log of all other sites you visit from the same IP address. If you login on Tumblr next the SS (Secret Service) won't know your password because Tumblr will encrypt your password submission, but as encryption ends after you login the SS can obtain the name of your Tumblr blog. By analyzing your internet traffic the SS can create a list of usernames, email addresses, and passwords.
Taking your blog down by juridical means is difficult and time-consuming. If you use the same password on Stormfront and Tumblr it's possible for the SS to hijack your Tumblr account, or worse, your email account and every service related to it. When the SS hijacks your accounts you'll simply be unable to login as they'll change the password, associated email address, and leave the account in a frozen state. They'll do so from behind an anonymous proxy so they have complete deniability. If an actual hacker hijacked your page they would likely vandalize the page and leave offending messages, the SS is unlikely to do so as they want to draw as little attention as possible.
To minimize your risk, you should avoid websites that do not fully encrypt the entire connection using https. If you need an email address, make sure the email provider is hosted in the same nation as the service you are using. So if you make an account on Jux do so from a Gmail, Hotmail, or Zoho email address. If you link an email address to VK do so from a Yandex email address as the Yandex server is in Russia. Doing so will make it harder for governments to intercept password retrieval email messages. Never use the same password for different accounts.
There is reason to believe the Austrian, German, Norwegian, and UK governments subject their citizens to this treatment for ultra-nationalist content. There is an almost universal ban on ultra-islamic content by means of self-censorship, legal threats, hacking, and on rare occasion assassination.
AxCrypt is a free and open-source file encrypter that integrates well with Windows. It supports self-decrypting files so the recipient of an email with an encrypted file does not need to install the software, though they will obviously need to know the password. It uses 128-bit encryption, which should be strong enough until the end of the century.
7-Zip is a free and open-source file archiver that supports the creation of password-protected archives with 256-bit encryption. If you use the .7z standard, the filenames and files are encrypted, but if you use the .zip standard, only the files are encrypted.
PeaZip is a free and open-source file archiver that supports the creation of password-protected archives with 256-bit encryption. It supports the .7z encryption standard.
Adobe sells an overpriced software suite that allows the creation of PDF files. PDF files created with Adobe include private information that the computer grabs from your computer. The PDF files themselves can be viewed with a free PDF reader. Avoid if possible and make sure no private information is stored.
Google Drive is Google's online document editing suite. An interesting feature is that you can share documents with other Google users, meaning files never need to be physically copied to your or the recipient's hard drive. Google Drive supports https. Documents can be converted and downloaded to your computer in several formats.
Microsoft Word is Microsoft's document editor. It's not free software and it automatically includes private information, like the name you gave during installation, username, company name, and possibly more. Avoid if possible and make sure no private information is stored.
Notepad++ is a free text editor that is useful for creating simple documents or editing HTML files. HTML files can be viewed by anyone with a browser. Using base64 encoding, you can embed images in the HTML file itself, and the HTML markup language is easy to learn.
Open Office is a free alternative to Microsoft Word and should not reveal private information unless you include it yourself.
It's important to understand that when you delete a file it is not actually deleted, it's merely forgotten about by the operating system. Filenames and file content can be fully or partially recovered using file recovery software. Formatting your drive does not work either, and you will need specialized software.
AxCrypt is a free and open-source file encrypter that comes with an option to erase a file. It doesn't remove the filename from the Master File Table so the name and size of the file remain available.
CCleaner is a free disk cleaning utility that provides a 'drive wiper' in the 'tool' tab, which will overwrite all free data. It also cleans up the Master File Table. It can take several hours for the drive wiper to finish.
Eraser is a free file eraser that allows you to right-click files to permanently delete them. You can change the settings so it does 1 pass (sufficient) instead of 35 to improve execution speed.
Recuva is a free file recovery program that allows you to scan a drive for deleted files, and recover them. Alternatively, it can permanently erase the data of deleted files. Recuva doesn't remove the filenames of erased files from the Master File Table so the name and size of the file remain available.
IronKey manufactures secure USB flash drives and hosts a network of anonymization servers. It's more secure than Tor, though the company could be forced to compromise anonymity and privacy by court order.
SpotFlux hosts a network of proxies. SpotFlux claims to log as little as possible but does not guarantee anonymity against a US court order. A useful alternative if Tor is too slow for practical use.
Tails is a software suite affiliated with the Tor Project that allows you to boot up a secure operating system from a DVD or an encrypted USB drive. It comes with Tor support and other privacy and anonymity utilities. This allows you to use any computer without leaving a trace, though it requires the ability to reboot the computer. As it's a large file it's best to download Tails using uTorrent.
The Tor Project offers free software that allows you to anonymously surf the internet. The increased anonymity comes at the cost of decreased privacy as your traffic is directed through several servers ran by volunteers. It's strongly suggested to use HTTPS-enabled websites while using the Tor network, and to be on the lookout for Man in the Middle attacks where HTTPS is either disabled or a fake certificate is issued. If you use HTTPS Everywhere you should receive a warning when HTTPS support is unexpectedly disabled, while browsers like Chrome try to detect fake certificates.
SpiderOak provides 2 GB of free online file storage. It supports https and stores the files using 256-bit encryption. It's mainly intended as a backup service and requires the installation of the SpiderOak program. The company itself cannot access your files, unlike most other free storage alternatives.
TrueCrypt is a free utility that allows the creation of encrypted virtual drives, with support for hidden volumes. It also supports encrypting your entire drive. There is a wide selection of encryption software, but TrueCrypt appears to be the most advanced and polished product that is available for free.
Wuala is a Swiss company and provides 5 GB of free online file storage. It requires the installation of the Wuala program. It has support for sharing and collaboration. The company itself cannot access your files, unlike most other free storage alternatives.
There's the very real possibility a government manages to install spyware on your computer. For example, the NSA may force Google to help them install spyware on your computer as a matter of national security. One reason to encrypt your system drive is to prevent a government from installing spyware directly, though system drive encryption is of no help if you leave your computer running when you leave your residence. If you're very paranoid you should consider running Linux or Mac OS X, which will make you less vulnerable to these types of attacks.
Regardless of the reality of being directly monitored it's important to practice data obfuscation where possible. The goal is to transfer data in a way that is not readable by machines, which means it'll take a human to categorize and transcribe the data, which can quickly become a very costly affair.
Handwriting can be scanned and converted to an image, and be difficult to transcribe by computer software if the handwriting is messy or a-typical.
Captcha Software can be used to turn typed text into a hard-to-read image. I'm not aware of specific software, but you can load a picture containing static into MS Paint, create a text field, enter your text, next save the result a jpg image.
Sign Language can be used over a video chat connection. It can be a useful and fun skill to learn and time-consuming to transcribe for intelligence agencies.
Dialects can be used over a voice chat connection. Mixing words from multiple languages, or frequently switching between multiple languages can complicate things. Consider learning a foreign language together.
Signal to Noise methods can be used to add confusion. Try to think of keywords intelligence agencies might be looking for, and use those randomly in innocent conversations and emails. Do not delete your spam mail but save it, mix in innocent emails you'd normally delete, and subsequently make life difficult for someone who wants to know everything that you are doing. Play music while voice chatting. Leave a voice or video connection open with some kind of background noise as long and often as possible, forcing monitoring agencies to store large volumes of data, whether it is a ceiling fan, talkshow radio, or both. Have non-sensical discussions which may or may not contain secret encoded messages. Send large encrypted files with 256 bit passwords (32 random characters long) and suspicious filenames that an intelligence agency might spend a year of computing power on trying to crack. Never delete anything uninteresting.
Logical Operators can be introduced allowing the recipient to interpret a message different than someone who is not aware of the operant. For example, ending a message with ;) typically indicates that the person is kidding. Smileys can be introduced that indicate that the person is lying, means the exact opposite of what he says, means something more extreme, is spouting pure nonsense, has communicated a password within the sentence, that the line of communication is not safe, etc.
Key strokes can be logged by attaching a small device to your keyboard that stores all key strokes on embedded flash memory, these devices can be very small. Governments will likely want to install these devices in your keyboard, so make sure to put superglue or epoxy in the screwholes to make disassembling the keyboard impossible. Also consider making a distinct enscription on your keyboard with an engraving tool and to remove the serial number and brand name, this will make it more difficult for governments to quickly swap your keyboard with a bugged look-alike.
The next place to install a keylogger would be inside your computer. Most computers come with a simple seal which voids the warranty when broken. Check the seal from time to time and store a picture of the seal so you double check if something looks suspicious. Consider adding an additional seal, which can be as pragmatic as running a line of duct tape around your computer and drawing and writing on the tape to make it more difficult to break the seal without leaving a trace.
The final place to install a keylogger would be on the wire leading to the keyboard, or using a connector inbetween your computer and the plug. Check the wire and where the keyboard plugs into the computer from time to time. If you find a keylogger you should destroy it as quickly as possible.
To make installing keylogging software more difficult remove the brand and serial number from your computer using a knife or sandpaper, this because intelligence agencies can easily crack your BIOS password if they know the serial number of your computer's motherboard. Encrypt your harddrive to make installing software impossible if your BIOS password is by-passed. Run a Linux-based operating system. Exclusively connect to Internet services in friendly nations, or connect through a proxy and avoid signing into services with a username. The last options may not be feasible, which makes it important to focus on developing English-language Internet services in friendly nations.
A common method of tracking someone is by sending them an email with an embedded image. In certain scenarios the image will automatically be displayed, so the browser connects to the server where that image is hosted, and the server will log at what time the image was viewed, by what browser, and by what IP address. Images hosted on large image hosting servers are generally safe, especially when they have a generic filename, and the image is indexed on Google. Also be careful when given links to webpages that are not indexed by Google.
Modern email providers like gmail automatically hide pictures in emails from strangers and will ask you if you want to display images. If you have TOR enabled there is no huge risk in viewing a picture. If you aren't using TOR or simply are paranoid you can enable the following setting in gmail to never embed pictures:
Settings -> General -> External content: Ask before displaying external content
It's also possible to embed tracking bugs in HTML, PDF, Excell, Word, and PowerPoint documents. If you have a file you don't trust you can disable your internet connection entirely, though TOR should mask your IP address when opening a bugged document.
If you click a link the typical web browser will tell the website what web page the click originated from. A link can be modified to instruct the browser not to send along referrer information by including the rel='noreferrer' in the tag.
In Firefox you can disable the sending of referrer data by going to about:config and setting network.http.sendRefererHeader to 0. In Chrome you can disable the sending of referrer data by changing the Chrome shortcut to execute: path\chrome.exe -incognito --no-referrers which will launch Chrome with incognito and no-referrers mode enabled. Acknowledge that Firefox spells the word as 'referer' and Chrome as 'referrer'.
You probably want to figure out a way to check if you are indeed no longer sending referrer data.
Your computer does not magically know where to find 'google.com' and has to look up this address on a DNS server. Browsers that prefetch links can in theory allow profiling software to determine what webpage you are looking at. Disable prefetching in your browser configuration. Some browsers will go as far as to visit the actual webpage and load the webpage behind the scenes, which in turn allows analytical software like Google Analytics to record your activities. Be mindful of websites that use Google Analytics, as this means every single click is stored, and this data can be retrieved with a court order. Responsible webmasters who use analytical software (sometimes for valid reasons) should periodically clear the data.
Your browser can be uniquely identified. Never install a new font. Avoid uncommon plugins. Keep plugins up to date. It appears to be a lost cause to prevent fingerprinting however. You could use two computers and exclusively use them for separate activities. Software like Tails makes it more difficult to finger print. The Tor browser is helpful as well. HTTPs stops fingerprinting by network profilers, though Google automatically stores one month worth of such information by default and it may store this data indefinitely, though it's unclear if Google stores identifying information other than the kind shown on Google Analytics. Keep in mind that using services like TOR is part of your fingerprint (as you'll have a TOR IP) so if you have the discipline you should exclusively use the TOR Browser for specific activities.
Hiding Folders is possible on Windows by right-clicking the folder and checking 'Hidden' in the properties menu. You can visit the folder by clicking the address bar while in the parent folder, and typing a \ followed by the name of the hidden folder.
Hiding Desktops is possible using software like VirtuaWin which allows you to create 2 or more virtual desktops, and switching between them with a keyboard shortcut or mouse click.