Encryption

• Kleopatra (GPG manager)
• Picocrypt (text and files in XChaCha20)
• ShuffleCake (Hiding volumes/filesystems while encrypting in AES256)

Data protection/removal

• Obfuscate (tool to censor private informations)
• Metadata Cleaner
• Raider (file/data shredder)

Clients

• Pidgin (XMPP, IRC & Google)
• 64Gram (Telegram client)
• Thunderbird (email, XMPP)
• Transmission (BitTorrent client)

This post will show you how to avoid leaving the same informations online again and again, by leaving the same informations on all sites you browsed, you can leak your life history trough multiple data leaks where threat actors find what service you used by using your personnal informations as search terms.

Put the less information possible online or avoid doing it with a public exposure.

Make private accounts and alt-accounts, if you can share your things to your friends & family, without shitposing 24h/24 your toughts and private lifestyle you'll be fine.

Never use the same pseudonym

Be creative or just generate a pseudonym. here's a site for

Do not leave your Date Of Birth

If you need to prove you're an adult, show your year of birth, but never give your date of birth.

Never use the same password

You're harming your security and privacy at the same time by doing this. People can search the hash of your password trough leaks or just logging to other sites with your password because it's always the same. Use a password manager to protect yourself from that by having one password per account.

Do not use the same mail address again and again.

You can use skiff, altaddress, msgsafe, anonaddy and other mail services offering mail aliases to not leave the same mail.

Do not use the same phone number

Take a SMS verification service if a site/service is asking for your phone number. (available list here)

Do not use a VPN having a dedicated IP.

Change your VPN provider (use this list) each year or each end of subscription. If your VPN is having large lease sets, it may attributed a specific IP like your ISP can do. Then, if sites were logging the IPs of your sessions and theses were stored in their databases, it came possible to find accounts possibly belonging to you by searching the IP address.

Use Monero, gift-cards or prepaid cards for online payments.

We're going to see how staying anonymous online on multiple points:

First rule

• Don't be stupid, never talk about your life, your interest points, your name, in fact everything directly tied to your identity. (an example here of why)

What configuration ?

An easy one: buy a cheap laptop and a privacy screen filter to protect your screen against cameras and voyeurists, install TailsOS on a USB key. Because you want to stay anonymous, do not create a persistance on so every session is fully ephemeral.

You can buy a mini-leash to tie your USB key to your wrist then if someone tries to steal your latpop (example here), the session will be corrupted because the USB key were removed by force with the leash (example here). (it's a killswitch in a nutshell)

How do i connect to Internet ?

If you can, do not use your own Internet Service Provider. Go outside and find an open WiFi hotspot (Wigle can help you). You also can buy 4G hotspot keys but be sure they aren't tied to your identity and take some cheap because you have to throw them after a long usage due to the static's IMEI number.

Tor OpSec ?

If you use Tor for usages might be punished and under targeted surveillance, you should use Tor bridges. If it's not the case you can normally use the Tor network. Do no "Tor over VPN" you'll just deanonymize your Tor entries trough the VPN. When you're using Tor, you have deniability on your sessions. So you can admit having used Tor while hiding your deniablility by saying you were browsing something other than what you're accused. But, if you're not accused of having used Tor, say nothing about it (first rule).

Tor browser security parameters ?

Select the Strict security level (here) to protect your browser against malicious JavaScript content and more methods for trying to deanonymize or exploit your network browser. You also can put all the uBlock available filters to protect yourself against other types of tracking.

Tor browser hygiena ?

You have a new identity icon at the top right of your browser you should use to clean your Tor session. Example: I searched and found a cookie recipe, now I want to buy ingredients I should click on new identity, then previous session is forgot.

General internet hygiena (on-site)

• Don't create / use an account to browse content or interact with the service if they allows you to do it in a accountless way.
• If you have to make one, be sure you're using Mail, SMS ect.. provider who's not requiring your informations. Check this list
• Do one account per interaction, one SMS and one mail per registration (never reuse an information, here's an example of why.)
• Use Monero when you have to pay online or your payment will be transparent or tied to your identity.
• If you're uploading files, remove metadata before simply by doing a right-click (here's an example of why), use OnionShare when possible to keep the transfer in peer-to-peer over Tor.

Explain me SimpleXChat like i'm five

The SimpleX network protocol (SMP)

It's a protocol (SMP) using relays in a unidirectional way to proxify the P2P activity of users.

It also does content padding (message of random sizes) to make difficult attacks by a inspecting packet size for doing traffic correlation.

Encryption

• Client to Server connections are encrypted in TLS and verified with Ed448.
• Client to Client messages are encrypted in Double Ratchet with Curve448 to agree shared secrets for the double ratchet initialization.

How to use SimpleXChat

1 - Installation

In first, install SimpleXChat | Tor hidden-service.

2 - Launching the app

You need nothing more than launching the app. If you want to share your contact link, click on "Your SimpleX address" and create one.

2.1 Using SimpleXChat over Tor

Go in the connection settings and turn-on the Socks proxy switch (be sure you're running Tor in background before activating it.) You also can use hidden-service connection with relays made it available.

3 - Receive messages

Turn on the auto-accept switch if you want to automatically accept message requests and accept incognito if you want to keep a random username per user contacting you. Or click on + and on generate a one-time invitation link to not share your contact address.

4 - Send messages

To contact someone, click on + and on contact via a link or scan a QRCode. Paste it's contact link, for example here's mine

5 - Conversation initialization

You'll have a connecting... conversation appearing once you create one or when someone is contacting you, during this phase you're doing a key-exchange for double ratchet so make sure you and the other part are online. Why not letting the application running in the background (not on iOS because apple push servers are will know your SimpleX usage, see here why) with the notifications periodically or instantly.

5 - Verify the conversation security

Now the conversation has started, click on the profile of who you're talking, now on verify the security code and verify the fingerprint is the same, with the QRCode or by signing it with your PGP Key as we seen before. Now the conversation is verified, you can talk with the user or setting up an ephemeral conversation in the settings.

6 - Backup your Database

Conversations are only queued on relays, so you're hosting your own data in a local database. Put the database in pause mode, add a passphrase and export it to the new device where you want to restore it. Beware, you can't have a "multi-device" usage like running the same database on two devices at the same time because of Double Ratchet protection (you "fork" the perfect forwarded secrecy on different sessions)

PGP Introduction

PGP means: Pretty Good Privacy. It's an asymetric-encryption program, for encrypting or signing data made by Phil Zimmermann. When you're using PGP, you have a public-key and a private-key.

The public-key is like a mail address but cryptographically made you can share to anyone, people can encrypt data to your public-key or verify signed data to know it's authenticity.

Step 1 - Find a PGP manager

• Kleopatra (Linux)
• GPG4Win (Windows)
• GPGTools (MacOS)
• OpenKeychain (Android)

Step 2 - Make your keypair

Find a generate a new keypair function in your manager. It'll asks you a name and a mail (it's optionnal).

2.1 Selecting what asymmetric cryptography protocol to use

You can you with what protocol you use for your keypairs, for example: RSA, ECC, ed25519.

2.2 Adding a passphrase

The manager will ask you a passphrase (an additionnal private-key protection) you should not loose or you loose the access of the private-key.

Step 3 - Export your public-key

Click on your keypair, and find a share or export public-key function. The manager will display or export in a text-file your public-key (long string of data starting with ---BEGIN PGP PUBLIC KEY---). You can share this key to anyone.

Step 4 - Export/Backup your private-key

4.1 Exportation

Click on your keypair, and find a backup or export private-key function. The manager will display or export in a text-file your private-key (long string of data starting with ---BEGIN PGP PRIVATE KEY---). DO NOT SHARE THIS KEY.

4.2 Restore the private key

Find a "import" function and import the private-key file. You also can go in the notepad function (of your manager ONLY) and paste it the private-key. Put the passphrase when it's prompted, you'll again have the full access to your keypair.

Step 5 - Import a public-key

Ask a public-key (or generate an other one if you don't have friends like me lol), open the notepad and paste it the public-key. Click on import, and verify the fingerprint is the good one (someone can make a public-key with your name to impersonate you, impersonator's key will not have the same fingerprint than yours) before certifying the key.

• Here's my fingerprint for example: EDD9 6775 F105 E467 3DF9 F32F 0D2E F07A BD7E 18BD

Step 6 - Sign/Verify data

To sign, find a sign function in your manager, select the file you want to sign select your key to sign, you'll have a .sig file. For signing text, go to the notepad, put text and select the key for signing, you'll have a string of data starting by -----BEGIN PGP SIGNED MESSAGE-----

To verify, find a verify function, select the .sig file and you'll know if the signature and the file is valid. For verifying text, put the string of data starting by -----BEGIN PGP SIGNED MESSAGE----- in the notepad and find a verify button

Step 7 - Encrypt/Decrypt data to a public-key

To encrypt, you just have to mention the key of someone with the encrypt for/to function in the notepad, or find a sign/encrypt function in the manager and select a file. You also can encrypt to your key and sign the message so people knows it's really from you. You'll have a .pgp file or a string of data starting by -----BEGIN PGP MESSAGE----- meaning encryption is complete.

To decrypt, find a decrypt function, select the file and it will be decrypted if the file was encrypted to your public-key. Or put the string of data starting by -----BEGIN PGP MESSAGE----- in your notepad and find a decrypt function.

Operating Systems

• GrapheneOS is a custom ROM focused on security & privacy.

Store applications

• F-Droid is a federated application store
• AuroraStore is an unofficial FOSS client to Google Play.
• Obtainium is a package installer where you can set different sources like github apkpure fdroid (even HTML).

"System apps"

• Insular is a good sandbox where you can clone or freeze apps.
• VLC is a good media player.
• Simple Notes (litteraly it's name)
• Secure File Manager is a file manager supporting AES to encrypt files.
• Open Keychain is a PGP manager.
• Password Store is a android implementation of the unix password manager

Networking

• Invizible is a good Tor + DNSCrypt wrapper with a tunnel (VPN feature).
• Mull is a secure and privacy focused Firefox fork.
• SimpleXChat is a encrypted and anonymous instant-messaging protocol and client.

Privacy-focused clients

• NewPipe is a ad-less and lightweight Youtube SoundCloud and PeerTube client. (it's really worth it to use)
• Barinsta privacy focused Instagram client.
• NekogramX privacy focused telegram client supporting PGP.
• K9-Mail is a secure mail client supporting PGP.
• Conversations is a XMPP client supporting OMEMO encryption.
• Silence is a encrypted SMS client.

Best forks

• LibreWolf (For Windows/Linux/MacOS)
• Mull (For Android)

Best extensions

• uBlock Origin (A good tracker/ads blocker)
• Decentraleyes (Blocking CDN content if possible)
• NoScript (Blocking JavaScript, medias and XSS content)
• User-Agent Switcher and Manager (modifying your fingerprint to look like an other device)
• CanvasBlocker (blocking fingerprinting tough screen resolution and more methods exploited by JS APIs)
• Libredirect (Always redirecting you to privacy focused front-ends if possible)
• FoxyProxy (Changes your proxy settings very fastly)