Your social security number, credit card information and medical history may fall into the wrong hands if you are not careful about how and where you share your data online. If you really care about your data, there are tools and techniques that you can use to protect yourself from cyberstalkers, advertisers and hackers at a time when your digital life is a valuable commodity.
Why Privacy and Security Matter
While you may not have anything to hide, there are still many things in your digital and personal life you should want to protect. Your phone number, your computer, your smartphone, your online accounts, your bank accounts, your email address, your home security system, even your home – these are all things you want to secure with passwords, biometrics and other tools available to you.
In 2018 there were a number of significant data breaches. Overall, they hit hundreds of millions of people worldwide, and you may have been one of them. Below are some of the biggest hacks of 2018, which include compromised phone companies, e-commerce sites and social media giants – all of which have access to your personal information.
- T-Mobile: Hackers stole personal data belonging to T-Mobile customers. 2 million users affected.
- Cathay Pacific Airways: A data breach exposed passport information, credit card numbers, and email addresses. 9.4 million users affected.
- Ticketfly: A hacker exploited a vulnerability on the site, which led to a leak of names, home addresses, email addresses and phone numbers. 27 million users affected.
- Facebook: Attackers gained access to very sensitive data belonging to millions of users. 29 million users affected.
- Google+: An error in Google's software exposed customer data to the internet. Fortunately, there were no reports of hackers discovering this vulnerability. 52.5 million users affected.
- Quora: A data breach led to a leak of names, email addresses, encrypted passwords and user account data. 100 million users affected.
Website databases are not the only way hackers can try to compromise your digital privacy and security. It may not always seem that your digital identity has much value, but hackers and criminals can find ways to target your friends and family through your online profiles. They can also find other ways to abuse information that you have shared online in recent years.
- Cyberstalking: This type of harassment is a real possibility for anyone who has an online presence. In more extreme cases, hackers may resort to extorting the victim, upload their information to prostitution sites, or even find them at work and at home. Even worse, children are often targeted by cyberstalkers.
- Doxxing: Another form of internet harassment, where hackers publicly disclose personally identifiable information belonging to a victim on public websites. Doxxed information usually includes full names, social security numbers, spouses and children, personal information, home addresses, phone numbers, email addresses, passwords and much more. This information is shared with other hackers with the intent to abuse the data and further harass the victims.
- Identity Theft: The recent Equifax hack put millions of people at risk of identity theft. And that's just one example of a huge data breach. Every day, hackers target individuals in an attempt to steal identities. Being exposed to such a hack can cause catastrophic or permanent damage to a person's life.
- Internet Service Providers: Internet service providers have become increasingly aggressive in abusing customer data. It is not uncommon for ISPs to sell customer data, embed super cookies in web traffic, inject code into unauthorized websites, and use spyware and cryptominers.
- Government agencies: Governments around the world have worked independently and cooperatively to create spyware designed to harvest and analyze data on a global scale, such as ECHELON, XKeyscore, FASCIA and PRISM. Although Edward Snowden exposed it five years ago, PRISM is still in full swing. Journalist Glenn Greenwald highlights some of the risks of government spying and counters the "I have nothing to hide" argument in a TED Talk.
Private Browser Mode Doesn't Protect You
In a recent study conducted by DuckDuckGo, the company asked 87 volunteers in the United States to search identical keywords in Google while in private browser mode and logged out of their Google accounts. Now, according to Google's claims, without the help of browser cookies, all (if not most) of the volunteers should have received the same search results. DuckDuckGo researchers, however, found that:
- Most volunteers received results that are unique to them.
- Whole sites were omitted from search results for some volunteers.
- Results in the news, video, responses, shopping, excerpts, and Knowledge Graph boxes also varied significantly.
The result of this research is significant because it shows that Google uses more than browser cookies to target its users and create filter bubbles. The Google Search algorithm also takes into account our IP address, browser type, operating system, and more. No one should feel protected or anonymous when in private browser mode or when using Google Search.
Getting started with privacy and anonymity
You could simply terminate all your personal accounts and use the internet as little as possible. That would create a small, if not nonexistent, digital footprint, but it is not the point of this article. Instead, you should be able to enjoy the internet without completely giving up your digital freedom or surrendering your digital identity to profit-driven companies such as Google and Facebook.
Simply switching to a Linux distribution is not the solution either. Open-source and privacy-related organizations are in the news as well. In times like this, it is important to proactively protect yourself from hackers, cyberstalkers, advertisers and money-hungry organizations.
When it comes to security, a defensive action almost always creates a hassle for the attacker but also for the user. That is why these security and anonymity measures have been separated into four categories that vary in difficulty: Easy, Moderate, Hard and Extreme.
Easy: Security Best Practices
The security advice in this category can and should be implemented by everyone. These tips will not inconvenience most of you but will likely thwart basic hackers.
In the later Hard and Extreme categories, readers will learn to use free and open-source software, as well as anonymity tools and techniques. Those sections are aimed at readers who do not mind being inconvenienced in order to dramatically improve their privacy, security, and anonymity.
Two-factor authentication (2FA) adds an extra layer of security to online accounts. It lets you generate a one-time login code for an account. The security codes are generated locally on your phone, which means that a hacker who has successfully obtained your login information will also need physical access to the 2FA app or SMS text on your phone before they can do any harm.
Two-factor authentication should be enabled on as many websites and apps as possible. TwoFactorAuth.org has a comprehensive list of sites that currently support 2FA; Apple, Binance, IFTTT, Instagram and Snapchat are just a few. However, do not use SMS-based 2FA codes. It is an insecure practice. Both Gmail and Bitcoin accounts have been compromised even though they were secured via SMS-based 2FA.
2. Don't Give Away Information on Social Media
Hackers can easily piece together personal information about you gathered from all your social media. While posting your birth date on one website and your phone number on another may seem harmless, hackers can collect that information and use it to social engineer their way into your other accounts.
- Phone number: A hacker with your phone number(s) can social engineer your mobile provider into forwarding text messages to an anonymous number they own. This would allow them to bypass SMS-based two-factor authentication protection.
- Addresses: Your addresses for homes, jobs, family and friends should never be shared online. Similarly, diners, parks, and public places you frequent shouldn't be advertised or linked to a photo. Address sharing is often marketed as a convenient tool – and it is. It allows your friends and family to easily find you when meeting up, but it also allows hackers to easily find your geographic location with frightening accuracy.
- Name: In 2019 it is bad security practice to use your real name when signing up for websites. Hackers can use this information for social engineering attacks, identity theft and other illegal activities.
- Photos: Catfishing is a serious problem on the internet. A hacker can decide to use your photos in a catfishing scheme that can lead to legal problems or general embarrassment for you and your family.
In general, submit as little personal information to social media as possible. If a particular site does not absolutely require your actual information, do not include it. As a general rule of thumb, ask yourself: "Does this site absolutely need my real name and real information?" If it is not important for how the site works (e.g. bank accounts), do not submit personal information.
Avoid strangers online. Try to avoid communicating or sharing any kind of information about yourself – no matter how harmless the information may seem. A conversation with someone about your school teacher's name may be all a hacker needs to bypass a login security question. Patient hackers and cyberstalkers will gradually be able to collect small pieces of personal information that let them compromise your accounts or discover your home address. Remember, people can easily be socially engineered and tricked into revealing their passwords and security questions.
3. Get Rid of Unnecessary Friends on Social Media
Some people keep too many "friends" on Facebook. We're talking about friends of friends and people you have never met in real life who serendipitously happened upon a public Facebook conversation you were part of and later added you. These interactions can easily be engineered by a hacker trying to infiltrate your private accounts.
Cyberstalkers on social media can follow you to keep track of your whereabouts and activities. However, you may not always be the primary target, because attackers can use you to get to one of your children, friends or relatives. Similarly, catfish can follow you online to steal your images for fraudulent activities, which, again, can lead to legal problems.
As a good practice, take an afternoon to go through all your social media. Unfollow people you do not actually know in real life and minimize the number of photos you upload to websites.
Smartphone security is a complex subject. For now, we are looking at general best practices that can make it harder for hackers to compromise your mobile devices.
- Uninstall apps. Less is more. If you do not absolutely need an application, uninstall it. Uninstall unused and shady applications immediately. It's not uncommon for hackers to embed backdoors in Android apps and upload them to the Google Play store. And it's not uncommon for developers to have innocent apps that are later updated with malicious intent.
- Turn off Bluetooth. If you absolutely need Bluetooth, of course you activate it. However, there have been quite a few Bluetooth exploits in recent years. Bluetooth security is far from bulletproof. A number of critical security issues in Bluetooth have been published in recent weeks.
- Turn off location services. If an app doesn't absolutely require your location to work, turn off its access to the device's geolocation. Or at least turn it off as soon as you finish the operation.
- Use a stronger PIN and password. For physical security, do not use short and easy-to-guess PINs or passwords. Studies have shown that the PIN code "1234" is used by 1 in 10 people. This is a dangerous practice. Passcodes longer than 6 digits or passphrases containing letters and numbers are highly recommended.
- Use a VPN. They are available for both Android and iOS and encrypt all data traffic in a secure tunnel. It may be slower, but it is well worth the extra security. It also masks your IP address so you don't have to worry about companies or hackers having access to it. There are some drawbacks that you will learn about in a couple of paragraphs.
- Use 2FA. Already discussed above.
- Use a password manager. See the next section.
Another good practice is to remove overly permissive smartphone apps. That game app does not need your GPS coordinates. The video streaming app does not need access to your call history. If an app tries to access sensitive parts of the device, you have several options:
- Install the app anyway. This is extremely insecure. Many apps should not require access to call logs, contacts, text messages or the ability to change your phone settings. It is a large red flag if the app requests these permissions.
- Don't use the app at all. As inconvenient as it may be, this is the safest option. The app in question can be a social media application that your friends, family and/or colleagues use regularly. Refraining from using the app would mean that you isolate yourself (digitally) from people you know and care about – which is terribly inconvenient and an unfortunate consequence that some (more extreme) readers deal with every day.
- Use a virtual Android operating system. This is less inconvenient and a safer solution than installing a shady app directly on your device. Creating a virtual Android OS is pretty easy. These VMs can easily be cloned, deleted if the app turns out to be malicious, and used anonymously when connected to Whonix. Isolating an app in a virtual machine helps to contain and minimize damage. For example, the malicious app does not have access to photos, call logs, text messages and personal files outside of the VM.
5. Use a Password Manager for Strong Passwords Everywhere
In a recent survey by LastPass, it was revealed that at least "53% of respondents confessed that they did not change their passwords in the last 12 months … despite news of a breach of the password compromise data."
This is an unfortunate fact that needs to change. The use of a complex password is crucial to the security of your online accounts. If a website has its user database leaked to the internet, a strong password can defeat brute-force attacks against the hashed password. This type of data breach can lead to the compromise of other online profiles that you own, and is often mitigated by complex passwords and two-factor authentication.
If a site requires your mother's maiden name or first pet as a security question, use a randomly generated string as the answer and store it in the password manager. Never use real answers to security questions. A password manager is good for this.
KeePassX is an open source password manager for macOS, Windows and Linux that allows anyone to easily secure their passwords and personal information locally. An attacker first needs to hack the target's computer to compromise the KeePassX database.
If most of your web browsing is done on mobile devices, you can try a password manager like LastPass. With LastPass, your data is stored in the cloud, which can be dangerous. It's still better than nothing.
6. Use Virtual Private Networks
VPNs don't make you anonymous on the internet. VPNs are far from a foolproof solution but are recommended as a basic line of defense in this Easy category. In later categories, where we cannot afford to trust their "no logs" policies, VPNs are not recommended. Below are some advantages and disadvantages that readers should consider.
VPN Advantages
- Improve local network security by preventing man-in-the-middle attacks.
- Open websites without revealing genuine IP addresses to site administrators.
VPN Disadvantages
- The provider knows who and where you are.
- Forwarding of Internet Service Providers from Internet Service Providers (eg
- The provider can log web traffic without your knowledge or consent.
- Does not make you inaccessible or completely anonymous on the internet.
- Lower speeds (usually
- May be difficult to install and set up.
- Forced to put blind trust in the VPN provider.
VPNs can be beneficial in some cases; most notably, they prevent internet service providers and attackers on your network from manipulating and collecting your web traffic. The unfortunate side effect of VPNs is that we have to trust third parties (VPN providers) over popular internet service providers like Verizon. The fact of the matter is: we know for a fact that companies like Verizon do not have the best intentions for customer data. With VPN providers, there is a chance the provider we choose does not share Verizon's methods.
Free VPN solutions should be avoided as they can inject advertisements and cryptominers into the customer's web traffic. Gadget Hacks recommends Windscribe for iOS and Opera for Android.
7. Use These Router Security Best Practices
Securing Wi-Fi routers can be difficult because they are all designed with different features and unique graphical interfaces. Instead of showing how to secure a single type of router, we describe a non-exhaustive list of security recommendations that everyone should follow.
- Update firmware. Router manufacturers often issue bug fixes and exploit patches. It is important to keep the router firmware updated and have it check for updates automatically, if possible.
- Disable remote administration. Some routers allow remote access by default. Without your knowing it, hackers can find your router on the internet and take control of it.
- Change the default password. Never use the default password. This applies to the Wi-Fi password that other devices use to connect to the router, but also to the admin portal that allows you to change the router's sensitive settings. There are many websites dedicated to sharing default administrative passwords.
- WPA2 encryption. Use only WPA2 encryption. Weaker encryption options such as WEP will leave your router extremely vulnerable to attackers.
- Disable WPS. WPS is a feature found on most routers, designed to make connecting to your router without a password more convenient. Unfortunately, this feature is usually enabled by default and can be easily exploited by hackers.
- Be persistent. Change your Wi-Fi password every few months. Re-entering the Wi-Fi password on all your devices is a pain, but this tactic will keep hackers guessing … literally. If a hacker has captured a WPA2 handshake and spends several weeks trying to crack it, changing the password will render the captured handshake useless.
Moderate: Take back your privacy
Welcome to the Moderate category. This section is intended for readers who want to keep their communications private and scrub their unwanted digital profiles off the internet. Increasing your overall online privacy while working in secure environments is the goal of this category.
Text messages were not designed for secure or private communication. All types of data can be viewed by mobile providers when we send text messages, including location data, timestamps and user IDs, but more importantly the messages themselves, which may include passwords and 2FA codes, package tracking information, meeting reminders, and other sensitive information.
Facebook Messenger is just as bad, if not worse. Facebook collects a list of running apps and email accounts linked to your smartphone, it can access your contacts and calendars, and it can also send emails to your contacts without your knowledge. It is for these reasons that uninstalling Facebook Messenger is highly recommended.
There are several encrypted messenger options:
2. Make sure e-mail communication is private
Standard e-mail methods are possibly one of the least private forms of communication today. To make matters worse, changing email providers can be an extremely difficult task.
This is especially true if we are talking about moving away from a five- or even ten-year relationship with a particular email address. While fully ditching Gmail is not required in this Moderate category, it's a good idea to start transferring your most valued accounts to a secure email provider. It's also good to have a secure email option at hand when we need to share account information or personal documents with friends and family.
There are a handful of privacy-focused email providers, but ProtonMail stands out over them all. It is an encrypted email provider that uses open source cryptography. Its encryption makes it difficult for anyone other than you to read the messages in your mailbox. In a blog post, ProtonMail describes the many reasons why their service is safer than Gmail.
Readers who want to switch from Gmail can begin by going through their primary online accounts and updating them to use the new ProtonMail email address.
Then, start forwarding Gmail messages to the new ProtonMail email address. This enables a gradual transition of old accounts to the new ProtonMail address. Forwarded emails will serve as a reminder of which online accounts are linked to the Gmail address. Simply update online accounts over time. After a few months of this, it will be possible to delete the old Gmail account without being locked out of online accounts linked to it.
3. Be careful with the App Store you use
Those of you with Android phones should stop using Google Play immediately. Many articles have been published over the past two years about malware on the Google Play store. F-Droid is an open-source, community-maintained Android app repository. Like Play Store apps, F-Droid apps can be easily installed and updated.
While F-Droid applications can also silently install malicious software, the developers use LibScout machine learning to detect known tracking libraries, plus some automated scanning. In addition, only open source applications are allowed in the F-Droid repository, making it difficult for attackers to sneak in malware. F-Droid's security model, integration process and reproducible builds make it the recommended choice.
In addition, the F-Droid app has recently undergone its second security audit. Such audits are important because they make the F-Droid Android app and its servers much more resistant to external attacks.
If you use an iPhone, the iOS App Store is the best option. There are no other app markets for iPhone that are not riddled with software that is pirated, modded, or malicious. If you are jailbroken there are Cydia and Sileo, but the tweaks in these repositories are not carefully reviewed. While the iOS App Store has had some security issues, it's still the way to go.
4. Keep Google from Tracking You on Smartphones
All Android devices that have access to the Google Play Store (all but a few phones in the United States) have come pre-installed with a set of Google apps that includes Google Maps, Chrome, and Gmail. However, it has been found that Google apps can register your location as many as 340 times a day, so these apps are not ideal for privacy.
Apple's apps record your location about a tenth as often as Google's. When you combine that with most Android phones having Google apps pre-installed, while the iPhone doesn't, it's safe to say that the iPhone is a better option for privacy in most cases.
I say "in most cases" because Android phones can actually be more private than iPhones – in fact, Gadget Hacks found that the two best phones for privacy and security both ran Android. However, short of purpose-built privacy phones, most Android phones are not as privacy-friendly as iPhones.
For those who don't like Apple or iPhone and want to stay in the Android ecosystem, you can replace the stock operating system with a custom ROM like LineageOS, which is basically a Google-free version of Android. You can take things one step further by replacing Google services with an open source option like MicroG. So, Android phones may be safer than iPhones, but if you want the best experience in this area, Apple is probably your best bet.
5. Opt Out of Shady Telecom Provider Programs
In 2014 it was revealed that Verizon and AT&T injected "perma-cookies" into mobile customers' web traffic. This lets the phone companies better track people for advertising purposes. AT&T has since stopped the practice after much outcry, but Verizon has not, though you can opt out.
There are privacy issues with almost all wireless carriers out there, so there's not much to say here except to be knowledgeable about the types of antics they use to invade your privacy. See if your carrier uses unique identifier headers to track you for advertising purposes and opt out if so.
We could encourage everyone to stop using wireless carriers, something more appropriate for the Extreme section below, but we know that is nearly impossible in this day and age. So just being aware of everything your carrier does, and then opting out of what you can, is the best approach.
6. Use These Browser Best Practices
When talking about the privacy and security of the browser, there are extreme degrees that can be achieved. In this Moderate category we will focus on mitigating site tracking and browser privacy issues.
Google's Chrome and Chromium browsers have come under fire in recent years for enabling users' microphones and using other privacy-compromising "features" without warning or consent. It is for these reasons, and many more, that Firefox is the recommended browser for all of you privacy-conscious users.
Firefox is a free and open source browser with a reputation for respecting the user's privacy. It is available on all operating systems, including smartphones.
To make hardening Firefox on the desktop easier, there are tools like Firefox Profilemaker. Just click the "Start" button, and it will begin walking you through the various settings available in Firefox while explaining how each feature affects the browser. When it's done, download and import the profile into Firefox for the hardened settings to take effect.
As for cross-site tracking, it's a bit more challenging to defeat and therefore an optional step. Cross-site tracking refers to advertisers and companies like Facebook collecting data about you across multiple websites. They usually perform this data aggregation through the social sharing buttons found on many websites.
These buttons, in addition to first-party browser cookies, make it convenient for website administrators to customize their visitors' experiences. The unfortunate side effect is that they also give giants like Google, Facebook, and Amazon the ability to track us across multiple domains while sharing information with data brokers and advertising networks.
To mitigate cross-site tracking, the Firefox profile manager can be used to isolate browser activities. For example, use different browsers to separate work accounts, personal profiles, and private browsing sessions. The profile manager can be invoked by entering about:profiles in the URL bar.
Below is an example of how profiles can be managed and color-coordinated to prevent confusion. Each profile can use a different Firefox Profilemaker profile and have varying degrees of hardening applied. For instance, the neutral web browser (black) can harden some privacy and tracking functions, while the private browser (red) hardens them all.
- Green — Work accounts, employee logins, and business bank accounts. The green color can act as a reminder (green like money) that this profile is designated for work-related tasks only.
- Black — This profile would allow cookies to persist in the browser, making it ideal for personal accounts that may be inconvenient to log into several times a day. The black color can act as a reminder that this browser window is somewhat neutral.
- Red — For everything else. This profile would use Private Browser Mode to ensure all browser cookies are purged when the browser window is closed. Ideal for general web searches and internet browsing. The red color can act as a warning that activity inside the browser will not be saved.
Browser extensions are dangerous. Only a few actually improve privacy and security in the browser without completely putting you at risk. In most cases, adding extensions and add-ons should be avoided. Many of the browser extension hacks affected Chrome in 2018, but Firefox add-ons are equally vulnerable. There are two add-ons that everyone should use:
- uBlock Origin — An open-source ad blocker designed to allocate very little CPU and memory while efficiently blocking ads. It has gained incredible notoriety over the years as being a superior alternative over popular solutions like Adblock Plus.
- HTTPS Everywhere — Many websites offer HTTPS in the browser but default to unencrypted HTTP. HTTPS Everywhere attempts to secure web traffic by rewriting URLs to use HTTPS every time.
Other noteworthy add-ons include NoScript, Privacy Badger, and Decentraleyes, but are not required. If they are not security-related, be wary of what they are doing.
When it comes to mobile browsers, Safari on iOS is actually pretty decent, since it has an option for disabling cross-site tracking, but Firefox Focus blocks a wide variety of online trackers. It's available for both iOS and Android.
7. Get Rid of Old & Inactive Accounts
The best way to minimize your digital footprint is to start deleting old and inactive accounts. Hackers can use data collection tools like SpiderFoot and Maltego to generate comprehensive activity and behavioral profiles about you.
Many websites make it intentionally difficult to find the "delete your account" button. The quickest way to delete online accounts is JustDeleteMe, a directory of direct links to "delete your account" pages for popular websites. It simplifies this process.
One great tool for locating accounts you've forgotten about is Pipl, a free people search engine that's very easy to use. Simply enter your common usernames and email addresses into the search bar, and Pipl will generate a list of associated profiles based on public information.
Below I'm using @snubs, a well-known Hak5 personality and influencer in the infosec community, as an example. We see she's on LinkedIn, Flickr, Twitter, FourSquare, and more.
More alternatives include BeenVerified, CheckPeople, and Spokeo. Simply enter your name, usernames, or email addresses into the search engines, and they'll likely produce information you didn't realize was publicly accessible.
Another method for identifying online accounts is to search your email inbox for terms like "sign up," "signup", "verify," "account created," and "verify your email."
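The inbox search described above can be automated over an exported mailbox so that forgotten accounts come out grouped by sender. This is an added example, not part of the original article; it uses only Python's standard library, and the sample messages, `.example` domains and function names are constructed for illustration.

```python
import email
import mailbox
import re
from email import policy
from email.utils import parseaddr

# The article's search terms: "verify" also covers "verify your email", and the
# optional separator covers "sign up", "signup" and "sign-up".
SIGNUP_TERMS = re.compile(r"sign[\s-]?up|verify|account created", re.IGNORECASE)


def plain_text(msg, limit=2000):
    """Return the start of the text/plain body, or "" if there is none."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return ""
    try:
        return body.get_content()[:limit]
    except (LookupError, UnicodeError):  # unknown or broken charset
        return ""


def sender_domain(msg):
    """Domain part of the From address, lower-cased ("" if unparsable)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sent_date(msg):
    """ISO date of the Date header, or "unknown" when missing or malformed."""
    when = getattr(msg.get("Date"), "datetime", None)
    return when.date().isoformat() if when else "unknown"


def find_accounts(messages):
    """Return (domain, first_seen, hits) for mail that looks like a sign-up.

    policy.default decodes RFC 2047 encoded subjects, so the terms are matched
    against readable text rather than "=?utf-8?q?...?=" blobs.
    """
    found = {}
    for msg in messages:
        subject = str(msg.get("Subject", ""))
        if not (SIGNUP_TERMS.search(subject) or SIGNUP_TERMS.search(plain_text(msg))):
            continue
        domain = sender_domain(msg)
        if not domain:
            continue
        entry = found.setdefault(domain, {"first_seen": sent_date(msg), "hits": 0})
        entry["first_seen"] = min(entry["first_seen"], sent_date(msg))
        entry["hits"] += 1
    rows = [(d, e["first_seen"], e["hits"]) for d, e in found.items()]
    return sorted(rows, key=lambda row: (row[1], row[0]))


def scan_mbox(path):
    """Scan a real mbox export (for example from your mail provider)."""
    box = mailbox.mbox(
        path,
        factory=lambda f: email.message_from_binary_file(f, policy=policy.default),
        create=False,
    )
    return find_accounts(box)


# Constructed sample messages; none of these senders or services are real.
SAMPLE_RAW = [
    "From: ExampleShop <no-reply@shop.example>\nDate: 03 Mar 2014 10:00:00 +0000\n"
    "Subject: Please verify your email\n\nConfirm your address to finish.\n",
    "From: Forum <welcome@forum.example>\nDate: 19 Aug 2015 08:30:00 +0000\n"
    "Subject: =?utf-8?q?Welcome_=E2=80=93_account_created?=\n\nHave fun.\n",
    "From: Sam <sam@mail.example>\nDate: 02 Feb 2016 12:00:00 +0000\n"
    "Subject: Lunch on Friday?\n\nSee you at noon.\n",
    "From: ExampleShop <no-reply@shop.example>\nDate: 11 Nov 2016 09:00:00 +0000\n"
    "Subject: Sign-up bonus inside\n\nThanks for being a customer.\n",
    "From: Photos <accounts@photos.example>\nDate: 01 Jun 2012 17:45:00 +0000\n"
    "Subject: Welcome aboard\n\nClick the link to verify your address.\n",
]
SAMPLE = [email.message_from_string(raw, policy=policy.default) for raw in SAMPLE_RAW]

if __name__ == "__main__":
    for domain, first_seen, hits in find_accounts(SAMPLE):
        print(f"{first_seen}  {domain:<16} {hits} matching message(s)")
```

Each row is a lead to check by hand, since a match only shows that a service once sent you sign-up style mail, not that the account still exists.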
Yet another method for discovering accounts that need to be deleted is Have I Been Pwned. Enter your email addresses into the search bar, and HIBP will tell you which addresses were affected by recent data breaches.
8. Get Delisted from People Search Engines Databases
The battle isn't over after deleting online accounts. Now, the information needs to be removed from the very same search engines used to discover them. Pipl and PeekYou have their own private databases. Deleting an old Twitter account won't necessarily remove the existence of it in Pipl's database. Unfortunately, the only way to completely rid an account from the internet is to contact each website directly and request they remove it.
For example, with PeekYou, it's required to first locate your listing on its website, send them the URL, and request it be removed. Remember to include your name and linked email address or they may not have a way to contact you or verify ownership of the account(s) being requested for removal. Ironically, we have to send some personal information to have it removed from internet databases. This process is a real pain, but a necessary evil.
Hard: Don't Support For-Profit Companies
Congratulations on making it this far! If you've successfully managed to put most of the previously mentioned privacy and security tips into practice, you're in excellent shape for 2019.
Keep in mind, the Easy and Moderate categories were more geared toward privacy and basic security practices — not anonymity. This category will focus more on creating small digital footprints going into the future, actively evading aggressive tracking tactics, and only supporting open-source software. As we're about to see, putting these tips into practice will prove to be much more challenging.
1. Stop Using Windows 10 & macOS
There are many privacy concerns with Windows 10 — more than we could fit into this section. The privacy-compromising and telemetry tools Microsoft allows you to disable will not prevent the company from abusing its control over the operating system. Below are a handful of reasons why Windows OS is a less-than-adequate choice for a private or secure solution.
Similarly, while Apple's macOS is based on open-source software, there are still many closed-source components. To make matters worse, Apple's operating systems, policies, and practices have been criticized in the past for containing backdoors, being involved in censorship, uploading files to iCloud without user consent, and surveilling macOS and iPhone users to several alarming degrees.
Start using a Unix-based operating system as your primary OS. There are so many great Linux operating systems designed for beginners. Elementary OS is one such example (shown below), which recently received a $1 million donation, which allowed them to hire more developers and really push the project to the next level.
Elementary OS has a macOS-like design with a minimalist interface that makes transitioning to a Linux system feel organic. Other recommended Linux distributions include Debian, Fedora, and Xubuntu. They all feature an easy installation process, massive support communities, and more control over the operating system than Windows 10 or macOS will ever allow.
Using an OS like Elementary won't make you completely immune to viruses and malware, however. No computer is. Joining a Linux community is more about supporting organizations that respect user privacy and security. These operating systems empower us to maintain full control over the system while having the ability to harden the OS to our heart's content.
2. Stop Using Gmail
It's time to stop using Google products. For some people, this is significantly more difficult than it sounds. Rest assured, more and more people are switching to privacy-respecting alternatives every single day.
At this point, there are too many privacy, anonymity, censorship, spying, data-mining, tracking, and overwhelming ethical concerns to support Google as a company or any of its "free" products. If that's not enough to get you to quit Google, below are several articles that might pique your interest.
To delete your Google account, first, navigate to myaccount.google.com and select the "Delete your account or services" button.
Select the "Delete Google Account and Data" button, then enter your password again.
Select the "download your data" button and store your Google data someplace securely in case you need to access an old email in the future. An encrypted container will work perfectly for storing such data.
Back on the deletion page, scroll down to the bottom of the page, check both acknowledgment boxes, and hit the "Delete Account" button.
And you're done! Congratulations on committing to quit Google! As stated previously, you should start using privacy-respecting email providers like ProtonMail instead.
3. Stop Using Google Search
Google's collection and aggregation of user data through its various tools enables it to determine a user's route through the internet by tracking IP addresses and cookies (cross-domain tracking). And remember: private browser mode (incognito) doesn't protect you entirely. Fortunately, there are several privacy-focused search engines available that allow you to search the internet without linking queries to your identity.
SearX, for example, is a highly customizable meta-search engine. It queries dozens of other search engines simultaneously to produce the best possible results. There are over one hundred search engines available to SearX, including DuckDuckGo, Bing, and StartPage. Best of all, SearX supports operators (aka "Google Dorks") for advanced search queries, all without compromising your privacy or serving ads.
Now, keep in mind, Google has expertly embedded itself into so much of our digital lives. It's near impossible not to unknowingly send data to its servers in one way or another. Even if you're not an avid Gmail, Google Search, and Google Maps user, simply visiting an ordinary non-Google website might result in your computer silently contacting Google-owned servers. We're talking about Google Fonts, Google Analytics, Google AdSense, and other Google products. In later sections, we'll show how to actively avoid these lesser-known analytical and privacy-invading services.
4. Stop Using Social Media (Sorta)
This is likely another big hurdle for most readers. Disconnecting from popular social media websites can be a real challenge. For some, Facebook is their primary method of communication with family members who are in different parts of the world. To make matters worse, social media websites make their services intentionally addictive to keep people from quitting while forcing them to consume ads.
Social media giants are susceptible to massive data breaches just like any other website and are known to sell customer data to third-parties. Furthermore, cyberstalkers and hackers can abuse the information you put online to compromise your digital and personal life, as well as the lives of your friends and family.
The good news is: we don't have to quit social media entirely. While the below websites can also be hacked, they at least allow people to sign up and access the website without forcing them to submit a phone number or real name. Now is the time to help your family and friends switch to privacy-friendly social media solutions. Don't wait for another data breach that results in their private data being shared by hackers around the world. There are some open-source, decentralized, and privacy-respecting alternatives that allow everyone to socialize securely while maintaining control over their data.
Disroot provides a collection of services based on principles of freedom, privacy, and decentralization. It takes pride in its no tracking, no ads, and no data mining policies. Its services include email, chat client, pastebin, search engine, and more.
5. Use Free & Open Source Software
Free and open-source software (FOSS), in contrast to Apple's and Microsoft's proprietary software, is software that anyone can review and audit. It is also freely available (actually free) to copy and use. In this Hard category, it's important to avoid proprietary software that can't be reviewed by third-parties and independent developers.
The use of open-source software is vital to your privacy, security, and anonymity. A good example of this is when the Kodi community discovered malicious code in a streaming app that turned everyone's Kodi device into a DDoS botnet. If Kodi and its extensions weren't open-source, it might've been weeks, if not months, before someone discovered the DDoS activity originating from Kodi devices.
To help you transition from popular third-party software to open-source solutions, below are several great alternatives to popular closed-source software.
- Discord: Wire, a cross-platform and fully-featured alternative with secure texting, calling, video chat, and file-sharing.
- Dropbox: Syncthing, a lightweight file-syncing solution. No data is ever stored anywhere else other than on your computers.
- Evernote: EtherCalc, a web-based spreadsheet, designed for teams working in collaboration. Changes to a document are reflected in real-time across everyone's screen.
- Facebook: Diaspora*, a distributed social network that consists of independently owned "pods." The pods work together to form the social network.
- Facebook Messenger: Wire, a cross-platform and fully-featured alternative with secure texting, calling, video chat, and file-sharing.
- Gmail: ProtonMail, an encrypted email provider that utilizes open-source cryptography.
- Google Chrome: Firefox, an open-source web browser with a reputation for respecting user privacy.
- Google Drive: SpiderOak, an online backup and file hosting service that allows you to synchronize and share data using an encrypted cloud-based server solution which doesn't allow SpiderOak (or anyone) access to data stored in the cloud.
- Google Maps: OpenStreetMap, a community-based Google Maps alternative that respects user privacy.
- Google Search: SearX, a privacy-focused meta-search engine that queries dozens of popular search engines simultaneously to produce the best possible results.
- LastPass: KeePassX, a password manager that allows anyone to easily secure their passwords and personal data.
- Twitter: Mastodon, a Twitter-like platform with no advertising, monetizing, or major corporations behind the project.
For more alternatives, check out PRISM-Break.org.
6. Utilize Disposable Emails
Disposable email addresses are a fantastic way to evade spam while minimizing exposure to website data breaches. For example, when a website gets hacked, user email addresses are usually among the first things hackers start passing around. In some cases, spammers will even buy email databases from hackers for email bombing schemes and other nefarious purposes.
Guerrilla Mail is the disposable email provider of choice. At the time of this writing, Guerrilla Mail allows up to eleven different domains (e.g., @guerrillamail.com, @grr.la, @spam4.me), access via onion service (for anonymous access, which will be convenient in later steps), and the ability to scramble the email address.
Scrambling the Guerrilla Mail address is very important to the usage of disposable addresses. In the event hackers acquire a leaked database containing your Guerrilla Mail address, the scrambled address will prevent them from simply logging in as you and resetting account passwords associated with the disposable email address. Always scramble the Guerrilla Mail address before signing up for websites.
When storing disposable email addresses in your password manager, be sure to save the unscrambled address as well. This will allow for access to the email address again in the future, in case you need to reset the password or verify the account for some reason.
It's not recommended to use disposable email addresses with sensitive accounts like banking and Bitcoin wallets, however. Sensitive accounts should be linked to your primary ProtonMail email address. Your Instagram and Reddit accounts, for example, can use Guerrilla Mail without damaging your security while simultaneously minimizing your exposure to data breaches.
7. Use a Privacy-Focused Smartphone ROM
At the time of this writing, Plasma Mobile is the only viable non-Android smartphone OS far enough along in development to be worth recommending.
Plasma Mobile is a completely open-source, Linux-based mobile operating system. And best of all, it's not based on Google's Android OS. It is currently under active development so the end-user experience may not be as flawless if you're used to Android. To get started, reference the official site for different ways of joining the community and contacting the developers.
As an alternative, postmarketOS is another Linux-based mobile OS, but it is still in the very early stages of development and therefore isn't stable enough to confidently recommend. In the future, readers can look forward to the Librem 5 and the Necuno. Both devices are 100% open-source Android OS alternatives.
8. Only Use PrePaid Debit Cards Online
Credit card numbers are dumped on the internet and shared privately on websites every single day. The below screenshot was taken from a website that publicizes new credit card information several times a day.
The website is currently online and seemingly publishes hacked credit card information for no reason at all. How this data is acquired is unclear but anyone can easily become a victim of such compromises. Fortunately, using disposable debit cards will drastically help mitigate this kind of exposure.
When making online purchases, it's much safer to use disposable debit cards with a limited dollar value attached to the card. For example, losing a disposable card with only $200 USD on it will be far less devastating than hackers sharing your credit card info and accumulating $10,000 in credit. In the latter scenario, your funds will likely remain depleted for weeks while the credit card company attempts to verify your claims of being a victim of fraud.
Additionally, when registering and activating the card, false information can sometimes be used to further minimize your attack surface from data breaches suffered by the companies distributing the disposable cards.
The use of prepaid debit cards will help prevent fraud, as well as allow for some degree of anonymity when making purchases online.
Start using the Tor Browser as often as possible. It offers a simple solution for those of you who want to browse the internet anonymously, as we begin to dive deeper into anonymity technologies and concepts.
The Tor network is a collection of thousands of volunteer-operated servers that allow anyone to improve his or her privacy and anonymity on the internet. The Tor browser allows us to securely access the Tor network and prevent tracking techniques deployed across the internet, like Google Analytics. For those of you who are unfamiliar, Tor provides a brief two-minute video that explains what Tor is and how it works.
When using the Tor Browser, resist the urge to install any browser add-ons. This is contradictory to what's stated in the Moderate category where we recommend installing uBlock Origin and HTTPS Everywhere. Part of how the Tor Browser is able to protect anonymity is by making all of your web traffic appear indistinguishable.
For example, if ten people are using the Tor Browser to visit the same website and one of them has a User-Agent spoofing add-on installed, the Tor exit operator (possibly fingerprinting web traffic) and the website administrator(s) will be able to easily single out that user's web behavior from the other nine Tor Browser users. Additionally, Firefox add-ons are not audited or inspected by Mozilla or Tor developers, and they may even find ways of circumventing the browser's proxy settings — which could lead to de-anonymization. It's difficult, but in this Hard category, it's time to ditch your favorite browser add-ons entirely. They're unsafe and damage your anonymity.
A starter guide to Tor Browser best practices can be found on the Whonix website. For a more technical understanding of how Tor works, check out the official documentation. For help setting things up, visit the Tor StackExchange website or check out Null Byte's article by Black Slash.
Extreme: Anonymity Best Practices
The recommendations in this Extreme category introduce some advanced concepts intended for those of you who wish to maximize your operational security while remaining as anonymous as possible.
Be advised, practicing the below steps without first adhering to the privacy and security practices in the Moderate and Hard categories will dramatically reduce the reliability of these Extreme recommendations. For example, using Whonix on a Windows 10 or macOS host is greatly discouraged for the reasons outlined earlier in the article. Likewise, creating fake identities using a Gmail account will allow Google to collect data about you, the identity, and other accounts that may be linked to the Gmail address.
Implementing any number of the below recommendations (correctly) will significantly improve your privacy and anonymity in 2019. Congratulations on making it this far.
1. Use Cryptocurrencies for Online Purchases
Cryptocurrencies like Bitcoin, Ethereum, and Monero allow people to make purchases online with some degree of anonymity. As with prepaid debit cards, cryptocurrencies can help minimize exposure to credit card fraud while providing some degree of anonymity to online transactions.
The benefits and disadvantages of cryptocurrencies have been covered in greater detail in Hoid's Null Byte article on buying bitcoin anonymously. Be sure to check that out for more information.
2. Use OnionShare for Anonymous File-Sharing
OnionShare (via onion service) is an open-source tool that allows you to securely and anonymously share files using the Tor network. It's lightweight and easy to set up. When sharing files, OnionShare will automatically generate a new onion address that can be shared (shown below).
Similarly, OnionShare has a function to receive files. It will automatically generate an onion address where your contact can upload files from their computer. This means your contact doesn't need to install OnionShare on their computer at all.
3. Use Fake Identities & Disinformation
The use of fake identities online is a great way to minimize your exposure in the event a website you're associated with becomes compromised.
Obviously, it would be easier to simply load the account with gibberish information, but don't underestimate the value of disinformation and blending in with the crowd (i.e., the leaked database). Using false yet believable information will make it difficult for cyberstalkers and advertisers to single you out as a privacy-conscious user.
Of course, we're not recommending you go and start catfishing people online. Rather, this section should be used to help pollute website databases with false information, for example, when account registrations unnecessarily require a date of birth, profile picture, or home address. In the event said websites are breached, the personal information associated with your account will only contain false data, partially shielding you from compromises.
Fake Person Generator is an excellent tool to help generate fake identities for online accounts. It provides a name, address, date of birth, phone number, and generic profile picture that can be used when registering to websites.
The person in the above photo is not "Stephen Ortiz" at all. In fact, the photo was taken from websites that allow content redistribution. Alternatively, for unique profile pictures, thispersondoesnotexist.com can be used, which creates a new artificially-generated human face every time the webpage is refreshed.
As a best practice, while assuming a fake identity, minimize communications with people online. This will be a challenge for all you social butterflies, but it's important to anonymity as we unwittingly divulge too much information about ourselves in the ways we write, form sentences, and choose words. Various darkweb forum users have been de-anonymized by their stylometry and patterns of writing. Be mindful of this when socializing online.
4. Use the Whonix OS for Stream Isolation
Whonix is an open-source, security-focused desktop operating system (OS) designed to be used in virtual machines. It consists of two VMs: the Whonix-Gateway runs the Tor process and acts as the secure gateway to the internet, while the Whonix-Workstation is where you install and use applications, completely isolated from the Whonix-Gateway.
Isolating the two instances greatly increases operational security. If an application running inside the Whonix-Workstation becomes compromised, it would be difficult for the attacker to then compromise the Whonix-Gateway (or VirtualBox itself) in an effort to de-anonymize you.
Whonix has a number of benefits that make it a practical solution for anyone interested in increasing the overall security of their operating system. Most notable is Stream Isolation (shown below), which lets multiple applications running inside the same Whonix-Workstation use different routes through the Tor network. So, using an IRC client to chat with your friends will allocate one Tor exit node, while your email client utilizes another. Identity correlation attacks are mitigated by isolating the traffic on a per-application basis.
You're encouraged to check out the Whonix documentation, user forums, tips on remaining anonymous, and onion address.
5. Use Qubes OS for Advanced Security
Qubes OS (available from its onion service) is a secure, free, and open-source operating system. It allows you to isolate different activities on your computer by securely separating them from each other in isolated "qubes." This is beneficial because if one qube becomes compromised, it won't affect the integrity of other qubes and applications on the computer.
For example, if you were to accidentally visit a mischievous website or open a Microsoft Word document containing an encrypted stager in one qube, it would not affect the security of another qube where banking transactions are taking place. The attacker would be isolated to one qube, which can be easily disposed of.
For more on how Qubes works, check out OnionShare developer Micah Lee's HOPE talk, Qubes' official documentation, and YouTube user mrwilsox's video review.
The Firefox add-on HTTPS Everywhere has a great feature built-in that allows you to rewrite URLs. This makes it possible to force onion addresses for their respective .com or .org address. For example, typing "searx.me" in your web browser can automatically navigate to the SearX onion address (shown below).
After configuring HTTPS Everywhere, it will always use the onion address automatically, even when clicking on hyperlinks. To configure this in your browser, load the regular site's URL you wish to configure, click on the HTTPS Everywhere toolbar item, then click the "Add a rule for this site" button. The below example is using the Security in a Box website.
Next, click the "Show Advanced" button in the Add New Rule section, and paste the onion address into the "Redirect to" field. Leave the HTTP domain in the "Matching regex" field, and hit "Add a new rule for this site" to finish. Then, add another rule for the HTTPS domain. (Note: You can view all of your custom rules via HTTPS Everywhere's preferences from your list of "Add-ons" in Firefox.)
That's all there is to it. From here on out, navigating to the website you set up, in my example, securityinabox.org, will automatically redirect to the onion address you specified.
Below is a non-exhaustive list of websites that currently support onion addresses that can be forced using HTTPS Everywhere. For more options, check out our guide on the top websites on Tor.
- debian.org : sejnfjrq6szgca7v.onion
- deepdotweb.com : deepdot35wvmeyd5.onion
- duckduckgo.com : 3g2upl4pq6kufc4m.onion
- facebook.com : www.facebookcorewwwi.onion
- gnupg.org : ic6au7wa3f6naxjq.onion
- guerrillamail.com : grrmailb3fxpjbwm.onion
- mail.protonmail.com : protonirockerxow.onion
- mail.riseup.net : zsolxunfmbfuq7wf.onion
- nytimes.com : www.nytimes3xbfgragh.onion
- onionshare.org : lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion
- privacyinternational.org : privacyintyqcroe.onion
- propublica.org : www.propub3r6espa33w.onion
- qubes-os.org : sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
- searx.me : ulrn6sryqaifefld.onion
- securityinabox.org : bpo4ybbs2apk4sk4.onion
- thepiratebay.org : uj3wazyk5u4hnvtk.onion
- torproject.org : expyuzz4wqqyqhjn.onion
- web.archive.org : web.archivecrfip2lpi.onion
- whonix.org : dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
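A redirect rule is only as safe as its "Matching regex": a pattern that is not anchored and escaped will also fire on hosts that merely contain the domain. The following added example (not part of the original article and not HTTPS Everywhere's own code) models the "Matching regex" and "Redirect to" fields with Python's re module, using the securityinabox.org pair from the list above. The http:// scheme for the onion target, the optional www prefix and the look-alike host are assumptions made for illustration.

```python
import re

# Pair taken from the list on this page.
DOMAIN = "securityinabox.org"
ONION = "bpo4ybbs2apk4sk4.onion"


def make_rules(domain, onion):
    """Return (matching_regex, redirect_to) pairs: one for HTTP, one for HTTPS.

    The regex is anchored at the start, the domain is escaped so '.' is a
    literal dot, and the trailing '/' pins the end of the host name.
    """
    host = re.escape(domain)
    # Assumption: the onion service is reached over plain http://
    target = "http://" + onion + "/"
    return [
        (r"^%s://(?:www\.)?%s/" % (scheme, host), target)
        for scheme in ("http", "https")
    ]


def rewrite(url, rules):
    """Apply the first matching rule to url; return url unchanged if none match."""
    for pattern, target in rules:
        # A function replacement keeps the target literal (no backslash parsing).
        new_url, count = re.subn(pattern, lambda m: target, url, count=1)
        if count:
            return new_url
    return url


def matches(url, rules):
    """True if any rule's regex fires on url."""
    return any(re.search(pattern, url) for pattern, _ in rules)


# A hypothetical careless rule: bare domain, unescaped and unanchored.
LOOSE_RULES = [(DOMAIN, "http://" + ONION + "/")]

# Constructed test URLs.
REAL = "https://securityinabox.org/en/guide/"
LOOKALIKE = "https://securityinabox.org.lookalike.example/en/guide/"
EMBEDDED = "https://example.com/?next=http://securityinabox.org/"

if __name__ == "__main__":
    strict = make_rules(DOMAIN, ONION)
    for url in (REAL, LOOKALIKE, EMBEDDED):
        print(url)
        print("  strict rule ->", rewrite(url, strict))
        print("  loose rule fires:", matches(url, LOOSE_RULES))
```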
7. Avoid Exit Nodes with HTTPS & Onion Addresses
Onion addresses allow you to actively avoid Tor exit nodes that may be monitoring web traffic. There are a handful of websites that support Tor onion services including news outlets, email providers, blogs, and social websites.
Unfortunately, there are still many websites that don't support even basic encryption. Websites that don't support HTTPS leave us Tor users especially vulnerable as Tor exit node operators will be able to see everything you're doing.
Now, this doesn't entirely negate the anonymity benefits that come from using the Tor browser. Tor exit node operators still don't know who or where you are — assuming there's no personally identifiable information in the HTTP traffic.
Regardless, using Tor with unencrypted HTTP is unsafe and should be avoided. As a partial workaround, Archive.org's Wayback Machine is a great tool for accessing static websites over a secure protocol. And best of all, the Wayback Machine is available as a Tor onion service.
Simply paste the domain (e.g., neverssl.com) into the Wayback Machine's search bar, and it will load the website's history of snapshots. You can choose one of them, immediately create a new one, or jump right to a recent one. Below, I'm viewing neverssl.com via the Wayback Machine's onion address. This allows for anonymous access to a normally insecure website.
Archive.org knows someone viewed NeverSSL anonymously but they don't know anything about you. Similarly, NeverSSL's website was pinged by one of Archive.org's servers which is likely in a different part of the world and can't be linked back to you. This, coupled with forcing the Archive.org onion address in your web browser, can make avoiding Tor exit nodes pretty convenient.
It's Up to You How Secure Your Data Is
Absolute anonymity on today's internet is impossible. Everything we do online leaves a digital trail that can be correlated back to us in some way. The tools and techniques demonstrated in this article only make it difficult for internet providers, cyberstalkers, and hackers to track us and break into our accounts — not impossible.
Still, it's worth trying to achieve some of the Hard and Extreme security and privacy measures. There's no telling which websites, companies, and databases will be targeted this year. You and your loved ones might end up the victims of a major data breach that ultimately leads to identity theft, fraud, and other compromises that might otherwise be mitigated by using two-factor authentication or deleting an old account you forgot existed.
Your data, no matter how little value you might believe it holds, has great worth. Don't give it to hackers and money-hungry corporations for free.