Most of you probably already know our non-profit blog InfoSec Handbook. It is a collaborative self-funded project, led by Jakub (Cyber Threat Intelligence Analyst) and Benjamin (ICS/OT security consultant).
Our blog is primarily focused on information security, and our basic mission is to share our knowledge – without any tracking, any ads, any sponsored content, or other shady dealings. We think showing readers why and how they can achieve security continuously by thinking about processes, becoming aware of threats, and learning about pros and cons of technology is the best way to actually improve security.
We joined this forum several months ago to also discuss privacy aspects and to collect some feedback on our work. For instance, @Mikaela already suggested becoming more transparent – since then, we continuously push all changes to codeberg.org where they can be reviewed.
Currently, we get most feedback via Signal, e-mail, or Keybase. But maybe some of you want to comment here. So what do you think about our project? What is your favorite topic/article? What do you miss? What needs to be improved? How can we help here, on forum.privacytools.io? (And we want to say here: We do all of this during leisure time without earning/demanding extra money.)
So what do you think about our project? What is your favorite topic/article? What do you miss? What needs to be improved?
I think it’s great. I haven’t read enough yet to pick favorites, but as you know I came to your site because of eelo reviews, which are very interesting to me (and to e). Recently, I very much enjoyed your article on the Capture the Flag contest you hosted, and the “shout out” to privacytools.io in your monthly summary was generous; I like the summaries, even if I didn’t read all the links/articles.
If I miss anything, it’s more on “Why” things are significant. Particularly, regarding eelo articles (or Lineage or other flavor on phones), why the different network traffic is important. Or maybe it’s also “How.” How do marketeers, or stalkers, or whatever we call them, use those bits of traffic to monitor? Why is a “connectivity check” to a google server significant? Or, so what if someone knows my phone uses NTP to check The Time…Do they know exactly who I am (and how)? Also to put it into context - If we could use our own personal server to replace those services, would the difference be significant, considering our ISP knows when and where we use internet at home, and our cellular provider knows when and where we use internet on the road, and they all probably share or trade all the logging data in an opaque grey market somewhere…including from our fingerprinted browsing internet at coffee shops…Obviously I have not yet read all your series, so apologies if it’s already covered in other articles.
That is a very good point. We already realized this and started to improve our articles and recommendations. As you may know, we continuously update all articles to remove outdated information. So we will add more information on “why” it is beneficial to do something.
However, this will take some time.
Regarding your questions not directly related to InfoSec Handbook:
This is more about getting small pieces of information from you. Big companies get many small pieces and with every additional piece they can identify you better. It is important to see the word “can” in our last sentence. In many cases, people assume that a company uses certain information to track/identify people, however, there is no proof.
Example: If you open a website once, there is a very small chance that they can identify/track you. However, if you return frequently and click on different pages of a website, they will be able to see 1) when you read their articles (~when you use the internet, e.g., in the evening on workdays), 2) what you consider interesting, 3) which devices you use (user agent information), and 4) where you are located (IP address).
If you only look at one piece of information like a user agent header or a timestamp, it is not that informative. However, if you combine this and collect many pieces over time, it can be used for tracking.
TL;DR: Replacing all of these services is paranoid and introduces new problems.
Longer answer: We mainly listed this in the articles on /e/ to show readers that there is still network traffic to/from Google servers (while /e/'s ads read like “/e/ is 100% Google free” and this could be misleading). If you start to replace all of these services with other third parties, you simply start to trust the new third party. Example: You use a VPN provider, so “your ISP can’t spy on you” (VPN marketing lingo). However, now you have to trust your VPN provider that they don’t spy on you.
Besides, even if everything looks to be 100% Google free (if this is somebody’s goal), there can be still network traffic to/from parties that aren’t Google but host on Google servers. And if they put a reverse proxy in front of their Google-hosted infrastructure, it will be extremely hard to detect. The reverse proxy could be hosted by Hetzner, for example. Then, many web scanners will tell you that this IP address is hosted by Hetzner (while the hidden infrastructure like database servers could be hosted on Google infrastructure).
On the other hand, replacing all services with your own server(s) introduces new problems. For instance, the server produces costs, you must keep it up-to-date, you must continuously keep it secure, and – as you wrote – parties which route your network traffic can still observe your traffic.
In the end, you spend lots of hours and money to only change several small pieces of information mostly based on assumptions without knowing if this changes anything regarding your privacy.
Thank you very much for asking this!
All your articles are awesome and the home network series is even on a next level above everything!
IMHO the fundamentals of a private or secure network are laying on the door btw the inner and outer world, namely on the router, but I wouldn’t tell any secret if I’d say, I’m anything but an expert in this field…
So, I would really appreciate to read more about openwrt in general and about the Turris Omnia router and its settings. A detailed walkthrough on each setting in the Turris GUI and also in the openwrt LuCI GUI.
My motivation is, that I plan to buy a Turris Omnia, so I want to learn more about it and also, why is it that much better, than a 50$ used router, which runs openwrt flawlessly too. Focusing only on the router functionalities, not on the capabilities to turn it into a NAS or a Nextcloud instance.
The following is not related to your project directly:
To see, what openwrt can offer, I flashed it on an old TP-Link N750, but after trying to set it up, it landed back in its box on the shelf… Honestly, I’m not familiar with all the settings, that LuCI offers me, so the “f@ck-everything-up” vs “setting-up-my-secure-router” ratio was too high for me. Of course it’s not openwrt’s fault but mine, but tbh, I found the openwrt documentation, well, quite messed up and redundant so a straightforward series of detailed walkthroughs - first just on the GUI(s) of the turris or openwrt in general - would be very warmly welcome, hopefully not just by me, but by a bunch of other people too.
During my research on the topic, I found the following blog posts, which make me think, like “hmm, these guys seem to know what they’re talking about but even their knives broke into this lock”, on the other hand, you seem to have no issues with the Turris. Could you please comment on these posts? https://routersecurity.org/TurrisOmnia.php
(just ignore mechanical issues, I’m a mechatronics engineer)
Back to a general topic:
My second wish - being so close to Christmas - would be to learn about LineageOS.
I understand your comment on another topic, that it would be just a snapshot of conclusions at that current point of time. OK, fair enough. On the other hand, you did a deep look into the /e/ rom, which performed quite poorly back that time - from being Google-free, as advertised.
Anyways, I don’t care about /e/, but about lineage, since I use that - w/o microg or anything from goglyu. Stock lineage plus f-droid on a sjaomi mi5. I know, all lineage ROMs for each device are unique, they don’t even run on the same kernel (3.xyz vs 4.sth), while being the same release, like 16.0.xx.
What I’m interested in is the following: people write on several sites, forums, etc., that lineageos is not built with privacy in first place. OK. What does that mean? How deep and what does one need to tweak in general to turn lineageos into a privacy-focused OS? Don’t use the default browser, calculator, whatever default app or dig into the developer options and change system-level settings to prevent the phone to leak data to gagle, amazingon, (to the E-corp or the Black Army, hahaha)?
While I learnt already some, during my way into privacy, it would be so much appreciated if you would write such articles, which focus and describe questions like that above and more, which are on the line between an understanding of an average internet consumer and deep level insiders, like you are.
Thanks so much in advance guys! If I can contribute in any way, like sending an old phone for testing, whatever else, just ping me.
I really appreciate your work, just like I do appreciate and love privacytools.io.
Basically, the vast majority of the components in the Turris Omnia are open hardware, and if you want open-source software, you likely also want open hardware. Then, you can extend the router (e.g., installing an SSD as explained in our series). Fourthly, the Omnia is very beginner-friendly since it comes with an easy GUI and the extended LuCI. Finally, the Omnia’s hardware is powerful enough to run certain services on your network like NextCloud. If you don’t need open hardware or customization, then you may choose any other router that is capable of running OpenWrt.
This 2016 review is already 3 years old. See our comments below:
Solid hardware, gigabit ethernet, fast CPU, two wifi adapters
Supports many services and can do much more than a basic router
This is still the case.
Serious quality control issues. Loose antennas can be checked by touch.
You have to install the external antennas yourself during the first setup. So they are loose on purpose. There were no other loose parts here.
SSH issues out of the box, which makes everything harder.
We can’t confirm this. SSH runs as intended.
I could not find how to manually run updates (after getting Internet connection) from the web interface. It would have solved my issue with SSH, but I was only able to manually run the updates from the command line. Yes, I was missing one button.
We only know the command line option to look for updates, so we can’t confirm or deny if there is a GUI button.
No VPN configuration out of the box. It’s nice that it can do NAS and all the fancy stuff, but VPN is such a basic functionality that even most cheap routers do them out of the box.
The Omnia comes with an OpenVPN module. Configuring your VPN is very easy. The hard part is to configure a dynamic DNS provider if you don’t have a static public IP address. However, this is out-of-scope of routers.
LineageOS is basically the open-source version of Android with some additional apps and features. However, being open source doesn’t include being “privacy-friendly”. These people likely mean that there is still network traffic to Google. Sometimes, LOS is promoted as the Google-free Android, and this is not true in this case.
This depends on your version of LOS, your apps, and your level of paranoia. Of course, there is less network traffic to Google if you switch to LOS without Google’s apps. But some people don’t want any connections to Google and this is often not the case. For instance, the connectivity check, the default DNS server, and some libraries could still rely on Google servers. The question here is: Is there any real risk to your privacy if your device uses certain services? This can’t be easily answered. Some people offer replacement services here, but oftentimes you can’t validate their claims of being better for your privacy in the end.
However, as written in some articles on our blog, even if you fully control your Android operating system, many other chips of your smartphone are proprietary and can’t be controlled. One current example is the Simjacker attack that demonstrated the ability of remotely installing/removing software on your phone’s SIM card.
Thanks for your suggestions. As written in another comment on this page, we already plan to describe the “why is this good for me” in certain cases in greater detail.
At the moment, we have a long “we would like to write about this” list. So maybe in 2020.
I like your website. It has some good info and is well designed and has a good layout. It is easy to use.
I would like to see more articles about privacy. What you recommend about privacy online and in general like browsers, operating systems, software, search engines etc. Thanks.
I love your website, particularly the glossary part where you explain the technical terms. My fav part is monthly review. Why did you guys stop posting them? There was no review for Jan? How about Feb? Will there be any?
For all of us, 2020 started with a lot of security work (network traffic analysis, redesign and reconfiguration of production networks, awareness trainings, further education etc.). Due to this, we had to reduce our activities on infosec-handbook.eu. However, this will be only a temporary state. We expect to return to a “normal” state in April.
For today (2020-2-29), we plan to publish a combined monthly review that covers January and February.
I definitely do not mind delaying things if that contributes to make them of great quality. I really enjoy your content and reviews, they are very thorough, informative and touch on interesting topics that many other blogs and news sites miss. Thank you for that.
Currently, there is no mirror. We evaluate different possibilities to provide one. We look for a solution that meets the following requirements:
People can read all posts without creating an account.
People can subscribe via ActivityPub.
People can subscribe via RSS/Atom.
We can export all of our posts in case the solution becomes outdated or is shut down.
We can edit posts after posting them.
Optional: There is no limit for characters per post (in theory).
A simplified comparison:
These aren’t all possibilities, of course.
Keybase: We primarily had a Keybase account for public proofs, encrypted Git, and for mirroring our public OpenPGP key. Lately, we operated a read-only group with 200+ members that reposted our Mastodon feed. However, the infamous Stellar Space Drop resulted in many fake accounts, so some of these members aren’t readers. Since we migrated our Git repositories to codeberg.org and use the “new” key server keys.openpgp.org as a mirror for our OpenPGP key, the remaining reason for keeping Keybase was public proofs. Many people seemingly don’t know about this feature or don’t understand it, so we decided to delete the account.
Mastodon: We experienced the shutdown of two Mastodon instances before. The first time, we lost all of our posts and all followers; the second time, we lost all of our posts and some followers. While you can migrate all followers since Mastodon 3.0.0, there is still no possibility to keep your “toots.” Furthermore, editing posts isn’t really “editing,” but deleting the old toot and creating a new one. Finally, the character limit has its pros and cons.
Website: A static website (see our current blog) comes with flexibility; however, we can’t provide the content via ActivityPub, so there is no direct way to share content with the Fediverse. On the other hand, a dynamic website increases our attack surface and is more time-consuming.
To clarify: We may consider replacing Mastodon with a solution that meets the requirements mentioned above. Self-hosting a Mastodon instance could also be an option; however, we do not prefer it.
Currently, there is no plan to delete our account here.
Regarding Patreon: We want to remain 100% independent. As soon as we collect money from people, there is some dependence. Besides, money isn’t an issue for us, but time. Money can’t replace time.
Regarding a podcast: We considered this months ago, but several elements for a good podcast are missing.