Originally posted in an off-topic forum Rapdaddy suggested this topic be moved to tutorials.
The original post is located at viewtopic.php?f=7&t=35399.
As far as external security goes, I'm going to try to convince you why this is important to you, and so you have to put up with a lot of words before you get to the how-to.
Regardless of the types of activity you engage in on the internet your privacy and security need to be protected. I'll provide links to sites with detailed instructions on how to implement a change if I haven't had a chance to put the steps in the topic below. I may recommend products but I don't necessarily endorse or use them.
This post is intended for guidance, but as always do your own research and post your results so that others can learn from your experience.
I'm going to divide the technical guide into two parts:
External Security and Internal Security. I'm going to try to be brief, but I have to quickly go over some fundamentals. I am going to skip mac addresses and the network topology model and keep it really simple. Skip to the white text if you're bored.
Think of your box (pc) as an apartment complex. Internal threats come from neighbors living in the same building eavesdropping on your conversations through the walls or having access to your front door, or otherwise having physical or a virtual presence at or on your pc.
External threats are the internet zombies and copy-write trolls outside of your building trying to get in, or trying to spy on you and what you are doing from across the street.
Your cable modem or internet gateway router (wireless or hardwired) is your interface to the outside world. As would be your telephone modem if you were using dialup. That single point of access to the internet has what is called an Internet Protocol (IP) address associated with it which is assigned by your Internet Service Provider (ISP). At the time an IP address is assigned you ISP creates a record with a timestamp recording the IP address, datetime and MAC address ( formally Machine Address Code, now Media Access Control address) of the equipment the IP address the assigned to.
For practical purposes your IP address represents your PC's gateway to the internet.
It must be visible on the internet so that you can exchange information with other IP addresses.
So you open up your browser and go to google.com and search for NASA ISS. Google does it's thing and returns the 17,200,000 hits to your browser window.
By submitting a request to Google, Google knows your IP address and the time that you submitted the request. Because that IP address is uniquely assigned to your personal internet gateway at a specific point in time the Government can request the searches that Google performed for a specific address at a specific time.
Current bills in congress would require google to keep information for a year, as well as your ISP which will be required to track all of your activity, all of the sites you visit and information that you request and submit in a database.
Any site you visit can and often does collect your ip address for their own security.
Your first line of external privacy and security is to use a Virtual Private Network (VPN) service that changes your apparent IP address to web sites that you visit.
These are called Virtual Private Networks (VPNs). Your box connects to a server that in turn connects to the rest of the world. The VPN provider then becomes your ISP. Keep in mind that your VPN provider can be subpoenaed just like any ISP. However finding your identity will require two separate subpoenas to two different ISPs. If you're very paranoid you can use several VPNs, but each VPN in the chain will degrade your network performance. Some web sites will block access from certain VPNs because hackers use VPNs to cover their tracks. If you do nothing else in this post, get a VPN. When you connect to the internet through a VPN server you get an added layer of security with some providers actively blocking malware, and hacking attacks attempts would directed against the VPN network IP, not your personal IP.
There are other advantages to VPNs. Regional blocking. Living in Az and want to watch the BBC News online? No problem, switch sites to a London IP address.
Getting a VPN
Here's a link to some VPN reviews on -->>> CNET
I removed a recommendation for StrongVPN because of their excellent customer service because I learned they are keeping IP logs.
Don't bother with itshidden.com - itslowasfuck.slo
Also if you read the actual terms of service you'll find they will track users though they said
they don't in the torrentfreak article below.
There are many of VPN services available that can fit any budget, including free ones.
Do your research.
Nevermore responded to this topic on Oct 7th. I've included the jewel that he posted.
Note that I added red to NMs original for emphasis.
Nevermore669 wrote:WHICH VPNs ARE TRUSTWORTHY???
I just ran across a fine little article on TorrentFreak asking which VPNs are really safe, in light of the recent alleged discovery of the identity of a LULZsec contributor who was using a HideMyAss service.
Basically, the rule is simple: If a provider keeps any logs containing any identifiable information (IP), then it is NOT safe. There is a nice list of safe VPNs in the article, as well as a few popular ones that are not (HideMyAss is not listed - but I think we already know how safe they are).
The article is here.
For me, 85.00 a year is worth knowing that my original IP is not visible to bad guys.
I don't care what VPN service you use, or if you use several at once. Protect your originating IP, ESPECIALLY IF YOU DOWNLOAD QUESTIONABLE CONTENT!
Ideally you will pay for your VPN with a visa or mastercard gift card through an anonymous paypal account.
What types of threats does this protect me from?
Casual hackers. You are behind your firewall that is behind the firewall of the VPN provider(s) making it difficult to find your originating IP address and even more difficult launching certain kinds of attacks against your box.
If you use torrents this will protect you from copyright trolls.
If you use torrents google TOR.
If you use websites and forums this will protect you from copyright trolls and to a limited degree
These Trolls get filthy rich by legally blackmailing people and have become so bold as they ignore
instructions of a Judge just to get at you and prey upon you.
https://www.eff.org/deeplinks/2011/09/j ... l-attorney
Right now, the MPAA is teaming up with ICE(notfilmsinfo). Evidence points to the fact that all forum member might not be trustworthy and may be law enforcement, or may be employees subcontracted by the MPAA to spy upon forum members.
A private company can legally invade your privacy in ways that the government cannot. Private companies can collect data and then turn that data over to the government for legal action without
fourth amendment hassles.
There are scams out there that allow you to download from multiple premium file hosting services. As soon as you download a link from them they have your IP address and the content of the link that you downloaded. Be very suspicious of privacy statements that indicate that your IP address is being recorded and that provide free gigabit bandwidth services. Who can afford to run such services for free? C-Trolls can. They can seed a forum with all kinds of groovy content and if you use one of their download services to get the content they've provided you may get a Troll letter.
If you EVER get a Troll letter contact http://www.eff.org and they will help you.
Never openly admit to anyone that you may have downloaded questionable content.
Keep in mind that nothing will protect you if you are breaking the law and THEY are out to get you, but making things more difficult by using a VPN or two will hopefully turn the BIG EYE towards easier targets.
What is the risk of not using a VPN?
A civil fine for downloading copyrighted material carries a penalty of up to $150,000.00 per copyright violation. If you engage in questionable activity then you are stupid if you don't protect yourself with a VPN. By questionable activity I mean downloading or uploading links that you don't own the copyright to or connecting to sites that you would be embarrassed to tell you mother about.
The next item to address is simple. Keep an open public wireless access point (WAP) for your friends and neighbors. Not only are you being a good citizen by sharing your spare bandwidth with neighbors who may not be able to afford internet connections, but what was a "private" IP address assigned only to you by your ISP becomes a public gateway. WAPs are less than 100.00.
WAPs, depending on model, have features that will keep your internal hard wired desktops/servers from being visible to anyone on the wireless network and you can assign the amount of bandwidth made available to the wireless side.
Please ask some questions in this regard. You do need to secure your wireless access point in some respects and keep it open in others. Other forum members will help you.
Check CNET, TomsHardware and Newegg for product reviews.
Before you purchase a WAP research if there are any security issues for that model.
If you maintain an Open WAP then your attorney may credibly deny in court that you personally connected with any site.
Do not confuse firewall routers with a VPN. NAT, and subnetting have nothing to do with the externally visible IP address of your network.
Next topic is browser security. I use different browsers for different tasks.
It's convenient to have two or more browsers set up for different needs.
But we're talking about security so enough about IE, let's discuss FireFox.
Firefox has some addons/plug-ins that will help guard your privacy and security.
Ideally the confidential areas of the internet you wish to search are using https:
If the sites you like to visit aren't https: then information you exchange with the sites including user ids and passwords may be intercepted.
I mentioned TOR somewhere above.
Read more about TOR here:
Use this with the Firefox add-on:
Appreciate feedback on this one...will ask in a post below.
Other Firefox Addons:
https://addons.mozilla.org/en-US/firefo ... efcontrol/
Keeps the site you were referred from confidential.
This tool among other things makes sites are already HTTPS
secure even more secure
Multiple anti-censorship tools
I've already had feedback on this post and I want to reassure members that more detailed instructions will be edited into this post that will guide users through each step outlined below.
Internal security. For the purpose of this discussion internal security is how secure is the data on your box should it be stolen, seized or hacked.
I will present the search terms you can google for for a security enhancement, followed by an explanation the core principle, or purpose for a change. I'm just going to have to do this as an iterative process, because there are some who can take the present suggestions and fly and others who are uncertain of what the hell I am talking about. So I'll expand each item below as time permits in a detailed step wise fashion. If you're unsure post to this topic and ask for help.
If you are totally lost, you can PM me. I have a friend that can connect to your system remotely but you (probably) cannot afford to pay him to secure your system remotely.
So first of all, backup your system. Always backup your system. If you're thinking about sex, do a backup. If you're not, do a backup. Get an external usb hard drive and use clonezilla.
Clonezilla will create an image of your hard drive on your external hard drive.
Use beginner mode.
Do not plug in you external hard drive until prompted to do so. Create disk images as opposed to partition images unless you are familiar with clonezilla.
Back up your system and perhaps put your most prized data, such as pictures of baby nemo on a secure online server such as google docs , or megaupload.
Okay, everything is backed up. If your external drive came with encryption software use that to encrypt your backup.
Let's create (or Set) a system restore point now, just for fun.
A restore point is a snapshot in time that you want to take of your pc before you make changes, that way if something goes wrong you can undo the changes.
Even though restore points should be created automatically by your pc, it's always a good idea to create one manually before you make changes.
XP create system restore point
First of all if you are using XP pro, make sure that system restore is turned on, if you are using home this feature can't be turned off:
I took these steps from the support.microsoft.com website at
Click Start, click Control Panel, and then double-click System.
Click the System Restore tab.
Make sure that the Turn off System Restore check box is not selected. Or, make sure that the Turn off System Restore on all drives check box is not selected.
Okay, now that you know system restore is turned on lets create the restore point.
Close any programs that are open.
Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. The System Restore Wizard opens.
Click Create a restore point, and then click Next.
In Restore point description box, type a description for the restore point. Use a description that is easy to understand. We're going to call our system restore point:
Note The date and time are automatically added to your restore point. Therefore, you do not have to use them in your description.
Do one of the following:
To finish creating this restore point, click the Create button. The System Restore Wizard notifies you when the restore point is created.
To stop creating a restore point and to return to the Welcome to System Restore page, click the Back button.
To stop creating a restore point and to exit the System Restore Wizard, click the Cancel button.
When you are finished, click the Close button.
Congratulations! You have successfully created a restore point, and you are finished.
Windows Vista/7 Restore Point
Open the link below for simple instructions with pictures to create a Vista/7 restore point.
Call your restore point: Pre-Lockdown because we are going to Lockdown, or secure your pc in a few minutes.
Go to this link to learn to create a restore point for Vista/7
http://www.howtogeek.com/howto/windows- ... m-restore/
Okay, let's make sure that you are using a strong password that can't be easily cracked. We'll then disable fast user switching and change how you log in to your computer.
Many people don't have to log in to their computers. They turn the pc on, go make a pot of coffee, and when they come back, there is their desktop all ready to get to work. Many people think it's too much of a hassle to log in. I'll admit it is a hassle. Many people don't wear seat belts. Many people don't use condoms. Many people wish they had a use for the condoms they have but that is a different story. So if you don't want to have to log into your computer, then stop here, and go post in "Be the last person to post."
So that we're all on the same step, I'm going to assume that you turn on your computer and "bink" there's your desktop. You may not even know what your user id or current password is.
A note about password strength. As a minimum use a password length of 12 characters with mixed case letters, numbers and special characters is required.
The longer the better.
Seems like a hard thing to remember and to type 12 or 25 chars...but it doesn't have to be. You'll be surprised how quickly your fingers remember a long password. Don't even think about writing it down or e-mailing it. ever.
unless there is a chance you will forget it. Then write it down and stick it in your wallet or purse until it's stuck in your mind.
A very attractive sys admin once shared the following tip with me for a password.
Use a street address. Ideally it would be one that doesn't belong to you and has never belonged to you, perhaps a neighbors address.
As long as you're consistent with your style of abbreviations.
Change Windows XP password
1.Click on Start and then Control Panel.
2.Click on the User Accounts link.
Note: If you're viewing the Classic View of Control Panel, double-click on the User Accounts icon.
3.In the pick an account to change area of the User Accounts window, click on your Windows XP user name.
4.Choose the Change my password link.
5.In the first text box, enter your existing password.
6.In the next two text boxes, enter the password you would like to start using.
Entering the password twice helps to make sure that you typed your new password correctly.
7.Click the Change Password button to confirm your changes.
8.You can now close the User Accounts window and the Control Panel window.
9.Now that your Windows XP password has been changed, you must use your new password to log on to Windows XP from this point forward.
Note: Windows XP Home users can only change the Administrator password through Safe Mode.
Change Vista/7 Password
Press ctl+alt+del keys
Select "change password" or
Open Control Panel.
Click Add or remove user accounts.
Click the account you wish to change.
Click Change the password
A word of caution about using long passwords on network equipment. Some devices only allow a limited number of characters, specifically routers, which I've locked myself out of. because my password was too long. Google the max pw length for your model.
Okay, let's lock down your box.
1) Require ctl+alt+del to log in and clear last user id.
2) Google: Dontdisplaylastusername
After you turn on ctl+alt+del, this prevents last userid who logged in from showing up.
3) Google: Disable fast user switching
Just do it. Learn to share a single account, or save your work and log the hell off when your done.
4) Google: Enable UAC
This really important security feature get turned off a lot of times when users are first setting up a computer and installing lots of software. Turn this on and leave it on. It's like a seat belt, it prevents changes to your system that you may otherwise be unaware of.
5) Google: Disable Guest account
Only use password enabled sharing and disable the Guest account. Need a guest account for an application, then rename the guest account.
6) Google: Enable Administrator account.
If you know a valid user id you're half way to compromising a computer, all you need is a password. So here is some really important and bad news!
Many people are unaware that their windows system has an Administrator account because the account is disabled.
a) Enable the administrator account. From an elevated command prompt run:
net user administrator /active:yes
Use this account only for software installs and disaster recovery.
b) log in to that account, usually the password is empty or <space>
c) create a strong password for the account.
d) rename the administrator account. There's a lot of different ways to do this...
use google and pick the one that's right for you.
Anything you like that you will remember:BigRoot
e) Disable the renamed Administrator account.
From and elevated command prompt type:
net user BigRoot /active:no
I like to use the BigRoot account for critical software installs, such as antivirus
What we're doing here is preventing anyone with physical access to the computer from using recovery tools to break into your box using the default Administrator account.
7) Disable remote access (windows remote desktop).
Right click my computer, click propertys, select advanced system settings, select Remote tab, disable all remote features. If you need remote access use GoToMyPC or LogMeIn.
Disable sleep and hibernation modes. (non laptop) You want it on instantly, leave it on. You want it off, shut it down. Use a UPS. (un-interruptable power supply)
9) Got a single computer? Then you don't need windows file and printer sharing.
Google: [os name] Disable file and printer sharing
10) Encrypt your internal and external hard drives.
Google: [os name] Disk encryption. Vista or 7, bitlocker
XP pgp or other free tools.
Many external hard drives come with encryption software installed, you just have to enable it.
If your computer is stolen, your data should be safe. If your computer is seized by police with a warrant, do not resist and be polite, but repeat constantly that you do not consent to search or seizure. Accept a copy of an inventory of what they seize but do not sign it. If questioned about access to your system, stand on your fifth amendment rights, demand an attorney and request an end of questioning until your attorney is present.
Routers and WAPs. Don't hook these puppies up to the internet until you've changed the default password and default admin user id!!!!!!!!!!!
WAPS. Disable remote and wireless admin. require https admin.
Make sure wireless users cannot see your internal network.
Need an internal wireless network? Use two different WAPs, one public, one private using strong encryption and dedicated IP by Mac address.
Other thoughts: Disable services you don't need. Use a good AV program.
Use Auslogics products to keep your system clean and tip top, most of their tools are free such as a FAST disk defragger, and registry cleaner. Other favorite tools are hijack this for examining processes and services and Spybot Search and Destroy. Clonezilla for backups to encrypted external media. Support shareware authors. Don't disable your firewall except for breif periods of testing. Occasionally run elevated cmd prompt then netsat to see who and what your box is connected to. Google [os]Enable Auditing if you're paranoid.
eh, do it anyway. Check your security and system event logs. Keep your system updated. Make sure that system restore points are enabled. Back up your system and data frequently. Make a backup. Do it now. Then encrypt it.
Sorry, this isn't pretty, but it was pretty fast. I'm sure I've missed a lot of stuff. but at least this is a start. I'll expand the details of each of the items above over time.