From here you should work on hardening the setup. This has been covered in my previous Nextcloud Tor Hidden Service videos, and more how-tos on onion hardening will become a topic for future videos.
This past week I joined Linux Mobile (a great resource for Pinephone applications, organized by functionality support) and Elatronion to talk Pine64 (Linux hardware supplier and community), LoRa, Pinedio, Linux, open source, and even privacy.
Take a look at your Desktop and/or interface. Be it MATE (desktop/laptop), Phosh (Pinephone/Librem), or KDE. We use several buttons/shortcuts to programs everyday.
Some of these programs need the internet.
Some do not.
Have you minimized access to programs which do not need the internet?
Did you know some programs secretly “call home” and share data/your ip address with 3rd parties (sometimes this data is sold)?
The most ideal setup is restricted where possible, but not to the point where a given setup becomes unusable.
Here we are going to use a Hot Off the Press News example to demonstrate how to restrict networking only to those programs requiring it (such as web browsers, encrypted messengers, etc).
Other applications like a media player, GIMP (image manipulation), and LibreOffice do NOT need ANY networking for full functionality. A compromised update to any given program can cause it to act outside the scope of its description (including reverse shells, collecting and sending data, and more bad ideas).
So why do we allow it?
Because this is default behavior.
We can change that.
We can go through and edit each shortcut to EASILY block network access for every single shortcut/button of a program that does not require internet access.
This can block/prevent not only personal data sales (by program creators/developers) but also potential backdoors (such as a reverse shell) from communicating.
This is really important.
I want you to go through every single shortcut and decide if it needs the internet or not. Don’t worry, you can always change it back later if it harms functionality. But for the programs unaffected, this will prevent your personal data from leaving via their execution.
Next we are going to look at a real world example with this exact potential issue.
I then want you to go through each and every shortcut and decide/edit it to block access to those where it is not necessary for a program to reach the internet.
EXAMPLE USING LINUX CURRENT EVENTS
(This example is a real/current problem, follow/fix this):
Do you minimize network access only to programs which need it to function?
I have to admit, I like using Audacity.
Those subscribed to my channels might remember my video “Your Computer Speakers Can Act As Remote Listening Devices.” There I tuned into frequencies coming from my laptop and discovered my speakers were acting as a remotely transmitting microphone any time I had sound playing from my laptop speakers (I was able to demonstrate this 15 feet away; with a more sensitive device, through walls would not be hard to imagine [see: RF retro-reflecting]).
After which, I demonstrated how to remove the static from the radio signal recordings using Audacity.
“Why we collect it | Personal Data we collect | Legal grounds for processing
App analytics • Improving our App | OS version • User country based on IP address • OS name and version • CPU • Non-fatal error codes and messages (i.e. project failed to open) • Crash reports in Breakpad MiniDump format | Legitimate interest of WSM Group to offer and ensure the proper functioning of the App
For legal enforcement | Data necessary for law enforcement, litigation and authorities’ requests (if any) | Legitimate interest of WSM Group to defend its legal rights and interests
The App we provide is not intended for individuals below the age of 13. If you are under 13 years old, please do not use the App.
Who does Audacity share your Personal Data with?
We may disclose the Personal Data listed above (your hashed IP address) to the following categories of recipients:
to our staff members. We take precautions to allow access to Personal Data only to those staff members who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, or (ii) to exercise, establish or defend our legal rights;
to our auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose.
to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purposes disclosed in this Notice;
to any other person if you have provided your prior consent to the disclosure.”
FIXES FOR RUNNING PROGRAMS WITH UNKNOWN NETWORK CONTACT (ASSUMING SAFE OTHERWISE):
NOTE: Just because I use Audacity in this example doesn’t mean the best solution is one of the A-G options; Audacity is only the example.
It is usually better to wait for a trusted fork. Still, if you are unsure what exists inside the Audacity code, it never hurts to restrict it using these options.
Keep in mind these are meant to be options for all potential programs which do not need network access to function.
There are tools to remedy data collection. One such tool is Firejail.
If you love Audacity and aren’t ready to give it up, there are a few options for you.
A.) hold back Audacity updates in your package manager (or wait for a fork)
B.) use Firejail to restrict Audacity’s access to the internet, which will completely cut off its ability to share your personal data.
Use this command to open Audacity while restricting networking:
firejail --net=none audacity
(You can also optionally add --private to further compartmentalize the program.)
C.) Use Bubblewrap as an alternative to Firejail sandboxing
D.) Run Audacity inside a Whonix jail or a virtual machine with network access restricted.
E.) Torify Audacity (or run it through another non-direct connection; sudo is not suggested unless you trust the software).
Example command (NOTE: this is an example; sudo should not be used with programs considered untrusted):
Now replace the Exec= line on all shortcuts for your devices, be it a Linux laptop, Pinephone, Pinebook, Pinetab, or otherwise.
If you have a Pinephone or other .desktop Linux shortcut, this means editing the Exec= line inside that .desktop file so it reads:
Exec=firejail --net=none --private audacity
Your shortcut files may be found in ~/.local/share/applications (per-user) or /usr/share/applications (system-wide). Each application has its own .desktop file.
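Editing every .desktop file by hand is tedious and easy to get wrong (a launcher can carry several Exec= lines, one per Desktop Action, and TryExec= must keep pointing at the real binary). The script below is an added example, not code from the original post: it copies a launcher into the per-user applications directory (which the desktop menu prefers over the system copy of the same name) and prefixes every Exec= line with firejail --net=none, skipping lines that are already wrapped. It assumes POSIX sh and awk; the function names, and the sample launcher used in the usage note, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): wrap every Exec= line of a
# .desktop launcher in "firejail --net=none" by writing a per-user override.
# Assumes POSIX sh + awk; Firejail must be installed when the launcher is used.
set -eu

# Print the launcher with the firejail prefix applied to each Exec= line.
# Already-wrapped lines are left alone, so running this twice is harmless.
# TryExec= is untouched: it names the binary the menu checks for, not a command.
sandbox_exec_lines() {
    awk '
        /^Exec=/ {
            cmd = substr($0, 6)                 # text after "Exec="
            if (cmd !~ /^firejail[ \t]/) {
                $0 = "Exec=firejail --net=none " cmd
            }
        }
        { print }
    ' "$1"
}

# Write the sandboxed copy into the per-user launcher directory (default
# ~/.local/share/applications) and print the path of the new file.
sandbox_desktop_entry() {
    src=$1
    dest_dir=${2:-"$HOME/.local/share/applications"}
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(basename "$src")"
    sandbox_exec_lines "$src" > "$dest"
    printf '%s\n' "$dest"
}

# List launchers in a directory whose Exec= lines still start the program
# without Firejail, so you can audit what is left to restrict.
list_unsandboxed() {
    for f in "$1"/*.desktop; do
        [ -e "$f" ] || continue
        if grep -q '^Exec=' "$f" && ! grep -q '^Exec=firejail' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: sh sandbox-desktop.sh /usr/share/applications/audacity.desktop [dest_dir]
case "${1:-}" in
    *.desktop) sandbox_desktop_entry "$@" ;;
esac
```

Run it once per launcher you want cut off from the network, then use list_unsandboxed on ~/.local/share/applications and /usr/share/applications to see which programs still launch unrestricted. Because the override lives under your home directory, a package update that rewrites /usr/share/applications does not undo the restriction.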
You can use this same option (firejail --net=none) for ALL apps on your system which do not require networking, to protect yourself from needless data collection and backdoor communication.
Now go through all your other programs and their corresponding .desktop shortcut files. Block internet access to ALL programs which do not need the internet, to prevent them from sending your data or, worse yet, communicating via a backdoor.
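Before relying on a restricted launcher, it is worth confirming that the sandbox really has no network path. With --net=none Firejail starts the program in a fresh network namespace that contains only the loopback interface, so listing interfaces from inside the jail should show nothing but lo. The functions below are an added example, not part of the original post; they assume Firejail and iproute2 (the ip command) are installed, and the sample interface listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Firejail
# "--net=none" sandbox exposes no network interface other than loopback.
# Assumes firejail and iproute2 ("ip") are installed.

# Run a command inside the same restriction the post recommends.
run_offline() {
    firejail --quiet --net=none "$@"
}

# Read "ip -o link show" output on stdin and count interfaces other than "lo".
# Each line looks like "2: wlan0: <BROADCAST,...> mtu 1500 ...", so splitting
# on ": " puts the interface name in field 2.
count_non_loopback() {
    awk -F': ' '$2 != "lo" { n++ } END { print n + 0 }'
}

# Number of non-loopback interfaces visible inside the sandbox (expected: 0).
offline_iface_count() {
    run_offline sh -c 'ip -o link show' | count_non_loopback
}

# Number of non-loopback interfaces on the host, for comparison.
host_iface_count() {
    ip -o link show | count_non_loopback
}

# Exit status 0 when the sandbox is correctly cut off, 1 otherwise.
verify_net_none() {
    [ "$(offline_iface_count)" -eq 0 ]
}

# Usage: sh verify-net-none.sh
if [ "${0##*/}" = "verify-net-none.sh" ]; then
    if verify_net_none; then
        echo "sandbox OK: host has $(host_iface_count) non-loopback interface(s), jail has 0"
    else
        echo "sandbox NOT isolated: $(offline_iface_count) interface(s) visible inside jail" >&2
        exit 1
    fi
fi
```

If the jail still shows an interface, the --net=none option is not taking effect (for example a local Firejail profile overriding it), and the launcher should not be trusted to keep the program offline.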
Thank You For Sharing Any Posts You Find Helpful/Useful/Interesting
I realize those reading make up a diverse group of various ages, experience levels, and interests.
Some beginning, Linux curious, maybe hoping to get started.
To those: I’m going to be mixing in more ‘just beginning’ Linux content.
Are there any topics you want to see covered? Leave a comment below. 🙂
To start, today I made this cheat sheet list of only the most important commands to get you started using the Linux commandline (shell).
Once you run the install script, you have a new Linux command you can enter anytime to print out the most common essential commands needed to get started.
This simple starter cheatsheet isn’t meant to be an all-encompassing reference, only what you need to get started. From here you can build onto more commands using “Finding Help” commands like apropos (search for new commands based on topics of interest).
I may add more to this over time and created it with recent questions in mind.
Pinetalk is the Community run Podcast built around Pine64 hardware and Linux.
Pine64? Pine64 is a crowd-sourced maker of hardware geared towards serving the open source community (memorable products include: Pinephone, Pinebook, Pinetab, Pinedio, A64 LTS, and Rock64 single board computers).
I have been working with single board computers over the last few years: small, complete Linux system boards that make affordable and portable options for customizing networks.
I recently acquired a Pine64 A64 LTS board and have future videos planned to take a closer look. This board carries a similar hardware/chip profile to the Pinephone/Pinetab/Pinebook and additionally makes up the underlying board inside the Pinedio gateway (tutorials are in the planning stages).
Linux newbie or not, welcome.
Based on recent conversations I have new content coming up geared towards the absolute beginner interested in starting with Linux.
Single board computers can be the perfect place to start.
In the next Pinetalk Episode (out this Friday/Saturday) I join hosts, Peter/Ezra as a guest.