Metapackage Planning
Hazards and Control Measures
A hazard is a general group of threats based on the motivation/objective behind the threat.
Hazard | Description
System Failure | Your computer hardware/software being exploited
System Theft | Your computer being stolen
Theft | Theft of value
Surveillance | Spying
Infiltration | Infiltration into the actual system/protocol
Manipulation | Manipulation of the User's Objective
Censorship | Blocking of content travelling through the internet
Categories of information that a Hazard could compromise:
Information Type | Description
Personal | Personal information about family, generally used for Identity theft or blackmail
Behavioural | Used for Selling marketing and Spying
Financial | Used to denote things with monetary value
Ideological | Used to identify political affiliation
Operational | Used to identify actions and resist pressure
Private | Information of a sensitive nature
Based on the Hazard and the Information threatened, define countermeasures to use to mitigate risk. Of course, because we are dealing with active threats, the tools with these properties will fluctuate between being relatively secure and being known to be exploited.
# | Control Measure | Description
1 | OS Choice | A Secure OS with minimal active exploits
2 | Firewall | Protect yourself by blocking direct attacks
3 | Anti-virus/Malware | Ensure you have updated and active virus/malware protection; this may be provided by the OS
4 | Computer Use Training / User Competency | Using a computer/specific software to achieve tasks safely
5 | Cache Purging | Ensure any processed information is not left where it can be recovered
6 | Password Safe | If you have access passwords/keys, ensure they are stored in a safe location
7 | Disk Encryption | Protect your sensitive information from being recovered from silenced disks
8 | Transport Encryption | Encrypt data during transit, must be to an acceptable standard
9 | Out of Band Authentication | Authentication where a shared secret has been securely passed and verified
10 | Authenticated Encryption | Encryption that has been secured by an Authenticated secret
11 | Transport Anonymity | A transport to prevent identification of the communicating actors
12 | Perfect Forward Secrecy | Encryption which, even if intercepted, cannot be decrypted with any key
13 | Anonymity | Communication cannot be identified or authenticated
14 | Platform Selection | Choice of platform/network to use based on protection given (https://tosdr.org)
15 | Authentication | Authentication (less strong than OOB?)
16 | System Use Training | A Specific system needs to give special usage information to the user
17 | Communication Obfuscation | Allowing communication to be concealed
18 | System Updating | Maintain the software against the active threats
19 | Censorship circumvention | Route around censorship
Tasks
Tools available, with a brief description and the control measures each implements. Further investigation is required to be sure of these claims. There are also grades of protection provided by packages, which are not investigated here; an implementation of some kind of grading may be useful but also difficult.
Authenticated Communication (GnuPG)
GNU Privacy Guard (GnuPG or GPG) is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.
GnuPG can be used for encrypting and verifying the integrity of files and emails. There is no central authority for determining the authenticity of keys; instead it uses a "web of trust".
Name |
Info |
Description |
Implements |
Public-Private Key Cryptography |
15, 10 |
||
Public-Private Key Cryptography |
15, 10 |
||
Extending OpenPGP Web of trust |
9 |
||
Extending OpenPGP Web of trust |
9 |
||
|
Persistence of GPG instance |
15 |
|
Certificate Manager and Unified Crypto GUI |
9 |
||
|
privacy-friendly helper to refresh GnuPG keys |
13, 9 |
|
https://www.gnupg.org/related_software/pinentry/index.en.html |
Secure GUI for pass/pin entry |
6 |
|
Cryptographic key management |
6 |
||
PGP/GnuPG related things; signing, ring analysis, and party preparation. |
9, 15 |
||
|
Store your passwords with gpg (command line) |
6 |
Anonymous Communication (Tor)
Tor (previously an acronym for The Onion Router) is free software for enabling online anonymity and resisting censorship. It is designed to make it possible for users to surf the Internet anonymously, so their activities and location cannot be discovered by government agencies, corporations, or anyone else.
Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than five thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". Tor's use is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored. An extract of a Top Secret appraisal by the National Security Agency (NSA) characterized Tor as "the King of high-secure, low-latency Internet anonymity" with "no contenders for the throne in waiting".
Name |
Info |
Description |
Implements |
Decentralised Node driven Encrypted Network |
13, 11, 17, 19 |
||
A wrapper to safely torify any application |
11 |
||
Pluggable transport proxy for Tor |
17, 19 |
||
Pluggable transport proxy for Tor |
17, 19 |
||
Download, update, & run the Tor Browser Bundle. |
18 |
||
Anonymously share files |
13 |
||
|
Subvert IP blocking networks |
17 |
|
GUI Controller for tor software |
18 |
||
An anonymous VPN adapter |
11 |
||
A non-caching web proxy with filtering |
|
Deniable Communication (OTR)
Off-the-Record Messaging (OTR) is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.
The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with other cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants.
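The deniable authentication and malleable encryption described above, shown as an added example that is not part of the original page or of any OTR implementation. It relies on two facts about OTR: the MAC key is a hash of the encryption key, and used MAC keys are later published. Assumptions: a SHA-256 counter-mode keystream stands in for AES-128 in counter mode, a constructed byte string stands in for the Diffie–Hellman shared secret, and all function names are hypothetical.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a stdlib stand-in for OTR's AES-128 counter mode."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def session_keys(shared: bytes):
    """Both peers derive identical keys; the MAC key is a hash of the cipher key."""
    enc = hashlib.sha256(b"enc" + shared).digest()[:16]
    return enc, hashlib.sha1(enc).digest()

def tag(mac_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()

def seal(enc: bytes, mac_key: bytes, nonce: bytes, msg: bytes):
    ct = xor(msg, keystream(enc, nonce, len(msg)))
    return ct, tag(mac_key, nonce, ct)

def open_msg(enc: bytes, mac_key: bytes, nonce: bytes, ct: bytes, t: bytes):
    """Return the plaintext if the MAC verifies, otherwise None."""
    if not hmac.compare_digest(t, tag(mac_key, nonce, ct)):
        return None
    return xor(ct, keystream(enc, nonce, len(ct)))

def rewrite(mac_key: bytes, nonce: bytes, ct: bytes, known: bytes, wanted: bytes):
    """Edit a logged message using only a published MAC key and a known plaintext."""
    new_ct = xor(ct, xor(known, wanted))
    return new_ct, tag(mac_key, nonce, new_ct)

def demo():
    enc, mac_key = session_keys(b"constructed stand-in for the DH shared secret")
    ct, t = seal(enc, mac_key, b"nonce-01", b"meet at 10")
    genuine = open_msg(enc, mac_key, b"nonce-01", ct, t)
    # Bob holds the same keys as Alice, so a valid tag does not prove authorship.
    fct, ft = seal(enc, mac_key, b"nonce-02", b"forged by Bob")
    forged = open_msg(enc, mac_key, b"nonce-02", fct, ft)
    # Once the MAC key is published, a transcript can be altered and re-tagged.
    ect, et = rewrite(mac_key, b"nonce-01", ct, b"meet at 10", b"meet at 11")
    edited = open_msg(enc, mac_key, b"nonce-01", ect, et)
    return genuine, forged, edited

if __name__ == "__main__":
    print(demo())
```

All three messages verify, which is why a saved OTR transcript is not a verifiable record of who said what. During the live session the MAC still protects integrity, because only the two peers hold the current key.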
Name |
Info |
Description |
Implements |
Private communications over instant messaging |
13, 12, 15, 17 |
||
OTR plugin for irssi |
|
||
|
OTR plugin for pidgin |
|
|
gaim-plugin-otr |
|
OTR plugin for gaim |
|
xchat-otr |
OTR plugin for xchat |
|
|
Encrypted VoIP/Video with OTR plugin |
|
Not Sorted
Name |
Info |
Description |
Implements |
Anonymous Remailer |
11, 13 |
||
Encrypted peer to peer Network |
11, 8 |
||
|
Secure file deletion |
5 |
|
encrypted peer to peer network |
8, 19 |
||
Encrypted VoIP |
15, 10, 8 |
||
Decentralized cloud storage system |
7 |
||
Distributed Encrypted VoIP/video Messaging |
8 |
||
Encrypted network tunnelling VPN |
8, 15 |
||
Force https usage in mozilla browser |
8 |
||
Block javascript in mozilla browser |
18 |
||
Metadata Anonymization tool |
13 |
||
Tunnel TCP connections through HTTP proxies |
19 |
||
Tool for tunneling IPv4 data through a DNS server |
19 |
||
|
Manipulate the MAC address of network interfaces |
13 |
|
Disk encryption support |
7 |
||
|
Secure password management and retrieval |
6 |
|
Password safe |
6 |
||
|
Cryptographic identity validation agent (Perl implementation) |
9 |
|
Secure deletion extension for Nautilus |
5 |
||
generate secure passwords |
6 |
||
|
tools to wipe files, free disk space, swap and memory |
5 |
|
Linux entropy source using the HAVEGE algorithm |
|
||
Internet censorship measurement tool |
|
Not in Debian
Name | Info | Description | Implements
Psyced | | Encrypted distributed chat and messaging system |
Bittorrent | | Peer to peer file sharing |
tox | | Distributed Encrypted VoIP/video Messaging |
CCNx | | Content Secured network with name addressing |
ZeroMQ | | A peer to peer network? |
zyre | | Proximity based Peer to peer framework | 19
Retroshare | | friend to friend secure decentralised net | 7, 10, 15
cjdns | | Encrypted IPv6 with PPK for address allocation |
I2P | | Anonymous network layer | 11, 13, 17
Namecoin | | Anonymous registry | 15, 17
Mixminion | | Anonymous Remailer (Abandoned? Alpha) | 11, 13
Freenet | | Decentralised node driven encrypted network | 8, 11, 13
Briar | | Proximity based encrypted peer to peer network |
Whisper | | |
Redphone | | |
Experimental
Name | Info | Description | Implements
Tribler | | Peer to peer file sharing (Experimental) |
Pond | | Forward secure async messaging |
Blackadder | | information centric networking |