Author: John Durret

  • Smartphone privacy Internet browser Dolphin Zero

    Dolphin Zero is a privacy focused Internet browser for Android (iOS version planned). It does not store visited internet sites, cookies, passwords, favicons, or cache. Dolphin Zero is analogous to your desktop Internet browser’s private or Incognito mode, with the distinction that in this browser privacy mode is always on by default.

    The browser’s default search engine is DuckDuckGo, a search engine that does not log IP addresses or keep track of its users. If you are not happy with DuckDuckGo you can easily swap it for Google or Bing by tapping on the toolbar.

    This browser will not block advertisements or scripts; your online movements will still be tracked by websites during each Internet session, but on closing the window you will see an animated shredder graphic telling you that all temporary cookies and files have been erased. Websites will not be able to track your movements for more than one session at a time; the downside is that settings will never be saved.

    Do not be fooled by the shredding graphic: Dolphin Zero does not wipe data, it simply does not store it on the phone or SD card to start with. Your Internet session runs in RAM, which vanishes when you close down the browser. This method is safer than erasing the data after it has touched the memory card. The Dolphin Zero browser’s main function is to protect you from people who could get hold of your mobile device, and it does it well.

    Dolphin Zero has Do Not Track enabled, a field in the HTTP request headers telling every website you visit that you don’t want it to monitor your online behaviour to serve you advertising based on the pages you visit. However, only a few companies honour this request and it is not compulsory to do so by law.

    Dolphin Zero is the privacy version of the long established Dolphin browser, hinting at a valuable development team behind the program. Dolphin Zero is compatible with all websites I tried it on, and my experience has been that it is more polished to have a dedicated privacy browser to visit websites you don’t want anybody to know about than to switch between private and non-private tabs that are easily forgotten or mixed up.

    I find it very effective having Dolphin Zero installed alongside my main browser. I missed bookmarking, but that feature would defeat the whole purpose of hiding the list of sites you visit. This browser is perfect to keep visited sites secret from anybody with access to my phone and to reduce online tracking; undoubtedly I am keeping this app.

    Visit Dolphin Zero in Google Play

  • Blackphone, a smartphone with encryption designed to stop the NSA

    A new smartphone designed to be secure by default is in the works by a joint venture between Silent Circle, the company of PGP’s creator Phil Zimmermann, and Geeksphone, the first Firefox OS mobile maker.

    Full details will be released next month at the Mobile World Congress in Barcelona, but initial technicalities made public in the press release point towards a smartphone running a custom open source Android operating system called PrivatOS, able to make secure voice or video calls, send secure text messages or files, and store them. There is also mention of a VPN, which should stop data packet sniffing when surfing the Internet on the mobile phone.

    Blackphone security could be defined as secure hardware, custom OS and security applications. I would imagine that Silent Circle’s own software security suite will have a role to play in securing Blackphone communications.

    The good points of what is known so far: one of the people behind the company developing it is Phil Zimmermann, and he does not come across as the kind of person who would sell people’s privacy to the NSA. The second good point is that hardware security will be taken into account. The third is that the project will be open source, at the very least PrivatOS (not sure about the hardware), and the fourth is that Blackphone will be unlocked and not tied to any carrier.

    Blackphone’s bad point, from what is known so far, is that it has been named as a high end device; the price will likely be out of reach for ordinary people.

    For those of you who can’t afford to pay businessman prices for a secure smartphone, I would recommend that you get an Android phone that is supported by CyanogenMod, a forked version of Android without all the spyware that Google embeds in Android phones.

    Wipe Android OS for good when you have the device and install CyanogenMod, then open a fake Google Play account, which I only managed to do with a Chinese proxy, as attempting to do so with a USA IP made Google insist on verifying the account using a mobile phone number. Download Orbot, a Tor proxy to surf the Internet, RedPhone to make secure calls and ChatSecure to encrypt real time chat conversations. All of the applications named and CyanogenMod are free. Your phone might not be as pretty as the Blackphone but it will be secure enough to fool well funded adversaries.

    Visit Blackphone homepage

  • Linux Parrot OS for hacking, security and anonymity

    Parrot OS is a live and installable operating system based on Debian Linux and targeted at penetration testers and people interested in online anonymity. The nearly 2GB DVD download integrates professional and beginner computer security tools inside the MATE Desktop environment, a GNOME 2 fork.

    Boot options are forensic mode (listed as Stealth), which avoids modifying any file on the host computer; live; live fail safe; or a graphical installer that puts the operating system on your computer. Visually impaired people can use a speech synthesis installer.

    Parrot OS’s default username is root with password toor, easily changed after logging in. The distribution homepage has a Wiki but at the moment it only contains basic information for newbies about how to boot from BIOS or burn the distribution to a USB thumbdrive. However, if you are familiar with Linux you should not have to read too many tutorials; the tools included in Parrot OS are the same ones found in similar pen testing distributions like Kali or BackTrack Linux.

    Some useful tools for privacy activists found in Parrot OS are TrueCrypt to encrypt data, BleachBit to erase Internet tracks (although if you run the live DVD this will not be needed), and the Iceweasel browser running with Tor, with Vidalia providing a graphical interface to manage the Tor network, showing consumed bandwidth, nodes you are connected to and message logs.

    Tools for penetration testers include the packet sniffer Wireshark, the Ettercap suite for man in the middle attacks and md5crack to brute-force passwords out of captured MD5 hashes. A screenshot and desktop recording utility is able to document all you do.

    Practically all of the hacking tools are found under the Parrot menu: dozens of programs nicely classified under descriptive activities such as “Information Gathering”; “Sniffing/Spoofing”; “Wireless Attacks”; “Reverse Engineering” and many others, each with a submenu, are all easily accessible.

    Although this distribution is being advertised as anonymity and penetration testing in one, I believe that it is mostly suitable for pen testers; those who want anonymity are still better off with Tails. Parrot OS is similar to Attack Vector Linux, packing powerful penetration testing tools with Tor to hide who is using them. On the other hand, any sys admin worth his salt will be blocking all Tor proxies from accessing the network.

    Computer forensics can also benefit from Parrot OS, as it has a dedicated “Forensics” menu with carving, hashing and imaging tools together with reporting tools to manage evidence and a forensic boot that will not modify data. You can find this distribution to be a sound alternative to BackTrack.

    Visit Parrot OS homepage

  • Bitmail, encrypted friend to friend email without central server

    Bitmail is a decentralized open source email gateway that stores email messages encrypted offline and includes a secure IRC gateway for real time online chat. You can connect to the developer’s IRC channel from within the client.

    Email communications are secured with libgcrypt, the cryptographic library used by GnuPG, and AES over SSL. There is no need to install the client; it can be run as portable. As soon as you launch it you will be asked to enter a password with a minimum of 16 characters, which will be used to create your private encryption keys. Make sure not to forget it like me, because you will be locked out of Bitmail the next time you launch it, with all tabs greyed out.

    The same email client allows you to operate an IMAP capable BitMail server to relay messages to other people, but running a server requires lots of configuration and it is not easy. Bitmail’s interface is well structured and tabbed but you will have to be familiar with encryption terms; there are lots of things that can be customized, like encryption algorithm, iteration count, RSA key size and even salt length. This is not an email client for beginners.

    You will need to manually add the encryption keys of the people you would like to communicate with to the address book; encryption keys will have to be exchanged via a different channel, such as an instant messenger. Once you have the participants’ encryption keys and your IP has been added to the list of allowed senders in the Bitmail server, anyone in the group is able to securely exchange messages.

    Bitmail’s darknet approach, where there is no central authority that can be compromised and only those who know someone in the group are allowed to join in, is the right approach against NSA state surveillance, but I did not like that there was no anonymity in the network.

    Your computer IP could be traced if anybody in the darknet is eavesdropped on with something as simple as a trojan horse. P2P email services should have built in mechanisms to stop the compromise of a single user from spreading to the other people in the network and Bitmail does not accomplish this.

    I liked that Bitmail is open source but due to the complicated set up and lack of anonymity I don’t think it is something I will be using. If you only need privacy, it might fulfil your needs, especially for intranet communications.

    Visit Bitmail homepage

  • One year review of anonymous email service Countermail

    I have been using Countermail for over a year on a weekly basis and this review is based on my experience with them during this time. The service is free to try for a few days, after that you will be asked for payment which can be done with credit card, Paypal, wire transfer or Bitcoin.

    Credit card corporations force businesses to keep payment details stored for two weeks, Countermail claims to automatically destroy the records after that length of time but the credit card company and Paypal will likely preserve payment details for years although they will not be able to link them to any specific Countermail account or nick. If you pay with Bitcoin you will make tracing payment origin much more difficult but there is a surcharge.

    Signing up is simple, not requiring any personal information other than choosing a username and password. You only need Java installed on your computer; after account creation you can get rid of Java and use IMAP and SMTP with Thunderbird and Enigmail. There is a tutorial in Countermail help pages explaining how to set it up. It took me a few hours, demanding lots of reading and testing; it wasn’t very easy to do.

    Be very careful to remember your password because if you lose it, it cannot be recovered and your data will be lost forever.

    Countermail’s web servers boot from a live CD and have no hard drive. Powering one off to install monitoring software will eliminate all data held in RAM, including encryption keys, and without any hard drive present computer forensics would be a waste of time. For further surety, encryption is executed in the user’s computer and Countermail does not store any password. By default it will keep your private encryption key (although the encrypted version only!) but not the password, and you need both of them to decrypt messages. If you are not comfortable with having your private keys in the server, you can delete them and store the keys in your computer or send Countermail your public encryption key. A second mail server with a hard drive stores messages and files, but this is only accessible using the diskless webserver and no IPs are leaked.

    The email service is based on a custom SquirrelMail interface. You have the ability to automatically sign and encrypt email messages in your browser within webmail, including attachments, with the standard OpenPGP.

    In Countermail settings you can import and export encryption keys. When you email someone, Countermail will automatically encrypt the message with the key found in your keyring, and if none is found you will be notified. Communicating with other Countermail or Hushmail users does not require you to have the receiver’s key; it will be automatically fetched for you.

    You can create aliases under the countermail.com or cmail.nu domain name and distribute these disposable email addresses without ever revealing your main inbox. It is best to do this from day one, and if you receive spam you can delete the address. I advise you to choose a cryptic alias because after you erase it someone can register it straight away and any emails meant for you will go to that other person. It happened to me that I registered a very common alias @countermail.com address and I received messages meant to be for someone else; I never abused the content but I could have done.

    The company claims to keep no logs of when you log in and out, and email backups are kept encrypted in Countermail servers for 7 days and rotated. The company headquarters and mail servers are all based in Sweden, so your usage of their service is subject to Swedish law.

    When you send a webmail message your computer IP will be stripped from the headers and replaced with 127.0.0.1; if you use SMTP an anonymous German or Swiss tunnel IP will show in the headers. Other Countermail security practices include disabling HTML messages by default: you have to click on view HTML if someone sends embedded images.
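
    A recipient-side check of the header behaviour described above, as an added example that is not Countermail's code or part of the original review: it reads a raw message and reports which addresses in the first-hop Received header and in X-Originating-IP describe the sender's side. Both messages, their host names and their addresses (documentation ranges) are constructed samples.

```python
import ipaddress
import re
from email import message_from_string

# Address literals as mail servers write them: [192.0.2.1] or [IPv6:2001:db8::1]
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_text):
    """Return 'loopback', 'internal' or 'routable'; None if ip_text is not an address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or (ip.version == 4 and any(ip in n for n in _RFC1918)):
        return "internal"
    return "routable"


def origin_addresses(raw_message):
    """List (header, address, class) for addresses that describe the sender's side."""
    msg = message_from_string(raw_message)
    found = []
    # Non-standard header some webmail systems add with the browser's address.
    for value in msg.get_all("X-Originating-IP", []):
        ip_text = value.strip().strip("[]")
        if classify(ip_text):
            found.append(("X-Originating-IP", ip_text, classify(ip_text)))
    # Each hop prepends its Received header, so the last one listed is the first
    # hop: the server that accepted the message from the sender's client.
    received = msg.get_all("Received", [])
    if received:
        from_clause = re.split(r"\sby\s", received[-1], maxsplit=1)[0]
        for ip_text in _IP_LITERAL.findall(from_clause):
            if classify(ip_text):
                found.append(("Received", ip_text, classify(ip_text)))
    return found


def exposed(raw_message):
    """Routable addresses a recipient could read as the sender's origin."""
    return sorted({a for _, a, kind in origin_addresses(raw_message) if kind == "routable"})


# Constructed sample: webmail submission recorded with the loopback address.
WEBMAIL_SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
    by mx.example.org with ESMTPS; Mon, 06 Jan 2014 10:00:02 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.example.net with HTTP; Mon, 06 Jan 2014 10:00:00 +0000
From: alice@example.net
Subject: constructed sample
"""

# Constructed sample: a provider that records the client's address twice.
LEAKY_SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.20])
    by mx.example.org with ESMTPS; Mon, 06 Jan 2014 11:00:02 +0000
Received: from [192.168.1.44] (dsl-host.example.com [198.51.100.23])
    by mail.example.com with ESMTPSA; Mon, 06 Jan 2014 11:00:00 +0000
X-Originating-IP: [198.51.100.23]
From: carol@example.com
Subject: constructed sample
"""

print(exposed(WEBMAIL_SAMPLE), exposed(LEAKY_SAMPLE))
```

    A message submitted over SMTP through a tunnel would list the tunnel's address as routable here; the check reports what a recipient can read in the headers, not whose address it is.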

    If you click on a URL inside an email message it will be automatically de-referred to stop the website server from seeing how you got there, and pressing the escape key on your keyboard will log you out of Countermail and take you to the page of your choice; this is meant to be an emergency log out key.

    I wanted to play the paranoid card and I did not want Countermail to hold my encryption keys. It is necessary to note here that my Countermail private keys are created in my own computer and only sent to their servers after they have been encrypted, but it did not feel right to trust someone else with something as important.

    I communicated with other people deploying my own keys and it reduced webmail functionality. If the private encryption key is not uploaded to the Countermail server you will get a Java error and you will not be able to view the message; you will have to download it as an attachment to your hard drive and save it as text before decrypting it locally.

    I contacted Countermail staff a couple of times about a problem I had importing a PGP public key and they replied to my support email in under 24 hours with helpful advice about how to get copy and paste right.

    There are non email features included with the package: a bookmark and notes storage inside what they call “Safebox”, which I found very basic but there is no harm in it being there. You also get a calendar and an XMPP chat server compatible with Jabber clients like Jitsi, and you can use Countermail portable by downloading the prebuilt Firefox Portable browser with Java from Countermail servers, or set up the email service with your own domain name for a one time fee.

    Another option is to buy a USB key from Countermail that will be used as a keyfile to log in to your account; if your password is stolen nobody will be able to log in unless they physically have the USB key in their power. I only used the email service during all this time, so I can’t comment too much about the rest; I only glanced at it.

    Overall, I think that this is one of the very few email services that not only protects your privacy with encryption but also makes your IP untraceable by not keeping logs. There are a dozen other encryption email services out there in the market and Countermail is one of the very few being very clear about not keeping any logs.

    If you don’t need high level anonymity and are only concerned about email encryption (privacy), you might find cheaper and simpler to use email services, but if you care about how long your email provider keeps logs, about being able to pay in Bitcoins, and about your email service taking proactive measures to stop state surveillance as well as your email provider being located outside the USA, I don’t think there are too many competitors to choose from: it is either Countermail or Anonymous Speech, and I think that Countermail has better security with their diskless servers and by only keeping your private encryption keys after they have been first encrypted in your computer before they are uploaded to the server.

    Assuming Countermail does everything as they say, it seems to be good value for money for those after a high degree of email privacy and anonymity.

    And if you want a free anonymous email alternative, download Tor, OpenPGP Studio and combine it with any email provider, it will also get the job done.

    Visit Countermail homepage

  • Warrant divulges FBI high tech malware sent to suspected terrorist email

    In a little-publicised case of bomb threats that have been going on for months against US public buildings like universities, hotels and airports, an anonymous caller identifying himself as a friend of James Holmes continuously warned the FBI that if the Colorado cinema shooter was not released a building full of people would be blown up using ammonium nitrate.

    An Emergency Disclosure Request order sent to Google exposed that the caller was using the Google Voice VoIP service to carry out the bomb threats while masking his computer IP with a free VPN service called Hotspot Shield, also known as AnchorFree.

    Subsequent bomb threats included numerous email exchanges, a chat between the suspect and an FBI agent using Yahoo Messenger and photographs the suspect sent of, supposedly, himself to the FBI, wearing an Iranian camouflage military uniform.

    The FBI trojan horse is referred to in the search warrant application as Network Investigative Technique (NIT) and it was sent to the suspect’s Yahoo email address “texan.slayer@yahoo.com” in the form of a link. It should have been executed when the suspected terrorist logged into his email account, connecting to FBI servers and downloading malware to let law enforcement know the following:

    – Computer IP address, computer network card MAC address, list of open ports, a list of running programs, operating system and Windows serial number, web browser brand and version, computer’s language encoding and default language, computer time zone, previous visited websites and other identifying information that could be of assistance.

    The document shows that the trojan horse failed to execute correctly but not before revealing that the person making bomb threats was doing so from Iran.

    There is no specific information about how the FBI executed the malware but since a download link is mentioned, I will make a guess, without backing evidence, of how it could have been done, by saying that the trojan horse could have been embedded in an HTML formatted email and executed with JavaScript as soon as the suspect opened the email message.

  • Linux penetration testing distribution NetSecL OS

    NetSecL OS is an openSUSE-based penetration testing Linux distribution with the lightweight Xfce window manager. The distribution’s kernel has been hardened with grsecurity patches, a set of rules that allows for more extensive system auditing and protects you from stack overflows by making the stack non-executable.

    The latest NetSecL OS 5.0 removes Firefox and incorporates the Chromium browser, not to be confused with Chrome. Even though they both use the same source code, Chromium does not release binaries, it has to be built from source, and it does not send data to Google; the Chromium browser has improved privacy over Chrome.

    Other privacy enhancing features in NetSecL OS include Macchanger, a Unix utility to view, fabricate or forge a network card’s MAC address, and a Firewall GUI builder to set your own system access rules.

    You can run NetSecL OS as a live DVD or install it on a USB or hard drive. A .ova virtual machine is available for download from the Suse Studio website for testing. The default users are root and tux and the password for both of them is linux.

    You can find specific penetration testing tools like the Metasploit framework, packet sniffer Wireshark, network monitor EtherApe, Open Vulnerability Assessment System OpenVAS, port scanner Nmap and security reconnaissance tool Skipfish, along with password manager KeePassX, text editor Abiword, FTP client FileZilla and the open source Windows API implementation Wine, to run Windows programs in Unix.

    NetSecL OS has all the tools a security professional needs to break into a network, and I can see this operating system complementing BackTrack. The main difference between both is that NetSecL OS is fixated on offensive security and not digital forensics; for example, NetSecL OS does not have image acquisition tools, whereas BackTrack covers both fields.

    If you don’t like BackTrack’s Ubuntu base or just want to try something new, NetSecL OS is a valuable openSUSE pen testing distribution.

    Visit NetSecL OS homepage