The application that has the most remote exploits that most activist use every day is Firefox -- how sensible is to to run it with read permissions for all your data?
Run Firefox as another user
Create a firefox user, set up ssh, install sux then create ~/bin/firefox:
#!/bin/bash # using X11 and ssh # ssh -X firefox@localhost firefox # using sux sudo sux - firefox firefox
Then when you launch firefox it runs as the firefox user and if there is a remote exploit then firefox can't access your files.
The script above assumes you can sudo without a password.
If you used the commented out ssh method you can make ssh more secure by adding this to the start of your key in ~/.ssh/authorized_keys:
from="localhost" ssh-dss AAAA
Write the cache to a ram disk
Debian and Ubuntu create a ram at /dev/shm and you can write your Firefox cache there by entering this in the location bar:
If it doesn't exist then right-click and select new string and create it and set it to:
And if you are really paranoid then create en encrypted ramdisk, start by creating a directory to mount it in:
The the following can be scripted to run on boot by adding it to /etc/rc.local:
cryptsetup -c blowfish -s 64 -d /dev/urandom create ramcrypt /dev/ram0 mke2fs /dev/mapper/ramcrypt mount /dev/mapper/ramcrypt /ramcrypt
The change the ramdisk size you need to edit your grub conf file, see: http://www.vanemery.com/Linux/Ramdisk/ramdisk.html or http://mtehrani30.blogspot.com/2008/12/change-ramdisk-size-in-debian.html -- basically you need to add something like this to the kernel line in /boot/grub/menu.lst
Firefox user on an encrypted ram disk
Add this to /etc/rc.local
cryptsetup -c blowfish -s 128 -d /dev/urandom create ramdisk /dev/ram0 mke2fs /dev/mapper/ramdisk mount /dev/mapper/ramdisk /ramdisk mkdir /ramdisk/firefox chown firefox.firefox /ramdisk/firefox chmod 700 /ramdisk/firefox rsync -qav /home/firefox/ /ramdisk/firefox/
And edit /etc/passwd to set the firefox user's home directory to /ramdisk/firefox/ and remember to rsync the ramdisk to home after you install a firefox plugin so it's there next time you reboot!
ssh socks proxy
The advantage of using a socks proxy is that it doesn't require squid or anything to be running on the server -- any machine you can ssh to can be used as a proxy server, the disadvantage over squid is that it can't be set to cache and filter and anonomise headers etc etc
ssh -N -D 9999 proxy.example.com
in about:config in Firefox:
network.proxy.socks : 127.0.0.1 network.proxy.socks_port : 9999 network.proxy.socks_remote_dns : true network.proxy.socks_version : 5 network.proxy.type : 1
You can also use a socks proxy with things that don't support socks proxies, eg apt, install tsocks then create ~/.tsocks.conf with this in it:
server = 127.0.0.1 server_port = 9999 server_type = 5
Then run apt like this:
sudo tsocks apt-get update
And you could add some aliases to ~/.bashrc like this:
alias apt-get='sudo tsocks apt-get' alias apt-cache='sudo tsocks apt-cache'
Changing the location of bookmarks
If you in effect wipe all your history then the autocomplete in the location bar doesn't work so well, one work around is to move the bookmarks to somewhere where it doesn't get deleted and bookmark the pages you often visit.
On the about:config page set network.prefetch-next to false to disable