Saturday, November 25, 2017

PGP and GnuPG

 
CERT at Carnegie Mellon University - Software Engineering Institute has said "We recommend that you encrypt sensitive information in email to protect it from being viewed by unintended recipients. We prefer OpenPGP standard cryptography, which usually means Pretty Good Privacy (PGP) or the GNU Privacy Guard (GnuPG or GPG)." 
 
Having an OpenPGP key-pair allows others, who have a copy of your public key, to send you encrypted messages that only you (with your private key) can read. There are several freeware programs that use OpenPGP. I have listed some of the most popular and easy-to-use programs here:
 
Once you have a PGP key-pair, publish your public key where others can easily access it, such as on your Facebook ‘Contact an Basic Info’ page, on your personal web-page, in your blog (my PGP public key can be found here),  or upload your public key to a PGP Key Server.
 
Even if you regularly use some other means of encrypted communication, having a PGP key-pair has many advantages, such as allowing someone you never met to communicate with you securely (as long as that person has your public key), and allowing people you have never met to validate things that you have digitally signed with your private key.
 
 



Friday, November 24, 2017

How to Encrypt Your Facebook Messages

 
If you use Facebook Messenger on your phone, please be sure that you have the latest version (to support 'Secret Conversations'). If you haven't done so, go to the App Store / Play Store and re-install / update your version of FB Messenger. Secret Conversations has been available in Facebook Messenger for over a year, but many long-time users of Messenger may not have the most current version on their phones.
 
Updating to the latest version of Messenger will give you the option of using the 'Secret Conversations' function to have end-to-end encryption when sending a FB Message to someone else's phone. Secret Conversations can be turned on when starting a new message within Messenger.  Messages will only be kept secret if both users have the updated versions. If someone is using an outdated version of Messenger they won't be able to send and receive Secret Conversations.
 
A secret conversation in Messenger is encrypted end-to-end, which means the messages are intended just for you and the other person - not anyone else, including us. Keep in mind that the person you're messaging could choose to share the conversation with others (example: a screenshot). Both you and the other person in the secret conversation have a device key that you can use to confirm that the messages are end-to-end encrypted. You can use multiple devices for secret conversations.
 
The Facebook help page provides the following instructions for using Secret Conversations:
 
Secret Conversations also gives people the option to let specific messages within Secret Conversations expire after five seconds or up to a day -- a feature not unlike what's offered on Snapchat.
 
Secret Conversations are currently only available in the Messenger app on iOS and Android, so they won't appear on Facebook chat or messenger.com.
 
 




Thursday, November 23, 2017

Stingray - How Cops Hack Your Phone

 
Police agencies around the United States are using a powerful surveillance tool to mimic cell phone signals to tap into the cellular phones of unsuspecting citizens, track the physical locations of those phones, and perhaps even intercept the content of their communications. The device is known as a Stingray, and it is being used in at least 23 states and the District of Columbia. Originally designed for use on the foreign battlefields of the War on Terror, "cell-site simulator" devices have found a home in the arsenals of dozens of federal, state, and local law enforcement agencies.

In an article published yesterday (November 22, 2017), Isabella McKinley Corbo discusses "How cops hack into your phone without a warrant" and the upcoming US Supreme Court case involving Timothy Carpenter. At the end of November, however, Carpenter’s lawyers will argue in front of the Supreme Court that the FBI violated his Constitutional rights by searching his cell phone’s location data without a warrant. His case could change how law enforcement goes about finding and using information on Americans’ cell phones. 

Wednesday, November 22, 2017

Confidential Tips

 
Whether you are a whistleblower wanting to provide information to a news agency, or a news agency wanting to be able to receive reports from confidential sources, it is important to understand how to securely and anonymously send and receive sensitive information. The Intercept, the Washington Post, and the Guardian each provide instructions on their official web-pages for individuals who wish to provide confidential tips to these news agencies. If you want to set up a way for sources to contact you anonymously and securely; reading the article "Opening Secure Channels for Confidential Tips" may provide you with some good ideas.
 
It’s not just news agencies, however, that may want to receive information from confidential sources. A law enforcement agency may want to receive tips about crime, and a security agency may want to receive suspicious activity reports. Having a way for sources to provide you with information anonymously and securely may result in you receiving information that you might not otherwise get if sources must fear for their safety, or risk exposure in the public eye. Of course, an anonymous report means that you have to work harder to validate the credibility and veracity of the information that you receive, but in many case the reward is worth the extra effort. It may also be that a source is willing to identify himself or herself, but wants to ensure the security of the information that he or she is providing. Secure communication tools such as GnuPG, Signal, and Secure Drop make this possible.  If you work for the DOD, or other government agency, you might consider using Safe Access File Exchange as a way to securely send and receive information. 
 
Dealing with confidential sources and maintaining secure communication is a skill that requires practice, and requires having the necessary protocols set up before you actually need them. So, if tomorrow someone wanted to contact you with time-sensitive, confidential, information would you have a way to receive it and protect your source?
 
 



Tuesday, November 21, 2017

Underground Tradecraft

 
 
Anarchists, activists, protesters, and dissenters all have their own security culture and employ their own underground tradecraft to protect themselves from surveillance and arrest by the state. There are several guides and manuals that offer advice to these groups. Some of the advice offered is just good general security that may be of interest to anyone regardless of their activities, while other information is specifically aimed at circumventing the law. Whether you are just looking for some security advice for your daily life, or you are trying to understand the tradecraft employed by anarchists, activists, protesters, and dissenters it can be useful to read the security guides and manuals published by and for these groups.
 
The following are just a few of many such guides available on-line:
 
 
 
 
 
 

Email security for Black Lives Matter activists

Surveillance Self-Defense Against the Trump Administration

Cybersecurity for the People: How to Protect Your Privacy at a Protest

Monday, November 20, 2017

Six Books You Should Read

 

This textbook, at nearly 500 pages, will explain how to become digitally invisible. You will make all of your communications private, data encrypted, internet connections anonymous, computers hardened, identity guarded, purchases secret, accounts secured, devices locked, and home address hidden. You will remove all personal information from public view and will reclaim your right to privacy. You will no longer give away your intimate details and you will take yourself out of 'the system'. You will use covert aliases and misinformation to eliminate current and future threats toward your privacy & security. When taken to the extreme, you will be impossible to compromise. This work contains the Third Edition of Hiding from the Internet in its entirety.
Law professor James J. Duane became a viral sensation thanks to a 2008 lecture outlining the reasons why you should never agree to answer questions from the police—especially if you are innocent and wish to stay out of trouble with the law. In this timely, relevant, and pragmatic new book, he expands on that presentation, offering a vigorous defense of every citizen’s constitutionally protected right to avoid self-incrimination. Getting a lawyer is not only the best policy, Professor Duane argues, it’s also the advice law-enforcement professionals give their own kids. Using actual case histories of innocent men and women exonerated after decades in prison because of information they voluntarily gave to police, Professor Duane demonstrates the critical importance of a constitutional right not well or widely understood by the average American. Reflecting the most recent attitudes of the Supreme Court, Professor Duane argues that it is now even easier for police to use your own words against you. This lively and informative guide explains what everyone needs to know to protect themselves and those they love.
From cyberspace to crawl spaces, new innovations in information gathering have left the private life of the average person open to scrutiny, and worse, exploitation. In this thoroughly updated third edition of his immensely popular guide How to Be Invisible, J.J. Luna shows you how to protect your home address, hide your ownership of vehicles and real estate, use pagers with dumbphones, switch to low-profile banking and invisible money transfers, use alternate signatures, and how to secretly run a home-based business. J.J. Luna divulges legal methods to attain the privacy you crave and deserve, whether you want to shield yourself from casual scrutiny or take your life savings with you and disappear without a trace. Whatever your needs, Luna reveals the shocking secrets that private detectives and other seekers of personal information use to uncover information and then shows how to make a serious commitment to safeguarding yourself.
 
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
Your cell phone provider tracks your location and knows who’s with you. Your online and in-store purchasing patterns are recorded, and reveal if you're unemployed, sick, or pregnant. Your e-mails and texts expose your intimate and casual friends. Google knows what you’re thinking because it saves your private searches. Facebook can determine your sexual orientation without you ever mentioning it. The powers that surveil us do more than simply store this information. Corporations use surveillance to manipulate not only the news articles and advertisements we each see, but also the prices we’re offered. Governments use surveillance to discriminate, censor, chill free speech, and put people in danger worldwide. And both sides share this information with each other or, even worse, lose it to cybercriminals in huge data breaches.
 
Your every step online is being tracked and stored, and your identity literally stolen. Big companies and big governments want to know and exploit what you do, and privacy is a luxury few can afford or understand. In this explosive yet practical book, Kevin Mitnick uses true-life stories to show exactly what is happening without your knowledge, teaching you "the art of invisibility"--online and real-world tactics to protect you and your family, using easy step-by-step instructions. Reading this book, you will learn everything from password protection and smart Wi-Fi usage to advanced techniques designed to maximize your anonymity.
 
How to Disappear is the authoritative and comprehensive guide for people who seek to protect their privacy as well as for anyone who’s ever entertained the fantasy of disappearing—whether actually dropping out of sight or by eliminating the traceable evidence of their existence. Written by the world’s leading experts on finding people and helping people avoid being found, How to Disappear covers everything from tools for disappearing to discovering and eliminating the nearly invisible tracks and clues we tend to leave wherever we go. Learn the three keys to disappearing, all about your electronic footprints, the dangers and opportunities of social networking sites, and how to disappear from a stalker.

Secure Your Communications

 
U.S. Justice Louis Brandeis called privacy "the right to be left alone;" the concept that one's personal information is protected from public scrutiny. Having a secure means of communication is essential to preserving our privacy rights and safeguarding our civil liberties.
 
The following programs and applications all provide good security for your on-line communications. I encourage you to review each of these programs adopt the ones that meet your needs.
 
Tox - https://tox.chat
Wire - https://wire.com/en/
Wickr https://www.wickr.com/personal/
GnuPG - https://www.gnupg.org
Ring - https://ring.cx
ProtonMail - https://protonmail.com
Tutanota - https://tutanota.com
Jitsi - https://jitsi.org/jitsi-meet/


If you are serious about protecting your private communications, you will probably end up using more than one of these programs. To have secure communications it is necessary that everyone is using the same communication protocol (i.e. everyone chats on Wire, or everyone sends e-mail between ProtonMail accounts). As your number of contacts who use secure communications increases, you may find that not everyone has chosen the use program or application. In this case it will be necessary to agree upon a secure means of communication. Having several secure communications possibilities available, and being familiar with how these programs work, can make it easier to quickly establish a secure communication channel. Finally, while I believe that each of the above programs provides very good security, it is possible that any one of them could be compromised somehow in the future. In this case having redundant secure communications channels allows you to continue to protect your private communications.   
 
 




Sunday, November 19, 2017

No Skype

 

Some have asked what I think of Skype and whether I use it for personal communications. First, let me say that while Skype provides clear and reliable communication across a variety of platforms; Skype is a communications platform where your private communications are monitored by both Microsoft and by various government agencies. Microsoft (and likely some government agencies) holds the Skype encryption keys, so it has the ability to decrypt and monitor your conversations whenever it wishes. So... No, I do not use Skype for my personal communications, nor do I recommend it to others.
 
Let’s see what others have said about Skype:
 
Skype uses 256 bit AES to encrypt communication between users, although when calling a telephone or mobile, the part of the call over the public switched telephone network (PSTN) is not encrypted. Skype's encryption is inherent in the Skype Protocol and is transparent to callers. Skype is not considered to be a secure VoIP system as the calls made over the network do not make use of end-to-end encryption, allowing for routine monitoring by Microsoft and by government agencies. (Wikipedia)  
 
According to the German web-site DW Akademie "Skype is incredibly popular for making calls and sending instant messages. Part of its attraction is because it’s cheap and easy to use. But many journalists and dissidents also use Skype because they believe it is safe from surveillance and eavesdropping. That simply isn’t true... It is unclear, however, to what extent agencies or governments in other countries apart from the US have been given a backdoor to able to eavesdrop on Skype (although it is clear that Skype in China has been modified to allow for the scanning of certain keywords to filter out messages deemed sensitive by the Chinese government). But even if we play naive and assume Skype isn’t cooperating with other countries, there’s a still a big hole in the belief it can’t eavesdrop on its own services. Earlier in 2013, it was revealed that Microsoft scans Skype instant message (IM) services for URL links. This is a common practice in many companies and isn’t necessarily a bad thing. Companies need to be able to check messages to make sure they aren’t carrying fraudulent links to phishing websites. But in this case, the news that Microsoft was even able scan the messages set off alarm bells in the internet community. This is because it proves the company can convert Skype messages into human readable form even though it has always said it can’t." 

ARS Technica wrote "If you think the private messages you send over Skype are protected by end-to-end encryption, think again. The Microsoft-owned service regularly scans message contents for signs of fraud, and company managers may log the results indefinitely... And this can only happen if Microsoft can convert the messages into human-readable form at will... Still, there's a widely held belief - even among security professionals, journalists, and human rights activists -that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party's control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth... So, the next time you use Skype, enjoy the clarity of the voice communications, its generally slick user interface, and its many other benefits. Just don't think the service can't peer into your messages and store indefinitely what Microsoft managers want. It can, and until officials specifically disclose their practices, users should assume it does."
 
Because our private conversations on Skype can be, and we must assume are being, monitored; Skype does not provide an environment that is secure enough to protect sensitive, private, or personal information. This being said, Skype is certainly more secure than a standard telephone call - which isn't secure at all - but being more secure than no security at all isn't any type of recommendation. There are secure alternatives to Skype that allow us to secure our private messages and conversations, and for my personal use I choose to use a platform that provides me this additional security.