An Essential Guide for Activists: Comprehensive Basic Security

Thursday, July 20th, 2017

The following smart phone info applies to Androids. I would assume it can be adapted for iPhones as well.

Why do you need security?  Because you’re an activist!

I am far from a security expert; I have no technical background whatsoever. I am, however, an expert on being raided and having my privacy repeatedly violated by law enforcement (LE). Do they really need your compromising pictures?! Nothing will protect you 100% online. They’ve penetrated and seized entire dark web criminal enterprise sites. So if they want you, they’ll get you. But we can sure as fuck take steps to protect your privacy.

Passwords

Your system is only as secure as your password. A “brute force” attack is where a program tries to crack your password by trial and error. I believe that our only real protection is in using a password that will potentially take years to crack.  16-character passwords have been cracked by hackers in under an hour. So I don’t believe estimates that it will take 50 years to crack a complex 64-character password; nonetheless, even if it takes a year or two, time is your friend here.
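An added example (not part of the original post) of why length alone does not decide how long a brute-force attack takes: it compares a password built from a guessable pattern with one of 16 random characters. The guess rate, the 10,000-word list and the pattern are assumptions chosen for illustration.

```python
import math

# Assumption: offline attack at 10 billion guesses per second. Real rates vary
# by orders of magnitude with the password hash and the attacker's hardware.
GUESSES_PER_SECOND = 1e10

def random_keyspace(length, alphabet_size=94):
    """Candidates when every character is picked at random from the
    94 printable ASCII symbols."""
    return alphabet_size ** length

def pattern_keyspace(choices_per_slot):
    """Candidates when the password follows a guessable pattern; each entry
    is the number of options for one slot (word, number, symbol)."""
    return math.prod(choices_per_slot)

def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace / rate

def bits(keyspace):
    """Size of the search space expressed in bits."""
    return math.log2(keyspace)

# Constructed pattern: word + word + 4 digits + symbol, with both words taken
# from a 10,000-word list. The result is long, but the search space is small.
HUMAN_PATTERN = [10_000, 10_000, 10_000, 32]

if __name__ == "__main__":
    cases = [("word+word+digits+symbol", pattern_keyspace(HUMAN_PATTERN)),
             ("16 random characters", random_keyspace(16))]
    for label, space in cases:
        secs = seconds_to_exhaust(space)
        print(f"{label}: {bits(space):.1f} bits, {secs:.3g} seconds, "
              f"{secs / 31_557_600:.3g} years")
```

What matters is how the password was generated: a program tries likely patterns first, so a long password made of common words and a year can fall quickly while a random one of similar length does not.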

Whole-Disk Encryption

The first and most basic measure you need is disk encryption. This means that if your device is in the physical possession of LE, they have to break in first to be able to access your drive. I prefer encryption systems that will wipe your drive if the wrong password is entered 10 times. I know, none of us wants to lose all the data we’ve accumulated. But your personal information is better gone than in the hands of someone — LE or an identity thief — who will use it against you. Everything I discuss is open-source, unless otherwise noted.

LAPTOPS

I liked TrueCrypt because if anyone entered my password wrong 10 times, my drive would wipe and the device would become useless. Since TrueCrypt is no longer maintained, my research suggests that VeraCrypt is the best open-source (non-corporate) tool available. I have a tech who sets up my encryption for me, I use my complex password, and once it’s set up, it is transparent. Just do it. You never have to think about it again.

SMART PHONE

Encrypt your Android through your security settings and set it to wipe and revert to factory settings if your password is incorrectly entered 10 times. I respect Apple for refusing a government subpoena last year demanding they decrypt the phone of an alleged terrorist. However, someone did, in fact, break the encryption. If they are intent upon accessing your data, they will. Data can be retrieved even after a factory reset. A good habit is to use an iShredder app during routine maintenance.

Get in the habit of powering down whenever you leave the house. If you run to the store and leave your laptop open it defeats the purpose. No one is going to make an appointment to come raid your house or rob you. It happens when you least expect it. Be prepared.

Virtual Private Networks (VPNs) & Tor

So you decrypted your device and you’re ready to get online. Not yet. As soon as you connect to the internet, your provider (Comcast, Verizon, etc.) can see everywhere you go and log all of your activity. If LE ever subpoenas them, they will hand it right over. Not concerned with the state? Suppose you Google “popular murder methods” out of sheer curiosity and your next-door neighbor is murdered. The “evidence” would seem to point to you. Let me disabuse you of any misconceptions like “if I didn’t do anything, I have nothing to hide.” No one cares about your guilt or innocence where LE is involved. It’s about winning and losing, period. Maybe you’re more concerned about protecting your identity online. You need a VPN. It will route your traffic through a third-party proxy so that your provider can’t spy on what you do online. It will hide your IP so you cannot be identified, but it does not completely anonymize the user.

LAPTOPS

I only trust two VPNs, both user-friendly (i.e., EASY), and neither keeps any records of what you do once you connect. You can choose the location you wish to connect through. These are not open-source so there is a fee. If you really want to protect your identity, you can pay with Bitcoins. (A separate post will be published about cryptocurrencies and Tails.) You can compare IPVanish and NordVPN and decide which you like best.

Tor is a browser like Firefox that will anonymize you on the web (it hides your identifying information such as browser or operating system). You may download Tor here and there is a lot of information on the site about how it works. It’s a good idea to read up on the background and how you should use it most safely (e.g., don’t make the browser full screen, turn off JavaScript, etc.).

SMART PHONE

Bitmask is free and easy to use. It will divert your traffic through Montreal. You will need to open up a Riseup Black account and may download the Android software there or through Google Play. The instructions to set it up are simple. Download, log in with your Black account, turn it on.

In order to access Tor on your Android, you need to download Orbot and Orfox from Google Play. Simply explained, Orbot is a server that connects to the Tor network. It needs to be running in the background. Orfox is your browser that will connect through Orbot.

VPNs and Tor are intended to protect your identity to make your online experience as safe as possible. If you want to check your public IP as well as how much of your information may be leaking out, JonDo is an amazing resource. Click here to do their IP check.

Encryption

Regular PGP (Pretty Good Privacy) allows people to exchange communications in code. Each party exchanges their keys, allowing them to unlock each other’s messages. OTR (Off-the-Record) is a type of encryption where the key only works for the duration of a conversation, then disappears. With regular PGP, if someone gains access to your device, they can read all of your old messages if they find your key. With OTR, no one will ever be able to read them again.
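The difference described above, as an added example that is not part of the original post: a simplified model of a long-term key (PGP-style) versus keys discarded after the conversation (OTR-style), showing what recorded traffic can be recovered from a seized device. The toy Diffie-Hellman group, the XOR cipher and all names here are assumptions for illustration, not the real PGP or OTR protocols.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group for illustration only: 2**127 - 1 is prime but far
# too small for real use, and the XOR keystream below is a stand-in cipher.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def xor_cipher(key, data):
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def recover(stored_privs, sender_pub, ciphertext):
    """What someone holding the device can read from recorded traffic."""
    for priv in stored_privs:
        plain = xor_cipher(shared_key(priv, sender_pub), ciphertext)
        if plain.startswith(b"MSG:"):
            return plain
    return None

def long_term_key_model():
    # PGP-style: the recipient keeps one private key on the device for years.
    bob_priv, bob_pub = keypair()
    eph_priv, eph_pub = keypair()            # sender's per-message key
    ct = xor_cipher(shared_key(eph_priv, bob_pub), b"MSG: meet at noon")
    device_keys = [bob_priv]                 # still stored at seizure time
    return recover(device_keys, eph_pub, ct)

def per_conversation_key_model():
    # OTR-style: both sides use fresh keys and delete them when the chat ends.
    bob_priv, bob_pub = keypair()
    alice_priv, alice_pub = keypair()
    ct = xor_cipher(shared_key(alice_priv, bob_pub), b"MSG: meet at noon")
    del bob_priv, alice_priv                 # conversation over, keys gone
    device_keys = [keypair()[0]]             # only an unrelated later key
    return recover(device_keys, alice_pub, ct)

if __name__ == "__main__":
    print("long-term key: ", long_term_key_model())
    print("per-conversation keys:", per_conversation_key_model())
```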

LAPTOP

GPG4win is a free PGP system that you can download here. And Deepdotweb published this excellent step-by-step tutorial for beginners.

SMART PHONE

We use text and messengers for everything. This may be the most important information for some. You need to encrypt and protect your chats. A messenger that gets some rave reviews is Signal. DON’T use it. Don’t trust any anonymity app that wants to trace you through your phone number.

ChatSecure may be downloaded through Google Play. It encrypts your chats while you are communicating and then erases them. It transmits through the Tor network (Orbot on your phone) and records nothing on your phone’s drive. This manual will walk you through how to install and set it up. I prefer this method.

Conversations (Jabber/XMPP) can be downloaded through Google Play for $2.49. It is more user-friendly, which may make it preferable. If your friends won’t use a security app, it makes it worthless. You can also use OTR with Conversations, which makes it a very nice option.

Please let me know if you have any questions, need help, or if you have anything to add to this guide.