HOW TO SECURE YOUR DAILY DIGITAL COMMUNICATIONS
=============================================================

v0.2 Thu Oct 20 13:42:24 EDT 2016

Almost all of these tools and techniques apply to both desktop and mobile. A few cases are specifically for mobile devices.

All of the tools presented below have been approved and validated by cryptography and network security experts who have proven themselves on the public record and who speak out in favor of privacy rights. All worthy crypto tools are transparent by design and work correctly even though the code is visible to all.

Any one of the following tools and suggestions will improve your day-to-day security and protect your privacy. Naturally, developing a practice that uses as many of these suggestions as possible will result in stronger protection against criminal and commercial theft of your personal data.

TABLE OF CONTENTS

  * EASY THINGS TO DO
  * ADVANCED OPTIONS
  * LEARN ABOUT CRYPTOGRAPHY AND SECURITY
  * RESOURCES AND ORGANIZATIONS

USEFUL SITES

  https://duckduckgo.com
  https://www.ghostery.com
  https://emailselfdefense.fsf.org
  https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8
  https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en
  https://www.wickr.com
  https://spideroak.com/solutions/semaphor
  https://www.torproject.org
  http://www.panix.com/general/howsub.html
  https://tails.boum.org
  https://securedrop.org
  https://freedom.press
  https://geti2p.net
  http://cydia.saurik.com/
  http://thebigboss.org/
  https://ipsw.me/

EASY THINGS TO DO
----------------------------------------------------

1  STOP USING SERVICES THAT COMPROMISE YOUR PERSONAL DATA BY GIVING YOU FREE SERVICES.

   This means Facebook and Google and anything like them (e.g. Pokemon Go!). Google's business is advertising. Facebook's business is demographic modelling. Especially don't use Google telephone services.
   Your conversations are translated into text messages and associated with your identity, just like your emails. All these are searched and sorted to build a profile about you and to send you advertisements.

   If you must use these services, ALWAYS LOG OUT WHEN YOU ARE FINISHED. If you do not log out, they continue to track all your activities on your computer or your mobile device. ALWAYS LOG OUT.

2  Don't post anything about your friends or family unless you know they approve. Most private information is leaked via the "best intentions" of friends and family.

3  Use a DIFFERENT PASSWORD WITH EACH SERVICE.

   Exercise your associative imagination. Use a unique password that comes to mind when you visit a particular site in a particular way. Better that your passwords are different than complex. (Though complex is always good.)

4  Choose an Internet SEARCH ENGINE THAT RESPECTS YOUR PRIVACY.

   https://duckduckgo.com

   DuckDuckGo has a mandate not to record or catalog your searches. You can set it to be your default search engine. Most search sites remember your searches and build a profile about you based on your interests. Think about all the weird stuff you search for. These results are cataloged over your lifetime and sold to advertisers and other agencies.

5  Block all the PIXELS AND TRACKERS THAT RECORD YOUR WEB BROWSING BEHAVIOR and build your identity into shared cookies.

   Download and install a plugin for your browser from Ghostery:

   https://www.ghostery.com
   http://www.npr.org/sections/alltechconsidered/2014/02/24/282061990/if-you-think-youre-anonymous-online-think-again

   Ghostery shows you all the trackers that engage when you visit a web page. You can easily turn them all off, or selectively turn them on or off.

   Pixels and trackers are little programs that fire when you visit a page. Some pages are crowded with 10-20 or more pixels from a variety of sources including advertisers, social networks and third-party data gathering organizations.
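   To see what a tracker blocker such as Ghostery is actually looking at in item 5, here is an added example (not part of the original guide and not Ghostery's code) that parses a page and lists every resource fetched from a host other than the page's own site, flagging 1x1 or hidden images as tracking pixels. The HTML and the domain names in it are constructed for the example; the "registrable domain" check is a deliberately crude last-two-labels rule, where real blockers consult the Public Suffix List.

```python
"""Enumerate the third-party resources a page loads, the way a tracker blocker does.

Added example; not part of the original guide and not Ghostery's code. The HTML
below is constructed for the example, and the domain names in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two first-party resources, four third-party ones.
SAMPLE_PAGE_URL = "https://example-news.test/article/42"
SAMPLE_HTML = """
<html><head>
  <script src="https://example-news.test/static/app.js"></script>
  <script src="https://cdn.adnetwork-one.test/track.js"></script>
  <link rel="stylesheet" href="/static/style.css">
</head><body>
  <img src="https://example-news.test/logo.png" width="200" height="50">
  <img src="https://pixel.adnetwork-one.test/p.gif?uid=123" width="1" height="1">
  <img src="https://social-widget.test/beacon" style="display: none">
  <iframe src="https://social-widget.test/like-button"></iframe>
</body></html>
"""

# Tags whose URL attribute makes the browser fetch from (and so contact) another host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for every resource-loading element in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = {k: (v or "") for k, v in attrs}   # valueless attributes come back as None
        url = attr_map.get(attr_name)
        if url:
            self.resources.append((tag, url, attr_map))


def registrable_domain(host):
    """Crude site identity: the last two labels of the host name.
    Real blockers use the Public Suffix List; this is enough for the sample."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def looks_like_pixel(tag, attrs):
    """A 1x1 or hidden image exists only to fire a request, i.e. a tracking pixel."""
    if tag != "img":
        return False
    tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
    hidden = "display:none" in attrs.get("style", "").replace(" ", "")
    return tiny or hidden


def find_third_party_resources(html, page_url):
    """Return one finding per resource whose host is not the page's own site."""
    collector = ResourceCollector()
    collector.feed(html)
    first_party = registrable_domain(urlparse(page_url).hostname)
    findings = []
    for tag, url, attrs in collector.resources:
        host = urlparse(url).hostname
        if host is None:          # relative URL: served by the page itself
            continue
        domain = registrable_domain(host)
        if domain != first_party:
            findings.append({"tag": tag, "host": host, "domain": domain,
                             "pixel": looks_like_pixel(tag, attrs)})
    return findings


def third_party_domains(html, page_url):
    """The set of outside organisations that learn about this page view."""
    return sorted({f["domain"] for f in find_third_party_resources(html, page_url)})


if __name__ == "__main__":
    for f in find_third_party_resources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        kind = "PIXEL " if f["pixel"] else "load  "
        print(f"{kind}{f['tag']:<7}{f['host']}")
    print("third parties contacted:",
          ", ".join(third_party_domains(SAMPLE_HTML, SAMPLE_PAGE_URL)))
```

   Run against the constructed page it reports four third-party loads, two of them pixels, from two outside domains. Every one of those fetches carries the visitor's IP address and any cookie the third party has previously set, which is the mechanism by which a pixel on one site can recognise the same visitor on another.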
   Pixels search your system, track your behavior and record it in cookies (browser cookies, that is), which are then sent back to the creators of the pixel. Pixels at one site can talk to pixels at another site, like a virus. This technology is effectively unregulated by law.

6  Spend 15 minutes to READ THROUGH THE PREFERENCES SECTION OF YOUR BROWSER.

   Pay attention to network, privacy and cookie settings. Learn how to turn off cookies and how to limit, zero out or reset your history each time you start or stop your browser. Browsers like Safari and Firefox provide lots of options, including allowing you to set and limit your search engines. Your browser will help you build a security perimeter.

7  Use PGP to ENCRYPT YOUR MESSAGES WITH PUBLIC-PRIVATE KEYPAIRS:

   https://emailselfdefense.fsf.org

   If you manage your keys carefully, you can exchange secure messages across insecure channels. Share your public key fingerprint on your business card to BOOTSTRAP THE WEB OF TRUST.

8  Use the Signal app on your phone to MAKE SECURE CALLS AND SEND SECURE TEXT MESSAGES.

   It requires one registration step to configure and works through the communication apps you already have installed on your Apple or Android phone:

   https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8
   https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en

9  Use the Wickr app to SEND SECURE TEXT MESSAGES THAT SELF-DESTRUCT after a period of time chosen by you:

   https://www.wickr.com

10 If your enterprise uses chat tools, migrate towards secure alternatives. Semaphor is a new alternative to Slack:

   https://spideroak.com/solutions/semaphor
   http://www.dailydot.com/layer8/semaphor-spideroak-collaboration-security/

11 Obscure your web traffic by using a browser enhanced by onion routing protocols:

   https://www.torproject.org

   Even if you are encrypting your traffic, the start and end points of your traffic can provide useful information to an adversary.
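   Returning to the fingerprint that item 7 suggests printing on a business card: it is worth knowing what that string is, so that you compare the right thing when someone hands you one. The following is an added example, not from the original guide and not GnuPG's code. It builds a version 4 RSA public-key packet body and derives the fingerprint exactly as RFC 4880 section 12.2 specifies (SHA-1 over 0x99, a two-octet length and the packet body), shows that the key ID is just the tail of the fingerprint, and checks a card against a key while refusing to accept a bare key ID as proof. The key material is a tiny constructed value chosen only to exercise the format; it is not a usable key.

```python
"""What the fingerprint on a business card actually is, and how to check it.

Added example; not from the original guide or from GnuPG. It follows RFC 4880:
a v4 OpenPGP fingerprint is SHA-1 over 0x99, a two-octet length and the
public-key packet body; the key ID is the low 64 bits (last 16 hex digits).
The RSA modulus below is a tiny constructed value, not a usable key.
"""
import hashlib
import re

# Constructed toy key material (far too small for real use; it only exercises the format).
TOY_CREATED = 1476985344          # creation time, seconds since the epoch
TOY_N = 0xC0FFEE0DDBA11CAFEF00D   # stand-in "modulus"
TOY_E = 65537


def mpi(value):
    """OpenPGP multi-precision integer: two-octet bit length, then big-endian bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created, n, e):
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2):
    version, creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body):
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || body, as 40 hex digits."""
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()


def key_id(fpr, long=True):
    """Long (64-bit) or short (32-bit) key ID: simply the trailing digits of the fingerprint."""
    return fpr[-16:] if long else fpr[-8:]


def format_for_card(fpr):
    """Groups of four, with a double space between the halves, as gpg prints it."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def normalize(text):
    """Strip the spacing and colons people add when writing a fingerprint down."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def fingerprint_matches_card(card_text, key_fpr):
    """True only when the card carries the whole 40-digit fingerprint and it matches.
    A bare key ID is rejected: 8 or 16 hex digits are not enough to identify a key."""
    card = normalize(card_text)
    return len(card) == 40 and card == key_fpr.upper()


if __name__ == "__main__":
    fpr = fingerprint(rsa_public_key_body(TOY_CREATED, TOY_N, TOY_E))
    print("fingerprint:", format_for_card(fpr))
    print("long key id:", key_id(fpr), " short key id:", key_id(fpr, long=False))
```

   The point of the last function is the check a practitioner wants: compare all forty hex digits, never just the key ID that mail clients display, since the short ID is only 32 bits and the fingerprint covers the whole public key and its creation time.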
   Onion routing defeats traffic analysis techniques by routing your packets through a mesh of onion routers before they reach your destination.

ADVANCED OPTIONS
----------------------------------------------------

101 Move your primary email account to a small but successful Internet Service Provider whom you can trust. Learn about them by word of mouth and go visit them in person. One such organization is Panix:

    http://www.panix.com/general/howsub.html

102 Never read email in a browser. Browsers secure their connections with SSL, but they do this to protect the servers and not the end users. Instead, read your mail from the command line using SSH. Any ISP you trust can give you a terminal account and give you pointers on how to configure and read your email.

    http://www.panix.com/email/
    http://www.panix.com/shell/

    Secure Shell (SSH) is like PGP, except it works on the command line with remote hosts. SSH allows you to set up a public-private keypair and automatically encrypts your packets:

    https://en.m.wikipedia.org/wiki/Secure_Shell

103 Learn UNIX. UNIX is the operating system that runs on most machines and devices, including iOS, Android, MacOS, Linux and your terminal account at your trusted ISP. The first half of "The UNIX Programming Environment" discusses, by example, how to use and configure your terminal account:

    https://en.wikipedia.org/wiki/The_Unix_Programming_Environment

104 Install Tails on a thumbdrive to create a PORTABLE SECURE SERVER:

    https://tails.boum.org

105 If you are a journalist, whistle-blower or simply need to communicate or send documents from a hostile or insecure environment, you can use SecureDrop from the Freedom of the Press Foundation:

    https://securedrop.org
    https://freedom.press

    SecureDrop combines cryptography, PGP, onion routing, the Tails secure server and other techniques to allow you to communicate anonymously with a SecureDrop endpoint from almost any security-hostile environment, anywhere in the world.
    Many major news agencies worldwide have adopted SecureDrop in their day-to-day activities.

106 Use the Invisible Internet Project (I2P) to run onion routing by hand on your local machine. I2P can be downloaded and started in 15 minutes or less. It provides proxy host port numbers allowing you to anonymize any of your localhost services with onion routing, including your browser in its standard configuration:

    https://geti2p.net

107 Use a DIFFERENT EMAIL ADDRESS WITH EACH INTERNET SERVICE to which you subscribe.

    One way to do this is to purchase a cheap domain name that forwards to your home account. Then use a different login with each Internet service. This should help to fracture your identity metrics across all the services you use rather than consolidating them under a single email. You can purchase the domain name of your choice from any number of domain name management companies, such as GoDaddy.

    By using a different login, you decrease the ability of sites and trackers to associate all your activity into a single identity. We cannot always hide our data. But we can generate noise around our data such that the "value" of our identity is lost in the multiplicity of noise.

108 Jailbreak your device.
    Use it as a full-service UNIX machine while continuing to leverage the standard UI:

    http://cydia.saurik.com/
    http://thebigboss.org/
    https://ipsw.me/

LEARN ABOUT CRYPTOGRAPHY AND SECURITY
----------------------------------------------------

history of alphabetic ciphers
  https://en.wikipedia.org/wiki/The_Codebreakers

introduction to digital ciphers and network cryptography
  https://www.amazon.com/Network-Security-Private-Communication-Public/dp/0130460192
  http://internethalloffame.org/inductees/radia-perlman

Marcus Ranum on SSL
  https://threatpost.com/how-i-got-here-marcus-ranum/112924/

thorough overview of digital cryptography
  https://www.schneier.com/books/applied_cryptography/
  https://www.schneier.com/cryptography.html

RESOURCES AND ORGANIZATIONS
----------------------------------------------------

Application Transport Security and Perfect Forward Secrecy
  http://motherboard.vice.com/read/apple-wants-to-kill-the-unencrypted-internet?trk_source=recommended
  http://crypto.stackexchange.com/questions/8933/how-can-i-use-ssl-tls-with-perfect-forward-secrecy
  https://www.cnet.com/news/data-meet-spies-the-unfinished-state-of-web-crypto/
  https://whispersystems.org/blog/asynchronous-security/

Bitcoin
  https://en.wikipedia.org/wiki/Bitcoin
  http://financialcryptography.com/

Citizenfour by Laura Poitras
  https://citizenfourfilm.com/about
  http://cryptome.org

Electronic Privacy Information Center
  https://epic.org/

Electronic Privacy Papers
  https://www.schneier.com/book-privacy.html

Hackers on Planet Earth conference
  http://livestream.com/internetsociety/hopeconf/
  https://www.2600.com
  http://store.2600.com/collections/hope-flash-drives

Highlights from HOPE 2016 -- https://hope.net/grid.html

  Crypto War II: Updates from the Trenches
    http://livestream.com/internetsociety/hopeconf/videos/130664320

  Freedom and Privacy in Our Lives, Our Governments, and Our Schools
    http://livestream.com/internetsociety/hopeconf/images/131213653

  LinkNYC Spy Stations
    http://livestream.com/accounts/686369/hopeconf/videos/130816888

  Privacy, Anonymity, and Individuality -- The Final Battle Begins with Stephen Rambam
    http://livestream.com/internetsociety/hopeconf/videos/130737666

  The Next Billion Certificates: Let's Encrypt and Scaling the Web PKI
    http://livestream.com/accounts/686369/hopeconf/videos/130816207

  The Onion Report
    http://livestream.com/internetsociety/hopeconf/videos/130664126

Internet Engineering Task Force
  http://ietf.org/
  https://trac.tools.ietf.org/area/sec/trac/wiki

iPhone security
  http://www.libimobiledevice.org/
  https://itunes.apple.com/us/book/hacking-securing-ios-applications/id497526358?mt=11
  https://itunes.apple.com/us/book/iphone-forensics/id396891637?mt=11
  https://www.zdziarski.com/blog/?page_id=150
  https://media.blackhat.com/bh-us-12/Briefings/Zdziarski/BH_US_12_Zdziarski_Dark_Art_of_iOS_Application_Hacking_Slides.pdf
  www.zdziarski.com/blog/wp-content/uploads/2010/02/iphone_forensics_gartner.zip

location services
  http://www.esri.com/industries/transportation

Open Graph Protocol
  http://www.ogp.me/
  https://en.wikipedia.org/wiki/Ontology-based_data_integration

ready definitions
  https://en.wikipedia.org/wiki/Forward_secrecy
  https://en.wikipedia.org/wiki/IPsec
  https://en.wikipedia.org/wiki/Network_security
  https://en.wikipedia.org/wiki/Pretty_Good_Privacy
  https://en.wikipedia.org/wiki/Secure_Shell
  https://en.wikipedia.org/wiki/Tor_(anonymity_network)
  https://en.wikipedia.org/wiki/Virtual_private_network
  https://en.wikipedia.org/wiki/Web_of_trust
  https://www.schneier.com

Steve Bellovin
  https://www.cs.columbia.edu/~smb