Posted on February 18, 2013 12:05 pm

Protection in the Wire

Here’s an attempt:

  • Web Browsing
  1. Use the [1] HTTPS Everywhere browser extension. Thanks to this the content of your web traffic to a particular website is encrypted. Someone reading your traffic only learns what sites you are browsing.
  2. When needed, use [2] Tor. This makes it practically impossible for someone looking at your traffic to know where it is being sent and its content, and someone looking at the other end of the traffic doesn’t know it comes from you. (And if you’re using HTTPS over Tor, only the exact last recipient knows the content.)
  3. Don’t use big US services with real accounts, identifiable data and without Tor for anything sensitive. Not even Google searches.
  4. Anytime you see a certificate alert where there shouldn’t be one, assume you’re talking to a fake server impersonating the website and/or intercepting login forms and content.
  • E-mail
  1. Check out [3] Riseup
  2. Avoid Google/Hotmail/etc for sensitive stuff. Riseup is better, something running on an encrypted server you or a friend own is best. The closer you are to controlling the mail server, the better.
  3. Use PGP to sign e-mails you absolutely want to prove are coming from you.
  4. Don’t use PGP to sign e-mails you might want to deny at some point in the future. Signing is irreversible. Nevertheless e-mails leave tracks, so not signing is not enough. It’s just a start.
  5. Encrypt with PGP any e-mail you don’t want content providers and bad people to read. Never forget this encryption is only as strong as how the recipient handles his PGP keys. Lose the key and the mail can never be read again. Get it stolen and all mails encrypted for you are in the wild.
  6. Use spam filters and don’t trust links. Always copy/paste urls inside any link from any mail, and check if the url looks legit or not. [4] http://paypal.com is legit. [5] http://paypal.com.bananarepublic.cia.gov is not.
  7. The “from” field of any e-mail can be forged as easily as clicking it and editing it before sending. Always consider the “from” field a lie unless the mail has been signed with PGP. Seriously, the from field doesn’t mean shit.
  8. Never forget the mail you sent from a trusted server to your girlfriend’s/lawyer’s/brother in the military’s Gmail will be read at the receiving end (Gmail) if it can’t be at your end. You’re as secure as the weakest link, and your correspondent is part of the chain.
  9. Sending an e-mail can disclose your IP address. Use Tor to avoid that.
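
The link check from item 6, as an added example that is not part of the original post: it pulls every link target out of an HTML mail body and keeps those whose real host is not the expected domain or one of its subdomains. The function names and the sample mail body are constructed for illustration; the two URLs are the ones from item 6.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Hostname the client would really connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # malformed netloc, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and ":port", and lowercases the name
    return parts.hostname.rstrip(".")

def belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    # Non-ASCII or punycode labels can hide look-alike characters: reject them
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def suspicious_links(html_body, expected_domain):
    """Return the link targets that do not lead to expected_domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [h for h in collector.hrefs if not belongs_to(h, expected_domain)]

# Constructed mail body; the two URLs are the examples given in item 6.
SAMPLE_BODY = """<p>Please confirm your account:
<a href="http://paypal.com">http://paypal.com</a> or
<a href="http://paypal.com.bananarepublic.cia.gov">http://paypal.com</a></p>"""

if __name__ == "__main__":
    for target in suspicious_links(SAMPLE_BODY, "paypal.com"):
        print("does not lead to paypal.com:", target)
```

Both links in the sample display the same text; only the second target fails the check, because a hostname is read from the right and its owner is bananarepublic.cia.gov's parent, not paypal.com.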
  • PGP
  1. Encrypt your private keys. No excuses.
  2. Encrypt those damn private keys. You are putting your correspondents’ security in danger by being lazy.
  3. RSA1024b can be broken in weeks by a strong adversary or someone with enough money/patience. RSA2048 and above is absolutely fine.
  4. DSA1024 should be enough key-strength-wise, but DSA is frightening. If your computer doesn’t come up with good random numbers, every single time, any signature/encryption you ever do can reveal your private key entirely. If you don’t trust your system’s Random Number Generator, avoid DSA. This is very true for embedded systems, phones, routers, and anything that doesn’t play porn 24/7.
  5. Get your key signed by others, it’s the only way to link an identity with a key. You will never have enough signatures.
  6. Never sign a key unless you have checked the fingerprint AND the identity of the holder IN PERSON. Not once. Never. No excuses. Without this your key and signatures don’t mean anything. If you see someone signing keys without these checks, revoke your signature and report the incident publicly.
  7. Use a PGP key management software you understand. Seahorse is fine for Linux. Don’t use anything closed-source.
  • IRC/JABBER/GTALK/SKYPE/FB CHAT/Instant Messaging
  1. Don’t trust those servers. They might listen, they might lie, they will record.
  2. Use SSL/TLS when available. This will encrypt messages between you and the server you don’t trust.
  3. Use OTR when you want to have a conversation the server can’t see or fake.
  4. If you want to be anonymous, use Tor, a fake account/username, change your vocabulary, software, punctuation, language patterns and timing. Don’t follow a pattern when choosing random nicknames. Having multiple personality disorder helps a lot.
  5. [6] Pidgin and [7] Jitsi are multi-platform and include OTR either by default or as a plugin. Check them out. Irssi, XChat and WeeChat have OTR plugins for IRC.
  6. Never forget you cannot get around trusting the person you are talking to and his computer. When in doubt, shut up.
  • OTR
  1. Check fingerprints before you assume someone is who he looks like.
  2. Fingerprints should be checked by phone or in person. Your client will tell you if they don’t match in future conversations, you don’t need to check them all the time.
  3. Always terminate an OTR session properly. That’s when encryption keys are flushed and your conversation gets perfect forward secrecy. Until then, assume you can still be caught with your pants down if someone finds the encryption keys in your RAM.
  4. OTR doesn’t protect you against a liar, or a friend wanting to screw you up.
  • VOIP
  1. Skype is toxic. Use once, die once.
  2. Skype will get you and everybody you talk to killed.
  3. If you have nothing to hide, Skype will only get you tortured. Then probably killed.
  4. Mumble with SSL/TLS should be fine.
  5. VOIP clients with SRTP basically work like chat clients with OTR, more or less.
  6. Do not use VOIP with Tor. Tor only works for TCP, VOIP always uses UDP.
    • Phones
    1. If you use a Blackberry, you’re fucked.
    2. If you use an iPhone, you’re also fucked.
    3. If you use an Android, you’re probably fucked too.
    4. Old phones just give less information about you, or give it more slowly.
    5. The only real defense against this is powering them off and removing the battery.
    6. Using them as a misinformation tool is great fun. Leave them where you are not, send them where you are not and back. If you’re actually under active surveillance this is the most fun you’ll probably have. They will go crazy before they figure it out. Seriously.
    • Disk encryption
    1. Encrypt everything you can. Anything left in the clear might leak data or become a backdoor/trojan/keylogger.
    2. Use your encryption keys daily, or you will forget them. If you can go a month without using an encryption key and you didn’t forget it, it means it’s not complicated enough.
    3. Don’t write it down, someone with physical access to your hard drive probably has access to your wallet, your notes, and the porn magazines under your bed.
    4. Your encrypted system is only encrypted when it’s offline and the encryption keys are off the RAM. When in danger, emergency shutdown and throw the computer out the window.
    5. Even after 15 minutes, data may be recovered from your RAM. This includes encryption keys. I don’t care if it’s heavy, the computer goes out the window. Physically.
    6. If the bad guys are bad enough, they will eventually break both your face and your encryption. You cannot avoid this.
    7. If using SSDs, disable the TRIM feature. It tells bad guys where you had data written and where not. Leak no information from the data within the encryption. An encrypted volume should be a big random blob with no coherence whatsoever.
    8. Encryption doesn’t defend against physical keyloggers, video cameras, or a $5 wrench.
    • Secure deletion
    1. Never write anything from an encrypted volume to something outside of it. Not once. Even removed, these files can be recovered. Encrypted data does not leave encrypted volumes.
    2. If you want to correctly remove data, use a tool to re-write it multiple times with random data. THEN remove.
    3. If you are using SSD or Btrfs, you’re screwed. There is no reliable secure deletion for you. You should have encrypted in the first place.
    • Passwords
    1. Create an encrypted volume within a file, store your passwords in there. They don’t leave this volume. No excuses.
    2. All passwords are at least 13 characters long, they are all generated at random with upper and lowercase letters, numbers, and special characters when allowed.
    3. A password is used for only one service. No exceptions.
    4. If you know a password by memory, it’s probably too weak.
    5. The only password you should really remember is the password to your encrypted disks and encrypted volume containing other passwords. They must be different. If you don’t like having all passwords in one encrypted volume, create one per security level. Passwords must differ.
    6. Don’t generate a password from something outside your computer.
    7. When any doubt of a compromised password arises, change it completely.
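
A generator that follows items 2 and 6 of this list, as an added example that is not part of the original post: it draws from the operating system's CSPRNG through Python's secrets module and enforces the 13-character minimum and the character classes. The function names are chosen for illustration.

```python
import math
import secrets
import string

# Character classes named in item 2; punctuation is dropped when a service
# does not allow special characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LENGTH = 13  # the minimum length the list asks for

def _classes(allow_special):
    return CLASSES if allow_special else CLASSES[:3]

def generate_password(length=MIN_LENGTH, allow_special=True):
    """Draw a password from the OS CSPRNG that contains every allowed class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = _classes(allow_special)
    alphabet = "".join(classes)
    while True:
        # Draw uniformly, then reject candidates missing a class. Forcing one
        # character per class into fixed positions would bias the result.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def entropy_bits(length=MIN_LENGTH, allow_special=True):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(_classes(allow_special))))

if __name__ == "__main__":
    print(generate_password(), f"(~{entropy_bits():.1f} bits)")
```

At 13 characters this gives roughly 85 bits with special characters and roughly 77 bits without; run it on the machine that holds the encrypted password volume so the result never exists anywhere else.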
    • Anonymity
    1. Use Tor
    2. If Tor is not enough, use more Tor. Use this from a moderately untrusted computer too.
    3. Don’t send identifiable data over an anonymised channel. It’s like signing an anonymous letter.
    4. Using anything other than Tor will probably get you killed. Trust only Tor.
    • Ciphers/etc
    1. Anything that’s not AES is suspicious and must have a pretty good reason for not using AES.
    2. The more exotic the cipher, the less trust it deserves in real life situations.
    3. MD5 is dead. Never use it or let it hash any password of yours. Start avoiding SHA1 when possible.
    4. When confronted with something new you don’t understand, seek help.
    5. The friend claiming he’s haxxor3d the NSA five times already and who is getting laid every night is of no help in cryptography.
    • General / Social Engineering
    1. Anything closed source does not deserve trust.
    2. Anything you depend on that you cannot check or have checked does not deserve trust.
    3. The less you control it, the less trust it deserves.
    4. Trust decreases geometrically with each transfer. Too many intermediaries means no trust.
    5. Trust can always be revoked. Things change and allies become adversaries.
    6. If you trust someone or something with something that could end your life, change strategy. Trusting someone other than yourself for such things is a last resort only.
    7. Never suspend your paranoia against someone just because he asked you to. No matter how good the excuse is. Accept only tangible and external proof. People lie a lot.
    8. Just because it’s stronger than you doesn’t mean it should be trusted.
    9. Just because it’s weaker than you doesn’t mean it should be trusted.
    10. Just because it needs your help doesn’t mean it should be trusted.
    11. Don’t trust me. I may be wrong, I may be lying. Check for yourself and have people confirm anything before implementing it.