15 November 2016

So, what now? Part 2: Information security

In part 1, I looked at quick easy activism involving donations to political organizations and charities. In this article I’ll look at something totally different — protecting your privacy. As you might have noticed recently, senior FBI officials seem to have a pretty chummy relationship with Donald Trump. I’m betting that the FBI and NSA will do whatever mass surveillance Trump asks them to. For his part, Trump has a history of surveillance — he used to listen in on private phone calls at his own resort. His campaign has openly stated that it’s compiling a list of enemies, and Trump loves retribution. If you don’t think you have reason to be concerned, consider that Newt Gingrich has called for a new House Un-American Activities Committee. The original one started out as a committee to investigate Nazis and Communists, but soon became part of a system that could get you blacklisted from being able to find work for expressing what the committee considered socialist points of view.

It’s also clear that repressive governments like to restrict or spy on messaging and social apps. The USA hasn’t done so yet, but I wouldn’t put it past them. If you’re outspoken about the Trump regime, you could end up with unwelcome attention from online trolls and hackers who will seek to dox you or access your online accounts. So, I think it would be wise to start engaging in some proactive steps to secure your electronic communications and sanitize your social media presence. It won’t stop you from being beaten up, it isn’t guaranteed to stop you from being jailed, and it won’t keep you from being deported — but it might at least prevent preemptive arrest or blacklisting.

1. Secure your instant messages and phone calls

When it comes to phone calls and text messaging, there’s a clear winner: Signal. It’s available for both iPhone and Android, with a Chrome browser application to support desktop use. Here’s why it’s the best choice:

  • It’s open source, and has been security audited by cryptography experts.

  • It has a clear and concise privacy policy.

  • It has already successfully withstood an attempt to subpoena user data.

  • It’s not just secure from interception — it’s also designed so that data can’t be extracted from your phone backups.

  • It’s really easy to use, just like any ordinary SMS messaging app. On Android you can even set it up to handle your SMS and MMS messages as well as encrypted ones, making it the closest thing Android has to iMessage.

  • It will let you make secure voice calls over the Internet, as well as send text messages, file attachments, links, and so on.

  • It just got a new “self-destructing message” feature, like SnapChat.

  • It’s free, has no ads, and isn’t owned by a big corporation. It’s funded by donations.

  • It doesn’t chew up your phone battery. (Or at least, it has never hurt mine.)

  • In the NSA documents Edward Snowden leaked, Signal’s encryption was explicitly identified as causing the NSA major problems.

The only downside to Signal is that not many people use it, which is why a good second choice to install is WhatsApp. WhatsApp is the single most popular messaging app worldwide. In spite of being owned by Facebook, the makers of WhatsApp worked with the developers of Signal to incorporate the exact same battle-tested end-to-end encryption. It’s slightly less secure in some other respects, but it’s worth having and using because there’s more chance the person you want to talk to will have it. It also has encrypted voice calling and a web app for desktop use, just like Signal. If the other person uses iOS, Apple’s iMessage is an OK option. It’s not as good as Signal — it logs and leaks metadata about who you contact, and of course it’s iOS only and nobody outside Apple has checked the encryption.

Some systems to avoid:

2. Encrypt your phone

There’s not much point securing your messages during transmission, if police can arrest you on a trumped-up charge and read all the messages on your phone. So, make sure your phone is encrypted. On iPhones it’s the default these days, but it’s easy to switch on for earlier versions of iOS. On Android, recent Nexus and Pixel phones are encrypted by default. Thanks to Qualcomm, that likely won’t stop the NSA, but it will at least prevent casual police snooping. If you have a phone running a customized version of Android rather than standard Google Android, you might have to encrypt your phone.

Choose a secure PIN

When you encrypt your phone, you need to pick a PIN. I would suggest choosing one that’s 6 digits long. That gives you significantly better security than a 4-digit PIN, which can be brute forced pretty quickly. Also, the pattern of greasy finger marks on your screen can provide clues to which digits are in the PIN, so it’s worth re-using at least one digit.

Beware of fingerprint unlock

Courts have ruled that police can physically force you to give your fingerprint to unlock your phone. If you are going to a demonstration, traveling internationally, or going somewhere else where you think you might be stopped by law enforcement, you should disable the fingerprint scanner on your device. If you’re stopped by police unexpectedly, the fastest option is to turn your phone off — that will force it to demand the full PIN when it’s powered on again.

3. Encrypt your laptop

What goes for your phone goes for your computer too. On a Mac, use FileVault to encrypt your disk. It’s a built-in feature of macOS. Do not enable the option to use your iCloud account to unlock your Mac. If you do, your encryption keys will be uploaded to Apple, and law enforcement can compel Apple to reveal them or hack your iCloud account to get at them. If you think you have a good chance of forgetting your Mac’s password, instead of using the iCloud back door, print out the bypass codes macOS offers to generate for you and store them away somewhere safe.

On Linux, use LUKS and dm-crypt. I won’t go into details, as (of course) it varies according to what distribution you’re using.

On Windows, it’s complicated, as there currently isn’t a clear winning choice. Microsoft’s BitLocker is OK, and has the advantage that it’s built in to Windows 7 and 10. However, ideally you’ll want to buy the full Pro or Enterprise version of Windows; the standard version of Windows bundled with PCs comes with a hobbled disk encryption system called Device Encryption, in which Microsoft keeps a copy of your encryption keys. The main alternative to the above suggestions is VeraCrypt, which is a spinoff of the now-defunct TrueCrypt.

4. Secure your online accounts

Most of the big e-mail leaks aren’t the result of people intercepting e-mail. Instead, they’re the result of hackers breaking into people’s accounts remotely, by guessing or stealing their passwords. To avoid having your e-mail, social media, bank or other accounts compromised by hackers, there are two main things you can do: get a password manager, and set up two factor authentication.

Get a password manager

The single best thing you can do to secure your online accounts is to get a password manager. Passwords short enough to remember are short enough to crack. If hackers steal the password database from a web site, they can crack an 8 character password in 2.2 seconds. For proper security, you need your password to be 12 characters or more. And that’s assuming it’s a totally random set of upper and lower case letters, symbols, and numbers. Also, to keep your accounts safe you should never use the same password for more than one system. Otherwise, if hackers crack one account, they can use the same password to access the others.

Clearly it’s infeasible to remember dozens of 12-character random passwords, particularly not if the sites force you to change them regularly. That’s where a password manager comes in. No password manager is perfect. If hackers install remote control malware on your PC, for example, you’re screwed no matter how supposedly secure your password manager is — they can just record what you type on the keyboard. So, it’s a matter of looking for a password manager that’s reasonably secure, and convenient enough that you’ll actually use it.

My current suggestion is LastPass. It works with Safari, Firefox and Chrome; on Windows, macOS and Linux; and on iOS and Android too. The data is encrypted on your computer before being synced to the service, so they can’t reveal your passwords even if the FBI demands that they do. Yes, some possible security holes were found in LastPass, but the company fixed them in a timely fashion.

Before I switched to LastPass, I used KeePassX, an open source password manager, with KeePassDroid on my phone. KeePass is more secure against browser-based attacks, but it has no built-in synchronization; instead, it’s up to you to synchronize your password database using Google Drive, SyncThing, Dropbox, or whatever.

1Password is supposed to be good, but it’s useless to me because it has no Linux support. The same goes for Dashlane.

Get 2FA

Two factor authentication (2FA) means that as well as a login and password, you need a second independent thing before you can log in. Generally, that thing is your smartphone.

There are three main ways of doing 2FA. The first is to send you a text message with a code that you have to enter when logging in. The assumption is that a hacker won’t have access to your phone to get the text message. This SMS-based approach is generally discouraged as insecure. In practice, hackers can redirect your text messages. Also, if you’re traveling somewhere, you might not even be able to receive your texts in a timely fashion.

The better way to do 2FA is to have an application which generates code numbers that change every minute or two. The sequence is predetermined, and each code only works once. So when you log in, you are asked to run the app on your phone, look at the appropriate number, and type that number in on the login form. The standard system for this is called TOTP, Time-based One Time Password. It’s an Internet standard, which means there are many options for which app to use. One popular one is Google Authenticator; another is Authy. An open source option for Android is FreeOTP.

I used to use Google Authenticator, then switched to FreeOTP, but now I’m using LastPass’s new 2FA application, LastPass Authenticator. This new app offers a third style of 2FA: When I log on to LastPass from my browser, I get a push notification to my phone to say that someone is trying to log in to my account. If I’m expecting the notification because that person is me, I just tap the “Accept” button and I’m logged in. No code numbers required. For systems which don’t support LastPass push-login directly, the app falls back to the normal 6-digit TOTP codes.

This probably all sounds a bit complicated, but if you know me I’d be happy to show you how it works and help you get it set up. Finally, when you set up 2FA, you’ll get given some emergency bypass codes to use if you lose your phone or forget your password or whatever. Print those out on paper and stash them somewhere secure.

5. Secure your email?

Now for some bad news: There’s no good option for securing your e-mail against the NSA. OpenPGP exists, but it’s difficult to use, and it’s very easy to make a mistake which leaves your communications insecure. The other main encryption standard is S/MIME. That’s supported by Apple Mail, for example. Apple Mail makes S/MIME easier to use than PGP, but there are other problems which still apply.

The first problem is that anyone who doesn’t have the right software, or doesn’t know how to use it, gets a bunch of unreadable garbage in their email inbox. The second problem is that S/MIME and PGP only protect the body of the e-mail message. All the mail headers — including the subject line — are left in plain text. That means authorities can still collect the metadata which links you to all the people you communicate with.

There are services like ProtonMail which try to make encrypted e-mail easy. However, they only keep it easy if the recipient uses the same service. So, right now my advice is: if you want to discuss something that you wouldn’t be happy seeing splashed across the Internet, use Signal.

There is one thing you should definitely do, though: dump Yahoo. Yahoo voluntarily set up a system to let the NSA search everyone’s email for anything they wanted.

6. Clean up the cloud

If it’s on Facebook, it’s going to end up public knowledge. A couple of years ago I went through and deleted as much information as possible, including my phone number. I recommend doing the same. Along with that, make sure you have copies of your contact list and other vital information on your own devices; don’t assume you can rely on Facebook to find out how to contact someone.

If you want to go further than that, you might want to go through the lists of data brokers and background check sites and request removal from their databases. In general, move your data to companies that the EFF rates as more trustworthy. (Note, however, that that list hasn’t been updated since the revelations that Yahoo built in a backdoor to allow the NSA to search everyone’s email.)

© mathew 2017