True Privacy in a Few Easy Steps (2 of 5)

Privacy

Encryption
Encryption is the source of frustration for surveillance agencies (FBI vs Apple – Crypto Wars Have Just Begun), snooping corporations and hackers alike. Encryption is also the tool all cybersecurity experts recommend when it comes to privacy protection mechanisms.

Encryption is, in layman’s terms, data scrambling. Encryption software turns your data into unintelligible gibberish of ones and zeroes. Only the person holding the encryption key can decrypt the data.

With proper encryption in place, your data stays scrambled even if a hacker breaks into your account. With the current state of technology, it will take modern computers a dozen years to brute-force a strong password.

There is talk of powerful quantum computers of tomorrow that will break today’s encryption easily. However, where there is action, there is counter-action, and cryptology does not stand still. Cybersecurity researchers are already working on equally strong encryption that would withstand the potential advent of quantum computers.

Until that is a reality, there is no tool more powerful than encryption to protect your private data.

Encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers. If you encrypt your laptop — and I hope you do — it protects your data if your computer is stolen. It protects our money and our privacy. – Bruce Schneier, “The Importance of Strong Encryption to Security”

Since we mentioned proper encryption, let us outline briefly the core components of proper encryption.


Strong passwords
The first line of defense in your encryption solution is a strong password. Forget your children’s birth dates, 12345678, qwerty and “password,” which still top the charts of the most frequently used passwords (Gizmodo: We’re All Such Idiots). While qwerty-style passwords are easily predictable, birth dates and addresses are also frequently used in passwords and are just as easy to “mine” from your social accounts with social engineering techniques.

Here are some basic tips to make your passwords strong:
•    Use dedicated password-manager software, such as LastPass or KeePass, to generate strong passwords.
•    Store your passwords in a password manager’s securely encrypted vault.
•    Keep your master key off your desktop computer, preferably the old-fashioned way, in a notebook or on a securely hidden piece of paper.
•    Keep a backup version of your passwords in an encrypted file on an external drive that is never connected to the Internet. Keep it safe. Whenever you make changes to the primary database, make sure to back it up.
•    Never use the same password for different accounts. Period.
•    Always enable two-factor authentication whenever possible.
•    When it comes to security questions, document them along with the passwords in the encrypted database, but don’t provide real, factual answers. For example, if your security question is “The maiden name of my Mother,” don’t put “Sobesky” or “Sobesky1956.” Use it as an opportunity to add yet another strong password to your account, and put something like “IdJ*.|Cax3;NQBzH3′?SmFPaW2|h~F+”
•    Change your passwords at least every three months. Don’t recycle your passwords to use them in other accounts. Create new ones.
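The tips above, and the “dozen years to brute-force” figure earlier in the post, both rest on one idea: a password drawn uniformly at random from a large alphabet has a known amount of entropy, and brute-force time follows from that entropy and the attacker’s guess rate. The following is an added example written for this post, not code from any of the password managers it names. It generates passwords (usable as the made-up security-question answers the last tip recommends) from the OS’s cryptographic random source and converts length into an expected cracking time. The 10^10 guesses/second offline rate and the character set are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Alphabet the generator draws from (assumed set): letters, digits, symbols.
const Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-./:;<=>?@[]^_{|}~"

// GeneratePassword returns n characters chosen uniformly at random from
// Alphabet using the operating system CSPRNG (crypto/rand). math/rand is
// deliberately avoided: its output is predictable from its seed.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(Alphabet)))
	for i := range out {
		// rand.Int is unbiased; a naive "random byte % len" would skew the distribution.
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = Alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is log2(alphabetSize^length): the guessing effort against a
// password chosen uniformly at random, regardless of how it "looks".
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// ExpectedYears converts entropy into expected brute-force time at a given
// guess rate. On average the attacker succeeds halfway through the keyspace,
// hence 2^(bits-1) guesses.
func ExpectedYears(bits, guessesPerSecond float64) float64 {
	const secondsPerYear = 365.25 * 24 * 3600
	return math.Pow(2, bits-1) / guessesPerSecond / secondsPerYear
}

func main() {
	pw, err := GeneratePassword(24)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", pw)
	// Assumed threat: a leaked password hash attacked offline at 10^10 guesses/s.
	const offlineRate = 1e10
	for _, n := range []int{8, 12, 24} {
		bits := EntropyBits(n, len(Alphabet))
		fmt.Printf("%2d random chars: %5.1f bits, ~%.3g years at %.0e guesses/s\n",
			n, bits, ExpectedYears(bits, offlineRate), offlineRate)
	}
}
```

The point of the table it prints is that length dominates: every extra random character multiplies the attacker’s work by the alphabet size, which is why a generated 20-plus-character password is worth more than any amount of cleverness in a memorable one.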


Zero-knowledge
Choose your provider carefully. Opt for providers operating on the zero-knowledge principle. Zero-knowledge providers do not hold your encryption keys, and therefore can neither access your files nor restore your password should you lose it.

Dropbox, for example, encrypts your files at rest, but the company holds your encryption key (password), and can and does access your data. Microsoft, likewise, is explicit about scanning the contents of your OneDrive to prevent copyright infringement should you store an unlicensed copy of a song, book, or movie in your cloud storage. Redmond took it ten steps further in Windows 10, which disables all software it deems unlicensed.

There is an argument that the zero-knowledge principle is a fallacy: it allegedly urges users not to seek a company they can trust, but instead to trust a technology that protects their data from the service provider. There is a certain falsehood in that statement, too. We say you should have both – a reasonable, informed trust in your service provider based on due research in cybersecurity public communities, and trust in the technology they provide.

End-to-end encryption
When choosing an encryption-based product or service provider, make sure they encrypt your data in transit (when you upload and download it) and at rest (when it “rests” on a server).
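What makes a provider zero-knowledge (previous section) and the encryption genuinely end-to-end (this section) is where the key lives: the client derives it from a passphrase and encrypts before upload, so the server only ever stores ciphertext plus public salt and nonce. The following is an added example written for this post, not the code of any provider it names. It derives an AES-256 key with PBKDF2-HMAC-SHA-256 (implemented inline from RFC 8018) and encrypts with AES-GCM, so a wrong passphrase or a tampered blob is rejected rather than silently decrypted to garbage. The iteration count, the names Seal/Open/Blob and the sample text are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Blob is everything the provider ever sees. Salt and nonce are public;
// the passphrase, and the key derived from it, never leave the client.
type Blob struct {
	Salt, Nonce, Ciphertext []byte
}

// kdfIterations is an assumed work factor; raise it for real deployments.
const kdfIterations = 100_000

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	blocks := (keyLen + sha256.Size - 1) / sha256.Size
	out := make([]byte, 0, blocks*sha256.Size)
	for i := 1; i <= blocks; i++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			mac.Reset() // keeps the key, clears the data
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client before upload; a fresh salt and nonce each time.
func Seal(passphrase string, plaintext []byte) (Blob, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on the client after download. GCM's tag check means a wrong
// passphrase or a modified blob yields an error, never wrong plaintext.
func Open(passphrase string, b Blob) ([]byte, error) {
	gcm, err := newGCM(passphrase, b.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	blob, err := Seal("correct horse battery staple", []byte("constructed sample: tax return"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider stores: %x\n", blob.Ciphertext)
	if _, err := Open("guess", blob); err != nil {
		fmt.Println("provider, or anyone without the passphrase:", err)
	}
	pt, _ := Open("correct horse battery staple", blob)
	fmt.Println("client:", string(pt))
}
```

The flip side, which the zero-knowledge section states, falls out of the code: there is no recovery path, because the server holds nothing from which the key could be rebuilt, so a lost passphrase means lost data.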

Open-Source vs Proprietary
When possible, always opt for open-source projects as opposed to closed-source, proprietary solutions. The latter can, and in many cases do, have manufacturer-built-in backdoors that are oftentimes discovered and exploited by hackers. Open-source software, on the other hand, is open for cybersecurity experts to review and to provide independent audits and opinions. Open-source projects quickly generate large communities, which test, review and submit reports on bugs, security holes and flaws. The transparency and accountability of open-source projects urge the developers to patch the flaws quickly.

Plausible deniability and encryption
Some encryption programs allow you to create covert databases behind the encrypted databases. In simple terms, you create an encrypted file or folder that’s visible to the system and is easy to spot. At the same time, you create a second encrypted folder that’s hidden and can only be accessed by knowing where to look. It can be masked as a simple .TXT file no bigger than 15 KB and hold gigabytes of encrypted data. In this case, should a serious situation arise and someone try to force a password from you, you can provide the password to the primary, “visible” folder. The hidden encrypted storage is then a case of “plausible deniability,” since you deny its existence, which may well be true.

Anonymous
Choose providers that let you register accounts without providing your real name or phone number. Some require a secondary email address, but there are many that do not make this obligatory.

Self-destructing messages
Sometimes, you need to send over highly confidential information, such as your Social Security number, bank account, address, or a CV loaded with personal information. In other cases, people send sensitive images to their recipients. It is advisable to use services that offer self-destructing emails and messages for this purpose. No, not Snapchat, and no, none of them will protect your information from a screen capture. The only thing self-destructing messages protect you from is a potential hack of your account. Should you set a self-destruct timer for an email containing sensitive data, you will know the email will be wiped from your account, the server and the account of your recipient according to the rule you set. Make sure the provider explains the algorithm they use to erase your data.

Revenge Porn
Revenge porn deserves a mention since we’ve brought up self-destructing emails and messages. A proliferating cybercrime, revenge porn is popular not only among vengeful exes but is also a profitable online business. Revenge porn websites often charge their users for access to their content, while the victims have to navigate the red tape and pay cybersecurity experts to remove their images and videos from public access. Needless to say, it does irreparable damage to their social lives and reputations.

Take this piece of advice seriously – if you have young women or teenage girls in the family, educate them on the dangers of revenge porn. This is not to say young boys need no guidance, but women are traditionally targeted more often.

The rule of thumb is to never shoot a compromising video or image at all. Relationships come and go, and a person you trust can turn into a malicious stalker in the blink of an eye. If a partner tries to talk you into making a “harmless” short video with “Don’t you trust me?” or “Don’t you love me?”, identify it for what it is – blackmail.
However, if you absolutely must have that sort of experience, make sure:
•    you record the video or image by a camera that does not have access to the Internet
•    you never do it with a smartphone or tablet
•    if you store it, use a USB flash drive or external hard drive that’s encrypted
•    never store it in the cloud, let alone your iCloud or Dropbox account
•    when you delete it, use special erasing software that overwrites the deleted files multiple times using military-grade algorithms. This way, the file cannot be restored. If you just send a file to the Recycle Bin, it’s not deleted and is easily recoverable. Check out Recuva – for both securely deleting files and recovering accidentally deleted files.
•    Don’t share your sensitive media files online.
•    Finally, if you wish to share, understand the risks. Choose self-destructing email or chat with a short self-destruction period. Understand self-destructing messages do not protect your content from screen capture.
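The overwrite-before-delete step in the list above is the one that is easy to get subtly wrong, so here is an added example written for this post (not Recuva’s or any other tool’s code) of what an erasing program actually does: it rewrites the file’s blocks several times, forcing each pass to disk, and only then unlinks it. The function name and pass count are assumptions. Two caveats a practitioner would add: on SSDs, and on journaling or copy-on-write file systems, the operating system may write the new data to different physical blocks and leave the old ones intact, so an overwrite is no guarantee there; and it touches only this copy, not backups, thumbnails or cloud-synced duplicates. An encrypted drive, as the post recommends, makes deletion a matter of destroying the key instead.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
)

// OverwriteAndRemove overwrites a file in place `passes` times, then unlinks
// it. All but the last pass write CSPRNG bytes; the last writes zeros.
// Assumed helper written for this post, not a tool the post names.
func OverwriteAndRemove(path string, passes int) error {
	if passes < 1 {
		return errors.New("passes must be at least 1")
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0) // no O_CREATE: file must exist
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			chunk := buf[:n]
			if p == passes-1 {
				for i := range chunk {
					chunk[i] = 0
				}
			} else if _, err := rand.Read(chunk); err != nil {
				return err
			}
			if _, err := f.Write(chunk); err != nil {
				return err
			}
			remaining -= n
		}
		// Flush each pass to the device; otherwise the page cache could
		// collapse several passes into a single physical write.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	if err := f.Close(); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample: a throwaway file in the temp directory.
	tmp, err := os.CreateTemp("", "sensitive-*.txt")
	if err != nil {
		panic(err)
	}
	tmp.WriteString("constructed sensitive content")
	tmp.Close()
	if err := OverwriteAndRemove(tmp.Name(), 3); err != nil {
		panic(err)
	}
	_, err = os.Stat(tmp.Name())
	fmt.Println("removed:", os.IsNotExist(err))
}
```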

Of encrypted chats and email services
The above-mentioned benefits of anonymous, encrypted, zero-knowledge and self-destructing chat and email services are available only if both parties, the sender and the recipient, use the same client. Stop demanding that a secure, encrypted email service send equally secure and encrypted emails to Gmail and Yahoo accounts. It does not work that way. You can’t make everyone switch to a secure email, of course, but you can at least send the most sensitive information to trusted parties using secure solutions, and urge the recipient to respect the privacy of your confidential data.

Encrypt everything, enable two-factor authentication
From smartphones to hard drives, USB flash drives, to online services, say yes to encryption and two-factor authentication. This means more passwords to manage, but it also means more privacy and security, since one is directly dependent on the other.

Below is a short list of services and programs that offer encryption-based solutions. No affiliation with any of them, just a quick list of recommendations from privacy advocates:

Email:
•    ProtonMail
•    Tutanota
•    GhostMail
•    InvMail
•    Shazzlemail
•    RiseUp
•    Torguard
•    OpenMailBox
•    Mailbox.org
•    Mail-in-a-Box (for technically savvy users)

Email Clients:
•    Claws
•    Thunderbird

Mobile and chat apps:
•    Pidgin
•    Threema
•    Signal
•    CryptoCat
•    GhostApp
•    Tutanota
•    Wickr
•    ChatSecure
•    Kontalk
•    Conversations (Android-only)

Cloud storage:
•    SpiderOak
•    GhostBox

Password Management:
•    KeePass
•    MasterPassword
•    Encryptr
•    PassPack

Hard Drive and folders:
•    BestCrypt
•    VeraCrypt (after TrueCrypt was mysteriously discontinued, VeraCrypt is the go-to option)
•    PeaZip
•    DiskCryptor

Chat apps:
•    Bitmessage
•    I2P-Bote
•    Pond
•    Ricochet

Encrypted video and voice calling:
•    Signal
•    Linphone
•    Jitsi

Useful reading: the EFF Secure Messaging Scorecard for chat apps

This installment is obviously about actual tools rather than just behavior. Self-sufficiency, having control of your own information, is a basic human need. Hope this helps you along the way.

Next week, I’ll cover little-known phone settings, various phone hacks, mobile payments, private browsers, VPNs (Virtual Private Networks), and Tor browsing.


3 thoughts on “True Privacy in a Few Easy Steps (2 of 5)”

  • September 1, 2016 at 8:44 pm

    I wonder why Mailfence (https://www.mailfence.com) has not been in this nicely organized list (under Email section). It is a true end-to-end encryption and digital signing service, that scores much better PGP interoperability and ease-of-use.
    Also, the service is completely locally hosted and follows high standards of security and privacy.

    • September 1, 2016 at 9:33 pm

      Hey Mick, thank you for your post. I just don’t have any direct experience with them. I read through their offering and it seems well thought out. If you work there or can let me know what sets them apart, I’d be interested in knowing.
      -Chris

  • August 21, 2017 at 7:54 am

    Hello Chris,

    Thanks for the suggestion, I just saw your comment.
    I’m affiliated with Mailfence.
    In short what sets Mailfence apart is the following:

    – True OpenPGP implementation in a webmail
    – Interoperable with any other OpenPGP service or client. Users are thus not confined to communicating in a secure way on our platform.
    – Implementation of digital signatures
    – Own OpenPGP keystore that gives full control over key management
    – More than secure email: Mailfence offers a suite with Online Calendar, Docs, Contacts and presence, and can be used by SMEs as a collaboration tool through our groups, which allow users to share their data in a secure way.

    Am available for any additional information about our service via email.
    Regards,

    Patrick

