Dear friends,
I have decided to share with you something which I originally sent out to the key members of the Saker community: my recommendation on how to keep your private communications private in the age of “Big Brother” aka NSA, ECHELON, GCHQ, Unit 8200, etc. I have been interested in the topic of encryption for many years already, and I have had to use encryption techniques in the past to protect myself from snooping by indelicate employers. There have also been some discussions inside the Saker community of what did and did not work for us. I have now come to the conclusion that there are two services out there which I feel I can recommend to our entire community, one for emails and another for messaging/audio/video/file sharing. Why two different services rather than one?
The truth is that the confidentiality issues with email are unique and require a unique solution. Typically, emails are designed to remain kept on some kind of storage device whereas most telephone calls or video conferences are not recorded (at least not by the participants).
Let’s look at these two issues separately.
ABSTRACT: if you want to protect your communication from any kind of snooping, including government snooping, the most reliable and advanced solution currently available are:
For your emails: Prontonmail https://protonmail.com/ (free of charge)
For your messaging/telephone/video/filesharing needs: the Silent Phone app for Android and iOS https://www.silentcircle.com/products-and-solutions/software/ ($9.99/month)
——-
Protecting your emails with Protonmail:
Protonmail is a Swiss company whose history is well described in this Wikipedia article: https://en.wikipedia.org/wiki/ProtonMail. I won’t repeat it here. I will just say that with Protonmail your mailbox remains encrypted in such a manner that even the managers and technicians at Protonmail cannot access it. Here are a few videos which will give you more details:
Quick Introduction To ProtonMail and ProtonMail Plus:
ProtonMail – Is this The alternative email we’ve been looking for?:
Protonmail and Encryption – A Re-visit:
Protecting your messaging/telephone/video with Silent Circle’s Silent Phone:
Unlike Protonmail which deals ONLY with emails, Silent Circle’s software (called “Silent Phone”) which can be installed on any Android or iOS smartphone, protects your instant messaging, your telephone conversations (audio), your video conferences and even allows you to securely send your files up to 100MB in size. However, while the Silent Phone software is free of charge for download, you will have to pay $9.99 a month to get all of the following:
- Unlimited Worldwide Secure Voice/Messaging between Silent Circle Members
- Up to 100MB File Transfer
- Full Burn Functionality
- Video Calling
- Conference calling for up to 6 callers
- Direct access to Technical Support
- Available on iOS, Android, and Silent OS
You can check all their fancy marketing materials here: https://www.silentcircle.com/
Here is the Wikipedia article about them: https://en.wikipedia.org/wiki/Silent_Circle_(software)
This is the link to their software solution: https://www.silentcircle.com/products-and-solutions/software/
And this is the link to their White Paper: https://www.silentcircle.com/enterprise-cybersecurity-white-paper/
Finally, here are some of their case studies: https://www.silentcircle.com/wp-content/uploads/2017/01/SilentCircle_Case-Studies.pdf
This is all very slick and could hide anything, right? Actually, no. What makes their offer so interesting is that it is based exclusively on open source code which is publicly available. Why is that important? For two reasons: first, they cannot hide some backdoors in the software. But second, even MUCH more important, is that the best encryption algorithms are NOT the secret ones that nobody can check, but the public ones which everybody can check. This is long to explain, but please trust me. The level of confidence which you can have in the technologies used in Silent Phone are about as good as it gets. Not perfect maybe, but very very close.
[If you are interested in the details, I can explain to you one on one why you ALWAYS want to make use only of open sourced encryption technologies (You can find out about the protocols and algorithms used by Silent Circle here: https://www.silentcircle.com/products-and-solutions/technology/zrtp/)]
You might notice that both Protonmail and Silent Circle (the company which makes the Silent Phone app) are located in Switzerland. This is not a bad thing since Swiss laws about privacy are pretty good. However, this is not the reason why you can trust these products. In fact, in the past the Swiss have worked with the US CIA to sell the Iranians encryption devices with backdoors. The current Swiss government is as pro-USA as any other. No, the reason why I like these is that Switzerland has some of the best cryptologist on the planet (even if very few people know about this). In fact, the technology for Silent Phone is so secure that even the US government had to certify it for governmental use (in spite of it being open source, which tells me that they don’t have much better): http://www.zdnet.com/article/silent-circle-phone-app-cleared-for-us-government-use/
I hope that this reference to the US government does not freak you out. If it does – relax, Silent Circle was co-founded by Phil Zimmerman, the man who single handedly forced the US government to give up trying to keep a monopoly on military-grade encryption (read about him here: https://en.wikipedia.org/wiki/Phil_Zimmermann).
Here is a keynote presentation by Zimmerman
and here is an interview with him:
In other words, his “I do not work for the NSA” credentials are the best on the planet.
By now you must be wondering if I am working for Silent Circle or whether I have bought shares in their company. Don’t worry, I did not. I am only writing to let you know that I think that this product is fairly secure and very reasonably priced. I know of no better one. Just think of it – worldwide unlimited calling (including VIDEO!) for 10 bucks is already a halfway decent deal. But with rock solid encryption it becomes very good.
There is one important caveat which you have to keep in mind: Both Protonmail and Silent Phone are truly secure only if BOTH people communicating are using them (from Protonmail to Protonmail email addresses or from Silent Phone subscriber to Silent Phone subscriber). Likewise, the $9.99 suybscription costs with Silent Phone only covers all communications between Silent Phone subscribers. You *can* call a non-subscribed number, but it will not be secure and you will pay international calling rates.
Also, if you get Silent Phone, you will be given 2 options: a) to use a username only b) to pay 2 dollars a month for a dedicated phone number. Since using Silent Phone only really makes sense if used between two Silent Phone subscribers, I recommend you forgo the extra cost for a dedicated telephone number unless you really need it (depending on your usage of your telephone).
Here are a few short videos showing how Silent Phone works on Android (for iOS go to the Silent Circle YouTube channel):
Calling and Conference calling
Logging and Setting:
Messaging:
Conclusion:
We live in complicated and, frankly, dangerous times. Having personally worked in Electronic Warfare (EW), Communication Intelligence (COMINT) and military intelligence in general, I believe that the ability to keep communications secure is absolutely crucial for most people. Until recently, the kind of technology which could protect you from government (or corporate) snooping was simply too complex to be used by most people (keep in mind that bad encryption is much worse than no encryption since it gives you an illusion of security!). Even software like the famous PGP/GNUpg were not that easy to use and required a fairly solid understanding of the technologies used. Nowadays we are lucky that we can use VERY sophisticated services with do not require that kind of expertise from us. But then, you might ask, how do we know that we can trust them? There are two replies to this. We can trust them because
- all the technologies used by these services, including source code, protocols, algorithms, etc, are fully “open source” meaning that they are available for download and audit. Not by you or me, but by colleges, institutes, corporations and even governments worldwide. For encryption that is the highest standard of security: when everybody can see your code and check it for flaws.
- because all these services are regularly audited by entities we can trust, such as the Electronic Frontier Foundation (EFF) which, for example, reported this “scorecard” for Silent Phone:
(Full disclosure: I am a card-carrying member of both the Electronic Frontier Foundation (EFF) and the Free Software Foundation (FSF))
If you are an active member of the Saker Community (author, researcher, translator, computer tech, editor, etc.) I STRONGLY recommend that you use both Protonmail and Silent Phone. If you are not a member of our community, I recommend that you at least use Prontonmail. If you make a lot of international calls to trusted relatives, friends or colleagues, I also STRONGLY recommend use sign up for the Silent Phone subscription as for $9.99 you get unlimited worldwide and high-quality audio (telephone) and even video everybit as good or better than Skype or Whatsapp. And it happens to as secure as the best government/military grade communications.
Finally, three final and minor points:
First, let’s imagine that some government agency (Swiss, American or other) comes to Prontonmail or Silent Circle and orders them to have them over all your communications (as has happened already so many times): neither Prontonmail nor Silent Circle will be able to comply, not because of bad will or some heroic resistance to pressure, but because they will NO ACCESS to your data: in the case of your mailbox, it will be completely encrypted and only you will have the capability to decrypt it, and in the case of Silent Phone the encryption used is one between end-user to end-user which is NOT shared with Silent Circle in anyway and as soon as you hang up it is also erased.
Second, the company Silent Circle also manufactures a real “physical” phone, called the “Blackphone 2“. It was a failure, don’t bother with it. I don’t want to discuss the reasons for that, but just ignore that option which simply does not work too well and has major problems.
Third, I want mention something crucial here: both Protonmail and Silent Phone offer the option to destroy your email, message, of file after a specific delay. In other words, you can configure these two services to destroy everything which you ever send through them. So by the time somebody tries to get that data it will already have vanished. So even though your Protonmail mailbox is heavily encrypted and even though Silent Phone exchanges encryption keys only between end-users (p2p), you have that additional level of security of having all your data self-destruct after a pre-sent time/date.
That’s it. Please don’t bombard me with questions about these technologies and products. If you do your own research and just follow all the links above you should get all the info you need. Right now I literally don’t have the time to do more about this than share the above with you. And just to make thing worse, I currently have a painful gout flare-up which makes it hard for me to sit and type. If you still have questions, ask them in the comments section and the more tech-wise will probably help you, but first please make sure that you do your own research. The geek community refers to this as RTFM or Read the “French” Manual :-) Also please do take the time to watch the videos above, they are very informative.
I hope that the above has been useful and that at least some of you will decide to at least try out these two outstanding service.
Good luck, kind regards,
The Saker
The only secure technology is no technology. Any electronic communication that passes through any part of the net can be read by NSA.
An alternative (also used by the Saker) to keep messages – this applies for mail and some instant messengers – secret from snooping is PGP.
PGP became commercial, but there was an excellent (actually superior) version called Open PGP which was free as in “free beer” and free as in “freedom”. The problem with all of them is that they required a basic understanding of public key encryption, symmetrical session keys, RSA and RSA-like encryption algorithms etc. The modern tools I mention today are really simple to use. That is a huge plus. The Saker
The best current PGP derivate I know is BCTextEncoder from Jetico (http://www.jetico.com/download).
Free, Suisse-made and easy to handle. For use in texts and mail.
In the 90s I used an old version of PGP. It can encrypt with 8196 bits. Newer versions I don’t trust. I think Zimmerman was forced to sell PGP. Later I realized that encryption only makes me interesting and I really had nothing to hide. Saker is probably monitored and encryption is a must for him and his team.
It is even much worse: we ALL are monitored in the sense that ALL our communications are recorded, including the metadata (who contact who, when, how, etc.). But while we cannot prevent that, we can at least fight it. The Saker
Thanks for answering me, Saker. Everything is monitored in my country, everything. I have been on the net for many years and am hopelessly compromised as for my opinions in various forums. For example about NATO:s war against Yugoslavia. For me not using encryption is a sort of protection. Let them snoop and see that I am harmless. I hope this makes sense. For you and others it is different. The blog must be protected.
I had a strange but nonthreatening experience when I visited Russia, but I will not tell you the details. My activity on the net, foremost about Yugoslavia, probably attracted attention there, also. It surely did in my country.
The point to fight is to make it EXPENSIVE for the collectors to handle/read our data. In such economical model the future of data collection is doomed.
IMHO
tanto
guys, please don’t post nonsensical and unsubstantiated comments here. If you don’t know what you are talking about, then don’t talk about it.
Thanks
Isn’t this what the majority of people do on the internet anyway?
Maybe, but on my blog I don’t want sweeping statements, especially when they are backed by nothing, not facts, not arguments, not personal expertise.
To have an opinion is not a “right”. Is the result of a process of learning and thinking. When an “opinion” is based on nothing, then it is a waste of whatever medium is used to convey it.
Finally, one or two sentences are *slogans* not arguments. I want to comments section to be fore arguments. For slogans we have the corporate media.
So far about half of the comments on this thread are nothing but a waste of space and time (for anybody reading them). They contribute absolutely *nothing*. The saddest part of it all is that those making these comments don’t realize who ignorant it makes them look.
It’s really simple:
1) if you know what you are talking about, by all means – share your knowledge.
2) if you don’t – then shut up and try to learn something.
3) if you have a question – please post it and let #1 above reply to it.
The Saker
Well, Saker. I can back up how I was monitored on the net, but I can’t post the information. One day the monitoring stopped and I was sort of cleared. Everything I wrote was readable and I was not a threat, me being an old Christian. It is different for you and your team. You need to protect the blog. I used an old version of PGP which had much stronger than military encryption at the time. It was an experiment when the net was new to me and it raised suspicions.
I can also tell you what happened in Russia. I can at least tell you that my knowledge of the Russian language was investigated, but in a friendly way. I had many more problems at the Finnish border. I was asked to leave the country at once.
I have looked into these technologies for some time; as always, a chain is as strong as its weakest link—in this case, the server.
So long as communications rely on a central server, they cannot be guaranteed to be safe. At the very least, a government can “hoard up” the information until computing advances make decryption possible. Sure, the AES protocol is purported to be very strong, but a combination of hardware and software back-doors, badly implemented encryption, and computing advances all work against the user. At the very least, under legal pressure, the server provider would be forced to provide the metadata (or “data about the data”, e.g. date & time, sender & recipient information, length/size of communication, etc); with data mining, a surprising amount of information can be gleaned through metadata.
As far as I understand, the solution is to do away with the server and develop a p2p through TOR communication suite (hopefully, with some HTTPS-masking); this way anonymity is enhanced and the messages reside only in the computers of the calling parties.
However, I have never seen anything like this that is practical for the average user to use. There a couple of solutions but they require too much arcane knowledge to set up.
You are absolutely correct: the only way to beat this is p2p encryption which is exactly what Silent Phone does. There is no central server holding anything. Even a man-in-the-middle attack is impossible against Silent phone.
For Protonmail there is a central server, but it is very heavily encrypted. Also, with Silent Phone there is a self-destruct capability: for example you can specify that your message be wiped 3 hours after being received. The Saker
I’ll look onto Silent Phone again, but here’s the problem: $10/month, and both parties have to have it. This guaranteed that there will never be enough people using it. This makes not only making the subscription harder to justify, but it also draws the suspicion of the government.
Presently, if I understand correctly, if it is secure communication between *particular* individuals that one needs, a better approach is steganography. Just send an email with some photos of puppies, commenting about how cute they look. Hide the real message within the images. Again, however, this is impractical for mass acceptance.
A communication protocol that does not have mass acceptance (as in “the solution to pollution is dilution”) will always draw the attention of an oppressive government; as is the case with TOR. And for a communication protocol to gain mass acceptance has to be open source, cross-platform, free, and practical to use.
Tunnelling can be made in Linux. That is why I don’t believe the stories about Russian, Chinese or North Korean hackers. Did you see The Net with Sandra Bullock in the 90s? Sandra had a similar solution, going from company to company and making it impossible to trace her.
P2P is no solution either if the alphabet agencies are really interested in you. Why? No matter what technology you use to encrypt/obfuscate your data, at some point it has to be converted into a form you can read; and if the XXX has access to your phone (which they almost certainly have), they can intercept it at that point. If you have text on your screen, they can have a background program that takes snapshots, does OCR and sends the text to the agency without you having a possibility to detect it. If you are on a telephone conversation, they can listen in on your microphone and on your speaker.
It is actually one of the interesting ways that NSA circumvented browser encryption to Google and Yahoo, for example – they simply snooped inside the companies’ own (trusted) network, instead of relying on interception of the encrypted version over the internet. See e.g. https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html (Ouch, hate citing that horrid rag.)
As to the microphone, it is well documented that the XXX’s can snoop on your microphone even when the phone is turned off. Hence anything you say into your phone – or to anyone while your (or their) phone is within range (which is quite long for a phone with computer enhancement) – even if turned off – can be listened to, transcribed, and made searchable. Similar for your PC microphone, Smart TVs, your car microphone (if it has phone support), etc., etc.
And all this assumes that the XXX’s cannot decrypt the popular encryption standards, an assumption which is far from clear.
I could go on and on, but in short, I agree with the first poster: “The only secure technology is no technology.”
And all this assumes that the XXX’s cannot decrypt the popular encryption standards, an assumption which is far from clear.
No, not “popular” ones, but “massively peer-reviewed” ones. BIG difference.
RSA was peer-reviewed, but still made vulnerable. OpenSSH has a security flaws exposed regularly, despite being open source – hard to know if the developers have NSA ties (just like RSA, in the end, ended up having).
But again there are other methods. If the XXX’s are able to exploit a vulnerability in your phone (i.e., any app on it), in addition to what I wrote above about screen-grabs and listening to microphones and speakers, they can simply copy your private key and decrypt everything just as easily as you can (a clear weakness of any protocol that uses a specific key associated to a person/device for all encryption, unlike SSL, which uses a negotiated private key – though in that case the entire key negotiation can be intercepted, and the keys discovered, if the server’s private key is known, which is a simple enough task once the server has been compromised).
The 3 letter agency did the end around encryption by having a hack implanted at the distribution center. The old saying “nobody goes through encryption, they go around it” is very true.
https://www.youtube.com/watch?v=_ahcUuNO4so
NSA defective by design Dual_EC_DRBG is discussed. RSA took millions to leave the defective one as the default.
The weakest links are actually the client devices. If Big Brother has got access to the device of one participant he has access to everything that is interchanged with anybody.
Microsoft has officially admitted to have built in backdoors in Windows and Google – the vendor of Android – is official partner of US intelligence agencies. If you want to make sure your smartphone is not equipped with surveilance ‘services’ from the onset, you need to use alternate versions like Lineage OS https://www.lineageos.org that are really open source (not really that easy 10 bucks solution).
Encryption is at best ‘strong’ which means costly but not impossible to break. If they consider you really interesting they can decrypt virtually everything you send…
Mail
100% agree for Protonmail. The most secure mail you can find in the world. And for free. The inconvenient with Protonmail is that it works only within a browser. A few days ago they announced that they are working on a IMAP / POP solution.
Phone
Silent Circle is not free and it seems not to work with PC.
Correct. It works only from smartphone (Android or iOS) to smartphone (Android or iOS).
Have a look at MEGA (https://mega.nz). It is free and works with PC and within an https encryption. Sound quality is not perfect, but acceptable.
Silent phone sound quality is superb, and include 6 way video conferencing
Protonmail reserves the right to delete your account after a few months inactivity however.
Polisrea is right; If you don’t want it read, heard and retained, keep it off the internet. No one really cares that much about bloviation and reasoned opinions about the criminal gang that runs the USG. If that’s all you are guarding, then pfft. Encryption just draws attention to you.
For the stuff the billionaires and their henchmen might actually care about; learn clandestine comm techniques. That’s all that will do. The rest of this is busybody tech prattle.
Russia is a northern European (apologies to The Saker – but the overall impression is more European than Asian) country with a Christian tradition, highly education population and with immense natural resources.
Of course we should demonize her.
No really, that this community feels the need to go secret just to discuss openly the potential for communication and cooperation with the nation is testimony to the failure of the American Dream, or as I said before, testimony to the utter failure of the American Dream to ever develop.
It is also possible to connect to ProtonMail through their onion website :
https://protonirockerxow.onion/login
Very interesting, I did not know that
Thanks!
The Saker
I use the combo Protonmail & Wire.com messenger because I can.
Wire is another Swiss based company and although their business model is not yet clear (..), encryption, burning and open source factors are there together with the advantage of having client software for the PC operating systems.
For Android you can download the apk to install directly from their website and circumvent the dreaded Google Play store.
Sorry for this: “my messenger software first” but I find wire.com hold a very high convenience / trustworthyness rate.
Also check Jitsi. They offer encrypted calls and videoconference through a browser. No need to install any software, just allow sharing of mic and camera to the browser. Anybody with the correct weblink can drop in.
Please op, offer your comment
An alternative for messages and phone calls is Signal (https://whispersystems.org/).
Cheers from southern France.
http://82.221.129.208/baaasepaget3.html
His name was Seth Rich
He worked in IT (voter database) for the DNC. He felt the Bern.
He was young,,and perhaps none too versed in the dark, arcane “Arkancide”* world. He met with Wikileaks founder Gavin Macfadyen. ((Also now deceased, cancer*)).
Seth was shot twice in the back. Treated at hospital, his injuries were deemed NOT life threatening. And then he died. Now a doc from the hospital has made a statement:
http://theduran.com/democrat-party-murder-seth-rich-leaked-documents-wikileaks-video/
*Arkancide. An interesting little word alluding to the many curious, and mostly unexplained deaths afflicting those hapless persons irritatingly “inconvenient” to the Clintons.
http://www.arkancide.com
Why this post here?: Because the whole “Russian hackers” brain-atrophying psy-op hysteria that is paralysing the US admin traction is “cover” for the unmasking and murder of Seth Rich.
Saker I’m sorry for your gout – it has to do with food quite often – its like Laminitis with horses – rich foods – grass – in horses – causes it – its very serious with my own horse – I have to watch her so carefully or she gets flare ups –
Perhaps it was salmon ? I know that’s a traditional cause of gout –
I’m not sure if its the sugar in fresh grass or the protein – rich protein perhaps as Salmon doesn’t have any sugar –
I hope you feel better soon
Is Snowden real?
Snowden and Bruce Schneir have recommended Signal.
Does anyone have an opinion about the iOS and Android – telephony, and text messaging app called Signal.
One problem is that if they have the ability to hack into a device, then the app on the device can not be consider secure.
As an example, say you send an encrypted message from one device to another. Lets say “they” can not break the encryptions to read it. But, if “they” have hacked a device at either end of this, then all they need to do is to see what’s displayed on the screen and they can read the messages. “They” let the app do the decrypting, then if they’ve hacked the device itself so they can see what’s on the screen, then its like “they” are reading over your shoulder.
Thus, the various leaks about how “they” hack devices is relevant to all of this.
Just be careful what you say anywhere, and don’t really, completely trust that any technology will give you some magic cloak of invisibility.
Hello Saker,
Thanks for sharing these useful tips and platforms.
Thanks to everyone also for sharing other alternatives.
As we mostly know, a secure tunnel is only as secure as its weakest link. What do you make of the Intel Core pro chips as from Sandy bridge which have a back door 3/4G radio for security but which could equally be used to access the processor and run the computer with any small power reserves left in the battery. Would this not be the weakest link and could it not be used to steal your encryption keys and share with whoever wants to access your secure comms?
My personal experience is that I bought a new laptop and it was lightening fast. Aftrer visiting a couple of websites (yours of which I do once or twice a day), the laptop got bogged down. I reinstalled the OS, switched from Windows to Linux but ever since, the laptop has not been the same again. This is not the first time it happens.
I believe it is compromised in some way and the recent disclosure on sites such as ZDNET about the intel backdoors on the processors leads me to believe my problems with these laptops could be more than just software processes but inherent to the deep lying architecture of the hardware and government mandated backdoors built in.
Your take on this would be interesting.
THanks and kind regards,
TiRius
In this age of electronic intelligence. And more importantly the evil doers that misuse it. There is absolutely no way an average citizen can fully protect themselves from being spied on. Unless you have the power of a “state actor” securing your communications you can’t be safe. And even there, attempts are constant 24/7 to break that down. Just look at the US spying on the leaders of Brazil,Germany,etc. Now I’m not sure about Brazil. But I feel sure that with the technological prowess of Germany that Merkel’s phones should have been secure. But,no,the US was able to even hack that phone.
I think a lot of the problem can be traced back to globalism. Most of the devices and software for those devices come from a limited number of global companies. More than likely all of them infiltrated by US spy masters. Probably the equipment itself. But certainly the programs operating them. The fact that even Russia and China use that equipment and software for a lot of things,puts them in danger as well. The best thing would be for them to develop and use,only their own equipment and software. And that be done by government companies.Not able to be influenced by “any” outside source. But until or “unless” that is done we will just have to deal with this problem.
Its not a real issue unless you are actively working against the empire and need to secure your work. Just by posting on here and other sites,its not a problem. Sure the US will know who you are. But they aren’t really concerned about “us”. We aren’t plotting revolution against them (except in our wishes). So we are very “low hanging fruit”. They aren’t going after us,unless a war or real revolution breaks out (and by then we should be smart enough to get away. Because we’ll know they would be after us). By as of now we have two choices. Either don’t say anything. Or (my choice) don’t worry about them knowing who you are. And keep on working to expose their actions.
Most file transfer tools are cumbersome. You can transfer big files with Binfer easily. Interesting big file transfer calculator here.
I wouldn’t trust any for-profit capitalist company to truly encrypt and keep encrypted my communications. Money talks, and “gummint” has a much much bigger wallet than all of us here combined.
For encrypted emails I would use any old regular free email service, but encrypt the messages themselves with a large size key using PGP – Pretty Good Privacy program. It’s open source, which means that many individuals all around the world have had a look at the source code and gave it thumbs up. It was classed as weapon at one time (and probably still is), which makes it a subject to export restrictions from the US. The way it was “exported” was to print the source code in a book and export that. Or so the legend goes. In any case, PGP used properly with a large size keys, it would take 40,000 years to crack the encryption using all the computers ever made on this planet all at the same time.
For voice and video gasbagging, Skype used to be fairly secure and private, but alas – since Microsoft has bought it I wouldn’t trust it as far as I can spit. Skype was encrypted between users, and keys were generated by “neighbours” and not on the central server. But that’s all history now.
On the other hand, we could be mischievous and sign all our emails with “US EMBASSY BOMB TOMORROW MORNING BE PREPARED” or some such bait, let the NSA and their “intelligence community” or braindead robots sift through millions of emails each day and waste resources? We pay for them anyway, so why not?
Few years ago when Australia brought the laws to force ISPs to keep all the data on their users, there was a lot of backlash. One ISP calculated that it would cost them around $23 million PER YEAR for a datacenter, hardware, staff and all the rest to comply. It didn’t help, the law was still passed. I’ve read somewhere at the time that Danmark introduced the similar laws and repealed them within 2 years. Why? Well, it turned out that the mass of stuff to sift through was so large that they had to increase their staff from 300 to almost 6000 or some such stupid number, and nothing to show for it.
I have some observations on encryption. I have gnupg and enigmail, so I can send and receive encrypted e-mails already. And some of my friends profess concern about their e-mail privacy, but they refuse to get gnupg and enigmail. This reminds me of something Mark Twain presumably said. It is like the weather: everyone talks about it, but no one does anything about it.
One problem I see with gnupg-enigmail is that, while the body of the message is encrypted, that the stuff on the envelope (From, Two, Date, etc.) is in the clear, and it cannot easily be hidden because the e-mail and Internet protocols require the information to route the messages.
Some people fear that sending encrypted e-mail serves only to call attention to it. In my view, people should encrypt all electronic communications, including laundry lists, pizza orders, checking what movies are playing, etc. Because if everyone does this, the Department of Nameless Terror will have to spend enormous effort decrypting all of it only to find out how boring it all is (it is my impression that 90% of e-mail is spam, and I giggle at the thought of the DNT cracking the encryption of all of it).. The fact that something is encrypted will not raise flags because everything would be encrypted.
gnupg + enigmail works (with Thunderbird for example), but it is complex to handle.
Try BCTextEncoder: Encode your text within a textbox, then copy/paste it into your mail.
If you have annexes, encrypt them with 7-Zip (for example) and put the password into the text.
Check out MaidSafe – «the new decentralised internet» – an interesting new p2p blockchain technology out of Scotland, currently in alpha, with the emphasis firmly on data security: https://maidsafe.net/
Hello everyone.
May I point out a few facts:
1. If you are not a spy you really don’t need to use super encrypted messaging systems, because:
(a) If it is only a privacy issue against peeping toms and low level criminals who steal your information for petty crimes: they are plain stupid and cannot break even a rudimentary encryption.
(b) We see a lot of hackers on TV (most of them working out of their mothers’ basements), this is just a dramatization. These idiots don’t even know how encryption works, let alone being able to attack a system’s encryption. Let lone understand how to breach a properly configured hardware and software system. There could be millions of different setups in a community.
So how security breaches take place? Here is how:
1. carelessness of users (Snowden used other peoples’ passwords which were lying around or jotted down for convenience). He did not breach a single system.
2. Employees (usually low level) of organization, like banks credit card companies, retailers, lazy bosses who circumvent the security procedures to make their lives easier, with access, secretaries with access, and your every day losers in the IT are the main source of most of the disasters.
3. Communication companies either as corporations or their employees individually, offer up any communication for a bit of money.
Can you protect yourself against real computer scientists working in various governmental agencies with unlimited resources? The answer is no. On two accounts:
1. Everything which had been sent on a computer which is not a one time book cypher can be encrypted, no matter what these agencies claim (for example apple’s quixotic stand), and
2: It is not the message or its contents which draw people’s attention, it is simply when a cypher is seen being used by someone, the first question is why? It raises red flags immediately and then the person is investigated because there is usually something to hide. You can pretty much assume that anyone using a cypher is trying to hide something that can jeopardize him–and it is usually something that breaks the law in a more serious way than having an affair with your best friend’s husband.
I think that simple password protection, not writing self-incriminatory stuff on social media is sufficient for a reasonable person to protect themselves against criminals. Anything more will actually draw unwanted scrutiny.
So if you are not breaking any laws or intend to break any laws, relax!
Jenn
1st – I do not trust *anybody* who implores me to trust them. 2nd – *Anything* that is made can be unmade.
So no.
It is a myth that commercial software based on open source projects are more secure.
How can you be sure that a developer compiles a “clean” code. You add 2 lines of code in your targeting build, and that’s it.
What’s is true is if you have a control over building process, then a software become more secure.
But still not entirely, because the blueprints are known.
If you want a top-notch encryption software for yourself or your close circle, grab a copy of “open source project” like Brian Gladman’s Implementations of AES Rijndael (my recommendation, preferable from 2007yr), and modify heavily to suites your goal, and keep it closed to the public. With a such approach a decryption attempt becomes unpractical and impossible even for Government organizations or super computer clusters.
The best defense is to go low-tech. Meet in person, face-to-face. Do it somewhere unexpected, or someplace where directional mics and lasers bounced off windows can’t listen in. And of course some place where there can’t or shouldn’t be any listening devices.
Read some old spy novels, the good ones, not James Bond, to learn the tricks of how to communicate covertly. How to leave little signs in pre-planned places to signal the need to have a meeting. How to schedule a set of places where to meet at certain times if the signal is given. These days, an old-fashion dead-drop can carry a ton of information as memory sticks with lots of capacity are common, available, and easy to hide. Leave a signal someplace that you are making a drop, like perhaps putting up a lost dog poster on a certain pole, then hide the memory stick in a gap in a wall, and someone else see’s the dog poster and then picks up the memory stick.
The problem with technology is that it can always change. What’s safe today may be less so tomorrow. And these days, you know for certain that if a tech seems to be safe today, then orgs like the CIA and the NSA probably have multi-million dollar projects to crack into it. Open source is fine in theory, but it also takes active people constantly checking it, or else someone can still slip something in. And while a million or two of dollars or euros would be a small fortune to a programmer, its chicken-feed to the CIA or NSA or any other government that wants in. And they also have their usual tools of blackmail and extortion to get someone to do their bidding. So, just remember, if something seems safe today, then its a target already. Doesn’t mean it won’t stay safe, at least for awhile, but history has shown that whenever something emerges that the NSA et al can’t listen in on, then getting that capability becomes a priority project for the NSA.
Develop codes within codes. The safest codes are ones that rely on personal knowledge between people. If you encrypt that you want to meet at the coffee shop on 4th street, then its possible for someone to decrypt that and read it. But if you just say to meet at the place we ducked into on that day we got caught out in a rainstorm, then only the other person can understand that this means to meet at that coffee shop on 4th street.
And remember, face-to-face is the safest. Especially if you take precautions to make sure its at a unique place where its hard to listen in on. Meeting in a suana used to always be a favorite in stories, as no one can conceal a wire easily when naked, and no windows a directional mic or laser might pick up on.
Thanks for this!
Incidentally, Brave Browser is worth a look, if you fancy a bit more speed and privacy while you surf, and https://www.qwant.com is an interesting search engine – very good interface.
I wouldn’t go as far as polistra to say that the safest way is no technology, but low tech could indeed be the safest way (100% safety is impossible anyway). This solution is for tech savvy people (aka Nerds).
Computers have been complex machines ever since. With the years the complexity of hardware and software increased. For most (maybe even all) it’s impossible to be certain that neither hardware nor software is compromised. This implies that sending and receiving messages also may be compromised – even before encryption.
If you’ve got an old computer that was produced before mass spying was considered fashionable, then some basic live system – with a hardened kernel, with as little software installed as possible and with as little background processes running as possible – that boots from CD/DVD may be the safest way to send and receive encrypted messages.
For all those recommending VPN-services or some anonymous p2p routing networks: I’m pretty confident that several alphabet agencies (of different) nations are participating in playing that game. (Wasn’t that “garlic router” developed by the military or some former military member?)
I recommend everyone to move from Windows or Mac OSX to Linux based systems like millions of people already have done. Windows is actually malware, spyware and crapware.
I’ve been using protonmail for about a year now. It is good at what it does but the contacts feature is very poor. That said I love the fact that every time I get an email in my protonmail account a notice goes to my gmail account “you have a new message in protonmail”.
Just a funny way of poking the bear in the cage even though the door is open :)
I never said I was a smart one. A smartass? Yes.
I would like to recommend another way of keeping your browsing history secure. If you remember the Snowden files, the NSA and the likes keep a log of metadata from the sites that you visit. This can tell them an awful lot about you.
I use a VPN service, and would recommend VyprVPN. It is very reasonably priced (I do not work for them!), super fast and has servers all over the world. It also uses 256bit encryption and is very secure.
If you do not know how a VPN works, it is essentially an encrypted tunnel between your computer and the website that you visit. Not even your internet provider can monitor what you are doing. VyprVPN also has a option to mask the packet size (the amount of information being sent at any one time) as some programs give themselves away by sending a certain packet size all the time and then the service provider can recognise this traffic, even though it cannot see what is being sent.
No encryption will help you if your hardware & OS are compromised ;)
Dear saker community,
First of all thank you to the Saker for this very thorough review. As a non-technical person I have nevertheless the wish to communicate privately and researched the alternatives. The encrypted chat apps Signal and telegram seem to be very popular and especially signal is praised on many reviews.
What is your opinion on signal and telegram? Are they trustworthy? Do you have alternative suggestions?
Kind regards D.
To assess your security needs, you need to assess what kind of threats you face. The article mentions the NSA by name. If you’re not already a computer security expert, you probably don’t have a prayer.
Now, it depends, if you’re just talking about the mass surveillance aspect, then sure, don’t post controversial stuff and keep your email clean or encrypted and you should be okay.
If the NSA really considers you a threat, you will face the TAO [1]. Now, these guys will compromise your ISP to capture everything going in and out and then they’ll hack your machine. That’s where the security expert part comes in, and even then, well, I don’t bother because I’m not sure I’d “win”.
In practice, the best you can do is use Tails [2] to access protonmail or maybe yandex.net because Russia doesn’t honor NSA security writs. Beware though, just running The Onion Router can be enough to bring retribution from a hostile totalitarian government.
Okay, I know, I said to not post stuff, which is horrible but if you think you will outwit the three letter agencies to post on thesaker.is without their knowledge, well, good luck with that.
I’ve got over 20 years in security and I still wouldn’t want to tangle with the NSA. The only real chance I have is to stand on my first amendment right as a US citizen and to be willing to go to prison for freedom.
[1] https://en.wikipedia.org/wiki/Tailored_Access_Operations
[2] https://tails.boum.org/
The end-to-end encryption currently in use on the Internet is flawed in both design and sometimes implementation. Ways to subvert it are numerous – from the various publicly known methods ( various versions of SSL stripping etc etc )
to known to you know who hardware backdoors to Tempest intercepts to the ridiculously easy ( and some more complex ) ways of security certificates forgery. One Time Pad is your best shot at any semblance of secure comms assuming the hardware is secure.