Note: This paper has not been updated recently and may contain out-of-date and unsafe information. There are no plans to update it in the future. Should you want to take over this project, please get in touch with me on Keybase at @CryptoSeb or via ProtonMail at root@cryptoseb.pw. Please exercise caution when deploying and using what is discussed below. A paper was not a good deployment method for this content in hindsight. See: https://privacytools.io

The Crypto Paper

"Privacy, Security, and Anonymity For Every Internet User."


About The Authors

CryptoSeb

Hello. My name is Joshua but many in the online world know me as CryptoSeb or just Seb. There is absolutely no correlation between my name being Joshua and my alias being Seb (Sebastian). Simply put, I just didn’t think using my name as an alias was all that cool. Back in 2015, some online friends and I noticed a gap in the information being provided to people to better their knowledge of security, privacy, and anonymity in our ever-changing digital world. We could find papers, forum posts, and discussion around little bits and pieces but we had to do the searching ourselves and put it all together. It really wasn’t suitable for like 75% of the Internet population. So in early 2016, I had this idea of writing a paper that would encompass everything related to security, privacy, and anonymity but tailor it to all walks of Internet users; whether that is my 59-year-old grandma, or Edward Snowden-like individuals. This paper, titled “The Crypto Paper” resembles the beginning of my alias because it is largely a collection of my own personal thoughts, knowledge, and experiences. As well, this paper is not going to be something that strikes every individual in a good spot 100% of the time – you WILL disagree with some of what is included and that is perfectly fine. We encourage you to submit corrections or give suggestions on how we can improve it. A full list of my contact information is available at https://cryptoseb.pw/encrypted and verifiable at https://keybase.io/cryptoseb & https://cryptoseb.pw/verified. Email/XMPP = root@cryptoseb.pw Wire = Seb

Bitmarauder

As a cypherpunk and wanderer on these here wires, from time to time you will find that my hands feel the need to make note of what I've learned in my travels in search for truth and freedom. By trade/study I work in infosec. My anonymity and privacy when necessary are huge. For all you legacy privacy noobs, I can be reached via 'email' at bitmarauder@tuta.io or preferably on bitmessage at BM-NBQJBmcPFrHdwvRnhJJjyP1cS4dFGQ6b and like everyone should have, I'm also on Wire as @bitmarauder :: PGP http://pgp.mit.edu/pks/lookup?op=get&search=0xDCB897EB52F7A0B4

Reviewing / Content Editing

Originally, I had these high hopes for this paper to get peer-reviewed by some big(ger) name people in the privacy/security industry and even though many of them agreed to take on the task, lives are busy and the paper is 61 pages. So I am just going to have to settle with a little more harsh criticism from the public. I know there have to be places in here where I am dead wrong or you think I should add/take out something so I encourage you to really speak up if you see the need. I intend on publishing an edited version 1-2 months from the initial release.

A Brief Introduction

Reasons Behind The CryptoPaper

Back in mid 2015, I (among other friends) started to see a real issue with the people using the Internet. Not only were they using it completely incorrectly on so many different levels, but they didn’t have the resources to acquire accurate knowledge and change their behaviors. It isn’t necessarily the fact that people want to use the Internet incorrectly, it’s just that we have come from Windows 95, 50 pound desktop computers, 512mb of RAM, and Minesweeper, to petabyte servers, Google, self-driving cars, and ransomware in the course of 16 years. We have made technological leaps forward and it is literally consuming the massive portion of the population who weren’t born/raised in this era or who don’t have an interest in becoming “tech-savvy”. And yes, consuming is the right word. I swear if a computer could eat you, some of the 65-year-old people trying to text their grandchildren would be gone. That phone would have a mental breakdown as they ‘attempt’ to use it correctly and just eat them.

But I have nothing against people who cannot seem to understand the security/privacy/anonymity aspects revolving around technology. That is actually the reason for this paper being developed in the first place. I want all my grandmas to be successful Internet users and not have to approach it with such a disconnect. Furthermore, we want avid tech people to also find a benefit and learn a little as well.

Uniquely Designed

Designing something of this magnitude wasn’t as easy as you would think. I needed a way to separate the content so it had some sort of “flow” to it. But I also needed it to be something that wouldn’t lose the less experienced people right off the start. The idea I came up with was to split it into 4 categories of people:

Common Internet Folk

Business & Tech Geeks

Government Level Individuals

Edward Snowden?

As you move up from one category to the next, the information becomes more intensive and techy. I hope that this method ensures adequate learning on behalf of ALL Internet individuals and we definitely encourage you to learn in the sections where you are lost. This is meant to be a tool of knowledge to promote your learning!

Common Internet Folk

What is Privacy?

Wikipedia describes privacy as “the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively” and I would largely agree that the definition provided fits the mold. However, I would suggest another definition as well. “Privacy allows everyone else in the world to see your life through a selective lens of your choosing.” It means to have the choice to not allow your neighbours to view your bank account information. It means only displaying certain information about your Facebook profile to the general public. And it means having curtains on your bedroom windows to conceal your sexual acts from onlookers. In information security circles, privacy is often synonymous with encryption, whereas anonymity deals more with the transportation and discoverability of one's information.

Well Then What is Security?

… and security is what keeps us safe. Privacy is the idea; security is the thing. In the online world, security is what safeguards our information from hackers, thieves, Joe sitting next to you at the coffee shop, and even Government bodies who want a little more control. It encompasses a wide range of “things” that we use to keep our data compliant with the Privacy Rules we, or the organizations and services we use, specify. Security would be things like encryption, or strong passwords. Privacy would be not letting a co-worker watch you type in these passwords.

Okay, So What About Anonymity?

Privacy and security are very closely related and anonymity is just the distant uncle who always shows up to the party in socks and sandals. I say this because everyone makes fun of him at first, until it starts to rain and they all wish they had his nice warm wool socks on their feet to protect them. Anonymity is the concept of not being identifiable as your true self online. It seems to get a really bad reputation because a lot of hackers and online criminals are referred to as being anonymous. But it is also a very positive thing. Like in cases where a teenager who is questioning their sexuality wants to conceal their online activities from their parents or school until they are ready to make that big coming out moment. Or for a police officer doing undercover work to take down a child pornography ring. Countless individuals around the globe use anonymity in some form or another every single day. As a final note, I think it is also important to understand that anonymity isn’t always just important for people as individuals but people as a collective. To have a truly open democratic system, anonymity plays a huge role. It grants us free speech, allows us to question without negative repercussions, and gives us a means by which we have choice.

Let Me Explain Further..

Based on the arguments I have had with people in the past, I don’t think simply explaining what security, privacy, and anonymity are will be enough for many of the readers taking a look at The Crypto Paper. I think part of this comes from the mindset people have while using the Internet, but I also think part of it comes down to people just not knowing how serious the issue of privacy and security is. Let me give an extended explanation.

The primary reason for curtains/blinds/drapes covering our windows in our house is to stop people from being able to see in. The reason we don’t want them to see in is because we consider much of what we do inside our homes to be private. Whether that be having dinner at the table, watching a movie with your kids, or even engaging in intimate or sexual acts with your partner. None of these things are illegal by any means but even knowing this, we still keep the curtains and blinds on our windows. We clearly have this strong desire for privacy when it comes to our personal life and the public. The same is true for our personal effects in not so personal places – like using an ATM (with your debit card) or paying with Interac at a grocery store (not such a personal place). It would be foolish to not cover your PIN while it was being entered or to make sure the person beside you in line wasn’t recording you while you entered it in. You are keeping your PIN private, which is directly increasing your personal security. Even if we aren’t consciously being safe about these things, our subconscious has our back most of the time. Think of this: If there were 5-6 rough looking individuals joking around by the ATM in the entrance of a bank, do you think many of the women looking to get cash out would feel comfortable going in to do the transaction? Or do you think they might wait until the group left? In so many ways we have this consideration and desire for security and privacy but then we move into a digital environment, really beginning to harness the capabilities of the Internet, and many of us just throw it all away.

It’s hard to think of all the ways where we put our very personal information out into the world, while holding this belief that it “has to be safe. Just because.” so here are some examples:

Many Debit and ATM machines only use the 3DES encryption algorithm to keep your financial information safe. 3DES was developed in the 1970s and is significantly weaker than the new and much more cryptographically sound AES algorithm. http://blog.erratasec.com/2013/12/target-displays-its-incompetence.html

You pay for a catalog order by calling the company and telling them your credit card number over the phone. The representative then reads the number back to you for verification.

You keep an agenda book in your purse with your passwords written down in it.

You use the same PIN to unlock your phone that you do with your debit card or credit card.

You use the same email for your online banking, PayPal, iCloud (important accounts) that you hand out to the cashier while out shopping.

You have texted someone a password, piece of financial information, SSN/SIN.

You use less than 5 different passwords for everything online.

I would have liked a way to record people’s facial reactions while they read the bulleted list above. I am curious to know how many of you went down all 7 items and said quietly to yourself “yup, I do that too”. But these typically aren’t things we consider to be insecure. You deleted that message you sent to your husband with your social security number in it so you must be safe, right? Not quite. The digital world is so vast and is comprised of numerous “levels”, for lack of a better word. You as an Internet user would be one level, a system administrator doing work on your bank’s server would be another level, your bank itself would be another level, the people setting rules and regulations for that bank another, and high level government organizations are usually the final level at the top. So even something so simple as logging into your bank account has the potential to hit tons of these “levels”. This is both good and bad. On one hand, it means our information is being looked after by a varying amount of people, companies, and organizations – no better way to determine the faults in our security. But on the other hand, HOLY SHIT! OUR INFORMATION (that we probably want to be private) IS BEING LOOKED AFTER BY WHO KNOWS HOW MANY DIFFERENT PEOPLE, COMPANIES, AND ORGANIZATIONS. You wouldn’t likely walk outside to go to work and tell your neighbor “Yup, had some really great sex last night with my fiancé!” But… you might text that to a best friend over SMS where there is a potential for one of these people or organizations to have a little peek at it? And that's where it doesn't really make sense.

The NSA (National Security Agency) has been running a program called Dishfire that collects up to 200 million text messages per day from users globally. For reference see here: http://www.theguardian.com/world/interactive/2014/jan/16/nsa-dishfire-text-messages-documents, here: https://en.wikipedia.org/wiki/Dishfire, and here: http://www.belfasttelegraph.co.uk/technology/gchq-given-access-to-us-dishfire-system-that-reads-hundreds-of-millions-of-text-messages-from-around-the-world-according-to-nsa-documents-leaked-by-edward-snowden-29924715.html

This means that the text message you sent your buddy about the wonderful sex, could have been read by a member of either the NSA or the similar GCHQ in Britain (whom they have granted almost unrestricted access to Dishfire data). Think about that for a second. Someone you don’t even know, from a country you may never even have visited, knows about your sex life, all because you texted it to a friend. This is just the beginning too! The NSA has been rumored to have a program capable of crawling the Internet and mining (collecting) mass amounts of data for later analysis. Due to the classified nature of really anything the NSA has in its possession, we obviously don’t know what information, or how much information is being gathered (if any at all) but based on the size of the NSA datacenter (https://nsa.gov1.info/utah-data-center/udc-photo.html), I would say an astronomical amount containing the sum of EVERYTHING. You don’t have a datacenter that large without a purpose.

If it doesn’t concern you that a member of your government is able to see everything you are doing online, read the text messages you are sending, or even listen in on the calls you are making, it should scare you to know that companies like your Internet or mobile service provider likely have the capabilities to do this as well. See: http://hotair.com/archives/2015/08/16/attverizon-nsa-partnership-shows-why-government-and-businesses-shouldnt-mix/ and http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order

“But they are just doing it to keep us safe! And besides, I have nothing to hide!” – These statements are valid for you to make, but really based on false ground. Think about the argument I made earlier concerning the blinds and curtains in your house. They keep you safe and allow you to go about your daily lives in private. Not that we are being secret about any of our life, or that we close the curtains just so we can commit illegal acts. We use them because we don’t like the fact that someone walking by at night could see, watch, and even record everything we are doing. Imagine what it would be like without those blinds. Would you still feel comfortable engaging in many of the same activities that you do? Would you still masturbate in your bedroom where the neighbours had plain view from their kitchen window?

So if we aren’t going to give the public ready-made access into the details of our daily lives, why are we making an exception for our governments? Because technically, the same governments we are making exceptions for, are made up of these individuals from the same public who we do not want knowing and seeing this information. They are people whose intentions or motives we can’t verify. They could be watching your every move (with or without the consent of their superiors) and you would be clueless. The same goes for the individuals in the same room as the lady you read your credit card information to while making that catalog order over the phone. Was there someone else in the room with malicious intent writing down the number, expiration date, and CVV code while this representative read it back to you for “verification”? I guess you’ll have to be okay with the fact that you will never know and trust the individuals at your bank to alert you if something goes astray.

This is why privacy and security matter. This is why we need to implement strong encryption and NOT let anyone have a backdoor in the code. Although we may have good intentions as individuals, we can’t rely on the assumption that other individuals will match our same intentions. If we do not hold the companies who are storing our personal information (like our bank, PayPal, Facebook, etc) accountable and responsible for keeping our information and identity safe, we will willingly be moving into the unknown. Into a digital era where it is more common for a random onlooker to know more about your personal life, financials, and account information than another member of your family. Mozilla put it best: Privacy Lets You Be You. https://advocacy.mozilla.org/encrypt/social/1

So keep this in mind when you are reading the remainder of this paper. I didn’t do a lot of explaining with precise examples as to “why” you need the security, privacy, and even anonymity as showcased in the next 50 pages… but it shouldn’t be rocket science. We can’t really assume that backdoors, government surveillance, and poorly developed security measures are keeping us safe just because we trust the people using and implementing them, can we? Because if so, then you should take a look at this breach that compromised 20,000 FBI and 9,000 DHS employees and imagine how secure your life would be if you left it in someone else’s hands: https://motherboard.vice.com/read/hacker-plans-to-dump-alleged-details-of-20000-fbi-9000-dhs-employees

Watch: https://www.youtube.com/watch?v=VPBH1eW28mo. It explains locks + technology.

Watch: https://www.youtube.com/watch?v=V9_PjdU3Mpo. It explains mass surveillance.

Defining Your Threat-Model

For starters, a threat-model could be defined as how an individual needs to be protected based on things like: the valuables they own, the information they know, or the work they do. Someone like the President of the United States is going to have a much greater threat model than someone who works at a grocery store. However, this doesn’t always apply to the Internet world because we often don’t look at the idea of threat modeling from a holistic approach. We tend to see it as good guys VS bad guys when it comes to the whole security, privacy, and anonymity concept. Think of someone like Edward Snowden – the big whistleblower that revealed a ton of NSA secrets regarding the privacy of US Citizens. His threat model is very different from yours or mine because his life is literally on the line. People want him dead for what he did. So before diving into the whole idea of security, privacy, and anonymity in the online world, we need to ask ourselves: what and who do I need protection from and what information or data are they going to try and get from me? See yourself as a storeowner and assume that someone is always going to be trying to take what you have and use it for his or her benefit. This is where the idea to break this paper into 4 sections came from. We go from common internet folk, to tech savvy users like myself, to government officials, advocates, and the like, to Edward Snowden himself. Once you have determined whom you need protection from and what you need to protect, you should be able to take the steps to further your knowledge and stay safe online.

Encryption. EVERYTHING ENCRYPTION.

I am a pretty big believer in encryption online because encryption can be seen as the primary tool that keeps our information/data secure. It prevents outside people from taking a looksee at things we would probably like to remain confidential. Wikipedia defines encryption as “the process of encoding messages or information in such a way that only authorized parties can read it.” With this tool available to us in so many different forms online, we are foolish to not make sure a huge portion of everything we do on the Internet is encrypted. We should be encrypting our computers. Encrypting our connections to websites. Encrypting our communications. Encrypting the places we store confidential information. Even encrypting our search results on Google. I believe that this is how we are going to be the most secure in this digital world – by making all this data unreadable to anyone that we do not specifically grant the ability to read. Sort of like the lock on your front door. Without a key, people don’t get in unless they use force. And the stronger that we build our house, the more secure our door is, and the bigger fence we put up on the outside, the harder it is to use force to gain entry.

Firefox Please

Diving right into the specifics, I want to start off with the most common mode of accessing the World Wide Web, your Internet browser! Probably around 99% of the people reading this have used one to access this paper (unless you are reading a printed out version that was given to you of course). The most common examples of a browser are: Internet Explorer, Safari, Chrome, and Firefox. Ideally, you want to be using a browser that is being developed by a company who is dedicated to your security and privacy in the online world. It is also worth considering one that doesn’t inhibit your browser experience by flooding you with options. It should just make your experience secure/private in a seamless fashion. For this reason, I recommend Firefox. It is open source, and widely used by security professionals. It is also very secure and enhances proper usage with little things that are easy for individuals to pick up on while still being very customizable to those looking for something more. It has a feature called “In Private Browsing” which doesn’t log your history, store permanent cookies, or save search results. You can also download “Add-Ons” that both tailor your browser to your needs, and offer more security. As a side note for those individuals looking for a really high level of security, privacy, and anonymity, Firefox is also the base that the Tor Browser is developed off of, which I would say is a very good argument for using it as a daily browser.

HTTPS / Browser Encryption

Often times when you connect to a website, you will notice that the URL just displays the website name (i.e., amazon.ca or www.amazon.ca). But as we move into a more digital world, it is highly recommended that sites use SSL Certificates and Transport Layer Security to encrypt your connection to them. This displays in your browser as https:// with the S being the important thing to look for. Now, browsers like Safari on your iPhone/iPad/iPod and Firefox on your desktop/laptop are making it easy for you to determine which sites are secured and which are not by displaying a lock icon beside the website. See this linked example of PayPal’s website that shows not only the lock icon, but also identity verification known as an Extended-Validation Certificate (green words beside the lock) to supply a trust factor in making sure you are connecting to the real PayPal website https://cryptoseb.pw/uploads/screenshot_10:10:37.png

In a nutshell, when you connect to a website with an SSL Certificate, it means that everything you do in association with that website is going to be encrypted from your browser, to the website’s server, and then back to your browser. This includes login information, passwords, financial information, and all other personal details. Even on my website cryptoseb.pw, I have an SSL Certificate that is using TLS to encrypt all the traffic. I don’t have a need for one at all, but it is good practice to always use one. Encryption is never a bad thing on the Internet. But be careful, certificate authorities (the big companies that hand out trusted SSL certificates for users) can and have gotten hacked/breached in the past, which would compromise the security of every certificate they have issued. HTTPS doesn’t just provide us with encryption for the data in transit either. It gives us a way to authenticate the data. With a website transmitting all the information over plaintext, you can’t be certain that even the website you are viewing is the real one. If your connection was the victim of a man-in-the-middle attack, the data could be compromised at any time. This is not an easy task when a website makes proper use of SSL/TLS.

However, encryption to and from a website isn’t always up to current standards and can be misconfigured, use weak algorithms/cipher suites, or have trust issues with the certificate. The best way to find out if the website you are connecting to has good stats on their certificate is to head over to https://www.ssllabs.com/ssltest/ and put the website URL into the scan box. I have configured cryptoseb.pw to get an A+ with complete 100s down the list. This is serious overkill and loses support from some older browsers, but it means the highest level of security. Here are some pointers on what to look for to acquire maximum encryption strength/trust:

Certificate is TRUSTED

Key is greater than 2048 bits (RSA)

TLS 1.2 offered as a protocol but NOT SSL

RC4/MD5 ciphers are NOT allowed server-side

Secure Renegotiation enabled

HTTP Strict Transport Security (HSTS) enabled

Public Key Pinning (HPKP) enabled (not absolutely necessary though, just a bonus)

OCSP Stapling enabled

Forward Secrecy ciphers preferred server-side
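
The checklist items that a TLS client can enforce by itself (trusted certificate, TLS 1.2 or newer, no RC4/MD5, forward-secret suites), as an added Python example that is not part of the original paper. The function names are assumptions made for this example; HSTS, HPKP, OCSP stapling and secure renegotiation are properties the server reports and are not covered here.

```python
import socket
import ssl

WEAK_MARKERS = ("RC4", "MD5")      # algorithms the checklist rules out
FS_PREFIXES = ("ECDHE-", "DHE-")   # ephemeral key exchange gives forward secrecy


def strict_client_context() -> ssl.SSLContext:
    """Client context that only completes handshakes meeting the checklist."""
    ctx = ssl.create_default_context()              # trusted CA chain and hostname match required
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.2 or newer, never SSLv2/SSLv3
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 suites: forward secrecy only
    return ctx


def permissive_context() -> ssl.SSLContext:
    """Deliberately loose context, used only as a comparison for the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def audit_ciphers(ctx: ssl.SSLContext):
    """Return (suite name, reason) for every enabled suite that breaks the checklist."""
    findings = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append((name, "RC4/MD5"))
        elif suite["protocol"] != "TLSv1.3" and not name.startswith(FS_PREFIXES):
            # Every TLS 1.3 suite uses ephemeral key exchange; older suites
            # must name ECDHE or DHE to count as forward secret.
            findings.append((name, "no forward secrecy"))
    return findings


def negotiated(host: str, port: int = 443):
    """Connect with the strict context and report (protocol, cipher suite).

    Raises ssl.SSLError if the server cannot meet the requirements.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("strict context violations:    ", len(audit_ciphers(strict_client_context())))
    print("permissive context violations:", len(audit_ciphers(permissive_context())))
```

Calling `negotiated()` with a hostname needs network access; the audit functions run offline against the local OpenSSL build.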

Choosing and Using Strong Passwords/Passphrases

Now, there is a difference between some terminologies here that seems to be used interchangeably when they aren’t really the same.

PIN – Numeric characters in sequence (usually 4 characters in length)

Password – Letters, words, numbers, spaces, and symbols in sequence

Passphrase – Significantly longer than passwords often with words in sequence

Passcode – Apple’s take on a PIN/Pass combination (usually 4 digits but alphanumeric option available)

So when we take a look at creating passwords that are secure enough to protect us online, people tend to have the assumption that your passwords have to be all random characters and all different from each other. What a nightmare to remember! This isn’t true for like 97% of the population. Your passwords should be, for the most part, all different, but they do not have to be a combination of randomized characters. Take a look at this diagram I did up on how to come up with easy to remember but very secure passwords: https://cryptoseb.pw/passwords.png This allows you to create passwords that you won’t forget (as you only have to remember the base and the part being changed for each site) but keep you secure. You could even write down the part that changes somewhere fairly secure, like your Notes app on your phone - if your phone makes use of a strong passcode for encryption of course. Even if your kids are snooping through those notes, you don’t have to worry because they don’t know the base you have created. From the example picture, you would be writing down grip = Facebook, toes = PayPal, etc.

I would however recommend that instead of storing passwords on pieces of paper beside your computer, or in a diary you keep in your purse, or even on notes inside your mobile device, you look at getting a password manager like LastPass, Dashlane, or 1Password. I personally use and recommend LastPass for keeping all of your account information secure but easily accessible. It offers very good usability across your devices, and is accessible from anywhere in the world through your vault at LastPass.com. When you create an account, you are also creating a vault in which your passwords are stored. This vault is always encrypted on their server and is only presented in an unencrypted form to you from within their app, or in your browser after inputting your account information to decrypt it. All of this encryption happens behind the scenes and is seamless with your login. They also have enhanced security features like Two-Factor Authentication, geo-location (country) restriction, and email security notifications. However if you fall into the last 2 categories of this paper I would not recommend storing passwords in LastPass for accounts that can be accessed with a warrant. Things like your SpiderOak account do all the encryption client side and they do not store your password or encryption keys server side. So storing this password in LastPass could present itself with some issues if someone was able to provide a warrant to get in and see all your passwords. You could still store parts of these passwords in your LP Vault but in a secure fashion to simply remind you if you are forgetful. Say your password for SpiderOak was Koala_PURPLE-2015== , you could save the password in your vault as Ko*******5==. This should be enough to jog your memory, but not enough to give someone immediate access. For a yearly subscription to LastPass Premium, I paid $12, which is really affordable. 
I would link my referral code but I feel like that takes away from the idea that this paper is designed to be completely free and open.

KeePassXC - https://keepassxc.org/ KeePassXC is a fork of the underdeveloped/maintained KeePassX and provides very strong security of your passwords. They are stored in a Database file offline (you choose where to save the file) and protected with a very good level of encryption. It allows for both AES-256 and Twofish to protect your database file, has YubiKey challenge-response support, and allows keyfiles (https://en.wikipedia.org/wiki/Keyfile) to help secure the database as well. More information can be found on their website.

MasterPassword - https://ssl.masterpasswordapp.com/ There will be a review here soon.

Hashing & Authentication

It is important when we learn about encryption and using it alongside strong passwords, to also take a look at how these passwords are stored on the website’s server. The issue is that once you send something to a server, it is out of your hands unless you operate the server yourself. So it is important for server owners to be storing as little information as possible on the server unless it is in an unreadable, encrypted format. SQL injections and database compromises can expose anything in plain text and they are surprisingly very common occurrences. Hashing is similar to encryption but comes into play when securely storing passwords. When you register for many websites, they take your password and they store it on the server so that every time you login, it just compares the two passwords and if they are the same, it logs you in. However, this is incredibly insecure even with SSL implemented. The good websites/servers (which should be the majority of them now) hash your passwords before sending them to the server, which basically means storing them in a jumbled fashion. It is done commonly through what we call “hashing algorithms” like SHA256 or SHA512. As a side note, those are two common hashing algorithms that are often accompanied by PBKDF2 (which is used for key stretching https://www.schneier.com/cryptography/paperfiles/paper-low-entropy.pdf to thwart brute force attempts). Then when you login the next time to the site, your browser converts the password into that same string of random characters and matches it with the string of random characters it has stored on the server. If the two match, you are authenticated and allowed into your account.

Going into a little more detail on key stretching and PBKDF2, there is a related term known as Password Iterations or Iteration Count that defines the computational power that needs to be exerted between password attempts. The higher the number of rounds used, the more secure your account/encryption/password is going to be. Companies can also add a salt to the hash, which adds a random string of characters to the end that actively thwarts dictionary attacks (https://en.wikipedia.org/wiki/Salt_%28cryptography%29). For some reference, the default iteration counts for 4 common services/applications are listed below:

LastPass – 5,000 (Client side) + 100,000 more (Server Side)

TrueCrypt – 1000

VeraCrypt – 500,000

FileVault2 – 41,000
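To make the salt and iteration count concrete, here is an added example (not code from any of the services listed) of how a server could store and check a password with PBKDF2-HMAC-SHA256, next to an unsalted hash for contrast. The record layout, the function names, and the 500,000 target are assumptions made for this example; it also shows upgrading a record that was stored with a low iteration count the next time the user logs in.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"    # record label made up for this example
SALT_BYTES = 16
TARGET_ITERATIONS = 500_000    # assumption: the VeraCrypt figure quoted above


def unsalted_sha256(password: str) -> str:
    """Weak baseline: the same password always yields the same hash,
    so one precomputed dictionary works against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$digest' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def parse_record(record: str):
    """Split a stored record; raises ValueError if it is malformed."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    count = int(iterations)
    salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if algorithm != ALGORITHM or count < 1 or not salt or not digest:
        raise ValueError("malformed password record")
    return count, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    try:
        count, salt, expected = parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, count, dklen=len(expected)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum: int = TARGET_ITERATIONS) -> bool:
    """True when the record was stored with fewer rounds than we now require."""
    count, _, _ = parse_record(record)
    return count < minimum


def login(password: str, record: str):
    """Return (authenticated, record_to_store).

    The plaintext is only available at login, so that is the moment to
    re-hash an old low-iteration record with the current target.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    alice = hash_password("hunter2", iterations=1000)   # old, TrueCrypt-era count
    bob = hash_password("hunter2", iterations=1000)
    print("unsalted hashes equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted records equal: ", alice == bob)
    ok, upgraded = login("hunter2", alice)
    print("login ok:", ok, "| iterations now:", parse_record(upgraded)[0])
```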

What Information and Where?

So once you have the basics of how the Internet can work with you to keep you safe, it is vital that you determine what information you are putting out there, where it is going, and who is able to view it. Everyone has seen the posts on Facebook where someone uploads screenshots of a text message that was clearly meant to be personal but somehow got leaked – likely from another party with malicious intent. It sucks to be that person getting exposed! So we must be careful with the information we are sharing and how it can be used against us. The general saying is that once it is out on the Internet, it is impossible to take it back or erase for good. One should always assume that something, or someone, somewhere, is archiving that information for later use or reference.

To start, take a look at common websites like Facebook, Instagram, Twitter and what privacy options they provide. Take Twitter for example. You can either protect all your tweets, or have your entire profile open to the public. This is the same with Instagram where your account is either entirely private or entirely public. Unless you are very selective with what you are posting, I would recommend having these privacy features enabled on both. The exception to this would be if you were very avid in the online world, famous, or running a business where the publicity from you posting is going to drive customers. For average people just posting about their personal lives, keep it locked down for security. It protects you from random onlookers and also from someone who may be trying to steal your identity. Facebook is a much larger mode of social media and encompasses a greater aspect of your identity so it is of course going to be more complex. But ideally, you only want the public to be able to see information about you that isn’t personally identifying or revealing. An example of this would be your date of birth. People outside of a small circle of family and friends don’t need to know that. Especially the people you meet on Facebook. This is why Facebook provides a bunch of different options on who you share information with. I generally only use the 3 common ones: Public, Friends, and Only Me. Things like my date of birth, email address, phone number, and sexuality are all kept to Only Me because they are things I don’t want anyone else knowing unless I specifically hand it out to them. The majority of my other information is kept at the Friends level and only minuscule information is actually viewable by the public.

If you are one of the people who are relying on privacy, security, and anonymity to keep you safe, you should consider not using social media like this or being incredibly restrictive on what you are posting. All of these websites log your information and may even store it even after you delete it. Using disinformation or false information in these cases will benefit you. If you are very keen on using something like Twitter, maybe consider not using your real name and personal email upon registration. You must also take into consideration that these websites may not be keeping the information for just themselves to look at. We would be foolish to think they aren’t selling our information out to third parties or handing it over to Governments when they ask.

Business and Tech Geeks

A Starting Place

I often times see people who are clearly business people doing business related things with customers, clients, and the like in very public places in very insecure manners. I was just in an airport where a medical professional of some sort was discussing personal things with what I assume was one of his patients not 5 feet away from me. It was rather disturbing to listen to him as he wrote things down on a clipboard and I could hear the entire side of his conversation from 3-4 seats away. The nature of his call wasn’t disturbing… but the fact that the person on the other end was having their privacy completely compromised was. What got even scarier is while he was finishing up the conversation, he asked for this person’s health card number so he could document the conversation when he arrived. Not only did she give it to him over the phone, but he READ IT BACK to her over the phone. I could have recorded the entire conversation and I would have had her first name, and health card number along with a slew of medical related information about her. That is scary…

Take a look around next time you are in a coffee shop or public place like a library where people are using their laptop or tablet openly and see what they are doing. You may honestly be able to stand over their shoulder and watch them from 2 feet away for some length of time without them even noticing. These are places where people might even do financial transactions, update banking information, or send confidential emails/messages to clients and we are able to see it all as a passerby.

Securely Transmitting Information (Messaging/Calling)

Currently, technology allows us to communicate in so many different ways with each other that even 30 years ago we were unable to do. Skype, Email, SMS, Facebook Messenger, Twitter Direct Messaging, Mumble, and TeamSpeak are all examples of ways in which we communicate through technology. However, these are all methods of communication that are either inherently insecure due to the way they have been developed, or not used securely on behalf of the user. A study done by Forrester (http://blogs.forrester.com/michael_ogrady/12-06-19-sms_usage_remains_strong_in_the_us_6_billion_sms_messages_are_sent_each_day) claimed that in 2012, around 6 billion text messages were sent in the US each day. Those statistics are 4 years old now but should give some insight into the usage of technology in this day and age.

Now, I want you to think about what you would message one of your friends or family members or what you have messaged them in the past. I’m not talking the day-to-day mumbo-jumbo either. Think about the times when you have said something really personal. Maybe shared a password with your girlfriend, took a picture of a bank statement and emailed it to another family member, or even sent your social insurance number to a future employer. These are all too common in the daily world of technology and it is incredibly foolish and negates the security of our identity on many different levels. Facebook, Yahoo, Google… they don’t need to know this sort of information about you; even if they are claiming to keep it safe from third parties. To add some more scary information to the mix, the National Security Agency (NSA) in the US runs a program called Dishfire (https://en.wikipedia.org/wiki/Dishfire), which collects hundreds of millions of text messages per day. How is this even a thing?

This is where companies like ProtonMail, Wire, Open Whisper Systems, Apple (iMessage/Facetime), and Tutanota come in. They provide services that are dedicated to helping us communicate securely and privately with others. Most companies that WANT to keep you secure online will do so without draining your pocket either. Let’s take a closer look at the first four listed above which are my go-to services every single day.

ProtonMail – Secure Email in Switzerland

Before coming across the ProtonMail crowdfunding campaign, I was an avid user of email services like Yahoo and Gmail. However, Yahoo was only putting in a minimal effort to keep me safe, and Gmail, although secure from hackers and account breaches, was not fully encrypted. ProtonMail however, was marketing itself as the all-inclusive solution for encrypted email. Based out of Switzerland, ProtonMail provides end-to-end encrypted email that keeps your communications private. It is free, open source, and they have zero access to user data.

ProtonMail also employs some great security features that actively work to keep both your account safe, and your communications completely private. The first great security feature is the use of two passwords in the login process. The first password accesses your encrypted mailbox and the second password decrypts it. There are ways to employ fully encrypted email without using a dual password method but I prefer typing in two different passwords every time I log in. This allows me to store the first password in my LastPass Vault and the second in my head. Even if someone gets into my LastPass account, they aren’t getting into my email. Another feature I really like is self-destructing emails. This allows really sensitive communications to take place within a set period of time, thus reducing the chance of them getting leaked to an unwanted party. Alongside this, ProtonMail allows you to encrypt emails to users who do not have a ProtonMail account using their secure reply feature. This gives us a chance to sort of impose the level of security we want on those we are communicating with. Lastly, ProtonMail now also offers the ability to link your domain name with your account and upgrade for premium features. This gives us a chance to use our own domain, which provides trust to those we communicate with but does it all through the ProtonMail servers making everything fully encrypted. My email for my domain name ‘cryptoseb.pw’ flows seamlessly through the ProtonMail servers and provides me with a more secure email for communication, while giving me the benefit of keeping my online persona “findable” and tailored to me. As of December, 2016, ProtonMail now offers Single-Password Logins and Two-Factor Authentication via the TOTP protocol (Authy/Google Auth). More information here: https://protonmail.com/blog/protonmail-v3-6-release-notes/

Wire

Replacing Wickr (for my daily go-to secure messaging app) is Wire. Wire is a company based out of Switzerland that was founded in 2012. I don’t have much information about the application before the huge kick it had in July of 2016 when I decided to start using it, but I do know that for like 2 years it wasn’t open-source and didn’t provide many of the features it does currently. On the opposite end of the spectrum to my reference above, because Wire is open-source, we can validate the intentions of the developers and administrators behind the app on a greater scale. They would have to put some serious work into designing a backdoor to hand over information to an agency like the NSA considering the app is reproducible with the OSX and Windows versions.

Unlike many of the other apps in its category however, Wire is jam packed full of features and seems to be listening to user suggestions and really pushing out updates with new content on a regular basis. In the last 3 weeks since installing it, I think I have seen 4 new features that I found useful alongside getting open-sourced completely in that time (https://github.com/wireapp/wire). Some of the bigger features that Wire has going for it are:

Messaging that is end-to-end encrypted and forward secure to thwart big data compromise from man-in-the-middle attacks

Group chats with up to 128 people that are also end-to-end encrypted and forward secure

Encrypted audio (group as well) and video calls

Support for encrypted attachments, photo sharing, GIFs, drawings, voice changing on audio messages, sending your location, and pinging other contacts

Fingerprint verification

Multi-device encrypted pushing so you receive all your content on all your devices

Registration with either an email, phone number, or both

Phone number is not viewable by other Wire users or by the Wire server and email is viewable to both. This provides a layer of anonymity over Signal and allows a user to share their email linked to Wire for discovery

Ephemeral (Expiring) Messages for greater privacy

Wire provides both a Privacy and Security Whitepaper which are viewable on their website at: https://wire.com/privacy/ and give in-depth analysis of how the company operates and how the internals of the application work. The only downside to the encryption used by the application is that it is sort of a knock-off version of the current Signal Protocol. The developers of Wire took the Axolotl implementation and modified the ratchet, calling it ‘Proteus’ and using it strictly in Wire. The basics of encryption are ChaCha20 for the stream cipher, HMAC-SHA256 as MAC, and Curve25519 for the key exchange. Should still be considered secure encryption by anyone’s standard. For encrypted audio calls, Wire uses a mixture of HTTPS for call signaling and SRTP-encrypted media sessions. Keys and parameters are negotiated through a DTLS handshake. You can find out more about the encryption used here in their security whitepaper.

I am very happy with the direction that Wire is going and really proud to say I would prefer this mode of communication to anything else currently in the abundance of secure communication methods out there. The support is wonderful, they are very active with their followers on Twitter, and give me the biggest vibe that they truly care about our privacy in this ever-changing digital world.

XMPP + OTR

The one thing missing from version 2 of the paper was the XMPP/Jabber Protocol and OTR (off-the-record) for messaging privately and securely. XMPP is very nice because it is a federated protocol, which means you can run your own server and have XMPP work on your own domain. My server runs Prosody which handles the XMPP protocol so instead of giving someone a username for a new application they would have to download to connect with me, they just open their XMPP application and add root@cryptoseb.pw to connect with me. Probably the best feature of XMPP is that OTR is built into it fluently. Off-The-Record (https://otr.cypherpunks.ca/) allows you to have private conversations over IM by providing encryption, authentication, deniability, and perfect forward secrecy. All things necessary in keeping yourself secure. When I initiate a conversation with someone over XMPP with OTR enabled, it stops the server from being able to see messages in plaintext as OTR is client-to-client not client-server-client. Once you have connected to someone over XMPP and enabled support for OTR in your client, you can verify their OTR fingerprint with them to make sure you are contacting the real person and not someone in the middle.

Some really good clients that support XMPP are:

Another neat aspect of OTR is that it is used in more areas than just XMPP. Clients like Adium (see above) make use of the OTR Protocol over IRC as well. One could connect to an IRC server and communicate securely in private messages with another individual who has a client that supports OTR over IRC as well. This eliminates any chance of the server being able to log/monitor these private instances.

Signal – by Open Whisper Systems

Open Whisper Systems had originally created separate apps for encrypted calling and encrypted messaging called TextSecure and RedPhone back in 2010 but they have since combined the two services into one app called Signal. Signal is marketed on the Open Whisper Systems website as “Privacy that fits in your pocket”. They are the encrypted texting and calling application used by many and advocated for by big name people in the security/privacy industry like Edward Snowden, Matthew Green, and Bruce Schneier. This really gives the application a level of trust that goes beyond its competitors in the same field like Wickr, Telegram, WhatsApp, or Facebook Messenger.

Signal is very simple to use and provides a level of encryption that is top notch A+ grade and usable for all kinds of conversations. It is also open source, which allows everyone to view and validate that the application is working exactly as it is being marketed to work. This also provides transparency in assuring that the intentions of Open Whisper Systems don’t change or become malicious. The one thing that Signal provides that is above and beyond Wickr is support for very simplistic encrypted calling. This means you don’t have to just message someone, you can hold audio conversations with them completely encrypted and private from all levels of adversaries whether that be hackers, your mobile service provider, and even government bodies.

There are a few major downsides to the way Signal operates however and it definitely isn’t for everyone. The biggest downfall of Signal is that it requires your phone number to operate. Even though they send only hashed phone numbers for contact discovery and use encrypted bloom filters for calling contact discovery, this only prevents their server from seeing sensitive information like your name or number. But because it requires your phone number, you lose a serious level of anonymity over using something like Wire that does not explicitly need your number. Not everyone you have to speak with is going to be worthy of having your cell phone number; it is something that can compromise one’s identity and lead to things like fraud and identity theft. This is especially true for those who rely on being anonymous in many aspects of their life, like journalists, activists, or even whistleblowers (Edward Snowden). I find it odd that a person like Snowden, who would likely need a very high level of both security and anonymity in who he holds conversations with, uses a service that requires him to give up that anonymity with a cell phone that could be linked to his true identity. However, they have recently added support for self-destructing messages quite like how Wickr did it, which is awesome to see. Messages that go kaboom and don’t let the recipient view them after your allotted destruct time are wonderful.

Regardless of these design flaws, Signal is secure and that is what many people are looking for. It allows us to hold private conversations with another party in a fully encrypted fashion that keeps each party secure from anyone outside of said conversation. Signal isn’t anonymous by any means but for many, that isn’t an issue. I have started using Signal on a daily basis to talk with friends and it is starting to grow on me. You just can’t beat the simplicity.

Ricochet

Using Tor for communications is pretty crucial if you have a desire for any sort of security in your threat model. It isn’t enough for many people to just keep their conversations private, many need to also be anonymous the entire length of the way. For this reason, Ricochet is great because it integrates Tor into the process so your connection is completely anonymous. Although I (Seb) have not used Ricochet extensively, I have heard about it lots on the /r/privacy and /r/privacytoolsio subreddits and it is a recommended application on the PrivacyTools.io homepage.

Ricochet is open source, which provides its community of users the ability to verify the code and build the application from source themselves. They provide the .asc PGP verification files on all downloads and host the code on GitHub. As well, Ricochet has gone through an audit (February 2016) and the creator has since patched the issues found; see: https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf

More information can be found on the Ricochet homepage by visiting https://ricochet.im

iMessage

Apple has provided a messaging service since the dawn of the iPhone many years ago and expanded on it to be a very privacy conscious and secure way of communicating. Now, nearly every person who has an iPhone, iPad, Mac, or iPod Touch uses iMessage. What hasn’t really hit the spotlight and been discussed is the fact that messages sent iPhone to iPhone that show up as blue are sent fully encrypted end to end. When you first start using iMessage, your device creates two sets of private and public keys: one for encrypting and one for signing. Your private keys never leave your device, but your public keys are sent to Apple’s servers to be used by others whom you communicate with. iMessage uses 128 bit AES for encrypting the messages and ECDSA keys using a 256-bit NIST curve for signing. This ensures both the authenticity of the messages and the strength of encryption is maximized. However, Apple does this fluently and the user never has to worry about enabling extra features or downloading other applications like Signal to make this work. The only issue with iMessage that will hopefully be addressed soon by Apple is that the key servers are located in the United States. If they really wanted in, Apple isn’t going to be able to stop them at this stage of the game. A good step forward would be for Apple to separate the signing keys into say 3 different geographical locations around the globe to maximize the effort needed for a full compromise.

Recently as well, Apple has begun encrypting device backups to iCloud using your device passcode, which means if you are using a strong enough passcode to protect your device, you are also keeping that same security across the board when your phone uploads its important data to the cloud for backup.

BitMessage - https://bitmessage.org/wiki/Main_Page There will be a writeup here soon as well.

Storing & Sharing In The Cloud

Right alongside messaging people in a secure manner, we have to think about how and where we are storing files in the cloud, and how those files are being shared with others. Likely the most common form of storing files and data in the cloud is to use a service like Dropbox, Google Drive, Mega, One Drive, or the like. Most of these services have been developed to keep the user safe from account compromise – allowing two-factor or step authentication/verification to keep everything locked up. Google Drive would be my top pick of the above for account security as they manage millions of accounts every single day and have quite the automated system for authenticating and fighting hackers/jackers from compromising your account and stealing your sensitive information. They make use of things you know and things you have, like your password and your cell phone to block unwanted access.

However, the thing these services don’t do is prevent more powerful bodies from accessing your information and peeking in on the things you are storing with these services. Say you decide to store a Microsoft Excel document that you use for keeping track of all your financials inside of your Google Drive account. This file would not be encrypted on their server in a manner that only you could decrypt and could technically be viewed by anyone with enough credentials or clearance. This includes a government entity with a warrant. However, the majority of the population isn’t defending themselves against large entities like that so Google Drive is a fairly good solution for many of us.

But… What if…?

The question still remains on whether the average, ordinary person needs more security than what these services provide. I am an advocate for our privacy and a believer in encrypting everything we do online, so I would say yes! Because we can’t account for all the “what ifs” in the world, but we can eliminate a large chunk of them. There are services out there that provide complete security of your files with strong encryption. These services give us full control of our files in the cloud and keep them secure from even the company being able to snoop on them. I was and still am a user of ownCloud, a service that lets you host your own cloud-based storage. However, it isn't encrypted in a manner that keeps files at top-level security so I ended up switching. There is also room for question on whether just encrypting your sensitive information gives an adversary knowledge of what to target. If the majority of what you do online is in a plain-text manner, does that make your encrypted data more susceptible to attack?

Tresorit

The switch I made was to a company called Tresorit. They are a cloud service that takes file storage to a very desirable level of security. Everything you upload to your Tresor is encrypted device side before hitting their server, which means you have the assurance that no rogue system admin is going to be looking through your sensitive data. Your Tresorit password acts like the master key for everything you upload. Without this password, your files are irretrievable and lost in the cloud forever. This is good because it means no password resets and no compromised accounts. However, we technically can’t verify this information as customers/users because Tresorit isn’t open source. For those of us just looking to make a switch to something more secure, this isn’t an issue. Tresorit is still encrypting all our files client side and presumably keeping the keys for the encryption and decryption process off their servers which is enough. But if you are the next Edward Snowden, I recommend looking at something that is FOSS (Open-Source). This would give you the comfort of having everything stored in your cloud service completely encrypted and would give you the ability to verify this through their published code. You can view Tresorit’s Security Whitepaper here: https://tresorit.com/files/tresoritwhitepaper.pdf to read up more on the security they are employing to keep your files safe.

The Great Extras of Tresorit

I like it when companies offer more than just the basic product they are out to provide. Tresorit is a cloud storage service. It would be very easy for them to just provide secure cloud storage and call it a wrap. But they strive to offer more, which is a bonus for their customers. Probably the best added feature is being able to send encrypted links to download files stored in your Tresor. This allows a user like yourself to send someone else (whether a Tresorit user or not), an encrypted copy of the file to download. It remains completely encrypted the entire way to their browser. You can define an expiration time for this link and premium users also have the option to set a password for the download. This is a big security enhancement over sending the file non-encrypted via email or another upload service. Another feature that improves the usability is being able to share Tresors with people. So I as a user could create multiple Tresors and upload different things to them (one for work, one for family, one for personal stuff). Then you can share those Tresors with the respective people added as a contact on your account; granted they too have a Tresorit account.

SpiderOak

Although I haven’t used SpiderOak, they are the open source alternative to Tresorit so I do think it needs a spot in this paper. They are a similar service to Tresorit and hold true to the zero-knowledge system that cannot be attacked from within to hand over data to law enforcement. They are also “Private by Design and Choice”, a term you will see explained further on in this paper. The biggest benefit of SpiderOak over Tresorit is that they are open source and that should be very appealing to a wide variety of people reading this. But alongside being open source, they have also documented the security and privacy side to their service very well on their website; a serious bonus to future customers looking to get secure cloud storage.

Because I haven’t used SpiderOak before, I can’t comment on the usability or behind the scenes working of the service, so I am stuck going through reviews, reading the content on their website, and making my decisions from a very narrow scope of information. That being said, https://spideroak.com/about/law-enforcement has a line of drool running from my mouth and down my chin. I love it when companies post Law Enforcement Guidelines (Wickr was the first company I noticed doing this). It solidifies their commitment to their users and strives to show the public how much they care about security and privacy online.

The one thing that Tresorit made note of on their website is that SpiderOak doesn’t provide you with a way to securely share files in a form such that they remain encrypted from the time they are shared to the time they are downloaded. I cannot vouch for this claim as I have not tried out SpiderOak, but I can say that I am happy with the service that Tresorit is providing. I would only consider switching if it became known that they had implemented a backdoor in their software or if my threat model changed to that where only using open source software was a necessity.

Keybase File System

New to the online world of file storage and sharing is the Keybase File System. For more tech-minded folk who are fluent with the workings of PGP, one who has a Keybase account can utilize end-to-end encrypted private, and plaintext, signed public storage/sharing on the Keybase servers. The unique additives of KBFS that aren’t available with the other services are how they have intertwined your verifiable identities from your Keybase account into this network of sharing. All the files you upload to your public account are automatically signed and verifiable by an outsider. As well, you can create private folders with other users by simply adding their name (or username from another service) to the folder name. If they have a Keybase account, they will be able to access the folder; still end-to-end encrypted of course. More information about the KBFS can be found here: https://keybase.io/docs/kbfs

Securing Online Accounts

Hopefully by now you have registered for a ProtonMail or Tutanota account and are ready to start transferring some accounts over. So it is time to discuss some tips for keeping your accounts locked up tight so an adversary doesn’t jack them. This section really only applies to non-government entities attacking you for malicious intent. If a Government body like the FBI wants in, a warrant is all they need.

The most important thing to consider is how your account is verified. Most Internet sites use Email because it has been around for so long. So linking up your ProtonMail account makes things all the more secure because your ProtonMail email is incredibly secure from jacking unless someone watches you type both passwords in (which is thwarted by using the LastPass extension in your browser), or you get a keylogger on your computer (which will still likely be thwarted by the LastPass extension). Even if your ProtonMail account is discoverable to a good portion of the public, because you have either given it out or posted it publicly somewhere like your blog, they still need inside of it to do a password reset on your account.

Next, you are going to make sure you go through the security settings the website provides you with and do some researching on the added security those options provide. Take Twitter for example, they allow you to require Personal Information to reset your account. This means an adversary has to type in your email or phone number to even begin the reset process for your password. Another example would be PayPal requiring you to input your credit card information AND receive an email or text message with a reset code before allowing a password change. But where applicable, always use Two-Factor Authentication.

Two-Step Verification and Two-Factor Authentication

There is big discussion over whether there are differences between Two-Step Verification and Two-Factor Authentication. It seems like Google, Apple, and Microsoft use the first of the two where most other sites use Two-Factor Authentication (2FA). The idea in separating the two is that 2FA is something physical that you have like a Yubikey, Smartcard, Fingerprint, or CryptoKey. Two-Step Verification requires a second form of authentication alongside your password like a TOTP (Time-based One-time Password Algorithm) code from an authenticator app or a text message sent to your phone.

I shouldn’t… but I do use the above two pretty interchangeably. I think the term I use most often is Two-Factor Authentication (2FA) and there is a very good possibility that I am wrong in using that terminology to define methods like SMS-Auth and TOTP but I am going to use it for the remainder of this paper. Generally getting a verification code sent to your email would be considered an insecure form of Two-Factor Authentication because if your email is compromised, they have both your 2FA method and the email needed to reset your password. Likewise, SMS or voice based 2FA is also pretty insecure as your phone provider can be “tricked” (http://www.securityweek.com/hackers-tricked-att-network-solutions-employees-tesla-attack) into giving up enough details about your account to forward your texts to another number and with the advancement in technology, some providers also give you the option to read your messages through their online account portal. The best methods of 2FA are properly implemented TOTP, Yubikey, or Biometric authentication.

“Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time” (Wikipedia). Basically, we install an application like Google Authenticator on our phone and link our account with it by generating and inputting the shared secret. This synchronizes with the current time and generates a new 6 digit code every 30 seconds (usually). After inputting their email/username and password to the website, the user must then type in the 6 digit code generated at the current time by the authentication app. This would be using something you know (password) and something you have (TOTP Code) to secure your account. This is my preferred method for securing my online accounts. All TOTP codes are sent to my smart watch and stored securely around my wrist. I don’t even need my phone to login most of the time.

I think Yubico gives a better description of how a YubiKey works for 2FA than I could so here is the excerpt from their site:

A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password. Phishing, malware, and other attack methods don’t work because they would need both your physical key and your passwords to breach your accounts. Two-factor authentication with a YubiKey makes your login secure and keeps your information private. The YubiKey requires nothing more than a simple tap or touch. There are no drivers or special software needed. You can use your YubiKey on multiple computers and mobile devices, and one key supports any number of your accounts. YubiKeys are nearly indestructible — just add it to your keychain along with your house and car keys.

As for Security Questions and Answers, you would be wise to keep them stored inside of your LastPass account so you can keep them away from the obvious. What I mean by this is instead of using your dog’s name (which could be guessed or identified), you could add a symbol to the front or back of your answer, i.e. %Baxter instead of Baxter. A maximum-security suggestion would be using random characters and storing them so you don’t forget them.

For people who are very active and/or famous on social media, or for business people securing important websites that may be handling important customer details, Two-Factor Authentication is an incredibly important thing to be enabling on all websites/services that give you the option. It may be a learning curve, but it will save you in the end against an attack on your identity.

Full Disk Encryption

One of your strongest counters to surveillance, attack, and theft of your devices is making sure the data on them is secure. Really, the only way to do that in this day and age is to make sure they are full disk encrypted. Full Disk Encryption refers to taking a hard drive inside of a device and encrypting it as a whole so that all the files it has are converted into an unreadable form (encrypted) and not accessible without the password to decrypt them. Some devices, like those running iOS, do this by default. Others, like MacBooks and PCs running Linux, need to have these features enabled and set up. To start, I’ll dive right into FileVault2, which is the OSX built-in Full Disk Encryption, because it is what I use on my primary machine.

FileVault2

Native to all versions of Lion and up, FileVault2 is the advancement on the original FileVault that only encrypted the home folder. It uses 128bit AES in XTS mode to encrypt the disk and is highly suggested when setting up a new computer that has Yosemite or higher. Good strategy here on the part of Apple to include a dedicated section about it in the Initial Computer Setup when you first set up OSX. When you set up FileVault2 for the first time, it requires you to have a password on the current administrator account and uses a random number generator (with about 320 bits of randomness available after first boot) to create a recovery key. I would recommend not storing this Recovery Key with Apple even though they give you the option to do so, using 3 security questions and answers for recovery authentication of this key. Instead, I would recommend writing it down on a piece of paper temporarily until you can keep it in an encrypted form (7zip password protected archive) in something like your Tresorit Drive. Once you have securely saved this key, burn/shred the paper you originally wrote it down on. Based on some findings in this paper: https://www.cl.cam.ac.uk/~osc22/docs/cl_fv2_presentation_2012.pdf, FileVault2 uses PBKDF2 with SHA256 and 41,000 iterations on the password. This works to prevent bruteforcing the password due to the delay in checking the hashed password with the one stored on the system. There also doesn’t appear to be a limit to the password length so one could in theory create one 100 characters long without any issues other than the delay before decrypting. It is unknown, but unlikely, whether a backdoor has been implemented by Apple in FileVault2. If you have a Mac, I would highly recommend enabling full disk encryption to keep your files safe.

LUKS

Short for Linux Unified Key Setup, LUKS is the full disk encryption solution used by many Linux/GNU based operating systems. Typically, it uses AES 256-bit encryption in CBC mode with SHA256 for hashing, but that can be changed if needed to run other modes like XTS or to decrease the key size of the AES algorithm to 128-bit. Like FileVault2 for OSX, LUKS has no character limit for the passwords/passphrases and I have tested this with a 212-character passphrase consisting of letters, numbers, spaces, and symbols. The iteration count for LUKS is specified by the CPU power of the machine. For slower computers, this may be lower than wanted so it can be specified with the cryptsetup command. The command would be: cryptsetup luksFormat -i 15000 <target device> and I would recommend experienced users setting the value at no less than 20,000. For serious individuals, you would be wise to take that count above 70,000 with a passphrase over 40 characters. LUKS is also fully open source, which, along with its consistent use within Linux distributions, makes it a very trusted choice for FDE.

TrueCrypt

TrueCrypt is no longer recommended as a full-disk encryption / volume encryption application. VeraCrypt (see below) has been audited and the issues have been fixed. You can find what was originally written here in versions 1 and 2 of the paper.

VeraCrypt

When TrueCrypt died back in 2014, there was a lot of talk about the security issues that the developers could have been talking about on their website. Were there really security issues? Were they served a National Security Letter mandating that a backdoor be released in an updated version? Nobody really knew anything above and beyond speculation and it had many people becoming wary. For Mounir Idrassi, that meant taking all of the security issues present in the TC 7.1a release and fixing them in a fork of the project called VeraCrypt. It is considered to be the official upgrade to TrueCrypt by many as it is open source, and had a code audit completed in October of 2016 (see: https://ostif.org/the-veracrypt-audit-results/). I am a firm believer in VeraCrypt as it boasts some serious enhancements to the general security of TrueCrypt while also adding in features of its own that really make the program that much more secure to use.

For starters, they got rid of RIPEMD-160 due to it only being 160 bits on the hash and replaced it with SHA-512, which is of course the successor of SHA-256. They also upped the default iteration count in the initial releases to 500,000 iterations on the password, which is a serious, serious improvement over the 1000 that TrueCrypt offered. Recently, they have implemented a feature called a PIM value which stands for Personal Iterations Multiplier and not only gives us a third step of verification to decrypt alongside your passphrase and keyfiles, but also allows us to specify our iteration count in a unique but secure way. When specifying a PIM value for system encryption, you take your PIM value and multiply it by 2048. For container-based encryption you take 15000 and add it onto your PIM value times 1000. This means you could specify a PIM of 999 and have an iteration count over a million for an encrypted container. Some serious security for your files to be resting inside of.
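To make the iteration counts in this section concrete, the added example below (not code from VeraCrypt, FileVault2 or the paper) runs PBKDF2 from Python's standard library, converts a PIM into an iteration count using the two formulas given above, and measures what each count costs per password guess. The timing is taken on one CPU core of whatever machine runs it, which is an assumption of the example and not an attacker model; the function names are chosen here.

```python
import hashlib
import os
import time

# Iteration counts quoted in this section of the paper.
PAPER_COUNTS = {
    "TrueCrypt": 1_000,
    "FileVault2": 41_000,
    "VeraCrypt default (initial releases)": 500_000,
}


def veracrypt_iterations(pim: int, system_encryption: bool) -> int:
    """PIM -> PBKDF2 iteration count, using the formulas stated in the paragraph above."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if system_encryption else 15000 + pim * 1000


def stretch(passphrase: str, salt: bytes, iterations: int,
            hash_name: str = "sha512") -> bytes:
    """Derive key material; every guess an attacker makes has to repeat this work."""
    return hashlib.pbkdf2_hmac(hash_name, passphrase.encode("utf-8"), salt, iterations)


def seconds_per_guess(iterations: int, hash_name: str = "sha512",
                      sample: int = 20_000) -> float:
    """Time a short run and scale it: PBKDF2 cost grows linearly with iterations."""
    salt = os.urandom(16)
    start = time.perf_counter()
    stretch("benchmark passphrase", salt, sample, hash_name)
    per_iteration = (time.perf_counter() - start) / sample
    return per_iteration * iterations


def expected_search_years(alphabet: int, length: int, iterations: int,
                          parallel_guessers: int = 1) -> float:
    """Average time to hit a random passphrase: half the keyspace at the measured rate.

    parallel_guessers is an assumption the caller supplies; real attackers use
    hardware far faster than one CPU core, so read the result as relative cost.
    """
    average_guesses = float(alphabet) ** length / 2
    seconds = average_guesses * seconds_per_guess(iterations) / parallel_guessers
    return seconds / (365.25 * 24 * 3600)


def report() -> list:
    """(label, iterations, measured seconds per guess), cheapest first."""
    rows = dict(PAPER_COUNTS)
    rows["VeraCrypt container, PIM 999"] = veracrypt_iterations(999, False)
    rows["VeraCrypt system, PIM 800"] = veracrypt_iterations(800, True)
    ordered = sorted(rows.items(), key=lambda item: item[1])
    return [(name, count, seconds_per_guess(count)) for name, count in ordered]


if __name__ == "__main__":
    for name, count, cost in report():
        print(f"{name:40s} {count:>9,d} iterations  {cost * 1000:9.1f} ms per guess")
    years = expected_search_years(alphabet=62, length=8, iterations=500_000)
    print(f"8 random alphanumerics at 500,000 iterations: ~{years:,.0f} core-years")
```
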

VeraCrypt has also made some graphical improvements over TrueCrypt, is being consistently updated, and included little tweaks to improve usability, like adding a randomness meter to the “move your mouse” screen to display the random entropy you are acquiring. This, alongside the recent audit, is very promising for the tech industry. We now have a very solid encryption program to rely on for keeping our information and data secure.

As of October 2016, VeraCrypt has implemented some new algorithms for both encryption and hashing which is a positive move forward. Camellia and Kuznyechik were added as encryption algorithms, but they are stand-alone and cannot be paired like the original three, and Streebog has been added as a hash algorithm. Moving forward, it would be nice to see an algorithm for encryption with Camellia and Serpent as a team. That way, we are able to get the added security of two encryption algorithms in cascading fashion, without having to rely on AES.

VeraCrypt Encryption Algorithms:

Serpent

AES

Twofish

Camellia

Kuznyechik

VeraCrypt Hash Algorithms:

SHA-256

SHA-512

Whirlpool

RIPEMD-160

Streebog

iOS Devices

Apple Mobile Devices running anything above version 8.0 are protected with Full-Device Encryption by default known as “Data Protection” in your Passcode settings. However, there is a big leap up from the 5C to the 5S and all devices from here on out that have TouchID. As a starting point, you should refresh yourself on the recent events that have unfolded between Apple and the FBI. I have posted links about this further down in the paper but it should be easy enough to search online. If you have one of the listed devices above 5S (6, 6S, 7, etc), you will have the best encryption Apple currently offers for their devices. Your iPhone will have a hardware chip inside called Secure Enclave that manages all encryption and the delays in between password attempts. All versions of iOS above 8 employ 256-bit AES full-device encryption in a unique way that protects all data past the lock screen. This data on the above listed devices is secured using an ephemeral key generated on boot that is entangled with your device’s unique UUID to do the encryption. Your passcode protects this key. By default, a 4 digit numeric code is suggested when setting up a passcode/TouchID but users have the option to enable much longer, alphanumeric passcodes for greater security. This is something I would recommend doing.

As well, your device makes use of PBKDF2, as described above, with an iteration count high enough to generate an 80ms delay on passcode inputs (key stretching). This along with a few other security features effectively prevents bruteforce attacks on a device with a passcode longer than 11 characters. The other security features include a lockout after 5 failed passcode attempts and each attempt after that, a Data Wipe feature that can be enabled to wipe your device after 10 failed attempts, and mandating your passcode to be inputted instead of using TouchID when you turn off your device or if you have not bypassed the lock screen in 48hrs.

Alongside the device level encryption that is deemed to be very secure (but not 100% yet), Apple pushed out properly encrypted iCloud backups in 9.3 that use the device’s passcode to encrypt the backup. Prior to this, Apple was able to give out iCloud backups when presented with a warrant and a user really couldn’t be deemed completely secure unless they disabled these backups on the device. But now, all of your information is backed up securely to iCloud and you still have the option to encrypt full backups to your computer. This being said, I would caution users to not back up applications that store sensitive information to iCloud. You have 2 modes of encryption protecting your device backups to iTunes if you are using full-disk encryption on your computer, but only one line of defense with iCloud.

Recommended Encryption Setup

For an individual who is battling a government level adversary (like a whistleblower), I would recommend the following strategy for keeping very sensitive or classified files from being disclosed to an unwanted third party. Keep in mind that I have never been in such a position so these are just the thoughts from inside my head and may not be entirely well versed with experience. Your first step is going to make sure that your system is full disk encrypted using one of the above 4 programs/solutions. I would recommend LUKS or VeraCrypt with a 50+-character passphrase because they have been well trusted and proven in the courts for many years now (http://scienceblogs.de/klausis-krypto-kolumne/when-encryption-baffles-the-police-a-collection-of-cases/). Secondly, I would have an external drive that was full disk encrypted with VeraCrypt, a 60-character passphrase, and a PIM Value over 800. This will give you an iteration count of over 1.6 million. It is also recommended that you add no less than 2 keyfiles to this encrypted drive and store them in a folder among 200-300 other pictures somewhere on your computer. The encryption algorithm that I would use for this drive would be Serpent(AES) because it relies on two different algorithms that are very well trusted. The hash, not that it really matters, would be SHA-256/512. Once this external device has been fully encrypted, I would then use VeraCrypt to create an encrypted volume on the drive using similar standards but no PIM value (not supported) and no keyfiles (not worth the time). The encryption algorithm would be simple AES to keep the read/write speeds higher. For this container, even a 40-character password with words, numbers, symbols, and possibly spaces is going to be secure enough because it is acting as the internal level of defense. If for some reason there is a backdoor in VeraCrypt, they will still have to get through your TC container’s security before getting any of the encrypted files.

Firefox / Tor Browser Bundle Add-ons & Preferences

Generally speaking, plain Firefox is secure enough for everyday people. However, websites still do their best to track your browsing habits, feed you advertisements, reduce your browser's security, and even send out malicious content. But there are some really good add-ons you can get for Firefox based browsers that work to proactively increase your security and privacy online. Here are my recommendations for must have add-ons and preferences/settings you should be modifying.

AdBlock Ultimate

This is a pretty big no-brainer. AdBlock Ultimate means no more ads. And for the average person, this will keep you safe from clicking on things that could download files without your knowledge, or attempt to steal your login information via phishing. The only drawback for me is that it removes YouTube advertisements, which ultimately takes away from the potential income a YouTuber would be making. Nonetheless, security and privacy are definitely more important.

HTTPS Everywhere

To help make sure you are always connecting over a secure connection when browsing different websites, HTTPS Everywhere tries all connection attempts to new sites over SSL. Because a lot of sites don’t force SSL connections server side, add-ons like this are a real big boost in security.

NoScript

For people really concerned about their privacy, security, and even anonymity, NoScript is definitely something you should look into. It comes standard with the Tor Browser Bundle (TBB) and disables things like JavaScript, Microsoft Silverlight, Flash, and other plugins that can compromise your browser and leak information about you and your browsing habits. My recommendation is that if you are looking to gain a high level of anonymity online, you always disable JavaScript, Flash, Silverlight, and Audio/Video. It disables the plugins you specify by default when you visit a new site but gives you the option to temporarily/permanently enable them on a site-by-site basis from your menu bar.

Privacy Badger

The Electronic Frontier Foundation (EFF) developed an add-on to help protect you against sites looking at tracking your browsing habits, and spying on you through advertisements that AdBlock may not have blocked. I have it installed but I haven’t yet touched it, played with settings, or received any notifications/pop-ups from it. Super nice to know it is protecting me in the background without any effort on my part.

Random Agent Spoofer

One of my favourite add-ons to date is Random Agent Spoofer. It gives you options to change your browser profile and spoof headers to display “falsified” information. You could change your browser from telling websites it is Firefox on Windows 10, to Safari on iOS. One could also spoof the x forwarded headers being given to the websites. I would caution you to be careful with this feature though as in many jurisdictions, spoofing your headers to make you show up from another location may be illegal, especially if you are changing it to one from a federal or state/provincial authority.

LastPass Extension

If you have taken my advice and chosen to go with LastPass to manage all your accounts and passwords, they have an extension for Firefox that I recommend installing. It will automatically input your login details for websites, give you the option to auto-fill forms, and ask to remember passwords for new sites upon registration. Very easy to use but also really useful.

Firefox Preferences

All browsers come with preferences that you can change and modify to increase or decrease the security and privacy that you will have online. I would make the recommendation that all users enable private browsing which will not remember history, store cookies, or keep other temporary files. This helps to both keep unwanted junk off your computer, and disable tracking of your online activities.

For those looking for serious levels of security, privacy, and anonymity, you should type “about:config” into your URL bar and change some of the following settings:

javascript.enabled → false

network.http.sendRefererHeader → false

browser.safebrowsing.enabled → false

browser.safebrowsing.malware.enabled → false

datareporting.healthreport.uploadEnabled → false

network.dns.disablePrefetch → true

You can read more about what disabling each of these settings does by heading over to the following links: https://www.bestvpn.com/blog/8499/make-firefox-secure-using-aboutconfig/ and https://vikingvpn.com/cybersecurity-wiki/browser-security/guide-hardening-mozilla-firefox-for-privacy-and-security

The idea, if you need any serious anonymity, would be to NOT download add-ons to the Tor Browser Bundle. You want to keep your fingerprint as generic as possible. Adding a bunch of stuff to the browser will make you more unique and set you apart from the rest.

Virtual Private Networks (VPNs)

There are very few locations where I actually trust connecting directly to the Internet. I don’t even do things like online banking or logging into my LastPass from work because the connection is open (not secured with a password/encryption) and thus much more susceptible to attack from an outsider. My home connection is likely the most secure because it is something that I have personally set up and am able to monitor, but even then, the modem that our ISP supplies that doubles as our WiFi router doesn’t provide the best possible security.

This is where Virtual Private Networks come into play. If chosen and set up correctly, they ensure us a secure, private, and often anonymous connection to the open Internet. Meaning we can browse freely without restrictions and free from surveillance. For the most part, those reading this won’t have any serious reason to avoid surveillance, but people have a right to privacy and shouldn’t be snooped on. Even if it is just by the sysadmin for the free WiFi at Starbucks. The issue comes down to picking a VPN that suits your needs. Some offer lots of locations globally, others a really great rate and awesome prices annually. I tend to root for and use the providers that offer the best privacy, security, and anonymity, even if it means paying a little bit more. Often times, the cheaper providers are only able to provide such great prices because they pack their servers and don’t “really” concern themselves with being all too private. So let’s take a look from the perspective of someone who needs top notch security, spyproof privacy, and a high level of anonymity by going through some of the providers I have researched to be the best in these areas. Ideally, we are going to want a provider that isn’t based in one of the “5 Eyes Countries” (https://www.privacyinternational.org/node/51). This means it cannot be based out of Canada, The United States, The United Kingdom, Australia, or New Zealand due to their agreement to share information with one another without much question. They tend to have intelligence agencies (like the NSA and GCHQ) that do a fair amount of data mining and surveillance on the individuals within their country for “matters of national security”. I would also caution you to stay away from anything listed inside of the “14 Eyes Countries” if you were relying on this provider for your personal safety. The provider you choose should also NOT provide the option for a dedicated IP address. Shared-IPs are strictly the way to go if you want maximum anonymity because it doesn’t single out your incoming IP and match it with the VPN’s outgoing IP. Harder to log/trace, but definitely not impossible.

Accepted payment methods are also a consideration you should not take lightly. You obviously wouldn’t want to pay with your PayPal or Credit Card if you were looking for full-scale anonymity. Well-mixed bitcoin that doesn’t link back to you, cash in mail, and PaySafeCards are all methods of payment that are considered to be very anonymous if done correctly. Encryption and protocols offered by the VPN Company should also be considered before making a purchase. You will often see the term “Military Grade Encryption” when you are out shopping for a good provider. Generally this just means they employ AES-256 and 4096 bit RSA keys but checking to see if they offer Perfect Forward Secrecy and good Curves for ECDHE Keys is important (http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html , https://www.perfectforwardsecrecy.com/ , https://safecurves.cr.yp.to/).

Diving a little deeper into the providers as you shop around, you should check out the server locations they offer and see if they are in jurisdictions that you are happy to be connecting to. This would be a good time to see if any of the sites you want to connect to only work in certain countries (like Hulu, Pandora, Netflix, etc). As well, like I mentioned above with SSL certificates and how you can check to make sure the site is implementing strong standards for HTTPS, you should be checking the VPN provider's site to see what kind of SSL they are using. If they don’t get a grade of A, I would caution against using them as a provider because it shows that they clearly either can't take the time to get a good SSL score (if even just for the promotion) or that they aren’t knowledgeable enough to attain it; a fact that could point towards their service being held up by mountains of false claims. It is also good to see what kind of protocols they are promoting and not just what they are supporting. Most of the good providers will at least ship out a client for Windows and have added features like killswitches and firewalls to stop DNS/IP leaks. However, there are a few providers that I saw who were saying that connecting over L2TP was the best option when it definitely is not. To read more about the different protocols, you can see this link https://www.ivpn.net/pptp-vs-l2tp-vs-openvpn

Below are reviews of the 4 VPN Providers that I have used and trust. You can also check out this link to a website (formerly Google Doc) that was created by ThatOnePrivacyGuy. It documents a lot more providers than just these 3 but is something that has backed my decisions to promote these companies. See: https://thatoneprivacysite.net/vpn-comparison-chart/

IVPN

To kick the personal reviews off, I have decided to go with the VPN provider that I have been using since early 2013. IVPN, originally incorporated in Malta but recently making the move to Gibraltar due to changing privacy laws, is dedicated to your privacy. They offer 12 countries and a total of 19 servers as of April 2016, which is a fairly small network compared to many other providers. However, I am happy with the locations they have chosen. You can see the full list of locations here: https://www.ivpn.net/status. They market themselves on Twitter as “IVPN is an online privacy and security service” which to me is a step up from all the Military Grade Encryption and Non-Logging talk that goes around in the VPN community all too much. They state very clearly in their privacy policy (https://www.ivpn.net/privacy) the information that is and isn’t logged. The nice thing about connections to IVPN servers is their multihop technology, which allows you to connect through two separate IVPN servers before hitting the open Internet. This gives you as a user more anonymity, as both servers would need to be compromised to compromise your identity; unless they turned on logging of course. Their administration team also informed me that all the VPN servers are running from RAM so everything written is only temporary before being wiped. As a user, I cannot confirm this – but I do trust their word. Hopefully that isn’t a misplaced trust. The encryption protocols used are openly outlined in their “18 Questions to ask your VPN Service Provider” answers on their Support Page (https://www.ivpn.net/knowledgebase/108/Answers-for-18-Questions-to-ask-your-VPN-Service-provider.html). They state that they use AES-256 with 4096 bit RSA keys across the board, which they consider to be "Paranoid Encryption". I would be interested to find out what their thoughts are on post-quantum cryptography. 
Upon looking through their OpenVPN files given to the user to download, I was able to determine that they are using TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA for the TLS cipher suite so you can rest assured that Perfect Forward Secrecy DOES exist on IVPN. They are using the highest level of encryption currently possible for OpenVPN (apart from allowing DSS and SHA1 for older clients) so that is a very good thing. You can confirm the encryption used yourself by downloading the .ovpn files from their website and opening them in a text editor but this will not confirm that those same standards are being employed through their native apps. But really, why wouldn't they be?
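The text-editor check described above can be scripted. The added example below (not IVPN's code or tooling) parses an OpenVPN profile, pulls out the tls-cipher list, and reports for each suite whether its key exchange is ephemeral; of the three suites quoted above, the two DHE suites provide forward secrecy and the TLS-RSA fallback does not. The profile is constructed for the example: only the tls-cipher string comes from the paragraph above, and the hostname, the other directives and the function names are assumptions.

```python
import re

# Constructed sample profile. Only the tls-cipher value is taken from the text above.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
; constructed comment line
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# IANA-style names as OpenVPN writes them: TLS-[KEX-]AUTH-WITH-CIPHER-MAC
SUITE_RE = re.compile(r"TLS-(?:(ECDHE|DHE)-)?([A-Z0-9]+)-WITH-(.+)")


def parse_directives(text: str) -> dict:
    """Map each directive to its argument lists; skip comments and inline <tag> blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if opened:
            block = opened.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def classify_suite(name: str) -> dict:
    """Split a suite name into key exchange, authentication, cipher and MAC."""
    match = SUITE_RE.fullmatch(name.upper())
    if not match:
        return {"name": name, "forward_secrecy": None,
                "notes": ["unrecognized suite name, check by hand"]}
    kex, auth, rest = match.groups()
    cipher, _, mac = rest.rpartition("-")
    notes = []
    if kex is None:
        notes.append(f"static {auth} key exchange, no forward secrecy")
    if mac == "SHA":
        notes.append("SHA-1 MAC")
    if auth == "DSS":
        notes.append("DSS authentication")
    return {"name": name, "key_exchange": kex or auth, "auth": auth,
            "cipher": cipher, "mac": mac,
            "forward_secrecy": kex is not None, "notes": notes}


def audit_profile(text: str) -> dict:
    directives = parse_directives(text)
    suites, findings = [], []
    if "tls-cipher" not in directives:
        findings.append("no tls-cipher directive: the profile does not restrict the suite list")
    for args in directives.get("tls-cipher", []):
        for name in (args[0].split(":") if args else []):
            suite = classify_suite(name)
            suites.append(suite)
            findings += [f"{name}: {note}" for note in suite["notes"]]
    return {
        "data_cipher": [a[0] for a in directives.get("cipher", []) if a],
        "suites": suites,
        # True only when every suite the client may negotiate uses ephemeral keys.
        "forward_secrecy_only": bool(suites)
        and all(s["forward_secrecy"] is True for s in suites),
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_profile(SAMPLE_OVPN)
    for suite in result["suites"]:
        print(f'{suite["name"]:40s} forward secrecy: {suite["forward_secrecy"]}')
    print("every offered suite is forward secret:", result["forward_secrecy_only"])
    print("\n".join(result["findings"]))
```

Run it against each downloaded .ovpn file; as the paragraph notes, the result describes the profile, not what a provider's native app negotiates.
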

As for payment and pricing, IVPN is definitely on the higher end at $100 USD for an annual subscription. But they do offer PayPal, Bitcoin, and cash in mail so two possibly anonymous methods of payment are provided and one very easy and renewing method (PayPal). Their plans give access to all servers which is a nice change from the VPN providers that split up their plans based on a bunch of different factors like speed, server locations, etc. Registering was easy and they didn’t ask for anything more than an email, password, and my payment. That meant no identifying information had to be given out. IVPN also provides a warrant canary on a monthly basis as a way to say, “Hey, we haven’t received any government gag orders” and an entire section of their website dedicated to pretty much being 100% anonymous while behind a VPN. I suggest you check it out, I have pulled a lot of my own knowledge from these write-ups: https://www.ivpn.net/privacy-guides

As a final note, I have done a lot of verifying with their administration team over PGP encrypted email (pretty awesome that they kept up fairly lengthy conversations with me in an encrypted form), so I have a lot of personal trust with the company. But me having a lot of personal trust doesn’t give you the go ahead to also give them a bunch of your trust. You should do your own research and ask your own questions to make sure they are the company that will suit your needs. I do commend them greatly for the work they are doing, but I do not place all my eggs in one basket. I have been really satisfied with their service over the years but am finding that in a very competitive market, it is difficult to list any one VPN service at the top.

Mullvad

This re-write of the Mullvad review was spawned due to serious changes in their company over the last 2 years since I began writing this paper.

Mullvad is a provider that I am now coining as "no bullshit". They very clearly outline their service, company, and practices on their website without any of the "Security Theater" talk of Military Grade Encryption and ZERO logging practices. To start, their website claims: "For maximum security, we use physical, bare metal servers (no virtual servers) that are administrated and either owned or rented by us in carefully selected data centers." I did not have to dig around to get this information either. It is very conveniently placed on their Features page and easily accessible to anyone who is checking out their website. They also state very explicitly the encryption used in the connections:

Our data encryption is AES-256

All our OpenVPN servers use 4096 bit RSA certificates (with SHA512) for server authentication

All our OpenVPN servers use 4096 bit Diffie-Hellman parameters for key exchange

All our OpenVPN servers use DHE for perfect forward secrecy

OpenVPN re-keying is performed every 60 minutes

I feel that having this information stated so plainly on their website is a big plus for their ability to cut through the VPN bullshit and just give the reader the facts. However, they don't stop there. Their features page also explains that Mullvad accounts do not need any of your information to register; not even an email address. You just fill out a CAPTCHA and it generates you a string of characters that is used as both your username and password for connections. This, as well as a plethora of other information relating to the data they do and do not collect and store is best read here: https://mullvad.net/en/guides/no-logging-data-policy/

Diving into their website a little deeper, you will find that they, like IVPN, publish "Privacy Guides" of sorts here: https://mullvad.net/en/guides/. Although these guides do not appear to be as "all-inclusive" as the ones published by IVPN, they are still a wonderful resource to have listed on their website. They are also one of the first providers I have checked out to be supporting the WireGuard Protocol for connection. Although it is only currently available for Linux, WireGuard implements some neat cryptography above and beyond just simple AES-256 and 4096 bit RSA - Namely: "Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions." Being able to use elliptic curve cryptography with VPN connections is wonderful.

One point that I did find of particular interest in the blog section of their website is their work towards Post-Quantum Cryptography and the introduction of a VPN in the future that would be able to withstand the imposing threat of Quantum Computing (https://mullvad.net/en/blog/2017/12/8/introducing-post-quantum-vpn-mullvads-strategy-future-problem/). Seeing a provider look to the future, not for their own monetary gain but for the privacy and security of their clientele, is really great. I believe this work, paralleling the work ProtonMail is doing with secure email, is crucial in developing technology that exceeds the minimums to go above and beyond.

ProtonVPN

There will be a review here for ProtonVPN eventually. It definitely deserves a spot in my paper.

Cryptostorm

Lastly, we come to a provider that I only really started looking into around September of 2015. I was still very satisfied with IVPN but my subscription was coming to an end, which meant another long process of anonymizing a method of payment, and I wanted to make sure that the company I was going to continue to support got the most stars in my personal ratings from my “shopping” online. I had heard some amazing things about the CS Network and wanted to see what they were all about in more depth than just browsing through their site like I had previously done a few years back.

The first thing you’ll notice when you go to Cryptostorm’s website is what many perceive as a mess that is difficult to follow, hard to read, but somewhat appealing. It is unlike any of the other providers and almost unprofessional; but that feeling of difference seems to draw me closer. Sort of like how Mullvad was so straightforward and minimalistic, the odd nature of Cryptostorm’s website tells a story of diversity. To start, they are a company that is “sort of” based out of Iceland but handles all of their financials out of Quebec in Canada (they don’t really have a straightforward location – wouldn’t this make it difficult to provide a subpoena to them?). Iceland is a good privacy-centered country to be incorporated in (although they don’t have a central office anywhere) and I have always liked .is domains.

Navigating their website to acquire the information one might want when choosing a provider was pretty difficult, so I took to their IRC to get some of my questions answered. I was unfamiliar with token-based au