Long before Snowden, those of us who snoop in the public interest for a living, and who have read every James Bamford book, knew enough to know we were being watched. And we started putting together infosec toolboxes. Here’s a compendium.
The point of greatest vulnerability in our interaction with the Internet is the browser. That is why it is a must to encrypt the connection between your browser and the sites you visit using Secure Sockets Layer, or SSL (its current versions are called TLS), the protection behind HTTPS. It is not perfect. In fact we learned on Sept. 5 from reports based on Snowden documents that it has been compromised by the NSA. Where, we don’t know. But the HTTPS secure communications protocol remains the best available shield for standard browsing. It was designed to protect against such scourges as identity theft. It is especially important on an open Wi-Fi network, where anyone within radio range can capture your traffic. I use the Firefox browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation, which switches you to a site’s HTTPS version whenever one exists. Be clear about what HTTPS does and does not do. It encrypts your interactions with websites that use it: the pages you read, the forms you fill in, your login cookies. It does not hide your online activity, meaning the websites you visit, from “sniffers” monitoring your traffic: the address of the server and, with every modern browser, the site’s hostname are sent in the clear at the start of the connection, so an observer learns that you connected to a particular site but not which page you read there or what you typed.
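To make that distinction concrete, here is an added example in Python (not code from the original post or from the EFF) that plays the role of a sniffer on an open Wi-Fi network. It builds a constructed TLS ClientHello of the kind a browser sends at the start of an HTTPS connection, then shows what a passive observer can read from it compared with a constructed plain-HTTP request. The hostnames and paths are made-up sample data.

```python
import os
import struct

# Added example: a minimal TLS ClientHello builder plus the parser a passive
# observer would use. Hostnames and the HTTP request are constructed samples.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname=None):
    """Build a TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += os.urandom(32)                   # client random
    body += b"\x00"                          # session_id length 0
    suites = b"\xc0\x2f\xc0\x30"             # two ECDHE-RSA-AES-GCM suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # compression methods: null only
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                             # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                          # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            # server_name_list: u16 list length, then (u8 type, u16 length, name)
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("idna")
    return None


def what_a_sniffer_sees(packet):
    """Classify the first packet of a connection the way a passive observer would."""
    if packet.startswith((b"GET ", b"POST ")):
        # Plain HTTP: request line and Host header are readable verbatim.
        head = packet.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        path = lines[0].split(" ")[1]
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        return {"protocol": "http", "host": host, "path": path}
    sni = extract_sni(packet)
    if sni is not None:
        # HTTPS: only the hostname leaks (via SNI); path, headers and body are encrypted.
        return {"protocol": "https", "host": sni, "path": None}
    return {"protocol": "unknown", "host": None, "path": None}


if __name__ == "__main__":
    plain = b"GET /private/report.pdf HTTP/1.1\r\nHost: example.org\r\n\r\n"
    print(what_a_sniffer_sees(plain))
    print(what_a_sniffer_sees(build_client_hello("example.org")))
```

The HTTPS case yields only the hostname; the HTTP case yields the full path as well. That is the whole of the author's point: HTTPS Everywhere shrinks what a sniffer sees from "which document" to "which site", and only Tor (next section) hides the site too.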
ANONYMOUS ON THE INTERNET
If you want to hide your online activity, a good option is Tor, originally short for The Onion Router. Tor is designed to hide your IP address, concealing your location and erasing your online footprints. It is open source, free and supported by a nonprofit. It wraps users’ online communications, supporting applications including browsing and instant messaging, in layers of encryption and bounces them through a random set of three servers called onion routers, operated by volunteers, so that no single one of them knows both who you are and where you are going. It makes web browsing slow, but much more anonymous. Two caveats. The last server in the chain, the exit relay, sees your traffic as it leaves the Tor network, so use HTTPS inside Tor or the exit operator (and anyone watching it) can read what you send. And don’t expect it to be effective against the NSA or other governments equipped with sophisticated global surveillance tools. Download it here and read the directions carefully.
How Tor works: https://ssd.eff.org/tech/tor.
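The layered construction is what makes that work, and it also explains the exit-relay caveat. The following is an added toy simulation, not code from the Tor project: the relay names, pre-shared keys and request are constructed, and the HMAC-based keystream stands in for Tor’s real ciphers and key exchange. It wraps a request in one layer per relay and records what each relay can see as it peels its layer off.

```python
import hashlib
import hmac
import os

# Added toy onion routing, for illustration only. Real Tor negotiates each
# relay key with a handshake and uses AES; this HMAC counter-mode keystream,
# the relay names, the keys and the request are all constructed sample data.

HOP = 32            # fixed-width field carrying the next hop's name
NONCE_LEN = 16


def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key, data):
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def build_onion(relays, destination, message):
    """Wrap message in one layer per relay, innermost layer for the exit.

    relays: list of (name, key) in path order, entry first.
    Returns (first_hop, blob): the client sends blob to the entry relay.
    """
    blob = message
    next_hop = destination
    for name, key in reversed(relays):
        assert len(next_hop) <= HOP
        blob = encrypt(key, next_hop.encode().ljust(HOP, b"\0") + blob)
        next_hop = name
    return next_hop, blob


def relay_process(key, blob):
    """One relay's job: peel its layer, learn only the next hop, forward the rest."""
    plain = decrypt(key, blob)
    next_hop = plain[:HOP].rstrip(b"\0").decode()
    return next_hop, plain[HOP:]


def simulate(client, relays, destination, message):
    """Push one onion through the path and record what each relay could observe."""
    keys = dict(relays)
    hop, blob = build_onion(relays, destination, message)
    prev = client
    observations = []
    while hop in keys:
        next_hop, blob = relay_process(keys[hop], blob)
        observations.append({
            "relay": hop,
            "from": prev,
            "to": next_hop,
            "sees_message": message in blob,   # is the plaintext visible here?
        })
        prev, hop = hop, next_hop
    return hop, blob, observations


if __name__ == "__main__":
    path = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    request = b"GET /leaked-memo.html HTTP/1.1\r\nHost: news.example\r\n\r\n"
    final_hop, payload, log = simulate("client", path, "news.example", request)
    for entry in log:
        print(entry)
    print(final_hop, payload == request)
```

The entry relay sees the client and the middle relay, the middle sees only two relays, and the exit sees the destination and, because the request here is plain HTTP, the full plaintext. That last line is why the caveat above says to use HTTPS inside Tor.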
A Tor proxy exists for Android. It’s called Orbot.
For iPhones and iPads, the Onion Browser app tunnels web traffic through the Tor network. Developer Mike Tigas charges 99 cents.
Another way to go, albeit less secure, is to use proxy services. They are popular for circumventing censors, but the proxy operator sees everything you send through it, so a proxy hides you from the sites you visit, not from whoever runs the proxy.
DuckDuckGo is the most popular anonymous alternative to Google’s search engine. Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own webcrawler and also uses results from other sites. There is a DuckDuckGo Firefox browser extension.
Google search can also be run through the Tor browser, for results that are not personalized to (or filtered by) your identity and location. Google will demand that you prove you are not a machine by solving a CAPTCHA. But it’s worth it.
Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google.
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates it with digital signatures. Plus it can be used to encrypt disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating: the sender, the recipients and the subject line of a PGP-encrypted message all travel in the clear. Easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. I formerly used a commercial product from PGP Corp. until it was purchased by Symantec. Now I use gpg4o, an Outlook plug-in. It is not free but works well.
For encrypted chat use the Off-the-Record Messaging protocol (OTR). It can be installed as a plug-in for Pidgin, an open-source chat program that can talk to all manner of proprietary chat networks including AIM, Yahoo! and Google Talk. OTR encrypts the content of your messages end to end; the chat provider still sees who is talking to whom, and when. Get the plug-in here.
Jabber.org is a free, public instant-messaging service that uses the XMPP protocol (originally called Jabber) and works with OTR clients. Google Talk and Facebook chat can connect to it, as they support XMPP. Jabber.org is currently not accepting account registrations, but you can create an account on other XMPP services.
For Mac OS X there is Adium. It is free, has OTR built in and can connect to AIM, Jabber, MSN, Yahoo and more.
TextSecure from Open WhisperSystems is a good option for secure IM on Android. It is also reported to be coming for Apple iOS.
ChatSecure is an IM client for Apple’s iOS that uses OTR.
AUDIO/VIDEO COMMS and CHAT
Skype, as we know, is insecure. To replace pretty much everything it does there is Jitsi. It supports some of the most popular instant messaging and telephony protocols and works for secure video calls, conferencing and chat, encrypting calls with ZRTP and chat with OTR. I use it layered over Google Talk. It also works with AIM, ICQ and Yahoo! Messenger. It is available for Windows, Mac and Linux. (Note that some privacy concerns are being addressed regarding DNS leaking, that is, the lookups that turn a name like example.org into an address going out unprotected and revealing to anyone watching which servers you are contacting.)
For protecting cell phone calls, encryption is available through RedPhone for Android, also from Open WhisperSystems. Both parties must use RedPhone for end-to-end encryption. Because the calls travel as data over the Internet rather than as ordinary voice calls, the telecom carrier’s call records do not capture the metadata (which number is calling which, when and for how long); the carrier still sees that your phone exchanged data with RedPhone’s servers.
Silent Circle offers encrypted mobile calls, encrypted text and MMS messaging, and encrypted VoIP audio and video calls and conferencing (encrypted mail no longer). It works on Android and iOS. It’s from PGP creator Phil Zimmermann and partners.
I use TrueCrypt, freeware that supports Windows, Mac OS X and Linux. There are sophisticated ways to obtain the encryption keys from machines on which these products are installed: while the computer is running or merely sleeping, the keys sit in memory, and the so-called cold boot attack can pull them out of RAM even after a sudden power-off, because memory takes seconds to fade. The defense is to shut the computer down fully, not suspend it, before it leaves your control, so the memory has time to clear.
Journalists who travel internationally will benefit from this good guide by the Electronic Frontier Foundation on strategies for taking computers across borders, where airport searches are possible: EFF’s “Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.”
A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/
AP colleague Raphael Satter’s June 14 piece on keeping your data private from prying eyes.
The Committee to Protect Journalists includes an infosec page in its online Journalists’ Security Guide.
Freedom of the Press Foundation compendium of online security tools and how they work.
Surveillance Self-Defense from EFF: https://ssd.eff.org/
The Tactical Technology Collective has a very good list of tools and a how-to booklet at SecurityinaBox.org.