Introduction:
=============

From a computer security perspective, America is about to enter an extremely challenging time. We've had numerous people about to take power threatening to use the full capabilities of the modern US military, intelligence community, and the tacitly approved surveillance state against citizens without due process or regard for the Constitution or civil rights. It will be extremely difficult for the average citizen to defend against such a concentration of power, but it's critical that we don't lose heart, and that we don't give up just because the task seems impossible. Each step, each measure, each tool buys time and hope that we can survive this threat to our liberties and our country.

What we need to do - must do - is raise awareness of the need for security and privacy: without the rule of consistently interpreted and publicly ratified law, *everyone* might have something to hide. Only by widespread adoption can we hope to avoid scrutiny, no matter how good our technology.

The current sitting administration has already created numerous special cases and exceptions to the basic rights of both humans in general and our own citizens. Consider the precedent that this erosion of rights sets for an administration with less integrity.

This guide is not intended for lay-people - to advocate many of these technologies for people who have no previous technical background would offer little benefit and generate confusion. The purpose of this guide is not to provide a panacea - the threat model inherent in the coming regime will shift and evolve, and require continual re-evaluation. This is instead a guide to information hygiene, and it is intended for people who are already technical, but not necessarily accustomed to thinking in terms of the security consequences of their actions.

A few general notes on the theories that inform this guide:

We hope to provide information that can help people be safe.
While a change in policy can create a chilling effect in a free and open community, it must not be allowed to interfere with the principles of a moral, civil, and inclusive society. While we will have to change some of our practices, we must not give up our principles.

Content vs. Metadata:

There are situations where ensuring that the contents of communication aren't readable by other parties is enough to prevent trouble. In other situations, just knowing *that* communication took place, that it was encrypted, when it occurred, where it occurred, or between whom (metadata) can be problematic. Obscurity and security are different things, and we'll endeavor to use them both in order to ensure safety and privacy. Obviously, if everyone sends everything over secure channels, knowing *that* something is encrypted doesn't mean much - the presence of encryption doesn't diminish obscurity because it's pervasive. On the other hand, if most of your communications aren't encrypted, the ones you send encrypted will stand out (security, but not obscurity). It's possible that use of encryption could become cause for suspicion - the more people who choose encryption (and in as many circumstances as possible), the less easily prosecuted the use of encryption will be.

On Backdoors:

Politicians world-wide have begun pushing for intentional, hidden faults in popular encryption systems. We've demonstrated repeatedly that you cannot create a back-door that can only be used by "good" guys. Any backdoor would break the mathematical guarantees that keep the content of our communications safe. It's also important to note that even if we mandate and elect to use only broken encryption ourselves, our enemies will not subscribe to this limitation. We do not have a monopoly on software and hardware creation, nor can we rewrite the rules of mathematics to suit our purposes.
Just as we must be wary of threats to our freedoms and civil rights, we must be wary of the criminalization of systems and practices that preserve privacy - these things will all be one and the same in the coming months and years.

Your phone, your computer
=========================

Networking:
-----------

DNS:

DNS (Domain Name Service) is a technology that translates names like "google.com" into a set of numeric internet addresses that your computer and routers on the internet understand behind the scenes to get your packets to and from your intended destination.

Set the DNS servers on your home router manually, instead of using the ones provided by your ISP. Google offers a free service via 8.8.8.8 and 8.8.4.4. These addresses should also be set directly on each of your computers and phones, to avoid subversion by automatic internet connections.

[+] probably safe against rogue hackers
[ ] probably not safe against nation-state actors on the scale of Russia or the US

If you're worried about nation-state actors, consider freedns or dns.watch.

[+] probably safe against rogue hackers
[?] complicated against nation-state actors

WiFi:
-----

Never use unencrypted WiFi. If you offer free WiFi, establish and share a password with the intended users. Rotate the password on a regular basis. On your devices, look through your list of trusted WiFi networks, and get rid of things you don't need anymore. Repeat periodically. Establish a guest network for guests visiting your home.

OS and Updates:
---------------

First and foremost, keep your computer up to date. DO NOT keep using whatever came with your computer or phone if it's no longer supported with security updates. Malicious updates are possible, but significantly more difficult than finding a way into old, unpatched software.
If you can't afford to buy an updated copy of MS Windows (10 at the time of this writing) or OSX (Sierra at the time of this writing), there are a number of free, secure operating systems including Tails, Ubuntu, Kali Linux (Linuxes), FreeBSD and OpenBSD (other unixes). There'll be a learning curve with each of these, but the alternative of sticking with an unpatched, outdated system is not viable.

Keep your browsers up to date as well. Always apply Chrome and Firefox updates ASAP. Avoid using Internet Explorer and Safari. Tor Browser is a viable option for certain tasks, but see the note regarding using Tor below.

Avoid using websites that don't encrypt traffic using TLS/HTTPS (check your browser bar to confirm that you're using a secure connection). If you keep a blog or website, make sure to get a free LetsEncrypt HTTPS certificate, install it, and keep it up to date.

Failing to apply updates is:

[ ] not safe against rogue hackers
[ ] not safe against nation-state actors

Supplying malicious updates may well be a tactic of nation-state actors.

VPNs and Onion Routing:
-----------------------

VPNs secure communication between your computer and a point on the internet. This endpoint on the internet may serve as a "bastion" or "proxy", obscuring your location, but these technologies aren't foolproof. Onion routing (such as Tor) can go further to obscure your traffic, but may serve as an immediate "flag" of intentionally obscured activity:

    I would liken Tor to putting on Sauron's ring. The wearer is invisible to ordinary beings, like Men, but highly visible to the Nazgûl.
    -- https://twitter.com/matthew_d_green

Keeping a Tor browser or a tool like Orbot, Tor Browser or Orfox around in case of emergency is a good idea, but don't use them unless you feel it's absolutely necessary.

[+] probably safe against rogue hackers
[ ] complicated against nation-state actors - if you store your keys with your provider, NOT safe.
Full-"disk" encryption:
-----------------------

Using storage encryption on all devices provides a basic line of defense against direct data extraction should those devices fall into the wrong hands. Bitlocker ships free on Windows 10 (although it requires remote key storage for non-professional grade versions), and FileVault ships free with MacOS. Please note that if you choose to store decryption keys with Microsoft or Apple, they can be compelled to share these keys to eventually grant access to your device.

While TrueCrypt was considered a free software standard for encryption for a long time, the maintainers of the package discontinued the project under mysterious circumstances. While the project still exists, it may be wise to assume that it can keep your information safe from individuals, but not state-level actors.

[+] probably safe against rogue hackers
[ ] complicated against nation-state actors - if you store your keys with your provider, NOT safe.

Passwords:
----------

Use strong passwords for everything. The length of a password is a primary indicator of strength, as is the inclusion of unusual symbols and numbers. NEVER reuse passwords between sites. Use a password manager without online storage if you can. KeePassX and 1Password both provide local password management features.

Note that biometric identification (fingerprint readers, etc.) uses properties of your identity that *can't* be changed like a password - once someone has a copy of your fingerprint/retina pattern/etc., you can't "change" this property easily. Also note that you can be compelled to provide a copy of your fingerprint (as during an arrest). It's this writer's opinion that while biometrics are a useful factor in authentication, they should be used in conjunction with something that *can* be changed.

In general, if you use a numeric code as a password, you should make sure to use an 8 or 9 digit combination.
For devices that support it, setting your device to self-erase after a certain number of attempts may be a prudent step.

[+] probably safe against rogue hackers
[ ] complicated against nation-state actors

Backup Services and Online Storage:
-----------------------------------

Unless you're sure you can use a non-shared encryption key before transmitting your data, it's important to recognize that those backups can be shared with other parties. MacOS and Windows both provide built-in services for creating encrypted local backups using an external drive, which is preferable to cloud backups for many purposes.

If you want to store and share files online, use a system that can't access your encrypted files. This means that DropBox and Box are *NOT* acceptable solutions. SpiderOak (pardon the name) is a stronger system.

[+] probably safe against rogue hackers
[?] complicated against nation-state actors unless your provider has a policy or canary

GPS:
----

GPS itself is a fairly safe and difficult system to subvert... however virtually all mobile phones and computers now use "augmented" or "assisted" GPS. This is accomplished by reporting the cellular and WiFi networks the device can observe to Google, Apple, or Microsoft, and receiving a response that allows the on-board GPS to "tune" to the right satellites in the right orbits. In many cases, augmented GPS requests alone (without your phone or computer making any further report) are enough to give away your location within a few feet.

Turn off "improved location", don't use it when you don't need it, and avoid sharing it as much as possible. It's important to note that many common applications (such as Tinder and Google Maps) have permission to access and share this data when you install them. Be particularly wary of GPS locations used in identifying people that the emerging coalition will target - I'm looking at you, Grindr.

[+] probably safe against rogue hackers
[?] complicated against nation-state actors

Phone Cameras:
--------------

Most smartphone cameras automatically upload pictures to the cloud. Many automatically include GPS data (in the EXIF headers of JPEG images) in these images. If you're worried about an actor with subpoena access using these pictures, make sure to disable geotagging, and to disable automatic backup to the cloud.

Security Precautions and Systems:
---------------------------------

Phones:

Consider tools from https://guardianproject.info/apps/

Avoid jailbreaking your phone. Try and use the best vendor-supported phone OSes possible (Apple does a great job; for Android, use the "pure" experience phones such as the Pixel, Moto X Unlocked, Nexus series). Avoid the junk software your carrier likes to install on your phone. If you do elect to jailbreak an Android phone, check out some more secure OS builds such as Copperhead or Cyanogen.

Computers:

AV (TODO)

Other devices:
--------------

Your smart-home and IoT devices are about to become a major liability. Buy "dumb" appliances where you can, and if you want a "smart" TV or radio, use something from a reputable vendor with clearly stated security and privacy policies, such as the Apple TV. Your toaster doesn't need to be connected to the internet.

    "The "S" in IoT is for Security"
    -- numerous wags on Twitter

[ ] probably NOT safe against rogue hackers
[ ] probably NOT safe against nation-state actors unless your provider has exceptional security guarantees

"Burner" Phones:
----------------

[+] probably safe against rogue hackers
[?] complicated against nation-state actors unless your provider has a policy or canary

The services and software you use to communicate:
=================================================

Person-to-person:
-----------------

Text Messaging:

Stop using basic text messaging for all purposes. Adopt a secure replacement that uses data and end-to-end encryption instead of unsecured or subvertible elements of the telephone network.
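Added example for the Phone Cameras note above (this is not code from the original guide): a dependency-free Python scanner that walks the JPEG marker segments, reports whether the Exif block carries a GPS sub-IFD (tag 0x8825), and writes a copy with the Exif segment stripped. The file it operates on is constructed inline by build_sample_jpeg() and is not a real photo; pass the bytes of a real camera JPEG to has_gps_location() and strip_exif() to use it for real.

```python
import struct

SOI = b"\xff\xd8"              # start of image
APP1 = 0xE1                    # marker that carries Exif
SOS = 0xDA                     # start of scan: no metadata segments follow
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825           # IFD0 entry pointing at the GPS sub-IFD

def iter_segments(data):
    """Yield (marker, start, end) for each marker segment before the scan data."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data) and data[pos + 1] != SOS:
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself, not the marker
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def find_exif(data):
    """Return the payload of the first Exif APP1 segment, or None."""
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return payload
    return None

def exif_has_gps(payload):
    """True if the TIFF structure inside an Exif payload has a GPS IFD pointer."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    try:
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i            # 12 bytes per IFD entry
            (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_TAG:
                return True
    except struct.error:                         # truncated or malformed Exif
        pass
    return False

def has_gps_location(data):
    """Convenience: does this JPEG carry a GPS sub-IFD?"""
    payload = find_exif(data)
    return payload is not None and exif_has_gps(payload)

def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out, pos = bytearray(SOI), 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:end].startswith(EXIF_HEADER)):
            out += data[start:end]
        pos = end
    out += data[pos:]          # SOS header, entropy-coded scan and EOI, untouched
    return bytes(out)

def build_sample_jpeg(with_gps=True):
    """Constructed minimal JPEG (not a decodable picture) with a big-endian Exif block."""
    entries = [struct.pack(">HHI4s", 0x0110, 2, 4, b"cam\x00")]   # Model, ASCII, inline
    gps_ifd = b""
    if with_gps:
        gps_off = 8 + 2 + 2 * 12 + 4                  # GPS IFD placed right after IFD0
        entries.append(struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_off))
        rat_off = gps_off + 2 + 12 + 4
        gps_ifd = (struct.pack(">H", 1)                               # one GPS entry
                   + struct.pack(">HHII", 0x0002, 5, 3, rat_off)      # GPSLatitude: 3 RATIONALs
                   + struct.pack(">I", 0)
                   + struct.pack(">6I", 37, 1, 46, 1, 30, 1))         # 37 deg 46' 30"
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff" + bytes([SOS]) + struct.pack(">H", 2)              # empty SOS header
    return SOI + app1 + sos + b"\x12\x34" + b"\xff\xd9"
```

Stripping the whole Exif block also drops the camera model and timestamp, which is usually what you want before a picture leaves the device.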
The EFF has a good score sheet here: https://www.eff.org/node/82654

Avoid Skype.
Avoid Telegram.
Avoid telephone calls (avoid using the cell network for non-encrypted data; avoid using the POTS (plain old telephone system) at all costs).

Group Communications:
---------------------

One of the biggest challenges here will be learning not to trust centralized, hosted systems that have become part of the fabric of an open, free society. This applies to websites below as well.

Offline Communications Tools:
-----------------------------

Firechat (TBD, risks)

Signal:
-------

While Signal is a great tool for individual communication, remember that when you initiate a group chat in Signal, the phone numbers (and hence the identities) of all participants are shared with all members of the group. It uses a PFS (Perfect Forward Secrecy) cipher; this is a good encryption scheme for our use case.

A few further warnings:

- Uses GCM (Google Cloud Messaging) to achieve a wake-up signal - this is a metadata flaw
- Telephone number-based addressing (using address books) is a discoverability/metadata flaw
- RedPhone (encrypted voice) server core isn't open-sourced, so we don't know how good it is (maybe just stick to text)

[+] probably safe against rogue hackers
[+] probably safe against nation-state actors unless your provider has a policy or canary

Wickr:
------

Wickr is a proactively secure product, but they've earned the spite of several bug bounty hunters by patching without paying out - the implication is that people are withholding bug reports to sell instead of sending them in for the bounty now.

[-] probably not safe against rogue hackers
[-] probably not safe against nation-state actors unless your provider has a policy or canary

Whatsapp:
---------

Also strong (uses the same protocol as Signal now), but owned by Facebook, so metadata may be a larger concern.

[+] probably safe against rogue hackers
[?] unknown whether safe against nation-state actors unless your provider has a policy or canary

Email:
------

Email is not secure by default. You can use encryption on both ends, but this requires agreement and sharing of information by the parties ahead of time, and this will stand out, like using Tor. Most email providers and relay servers store messages for various periods of time (in the form of messages waiting to be delivered, your mailbox, or transient caches) which can be shared on demand. The route by which your email may travel or the servers which it may traverse is not easily limited by end users.

Avoid sending sensitive information over email at all costs. Avoid sharing your email address book unnecessarily. Use BCCs instead of multiple "To" or "CC" addresses when possible.

Note: many email services allow you to set up anonymous or semi-anonymous email addresses; however, they will log and match the internet addresses from which you register and from which you access these accounts.

[+] probably safe against rogue hackers
[-] probably not safe against nation-state actors unless your provider has a policy or canary

Slack:
------

(TBD - 2016.11.11-009.KR)

[ ] not known safe against rogue hackers
[ ] not safe against nation-state actors unless your provider has a policy or canary

Hipchat:
--------

(TBD - is this worth evaluating?)

Google Chat:
------------

If you use Google Chat, use OTR. OTR is available through Adium on OSX and Pidgin on Windows (Linux?).

[+] probably safe against rogue hackers
[ ] not safe against nation-state actors unless your provider has a policy or canary

Websites:
---------

Centralized services that can be compelled to share your personal information, activity, conversations, or location are now a major risk. Never share more than you need to with these service providers.
Note that while Multi-Factor Authentication (MFA) and 2-Factor Authentication (2FA) are great for verifying access to sites, they almost always involve providing distinguishing information (i.e. a phone number, shipping address) about yourself, so they can have a net negative effect on privacy.

The web is built around a few core ideals, and revisiting those ideals can make a significant difference in safety and privacy.

Stateless protocols:

HTTP (HyperText Transfer Protocol) is the core language of the web. It is stateless by design. We use cookies (see below) to overcome this limitation... but we should ask ourselves in all situations, "who benefits from the use of this cookie and what negative consequences does it have?" In the trivial cases, cookies allow advertisers to track and learn about us, allow us to stay "logged in" to websites securely, and allow cross-identification between sites... but each of these things comes with a diminishment of privacy. Allow cookies only from the minimum of trusted parties. If you have to load an advertiser's cookie to use the site, ask yourself whether it's worth it.

Decentralization:

In its initial imagination, the internet and the web were meant to be fully decentralized. The internet was designed this way to survive nuclear war. The web was designed this way to prevent subversion or control of information. Since the inception of the web, we've become increasingly dependent upon a small number of common "destinations" (Google, Facebook, Twitter, Reddit, Office365) to provide a shared nexus of functionality and interaction... but the price becomes the vast accumulation of information by these providers, in terms of identity, activity, and interrelationship. It makes sense to retrench on use of these services in light of current developments and their size and accountability profile.
Don't use public or shared computers if at all possible, particularly when accessing anything on the internet that requires a login or personal information. If you must use a shared computer, consider carrying a bootable USB stick with a "safe" OS on it such as Tails (https://tails.boum.org/install/win/usb/index.en.html) or OpenBSD on a stick (http://www.volkerroth.com/tecn-obsd-diskless.html) (advanced users only).

Third-Party Javascript:
-----------------------

Third party javascript may be loaded visibly (such as the Facebook Like button) or invisibly (such as Google Analytics). There are a number of risks inherent in these libraries, including:

1. Access to page contents (including forms such as login, registration, sensitive information input)
2. Access to set and get cookies (see below)
3. Ability to manipulate the contents of the page

Using tools such as Privacy Badger can enforce a stronger "same origin" policy, limiting or eliminating the access these scripts have. In the "hard" case, a browser plugin named "NoScript" for Firefox can disable ALL third party scripts by default.

Cookies:
--------

Cookies allow remote servers to save a "token" in your browser so they can identify you and save state from request to request on the web. You can selectively disable cookies or remote code from third party sites using the EFF's "Privacy Badger" browser plugin. In general, the web subscribes to a "same origin" policy - allowing javascript running in a page to access only endpoints from within the domain from which the javascript was loaded. There are a number of technologies such as CORS which allow the seamless integration and permissioning of javascript across domains.

(TBD - other ad-blockers, TBD - details on CORS, jsonp)

Private/Incognito Browsing:
---------------------------

Google's Chrome Browser and the Mozilla Foundation's Firefox both support private browsing sessions.
Without cookies that can link common sessions between sites, the amount of behavior data that can be collected about you diminishes significantly. Please note that ad blockers are often disabled by default in private/incognito modes.

Search Engines:
---------------

Search engines present a tricky challenge. While Google and Bing represent remarkable utilities, it's important to remember that the searches and results from these services are logged and can be shared with other parties. They both make extensive use of cookies and javascript for tracking. DuckDuckGo (duckduckgo.com) is an actively unencumbered search engine, if not as full-featured. Also, see the notes about private browsing and cookie management above. Use duckduckgo.com whenever possible.

Online Document Sharing and Editing Systems:
--------------------------------------------

As mentioned above, storing unencrypted documents in DropBox and Box is probably not a good idea right now. If you encrypt a document well enough, you can (probably) put it anywhere, but given the strength of the actors we're discussing, minimalism is always safer. Using/sharing Google documents (even with new, anonymized accounts) will ping your access to an internet address and timestamp. Safety first.

Link Shortening Services:
-------------------------

DO NOT click on links that have been shortened by services like bit.ly. (TBD: even t.co?) You can't tell where they'll lead, or what they'll do before redirecting you. If you want to follow one of these links, consider wget/curl-ing it to determine the redirect target from a non-traceable address.

Facebook:
---------

Facebook has provided unprecedented convenience, but now constitutes a huge risk for privacy and security. If you use it, use it sparingly. Never send anything secret or sensitive over Facebook. Facebook's "real names" policy means that a strong definition of identity is associated with all interactions with the site.
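Following on the Link Shortening note above, an added example (not code from the original guide) of finding out where a shortened link leads without ever loading the destination: one HEAD request per hop via Python's http.client, which does not follow redirects on its own, with a hop cap and loop detection so a misbehaving service can't bounce you around indefinitely. The host names in the comments are constructed placeholders, and fetch is injectable so the chain logic can be exercised offline; running it from a non-traceable address is still up to you.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5

def head_no_follow(url, timeout=10):
    """Issue one HEAD request and return (status, raw Location header or None).

    http.client never follows redirects by itself, so the shortener sees a
    single request and the final destination is not contacted at all."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "redirect-check/0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def resolve_chain(url, fetch=head_no_follow, max_hops=MAX_HOPS):
    """Return the redirect chain as a list of URLs, starting with url.

    Stops at the first non-redirect answer, at a loop (the repeated URL is
    kept as the last element so the caller can see it), or after max_hops
    redirects. fetch(url) must return (status, location) like head_no_follow."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break
        target = urljoin(chain[-1], location)   # Location may be relative
        if target in chain:                     # redirect loop: record it and stop
            chain.append(target)
            break
        chain.append(target)
    return chain

def is_loop(chain):
    """True when resolve_chain stopped because a URL repeated."""
    return len(chain) > 1 and chain[-1] in chain[:-1]

if __name__ == "__main__":
    import sys
    # usage: python resolve.py https://short.example/abc   (constructed placeholder)
    hops = resolve_chain(sys.argv[1])
    for hop in hops:
        print(hop)
    if is_loop(hops):
        print("redirect loop detected")
```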
Just because your history on Facebook is obscured doesn't mean that it isn't stored and can't be shared. If you decide to use Facebook, activating as many privacy settings as possible and avoiding posting anything sensitive is necessary. The metadata inherent in the Facebook social graph can betray information about relationships between people. When adding "friends" on Facebook, it's advisable to check for information that only the individual in question would possess, since "catfishing" (impersonating someone) is a common method of leveraging the social graph to gather information. Facebook doesn't need your home address. Facebook doesn't need to know that much about you.

While Facebook Messenger does provide end-to-end encryption, it may be inadvisable to use it as a way to send sensitive data, due to the company's history of sharing information with the police, since the company still has access to the metadata.

Information Hygiene on Facebook:

- Who can see my stuff: friends or less
- Review all your posts and items in which you're tagged
- Limit the audience of the posts you've shared and limit past posts
- Limit who can send you friend requests - always check who your mutual friends are and ask for references if needed
- Hide your email address and limit who can look you up based on your email - or use a burner
- Limit who can look you up by phone number
- Don't allow search engines to link to your profile
- Limit who can post to your timeline to only you
- Review tags by friends before they appear on your timeline
- Limit old posts others have left on your wall to "only you"
- Review ALL tags before they appear on your timeline, don't add any audiences, and turn off tag suggestions

If you're worried about hackers, not nation state actors:

- Get login alerts and login approvals - turn on 2FA

Use Facebook at your own risk.
It is ill-advised to believe that these tips will conceal any activity on Facebook - the company can and will hand over any information it has on you when faced with legal action. This is more of a precaution to save you from well-meaning, but potential, leaks of information by friends and family.

Other suggestions to consider: have a trusted set of people who can take over your account in the event of your death. Review all the 3rd party apps that are using Facebook OAuth - for whatever is necessary, create an account with a "burner" email address and then revoke its permissions. If in doubt, download your Facebook profile and delete it.

Twitter:
--------

Twitter does provide anonymity as an option, although it's not yet clear what information they do collect and save (IP address, distinguishing information). Avoid the "checkmark." There should be no assumption of privacy on this platform, although Twitter's established stance is pro-privacy. The same elements that make this platform a viable tool for abuse (bullying, harassment) also make it less invasive than Facebook.

Suggested security settings:

- Do not display your email address - use a "burner" email
- Turn on 2FA to verify login requests
- Don't allow anyone to tag you in photos - VERY IMPORTANT
- Don't allow your location to be set with tweets and delete past historical data - HIT SAVE AFTER SETTING THIS
- Do not allow anyone to search for you by email or phone number
- Do not allow Twitter to track you for advertisements
- Don't let anyone add you to teams
- Turn on quality filter
- When in doubt, delete your Twitter information

Instagram:
----------

Decide whether you feel you need this. Instagram engages in facial recognition database contribution, and has provided data to law enforcement. As a part of Facebook, all warnings that apply to Facebook apply to Instagram. See "Practices for Social Networks" below.

Tumblr:
-------

Decide whether you feel you need this. See "Practices for Social Networks" below.
Reddit:
-------

Supports a degree of anonymity. (TBD)

GitHub:
-------

GitHub should be considered a social media platform. It's possible to organize ideas in private repos, but the data is not encrypted and should be used with caution.

Practices for Social Networks:
------------------------------

Never tag people in pictures - this information contributes to facial recognition databases. Never tag posts with locations. Never tag posts with people's identities or whereabouts.

Practices in General:
---------------------

Encourage your friends and relatives to use the techniques listed above. Avoid the "if you have nothing to hide" argument. When you can't count on the government to uphold civil liberties and human rights, anyone *could* have something to hide. Don't share information that isn't necessary; the era of safe open experimentation on the internet is on hold.

Just remember: "Cyber is hard" for people with whom we disagree as well.

http://www.geocities.ws/jjack229/Duke_Hammerhead.html
http://orwell.ru/library/essays/nationalism/english/e_nat