We want to use the internet without sacrificing our privacy. In order to do that, it seems that one needs to have worked at the NSA in cyber for thirty years.
In America, a herd mentality reigns. Because of pervasive advertising, people are lulled into believing that communications products from Google and Apple are safe and appealing. They are certainly not always safe, even though a lot of people use them. Apple phones are wonderful for being controlled remotely, and Google’s Android phone is inherently unsecure. In fact, it is a big, fat joke to think that either type of phone can be rendered secure.
Their apps come from all over the place, and there is a lot of tracking. Sorry to say, the purpose of that phone is to gather your information! It is very difficult to check the integrity of most Google apps. Therefore, it is not just Google who is collecting your coveted data. Try calling one of those app providers for customer service: you’ll be speaking to someone in Bosnia, Turkey, etc. Security and privacy are not emphasized at all; in fact, they are constantly, blithely undermined. Those in the herd are not supposed to complain, and the less they know the better.
There is a lot of deception going on. Data is money, and they want your data. It has gotten so bad that tracking blockers such as Ghostery and AdBlock Plus have actually become tracking tools (only limiting obtrusive ads). People go to Ghostery and AdBlock Plus to limit tracking, but they only enable it. All roads lead to Google, and they are depending on you being uninformed. But the good news is that people like the EFF have reacted, and a real tracking blocker is now available: Privacy Badger.
Mobile devices are inherently unsecure unless extraordinary measures are taken. Just in the news is a story about how mobile devices in China are being injected with malware by fake phone towers. Passwords and banking information are being stolen and exfiltrated by SMS. There is no end to how your phone can be attacked and owned, and your information stolen. If you want a secure phone, then get a small old-school device with no camera, no apps, and no social media. The amount of information that an attacker is going to get out of you is lessened greatly.
If you know someone who does cyber offense for a living and you ask for his of her personal email address, then you might get a wince: “I don’t do email.”
If you know someone who does cellular offense for a living and ask for security advice about mobile phones, then you might get this: “Your phone? Lose it.”
So, the question of our time: how does a person live in this collection-platform world? First, you need to do a security assessment. You need to know what level of security is right for you. And you need to know what security products actually work. We have already talked about Ghostery. This is not only the era of fake news: this is the era of fake security products that compromise your data, which is valuable.
The purpose of this website is to inform people about real information security. Our emphasis is on how to use encryption. There are very few clear explanations that enable an absolute beginner to use encryption well–that is, so that it works. If you stick to our site, you will gain assurance about your activity on the internet, and you can know that your information and privacy are really protected. For the absolute beginner, we have to start from his or her viewpoint, and go step by step, clearly. These sorts of explanations are largely missing from the internet today, even though they are sorely needed.
First, we will go over general principles, and then in subsequent posts we will do step-by-step actions (for using PGP, for creating an air-gapped system, for compressing files, for using symmetric encryption, for storing information securely, etc.) involving specific operating systems and software.
For All Internet Users
There is no such thing as absolute security on the internet, but you can take precautions.
Step 1: Don’t Do Encryption on Your Mobile Device
A. We are not going to depend on a mobile device to secure our information. Despite all the hype, all the advertising with smiling inter-racial volleyball matches on the beach with pretty girls in bikinis, those phones are designed to collect your information and turn you into another uninformed, schmendricked consumer. If you must have a phone, go old-school and use it for phone calls and SMS only. All of that information is completely open to collection.
B. We are going to use a laptop, desktop, or netbook that we connect to the internet. The next step, for those who need a very high level of security, is to set up an air-gapped device that never has, and never will, touch the big collection platform that we all love, the internet.
Step 2: Get Rid of Windows and Use a Linux-based Operating System
C. We are going to use a Linux-based operating system. They are inherently more secure. We are going to choose a flavor of Linux that we like, and we have several good choices. Over-the-top security claims about Linux-based OSs are mistaken. But using a flavor of Linux can your security.
- TAILS is best
- Fedora is very good
- Ubuntu is good
- Puppy is good
D. We must wipe the computer that will receive our new operating system.
E. We must verify the integrity of the Linux-based operating system ISO file that we download. We must also make sure that it came from the place we think it came from.
Step 3: Be Aware of the General Security Principles for Everyone (What Must be Done)
A lot of bad stuff depends on you being uninformed. For example, that the U.S. Constitution has been subverted.
A. Use a Linux-based operating system that you verified, but don’t get over-confident. This is just a step in the right direction, not a cure-all.
B. If we put the OS on the hard drive, as opposed to running it as a live system (on a USB, for example), we must encrypt the full hard drive, or, at least, our home folder.
C. And we must use a real password, one that is at least 24 characters long; uses as much of the full range of letters, numbers, and symbols as possible, etc. Password management is one of the worst problems in information security, and it had not yet been fixed–until now. We are going to show you how to do this the easy way. Full disclosure: we are getting a patent for this and it is going to be a product for sale. There will also be a free version.
D. Applications are a huge threat vector. We need to keep an eye on them, harden them, update them properly, and make sure that we don’t maintain applications that we never use. Some operating systems make this easier than others. AppArmor or SELinux are important tools in this effort.
E. We must harden and configure our BIOS.
F. We must properly configure, manage, and use a firewall.
G. We must make sure our display locks after a certain period, and that a password is required to re-open it. Yes, that can be inconvenient, but convenience is the enemy of security.
H. We must check for rootkits. Chkrootkit is not easy to understand, and it can give false positives. Using chkrootkit properly starts with verifying it after download. Getting a baseline reading of chkrootkit results is important for tracking changes.
I. We must limit and manage the connections of our device to the internet. We need to turn off remote control and manage how our computer operates its listening services. External ports that are not needed do not need to be listening.
J. It is important to know who to turn to when you have questions about your operating system or an application.
K. We must not use root permission when it is not needed.
L. We must make sure that our system is updated, especially for security. Fedora is especially good at this. TAILS also does a very good job.
Step 4: Set it Up for Security
Step 5: Choose a VPN and a Commercial Email Provider
A. A good VPN is one that is not based in the United States, sorry to say, and has a minimum of logging, uses strong encryption, has its own DNS servers and a NAT firewall, and has good customer service. Expressvpn used to be a very good choice, but it no longer is because they put the Google collection suite on your phone. VyprVPN is a good choice. Make sure to connect to a server that is not in the U.S., Canada, Australia, New Zealand, or Great Britain. It is often useful to connect to a server in a time zone that has low traffic (between midnight and six in the morning, their time). The best choice by far is ProtonVPN.
B. A good commercial email provider is one that is not based in the United States, sorry to say, nor in Canada, Australia, New Zealand, or Great Britain., and it is uses strong encryption end-to-end. Protonmail is an excellent choice. Protonmail is end-to-end encrypted, security conscious, and based out of the inside of a mountain in Switzerland. Tutanota is a good choice. It does not track you either, and it is based out of Germany.
Step 6: Let’s Choose a Browser
A. That is easy. Go with Mozilla Firefox, and take advantage of their security and privacy add-ons. Be careful, though, of the poisoned pills: some add-ons do the opposite of what they purport to do. This is a pathetic situation, but your information is valuable, and a lot of tricks are being played against decent people.
B. Choose add-ons for your Firefox browser.
Congratulations! You have gone a long way to making your information life safer. Malicious actors are not going to be able to piggy-back on Google and Microsoft products to steal from you and spy on you. Now let’s talk about PGP. Wait, we already did! If you chose Protonmail, you are using state-of-the-art encryption already. Let’s talk about PGP anyway, and encrypt some files.