Digital GoBag

With today’s tech, flash drives are an amazing and underutilized tool. You can use them to store an entire media library in case of emergency, or install a whole operating system and carry a “computer” on your key ring. For those interested in more information on this, look into Linux live drives; there is way better info out there than I could ever put out.

Live drives afford many possibilities when it comes to privacy and security, especially when you’re traveling, when you’re in a situation where you can’t or don’t want to carry a computer, or, in extreme situations, when you need a secure/concealable system to store sensitive data.

This is often the case for politically persecuted people and people in countries that heavily censor their citizens. It also applies to investigative journalists who cover sensitive topics that could put a target on their back.

The main way I advocate using them for the everyday person is to set up an emergency electronic #gobag of sorts.

Using an OS called TAILS, you can set up an encrypted drive on which you can store important documents such as passport images, birth certificates, visas and so forth within encrypted files, with the flash drive itself being encrypted as well. You can also set up cryptocurrency wallets for emergency funds if you so desire.

Once this drive is set up properly, you can carry or conceal it on your person, plug it into any computer if you need to, and access the information you’ve stored, the internet, your crypto, or whatever you need at the time.

The drive’s OS and anything you do will be isolated from the main system on the computer and leave no trace of use, as it isn’t using the main system’s memory (only its flash memory, which wipes on shutdown).

This makes it so that anything you do, your passwords, your information, your documents, etc. are all safe, because no tracking software that may be on the main system, or the next user, can access your info or data because the.

To set this up in the manner that I mentioned above you will need to set up the drive with encrypted persistence.

To do so you will need two drives as you need one drive running TAILS to set up another with encrypted persistence.

SET UP INSTRUCTIONS

ENCRYPTED PERSISTENCE INFO

Once that is done, you’re good to go. Just about everything you should need for a basic privacy setup is on there with the OS.

If you enjoyed this post take a look at our TRUSTED RESOURCES page. If you decide to use any of the links and purchase anything we may get a small commission that helps support the site.

Sign up for our email list and you will receive exclusive content that adds to the articles we post here.

Get the most out of our posts by subscribing to our Telegram or Matrix/Element rooms.

Trusted Resources

ProtonMail and Encrypted Email

A secure and encrypted email address is the backbone of even the most basic online privacy plan. It is the first thing that just about any other tool, account or service you will need, such as email forwarders, cell phone accounts, and so on, is going to ask for.

I recommend having multiple addresses for different aspects of your plan/life. I have mentioned this before in other posts, and I will cover it in more depth in the future, as well as how to benefit most from ProtonMail as a privacy-minded user.

The email service that I highly recommend is ProtonMail. I use it personally, as do my clients, and many people I know use it as their business email structure as well, because you can link your web addresses to it so that you can have email addresses using your URL.

They offer some of the best security and privacy protections in the business and have grown a trusted reputation in the privacy sector, as well as among people whose lives may very well depend on their privacy and security holding up, such as reporters, the politically and just generally persecuted, and so on.

ProtonMail is a Switzerland-based secure/encrypted email service that was created in 2014. They also offer a VPN service and are constantly adding features to their platform, including cloud storage, contacts, and an encrypted calendar (BETA). ProtonMail’s mission, in their words, is “to make secure and private email communication easily accessible to all.”

The following information comes directly from ProtonMail.

ProtonMail is owned by Proton Technologies, which has a long history and strong reputation in the privacy world.

The company maintains some of the world’s most widely used open source encryption libraries and has a long history of working towards promoting Internet privacy.

ProtonMail uses end-to-end, zero-access encryption so that no one, not even the company, can access users’ messages, drives, calendar details and so on. There are no special or overly technical steps to follow, and all encryption happens automatically and by default.

To achieve this high level of security, in their words, “ProtonMail assumes that all mail servers may eventually be compromised. Thus, ProtonMail uses end-to-end encryption and zero-access encryption to protect user data. If a server only contains encrypted messages, users have a much higher level of security in the event of a security breach. The use of encryption also prevents ProtonMail from being able to decrypt and share user emails with third parties.”

In addition to the security precautions that keep them from being able to analyze user data, they also have no incentive to spy on or sell their users’ data, as they have no advertising inside their apps.

The security of their platforms extends beyond just strong encryption and includes features designed to mitigate human vulnerabilities and physical threats.

End-to-end encryption
This means that messages cannot be intercepted in transit and decrypted by any third party, as they are encrypted on the sender’s device and can only be decrypted by the recipient.

Zero-access encryption
All emails sent to or from a ProtonMail account, even if the other side is not using ProtonMail, are stored with zero-access encryption. Because the messages are encrypted, they can only be decrypted by the account owner. (Keep in mind that any copy in the other person’s email account may not be stored encrypted.)

Additionally, ProtonMail users can send end-to-end encrypted emails to non-ProtonMail users with the “encrypt to outside” feature, which sends the email encrypted to the recipient; you can give them a way to decrypt the email without them needing a ProtonMail account.

Open source cryptography
ProtonMail uses only secure implementations of AES and RSA, and adheres to the open source OpenPGP standard. By using open source libraries, users have greater assurance that the encryption algorithms do not have built-in back doors. ProtonMail’s open source software has also been vetted by security experts from around the world to ensure the highest levels of protection.

Hardware-level security
ProtonMail has invested heavily in owning and controlling its server hardware, and in doing so within Switzerland, so data never goes to a third-party cloud. This ensures that all user data is protected by Swiss privacy laws. On a system level, ProtonMail servers utilize fully encrypted hard disks, which protects user data from physical hardware seizures.

Authentication
ProtonMail uses the Secure Remote Password protocol to ensure that neither ProtonMail nor an attacker with network access can obtain users’ passwords. ProtonMail also offers two-factor authentication via 2FA apps.

Address Verification

To mitigate man-in-the-middle attacks, ProtonMail uses Address Verification, which leverages ProtonMail’s Encrypted Contacts feature. This unique feature ensures secure communications cannot be intercepted by an attacker tampering with encryption keys.

This is an additional, enhanced level of security, and it’s one of the reasons ProtonMail is the preferred email provider for journalists and other individuals with the highest security and privacy needs.

Self-destructing emails
ProtonMail allows users to send messages that will automatically delete themselves after a user-selected period of time.

Plans and pricing
All of the company’s revenue comes from subscriptions to premium plans and donations from the user community; it does not show ads or make money by abusing users’ privacy.

ProtonMail has apps for iOS and Android, as well as web access that can be used on any OS with an internet browser. In addition, ProtonMail offers other useful apps such as the ProtonMail Bridge, a desktop application for paid users that encrypts and decrypts mail as it is sent or received by a program that supports IMAP and SMTP, such as Microsoft Outlook, Mozilla Thunderbird, etc.

They also offer an Import-Export application (beta), currently available to users on paid plans, that lets them transfer emails easily to and from their ProtonMail account. This allows users to import their mailbox from another email account, such as Gmail, or upload email files stored on their computer into their ProtonMail encrypted inbox. It can also be used to export emails from their ProtonMail account to their hard drive for secure local backups.

ProtonMail believes everyone in the world should have access to secure and private online communication, regardless of their ability to pay. This is why they offer a free plan as well as paid plans for those who need more storage, more features, or just want to support the project so that they can continue to offer the service to those who need it and cannot afford it.

Element

Our Element/Matrix room consists of a one-way feed (think newsletter), much like a Telegram channel. You will receive occasional posts and content that is equal to, or more in-depth and exclusive than, what you will find in our email newsletters.

The big benefit of Element is that it is end-to-end encrypted, unlike Telegram channels. This means our posts in the room, messages, and attached files are all encrypted before they leave our devices and stay that way until they reach your devices. They can only be read by the people that are in the room.

This means, at least at this moment (things can always change when it comes to tech and the companies running it):

No data mining

No eavesdropping

No censorship

At least for now

It is also decentralized, to give all parties ownership and control of their data. It is universal as well, and you should be able to connect with any app that uses the Matrix protocol.

If this continues to work out and the desire is there on the part of our followers, we plan to expand the usage of Element not just as a backup; hopefully we can gradually switch to it playing a more primary role.

Online Infosec Basics

You are the commodity! You’ve probably heard the saying “there is no such thing as a free lunch.” Well, this is truer than ever now. Your personal infosec online is just as important as it is in your in-person interactions and passive situations.

With only a few exceptions, if a product or service is free to you, this means that the organization putting it out is working on an alternative business model. They are not getting money from their product’s users, so you have to ask where they are getting their money from.

This usually means they are harvesting info from you. This can be addresses, name, phone number or any other personal info. How big a threat this is to your personal infosec will depend on where on the scale these companies and organizations fall.

On the low end of the scale, they are asking for an email address to send you a newsletter where they will upsell you on paid content or that company’s products. This is where most small businesses and entrepreneurs are operating, including ourselves. They won’t sell your info; they are just trying to conduct their own business. The main threat in these instances is data leaks and hacks of either their own systems or any third-party service they use to conduct their business.

On the other end, you have organizations that will take any and all info they get and sell it. The more info they require, the more likely this is the case. This info is likely then not only used by them but also sold to people search sites and other services. This is done by larger organizations because they are getting a volume of info that people search sites are willing to pay for. Now, not all companies do this, and it does happen everywhere on the spectrum. Do your due diligence and ask yourself: is what I’m getting worth it if they sell my info?

Now, luckily, the way to protect yourself from both data leaks/breaches and the company itself selling the information is the same. It’s called one-time-use information.

This is most easily done with emails, as there are multiple services that offer one-time-use forwarding addresses. This allows you to create an email address that you will use for only one website or organization and that forwards any email sent to it to your actual email address. By doing this you protect your actual email address. If your one-time address gets sold, leaked or hacked, you can shut it off and stop receiving any spam you might be getting, and the exposure doesn’t matter, because that email is only used for that site and doesn’t connect to any of your other accounts.

This tactic should be used for any newsletter, website, or organization you sign up for or give your information out to. That being said, never use these services for anything that involves sensitive information. These services will be able to see any email that is sent to you, so they should not be used for financial, medical, or anything else you consider sensitive. For these instances you should just create a dedicated email for those purposes. We recommend ProtonMail as an email provider; you can find them HERE.

You can either set up a separate account or you can set up a paid account and have multiple addresses that feed into one inbox.
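The one-time-use address tactic described above, sketched in Python as an added example (not part of the original post). It assumes you own a catch-all domain instead of using a forwarding service; `example.org`, the secret, the site names and the sample mails are all constructed.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Assumptions: a catch-all domain you control and a secret only you know.
DOMAIN = "example.org"
SECRET = b"constructed-demo-secret"


def alias_for(site: str) -> str:
    """Derive the one address you hand to `site` and to nobody else."""
    label = site.lower().strip()
    # The keyed tag makes the alias unguessable, so mail arriving on it
    # traces back to the one site it was given to.
    tag = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{label.replace('.', '-')}.{tag}@{DOMAIN}"


def classify(raw_message: str, sites: list[str], disabled: set[str]) -> tuple[str, str]:
    """Return (site the alias belongs to, verdict) for one incoming mail."""
    msg = message_from_string(raw_message)
    by_alias = {alias_for(s): s for s in sites}
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    senders = getaddresses(msg.get_all("From", []))
    sender_domain = senders[0][1].lower().rpartition("@")[2] if senders else ""
    for _, rcpt in recipients:
        site = by_alias.get(rcpt.lower())
        if site is None:
            continue
        if site in disabled:
            return site, "drop"  # alias was shut off after a leak
        # From can be forged, so "ok" only means "not obviously a third party".
        if sender_domain == site or sender_domain.endswith("." + site):
            return site, "ok"
        return site, "leak"  # someone else got hold of this site's alias
    return "", "unknown"


SITES = ["shop.example", "news.example"]

# Constructed sample mail, not real traffic.
LEGIT = (f"From: orders@shop.example\nTo: {alias_for('shop.example')}\n"
         "Subject: Receipt\n\nThanks for your order")
SPAM = (f"From: win@prizes.invalid\nTo: {alias_for('news.example')}\n"
        "Subject: You won\n\nClick here")

if __name__ == "__main__":
    for name, mail in (("legit", LEGIT), ("spam", SPAM)):
        print(name, classify(mail, SITES, disabled=set()))
```

A "leak" verdict tells you which site's address got out; adding that site to `disabled` is the equivalent of shutting the address off.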

End to end encrypted messengers

If you want to make sure your communication is private (which shouldn’t even be an if), you need to use encrypted platforms that are zero knowledge. Ideally, this platform would also be open source and decentralized, but there are none worth mentioning to my knowledge at this point.

End-to-end encryption means the outside world can’t eavesdrop on your communications. Zero-knowledge end-to-end encryption means the company or organization running the platform can’t see what you’re saying either. Most companies’ and organizations’ encryption protects your communications from outside eavesdropping, but they leave themselves access so they can still eavesdrop for moderation or marketing research. This also leaves the door open for the rogue employee to eavesdrop on conversations for personal gain, or, in some extreme cases, for espionage when the platform is funded by a foreign intelligence service or a rival company.

I recommend Wire messenger primarily. I personally have had the best experience with them, and a lot of professionals that I trust, who have researched the code and the company itself a lot harder than I am able to, have checked them out and recommend them as well.

The downsides to Wire can easily be overcome. For instance, you need to use an email or phone number to sign up. While this could be a sticking point for some, for most it’s not a big deal, and for those seeking more privacy there are ways around it using a more full-coverage privacy plan.

An alternative that I recommend and also keep on my devices as a backup is Signal messenger (this is also required to use the Haven security app). Signal does require a phone number.

Below you will find a link to a comparison table of the different “Secure” messengers on the market and how they rate on different important topics. As you will see there is no perfect platform yet and you will have to look at the best options and choose based on where you are willing to make your concessions.

Weaknesses

Full disclosure: no app or platform is foolproof. I have seen a few articles today about flaws in Signal’s programming that allow outsiders to intercept messages, as well as some shadiness in its initial startup funding and developers. While I cannot personally confirm or refute this information about funding, we have to take it into consideration, as well as the possibility of it being misinformation/corporate espionage (to drive away users).

Now, as far as the flaw goes, there is a New York firearms trafficking case where they appear to show Signal messages from the suspects. The articles about this flaw are written in a clickbaity tone that implies the messages are being intercepted (wirelessly). From my understanding this is false.

Not only does the FBI appear to be in possession of the phones, in which case all bets are off anyway, but this appears to be a flaw in the phones’ security that allows them to crack the phone’s encryption and unlock it, and therefore they can access Signal through the phone owner’s account.

This is not just the FBI; there are many private individuals, and obviously companies, with the know-how and tech to do this as well if they physically possess your phone. Keep this in mind if you are a targeted individual such as an investigator, operator, company executive, head of security, celebrity, or just a wealthier-than-most individual.

The best counter to this threat is to ensure the physical security of your device. If the app allows a PIN or password, turn it on, and make sure self-deleting messages are turned on in whichever app you use. It would have saved Tiger Woods and it can save you too. All jokes aside, self-deleting messages will limit the amount of messages and information that can be gathered by anyone who possesses your phone and manages to get it unlocked.

We are currently developing our free email course and hope to have it live soon. Email content will simultaneously be posted into a messenger group (along with some group-only content that we are starting as well). We are currently testing multiple platforms to see which will work best, but as we recommend people use it, we are planning for it to be on Wire. So stay tuned for the launch notification post that will explain it in detail.
