Hi everyone….
I’ve been a friend of John’s for several years now, and I work in the IT security industry. I’m also the dad of Cole, his godson. John and I met through World of Warcraft way back in vanilla and stomped around Azeroth for many years.
He has asked me to do a few posts about helping you secure your personal communications and the like. This will hopefully be a multipart series that you will find useful. I want to cover different vectors of communication like texting, instant messaging, email and more. Later, we can talk about data leakage on social media and the like.
Starting with texting/instant messaging….. Anything sent via SMS or MMS (traditional text messages) is not secure at all. These messages are not encrypted in transit, so a man in the middle can read them while they travel across the network. Your cellular carrier also keeps copies of these messages and can retrieve them and provide them to law enforcement. Bottom line, if you care about secure communication, don’t use this AT ALL. It doesn’t matter who made your phone or what version of the OS is on it, this communication is unencrypted and vulnerable to both rogue malicious actors and the state.
Instant messaging has taken off and replaced SMS and MMS for a lot of people, both because it doesn’t cost per message the way SMS used to, and because of the features the different clients offer. These are things like iMessage, WhatsApp, Telegram, Allo, Facebook Messenger and more. There is a good article on The Verge that does a quick and dirty breakdown of each from a security perspective. Click here to read it!
I think that’s all for tonight. I’ll talk more about how to deal with things like backups, server side copies and more in the coming days. I leave you with some kid pics of Cole since John said you guys like that stuff.
TaMara (HFG)
Cole melts me. Thanks for posting that. Oh, yeah and I’m sure the security stuff will be interesting, too.
NotMax
VPNs (and exit nodes) will be covered as well, one hopes.
John Cole
@TaMara (HFG): I’m single, too, sweet thing.
Oh, never mind.
Gin & Tonic
What happened to Adam’s post?
And since you’re new here, fuck you.
Okkam
@NotMax: Yeah, I hope to go as far down the rabbit hole as people will follow. I figure start with low hanging fruit and go from there. We will all be buying meth and hitmen on the dark web with bitcoins in no time!
debbie
Cute kid, but mmmm, donuts.
Okkam
@Gin & Tonic: lolwut? :)
Mary G
Thanks for this, and your son is a very handsome young fellow. Plus doughnuts!
Adria McDowell (formerly LurkerExtraordinaire)
Oh, wow! Thank you for your post! I have a feeling we’ll all need your kind of knowledge in the times to come.
Your son is adorable!
Gin & Tonic
@Okkam: That’s the traditional B-J welcome. Ask Cole how it worked out for Freddie.
Oh, and there was an Adam post up for a minute or two that I wanted to comment on, but by the time I refreshed his was gone and yours was up, spoiling my mood.
chopper
wot, no pet pics? if you’re trying to impress me you’ve failed.
SiubhanDuinne
@Gin & Tonic:
Fuck G&T’s “fuck you.” How many cats do you have and what are their breeds, names, and ages?
Okkam
@Gin & Tonic: No worries. I don’t know what happened to it. I saw it briefly as well above mine. I’ll ping John about it.
Manyakitty
@Okkam: Woohoo! That sounds like a party!
Okkam
@SiubhanDuinne: No cats. Wife is deathly allergic to them. When she ultimately leaves me for Nathan Fillion, I will be getting a siamese because I love those and Tunch is in heaven.
maeve
In my twitter feed it was advised if you are going to tweet (not positively) about Trump then
a) Make sure your passwords are secure and different for different services
b) Use 2 factor authentication (e.g., verify w/ your cell phone when logging from different device)
Can’t remember all the others (there were 4) but the implication is that if you are critical of Trump or mock him then alt-right or Russian trolls will be hacking you.
I have a password strategy but re-thinking it … ( Don’t tweet a lot or post controversial things but looking at Gamergate etc. it doesn’t take much for someone to get on your trail — the “secret” PantsSuit Nation Facebook page is being trolled now by not only comments but people messaging posters )
jharp
Tell me if I’m wrong but I still just go to the bank and drive to the store and kind of like my routine.
Though I’m about to adjust my life where I walk to the store.
Okkam
@chopper: No domesticated pets currently. Our backyard has become an unofficial rabbit sanctuary and I’ve told Cole and his brother Gabe, if they can catch one, they can keep it. So far, they are coming up empty.
TaMara (HFG)
@Okkam: He just stepped on you, saw it and pulled it. I’m sure he’ll repost in an hour or so. He’s only being nice because you’re new here. Otherwise, bigfooting is just an I love in with a time stamp.
jacy
Welcome!
Such a cute kiddo.
And I suppose we’ll be needing all this cybersecurity stuff for the coming underground resistance? I’d better start taking notes.
Jane2
Donuts, adorable tot, *and* useful info! You’re a keeper.
NotMax
@Okkam
Heh.
.onion, the digital equivalent of Tolkien’s Dead Marshes.
TaMara (HFG)
@John Cole: OMG, you have no idea how much I needed that smile tonight.
MattF
Stephen Dodson’s blog is a good one. Here, he offers a translation of a poem by Maria Tsvetaeva.
Adam L Silverman
@Gin & Tonic: That’s a very good question. Someone seems to have pulled it and rescheduled it.
Major Major Major Major
Are you going to cover encryption?
Larkspur
Oh my, this security stuff is what I need to know.
Okkam, your son is beautiful. I am trying to ignore the donuts. It’s hard to tell on my screen: are your son’s eyes blue or are they an exquisite other-worldly kind of silver?
And please do answer the cat question.
Edited to say bunnies are good, too.
Imonlylurking
Once I am able to think, much less speak, about this election without choking back tears-and once I am able to speak without half the words being a variation of fuck- I will absolutely need this information. Thank you.
Gin & Tonic
@Adam L Silverman: You didn’t pull it? If I were in your shoes I’d write a stern letter to management.
Nied
@maeve: I would recommend a good password manager like LastPass. That way you eliminate duplicate passwords across different accounts. They can also be further hardened with hardware based 2-Factor authentication like a Yubikey.
John Cole
@Adam L Silverman: I did. Figure we wouldn’t stomp the new guy. Tonight.
Omnes Omnibus
Not the best time to intro a new person. No offense. But I think that most of us are focused on something else.
3am
Signal, VPN, Tor?
NotMax
@John Cole
Plus you know what other pix of you he might have?
;)
(I kid, I kid.)
jacy
@John Cole:
I’m somewhat surprised you didn’t stomp on him accidentally yourself.
Adam L Silverman
@Gin & Tonic: I did not do it. It has been rescheduled for 11:45 PM EST.
CaseyL
@Omnes Omnibus: It’s always nice to meet new people, and Okkam has useful info, too. Win-win.
fuckwit
Great post. TextSecure is pretty cool.
I hope you’ll be getting to tor and noscript and such.
We are all Greenwald now.
Steeplejack (tablet)
@3am:
Cloaking devices to keep you secure and anonymous on line.
Omnes Omnibus
@CaseyL: My point was that the late night, after many people had “medicated” given what happened might not be the time to introduce a valuable new guy. I just question the timing.
seanindc
two questions:
1) What class did you play and why was it a DK tank?
2) do you remember the root pw for kali?
MomSense
Welcome, Okkam and thanks for the info. Cole is adorable.
Aleta
Thanks for this. Have become more concerned lately, and now with trouble about to blast off, I want to know if privacy is even possible.
Major Major Major Major
@Aleta: Well, you can always get pretty good privacy.
*rimshot*
Eric NNY
@chopper: Chopper is correct. Pet pics or you’re not welcome in these parts…
Adria McDowell (formerly LurkerExtraordinaire)
@Omnes Omnibus: hey, it could be valuable to know how to cover one’s goat-porn-watching tracks after self-medicating! YOU DON’T KNOW MY LIFE! /s
GrandJury
Yea but you need a data plan to use messenger. SMS/MMS is included with voice or usually is anyways. If you don’t send too many then it doesn’t make sense to get a data plan. At least not just for that. There is wifi all over the place for that a lot of the time too.
The simplest most secure thing to do these days is to use 2 factor authentication. That locks things down tight enough for most people’s needs.
NotMax
@Omnes Omnibus
Planning to medicate after din-din with an A1 (or three).
2 parts gin
1 part Grand Marnier (I prefer a less syrupy mouth feel, so opt for ½ part)
juice from a generous wedge of lemon
Shake well with ice and pour. Garnish with lemon twist, if desired.
Aleta
@Major Major Major Major: ha, will check it out ! Get confused about differences betw different approaches though.
Major Major Major Major
@Aleta: The OpenPGP and GPG implementations are adequate and vaguely user-friendly. The trick of course is that everybody involved has to be using it. Once you’ve got that set up though you can plug it into emails, texts (there are apps), desktop instant messaging, etc. I’ve worked professionally with a few mumble mumble groups of rightly paranoid people, and we always used PGP.
Lizzy L
Medicating even now — w/ a Corona. Welcome, Okkam! Thanks for the donuts.
Paranoia strikes deep
Into your life it will creep
It starts when you’re always afraid
You step out of line, the man come and take you away
We better stop, hey, what’s that sound
Everybody look what’s going down
Ripley
Text messaging is why I can never run for public office. I’m good with that.
How do you say “bring it” in Russian?
gwangung
Oh, good….discussion of security at hopefully an intelligent layman’s level…
Just dipped my toes into it and got a VPN provider….anxious to see if I’m doing it right. Looking forward to other recommendations.
EBT
Telegram has weak encryption and the default setting is to save all your conversations server side, not a good choice.
Mnemosyne
I just want to say that I remember the day that John G. Cole posted the newborn Cole’s picture right here at Balloon-Juice.
How time flies.
Gretchen
Young Cole is very cute! We need cute kid pictures these days!
So text is insecure. Is it a problem if the texts I’m sending are things I don’t care if the world sees? Say, meet me at 6? Can they get into other, more private things of mine by seeing that?
Gretchen
@Mnemosyne: Yes, I remember that too. I can’t believe so much time has passed!
Applejinx
Welcome and thanks, Okkam. I’ve always been super crotchety about another specialist, our Health Insurance Industry Guy, but right now I’m grateful for him because rather than get a sane health care system our people are gonna get flung into exactly the sort of madness he’s an expert on, redoubled.
I welcome our new specialist, who might well save some lives around here. I think it’s important, because one thing I think that’s been lacking on the Left is information: I was thinking of my election day MoveOn adventure and how we were the only ones canvassing certain places, and how they hadn’t even asked me for anything except endless asks for money, and I wondered whether we might not divide it into two ‘worlds’ and see which wins:
1) ask people for money, raise money, buy TV ads etc you know the drill
2) no money at all, ask people for time and to communicate and organize. We need digital samizdat, we need to be able to look up non-fake information about what is happening in the world, know who’s running for office and what sorts of things are put up (locally and nationally) to ‘vote’ on, given that we’ve got a tradition of voting that would be very messy to simply remove. If things become so dangerous that we need ‘moles’ getting into the system to weaken it because it becomes untenable to practice democracy directly (like for instance if alt-righters just start assassinating people who openly oppose ’em, MURIKA FUCK YEAH, we’re a direct country) then there’ll have to be a way for such people to communicate.
Digital security and the darknet become indispensable there.
I’ll be paying really close attention and am grateful for this new information. It’s interesting to track who stands where: tech apparently is behind the recent ‘Calexit’ talk, though that talk is itself pretty naive. I’ve always been skeptical of Amazon, seeing ’em as just Wal-Mart digitalized, but it seems like Amazon and Bezos are hostile to Trump interests, and one thing about ’em is that oh my GOD are they a disciplined, scary lot. If I was Trump I’d be really scared of a politicized Amazon, their infrastructure capacities are mind-boggling and their attitude is like crazed Spartans, except self-absorbed and dedicated to commerce because there’s been no reason for them not to be.
On the other hand, Peter Thiel looks to be on the Trump side, so God help you if you’re a Gawker hoping to publicly shame the new administration and think you’re gonna have any sort of freedoms of speech or protections as a political actor.
Taylor
@Nied: A password manager is essential, agreed. Podesta’s emails were hacked because he used the same password for his email and for a Web site with weak security. The password was compromised by an attack on the latter. Better to use unique random passwords for every Web site that you have an account.
OTOH the vulnerability of a Web-based password manager is that they have all your passwords. Sure, they are encrypted with your master password, but you provide that every time that you log in. I’d like a solution where the password manager is a local app, maybe on a USB stick, with the Web maybe used for backup.
Social media sites are of course really excellent spying machines. Cookies can also be used to track you across Web sites. You can delete all your cookies or try to get by browsing “incognito”, but they can still track you with your IP address, and your ISP can supply the information needed to connect your identity to your IP address.
If you’re sophisticated, you can try using Tor, but I assume that the FBI automatically flags anyone using Tor as a “person of interest.” And I’m sure that the NSA has some tricks for cracking Tor anonymity that they aren’t telling anyone about.
Applejinx
Also, if you are not a poo-flinging monkey and in political terms you’re fairly unidentifiable, or can be pigeonholed as ‘just some loser who’s not important’, that can be really good cover. I know a heck of a lot of Vermonters and New Hampshire-ites who are quietly and intractably armed to the teeth, not alt-right, and not open-carry gunhumpers. Some of them are interested in protecting the country from enemies foreign and domestic, and that doesn’t necessarily mean ‘headscarves and hijabs’. The Keene police department has a tank. Literally a tank. Those who are all ‘muh freedums!’ have not been solely worried by the Left for some time now.
These are natural allies but you will get nowhere if you’re a poo-flinging monkey. If you have friends who have always been utterly decent people, particularly if they don’t get drawn into hotheaded arguments, and yet you know they are heavily armed and they take pains not to talk about it, well, maybe now we understand their world a little bit better. Expressing that might not go amiss. Just remain aware that if you’re opening that conversation, you might not meet THEIR standards, and that might have more to do with whether you’re as responsible as you ought to be, and less to do with political litmus tests, than you think.
Sort of IRL darknet stuff, really. Trust is earned, not assigned.
Bill Arnold
@maeve:
For the paranoid (those seriously worried about doxxing (good justification here)), last time I checked (a few months ago?) it was still possible to create an anonymous twitter account if you can manage to create an anonymous email account. (The latter requires a burner phone typically.) Tor (and preferably a VPN) a prereq though, and discipline.
I expect that there will be a lot of primers available shortly for the newly paranoid.