Cybersecurity for the Trumped

9. VPNs

2016-12-22T13:29:15Z

Time to write about VPNs. VPN means Virtual Private Network. Using a VPN is one of the best ways to improve your online privacy and security. There are many tutorials out there on how to get started with that, but most of them are trying to steer you towards a certain provider; there are also good and neutral articles. I will provide links to them later.
But first, since I'm writing this for people like my mother, who is plenty smart but not super well versed in technical stuff (hi mom!), I will explain how VPNs do what they do.

How it works

Let's imagine the internet like a village. It has streets, houses and stores. Just like in any village, people in your neighbourhood can see what goes on there.
Let's say that one fine day, I want to go out for a stroll and visit the sex shop at the other end of the village. This is something I probably don't want everyone to know! Because when I return with a big bag of none of your business, printed in bold bright letters that say 'Ye Olde Sexy Shoppe', my neighbours will probably see me.

One of them is the janitor (my ISP), who, when asked, reports my comings and goings to the mayor... who may very well have strong opinions on what the villagers should and should not be buying.
Another is a store owner, who would probably start shouting at me: "Wouldn't you like a bottle of wine to go with that? Maybe these candles, or some chocolate? How about these flowers? Perfume? Lingerie?"
A third one might be a burglar, who notes down where and when I shop, in order to mug me or rob my house later.

So I sign up with the VPN store. I pay them, and they dig a tunnel from my house to their store. I leave my house through the tunnel. This is great! The neighbours can't see who is walking there. I'm strolling along through the tunnel without a care. The only problem is, I'm underground and I want to visit stores that are on street level. So I need to come up.

For that reason, I walk straight to the VPN store. The greeter says: "Welcome! You gave me the secret handshake, so I know that you are one of our customers. Here's a coat. Right this way, please!"
I enter the store and put the coat on. I walk out the back door onto the street and to the sex shop, and to all the other places in the village where I may want to go! No one, not even the janitor, saw me leave my house: I popped up from out of nowhere behind the VPN store, and I'm wearing a coat with my VPN provider's name printed on it, so I have more privacy. You'd have to take my fingerprints to recognise me. The greeter doesn't care what I do, and ideally does not keep a log.

When I walk back home, I go back through the tunnel, for the distance from the VPN store to my house, carrying all my bags full of none of your business. (I should probably draw some pictures of all of this, it won't make things clearer, but it might be fun.)

Translated back to the internet, this means:

Your VPN service accepts encrypted traffic from your computer to their servers (we call them endpoint), because you're their customer. You'll need some kind of software in order to do this encryption; they will generally provide this and make it easy to use.
Your connection to the internet will then go through their servers and be shielded.
This is especially great when you are using public WiFi, because in that case you may not even know who is acting as your ISP by providing you with internet access. Using a VPN here is a big deal and makes your browsing much more secure!

What it does... and doesn't do

Using a VPN does not make you fully anonymous. Of course, when you log in somewhere, you are then known by that identity. But your system can also be recognised by its fingerprint. Still, a VPN does hide your IP address and also your physical location and this adds a layer of privacy and security to your browsing.
Using a VPN does not protect you from fake websites or malware. But it does protect you from man-in-the-middle attacks that happen 'in your neighbourhood': if you are connecting to a free WiFi that's not actually run by who you think is running it, or if someone is listening in on your WiFi connection, they get only encrypted data from you.
Using a VPN can make it possible to use websites that are otherwise blocked to you because of your location (geoblocking). If that's what you're after, choose a provider that has endpoints in the location where you wish to access content, or at least a 'friendly' location that has this access.

How to get started

You get started by picking a provider. They'll tell you what to do. They want to make this stuff easy for you, because they want you as a customer.

How to choose a VPN

Most VPNs are probably better than none at all. Still, you usually get what you pay for. While there are some free VPN providers, they are generally not reliable. And since it's not easy to check how well they do what they say they do, it's probably better to pay a few dollars and have more peace of mind. Some things to look out for:

Make sure they offer support for the OS(ses) that you are using! Don't forget your mobile devices.
Make sure they do not keep logs. Read their statements on this.
Make sure they are using up-to-date technology. Find out whether they support OpenVPN. This is software that runs on your end and handles the encryption, and it's open source and probably the best option that is currently available. It runs on multiple platforms.

Here are some articles to help you choose.

EFF makes no recommendations but has a great outline on the basics. I would start here.
Choosing the best VPN for you goes into great detail... for some of us, too much detail. But it's good stuff, so give it a try.
How To Geek is very thorough on this, as well.
PC Mag has a nice table and a decent looking article.
Torrentfreak: Which VPN providers take your anonimity seriously?
If you're really picky (and why shouldn't you be?) check out this list on privacytools.io

This blog post was edited on December 23 based on feedback from savvy friends. Thank you, KdB and Stoneshop!

Back to Index

comments

3. Email providers

2016-11-22T12:12:55Z

Let's start off with something fairly easy: getting your email off of US soil. If you're using a Europe based provider, they can't be subpoenaed into handing over your data. That is exactly the result we are after. A US company, like Google, can be forced to hand over your data even if that data is not stored in the US, according to this article. Just another reason to avoid them like the plague.

Here are some good and mostly free options; keep in mind that a good, reliable and secure email provider is in my view well worth a few dollars. Most of the free providers also offer a paid option with more features, more storage, and so on.
These providers generally offer an English-language interface; one less thing to worry about.

All of those listed below offer built-in encryption, that you don't have to know anything about in order to use. You may feel that you do not actually need that, but it's a valuable layer of security. Then again, if your goal is just to get away from Google and/or get your email into a place where the US government can't easily reach, you have a lot more options (see links below).

OpenMailbox (FR)	Free	Encryption, POPmail, IMAP	1 GB storage
ProtonMail (CH)	Free	Encryption, webmail	0.5 GB storage
Tutanota (DE)	Free	Encryption, webmail	1 GB storage
Mailfence (BE)	Free	Encryption, webmail, POPmail, IMAP	0.2 GB storage
StartMail (NL)	€ 49,50/year	Encryption, webmail, IMAP	10 GB storage

You'll find more options listed here and here. These lists also show providers that do not offer built-in encryption.

Some of you are probably familiar with Lavabit. That is a privacy-concious provider whom the US government tried to force into giving up their data (and its encryption keys) in 2013 because they had an account that belonged to Snowden. The owner responded by pulling the plug and did not give up the data. Now they are (soon to be) back. I would trust these people but their service is on the geeky/techy side. They are preparing to offer 5GB of storage for $30 a year and they are quite serious about security. Not bad!

If you have your own domain name, another option to get e-mail service is by using the service offered by your domain hosting provider, if they offer that; of course, they may be using servers in the US, so you'd need to check that first. But for some of us, that's a good option, with the added advantage that your email address never needs to change for the rest of your life if you don't want it to.

Bonus!

Need a free throwaway email address for one hour only, with no records kept? Here you go.

Protection level and limitations

How much does having a EU provider protect you? That's hard to say. If you have a provider that you trust, the chance that they will hand your data over to the US government is definitely smaller, because they can't be forced to do that as easily as a US-based company can. So that is a certain level of security.

However, there are some reasons why 'they' can still get your data:
- The receiver may use a US provider, who may be forced to hand its data over.

This would of course give them only a access to segment of your sent emails. Sure, they can probably puzzle all your email traffic together this way, but it's harder and more expensive than just asking Gmail to give them the whole batch.

- Data has to travel somehow. It needs to travel through US servers to reach you, and can be read on the way.

If your provider uses secure POP, secure IMAP and secure SMTP (usually done through something called TLS) then your data is encrypted on the way from your computer to your email provider's server and back. That helps, for sure. Pay attention to whether your provider of choice offers TLS or its predecessor, SSL. You don't need to know how they work, just make sure that they offer them so you can use them. It's generally a server setting in your email program.
Webmail is generally protected by the HTTPS protocol (S for Secure).

It's good to realise that you are by definition leaving a trail when you're sending email. Anything you can do to obfuscate that trail helps keep you a little bit more secure. But using a non-US email provider is not a panacaea.
End-to-end encryption offers a lot more protection, but for most of us, that's just not feasible, at least not all the time. If you're interested, Enigmail combined with PGP (Pretty Good Privacy) is a good option for POP and IMAP, and runs as an add-on in Thunderbird and SeaMonkey Mail.

What are POPmail, IMAP and webmail?

Webmail is email that you read and write on a webpage, as shown by your browser of choice (such as Firefox). Can be useful to those who want to use email on the go, on computers that aren't their own. No e-mail software is needed.
POPmail is email that you download into your own computer, using e-mail software such as Thunderbird (or Outlook, but let's not go there). Can be useful to those who want to keep control over their stored emails. Be sure to make backups now and then.
IMAP is email that you view through e-mail software but that lives on your provider's server, not yours. Can be useful to those who use several computers for their email and want to keep things synched, yet prefer email software over webmail.

Using e-mail software (also called an e-mail client) has the advantage that you can add a digital signature as well as encryption.

This blog post has been edited on November 13 and 16, based on feedback from readers. Thank you!
New links have been added on December 3.
More links added on February 8 2017.

Back to Index

comments

2. A list of things you can do

2016-11-22T11:52:42Z

A lot of people are worried about their level of online privacy and safety lately, for reasons that shouldn't be too hard to understand. The big thing here is that US companies collect data, and the US government can grab hold of that data if they feel there's a need; if you are now under a government that you distrust, it makes sense to reduce the amount of data that you hand over to US-based companies.
Here's a list of things you can do. Some are easy and some are hard, but every one of them can help. Even if you can only do one of these things, it's worth doing.

Here's the hardest one, for many of you: Get off of Facebook. Facebook collects a LOT of data, even when you're not on it. It's not just what you post on Facebook, it's also about your surfing habits on other sites, and a lot more. All this data is under the control of a man who called his users 'dumb fucks' for trusting him. If that offends you, good! It should. If you feel you cannot do without Facebook, consider abandoning your account and setting up a new one, using an altered version of your name, and reconnecting with your friends on that. Changes like that help obfuscate your digital trail.

Get away from Google. I will post in more details about this later, because Google is an ecosystem that consists of a lot of services. Most of them have good replacements! The very fact that Google has all these services is also why it's so potentially dangerous: they collect a LOT of different data from all those sources and combine it all into a very detailed profile. Need a good search engine? Try StartPage.

Get your e-mail off of US soil. Use an e-mail provider that's hosted in Europe and offers encryption. There are plenty of them and some of the good ones are free. More information on that is now posted here.

Compartimentalize. Use different browsers for different purposes. Use different providers for different services, so that your data is split up and therefore less meaningful. Keep your profiles on social media and other websites separate. (I know, I don't always do that either. But I do have a few online hangouts that you probably don't know about.)

Here's another hard one. Don't use a smartphone. If you must, be very wary of the apps you install. Review and think about the permissions your apps ask to use. Can they also operate with less? Switch it off when it's not in use. If you can make do with a nonsmart cellphone, or use that for phone calls and use your smartphone for data only, do that. That's compartimentalizing too.

Here's some easy stuff! Use adblockers and other browser add-ons that improve privacy. Your surfing experience will be safer and faster and the sites you visit will look nicer! This is another good topic for a separate post, but for now I'll throw out some names: UBlock Origin, Ghostery, BetterPrivacy, PrivacyBadger, DecentralEyes, SelfDestructing Cookies. If you use Ghostery, be sure to check the settings carefully, as the default is not great.

Also easy: if a service you are using offers two-factor authentication, set that up. It makes your accounts a lot harder to break into. This is especially important for webmail accounts, since they are often the key to a lot of other things, because many services use email to reset passwords.

Another fairly easy one, and we should all be doing this already: use good, strong passwords and be smart about using them. Read more on that here.

Learn to use an e-mail client that supports encryption. You may not need it now, but it's a good option to have. Thunderbird is just fine for this; with the add-ons Enigmail and GPG installed, it works well. It's also an all-around good e-mail program. And if more people use encryption, those who use it won't stand out anymore. Remember when mail used to be private? E-mail should be private, too.

If you haven't yet, consider getting away from Apple and Microsoft. Linux isn't just for geeks anymore. There are several good looking, easy to use Linux based OSses nowadays, they can run on most of the hardware that you are using, and they are free. Ask your friendly local nerd or cybersmart cousin to show you Linux Mint. Bonus: your computer will probably run faster, and will not need to be replaced as rapidly!

One of the best things you could do would be to attend a cryptoparty: an interactive workshop about cybersecurity, often aimed at beginners. Find out here when and where they are happening. A good place to ask about this would also be your local hackerspace; hackerspaces are physical spaces (as in, buildings/rooms) where people get together to tinker and to share knowledge about many things, cybersecurity being one of them. Don't worry about the bad reputations of hackers; there are good reasons why malicious hackers generally stay away from hackerspaces (they don't need them, they aren't welcome, and they don't want the extra visibility).

Back to Index

comments