Cybersecurity for the Trumped

10. Instant messaging and chat

2017-02-08T14:54:26Z

Many of us like to stay in touch with others in real time. For that purpose, we have a lot of tools that we can use. Some of them are safer than others. Let's look at some popular ones...

Twitter is very popular and not private/secure in any way. Assume that anything you tweet is public.
IRC has been around for a long time. It's still used by many. It's not secure unless you use OTR (Off The Record).
Facebook Messenger... well, it's Facebook. Not secure in any way.
WhatsApp is encrypted, but the metadata is still logged, and says more than the actual conversations; also, it's owned by Facebook.
Google+, Google Hangouts, Gchat... it's Google. Avoid.
ICQ and Yahoo chat? Not secure.
Skype is popular for voice and video chat. But it's owned by Microsoft nowadays. The calls are encrypted, but there's that pesky metadata thing again. So it's not really secure.
SMS (text messages) are not secure at all.

So what are the better options?

Signal is well-known for being recommended by Snowden. It does voice chat as well as instant messaging. Can be used on smartphones and desktops.
Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed. It works on many platforms and also in your browser. I like this one.
Hoccer is a privacy-conscious messaging and file sharing app for smartphones.
Confide is a messaging app for smartphones and Windows and OSX computers; it's hyped to be very secure (messages cannot be kept). But it's closed source, so who knows, and some experts say it's not great.
Tox is another good option that works for messaging, voice and video chat. There are clients (= software) available for all platforms.
Ring serves a similar function. It also allows group chats (teleconferencing)
Linphone: same same.
And if you do not want to download or install anything or get an account, there is always Talky video chat which can simply be used on the web. Set up a 'room' by choosing a room name, send the other person the URL for your room, and you're off.

So which one do I use?

The one you can get your friends or family to use.

A note on the technical side of all of this

We need to distinguish between two things when talking about chat/messaging software: there's the software and there's the protocol.
Just like PDF documents can be opened with Adobe Reader, and many people assume that this is the only option... but in reality, there are lots of different programs that can open PDFs. Likewise, there are different programs that can handle different protocols, and even programs that can handle a whole lot of them!
For example, I use IRC, ICQ and Telegram, but I don't want three programs running on my laptop all the time. So I use multi-protocol messenger software, that can handle all three of these and more.

Some good multi-protocol programs are:
Pidgin (for Linux, Windows, OSX)
Miranda IM (for Windows)
Adium (for OSX)
These are mainly meant for laptops and desktop computers. On a smartphone, a dedicated app is generally the better option.

Some instant messaging protocols are:
ICQ, IRC, Gadugadu, AIM, AOL, XMPP, Bonjour, Telegram (has OTR feature built in).

If you want secure instant messaging on a protocol that's not inherently encrypted, look into adding an OTR plugin.

Further reading (and even more apps) in this article in the New York Times.

Back to Index

comments

6. Getting away from Google

2016-11-22T13:32:05Z

Why?

First of all, why would you want to avoid Google? Well, there are several reasons...

Google offers a lot of services, so they collect a lot of different data from different sources.
Google connects all the data from these services into a very detailed profile, meant to advertise at you with more precision. This is their whole business model and they're very good at it.
Google is quite willing to share this profile with the US government. They only need to ask.
Google has been known to break promises about privacy and data retaining policy. Here's the most recent case.
They also are known never to delete any data.

Need more reasons? I sure don't.

How?

How can you get away from Google? There are lots of things you can do. Any of the items listed below will decrease the stream of data that flows from you to Google. The more you can do, the smaller it gets.
Most of their services have decent alternatives; some are so good you'll be happy you jumped ship. But before you do, clean out all that you can.

Check to see if your web history has been recorded by Google. If so, you need to wipe all of it. Do the same with your location, which Google very kindly keeps a record of just for us.
Next up: YouTube. Go to YouTube and click both Clear all watch history, and Pause watch history. From now on, when watching YouTube, do it when logged out of Google, as with all your browsing. If you need to log into your Google account for some reason, do that in a separate browser, and log out after use.

Stop using Google for searches

This is easy. Start using a different search engine, and set your browser to use the new one as the default. Google listens in on your searches, doubly so when you are logged into a Google account (so don't do that in your normal browser). Here are some privacy-conscious search engines.

DuckDuckGo
StartPage <--- my personal favourite
Ixquick
Qwant
Blekko

Stop using Google Docs

Google Docs is pretty great, which makes it seem like it's hard to quit. But here are some alternatives. Some of them are hosted outside of the US: always a plus.
What we're looking for: online collaborative document editing and sharing, with the possibility of keeping documents hidden from those who aren't logged in. It needs to have some formatting options, and to have some kind of protection against data loss through accidental simultaneous editing. It would be great if it were something that can be viewed and used inside a webbrowser. It would be nice if it were free!
Etherpad is great for quick editing of simple documents in groups, in real time and with no editing conflicts.
Here's Zoho. Here's Evernote. Here's ThinkFree.
Mailfence is in Belgium, privacy-oriented, and may be your one stop shop for docs and email.
You could also possibly make do with LibreOffice documents saved in Dropbox or elsewhere.

Stop using Google Maps

Easy-peasy. Use Here, Mapquest, or another one of several sites and apps. Plenty of options here!

Stop using Google Talk

Google Talk is Google's instant messenger. We have to make the distinction between the service (the protocol) and the software here. Google Talk is generally used through your browser, so many people do not use any specific software when they are using this service (and Google's servers). There are other protocols, as well as other software; some well-known services are ICQ (remember? It still exists), MSN, Facebook messenger, Jabber, and nowadays Signal and Telegram. Most services offer their own software but can also be used through third-party software.

There are a lot of options out there. The world is full of options for instant messengers. Signal is said to be great for privacy; Telegram is good too. These can be used on your desktop, laptop and smartphone. I'll write more about chat and messengers later.

The hard part with this one: getting your friends and other contacts to join you on a different service. Usually, users of one service cannot talk to users on another one. If this is a problem for now, you could start using Gtalk through a third-party application for now, so you don't have to log in into your Google account in your browser. There's that compartimentalizing thing again!
Good clients for desktops and laptops include Miranda IM for Windows, Pidgin for Linux and Adium for OS X.
Franz is multi-platform, and in fact so is Pidgin. But there are others out there.

Stop using Google Translate

This is tough. Google is probably just the best option here.Try Bing, or install some translation software.
Then again, they are certainly storing the content of the text that you are translating, but probably not a whole lot else, as long as you're logged out of any Google accounts. You're logged out, right?

Stop using Blogger

Move your Blogger blog over to a different service. Yes, it'll hurt a bit. But there are tons of good options. You could clear it out and leave a link to your new home behind, if you want people to be able to find it easily. You may lose some readers and commenters, but you'll gain new ones.

Stop using Google+

Just stop. No need for a replacement.

Stop using Google Chrome

Start using a different browser. If you're a creature of habit, Chromium is for you.
Install it, and let it import your bookmarks. Then, in Chrome, go to Settings > Advanced Settings > Privacy > Clear Browsing Data. Tick all the boxes, so it all gets deleted.
Finally, delete your Google Chrome profile from your computer. In Windows it's generally stored in C:/Users/[yourusername]/AppData/Local/Google/Chrome/User Data.

Stop using Google Mail

I know this is a big step! It's fine not to do this straight away. It is a step that has a lot of positive impact on your privacy, so it's a great thing to do, but save it for last if you're finding it scary.
Before you switch to another email provider, which is something I strongly recommend, go into your Gmail account and clean out all email that you don't care about; then set up Thunderbird (or a different email client of your choice) and download all the email you want to keep. Here's how. Also download your address book: here's how.
Go back into your Gmail account and delete everything. All emails and all addresses. We don't know how deleted they really are. But it may help.
Now you're ready to sign up with a non-US email provider that offers encryption. Congratulations!

Now, the ultimate step is to delete your Google account. If and when you're ready.

Further reading on getting away from Google:
Going Google-Free: The Best Alternatives to Google Services on the Web
How To De-Google-ify Your Life: The Complete Guide To Leaving Google
The Best Google Alternatives For Email, Search, Docs and Everything Else

As always: if I'm in the wrong, please set me straight and steer me to decent sources. Thank you!

Back to Index

comments

4. Browser hardening

2016-11-22T13:22:49Z

As we've established, we're not going to give up the internet. It's informative and it's full of cats. But we do want to be safer while doing it, and less trackable. So how can we make this happen? Let's take a good look at the tool we use to look at the web: our browser.

Browsers help us view a lot of information. But the information stream goes both ways. Websites that we visit gather a lot of information about us, if we let them. For example, the fact that we've visited a website is generally logged. But also whether or not an individual picture has been shown in our browser, and that picture may very well be hosted on a different server (so we don't even know who is getting that information). Previous browsing history is collected, too. Our searches are logged, and also specific information about our computer (such as installed fonts and plugins) and location. All of this makes it quite possible to pinpoint a specific computer user, and follow them around from one website to another. Here and here is some information on how that works.

Browsers

There are more browsers than you can shake a stick at, even if you're very good at shaking sticks.
I would recommend not using anything made by or in cooperation with any of the big corporations: Google, Microsoft, Apple. So that means: it's best to avoid Chrome, Internet Explorer / Edge, and Safari. Here are some options:

Firefox. A good old standard that used to be innovative. Has a LOT of good privacy enhancing add-ons available. Win, Linux, OS X, Android.
Seamonkey. My personal favourite. Classic looks, robust features. Comes as a suite, bundled with (good!) software for email, HTML editing and IRC (= Internet Relay Chat). Win, Linux, OS X.
Pale Moon. A Firefox fork. Like Firefox before they got the Chrome-like interface. Win, Linux.
Chromium. Like Chrome, but not linked to Google. Open source. Win, Linux, OS X, Android.
Iron. Based on Chromium, but the makers claim it's fully anonymized. Win, Linux, OS X, Android.
SlimJet. Another Chromium fork. A newcomer. I heard good things, seems pretty privacy-centered. Win, Linux.
Vivaldi. Technically similar to Chrome. A newcomer. Win, Linux, OS X.
Opera. Now uses the same rendering engine as Chrome. Win, Linux, OS X, Android.

This list is by no means exhaustive. Some others are listed here.
Browsers are a personal preference. Pick your favourite... then pick another one and another one. Why? Because:

- Not all browsers are compatible with all websites.
- It's good to have separate browsers for specific activities. Google and Facebook come to mind. If you need to use these, and especially if you use them in such a way that requires you to log in, then it's a whole lot safer to run them in a browser that's just for those activities. Compartimentalize!

Add-ons

Add-ons are small pieces of helper software that add functionality to your browser. There are a lot of add-ons that can increase privacy and security. Most of them can be installed through a feature inside the browser (add-on manager) or on a specific webpage that lists all of them for your specific browser. Here are some good ones.

Adblockers:
AdBlock Plus used to be good. Nowadays it's not the best option anymore. Will allow some 'non-intrusive' ads unless you tell it not to; if you're running this, check the settings carefully.
UBlock Origin is a better replacement for AdBlock Plus. Blocks adds really well and can hide stuff you don't want to see.

Tracker blockers:
Ghostery used to be very good, but now needs it settings checked carefully, and a user account in order to see full tracker info.
Disconnect does much the same thing and is said to be good.
Privacy Badger protects your privacy by blocking spying ads and invisible trackers.

Other:
DecentralEyes protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
Selfdestructing Cookies allows you to accept cookies, and then gets rid of them automatically when you're done with them.
NoScript keeps sites from executing Javascript on a case by case basis. Lets you whitelist and blacklist sites.

My advice would be:
- For starters: run an adblocker because it makes the web so much safer, faster and more pleasant.
- Add a way to deal with cookies. Can be a browser setting or an add-on. Accept them selectively or accept them but do not keep them.
- Add DecentralEyes just because you can, if you can.
- Finally add NoScript. It's a bit of a pain but it works very well. You can allow Facebook-scripts in your dedicated FB-browser and not anywhere else. Same with Google.
You'll have to adjust this recipe for your OS, browser and personal preferences.

Search engines

Step away from the Google. Google is not your friend. Google listens in on your searches, doubly so when you are logged into a Google account (so don't do that). Here are some privacy-conscious search engines.

DuckDuckGo
StartPage <--- my personal favourite
Ixquick
Qwant
Blekko

What about Private Browsing /Incognito Mode?

That only limits what gets saved to your own computer. It has no influence on what gets sent to others.

'Safe' Browsing

Mozilla-based browsers (Firefox, SeaMonkey, and others but apparently not Pale Moon), and also Chrome and Safari, have an option called Safe Browsing. If that is switched on, pages get checked against a blacklist hosted by... Google. It's a useful feature in principle, but it means that Google gets to keep tabs on your browsing, which is one of the things we're trying to avoid!
Once you have add-ons installed that block ads, scripts and other potential security risks, it's better for your privacy to switch the Safe Browsing feature off. More information here.

Another way to compartimentalize (slightly more advanced)

If you really really really like Firefox (for example), and can't get to grips with any other browser, there's another way to make separate 'sandboxes' for things like Facebook and Google: you can set up different profiles, and make icons on your desktop that start an instance of Firefox working in each of these profiles. Name them after what you're going to use them for and set the settings accordingly in each of them.
Hey presto, separate browser profiles for your different activities. That means data from your surfing behaviour in one instance will not bleed over into the Facebook usage in another instance, even when they're running at the same time.

Bonus!

Firefox settings, including tracking prevention settings, made easy: FF Profile Maker.

If you want to go further...

Want more anonymity? There's the Tor browser, a modified Firefox with extra security features for fully anonymous surfing. I don't use it, but you might want to, so here's a how-to or two.

Back to Index

comments

3. Email providers

2016-11-22T12:12:55Z

Let's start off with something fairly easy: getting your email off of US soil. If you're using a Europe based provider, they can't be subpoenaed into handing over your data. That is exactly the result we are after. A US company, like Google, can be forced to hand over your data even if that data is not stored in the US, according to this article. Just another reason to avoid them like the plague.

Here are some good and mostly free options; keep in mind that a good, reliable and secure email provider is in my view well worth a few dollars. Most of the free providers also offer a paid option with more features, more storage, and so on.
These providers generally offer an English-language interface; one less thing to worry about.

All of those listed below offer built-in encryption, that you don't have to know anything about in order to use. You may feel that you do not actually need that, but it's a valuable layer of security. Then again, if your goal is just to get away from Google and/or get your email into a place where the US government can't easily reach, you have a lot more options (see links below).

OpenMailbox (FR)	Free	Encryption, POPmail, IMAP	1 GB storage
ProtonMail (CH)	Free	Encryption, webmail	0.5 GB storage
Tutanota (DE)	Free	Encryption, webmail	1 GB storage
Mailfence (BE)	Free	Encryption, webmail, POPmail, IMAP	0.2 GB storage
StartMail (NL)	€ 49,50/year	Encryption, webmail, IMAP	10 GB storage

You'll find more options listed here and here. These lists also show providers that do not offer built-in encryption.

Some of you are probably familiar with Lavabit. That is a privacy-concious provider whom the US government tried to force into giving up their data (and its encryption keys) in 2013 because they had an account that belonged to Snowden. The owner responded by pulling the plug and did not give up the data. Now they are (soon to be) back. I would trust these people but their service is on the geeky/techy side. They are preparing to offer 5GB of storage for $30 a year and they are quite serious about security. Not bad!

If you have your own domain name, another option to get e-mail service is by using the service offered by your domain hosting provider, if they offer that; of course, they may be using servers in the US, so you'd need to check that first. But for some of us, that's a good option, with the added advantage that your email address never needs to change for the rest of your life if you don't want it to.

Bonus!

Need a free throwaway email address for one hour only, with no records kept? Here you go.

Protection level and limitations

How much does having a EU provider protect you? That's hard to say. If you have a provider that you trust, the chance that they will hand your data over to the US government is definitely smaller, because they can't be forced to do that as easily as a US-based company can. So that is a certain level of security.

However, there are some reasons why 'they' can still get your data:
- The receiver may use a US provider, who may be forced to hand its data over.

This would of course give them only a access to segment of your sent emails. Sure, they can probably puzzle all your email traffic together this way, but it's harder and more expensive than just asking Gmail to give them the whole batch.

- Data has to travel somehow. It needs to travel through US servers to reach you, and can be read on the way.

If your provider uses secure POP, secure IMAP and secure SMTP (usually done through something called TLS) then your data is encrypted on the way from your computer to your email provider's server and back. That helps, for sure. Pay attention to whether your provider of choice offers TLS or its predecessor, SSL. You don't need to know how they work, just make sure that they offer them so you can use them. It's generally a server setting in your email program.
Webmail is generally protected by the HTTPS protocol (S for Secure).

It's good to realise that you are by definition leaving a trail when you're sending email. Anything you can do to obfuscate that trail helps keep you a little bit more secure. But using a non-US email provider is not a panacaea.
End-to-end encryption offers a lot more protection, but for most of us, that's just not feasible, at least not all the time. If you're interested, Enigmail combined with PGP (Pretty Good Privacy) is a good option for POP and IMAP, and runs as an add-on in Thunderbird and SeaMonkey Mail.

What are POPmail, IMAP and webmail?

Webmail is email that you read and write on a webpage, as shown by your browser of choice (such as Firefox). Can be useful to those who want to use email on the go, on computers that aren't their own. No e-mail software is needed.
POPmail is email that you download into your own computer, using e-mail software such as Thunderbird (or Outlook, but let's not go there). Can be useful to those who want to keep control over their stored emails. Be sure to make backups now and then.
IMAP is email that you view through e-mail software but that lives on your provider's server, not yours. Can be useful to those who use several computers for their email and want to keep things synched, yet prefer email software over webmail.

Using e-mail software (also called an e-mail client) has the advantage that you can add a digital signature as well as encryption.

This blog post has been edited on November 13 and 16, based on feedback from readers. Thank you!
New links have been added on December 3.
More links added on February 8 2017.

Back to Index

comments

2. A list of things you can do

2016-11-22T11:52:42Z

A lot of people are worried about their level of online privacy and safety lately, for reasons that shouldn't be too hard to understand. The big thing here is that US companies collect data, and the US government can grab hold of that data if they feel there's a need; if you are now under a government that you distrust, it makes sense to reduce the amount of data that you hand over to US-based companies.
Here's a list of things you can do. Some are easy and some are hard, but every one of them can help. Even if you can only do one of these things, it's worth doing.

Here's the hardest one, for many of you: Get off of Facebook. Facebook collects a LOT of data, even when you're not on it. It's not just what you post on Facebook, it's also about your surfing habits on other sites, and a lot more. All this data is under the control of a man who called his users 'dumb fucks' for trusting him. If that offends you, good! It should. If you feel you cannot do without Facebook, consider abandoning your account and setting up a new one, using an altered version of your name, and reconnecting with your friends on that. Changes like that help obfuscate your digital trail.

Get away from Google. I will post in more details about this later, because Google is an ecosystem that consists of a lot of services. Most of them have good replacements! The very fact that Google has all these services is also why it's so potentially dangerous: they collect a LOT of different data from all those sources and combine it all into a very detailed profile. Need a good search engine? Try StartPage.

Get your e-mail off of US soil. Use an e-mail provider that's hosted in Europe and offers encryption. There are plenty of them and some of the good ones are free. More information on that is now posted here.

Compartimentalize. Use different browsers for different purposes. Use different providers for different services, so that your data is split up and therefore less meaningful. Keep your profiles on social media and other websites separate. (I know, I don't always do that either. But I do have a few online hangouts that you probably don't know about.)

Here's another hard one. Don't use a smartphone. If you must, be very wary of the apps you install. Review and think about the permissions your apps ask to use. Can they also operate with less? Switch it off when it's not in use. If you can make do with a nonsmart cellphone, or use that for phone calls and use your smartphone for data only, do that. That's compartimentalizing too.

Here's some easy stuff! Use adblockers and other browser add-ons that improve privacy. Your surfing experience will be safer and faster and the sites you visit will look nicer! This is another good topic for a separate post, but for now I'll throw out some names: UBlock Origin, Ghostery, BetterPrivacy, PrivacyBadger, DecentralEyes, SelfDestructing Cookies. If you use Ghostery, be sure to check the settings carefully, as the default is not great.

Also easy: if a service you are using offers two-factor authentication, set that up. It makes your accounts a lot harder to break into. This is especially important for webmail accounts, since they are often the key to a lot of other things, because many services use email to reset passwords.

Another fairly easy one, and we should all be doing this already: use good, strong passwords and be smart about using them. Read more on that here.

Learn to use an e-mail client that supports encryption. You may not need it now, but it's a good option to have. Thunderbird is just fine for this; with the add-ons Enigmail and GPG installed, it works well. It's also an all-around good e-mail program. And if more people use encryption, those who use it won't stand out anymore. Remember when mail used to be private? E-mail should be private, too.

If you haven't yet, consider getting away from Apple and Microsoft. Linux isn't just for geeks anymore. There are several good looking, easy to use Linux based OSses nowadays, they can run on most of the hardware that you are using, and they are free. Ask your friendly local nerd or cybersmart cousin to show you Linux Mint. Bonus: your computer will probably run faster, and will not need to be replaced as rapidly!

One of the best things you could do would be to attend a cryptoparty: an interactive workshop about cybersecurity, often aimed at beginners. Find out here when and where they are happening. A good place to ask about this would also be your local hackerspace; hackerspaces are physical spaces (as in, buildings/rooms) where people get together to tinker and to share knowledge about many things, cybersecurity being one of them. Don't worry about the bad reputations of hackers; there are good reasons why malicious hackers generally stay away from hackerspaces (they don't need them, they aren't welcome, and they don't want the extra visibility).

Back to Index

comments