The title of this post is inspired by Crypto Parties, groups committed to promoting digital privacy for normal people. With more of our lives online now than ever, the potential for compromising data to be leaked is more frightening and possible than ever. Cryptography isn’t something reserved for government spooks, criminal hackers, or computer nerds. It’s something we should all be taking seriously. And it’s not as hard as you think! Here are three simple actions you can take right now, in less than 20 minutes, which will dramatically improve the safety of your online activities, personal information, and communications.
1. Use Signal as an SMS replacement. With iPhone, Android, and desktop apps, there is no reason not to. Signal allows you to send text, group, voice, video, and picture messages around the world. You can even make encrypted voice calls to other users, although that feature works best over wifi. It’s completely free, open source, and operated by Open Whisper Systems, a project of the Electronic Frontier Foundation, which advocates for Internet privacy rights.
2. Route your web traffic through a VPN. A virtual private network (VPN) encrypts data in a secure pipeline between your device and the VPN server, which is ideally located somewhere else. The remote server then processes your requests, obtains the data you requested, and routes it back to you over the same encrypted tunnel. Some things to look for in a good VPN service:
- transparency about where the servers are located. Make sure the service is headquartered in a jurisdiction that does not require service providers to keep your personal information. You probably don’t want a Russian or Chinese VPN, for example.
- some assurance of what happens to traffic logs. All servers have the capability to log traffic requests, IP data, and other PII. A good VPN provider does not store this information for longer than 24 hours to allow site reliability engineers to troubleshoot any possible network issues.
I recommend VPN Unlimited, a product of KeepSolid. The service supports macOS, Windows, iOS, Android, and several other platforms natively. And they have a pricing model that allows for unlimited, lifetime usage for a flat fee. If you have fewer than five devices, a one-time charge buys you lifetime protection. PC Magazine gives them their Editor’s Choice Award, so you don’t just have to take my word for it.
3. Consider protecting your HTTP traffic. In a “man-in-the-middle” attack, a hacker spoofs a host address and intercepts your data. They can even send back fake data, a website with false information for example, claiming to be a legitimate company. This is easy to do on public wifi and there are tools like Cain & Abel freely available to download. This is not sophisticated: I was doing this kind of attack as a high school student. Enforcing HTTPS is a way to deter hackers with malicious intent from sifting through your web traffic.
HTTPS is a form of the hypertext transfer protocol; the “S” stands for “secure.” The Electronic Frontier Foundation makes a simple browser extension called HTTPS Everywhere. This extension, which works in Chrome, Firefox, and Opera (no Safari, sorry), takes an extra step to rewrite standard HTTP requests as HTTPS requests. The project also makes it easy for webmasters to learn how to deploy HTTPS on their websites to protect their users from potentially harmful attacks, thus growing the body of content on the web that supports HTTPS requests.
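The rewriting step described above can be modelled as a list of per-site rulesets, each with target hosts, exclusions, and regex rewrite rules. This is an added example in JavaScript, not the extension's own code; the ruleset contents and the names `hostMatches` and `rewriteUrl` are constructed for illustration.

```javascript
// Added example: simplified model of ruleset-based HTTP -> HTTPS rewriting.
// The ruleset below is constructed for illustration, not real project data.
const RULESETS = [
  {
    name: "Example shop (constructed)",
    targets: ["example.com", "*.example.com"],
    // URLs matching an exclusion are left alone (e.g. a host with no HTTPS).
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [
      { from: /^http:\/\/example\.com\//, to: "https://www.example.com/" },
      { from: /^http:/, to: "https:" },
    ],
  },
];

// True when `host` matches a target; a leading "*." covers any subdomain.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Returns the URL to request: upgraded if a ruleset applies, else unchanged.
function rewriteUrl(rawUrl, rulesets = RULESETS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl; // not a parseable URL; leave it alone
  }
  if (url.protocol !== "http:") return rawUrl; // already HTTPS or not web traffic

  const normalized = url.href; // canonical form, so rules see a lowercase host
  for (const set of rulesets) {
    if (!set.targets.some((t) => hostMatches(t, url.hostname))) continue;
    if (set.exclusions.some((re) => re.test(normalized))) return rawUrl;
    for (const rule of set.rules) {
      if (rule.from.test(normalized)) return normalized.replace(rule.from, rule.to);
    }
  }
  return rawUrl; // no ruleset covers this host: the request stays plain HTTP
}
```

A host that no ruleset covers comes back unchanged, so its traffic still travels as plain HTTP.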
This article in Entrepreneur takes a less technical and more enterprise approach to the distinction. This may be something worth considering if you own a website. I’ve been using Github Pages for hosting lately because it’s completely free and supports static pages. Did I mention it’s free? (I recognize this blog doesn’t use HTTPS yet, I’m working on it).
In the wake of Edward Snowden’s reveals, a movement called CryptoParty has sprung up with clones in many cities around the world. A grassroots endeavor, these parties promote adoption of basic, practical cryptography. You can find an event near you. Some technologies CryptoParties promote:
- Tor anonymity network — Tor = “the onion router” which is an analogy for the layers of an onion. Tor relays are open nodes that operate around the world with the single goal of routing anonymized web traffic. These servers are also the gateways to the “deep web” (websites that end in .onion TLDs which cannot be accessed from the “regular” Internet). Tor relays do not keep connection or traffic logs. The Tor browser is a Firefox clone which can be downloaded to your computer and used to surf the web anonymously. Tor is NOT a replacement for a VPN. Tor should never be used to transmit PII. Tor promises anonymity, not privacy. Since Tor nodes are open to the public and due to their anonymous nature, we can never know who is watching. Use it for looking up “alternative facts” which could raise red flags from your home or work network. For example, I have used it to research recruitment tactics of extremist groups in order to better understand how to disrupt them. But I don’t use it for ordering from Amazon.
- TAILS — is a complete operating system which is built atop the Linux kernel. TAILS routes ALL network traffic through the Tor network. Unless you have a dedicated “anonymous browsing” machine, it’s not practical to install on local disk as a primary operating system. I keep it on a bootable USB drive which I used once to do research on the dark web. I prefer this setup for exploring the dark web because it makes it very easy to “get out” if I’m compromised by accidentally stumbling upon a malicious application. If you want a bootable TAILS drive that will work from any computer, I can make one for you. Using TAILS is a fun learning exercise but I struggle to find “everyday practicality” because I’m not peddling wares on the dark web.
- Key signing parties — PGP works because you have a “public key” and a “private key.” By verifying the identity of a person and their private key, we can be sure that the communication pipeline between the two parties is secure. Signal has a neat built-in feature for doing this and alerts you when the key of someone you’re communicating with has changed, an indicator that their device may have been compromised or a third party is attempting to spoof their identity.
- Disk encryption — If you’re on macOS, there is a feature in your settings which allows full disk encryption. On my MacBook Pro, I’ve been using this feature for a few months and don’t notice any real performance hits. The operating system decrypts your disk once you log in, so it might take a fraction of a second longer after you type your password. If you’re on Windows or Linux, TrueCrypt is a standup option which has received a lot of praise in the tech world.
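The key-change alert mentioned under key signing parties amounts to pinning each contact's key fingerprint and comparing it on every message. This is an added JavaScript example, not Signal's or PGP's code; the fingerprint format, the `ContactKeyStore` class and the key bytes used with it are constructed for illustration.

```javascript
const crypto = require("crypto");

// Short, human-comparable fingerprint of a public key (SHA-256, hex, grouped).
// Constructed format for this example, not any real application's format.
function fingerprint(publicKeyBytes) {
  const hex = crypto.createHash("sha256").update(publicKeyBytes).digest("hex");
  return hex.slice(0, 32).match(/.{4}/g).join(" ");
}

class ContactKeyStore {
  constructor() {
    this.pins = new Map(); // contact -> { fp, verified }
  }

  // Called for every incoming message with the sender's current public key.
  observe(contact, publicKeyBytes) {
    const fp = fingerprint(publicKeyBytes);
    const pin = this.pins.get(contact);
    if (!pin) {
      this.pins.set(contact, { fp, verified: false });
      return "first-seen"; // trusted on first use, not yet verified in person
    }
    if (pin.fp === fp) return pin.verified ? "verified" : "unverified";
    // Key differs from the pinned one: new device, reinstall, or impersonation.
    // Any earlier in-person verification no longer applies to the new key.
    this.pins.set(contact, { fp, verified: false });
    return "key-changed";
  }

  // Called after comparing fingerprints out of band (e.g. at a key signing party).
  markVerified(contact, fingerprintReadAloud) {
    const pin = this.pins.get(contact);
    if (!pin || pin.fp !== fingerprintReadAloud) return false;
    pin.verified = true;
    return true;
  }
}
```

A "key-changed" result cannot tell a new phone from an impersonation attempt; only re-comparing fingerprints with the person resolves it.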
The right to be protected from government snooping is enshrined in the fourth amendment of the Bill of Rights and it’s something I personally take very seriously. Until recently cybersecurity was complicated and inconvenient. It is also our responsibility as users of the Internet to protect ourselves from those who seek to steal, cheat, or otherwise cause harm. With more and more sensitive, personally identifying, and financial data online every day, inaction is the only foolish choice.
Any thoughts? Concerns? Questions? Corrections? Leave them in the comments!