Big Brother Surveillance Threat, Part 3: Anti-Surveillance Guide
This is Part Three, of a series that Urban Survival Skills is calling "Big Brother Surveillance Threat" and is publishing, that are excerpts from a huge article titled "You Are a Criminal In a Mass Surveillance World – Here’s How Not To Get Caught", but David Montgomery and posted on Prepared Gun Owners.com
[http://preparedgunowners.com/2015/06/11/you-are-a-criminal-in-a-mass-surveillance-world-heres-how-not-to-get-caught/]
ANTI-SURVEILLANCE GUIDE
The following guide is 10 basic steps which involve using free software. It’s followed by a list of essential security practices. The guide is intended to be a “minimum effective dose” of security against hackers, fraudsters and mass surveillance. It may seem like a lot, but if anything I went light because I don’t want people to get overwhelmed and do nothing. This is an incremental process. If one of these steps is too difficult or intimidating, don’t bail on everything else. Every step substantially decreases your risk exposure.Good security is a habit more than anything. What may initially seem like an inconvenience will eventually not even be noticed, just like locking the door to your home. Suggestions for improvements and updates are welcome and appreciated.
STEP 1 – CLEAN AND PREP
Why: There’s a good chance your computer is already infected with malicious software (malware). Unfortunately malware attacks are a never-ending plague. You can’t spend time online and not be at risk of infection. This includes viruses, key loggers (which secretly record everything you type, like GROK or Magic Lantern) and various other programs that track you and send your private information to bad guys.There are thousands and thousands of malware programs out there with new ones being launched daily. It’s not just hackers, fraudsters, or governments who create and spread malware. Huge companies that you’d think would be fiercely protective of their reputation, like Sony, will infect you. Lenovo, the world’s largest personal computer vendor, is under fire for selling 43 models with pre-installed malware which dramatically undermines your computer’s security. This site shows if you’re infected. If you are, here’s how to fix it.
***For Apple desktops and laptops only***
Install and run the following programs:
CCleaner – Download the free version. After you’ve run a scan and fixed any problems it finds, close it and then move onto the next program. I suggest running CCleaner once per month.
Sophos Anti-Virus Home Edition – This program is free. Install and run a scan to make sure you’re clean. Macs are much less virus prone than Windows PCs, but infections are still possible. I recommend this program because phishing attacks keep getting more and more sophisticated, and it’s pretty easy these days to be tricked into clicking malicious web site links and opening malicious files. If you already have another anti-virus program installed, update and run it instead.
***For Windows PCs and laptops only***
First, let’s make sure your copy of Windows is up to date. Microsoft is constantly releasing security patches to fix security vulnerabilities, and your computer should be set to automatically install important updates. If you don’t know how to check if important updates have been installed, see this if you’re running Windows 7 and this if you’re running Windows 8. Windows 10 installs updates automatically.
Second, see if your anti-virus scanner is up to date and then run a scan. Both Windows 7 and Windows 8 come with free anti-virus software. If you already run a third party anti-virus program, update and run that instead. If you haven’t installed any third party anti-virus software, on Windows 7 load Microsoft Security Essentials and do a scan. If you don’t have it, install it free here (ignore this if you run Windows 8). For Windows 8, run a scan with Windows Defender (see here if you need help). Don’t continue until the scan is finished. Virus scans take a while (10-20 minutes), so it’s a good time to grab a drink or a snack. If you find any infections, quarantine or delete them.
Third, we’re going to install and run four free programs that protect against malware. They all work a bit differently and catch different infections. If you already have other anti-malware programs you use, you can decide whether to delete them and go with this suite or stick with what you have.
Reboot your machine if it’s been on a long time. (A fresh restart is generally a good idea when installing a bunch of new software.) Then install and run the following:
CCleaner – Get the free version. Make a backup of your registry when it asks. After you’ve run a scan and fixed any problems it finds, close it and then move to the next program.
Malwarebytes Anti-Malware – Get the free version. Check for updates before running the scan. Fix any problems it finds and continue to the next program.
Spybot Search & Destroy – Get the free version. Check for Updates and run a scan. After it’s done and you fix any problems, Immunize your system. Immunization blocks your computer from communicating with a long list of known malicious sites.
Malwarebytes Anti-Exploit – Get the free version. This program shields your browser from sudden attacks that malware companies don’t yet know about called zero-day exploits. You don’t need to do anything. Just install and it will work in the background.
I suggest running CCleaner, Malwarebytes, and Spybot scans once a month. You should also do it immediately if you suspect that you’ve made a mistake like following a link to a shady-looking site you didn’t mean to visit or opening a suspect file.
STEP 2 – REPLACE YOUR BROWSER WITH FIREFOX
Why: (If you already use Firefox, skip to the add-on section.) People get attached to web browsers, so please consider my reasoning if you recoiled in horror at this suggestion. Google’s Chrome is the most popular web browser in the world. That image of Google’s boss and Obama gives an indication of how closely tied to the government Google is. Google is not only one of the government’s key business “partners.” It’s the juiciest target for the government to infiltrate. Snowden showed us that it has. You can virtually guarantee that NOCs work at Google.Google’s business is literally mass surveillance. It collects more data about more people than any other company in the world. The business model is simple. Google tracks and records you and then turns you into a profile that it sells to advertisers. As Eric Schmidt said, “We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
The reason Google’s services are free is because you’re not the customer. You are the product. As Google itself says, “Our customers are over one million advertisers, from small businesses targeting local customers to many of the world’s largest global enterprises…” It’s biggest customer is of course the U.S. government (federal and state).
In contrast, Firefox doesn’t track you and sell you as a product. The developers of Firefox are highly vocal about being anti-surveillance. Firefox is open source, meaning any programmer can audit the code to see what it’s doing. And Firefox has add-ons that are necessary to thwart tracking and surveillance. (Chrome has add-ons too, though many of them contain malicious code.) Bottom line is the Firefox people aren’t in the surveillance business.
If you’ve been using Internet Explorer, know that it’s being phased out by Microsoft and has been plagued with security flaws. And it doesn’t support important add-ons needed to protect you.
If you’re on Mac, I recommend Firefox over Apple’s Safari browser as a matter of diversifying trust. At the end of the day we’re trusting all software we use not to exploit us. But Firefox doesn’t have the financial incentive like Apple does to track you. And while Firefox is open source, Safari is not. Also Firefox has a more robust collection of add-ons.
What to do: Install Firefox and set it as your default web browser. After you have Firefox running, click the Options button (the gear icon), click the Update tab, and select “automatically install updates.” Then install these security add-ons. (Each add-on puts an icon in the Firefox toolbar for quick access to its settings.)
HTTPS Everywhere – (click “Install in Firefox”). This increases the difficulty of bad guys intercepting what you see in your browser and makes it harder for them to set traps that can give them access to your computer.
Adblock Plus – This protects you from some sites that are set up to install malicious software on your computer. It also blocks ads from companies whose business is surveillance (like Google and Facebook which track you even when you’re not on their sites). If there’s a site whose ads you want to see you can easily tell Adblock to show ads for that site. When you install Adblock, a confirmation screen will appear. Scroll down and turn these switches ON.
Privacy Badger – (click the ‘download for Firefox’ link). This add-on pays attention to when you’re being tracked by a browser cookie and then deletes it. There is some overlap with AdBlock Plus, but Privacy Badger fills in some gaps because it doesn’t rely on block lists.
Random Agent Spoofer – When you visit web sites your browser sends information about its configuration that leaves a unique digital fingerprint. This fingerprint identifies you. If you’re curious you can see the print it leaves here. Install Random Agent Spoofer so you don’t leave prints wherever you go.
Ghostery (optional) – If for some reason you try AdBlock Plus and don’t like it, Ghostery is a solid alternative to try. I suggest using one or the other. If you use it I don’t recommend enabling GhostRank. (The program will ask when you install it, saying that its data collection is anonymized). Anonymized data collection isn’t necessarily anonymous.
NoScript (optional) – NoScript is optional because there’s a substantial learning curve. NoScript makes web browsing more secure, but the price is that many sites won’t display properly until you tell NoScript which parts of the site to allow. Once you set the permissions for a site, NoScript will remember them. But there’s that initial few seconds at a new site where you may need to allow the core parts of the site for it to display correctly. It took me a couple days to get used to it, but this article gives good guidance if you need help. If it’s not too intimidating, give it a try. You can always remove any Firefox add-on if you don’t like it.
STEP 3 – USE A SURVEILLANCE-FREE SEARCH ENGINE
Why: Google tracks and records your search terms along with when you entered them as part of its profiling analysis. Yahoo and Bing do the same thing. By analyzing every search you make, a shocking amount can be learned about you. You can get the same search results without being tracked and profiled.What to do: The good news is you can get Google’s search results without being tracked and recorded. StartPage is an anonymized version of Google, meaning it asks for search results on your behalf so that Google doesn’t know who is doing the asking. Go to StartPage and click “Add to my browser” and make it your default search engine. If you want non-Google search results, use Ixquick for a composite of several other search engine results. Both are excellent. Just make sure you set one of them as your default search engine. One other option is DuckDuckGo, which also doesn’t surveil you, though I prefer the search results of the other two.
STEP 4 – END THE PASSWORD NIGHTMARE
Why: Passwords are our bread and butter security measure. We use them every day to guard our accounts, assets, and personal information. The nightmare is that passwords as a security measure totally suck. The majority of passwords are so weak that they’re hacked within seconds. The security industry desperately needs to innovate beyond passwords, but we’re stuck with them for now.The reason passwords suck is it’s really hard to remember a strong password, much less a strong password for every account you have. So people end up using weak passwords, and they use the same one or two passwords everywhere. This is a security disaster.
Massive advances in computing power and password cracking software have made once-strong passwords a joke. Ed Snowden put it simply. The government can make 1 trillion password guesses per second. Free agent bad guys can make trillions of guesses too; it just takes them a bit longer. And the guesses are educated, not random, starting with databases of millions of real passwords which have already been hacked.
The disturbing truth is that 99% of the passwords people use are easy to crack for a reason. The same strategies we use to make passwords memorable are the very same strategies hackers exploit to crack them.
Hackers study how we come up with passwords – the most common words, the way we combine them, and the modifications we make. Then they write software that tests variations of those strategies using alternate spellings (like “l34rn” instead of “learn”), famous dates, names, movies, sports teams, addresses, combinations of your personal and family info, phrase and quote dictionaries, song lyrics, et cetera.
Even when we think we’re being really clever, we’re not. One site recommended taking an easy-to-remember password and then shifting your hands over a key to the right to type it. So Happydays would becomeJs[[ufsud. Seems like a great idea since the password now looks totally random. Except it’s not random at all. Hackers know this strategy too and can easily write software to apply the key shift strategy against all the other educated guesses they’re making.
Even if you do have a strong password, if you’re using it (or a slight variation of it) multiple places, you’re opening yourself up to attack. Even if the password is rock solid, the web sites we entrust our passwords to get compromised. Google, AT&T, Apple, Home Depot, Ebay, Target…all have been hacked at various times.
You can have the strongest password in the world, but if the system storing it is defeated, the attacker will have access to wherever else you use that password. And they’ll try variations of it too.
Given the disastrous state of passwords, we have to know how to make strong, unique passwords which can withstand sustained automated attacks. But what if you have 20, 30, or even 100 web site accounts? Fortunately the market has provided us with password management software that can generate and remember strong passwords with minimal effort. But the master password to access the manager needs to come from you and obviously be very strong. Same thing with the password to access your computer and phone.
What to do: Before we get to the password manager, it’s imperative that you know how to create strong, memorable passwords. I’ve researched a bunch of approaches and incorporated them into a basic methodology.
I can’t get overly specific about how to use the method because a specific strategy that’s public is easy to reverse engineer and crack. For example, people think the strategy of taking a famous phrase like “to be or not to be” and using the first word of each letter – tbontb – is a good password strategy because it looks so random. It’s actually a lousy password because it’s too short and that first-letter strategy is well known. Any good password cracker will run that strategy against databases of famous phrases, quotes, lyrics, poems, et cetera. So I’m going to show you how to make your own strategy using a modified pass phrase.
Unlike a password, a pass-phrase is several words. Every pass-phrase you make should be at least six words long. Here’s the catch. The words can’t be something you’d find in a database, like tobeornottobe, or variations of it like t0b30rn0tt0b3 or ToBeOrNotToBe! These are all readily cracked.
You need six words that mean something to you personally, but not to a bunch of other people. That’s the key. When people hear they should use a pass-phrase, they often pick something others would too, like newenglandpatriots or dancetillyoudrop. Not strong. It’s got to be 1) personal to you and 2) quirky. For example, mysizzlingloveaffairwithbacon is good because it’s pleasant to type, easy to remember, and the wording is quirky, not just a simple statement like ieatbaconeveryday. Even if you knew me and my affinity for bacon, mysizzlingloveaffairwithbacon would still be extremely difficult crack. (Don’t use this passphrase even if you share my love of bacon.)
So to review, we want personal and quirky – not literal information, like iwenttowaldonhighschool or ihavetwoyoungersisters or mymomisnamedsallysmith.
By the way, some people use totally random words like cowhandlestringredplentywindow, but I find that much harder to remember. It’s very secure though because it guarantees the user won’t pick an obvious or famous phrase. But a quirky, personal pass-phrase will not only be easier to remember, it won’t be annoying to type.
Make sure you use 6+ words. The difference in typing time between six or seven words versus two or three is only a couple seconds, but the difference in password security is gargantuan. The word count is much more important than the word length. blueantsfreakmybedout is strong even though it’s made of short words. Don’t skimp on word count.
Also know that you can include spaces in your passphrases (blue ants freak my bed out). I didn’t just to make the examples I’ve provided easier to distinguish from the text.
Now that you know how to make a quirky personal pass-phrase, we’re going to add one more layer of security. We’re going to apply a modification to the pass-phrase. Why? Because if an adversary figures out you’re using a pass-phrase, lower-case English words with no modification will be the first line of attack. The relentlessly increasing speed of computers means you might be vulnerable even if you use six words. Also if you unknowingly pick a common phrase like a famous quote or line from a song, the modification can save you from being cracked.
One example of a modification is to capitalize the first word of the pass-phrase – Mysizzlingloveaffairwithbacon. This modification is the most obvious one though, and bad guys know that, so pick something else. Pick anything that does something with capitals, punctuation, numbers, or any combination of those. Do your own thing, even if it’s simple. That’s better than a common modification like using leetspeak (e.g. substituting 3 for e, 4 for “a,” and 0 for “o”). Hackers have common modifications like this nailed.
It doesn’t need to be finger-twisting to type. You could even integrate the modification into the context of the passphrase itself, like eat8baconstripsEverymorningyay! That’s a deliciously strong password that you shouldn’t use.
An extremely powerful modification technique you should consider is swapping one or more of your pass-phrase words with a foreign language equivalent. Don’t bother with foreign words that are so popular that they’re used in English too, like nada or mucho. It doesn’t matter what language you pick, even Pig Latin, as long as you can remember the word. mysizzlingloveaffairwithaconbay turns “bacon” into Pig Latin, pun intended.
You’ll only need to invent and remember a pass-phrase to unlock your password manager and to log into your (soon to be encrypted) devices. The rest will be handled by your password manager.
If you’re nervous about forgetting a new strong password, you can write it down until it’s grooved. Some security people will tell you to never write down a password, but writing down a strong one is far better than having a weak password. Just don’t put the password someplace obvious, like next to your computer. The odds of somebody breaking your weak passwords online is exponentially higher than somebody breaking into your home and finding your passwords.
If you write down a password, here’s a technique in case someone finds the paper and tries to use it. Insert some dummy characters into the password that you’ll recognize as not being legit but which will fool others. You could add something, like your year of birth, as a decoy. So it would be, for example, mysizzling1980loveaffairwithbacon. If somebody finds and uses it, when it fails they’ll think you’ve changed your password.
Picking a Password Manager
A password manager does two critical things. First, it remembers all your passwords in an encrypted vault (except of course the password to access the vault). And second, it can replace your crappy passwords with automatically generated very strong passwords.After you’ve chosen a manager, you’ll want to make sure that you’ve told Firefox not to remember your passwords. Go to Options ? Security and uncheck “Remember passwords for sites.”
There are several password managers to choose from. They all have pluses and minuses. Here are a few I think are worth your consideration. Using any of them will massively improve your security, so go with whatever seems to suit you best. They are all free to try.
KeePass has been around a long time. It’s open source, free, and everything is stored on your machine. None of your passwords are uploaded to the cloud (a third party’s servers), so you don’t have to trust strangers to keep your passwords safe. But KeePass has a clunky interface that takes some getting used to. It’s also less convenient for the same reason that it’s more secure: Having your passwords in the cloud means you don’t have to worry about backing up the password vault or syncing your vault with other devices. With KeePass you have to back up your vault because if your computer dies or is stolen, you’ll lose all your passwords. And if you change a password, you need to manually sync the vault with any other computer or mobile device you use. KeePass was originally written for Windows, but because it’s open source there are multiple versions for all platforms to choose from.
Next we move to cloud-based managers. Dashlane has an elegant interface and is feature rich. Lastpass is the most popular manager and is also feature rich. They have a lot going for them, but both companies are based in the U.S. and subject to strong-arming. They promise that they store your passwords in an encrypted form that they can’t access, but there’s no way to know for certain because it’s not open source software.
If either company gets a government demand to divulge customer data or compromise their software with a backdoor, they will be legally gagged from telling people about it. I’m not making a value judgment against the companies – they seem very sincere and well-intentioned. But let’s not fool ourselves. Nobody at these companies is going to go to prison protecting your or my security. That said, Dashlane gives you the choice of storing your password vault locally (no copy in the cloud). If you’re willing to handle backing the vault up, that provides a substantial measure of assurance.
Another good choice for a cloud-based closed source manager is 1Password. One benefit it has over Dashlane and Lastpass is that it’s not in the U.S. The company is Canadian, and they point out that they have key people based in four different countries. If a demand was issued with a gag order, the principals in the other three jurisdictions could alert customers that their security was compromised without being tossed in prison.
Last but not least, my favorite choice is Encryptr, a free and open source cloud-based manager and e-wallet. Encryptr is zero-knowledge, meaning you don’t have to trust a third party to keep your passwords safe. You get the benefit of cloud storage without the risk of trusting closed source software. It’s not nearly as feature rich as 1Password, Dashlane, or Lastpass, but I personally like simplicity. And when it comes to all your passwords, open source transparency and zero-knowledge are arguably an overriding consideration.
I encourage you to try two or three out and see what feels right to you. Don’t stress about your choice. Whatever you pick, you’ll be massively more secure.
The final step with any password manager is to visit every site you have an account with and replace the old password with a newly generated strong password. Yes it’s an annoyance, but you only need to do it once. The payoff in security is enormous. (And don’t forget to turn off Firefox’s password storage: Options ? Security ? uncheck “Remember passwords for sites.”)
STEP 5 – ENCRYPT YOUR COMPUTER
This means your computer’s hard drive(s) and any external hard drives.Why: If you currently use a password to log onto your computer, that doesnot protect the information on your computer. The log-in can be circumvented with little effort by anybody with modest skills. Your drive needs to be encrypted, or your data is exposed to anybody with access to your computer.
If your computer is ever stolen, you’ll be out a computer but encryption means you won’t have to worry about being blackmailed, defrauded, stalked, or having your life otherwise hacked to bits.
If your internal or external hard drive dies and you chuck it or take it to get repaired, a stranger won’t be able to take it and recover all your data on it. They will only find an encrypted volume.
If your computer is ever confiscated at an airport, a border crossing, or in a government raid of your home, everything on it will be inaccessible rather than wide open.
***For Apple desktops and laptops only***
Apple ships its desktop and laptop computers with built-in encryption called FileVault. Follow these directions and turn it on. Don’t store your security key with Apple, and don’t store it on iCloud where Apple can be forced to disclose it or expose it in a security breach. Use the third recovery option: a strong passphrase. If you’re nervous you’ll forget it, print it out and store it someplace safe (not with the computer). And if you print it use the tip about printed passwords: Insert some dummy characters into the password that you’ll recognize as not being legit in case somebody finds it.
If you have external hard drives, you should encrypt those with FileVault too.Here’s how.
If you don’t want to trust Apple with your encryption (e.g. the possibility of a government back door), there is a free and open source solution. Veracrypt. It’s the successor to a highly respected encryption program called TrueCrypt. Unfortunately using Veracrypt is more complicated than File Vault, so expect about 30 minutes of learning curve. You can use VeraCrypt to encrypt your main computer drive and any external drives. It also can create an encrypted “file container,” which is like having a virtual hard drive of any size you choose where anything you put in it gets encrypted. For example you could make a 1 gigabyte file containers, put all your most important documents in it, and then put that file container anywhere – USB drives, the cloud, wherever – and your data is secure even if someone gets their hands on the container. (You can use Veracrypt to make file containers even if you use FileVault to encrypt your drive.)
Here’s the VeraCrypt documentation, most of which you don’t need to read to benefit from the core functionality of the program. (The default options are fine to use unless you need advanced features.) You can also search Youtube for several Veracrypt tutorials. The Beginner’s Tutorial is a good place to start. It will show how to make a file container. Once you feel comfortable making a file container (make and delete a couple just to get the hang of it), then try encrypting an external volume, like an external hard drive. The final step is to encrypt your main drive.
***For Windows PCs and laptops only***
Just to reiterate, having a Windows password will deter a nosey passer-by from going through your computer, but it is does not provide meaningful security.
You have a few decent options. The first is to use Microsoft’s disk encryption, which is called BitLocker. It’s free if you already are running Windows Vista Ultimate or Enterprise, Windows 7 Ultimate or Enterprise edition, or Windows 8 or 8.1 Pro or Enterprise edition. If you’re not you’ll need to upgrade to use BitLocker. Here’s a guide to get started if you want to got his route. My one criticism of BitLocker is it’s closed source, so nobody can tell if it has government backdoors. (Also new Windows 8.1 PCs ship with “Pervasive Device Encryption,” but Microsoft forces everyone to upload the encryption key Microsoft, so it’s not truly secure.)
The other option is to use the free and open source Veracrypt. It’s the successor to a highly respected encryption program called TrueCrypt. Unfortunately using VeraCrypt is a bit more complicated than BitLocker, so expect 20-30 minutes of ramp up. You can use VeraCrypt to encrypt your main computer drive (the one with your operating system on it), as well as any external drives. It also can create encrypted “file containers,” which is like having an encrypted virtual hard drive of any size you choose. Anything you put in a file container gets encrypted. For example you could make a 1 gigabyte file container, put all your most important documents in it, and then put that file container anywhere – usb thumb drive, cloud storage, wherever – and your data is secure even if someone gets their hands on the container file (assuming you used a strong passphrase).
Here’s the VeraCrypt documentation, most of which you don’t need to read to benefit from the core functionality of the program. (The default options are fine to use unless you need advanced features.) You can also search Youtube for several Veracrypt tutorials. The Beginner’s Tutorial is a good place to start. It will show how to make a file container. Once you feel comfortable making a file container (make and delete a couple just to get the hang of it), then try encrypting an external volume, like an external hard drive.
The last step is encrypting your system disk (your main drive, typically the C: drive). To do that you need a CD burner and a blank disk to make a Rescue Disk in case there’s a problem. If you’re not technical it’s a bit scary, and I appreciate how much it sucks to feel technically intimidated. So if you get freaked out, either use BitLocker if you have it, or make a big VeraCrypt container (they can be whatever size you want) and keep all your private data in there. A VeraCrypt container is pretty quick and easy to make, and you can copy it anywhere just like a regular file.
DiskCryptor is another free, open source alternative that is a bit easier to use (and has fewer features). Here’s a tutorial video that walks you through how to encrypt your main drive step by step.
STEP 6 – SECURE YOUR MOBILE DEVICES
Why: If your phone or tablet is ever stolen the last thing you want is to worry about is having all your contacts, email, photos and other personal info in the hands of bad guys.I know people who have had phones taken into back rooms during random airport security questioning. You really want your data encrypted with a strong password in a situation like that because all of your phone’s data can be cloned very quickly.
Because you can be arrested for trivial infractions such as driving without a seatbelt or having unpaid parking tickets, even the smallest crimes can be combined with narratives cops are trained to concoct about reasonable suspicion to pry open the door for a full-blown search of your digital life using sophisticated analytical tools. The only protection you have – and it’s great protection, thankfully – is to encrypt and password protect your mobile devices.
Needless to say, if a police officer or other government agent tells you to unlock your phone, politely refuse. If you comply, anything they find can be used against you. And it doesn’t matter whether you’ve been Mirandized or not. No matter how certain you are that you haven’t committed a crime (re-read the Into the Abyss section again if you think you’re innocent), there are officers who will plant evidence and fabricate testimony, so don’t give them rope to hang you. This guide provides essential guidance on how to interact with police.
***for iPhone and iPad users only***
TouchID – If you have an Apple device that has TouchID, I recommend using it.
Passcode – Many people don’t even put a passcode on their iOS device. Hopefully it’s clear by now that doing that is pretty much like begging for misery.
If you don’t have a passcode, from the home menu tap the gray settings icon. Then tap the “General” settings button and choose “Passcode Lock.” Tap the “Turn Passcode On” option at the top of the menu. Turn “Simple Passcode” OFF and choose a real passcode – at least 10 characters. Will it be annoying at first to spend an extra 2-3 seconds unlocking your phone? Yes, but you’ll get used to it.
People who use the “simple passcode” option might as well not have a passcode. Anybody who is determined can guess a 4 digit password within a couple hours, often within minutes since people pick obvious ones like 1111, 1234, 4321, 4444, 1357, 3579, et cetera.
If the extra 2 or 3 seconds to enter a real passcode is unpalatable, at the very least turn the “Erase Data” option to ON in the Passcode Lock settings page – and don’t use an obvious 4 digit code.
Don’t Trust – Apple’s attempts to make things automatic can lead to critical security breaches. Here’s one many iPhone users don’t know about. Say a coworker is going to put a file on your iPhone, like a sales video you both made together. You plug your iPhone into his Mac. Up pops a question asking if you “Trust” his computer. If you say ‘yes’ and you have your iTunes set to backup iPhone data automatically, ALL your iPhone data will be copied to your coworker’s computer – contacts, messages, email, photos, everything. So don’t “Trust,” or make sure you have automatic backup turned OFF.
***for Android users only***
Cyanogenmod – Manufacturers of Android devices install various software that they ship with the device. You really don’t know what that software is doing. It may track you, and it’s often “bloatware” that slows your device down. A solution is to install Cyanogenmod. If you have a device on this list, then you can use the Installer which makes things easy. If you don’t have a device supported by the Installer, I would skip it unless you want to roll up your sleeves and get fairly technical.
There are many advantages to Cyanogenmod. Your device will run faster and have some extra privacy features. Here’s a good roundup to judge if you think it’s right for you. If you want to give it a go, this is where you start.
Encrypt your device – While iPhones are encrypted by default, Android devices generally are not. (Some new Android models like the Nexus 9 are shipped with encryption on by default, and fortunately most other new Android devices will follow suit shortly.)
Be aware that if your Android device is more than a couple years old, encrypting it will make it perform more slowly. I think it’s worth it, but it bears mentioning since this is the case for older models. You can try it, and if it’s not workable for you, you can unencrypt the phone, but know that unencrypting it will factory reset it. Newer Android devices don’t suffer any noticeable performance hit.
When you enable encryption, you’ll need your phone to be mostly charged as well as plugged in. It takes about 30-60 minutes. Go to Settings->More->Security->Encrypt device. Here you’ll of course want to pick a strong passphrase that’s ideally easy to type. Remember without a decent passphrase there’s not much point to the encryption. Will it be annoying initially to spend an extra 2-3 seconds unlocking your phone? Yes, but you’ll get used to it. It’s worth it.
Be sensible – I agree with this article’s advice that you generally don’t need anti-virus software for Android devices if you’re sensible about sticking to legit-looking apps from the Google Store or other trusted sources that seem legit. Also avoid apps that demand unreasonable permissions to access to your phone. If you’re downloading a game and it wants permission to access all your contacts or dial phone numbers, for example, I’d skip it. The freeDCentral1 app lets you monitor what permissions your apps have.
STEP 7 – USE SECURE CLOUD STORAGE
Why: If you’re going to upload files to cloud storage like Dropbox, Google Drive, iCloud, or OneDrive, use a service that encrypts your files before they are uploaded. No matter what Dropbox claims about security (and they’ve been caught contradicting themselves), you don’t want to trust any company with your personal files. The Dropbox site says, “Dropbox employees are prohibited from viewing the content of files you store.” Saying people are not allowed to look at your files is not security you can count on, nor is it protection from the government surveilling your Dropbox.What to do: To quote Snowden, “Get rid of Dropbox.” Snowden’s suggestion is to use SpiderOak because it’s zero-knowledge, meaning they encrypt your files before they’re uploaded, making it impossible for the company to see the contents of what you store on their servers. The first 2GB on SpiderOakare free. An alternative to SpiderOak that takes a similar approach is Wuala, which gives the first 5GB free. Also worth considering is open source encrypted cloud storage such as Seafile (1GB free) or the mostly open sourceCyphertite (8GB free).
Any of these options are far better than Dropbox, Google Drive, et cetera. Since they all give free storage space, maybe try out two or three.
STEP 8 – SHUN SURVEILLANCE-BASED SOCIAL MEDIA
Why: Many people in this world are lonely. “Free” social networks like Facebook are designed to capitalize on this. In return for helping you feel connected to others, they study you like a lab rat and turn you into a product. I’m not exaggerating. As the founder of Facebook said, “They ‘trust me’ – dumb fucks.” Meanwhile he surrounds his home with empty lots and hundreds of acres of undeveloped land.Facebook’s “like” system is designed to reinforce whatever your existing beliefs are. Facebook is engineered to be a giant echo chamber which figures out what you like to hear so it can feed it to you. That’s how it hooks people.
It’s also the ultimate propaganda system. Recall Facebook’s notorious social engineering experiment which proved it could manipulate the mood of over half a million people by altering their feeds. The experiment received funding from the US Army Research office. The military funds research on the mass manipulation of a population’s mood? You don’t say.
As with Google, Facebook’s core business is mass surveillance. You’re the product, not the customer. Facebook collects and stores an insane amount of intel about every facet of your life. It not only tracks everywhere you go, it lets others track you too.
Facebook has developed software as accurate as the human brain to reveal your identity in any photo you or someone else uploads. And yes, even 4 years ago Facebook was tracking you and assembling hundreds of pages of intel on you even when you weren’t logged in. Now it’s thousands of pages, and the surveillance and analysis are much more sophisticated.
Every time people post photos of themselves and others to Facebook, Instagram (owned by Facebook), Twitter, Google, or other surveillance-based services, they are unwittingly building mass surveillance databases containing the details of people’s appearances, who they associate with, what they do, and when and where they’ve been.
A single innocuous photo can reveal a lot of information. Trillions of photosis a frightfully vast surveillance database to be exploited by regimes, corporations, and free agent bad guys. Mass surveillance depends on social media as a primary data source.
Every American technology mega-corp has backdoors. Snowden made it clear: Tech giants are surveillance proxies for the government. The government’s own top secret slide is worth repeating here as it just says it all.
The Mass Surveillance ComplexThe Mass Surveillance Complex
To put it plainly, Facebook and other “free” social media services are mass surveillance roach motels. Free is the bait to get you in the door, and surveillance intel is used to hook you on the service so you can become a forever profitable product. Yes they are slickly marketed, convenient, and ultra-popular. They are also a trap and indispensable to the mass surveillance scaffolding. Check out of the roach motel.What to do: It’s easy to share photos with friends and family without undermining our security by using encrypted cloud storage (step 7) or encrypted messaging and email (coming up). But to some the prospect ofopting out of Facebook or other social networks is unthinkable. But is Facebook actually improving the quality of your life? Are you now happy and fulfilled because of Facebook? If you’re willing to try, here are some suggestions for breaking the addiction.
If you’re unwilling to reject surveillance-based social media, at the very least adjust the “privacy” settings as tight as you can so that your life isn’t an open book to free agent bad guys. Facebook and Twitter are primary research tools for hackers and stalkers, and of course police and surveillance agencies. They use fake profiles to friend you and gather intelligence. Or impersonate you and use you as an unwitting honeypot. The NSA evenimpersonates Facebook.
You can replace surveillance-based social networks with non-surveillance alternatives. I’m a member of Liberty.me, a member-funded social and publishing network. Because its members are its customers, Liberty.me eschews a surveillance-based business model. Members can sign up with fiat money or bitcoin. Unlike Facebook which demands people use their real names, you can choose any name you’d like and reveal your identity only to those you personally trust.
I haven’t tried them, but Diaspora and Friendica are two other social networks which are not surveillance based, and there are others in development.
STEP 9 – ENCRYPT YOUR EMAIL, CHAT, AND TEXTS
Why: Your email, chat, and texts desperately need to be secure. They are a jackpot of personal information about your life that can be used to harm you in any number of ways. It doesn’t matter if you think your life is not particularly exciting. People who stalk, extort, kidnap, and blackmail don’t limit their targets to hard-partying celebrities. Your email gives a treasure trove of leads to bad guys about how and where else they can invade your life. Surveillance-based email options like Gmail are not encrypted, and your email is automatically scanned and analyzed for packaging you to advertisers.Companies that offer closed source software which claim to use robust end-to-end encryption are not worth considering unless there are no other options (and fortunately there are). A perfect example is WhatsApp, owned by Facebook. The company says it uses and likes open source, and yet WhatsApp’s code is not open source. Being closed source, people have no way to verify the quality of the encryption, whether there are bugs in the implementation, whether there are backdoors, and what is happening to your data behind the scenes. There have been several security breaches, but as with all closed source software, we don’t know how many security flaws are being quietly exploited right now.
The same issues make Skype untrustworthy despite its claims of secure encryption. Microsoft scans your Skype messages, and there have been back-doors in Skype and other Microsoft products for years.
The bottom line is no matter how exciting and promising the security claims, any closed source software, especially if offered by a U.S. based company with U.S. backers who fund military contractors, is fundamentally unable to provide reliable security assurances.
What to do: Replace your communications software with encrypted alternatives. Email, chat, texts, and phone calls. (Yes, even SIM card manufacturers have been hacked.)
Texting:
Open Whisper Systems – Signal for iOS. TextSecure for Android.Telegram – iOS, Android, Mac, Windows, Linux
Phone calls:
Signal for iPhone. Red Phone for Android.Chat:
CryptoCat – iOS, Mac OS X, Firefox add-onChatSecure – iOS and Android.
Telegram – iOS, Android, Mac, Windows, Linux
Adium – Mac OS X
Email:
If you like the convenience of using a webmail account, choose a provider who uses built-in encryption. I like Tutanota, Protonmail, Neomailbox, and Countermail. (I’d recommend Startmail too if they accepted bitcoin.) They all use an open source, gold standard encryption called PGP. Tutanota deserves particular recognition because it’s entirely open source. Some of them are subscription based, and some operate on donations. Unlike Gmail and its ilk, these all have robust privacy policies, are hosted outside the U.S. (making them harder to strong-arm), and make the encryption process seamless.By contrast, if you want to use a local email client like Thunderbird, the only way to do so securely is to configure and use PGP yourself. Doing that onWindows and on Mac is frankly a huge pain in the rear for non-technical people. Even Glenn Greenwald, the reporter who broke the Snowden story, couldn’t follow the tutorial Snowden made for him. Upstart Whiteout looks like it’s trying to make the process far easier.
If you’re dead set on using an insecure mail provider like Gmail, Yahoomail, or Outlook, your best bet is to use Mailvelope to incorporate PGP encryption. It’s still a hassle to use, though, compared to Tutanota and the others who do the encryption for you automatically.
I realize that switching email providers is a big deal (as far as these things go). But notifying people that you’re switching to an encrypted email provider is a desperately needed message people need to hear. Overcoming mass surveillance is more of a motivational challenge than anything else. Mass surveillance is packaged as just another news item to shake your head over. But personal action is the only thing that will inspire others to take it seriously. Mass surveillance is not a news items. It’s a silent war being waged against us.
When you choose an email address, consider not basing it on your name. There are constant security breaches at companies resulting in email addresses getting lifted along with other potentially embarrassing info. If your email address also reveals your name, it gives bad guys another piece of data to work with in taking you apart.
STEP 10: USE A QUALITY OFFSHORE VPN
Why: You have an ISP who provides you with internet access. The problem is that ISPs monitor and record your activity online. Net neutrality will onlyintensify the monitoring as ISPs are turned into government regulated utilities.The same monitoring happens when you’re at a coffee shop, airport, hotel, or other public wifi. But at those places it’s even worse because anyone with technical skill can monitor what you’re doing in addition to the ISP.
That’s where a VPN comes in. It stands for Virtual Private Network. The main benefit it offers is to encrypt your Internet traffic. Neither your ISP or the creepy guy at Starbucks will be able to track what you do online.
What to do: Choosing a good VPN is key. This is the one step in this guide where I urge people to avoid the free route. There are free VPNs, but they are slower and typically have lousy privacy policies because they target you with ads to compensate for the VPN being free. VPN services require substantial capital investment, so you really want to be a customer rather than the product for advertisers. It’ll cost around 15-20 cents per day. Hugely worth it for the security benefit.
What you want is a reputable VPN that uses strong encryption and a “no log” policy. You also want the VPN to be based outside the U.S. Otherwise the company can be legally gagged and crushed like Lavabit. I suggest choosing one of the VPNs from the list provided here.
ESSENTIAL SECURITY PRACTICES
Congratulations on taking action! The process of hardening your security gives great perspective on just how insecure our digital lives are. No wonder we’re constantly hearing about security disasters.The following practices are for the most part quick and simple to adopt. They can save you untold grief.
PDF and Word doc risks. Adobe pdf files can be rigged with malware. If you download or receive a pdf from an unknown or untrusted source, scan it with your virus scanner before opening it. Also disable Javascript in your pdf reader. If upon opening an untrusted document you are solicited to click on a hyperlink, it’s likely a trap. Same for Microsoft Word documents. Avoid opening them unless they’re from a trusted source.
By the way, if you’re tired of paying for Microsoft Office, switch to the free and open source Open Office. It reads and writes Microsoft Word, Excel, and Powerpoint files.
Recognize when “free” is a trap. Bad guys know that free things are enticing. There’s a lot of wonderful free and open source software (FOSS). But there’s even more free software out there that despite promising great benefits is malicious. Exercise caution and do some web searching first to see if a program is malware before you try it out. A little due diligence can quickly confirm what’s legit.
The same warning applies to free reports or books sent as pdf files or Word docs. Typically they promise to deliver health, sex, or money-making secrets. Documents can have malware embedded in them, as can the sites that promise to give you access to them.
Keep Adobe Flash up to date, or better, dump it. If you decide to use Flash (many sites and online games use it), make sure you keep it up to date because it’s been plagued with security flaws. Adobe Flash will also try to slip in McAfee Security Scan during the installation. The installer annoyingly opts you in by default because Adobe gets an affiliate kickback. I suggest notallowing McAfee to be installed (uncheck the box). It’s a crippled version of McAfee’s paid product that will say your computer is at risk until you purchase it, and it’s a pain to uninstall. If it slipped by you already and you want to uninstall it, here’s how. Or even better, uninstall Flash and see if you can get by without it.
Cover your webcam when you’re not using it. Even five years ago public school employees were remotely turning on web cams and secretly recording students at home. Plenty of malware and commercial stalkerwareout there does the same thing. Most desktop computers don’t have a camera or microphone, so you can disable them both just by unplugging your webcam when you’re not using it. And that little dot above your laptop screen where the camera lens is? Cover it up with a bit of post-it note or black electrical tape. It takes 3 seconds to cover and uncover the lens, so just groove the habit. Unfortunately there’s no easy fix I know of to physically enable and disable your computer’s mic.
If you have an Android device, here’s an inexpensive app that can disable your camera and microphone, which can be remotely activated and used as a surveillance device.
Use two-factor authentication (2FA). 2FA uses two security tests to permit access to information or physical resources. One example is an ATM card and a PIN code. Another is a password and a fingerprint. The more factors you add, the harder it is for bad guys to crack. Just going from one to two factors provides a huge increase in security. Many mobile devices can take advantage of 2FA. The downside is it’s usually more inconvenient to use. Bad guys are counting on you to be dissuaded by that, so use 2FA whenever you can. Here’s a directory of sites that support 2FA.
Have kids? Parental controls. Kids are a security nightmare. Gold stars to you if you teach them how to behave intelligently online. Just recognize that it’s highly unlikely they will always follow your instruction. Kids are particularly resourceful about things that are forbidden. If they ask you to buy a movie or video game for them and you say no – if they ask at all – they may decide to find it online. Whether or not you approve of that, “free” software is a honeypot for malware.
Bad guys are smart. They’ll offer a “cracked” copy of a video game, for example, but the act of installing it will also surreptitiously install malicious software that can do anything from stalking you to recording everything you type (including passwords) to sending files from your hard drive to bad guys. A lot of malware also turns your computer into a zombie that infects other computers on the web. If you care about not harming others online, use measures to avoid becoming a tool for bad guys to go after others.
Both Microsoft and Apple provide parental control settings for choosing what can be downloaded and visited on the web. There is also free third party software that gives you more options, as well as parental control apps for mobile devices. Consider these options carefully unless you have full confidence in your kids and their friends.
Encrypt individual files and folders. There are lots of reasons for encrypting individual files or folders. Maybe you need to email files to people who use insecure (unencrypted) email like Gmail or a corporate email address. Maybe you want to put files on a USB stick and take them someplace. Maybe you need to upload files to somebody’s Dropbox or Google Drive account who is unwilling to switch to SpiderOak. Maybe you want a person or organization to have files in their possession but not be able to access them until a certain event happens like an accident. Maybe you want to back up a big directory full of files and keep it at a location that’s handy but not secure like the desk of an apartment filled with roommates. Or maybe you just want an extra layer of protection for very important files in case somebody accesses your computer when you’re logged in and your hard drive is decrypted.
Whatever the reason may be, there are several free programs for encrypting individual files or folders. To encrypt a file or folder full of files, I suggest the free and open source 7-zip on Windows or Keka on Mac. Both programs compress your files but also give you the option of encrypting them. There are different compression formats those programs can use like 7-zip, zip, and rar. I suggest using 7-zip format because it’s Mac and Windows compatible and the compression is good. Here’s a quick how-to for both programs. Just remember compressing files won’t encrypt them by default; you also need to enter a (strong) passphrase. After you encrypt it the name of the file like “MyAccounts.7z” or “SurpriseVacation.7z” will still be visible.
Deleted files aren’t deleted until you shred them. Any file you delete isn’t actually deleted when you trash it. All trashing it means is that you’ve given permission for the file to be overwritten. To make sure that the empty space on any storage device is actually empty rather than filled with your deleted files, you need to use a program that writes dummy data over your real data a few times. A program we’ve already used, Ccleaner, does this (use at least 3 overwrites). On Windows another option is Eraser, which is open source. An even more comprehensive one is BleachBit. Mac users can shred deleted files by selecting Secure Empty Trash. More details on Mac file shreddinghere.
Securely deleting files on SSDs (used in mobile devices, lots of laptops, USB thumb drives, and many desktop computers) is a no-go for technical reasons. That’s why it’s all the more important to make sure the drives are encrypted. If you ever want to sell or give away your Android or iOS device, do a factory reset. The encrypted data will still be there but the encryption key will be erased, making the data unrecoverable.
Privatize your purchases. Your credit card transactions are recorded and distributed to multiple government agencies. As with tech companies, the government is a direct customer of the credit agencies who give them your financial information. Like surveillance-based social media, you are the product, not the customer.
A running record of every transaction you make along with when and where you make it is a mass surveillance wet dream. Like uploading your photos to Facebook, every credit card transaction helps weave the mass surveillance net. I don’t deny the convenience of credit cards or the benefit of “points.” But as with social media, the price is hidden but high.
Use cash when you can. It’s still relatively private, which is why the government hates it. But know that having a few thousand dollars in your possession makes you a criminal suspect. If found, your cash will likely beconfiscated. Its use is gradually being outlawed and several countries arerapidly going cashless.
Also know that if you try to withdraw a few thousand dollars out of your bank account you will likely be questioned and have a Suspicious Activity Report filed with the government. The same thing goes if you try to deposit a sizable amount in your account.
Precious metals are also difficult for the government to track. While they can be a great way to hold onto your savings in a zero-interest QE-driven world, the problem is it’s difficult to purchase things without resorting to barter.
So how to deal with the fact that withdrawing or holding cash in meaningful amounts has become a serious liability? More people every day are turning to non-government digital currencies. These non-government currencies are called cryptocurrencies because they are secured against counterfeiting through their use of cryptography. The most popular cryptocurrency is bitcoin.
There are many good reasons to use cryptocurrencies. The first is that you have monetary independence and privacy. You don’t have to fill out bank forms or get permission to access your money. You can send money anywhere in the world instantly without forms or questioning, and it costs only a few cents in fees. People who work abroad and send money home typically pay 10% in remittance fees. The compound savings by not getting clipped 10% every time is huge.
Hundreds of thousands of items can be purchased with bitcoin, including the recommended VPNs in Step 10.
The second is security. Accounts can be locked down and siphoned for bail-ins. Cash can be lost, stolen, and seized. You cannot walk around with a substantial amount of cash without making yourself a target. That is doubly true if you travel, where carrying $10,000 on a plane effectively makes you a criminal suspect.
You can carry any amount of cryptocurrency in a secure “wallet” on your phone, computer, USB thumbdrive, or even your camera’s flash card without anybody seeing what you have. Your wallet can be backed up the same way you would back up any computer file. If your phone or computer get stolen, the money can’t be spent without the key to your wallet. You can copy your wallet as many places as you want and even print it out as a paper wallet. You also can split your money into as many wallets as you want and store them different places if desired.
For the ultimate in portability and security, you can use a brain wallet. A brain wallet means that access to your money is literally only in your brain via your passphrase. There is no other way to access your wallet (so don’t forget the passphrase!) You can cross any border with just the clothes on your back while “carrying” any amount of money with you.
While bitcoin transactions are not systematically identity tracked and reported to corporations and government agencies, bitcoin purchases are not truly anonymous. While your name isn’t attached to purchases, the purchases themselves can be traced. There are techniques for anonymizing bitcoin, such as mixing. Another option if you want to make anonymous purchases is the DASH cryptocurrency, which is specifically designed for anonymity.
The third reason is cryptocurrencies allow you to hold your savings in a currency that is not being systematically counterfeited (the government term is inflated). Cryptocurrencies are new, so the primary risk in using them is volatility. Volatility can work for or against you. People love upsidevolatility; downside volatility is what makes people nervous.
The way to deal with volatility if it worries you is to dollar cost average (DCA) your cryptocurrency purchases. If you wanted to own, say, $5,000 worth of a cryptocurrency like bitcoin, you could DCA the purchases by buying $1000 in bitcoin per week for 5 weeks, for example. Or $500 per day for 10 days. The more you spread it out, the more volatility is reduced.
Lastly, use bitcoin out of principle. The government derives its power to do all the objectionable things it does from the monetary system. Fiat currencycan be created in any quantity by the government at any time and at zero cost.
Given the government’s ability to create money instantly at zero cost, tax collection today is mostly about social engineering. Paying taxes maintains the illusion that fiat money is scarce and therefore valuable. Yet with every additional trillion dollars that it snaps into existence, the government enriches itself while eroding the purchasing power of savers who treat the dollar as an article of faith. The fiat story never has a happy ending. Nobody is going to end (or audit) the Fed, but cryptocurrencies enable us to largely ignore it. That is truly liberating.
Torrent carefully. If you’ve never used Bittorrent, you’re missing out on a ton of quality content that is absolutely free. Bittorrent is a way for people to efficiently share files of their choosing with anyone else in the world. Many people think bittorrent is only for downloading copyrighted material like movies, TV shows, and music, but there are loads of copyright-free contenton bittorrent.
Whatever you download, be careful. It’s easy to download files that have been shared with the purpose of injecting your system with malware. If you’re going to use bittorrent, here are a few suggestions:
Use qBittorrent for your client. It’s open source, unlike the popular but closed source utorrent. For increased security use IP filtering andanonymous mode. For even more security use it with a VPN service that permits bittorrent use. (All the VPNs recommended in step 10 allow bittorrent use.)
Media files like mp3, mp4, avi, mov, and flac are safe to download. They don’t carry malware infections. I recommend playing media with VLC Player. It’s fast, free, open source and doesn’t spy on you.
Don’t download any software from bittorrent unless you trust the source or really know what you’re doing. Anything that requires installation (like an .exe file) is a big security risk. If you have kids, they may (will) download games from bittorrent which are likely malware carriers. (Just because a game runs properly doesn’t mean your computer hasn’t been loaded with malware.) To make matters worse, the directions for much of the software you see on bittorrent sites tell you to disable your anti-virus during installation. It’s true that anti-virus software can impede installation of some software, but disabling it for an untrusted source is a great way to get slammed with malware.
If you decide to download software from untrusted sources, at least sandboxthe program. Sandboxing is a powerful security measure, but it’s not a silver bullet.
Grow your knowledge – Once you feel comfortable using the security measures in this guide, I encourage you to investigate other ways to increase your protection. Liberty.me’s free privacy guide has some good advice that goes beyond online protection of your identity.
For more online security measures, this guide is a solid next step. Note that it’s still a beginner’s guide, which gives you an idea of how much can be done. It’s wise to remind ourselves as security beginners that we’ve only taken basic steps. This guide also offers some more in-depth advice when you’re ready. Both cover using your VPN in combination with TOR. There is a performance hit to your browsing speed, but you get substantially more privacy. Just don’t take the anonymity claim on the TOR web site as literal. There’s no such thing as bulletproof anonymity online, though when you use TOR properly, you can achieve an extremely high level of security that requires very sophisticated adversaries to defeat.
Donate – Many extraordinarily talented, principled, generous people who understand the horrific implications of mass surveillance work ceaselessly to provide free, open source solutions to protect us. I encourage you to send a market signal that their heroic work is sincerely in demand and appreciated. In other words, please donate here or to whatever open source projects you use. Also consider supporting critical resources that journalists, activists and whistleblowers depend on like SecureDrop, TOR, and Tails. They require continual development to keep pace with mass surveillance expansion. Without these resources we’d be in the dark about what’s being done to us.
Snowden is one of many who have risked their lives to expose mass surveillance and the other awful things regimes do in secret. As mass surveillance technology advances, if the tools to fight it don’t advance then resistance will become impossible. We depend on the ongoing diligence of skilled coders in a very real and urgent way.
AFTERWORD
Ok, I gotta ask. Did you skip some steps because you made a value judgment about your life? Maybe you decided to stick with Dropbox since you only put family reunion photos or cooking recipes there? Perhaps you didn’t switch to encrypted calls and texts since you think whatever you have to say will be met with indifference by those who record you.Every bad guy and every regime banks on you thinking this way so that you don’t take action. Mass surveillance depends on mass indifference. It’s not about whether files are sensitive or whether you’d share them with someone who politely asked to see them. It’s about your power to give permission. It’s about control. Universal control. Snowden wasn’t mincing words when he risked his life to expose the greatest weapon of oppression in the history of man.
When it comes to mass surveillance, principle is inseparable from risk. If you choose not to act, everything can and will be taken without permission. Whenever down the line you decide things have gotten insufferably out of control, it will be too late to do anything. Ignoring ugly truths is how we end up looking back and wondering how things got so bad. Don’t fall for it. If you haven’t already, please act now.
Gratitude for Alan Turing
Encryption is what empowers us, the governed, the peaceful outlaws. Without it we would have no shelter from the shadow of criminality politicians have cast over us.What breathtaking irony that the means to protect ourselves is owed to a heroic criminal named Alan Turing. The father of computer science and mastermind of cryptography, Turing broke the Nazi regime’s “unbreakable” encryption code, Enigma.
After providing the British government with its single most powerful weapon – the means to know everything the Nazis were going to do in advance – Turing was prosecuted by the regime in 1952 for being homosexual. The man who saved millions of lives by shortening war – that greatest of government abominations – was a criminal.
Alan Turing, heroic criminalAlan Turing, heroic criminal
Turing pled guilty to the crime. As punishment the government ordered him to be chemically castrated in a series of brutal medical treatments which led to his suicide two years later.
This man was a liberating force for humanity. We owe him our deepest gratitude.
Parting Thank You
The Internet is the most powerful tool we have to inform, protect, and help ourselves and others. By taking action, you are materially advancing the cause of human liberty. Our own psychology is the biggest risk in determining our fate. Will we succumb to learned helplessness? Or will we quietly and with determination cut the noose from our necks?Together we can thwart those who seek to dominate and control. Let’s take care of ourselves, help others wherever we can, and turn away from fear, the eternal enemy of freedom.