These answers are unlikely to make much of HN happy, but they are the correct answers.
1. Get an iPhone and use it in preference to your computer.
2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").
3. Disable SMS 2FA on any account wherever you're using real 2FA.
4. Switch to Google Chrome, which is significantly more resilient against vulnerabilities than either Safari, Firefox, or IE.
5. Don't use Dropbox.
6. Enable your OS's built-in full-disk encryption (this is FileVault on a Mac, BitLocker on Windows).
7. Disable cloud-based keychain backups (OS X will ask you to opt-in when you configure your phone or laptop the first time; Windows will make you go out of your way to do it).
8. Install Signal and either WhatsApp or Wire on your iPhone. Use Signal when you can, and fall back to the less strict alternative app when you can't.
9. Don't use email to send sensitive information, full stop.
10. Install a password management application that doesn't store your secrets in the cloud. I recommend 1Password. Better though to rely on 2FA than on a password manager.
11. Do not use antivirus software, other than Microsoft's own antivirus software on Windows.
12. Turn off cloud photo backups and location sharing for your camera.
13. Don't accept or click on email attachments, or allow your peers to send email attachments.
1Password has a WiFi sync option that syncs your passwords between your computer and phone when they're both connected to the same WiFi network. I've been doing it Mac --> Android for quite some time and never had any issues.
Great recommendation, but how do you handle syncing passwords between your
computer and phone?
I use KeePass to encrypt my passwords and store the password vault in Dropbox. It's not a perfect system, in that an adversary can gain access to my password vault and try to brute-force my master password. But it's "safe enough", if you make sure to use a strong passphrase as the master password for the vault.
Your password might be a guessed in a dictionary attack if you have a weak password. Or if at some future date a KeePass specific vulnerability is discovered, someone might be able to use that.
But someone trying to brute-force your password isn't a problem anyone needs to worry about.
To my mind, the real downside to using dropbox to store encrypted stuff is that the existence of the encrypted stuff is not a secret. And recently it seems the spooks look upon encryption with ever increasing suspicion.
I'm not sure why tptacek specifically warns against using Dropbox. My guess (and I emphasize that this is just a guess) is that you can't rely on Dropbox (or Google Drive or Microsoft OneDrive) to keep your data out of the hands of a state-level adversary. However, encrypting your data before putting it into Dropbox should address that concern. Is there something I'm missing? Is it that cloud folders like Dropbox make it too easy to accidentally share information in cleartext?
If you have a device that's relatively well hardened against attack, why subvert those protections by giving a copy of your secrets to a third party who isn't (and can't be, from a legal standpoint) as well protected?
Why give a copy of your secrets to an adversary that's 10 to 20 years ahead of the rest of the world, crypto-analytically speaking?
> Get an iPhone and use it in preference to your computer.
When connecting to a computer or charging, never ever tap on "trust this computer". If I understand it right "trusting this computer" involves some irrevocable certificate exchange, in effect granting the computer elevated permissions.
Can someone correct me? What precisely "trusting" on iphone means except from the ability to decrypt backups?
4. a citation why chrome would be "safer" than firefox (or edge) would be appreciated. in terms of privacy, i wouldn't trust chrome as much as i'd trust firefox.
7 and 10: as others have noted, where is the security risk in storing the encrypted vault in the cloud? actually, choosing user-friendly solutions has a security benefit in itself because it doesn't make you switch to less secure alternatives ("i'll just use my standard password for this one thing) out of laziness
9. should mention PGP, although that's certianly not convenient and might not work for less tech-savvy people.
I think it's reasonable to trust Firefox's privacy more than Chrome's. But there are very few people in the industry who trust it's security more than Chrome's. Chrome has a more secure architecture and one of the best security teams assembled for any consumer product.
The iOS and Chrome recommendations are the things I'm saying that I believe to be somewhat unpopular here. But in the software security community, they've been commonly accepted for several years now.
I try not to recommend PGP anymore, not because it's unsafe but because it's difficult to use and discouraging for unsophisticated users.
Having said that: I actively warn against trying to use PGP for secure email. Email has inferior security even with PGP layered on top of it. Signal was designed for long-term asynchronous conversations; if you can use PGP, you can use Signal. Use Signal instead.
Yeah, its a mixed bag when choosing between Firefox and Chrome - especially if both security and privacy are desired. Personally, I trust and like Mozilla more than Google, but Chrome has better security from what I have observed.
The FBI has repeatedly found and exploited Firefox vulnerabilities. Chrome does all the dangerous bug-prone stuff (parsing) in a separate process that is sandboxed, so vulnerabilities are harder to exploit.
Chrome holds up far better in the annual Pwn2Own competitions than any other browser. The Chrome team really goes over the top on security and sandboxing. Firefox is unfortunately a CVE-fest.
Second, how much security does this provide and against what? For example, Moxie said once that Signal was designed to be usable and prevent mass surveillance, but not necessarily to prevent targeted attacks (my paraphrasing);[0] civil rights activists can expect targeted attacks.
Finally, the public needs real security professionals to do the work and provide a reliable, authoritative, updated guide - including pointing out where in the technology/solution stack we need better solutions. There are many guides out there, some cited below; like all the other unreliable information on the Internet, some are obviously flawed, some are flawed in ways that few will notice. There is no alternative to real security expertise. Also, it will need names on it that people know and trust. Crowdfund it; I will happily contribute.
There are several gradations more security we could specify if we relaxed the constraint that ordinary non-technical activists be able to reliably do things.
The level of protection you're getting here is from targeted non-state attackers, ambient opportunistic state-level actors, and non-specialist law enforcement. Some of this stuff would have helped Ross Ulbricht (I mean that non-normatively), for instance.
Google "you're gonna get Mossaded" for fuller picture of what we can expect for current state of the art against targeted state-level attackers.
Can one configure Chrome to not be a data-sucking kraken?
> 7. Disable cloud-based keychain backups.
That backup is encrypted, I'd hope? So, is the problem that getting hold of a cloud-backup facilitates off-line attacks on the encryption key?
I remember Filippo (FiloSottile here) publishing his encrypted private PGP key [1] (back when he was still positive on PGP). If that's safe, how is this problematic?
> 10. Install a password management application that doesn't store your secrets in the cloud.
Same question as 7. My understanding was that most password manager vulnerabilities have been related to browser integration, so that is the first thing I'd switch off.
There are also people who use Chromium, or particular configurations of Chromium, instead of Chrome. That's fine. But don't use forks of Chromium, no matter who maintains them, even if it looks like a sizable effort. You don't want your browser to be any number of days behind the Chromium patch cycle.
I use the browser integration for 1Password on OS X (I might not if I was on Windows). I'm generally not that worried about localhost privilege escalation. I am very worried about how well I can reason about cloud-based storage of any sort, and how it will interact with things like my browser.
KISS: keep your secrets out of cloud systems and your backups offline.
If you're very sophisticated, I like Tarsnap for online backups. But you have to be very sophisticated to use it.
If you're very sophisticated, I like Tarsnap for online backups. But you have to be very sophisticated to use it.
I think you're overstating this a bit. You have to be comfortable at a UNIX command line. Surely that alone doesn't qualify someone as "very sophisticated"?
1Password doesn't store secrets in the cloud, as far as I know. You have to manually back up the database and some users choose to store that encrypted db in the cloud.
I don't disagree with the list. But I do think that few political organizations are going to have the will and discipline to enforce it upon their members particularly in the US. For a political organization with the will and discipline to enforce such practices, effort would might be better invested in creating a cell structure that isolates access to information in terms of the social graph.
Or to put it another way, an organization that relies on technical means to maintain secrets is still subject to infiltration. Wikileaks shows how readily organizations with dedicated and expert security staff and meaningful budgets are compromised by lack of or weak compartmentalization. A Snowden knockoff just walks out the door with a thumb drive of documents and hands it over to people who aren't supposed to have access bypassing NSA level security. And that's in an environment where people are rigorously vetted, not one looking for volunteers to the cause.
If I have an issue with the answer, it's that it conceives of an adversary who is 'just like us'. But plant a bug. Tape a cell phone to a car. Hire a honeypot. All will bypass an iPhone and disk-encryption and the local police can do any of them legally with a little effort and just about anyone with a will and a few hundred dollars can do them illegally with even less effort. And in the political realm there are lots of people with lots of will and more than a few hundred dollars at risk.
How does Linux compare with either MacOS, Windows, or just using an iPhone? Any particular distros that are more secure than others, or software to include / not to include?
I assume Android is a bad idea because of the ease of picking up spyware and the privileges that such software can have once downloaded?
What's the best way to secure your web browsing & search history? Being an ex-Googler, I can think of a couple things to do - don't sign in to Chrome, turn off your Web & App activity, turn off location history and don't grant permissions to use the location service - but I'm curious what the non-Google threats would look like (honestly, I don't believe Google is your biggest threat for a freedom activist).
What would you recommend for sharing documents, source code, or other permanent work/organizing products?
"Android is vulnerable to several key-extraction techniques." [0] Another likely reason is the appalling update situation on non-Nexus/non-Pixel devices.
Hey you would probably be interested in a app that we make called Umbrella. Built by activists, for activists, Umbrella makes it easier to learn about and manage digital and physical security. It has short lessons and checklists on everything from sending a secure email to security at protests. It's free, open source and available on Android.
> Get an iPhone and use it in preference to your computer.
Color me surprised, but wasn't Apple involved with PRISM. Gives me reason enough to believe they maybe in on similar programs given there have been no drastic changes to their policy and whatnot
The problem is that PRISM has conflated two separate things, and it is unclear how much of that conflation occurred at the NSA and how much outside.
Apple was (and is) compliant in the "release customer details with a court order" thing, which it seems is part of the PRISM data.
However, there was a second part, where the NSA got bulk access to communications without a court order. It is unclear which companies were complicit in this part. We know Google wasn't (because the NSA slide decks show how they had to intercept Google's inter and intra-data center links which were unencrypted at the time - and Google undertook a crash program to fix that).
Apple's statements are pretty clear: they say they only release information with a court order. That means they weren't complicit in bulk collection - but they may have been hacked at the time like Google was.
PRISM = FISA - it's just the NSA code name for data collection under the Foreign Intelligence Surveillance Act of 1978. All tech companies were involved, because to do otherwise would've been illegal.
The press cycle around the Snowden declarations made it seem like the big tech companies were in bed with the government, but honestly they hated it as much as you did, and in many cases the programs had different names within the NSA from when they interfaced with the companies involved, or were done entirely without knowledge of those companies.
This might be naive, but would you recommend being on iOS Beta to get security patches earlier? Also do you prefer Touch ID or password/passcode unlocking?
TouchID has the issue that a law enforcement can make you unlock your phone. In short cops can get your fingerprints, which is on you, but not compel you to say or do something.
The right way to think about secure messaging software is this:
You want to be using a messenger based on Signal Protocol, no matter what. Nobody has thought more carefully about cryptographic messaging protocols than Trevor Perrin and Moxie.
It's good to have two secure messengers, one that favors usability and has a large user base, and one that can function as a laboratory for strictly secure UX.
The very secure messenger you should have should be Signal; as Trevor and Moxie and their team devise new cryptographic protections for things like contact lists and file transfers, you'll get them through Signal.
The more usable messenger should be WhatsApp or Wire. I don't have strong opinions about which; mostly, I'm just saying there's no other Signal-based messenger I trust at all.
Quick response and I'm no expert: their encryption technology isn't open source and from what I recall hasn't been verified by third parties. They claim that is sufficient but no one has been able to confirm that. "Security through obscurity" if you will.
OP used to own/manage a world-class security consulting firm in Chicago, and now runs the entire security team for several decent-sized startups. His expertise is the citation.
1. IPhone is closed source and any kind of rootkit can be installed by Apple/NSA secret court system. I suggest not using a smartphone if you are serious about security.
2. Good but difficult to anonymize
3. Good
4. Google Chrome is a botnet effectively and users lose their expectation of privacy there. Should switch to Firefox and use Chromium (Not Chrome) as a backup. Ideally Tor browser though.
5. Why? It's great for sharing encrypted files. Certainly if you trust Apple, why not trust Dropbox?
8. Signal transmits metadata that Google/Apple and by extension NSA/FBI/CIA/DEA know about now. Use something else that protects your anonymity and is secure. Something like cryptocat/Pidgin OTR is better.
9. You can use email to send encrypted information.
10. Unnecessary. Good strong password is good enough and you don't have a centralized password storage app. Another benefit is avoiding all the frustration that comes with using it when you are on someone else's computer.
11. Commercial AVs are better than Microsoft's native solution as repeatedly shown on independent tests. If you are tech literate, you're probably fine with the native solution or no solution at all.
12. Good idea. Best not to have a smartphone at all.
13. That's crazy. Just know your email app. Attachments should be read only and if your software is updated, it's very very unlikely you'll be compromised. If the email isn't signed and you are worried, use an alternative app to open common document formats. PDF.js for PDF, Libre Office for documents.
IPhone is closed source and any kind of rootkit can be installed by
Apple/NSA secret court system. I suggest not using a smartphone if you are
serious about security.
I absolutely disagree. While you are correct that in theory an iPhone can have rootkits and other backdoors installed on it by the NSA, in practice, I've found that the average user's computer can be compromised far more easily than their smartphone. Remember, we're not dealing with security professionals. We're not even dealing with people who can use PGP to secure their e-mail. We're dealing with rank newbies. In such a situation, it's far better for them to take incremental steps today to secure themselves (e.g. by using Signal to communicate, rather than e-mail) than it is for them to spend a year learning about encryption and having PGP key signing parties before they can set up a secure infrastructure.
Comments like these are why I have a deep frustration with the "security community". It's letting the perfect be the enemy of the good.
It's a silly argument anyway, as in the famous xkcd comic, technology probably isn't the weakest link. And if a state really wants to snoop on you in particular, they will.
Meanwhile, as mentioned elsewhere, Android is vulnerable to several key-extraction techniques and the speed of security updates depends on which model you have.
Literally every other phone on the planet is vulnerable. Even some garbage flip-phone you got at Wal-Mart thinking it's not smart and therefore secure is likely a joke for anyone to crack into. That software hasn't changed in years. It's full of unpatched holes.
1. Get an iPhone and use it in preference to your computer.
2. Enable "code-generating" or "authenticator app" 2FA on all your accounts, particularly email (this is called "TOTP").
3. Disable SMS 2FA on any account wherever you're using real 2FA.
4. Switch to Google Chrome, which is significantly more resilient against vulnerabilities than either Safari, Firefox, or IE.
5. Don't use Dropbox.
6. Enable your OS's built-in full-disk encryption (this is FileVault on a Mac, BitLocker on Windows).
7. Disable cloud-based keychain backups (OS X will ask you to opt-in when you configure your phone or laptop the first time; Windows will make you go out of your way to do it).
8. Install Signal and either WhatsApp or Wire on your iPhone. Use Signal when you can, and fall back to the less strict alternative app when you can't.
9. Don't use email to send sensitive information, full stop.
10. Install a password management application that doesn't store your secrets in the cloud. I recommend 1Password. Better though to rely on 2FA than on a password manager.
11. Do not use antivirus software, other than Microsoft's own antivirus software on Windows.
12. Turn off cloud photo backups and location sharing for your camera.
13. Don't accept or click on email attachments, or allow your peers to send email attachments.