Edward Snowden’s NSA spying declaration showcased just how much we have given in to the gods of technology and suitability something we used to take for granted, and once accepted as a fundamental human right – our privacy.
NSA is not alone. Governments around the world are in a hurry to introduce legislation that allows them to monitor and log every email, phone call, and Instant Message, every web page visited, and every VoIP conversation done by every single one of their citizens.
The press has drawn parallels with George Orwell’s dystopian world ruled by an all-seeing Big Brother. They are painfully accurate.
Encryption gives protection to your internet activities, communications, and data. However, encryption usage flags you to organizations such as the NSA for closer inspection.
Particulars of the NSA’s data collection rules are here. NSA examines data from US citizens but discards it if it’s non-interesting. Encrypted data, however, is kept indefinitely until the NSA can decrypt it.
The NSA is allowed to keep all data associated to non-US citizens indefinitely, but encrypted data gets extra attention.
If more people started to use encryption then over time it would become the norm and surveillance organizations would have a much harder time invading people’s privacy.
Following disclosures about the scale of the NSA’s intentional assault on global encryption standards, faith in encryption has taken a big blow. So let’s look at the current state of affairs:
Encryption Key Length
Key length is the fundamental way of determining how long a cipher will take to break. It is the natural number of ones and zeros used in a cipher. Brute force attack is the rawest form of assault on a cipher. It involves attempting every possible combination to get the correct one.
NSA is an organization that is capable of unearthing modern encryption ciphers, but to do so is quite a challenge. For a brute force attack:
- A 128-bit key cipher has 3.4 x10(38) possible keys. Going through each of them would require thousands of operations or more to crack.
- The fastest supercomputer in the word in 2011(the Fujitsu K computer located in Kobe, Japan) was capable of a Rmax peak speed of 10.51 petaflops. Figuratively, it would take Fujitsu K 1.02 x 10(18) (around 1 billion) years to crack a 128-bit AES key by force.
- The most potent supercomputer worldwide in 2016 was the Sunway TaihuLight, the NUDT Tianhe-2 in Guangzhou, China came in at a close second which by the way was close to 3 times as speedy as the Fujitsu K, at 33.86 petaflops, it would “just” require close to a third of a billion years to break a 128-bit AES key. That’s still a long time and is the figure for breaking just one key.
- A 256-bit key would need 2(128) times more computational power to break than a 128-bit one.
- The time required to brute force a 256-bit cipher is 3.31 x 10(56) – which is about 20000….0000 (total 46 zeros) times the age of Universe (13.5 billion or 1.35 x 10(10) years!
Until the Edward Snowden announcement, people accepted that 128-bit encryption was beyond crackable through brute force and thought so would remain the same for another 100 years (taking Moore’s Law into account).
Theoretically, it is still true. However, the extent of resources that the NSA seems willing to invest at cracking encryption has experts shaking. Consequently, system administrators around the world have been scrambling to upgrade cipher key lengths.
The time when quantum computers become available, then all current encryption ciphers will become redundant.
Theoretically, the development of quantum encryption will solve the problem. But, access to quantum computers will not be readily available as initially the most powerful and wealthy organizations, and corporations will get hold of it. Also, it is not in their best interest to democratize encryption.
In the meantime, powerful encryption is your ally.
Note that the US government deploys 256-bit encryption to secure ‘sensitive’ data and 128-bit for ‘routine’ encryption requirements.
But, the cipher it uses is AES and comes with its fair share of problems.
Encryption key length means the number of raw numbers involved. Ciphers are the mathematics applied to carry out the encryption. Algorithm rather than key length is the reason for encryption breaking.
The most common ciphers that one is likely to encounter are Blowfish and AES. Additionally, RSA is used to encrypt and decrypt a cipher’s keys. For data authentication, SHA-1 or SHA-2 are used as hash functions.
AES is considered the most secure cipher for VPN use and generally. The US government adopting it enhanced its perceived reliability and subsequently its popularity. But, this trust may be misleading.
National Institute of Standards and Technology (NIST) in the United States certified AES, RSA, SHA-1, and SHA-2. NIST collaborates with the NSA in the development of its ciphers. NIST algorithms are questionable given the NSA’s systematic efforts to gain a foothold on international encryption standards.
NSA was accused by The New York Times of introducing non-detectable backdoors or disrupting the public development process to break down the algorithms, thus nullifying NIST – approved encryption standards.
Reports that a NIST-certified cryptographic standard – the Dual Elliptic Curve algorithm (Dual_EC_DRGB) had been intentionally weakened not once, but twice, by the NSA was the nail in the coffin.
Back in 2006, a calculated backdoor in Dual_EC_DRGB was already noticeable as researchers at Netherlands Eindhoven University of Technology told that an attack against it was easy enough to initiate on ‘an ordinary PC’. Microsoft engineers also indicated a suspicious backdoor in the algorithm.
Whatever it is, where NIST leads the industry will follow suit. Microsoft, Cisco, Symantec and RSA all incorporate the algorithm in their products’ cryptographic libraries. This is primarily due to compliance with NIST standards which is a requirement for obtaining US government contracts. NIST – certified cryptographic standards are pretty much universal which is a little unnerving.
Cryptography experts are shying away from the problem because a lot relies on these standards.
Ideal Sophisticated Secrecy
Edward Snowden said in one of his confessions: “another program, code-named Cheesy Name, was aimed at singling out SSL/TLS encryption keys, known as ‘certificates,’ that might be vulnerable to being cracked by GCHQ supercomputers.”
The fact that these certificates could be “singled out” strongly suggests that 1024-bit RSA encryption is not as robust as previously thought. Therefore the NSA and GCHQ could decrypt it quicker than expected.
Additionally, the SHA-1 algorithm widely used to verify SSL/TLS connections is fundamentally shattered. In both cases, the industry was scrambling to fix the flaws as soon as possible. The industry moved onto RSA-2048+, Diffie-Hellman, or Elliptic Curve Diffie-Hellman (ECDH) key exchanges and SHA-2+ hash authentication. What these issues clearly highlight is the need for VPN connections for all SSL/TLS connections.
In a VPN connection, a private encryption key is generated for each session.
Using VPN, if one SSL key is compromised, it’s fine as new keys are generated for each connection. For someone to access communications, it would be an arduous task as new keys will often be generated and refreshed during connections.
Companies tend to use one encryption key which is dangerous as attackers can access all communications encrypted with it.
OpenVPN is the most extensively used VPN protocol. It is highly secure as it allows the use of ephemeral keys.
HMAC SHA-1 hashes routinely used to authenticate OpenVPN connections are not flaws. The reason is HMAC SHA-1 is less vulnerable to collision attacks than standard SHA-1 hashes. There is mathematical proof.
Is Encryption Secure or Not?
We cannot underestimate NSA, but encryption still remains the best option.
Arguably, strong ciphers such as AES and OpenVPN remain secure.
Bruce Schneier, encryption specialist, a fellow at Harvard’s Berkman Center for Internet and Society, famously said about this.
Remember there are many adversaries, but no one comes close to NSA’s ability to circumvent encryption.
The Value of End-to-End Encryption
End-to-end (e2e) encryption means encrypting data on your own device. Since you hold the encryption keys, it is next to impossible for attackers to decrypt your data.
Various products and services do not use e2e encryption. Third parties encrypt your data and hold keys for you. It is convenient; however, they could be compelled to hand over your encryption keys to authorities and government officials.
For example, Microsoft in 2013 gave encryption keys to unlock the emails and files of its 250 million worldwide users for inspection by the NSA.
Always prefer encrypting your data on your device rather than encrypting on host servers.
Granted that strong encryption has become headlines, but websites have been using strong end-to-end encryption for over 20 years now. Online shopping or banking would be redundant if sites were not secure.
HTTPS encryption protocol is the backbone of internet security as it secures users’ communications in websites.
How to tell if HTTPS secures a website – look for bolted padlock image to the left of the main URL/Search bar.
HTTPS has its issues but is generally secure. Case in point, the billions of financial transactions and transfers of personal data that happen every day on the internet.
The limitation to encryption is the collection of metadata.
An adversary or an attacker can know a great deal from the frequency and regularity of visits even though he may not know the contents. For example, Facebook will be able to tell who you are messaging on WhatsApp, its consistency, the duration and much more even though it will not know the contents as it’s encrypted.
NSA General Counsel Stewart Baker has openly admitted it.
It should be noted that mobile apps typically bypass any VPN and connect directly to their publishers’ servers, meaning VPN will not prevent WhatsApp sending metadata to Facebook.
Pinpoint Your Threat Model
You cannot defend yourself against everything so instead focus on things that you feel are troublesome.
NSA will always be there so let them be. Instead, you should avoid downloading an illegal copy of Game of Thrones as getting caught could land you in big trouble.
This externally linked article does a good job.
The alarming scale of the NSA’s attack on public cryptography and its deliberate weakening of common international encryption standards has showcased that not all software can be trusted.
The NSA has influenced hundreds of technology companies into building backdoors into their programs or rendering weak security in order to allow it access. The US and UK companies are prime suspects, although reports state that companies around the world have given into NSA demands.
The best solution is to use free open source software (FOSS). The source code is accessible to everyone to examine and peer-review. It reduces the chances of someone tampering with it.
Ideally, this code should also be compatible with other instruments so as to reduce the possibility of a backdoor sneak in.
However, it is possible for NSA agents to infiltrate open source and introduce malicious code without anyone knowing about it. Also, the sheer volume of code means it is quite impossible to fully peer-review all of it.
Despite its shortcomings, FOSS remains the most reliable with the least tempering probability.
Ways to Improve Your Privacy
The steps you can take to improve your privacy:
You can pay for things anonymously to enhance your privacy. Note that we are referring to online services and not delivery to actual address because that will give away the anonymity.
It has become increasingly common to find services that accept payment through digital currencies like Bitcoin and the like.
Bitcoin is a cryptocurrency that can be used for a transaction like your regular currency, but in the virtual sense. Bitcoin is still not as popular as the traditional cash currency yet but is changing fast. VPNs are prime examples.
How to Buy Bitcoins Anonymously
Most bitcoin dealers are located in the US and possess US-bank accounts. So for those outside the States, it can be a little tricky. But, there are methods to obtain Bitcoins anonymously.
For Utmost Anonymity:
- Use anonymous dispensable email addresses.
- Make a new Bitcoin address for each transaction – if you use the same address, then one wrong step could jeopardize your anonymity.
- Never real your actual personal information.
- Use a mixer service.
There are fundamental approaches you can apply:
- Purchase Bitcoins Anonymously, then ‘clear’ them with a mixer service.
It is reasonably priced and the most convenient. It has a high degree of anonymity.
When you purchase from an automated Bitcoin exchange like CoinBase and then “clean” them using a “mixer service like Blockchain.info‘s shared send feature, which uses CoinJoin technology it brings anonymity.
A mixer service essentially anonymizes your Bitcoins by interchanging them with other users. It can be chained back to you, but that would be a time-consuming procedure and extremely difficult. This is a paid service.
Your real-world identity is required by many automatic exchange services. So your Bitcoin purchase can be determined but not what happens afterward should you mix them.
- Use pre-paid credit cards
If you perform the transaction through throwaway email addresses, then you buy Bitcoins anonymously with pre-paid credit cards. You can also use the card to buy online services.
- Buy locally with cash
The website LocalBitcoins.com allows you to find Bitcoin sellers living near to you. You can contact for a meeting once you’ve got your preferred seller.
- Buy from an individual seller online
It can be carried out on LocalBitcoins.com, or in the #bitcoin-otc chatroom on Freenode (otc = over-the-counter). #bitcoin-otc uses an engaged feedback system. Take your time understanding it, and you will also require hashing out the payment procedure with the seller. Here is a list of IRC clients.
Other Anonymous Payment Methods
Internet Use Anonymized
VPNs and Tor network are the most popular for privacy on the internet. They mask your online identity.
They appear to serve a similar purpose but the reality is they are both different beasts.
VPNs are a set of technologies that:
- Give privacy by masking your internet activity from your ISP.
- Enable you to bypass censorship.
- Enable you to “geo-spoof” your location to access services blocked to you based on your geographical location.
- Secure you against hackers when connected to a public Wi-Fi hotspot.
- Let’s you to P2P download in safety.
To use a VPN, you must first sign up for a VPN service. A contract with a VPN Provider is needed to use a VPN.
Note: A VPN service can you provide you anonymity, but a VPN provider with logs can know your activities. For true anonymity you need Tor.
The Tor Network
Tor gives anonymity but compromises day-to-day internet usability. When running Tor:
- Your internet connection routes through no less than three random “nodes”.
- These nodes can be anywhere worldwide.
- The data is re-encrypted several times.
- Each node only knows the IP addresses “in front” of it, and the IP address of the node “behind” it.
- It means at no point does anyone know the whole path between your computer and the website you are trying to visit.
Tor is free, and you don’t need anyone’s trust. Governments try to block access to the network with varying degree of success.
Tor and VPN Simultaneously
You can use Tor and VPN together to get meaningful security benefits.
Tor Vs VPN
Tor is for people seeking absolute anonymity. VPNs, on the other hand, are a practical privacy tool for daily internet usage.
Alternatives to Stay Private Online
Proxy servers are quite popular. There are other services as well like JonDonym, Lahana, I2P, and Psiphon. You can combine these with services Tor or VPN for maximum security.
Securing Web Browsing
Along with the NSA, the advertisers are out to get you as well. They use sneaky tactics.
People who care are aware of HTTP cookies. Private Browsing is an excellent option to bypass it. But it is not enough as traces are left behind.
Clear Cached DNS Entries
For fast internet access, your browser caches the IP address it gets from your default DNS server.
- To empty the DNS cache in Windows, open the command prompt window and type: ipconfig /flushdns [enter]
- Empty the cache in OSX 10.4 and below by opening Terminal and typing: lookupd -flushcache [enter]
- To Empty the cache in OSX 10.5 and beyond, open Terminal and type: dscacheutil -flushcache [enter]
Remove Flash Cookies
The use of flash cookies is a subtle development. Disabling them does not necessarily block them. But similar to regular cookies they can be traced and manually deleted from the following directories:
- Windows: C:Users[username]AppDataLocal\MacromediaFlash Player #SharedObjects
- OSX: [User directory] /Library/Preferences/Macromedia/Flash Player/#SharedObjects
and [User directory] /Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/
A better solution is to use the CCleaner utility as it cleans out pesky Flash cookies and also rubbish that slows your computer and leaves traces of your activity.
Alternative Web Tracking Technologies
Internet companies have too much to gain to ever stop from tracking you. They deploy unethical and sophisticated tracking methods.
Your browser configuration combined with details of your Operating System makes you uniquely identifiable with a high degree of accuracy.
A small solution would be using the Tor browser with Tor disabled. It will help your fingerprint look identical like all Tor users and at the same benefit the additional layer of security built into the Tor browser.
HTML5 Web Storage
Built into HTML5 is web storage. Web storage is an analogy.
It has higher storage capacity and cannot typically be monitored, read, or selectively removed from your web browser.
By default all browsers have web storage enabled, but you can turn it off in Firefox and Internet Explorer.
Firefox users can regularly remove web storage with BetterPrivacy add-on configuration. Chrome users can deploy the Click&Clean extension.
ETags are markers deployed by your browser to track resource changes at particular URLs. Comparing these markers with a database, websites can follow you with a fingerprint build up.
ETags can respawn HTTP and HTML5 cookies and is a bad thing as associate companies can track you.
Clearing cache between each session or turning off your cache all together should work.
These practices are burdensome. The Firefox add-on Secret Agent prevents tracking by ETags, but as mentioned previously it will increase your browser fingerprint.
History snooping exploits the web’s design. It grants your visited website to uncover your past browsing history.
It is nearly impossible to evade. Using a VPN or Tor is one way of disconnecting your real identity from your tracked web behavior.
Recommended Browser Extensions
With Firefox leading the line, all modern browsers now support various extensions. They aim to improve privacy. A list of extensions is given below:
uBlock Origin (Firefox)
Ghostery (Chrome, IE/Edge)
Privacy Badger (Firefox, Chrome)
HTTPS Everywhere (Firefox, Chrome, Opera)
Self-Destructing Cookies (Firefox)
uMatrix (Firefox, Chrome, Opera)
Note: Note: If you use NoScript or uMatrix then uBlock Origin and Privacy Badger are not necessarily needed.
Most modern browsers include a Do Not Track option. It instructs websites to disable site and cross-site tracking when you visit them.
But, implementation is website owner based, so there is no guarantee of privacy.
Block Firefox’s “Reported Attack Sites” and “Web Forgeries”
They are useful settings to protect you against malicious attacks, but if tracking is too big a deal for you, then you might want to disable them.
Mobile Browser Security
Most mobile browsers have a lot of catching up to do in the security aspect. The good thing is many Firefox extensions work on the mobile version of the browser including:
- uBlock Origin
- HTTPS Everywhere
- Self-Destructing Cookies
On the bright side Private Browsing, Do Not Track, and advanced cookie management are all becoming regular features on all mobile browsers.
Non-tracking Search Engine
Most search engines, mainly Google log your information. They include:
- Your IP address.
- Date and time of a query.
- Query search terms.
- Cookie ID – this cookie is deposited in your browser’s cookie folder, and uniquely identifies your computer. With it, a search engine provider can trace a search request back to your computer.
The search engine sends this data type to the requested web page and also owners of third party advertisers. As you browse the internet, advertisers frame your profile and then post targeted ads.
Governments also request search data from Google and other search engines. Google’s Transparency Report on the number of User Data Requests received, and the number acceded to.
Fortunately, there are search engines that do not collect users’ data. These include:
The benefit of using a search engine that does not track is avoiding the “filter bubble” effect.
Deleting Google History
Visit My Activity by signing in to your Google account to view the information Google collects about you. From there on you can delete by topic or product. The fact that you are reading this privacy guide, you should probably Delete>All time.
Take it with a pinch of salt as we can only take Google’s word that they genuinely delete this data.
Go to Activity Controls to tell Google to stop collecting new information about you on your use of various Google services.
It won’t necessarily stop the NSA from spying on you, but it will prevent Google from profiling you.
Most if not all of us have a significant Google history and for anyone reading this article you know you should delete it. Next, perhaps change to one of the “no tracking” services listed above.
However, there are downsides to it as deleting and disabling your Google history will result in Google services not functioning correctly or ceasing to perform altogether. So have your pick between privacy and Google’s highly personalized magic.
Secure Your Email
A secure HTTPS connection comes to naught when the service provider themselves hand over your information to an enemy, as Google and Microsoft did with the NSA!
The answer to this is end-to-end email encryption. The sender encrypts it, and the recipient decrypts it. But, for this to function, both sides have to use encryption.
Most people view Pretty Good Privacy (PGP) as the most secure and private way to send and receive emails. Sadly, it’s not easy to use PGP resulting in low usage.
With PGP, the body of a message is encrypted, but not the header, recipient, send time, and so forth. The downside to this is that a nemesis can still use the metadata.
Limitations aside, PGP is still the only way to send email highly securely.
GNU Privacy Guard
PGP was previously open source and free but now belongs to Symantec. The Free Software Foundation took up the open source OpenPGP banner and with significant funding from the German government released GNU Privacy Guard.
GnuPG is an alternative to PGP as it is free and open source. It mirrors the OpenPGP standard and is compatible with PGP. It is accessible for Windows, OSX, and Linux. Nowadays PGP means GnuPG.
Generating a PGP key pair in Gpg4win
While the primary program uses a primary command line interface, more sophisticated versions are present for Windows (Gpg4win) and Mac (GPGTools). Varyingly, EnigMail adds GnuPG functionality to the Thunderbird and SeaMonkey stand-alone email clients.
PGP on Mobile Devices
Android users should be happy knowing that an Alpha release GnuPG: Command-Line from the Guardian Project is obtainable.
K-9 Mail is a reputed email client Android with PGP support built in. It can be merged with Android Privacy Guard to get a more user-friendly PGP experience. GPG guide on Android is available. iOS users can try out iPGMail.
PGP Usage With Existing Webmail Service
With PGP a pain to use, Mailvelope is a viable option. It is a browser extension for Firefox and Chrome that enables end-to-end PGP encryption within your browser.
Mailvelope works with popular browser-based webmail services such as Gmail, Hotmail, Yahoo! and GMX. It is not as assured as using PGP with a dedicated email client, but it makes using PGP as less painful as possible.
Dedicated Encrypted Webmail Service
Encrypted webmail services with a privacy focus have snowballed in recent years. The most known among them are ProtonMail and Tutanota. They are easier to use and, unlike PGP, hide emails’ metadata. Both services permit non-users to reply to encrypted emails sent to them by users securely.
Protonmail has better security than most webmail services.
The bottom line is they are easy to use but nowhere as secure as using PGP with a stand-alone email program.
Further Email Privacy Precautions
If you wish to protect files, you can encrypt them before sending by regular email.
You can also encrypt stored emails by encrypting the email storage folder a program like VeraCrypt.
The truth is emails are an outdated communications system. Email is fundamentally flawed as it jeopardizes privacy and security. End-to-end encrypted VoIP and instant messaging are more secure for communicating online.
Securing Voice Conversations
Regular phone calls are insecure be it landline or mobile. NSA and GCHQ are heavily involved but so are governments who are eager to record all citizens’ phone calls.
Let’s say you buy disposable “burner phones” to remain anonymous, but still, a lot of data can be collected through the collection of metadata. It’s not worth the effort.
VoIP with End-to-end Encryption
If you want your online voice conversations to be private, then you need a VoIP with end-to-end encryption.
VoIP (Voice over Internet Protocol) apps let you talk over the internet. You can also make video calls and send Instant Messages. VoIP has become extremely popular as they allow cheap or free calls anywhere in the world.
VoIP connections are secure, but if the provider blatantly hands over information, then there is nothing you can do about it. For example, Microsoft handing over Skype conversations to the NSA.
Competent Skype Alternatives
Signal (Android, iOS) – on top of being arguably the most secure Instant Messaging (IM) app currently available, it also allows you to make secure VoIP calls.
Signal leverages contacts in the same way as messages. If one of your contacts uses Signal, then you can engage in an encrypted VoIP conversation with that person. Reversely, if a contact does not use Signal, you can send an invitation to use the app or else talk to them via your regular insecure cellular phone connection.
Signal’s encryption for calls is not as strong as text messaging. The reason could be processing power as stronger encryption would negatively impact the quality of calls.
The encryption level is sufficient, but if you want the best standards possible, then you should stick to text messaging.
Jitsi (Windows, OSX, Linux, Android) – a free and open source software offering all Skype-like functionality. The difference is it uses ZRTP encryption which includes voice calls, video conferencing, file transfer, and messaging.
Jitsi is hard to resist as a Skype replacement for desktops.
Securing Text Messages
Many VoIP services have chat/IM functionality built in.
Signal (Android, iOS) – developed by crypto-legend Moxie Marlinspike, Signal is considered the most secure text messaging app available. Signal has its issues but is the industry benchmark currently.
Signal substitutes your phone’s default text messaging app and leverages your contact list. If a contact uses Signal, then any messages sent to or received from that person is securely end-to-end encrypted.
You can send invites to your contacts to use Signal or send an unencrypted text message via regular SMS.
Jitsi (Windows, OSX, Linux, Android) – is a highly secure desktop messenger app, but not as reliable as Signal.
WhatsApp uses the same end-to-end encryption developed for Signal. WhatsApp, however, retains metadata and has other flaws not present in the Signal app.
WhatsApp is really popular despite its issues, but the announcement that it would start sharing users’ address books with parent company Facebook by default is a detriment. You can disable it, but the majority of users will not bother to do so.
Let Go of Mobile!
Your movement can be tracked through your mobile.
GPS and phone towers can easily track any phone. Additionally, Stingray IMSI-catchers use has snowballed among police forces worldwide.
These devices can identify and track individual mobile phones. Furthermore, they can intercept phone calls SMS messages and unencrypted internet content.
Using Signal will prevent interception but not tracking. The solution is leaving your phone at home or buying one of these.
Securing Cloud Storage
Server-level storage is becoming cheaper as internet speeds escalate. The range of devices available to access the internet means that cloud storage is the future.
The primary goal is ensuring files stored in the “the cloud” remain secure and private. But tech giants like Google, Amazon, Apple and, Microsoft have come up short as they have all conspired with the NSA. They also reserve the right to look into your files.
There are some steps you can implement to make sure your files are secure in the cloud.
Manually Encrypt Files Before Uploading to Cloud
You can use programs such as VeraCrypt or EncFS to encrypt your files manually. The advantage is you hold all the encryption keys to your files, so it does not matter what cloud service you use.
Mobile apps running VeraCrypt or EncFS files exist which allow synchronization across devices and platforms. Characteristics such as file versioning will not work with individual files encryption container hiding them, but you can recover past versions of the container.
Using Automatically Encrypted Cloud Service
The services listed below automatically encrypt files before uploading them to the cloud and are available on both Android and iOS platforms. Forego any service that encrypts data server-side, as these are vulnerable to decryption by the service provider.
Any alterations to files or folders sync with locally decrypted versions before securement and transfer to the cloud.
There is a small security price to pay if you use these services as they briefly store your password on their servers for authentication.
- TeamDrive – this German cloud backup and file synchronization service is mainly aimed at businesses. It also provides free and low-cost personal accounts. TeamDrive uses proprietary software but has been certified by the Independent Regional Centre for Data Protection of Schleswig-Holstein.
- Tresorit – is based in Switzerland, so users benefit from that country’s strong data protection laws. It offers client-side encryption, although a flaw is that users’ data is stored on Microsoft Windows Azure servers. Given general distrust of all things the US, this is an odd choice. But as client-side encryption guarantees the cryptographic keys are kept with the user at all times, it shouldn’t be a problem.
- SpiderOak – accessible for all major platforms, SpiderOak offers a “zero knowledge,” secure, automatically encrypted cloud service. It deploys a combination of 2048 bit RSA and 256 bit AES to encrypt your data.
Keep in mind that all these cloud services are closed source. It basically means we have to take them for their word.
Syncthing for Cloudless Syncing
Syncthing is a secure decentralized peer-to-peer (P2P) file synchronization program that is capable of syncing data linking devices on a local network or over the internet.
Syncthing integrates files and folders across devices without storing them in ‘the cloud.’ It is similar to BitTorrent Sync except for it being completely free and open source (FOSS).
Syncthing enables secure backup of data without third-party cloud provider. You directly control the data backed up to a computer or server.
In tech circle, it is referred to as “BYO (cloud) model,” where you provide the hardware. The encryption is end-to-end, and only you can decrypt it as you hold the encryption keys.
The limitation is you cannot use it as an extra drive by portable devices with limited storage. But, on the bright side, you are using your own storage, so you never need to worry about cloud providers’ data limits.
Encrypt Your Local Files, Folders, and Drives
This article is about internet security and privacy, but one has to make sure that unwanted parties cannot access locally stored files.
Furthermore, you can also encrypt files prior to emailing them or uploading them to cloud storage.
Windows, Mac OSX, Linux. Mobile support for VeraCrypt containers is available via third-party apps.
VeraCrypt is an open source full-disk encryption program. With VeraCrypt you can:
- Design a virtual encrypted disk which can be mounted and used just like a real disk.
- Encrypt an entire division or storage device (for example a hard drive or USB stick).
- Generate a partition or storage drive containing a whole operating system.
Veracrypt is transparent in operation as encryption is performed on-the-fly in real-time. The capacity to make hidden volumes and hidden operating systems mean they can be denied so long as the correct precautions are taken.
Windows, OSX, Linux (Crypt4All Lite for Android). This cross-platform app is handy for encrypting individual files. The limitation of individual file encryption can be overcome somewhat by creating zip files out of folders and then encoding the zip file with AES Crypt.
Full Disk Encryption on Mobile Devices
iOS devices ship with full disk encryption. On Android devices, you can manually turn it on if it hasn’t been done so.
Antivirus/Anti-malware and Firewall Software
Always use anti-virus software, and ensure that it is up-to-date!
Viruses can wreck your system and allow hackers to enter it. A security breach of that sort would result in them accessing your files, emails, webcam, passwords, etc.
Remember, not just hackers but governments are also notorious for security violations.
Mac users not installing ant-virus software by citing the “fact” that OSX’s Unix architecture makes virus attacks difficult is hotly contested.
Free Vs Paid Antivirus Software
The general agreement is that free antivirus software is of the same level as paid software. However, the paid software gives better support and more features and functionality.
Most of the free software is for personal use, and businesses usually have to pay for a license. You may wonder how publishers offer free anti-virus products. The answer to this perhaps is selling data to advertisers. For example, AVG can sell users’ search and browser history to “make money” from its free antivirus software.
Major anti-virus products have a free version, but it would be wise to upgrade to a premium version of the software.
Proficient Anti-virus Software Options
Windows – the most widely used free antivirus programs for Windows are Avast! Free Antivirus and AVG Antivirus Free Edition. A lot of other options are also available. Then there is the Malwarebytes Free. A paid version of Malwarebytes runs automatic scan weekly and provides real-time protection.
Android – There are a good number of options, both free and paid. Avast! is a good option.
iOS – Apple denies about iOS vulnerability to virus attacks. It also seems crazy that Apple has removed antivirus apps from its app store.
A personal firewall oversees network traffic to and from your computer. It can be configured to monitor traffic based on a set of rules. It can be a little inconvenient but helps ensure that nothing is accessing your computer and that no program on your computer is using the internet on its own.
Both Windows and Mac OSX come with built-in firewalls. They are one-way firewalls as they filter incoming traffic, but not outgoing traffic. The pro is it makes them user-friendly, but the con is you cannot oversee or control the programs already installed on your computer are doing.
The biggest headache with using a two-way firewall is figuring out which programs are ‘ok’ to access the internet and which are potentially dangerous.
Some Proficient Two-way Firewall Programs
Windows – Comodo Firewall Free and ZoneAlarm Free Firewall are free and suitable. TinyWall is another option which is not precisely a firewall, but it can oversee outgoing connections to the built-in Windows Firewall.
Glasswire is technically not a firewall either as you can’t create rules or filters, or block specific IP connections, but it presents network information in a precise manner.
OSX – Little Snitch adds the ability to oversee outbound connections to the built-in OSX firewall.
Android – Avast!
iOS – Firewall iP, but it requires a jailbroken device to run.
Linux – There a lot of Linux firewall programs and dedicated firewall distros available. Iptables is packaged with almost every Linux distro. It’s a little tricky to master it. Then again there are also user-friendly Linux firewalls like Smoothwall Express or pfSense.
Various Security Hints, Tips & Tricks
Choose Linux over a Commercial OS
The NSA may have less likely compromised Linux. It is a stable and generally secure OS in comparison to its commercial rivals. But, it wouldn’t be far-fetched to believe that the NSA has tried to breach Linux.
Edward Snowden favors TAILS, a secure Linux distro. IceWeasel is the default browser, a Firebox byproduct for Debian that has the whole Tor Browser Package treatment.
Linux is less user-friendly making day-to-day usage a struggle.
However, Linux is the best option if you value privacy. The cool thing is you can run the entire OS from a Live CD, without needing to install it. It makes trying out different Linux distros easy. Furthermore, an extra layer of security is added when you access the internet.
The reason is that the OS exists wholly detached from your regular OS.
There are hundreds of Linux distros. They range from full desktop replacements to niche distributions.
Ubuntu – a very well-liked Linux distro because of its ease of use. You can also get assistance from an enthusiastic Ubuntu community. This is an excellent pick for those interested in using a much more secure operating system.
Mint – a popular Linux distro geared towards novice users. It is closer to Windows than Ubuntu, so Windows escapees find comfort using this over Ubuntu. Mint is based on Ubuntu meaning Ubuntu-specific tips and programs also function in Mint. This includes VPN clients.
Debian – Debian is the basis for Ubuntu. It is a highly flexible and customizable Linux OS and is a favorite among experienced users.
Tails – Edward Snowden’s preferred OS. It is incredibly secure and routes all internet connections via the Tor network. But, it’s a highly specialized privacy tool. It is not ideal for general users.
They are all excellent choices, but for newbies trying out Linux, Ubuntu and Mint would be widely recommended as starting picks. A comparison is available here.
Using Virtual Machine (IM)
A further level of security can be obtained by using a ‘virtual machine.’ They are software programs that mirror a hard drive onto which an operating system like Windows or Linux is installed. VM-ing OSX is problematic.
So the VM takes the form of a computer through software, which runs on top of your regular OS.
The best thing about this is that every file is self-contained within the virtual machine meaning viruses nabbed inside the VM cannot infect the actual computer. It is a hardcore P2P downloader’s paradise.
The VM can be wholly encrypted and hidden using programs like VeraCrypt.
They mirror your computer meaning they run a different OS on top of your regular OS. Modern computers can handle the substantial overheads concerning processing power and memory use of a VM resulting in minimal impact on performance.
It houses two parts, the first acts like a Tor gateway (known as Whonix Gateway). The second (known as a Whonix Workstation), is on a wholly isolated network. This tunnels all its connections via the tor Tor gateway.
The isolation of the workstation absent from the internet connection (and all isolated from the host OS inside a VM), makes Whonix incredibly secure.
Windows 10 is a privacy nightmare. It continues to send large telemetry data back to Microsoft despite all data collection options disabled. The Anniversary Update (version 1607) which removed the option to disable Cortana made it worse. You get a highly personalized computing experience but at the cost of your privacy.
If you care about privacy then ditch Windows altogether, Mac OSX is slightly better, but Linux should be your go-to OS.
If using Windows is absolutely necessary then some third-party apps exist to bolster security and privacy. They can be very handy as they adjust registry settings and introduce firewall rules to prevent telemetry sending to Microsoft.
But the apps have direct access to your OS meaning you have to hope the developers are honest and have no malicious intentions. W10 Privacy is a good pick but is not open source. There are other options as well.
BIOS Protection With Password
Veracrypt encryption is a great way to secure your drives physically. But, for optimal effectiveness, one must have strong passwords in BIOS for both starting up and modifying the BIOS settings. It is also wise to prevent boot-up from any device other than your hard drive.
The best practice is disabling flash in your browser.
Alter DNS Servers and Secure Your DNS With DNSCrypt
We type domain names to look for something on the web browser. But a computer understands a set of numbers known as an IP address.
For example, to translate the domain name jailbreakvpn.com to its IP address, the Domain Name System (DNS) is used.
The translation process is conducted on your ISP’s DNS servers by default. It means your ISP has a record of every website you visit.
DNSCrypt to DNS traffic is the equivalent of SSL turning HTTP traffic into encrypted HTTPS traffic.
DNS was built with no security features in mind making it vulnerable to attacks. The worst form of attack being DNS spoofing (or DNS cache poisoning). It means an attacker intercepts and redirects a DNS request.
So an actual request for a banking service could be redirected to spoof site created to gather victims’ account details and passwords.
The open source DNSCrypt protocol mitigates this problem by encrypting your DNS requests. Furthermore, it authenticates communications between your device and the DNS server.
DNSCrypt is accessible on most platforms (mobile devices must be rooted/jailbroken), but it needs support from your preferred DNS server. Server availability is given and includes many OpenNIC options.
DNS and VPNs
Your ISP usually performs the DNS translation process. If you are using VPN, all DNS requests should be sent via an encrypted VPN tunnel as your VPN provider handles it instead.
With the right scripts, a website can tell which server performed a DNS request directed to it. It enables them to pinpoint your public IP address and also determine your ISP.
This hinders geo-spoofing your location and allows police and other authorities to acquire your information from your ISP. ISPs keep records while quality VPN providers do not.
Nearly all VPN providers run their own dedicated DNS servers to carry out this DNS translation task themselves. You don’t need to alter DNS server or deploy DNSCrypt as all good VPNs encrypt the DNS requests.
Regrettably, a DNS leak occurs when DNS requests do not go through the VPN tunnel they are supposed to.
They are usually instrumental. But, many VPN providers provide “DNS leak protection” as an attribute of their custom software. These apps apply firewall rules to direct all internet traffic via the VPN tunnel, including DNS requests.
Use Secure Passwords
We all have been reminded on many different occasions to use long, complex passwords, using combinations of standard letters, capitals, and numbers. But the fact is not all of us can remember it.
Luckily, help is here!
Low Tech Tips
Given below are some ideas that will enhance your password security with next to no effort:
Put a random space into your password – a simple but effective measure. It brings in another mathematical variable into the equation, and most would-be crackers assume passwords consist of one contiguous word. They, therefore, focus on that aspect.
Phrase Password – a proven method where you can add lots of spaces and put in many words in an easy-to-remember manner. Instead of “football” as your password, you could use “football is my go-to game”.
Use Diceware – this is a procedure for creating strong passphrases. Rolling dice generates random individual words in the passphrase. It brings in a high degree of entropy in the result. The EFF brought in a new expanded Diceware wordlist targeted towards improving Diceware.
- More than four numbers for your PIN – Insert more than four digits for your PINs wherever possible. Same like words it makes the code mathematically harder to crack. Most crackers assume a four number pin.
High Tech Formulas
Software developers are daring and are not afraid to dive in. There is a vast selection of password management programs available. These are the cream of the bunch:
KeePass (multi-platform) – a well-liked free and open source (FOSS) password manager that generates complex passwords for you and stores them behind strong encryption. A surplus of plugins enable all kinds of customization and increased capability.
For example, you can use the Twofish cipher plugin instead of the default AES, while PassIFox and chromeIPass give full browser integration.KeePass is Windows exclusive, but KeepassX is an open source clone for OSX and Linux, as are iKeePass for iOS and Keepass2Android for Android.
Sticky Password (Windows, Mac OSX, Android, iOS) – a great desktop password solution that is capable of syncing over Wi-Fi and supports different browsers.
Its security measures are commendable. It also works really well on mobile devices which could be the compelling reason to choose this over its FOSS rival.
Social Networking is opposite to what privacy and security are all about. You are nudged to share your everyday life.
All social networks are nasty, some more and some less. For example, Facebook is more dangerous than Twitter regarding privacy as it sells your data to profiling-hungry advertisers. It also gives your personal information over to the NSA. But, the bottom line is all social networks thrive by sharing information.
On the other hand, commercial networks make profits from targeted ads and selling them to you having harvested your data.
It’s bittersweet, but if you want to maintain your privacy then you’ll have to delete all your existing accounts!
For the majority of the people, this is not possible.
Hence, given below are some ideas for maintaining a degree of privacy when you’re on social media.
Don’t post things that could you land in trouble. If there are things that shouldn’t be displayed, you shouldn’t.
Keep It Private
It’s all too common for people to discuss intimate information using public channels so better make use of social platforms to talk about intimate details. Of course, it won’t conceal your conversations from advertisers, the law, or the NSA, but it will prevent awkward conversations with your friends and loved ones.
You can use a false name on social platforms as your employers may routinely check your Facebook pages. You can lie about your personal bio as well.
On a more critical note, bloggers should use aliases if publishing posts threaten their life or freedom.
Keep tabs on your privacy settings
Facebook keeps changing the way its privacy settings work.
Make sure that posts and photos are only shared with Friends, for example, not Friends of Friends or “Public.” Make sure that “Review posts friends tag you in before they appear on your timeline” (under Privacy Settings -> Timeline and Tagging) is set to “On”. It minimizes damage “friends” can do to your profile.
Stay Away From Five Eyes based Services
Australia, Canada, New Zealand, the United Kingdom, and the United States constitute the Five Eyes (FVEY) spying alliance. Edward termed it as a “supra-national intelligence organization that doesn’t answer to the known laws of its own countries.”
Intelligence is shared freely among member countries, as they bypass legal restrictions on spying on their own citizens. It is, therefore, best to steer clear of FVEY-based companies.
In fact, there is a convincing argument that that should stay clear of any company belonging to the broader Fourteen Eyes alliance.
The US and NSA Spying
The potential of the NSA’s PRISM spying program is mind-boggling. Edward Snowden’s disclosure has showcased it has the strength to co-opt any US-based company. It involves overseeing information relating to non-US citizens and pretty much anybody else in the world. It also includes monitoring all internet traffic that goes via the US’s internet backbone.
No one seems able to attain the sophistication levels of PRISM.
Suggesting every US-based company is willingly handing over every user’s personal to a secretive spying organization might sound absurd. But if recent events are anything to go by then, it is terrifyingly close to the truth.
Keep in mind that due to provisions in both the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), US companies must hand over users’ data. It applies to even users who are non-US citizens.
The UK and GCHQ Spying
The UK’s GCHQ is no different than the NSA. It also conducts some specifically heinous and ambitious spying projects of its own. Edward Snowden said, “they [GCHQ] are worse than the US.”
The Investigatory Powers Bill (IPB) “formalizes” this secret spying into law.
It is there highly recommended to avoid all firms and services based in the UK.
Is Privacy Worth the Effort?
This question is worth pondering. The fact is much of much of the cool functionality of new web-based services relies on knowing a lot about you! Google Assistant is an excellent case in point.
Privacy comes at a price. You have to think about what compromises you are willing to make, and how far you will go, to protect it.
The Importance of Privacy
Privacy is paramount, but maintaining is not easy especially in the modern world.
Privacy is a valuable but threatened artifact. By enacting even a few ideas covered in this guide, you increase your privacy and also make an important contribution to sustaining it for everyone.