6 Things You Should Never Do With a Burner Phone

I get a lot of questions about burner phones. What kind to buy, how to buy, where to buy. The problem is, people go buy them and then use them improperly—completely defeating the purpose.

There is most definitely a right and a wrong way to use a burner phone. We’ll talk about 6 things that you should never, ever, under any circumstances do with your burner. In fact, if you have one and you have EVER done any of these things, you can assume that anything you talked about or did while it was in your possession is already known by your adversary.

1. Buy your burner phone anywhere you normally are.

This one doesn’t necessarily deal with usage, but it’s necessary to mention. If your idea of tradecraft is going to the Wal-Mart 5 miles from your house instead of the Target that’s 2 miles from your house, then please slap yourself for me. Don’t buy it near your work, your home, don’t buy it at the gas station you normally go to, the quickie mart where you get your smokes at 10pm, or anywhere else you ever go to. In fact, it’s also a good idea to not go in your own car. Don’t do anything you normally do, don’t stop anywhere you normally stop, and whatever you do, don’t take your regular phone with you. Have a cover story just in case. Always have a cover.

2. Put all your contacts in your burner.

It might seem like common sense, but you’d be surprised at how many people go out of their way to purchase one “correctly,” and then immediately put their new phone side by side with their old one so they can put all their contacts in it. Or even worse, they simply log into their cloud account and download their contacts backup. I should not have to explain how beyond moronic this is. Burner phones are not for chatting people up. They’re for coordination, passing short bursts of time-sensitive information, etc. In other words, you use them if you have to, and only to speak to another burner phone.

3. Install all your regular apps.

Pay very close attention to these words from Grugq:

Just 4 apps are enough to reidentify users 95% of the time. A complete list of installed apps is unique for 99%.

Your burner phone is not your personal phone. Say that out loud to yourself until you understand it. Your burner has one purpose, and one purpose only. Don’t install Wickr on it and sign in with your regular username. Don’t install Candy Crush on it because that’s how you kill time with your regular phone. Don’t install that one app you can’t do without. Your burner is not your personal phone.

Read the rest at Patrick Henry Society. When you’re done, take a look at the Groundrod Primer class coming up. You need it.

LastPass Unsafe: Easy Attack Gives Access to Anyone

Do you use LastPass? Might want to rethink that.

Unless, of course, you don’t mind someone getting all of your passwords.

Judging by how people are with their digital security, what are the odds that your LastPass master password is the same password as a whole bunch of your other stuff…?

Signal vs. Wickr: How Secure is Your Secure Messaging App?

Bottom line: Facebook doesn’t cut it; in fact, if you’re still using Facebook to coordinate, recruit, and communicate about your activities (stop doing roll calls!), then you’re a liability to your contacts–there’s no two ways about it. You need secure messaging. No excuses.

Some of you have a secure messaging app you use—but is it secure? The Electronic Frontier Foundation released a Secure Messaging Scorecard that will tell you, and we’ll flesh those ratings out with information from other experts. Let’s see how two of the more prominent apps stack up.

Secure Messaging Criteria

EFF grades each application against a list of criteria on a simple yes/no basis. The formula is simple: these are the features it should have; does it have them, or not? Some of these criteria include whether your password or identifying details are stored on their servers, or whether the provider themselves can access your messages. While even a full green light doesn’t mean the app is completely government-proof, it gives you a good idea as to whether you’ll at least make them work for it, and whether the company is on the right track in terms of their goals and capability.

Wickr

Perhaps one of the most popular apps used by those in the movement, Wickr claims that their level of security is better than any other app on the market. It’s free to boot, which makes it highly attractive to many. It has a mostly green light from EFF, but the problem is that Wickr is missing two critical components:

  • Its code is not open for independent review and audit.
  • The security design is not properly documented; i.e., public.

One of the most important parts of the security process is ensuring that each app’s code is available for other coders and security researchers to audit. It’s a self-imposed accountability system that allows the community to ensure quality and that apps do what they say they are supposed to do. In addition, developers typically release a white paper or other technical document to explain in detail how their encryption process works–again, for accountability and transparency. If the system’s encryption process is solid, it doesn’t matter if every single line of code is publicly available. Audits like these have caught both backdoors and coding errors—resulting in a better product. When you’re talking about life and death communications, you need to have the most secure app available. Audits help achieve that through public disclosure of both the encryption and the code itself. The keys are what stay private.

Wickr, however, has not released its code (refusing to even consider it), and that’s caused an interesting debate in the security community. Security researcher Brian Krebs puts Wickr in a group of apps “that use encryption the government says it can’t crack,” but others aren’t so sure. This video explains some of the reasons why you should perhaps think twice before trusting your secure information to Wickr. The video was made in 2014; it would be a good idea to check some of the documents he’s talking about to see if any of these issues have changed. (I can tell you from experience that his first issue—them storing your password on their server after claiming they do not—is not rectified as of yet. Also, check out his other videos, especially the one regarding your contacts).

Several other security researchers have also voiced concerns regarding Wickr’s lack of open source accountability.

“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute. […] For Green, that means “if you don’t know how a system works, you kind of have to assume that it’s untrustworthy.” He adds that this is not about being an open source activist. But Wickr, he says, doesn’t even have white papers on its website explaining how the system works…

“From my perspective I don’t think the company should be telling us, ‘Trust us, it’s safe,’ ‘Trust us, it’s encrypted,’ or ‘Trust us, it’s audited,’” says Nadim Kobeissi, a cryptographer and founder of encrypted browser-based chat service Cryptocat. “We should be able to verify ourselves.”

Others believe that Wickr’s refusal to make their code open to independent audit is just fine. Dan Kaminsky, a security guru, has said he personally audited Wickr’s code and it’s secure. However, Matthew Green sums it up thusly:

Should I use this to fight my oppressive regime? Yes, as long as your fight consists of sending naughty self-portraits to your comrades-at-arms. Otherwise, probably not.

It’s each individual’s choice whether to use Wickr, and Kaminsky’s admonition that “nothing is 100% secure” is a fair one. I use Wickr myself, but not exclusively, and not for anything critical.

Signal

Another increasingly popular app is Signal (formerly RedPhone and TextSecure). Offering both texting and secure calling, the EFF gives Signal a green light across the board. It has all of the encryption features of Wickr, and also has open source code and documented encryption processes. Matthew Green says that it “does not retain a cache of secrets from connection to connection.” The Intercept also endorses Signal, with the caveat that any app you install is only as secure as the device you install it on. Other endorsers include Bruce Schneier, Edward Snowden, and Laura Poitras (for whatever that may be worth to you personally).

Like Wickr, Signal also has a desktop version. And, since it’s tied to the device, it doesn’t save your password on a server like Wickr does. From Signal’s website:

The Axolotl ratchet in Signal is the most advanced cryptographic ratchet available. Axolotl ensures that new AES keys are used for every single message, and it provides Signal with both forward secrecy and future secrecy properties. The Signal protocol also features enhanced deniability properties that improve on those provided by OTR, except unlike OTR all of these features work well in an asynchronous mobile environment.

For those who would like to audit Signal’s code themselves, you can find that here.
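As an added illustration (not Signal’s code and not from the original article), the sketch below shows only the symmetric half of such a ratchet: an HMAC-SHA256 key chain that hands out a fresh 32-byte key per message and throws the old chain state away, which is where forward secrecy comes from. The function names, the derivation constants and the shared secret are constructed for the example, and the Diffie-Hellman step that provides future secrecy is left out.

```python
import hashlib
import hmac
from typing import List, Tuple


def kdf_chain_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Advance the chain once and return (next_chain_key, message_key).

    Both outputs come from one-way HMAC calls keyed with the current
    chain key, so neither can be run backwards to recover that key.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def derive_from(chain_key: bytes, count: int) -> Tuple[List[bytes], bytes]:
    """Derive `count` per-message keys; return them with the new chain state."""
    keys = []
    for _ in range(count):
        chain_key, message_key = kdf_chain_step(chain_key)
        keys.append(message_key)  # the previous chain key is now discarded
    return keys, chain_key


def demo() -> Tuple[List[bytes], List[bytes], List[bytes]]:
    # Constructed shared secret; a real session gets this from a key agreement.
    shared = hashlib.sha256(b"constructed shared secret for the demo").digest()

    # Sender: three messages, then the device is seized, then two more.
    first_three, state_after_3 = derive_from(shared, 3)
    last_two, _ = derive_from(state_after_3, 2)
    sent = first_three + last_two

    # Receiver runs the same chain and arrives at the same keys.
    received, _ = derive_from(shared, 5)

    # Someone holding only the seized state can walk the chain forward
    # (messages 4 and 5) but has nothing that leads back to messages 1-3.
    from_seized_state, _ = derive_from(state_after_3, 2)
    return sent, received, from_seized_state


if __name__ == "__main__":
    sent, received, seized = demo()
    print("both sides agree:", sent == received)
    print("distinct keys:", len(set(sent)), "of", len(sent))
    print("seized state reaches earlier keys:", bool(set(seized) & set(sent[:3])))
```

That the seized state still yields the later keys is the gap the omitted Diffie-Hellman step closes by mixing fresh key material into the chain.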

Conclusion

What you choose to use and trust is a personal decision. Nothing is completely secure all of the time; anything critical should be kept to face to face meetings. In addition, all standard OPSEC rules should apply. (For a real world case of security fails and how that ended, read this story.) For those who claim that “we aren’t doing anything illegal,” keep in mind that we have reached a point where that determination is made on a case by case basis these days, and the odds are not in your favor. I also daresay that there are quite a few people recently put in jail who, if they’re smart, are rethinking a lot of their OPSEC and security strategies. Besides, as world renowned information security researcher The Grugq points out, “OPSEC is prophylactic, you might not need it now, but when you do, you can’t activate it retroactively.”

I’ll do a future article on other apps such as Silent Circle, Telegram, Zello, and more. In the meantime, sit down and decide what your critical information is. Do some basic threat analysis. Next, do some research on the above programs and decide what you can afford to compromise in terms of security. For many users of secure chat, it’s a life or death decision. Keep that in mind.

Above all, take the time to research and learn. You don’t have to be a computer wizard, but you do need to learn the basics of encryption and how to protect yourself. There’s an excellent beginner primer here (add this blog to your daily reads). For those who prefer a classroom setting, we have the Groundrod Primer class coming up in a few weeks. We highly recommend you check out both.

Whatever you do, for the love of Pete, stop using Facebook as a coordination, networking and recruiting tool.

CSG Groundrod Primer Class

This is the first course of the Groundrod series, which establishes the educational foundation of secure internet and device usage in the age of Pri$m.

The Groundrod Primer course is designed to incorporate a high level of student interaction. You will learn by doing.

* Understanding the current threat models in regards to nefarious collection of:
– Web browsing
– Phone calls
– Emails
– Chat
– Contact lists
– Location
– Private storage/data

* Options to counter the threat:
– Devices, hardware and software
– Human terrain, practicing practical tradecraft

* Implementation techniques
– Personal computer options
– Using a secure laptop successfully
– Using a secure phone / tablet

* Student lab / FTX
– Working in teams
– Establishing comms via secure accounts
– Covering your tracks / forensics

Need to bring:
Personal Laptop
Libertas Tablet (if you have one)
3 USB “thumb drives” (minimum) of at least 4GB capacity each
Note taking material

If you’ve been reading TOWR for any length of time then you understand why this class is needed, and why you need to be there. The bottom line is this: If you do not have the skills in this class, then you are putting the people you work with in danger. We are long past the point where lack of skills is acceptable.

This is NOT like our other classes. Participants will be vetted and approved to attend. Once you are vetted and approved, you will be registered in the class. Cost is $220 per person, but if there is a hardship, please contact us. Do not allow the cost to deter you from taking this course.

Dates: 26-27 March 2016

Class location will be given to each participant but not posted publicly.

This class will be taught by K@CSG. His bio can be found here.

The Groundrod Primer class is perhaps one of the most necessary courses you’ll take as a member of the patriot movement. Don’t miss it!

Registration:

  1. Email towr@whiterose.us and request vetting for the class.
  2. You will be mailed further instructions.

Tradecraft for Patriots: The Chess Game

In this second installment of our series on Tradecraft for Patriots, we’ll talk about what you’re protecting and what you’re up against. It’s no secret that the government does not agree with what you do. There’s a reason why they want your life open for inspection and your guns taken away. Their objective, of course, is control. Tradecraft makes it that much harder for them to achieve it.

Counterintelligence is the information gathered and activities conducted to protect against espionage, infiltration, surveillance, and other nasty things. It’s used by governments to protect against other state actors, but it’s also become one of the favorite activities of our own government against its citizens—especially us, patriots who stand against tyranny. TOWR, and many other patriot or III% groups, are not anti-government. We are anti-tyranny, and only seek a return to the constitutional form of government that adheres to the limits set by the Founders. That doesn’t matter, however. Patriots stand in the way of their agenda, and that makes us targets.

It all becomes a chess game, where the stakes are far higher than losing a piece on the board. It requires strategy, analysis, and a lot of careful planning and thought.
