I listed Waiting for the Barbarians earlier today on a list of Sites You Should be Reading, and there’s a new post up that proves I was right about it being a must-read site. It’s an excellent list of software you should be using, and he takes the time to go into the pros and cons of each piece of software. If you care at all about your privacy (and you should), then you need to read it and then put it into practice.
Operating Systems: Obviously Linux wins that round. He doesn’t mention Kali Linux or Qubes (the two operating systems I currently run), but the ones he mentions are excellent for beginners and can do anything you need done.
Internet Browsers: The obvious choice here is Tor, as he mentions. He also explains the cons to using Tor:
As stated previously, the Tor network does not provide perfect anonymity. (Nothing does.) Using Tor to surf the Darkweb may also compromise your anonymity. Because traffic is bounced all over the world before arriving at its destination, using Tor is noticeably slower than using a traditional web browser. The current version of Tor is not perfectly stable, and is prone to crashing when large numbers of tabs are loaded.
He goes on to discuss chat programs and much more. I’m not sure that I’d agree wholeheartedly with his assessment of ChatSecure as worth using; a 2015 security audit found serious issues. That being said, most of the issues were addressed very quickly, and the program may be much better now. I’ll have to take another look at it; in the meantime, I’d say use with caution (which is basically what you should be doing with any app).
I do find his assessment of Signal to be spot on. While Signal has been a solid solution for some time, the recent vulnerabilities and its Google dependency are making me rethink its use for anything truly sensitive. At this point, I would have to say Unseen is the better client.
He has several other tips and I highly suggest you read the whole thing. One more point I wanted to make: Iron sharpens iron. We have to be able to learn from each other; his article pointed out something I wasn’t aware of, and I’m glad he pointed it out. This is part of why you need to be doing your own research. We all may miss things. We need to be able to fill those knowledge gaps.
Go read his whole article.
One of the things we consistently teach in classes is that what is a good solution today may not be tomorrow. The tech landscape, and by extension the threat landscape within it, is constantly changing. It's our job to stay on top of those changes, so we can make the necessary adjustments to how we operate and stay ahead of the curve. Today it was announced that Signal, one of the best apps out there for 'secure comms' (nothing is completely secure), has been found to have certain vulnerabilities in it. For the detailed technical description of those vulnerabilities and how they were found, you can look at this article. For the basics, read on:
One of those vulnerabilities could allow potential attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely execute malicious code on the targeted device.
Before you run to Google Play and update, however, note that the update isn't available anywhere but GitHub at the moment. The developers are working on getting it into the Google Play store, and it should be available soon. Meanwhile, Open Whisper Systems, the company that makes Signal, had this to say:
“This was a really great bug report, but we consider its impact to be low severity at this time. It does not allow an attacker who has compromised the server to read or modify attachments, only to append a *minimum* of 4GB of unpredictable random data to the end of an attachment in transit,” Moxie Marlinspike, founder of Open Whisper Systems, said.
“While that causes a denial of service, effectively corrupting a file in an unpredictable way and making it too large to open on any Android device, an attacker that has compromised the server could more easily deny service just by blocking your request for the attachment.”
The good news is that the problems are fixable (and if you know how to use GitHub, you can get the patch), and as the researchers who found the problems stated:
“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson said. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”
What does this mean to you, the Signal user? Here’s what you need to do:
- If you don’t understand GitHub and you are using Android, then stop using Signal for sensitive communications until there is an update on the Google Play store. (Maybe use Unseen instead.)
- Read the technical description of the vulnerabilities. If you find a word you don’t understand, look it up. You’re not going to learn or get any better unless you get WHY and HOW things work.
- Pay attention to when that update drops. I would guess it’ll be within the next week or so. When it does drop, get on it. Immediately.
- Moving forward, consistently pay attention to what you’re using for digital communications. What is its state? Is it safe? What are the reported issues with it? Use best practices.
Signal is still one of the best solutions out there. We just need to stay on top of things so that when it changes, we can adapt.
If you’re a fan of the secure text messaging app Signal (and you should be), there are a few things you need to know about using it properly. From The Intercept:
Lock Down Your Phone
Common sense thing #1. There is no point to having a (more) secure texting app if your phone doesn’t even have a passcode on it. And I don’t mean a 4-digit PIN that matches your birthday or ATM PIN, either. Use the full QWERTY keyboard password option. Yeah, it’s less convenient. Security always is.
And for the love of all that’s holy, don’t use the Touch ID/fingerprint option. That’s just asking for trouble.
Hide Signal Messages on Your Lock Screen
If you’re worried about people seeing your private texts enough to use Signal, then it stands to reason that it’s pretty stupid to allow the content of your texts to show up on your locked phone screen. At the very least, make it so the content doesn’t show. If you’re truly security conscious, you may want to disable notifications on your lock screen completely.
Verify That You’re Talking to the Right Person
Makes sense, right? Man in the middle attacks, interceptions, taps, you name it and it’s happening. If you’re trying to talk to someone about something, somewhere, someone is trying to listen to it. Signal has identity verification for the people you’re talking to. Use it.
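To show why that identity check matters, here is an added illustration (example code written for this page, not Signal's own code, and not its exact safety-number derivation): each side hashes the pair of public keys it believes it is using and reads the digits to the other person out of band. If a server in the middle has swapped in its own key, the two sides are keyed to different pairs and the numbers will not match. The three public keys below are constructed stand-ins, not real keys.

```python
import hashlib

# Constructed stand-in public keys (32 raw bytes each, the size of an X25519 key).
# These are NOT real keys; they only need to be distinct and stable for the demo.
ALICE_PUB = bytes(range(0, 32))
BOB_PUB = bytes(range(32, 64))
MALLORY_PUB = bytes([0xAB] * 32)   # the man-in-the-middle's key


def fingerprint(*public_keys: bytes, digest_bytes: int = 15) -> str:
    """Derive a human-comparable fingerprint covering one or more public keys.

    Keys are sorted before hashing so both parties derive the same string
    regardless of which key is "mine" and which is "theirs". The first
    digest_bytes bytes of SHA-256 are rendered as groups of five decimal
    digits, the general style of a "safety number"; this is an assumed
    illustrative scheme, not the one any particular messenger uses.
    """
    h = hashlib.sha256()
    for key in sorted(public_keys):
        # Length-prefix each key so concatenation is unambiguous.
        h.update(len(key).to_bytes(2, "big") + key)
    digest = h.digest()[:digest_bytes]
    groups = [
        f"{int.from_bytes(digest[i:i + 3], 'big') % 100000:05d}"
        for i in range(0, len(digest), 3)
    ]
    return " ".join(groups)


def session_views(honest: bool) -> tuple[str, str]:
    """Return (what Alice sees, what Bob sees) after exchanging public keys.

    With honest=True the relay passes the real keys through. With honest=False
    a man-in-the-middle substitutes MALLORY_PUB in both directions: Alice is
    really keyed to Mallory and so is Bob, while each thinks they reached the
    other. Neither side can tell from the ciphertext alone.
    """
    if honest:
        alice_view = fingerprint(ALICE_PUB, BOB_PUB)
        bob_view = fingerprint(BOB_PUB, ALICE_PUB)
    else:
        alice_view = fingerprint(ALICE_PUB, MALLORY_PUB)   # Alice <-> Mallory
        bob_view = fingerprint(MALLORY_PUB, BOB_PUB)       # Mallory <-> Bob
    return alice_view, bob_view


def verified_out_of_band(alice_view: str, bob_view: str) -> bool:
    """The check the two people do in person, by voice, or over a second channel:
    read the digits aloud and confirm they are identical."""
    return alice_view == bob_view


if __name__ == "__main__":
    for honest in (True, False):
        a, b = session_views(honest)
        print(f"honest relay={honest}")
        print(f"  Alice reads: {a}")
        print(f"  Bob reads:   {b}")
        print(f"  match: {verified_out_of_band(a, b)}")
```

The point is that the comparison has to happen over a channel the same intermediary does not control; comparing the numbers through the very app being attacked proves nothing, which is why the article tells you to verify in person or by a second method.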
Okay so you installed Signal, put a password on your phone, turned off notifications. You can text and text now, right? Sure…as long as you don’t leave the texts on your phone. Layered security is called that for a reason. If someone IS able to get into your phone, there should be nothing for them to find…at least in your Signal. When you’re done, archive it. Delete it. Get rid of it.
The original article has a how-to guide for all of the above. Go read it. And if you’re still using Wickr…..might want to think about that.