
This is a simplified guide to encryption, security, and digital privacy. The programs and tools recommended here are tested and trusted by us, but they are not the only suitable options. The goal of this write-up is to guide you towards the best level of privacy without adding unnecessary complications: to strike a balance between a solution that's "good enough" and one that's easy to use.

...

  • NordVPN (https://nordvpn.com/)
    • They don't keep logs
      • Based in Panama, can't be compelled to produce any logs
    • OpenVPN protocol, most modern and secure.
    • Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
    • Plus
      • Fast, reliable
      • Works with Netflix
      • Affordable
      • Double VPN feature - just a gimmick in my opinion, but not a bad thing
  • ExpressVPN (https://www.expressvpn.com/)
    • They don't keep logs
      • Based in the British Virgin Islands, can't be compelled to produce any logs
    • OpenVPN protocol, most modern and secure.
    • Kill-switch. When set up, if the VPN connection were to fail for any reason, the kill switch prevents your computer from quietly falling back onto the insecure connection.
    • Plus
      • Fastest tested, reliable
      • Works with Netflix
      • More expensive than NordVPN, though consistently faster.

...

  • PersonalVPN by Witopia (https://www.personalvpn.com/) <- Overall not recommended!
    • Overall, PersonalVPN is a solid VPN service that's relatively easy to use, fast, and reliable. However, at the time of testing, it has a serious privacy issue. Furthermore, it is slow to offer modern features, and still lags behind the competition in several areas. My recommendation is to switch to NordVPN or ExpressVPN.
    • They don't keep logs, but they are based in the Five Eyes, so be careful.
    • Very fast
    • Leaks your DNS! This is a major flaw that can give away your real IP address. Beware!
    • No kill switch. Risky.
    • On the expensive side.


If you're curious about another VPN service, get in touch with us and we'll try to assess it.

Passwords

...

Your emails or encrypted files may be secure, but it doesn't matter if an attacker can get hold of your password.

  • Never reuse passwords!

The most common way an attacker gains access to an important online account (Gmail, banking, etc.) is not by defeating the security of the high-profile service, but by trying the same password that was used on a less secure service. It's important to use unique passwords for all the accounts that matter.

It's also vital that the differences between your passwords not be predictable. Do not, for example, use the same base password differing only by the name of the service.

  • Use a password manager

With more and more online services requiring account creation, and our growing dependence on online services, it can be difficult to keep track of and remember all the passwords for all the different accounts. For passwords to accounts and services aimed at ensuring privacy, remember those by heart; for everything else (Netflix, Facebook, etc.), use a password manager. A text document or a spreadsheet is not a secure way to store your passwords!

Password managers come in two flavors: local storage and cloud storage. They can be used for a lot more than passwords: secure notes, credit card numbers, private encryption keys, and other sensitive information can all be stored safely in a password manager.

    • Local Password Manager

Local password managers store your passwords in an encrypted file that is saved locally on your device, giving you complete control over the data.

    • You can save the encrypted password database file onto a USB drive for portability and ease of access to your passwords and other sensitive data when Internet access is unreliable or unavailable.
    • You don't have to worry about the password management service provider losing the data, or rely on them to properly back it up.
    • On the flip side, you have to make sure you properly back up your file.

We recommend KeePass for offline password management (https://keepass.info). It uses proven encryption technologies and has a track record of implementing them properly, it's open source, and it's portable (meaning you can run it off a USB drive without installing any software on your computer).

    • Cloud Password manager

Cloud password managers store your passwords in an encrypted file that is stored on the provider's servers.

    • You need an active internet connection to be able to access your passwords.
    • You don't have to worry about backing up your own database file.
    • On the flip side, there is a risk of the provider losing the data.

We recommend LastPass for cloud password management (https://lastpass.com).

  • Use a strong password

Your password, a short memorable phrase, is all that stops unauthorized access to all your data. Be sure to choose a strong and secure password. General tips:

    • Don't use personally identifiable information

Birthdays, anniversary dates, pet or loved ones' names are all terrible ideas for a password. So are favorite quotes, famous names, or any piece of information that can be easily guessed by knowing you or talking to you.

Your password should be chosen randomly; it should not reflect your thoughts or feelings.

    • Entropy matters!

Forget conventional wisdom and outdated practices: random letters and numbers do not make the best passwords unless they are very long, which makes them next to impossible to remember. Your passwords (unless seldom used and stored in a password manager) should be nearly impossible to guess, but very easy to remember.

Consider the following two passwords: "yM&Lqg4?Sz" and "atone long pod wordy calve". We've been led to believe that the first one is the more secure password, but in reality the first password is more difficult for us to memorize, and far easier for the computer to guess.

Info: Techno-babble

There are two types of attacks for breaking into a password-protected system by guessing the password: brute-force and dictionary. These attacks are effectively useless against online systems, even ones that are not secured properly; the latency alone makes them impractical. However, they are very effective against local encrypted files (like your password database, or any other file you encrypt for privacy).

Let's compare the two attacks against our two passwords. Let's assume the attacker is using an array of modern processors that is capable of going through

Brute Force

This technique relies on trying every possible combination of characters until the correct one is guessed, hence the name brute force. If we consider
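To put numbers on the two example passwords above, here is an added Go program (not from the guide) that computes the search space each attack faces: a character-level brute force against both, and a dictionary attack that knows the passphrase is five words from the 7776-word Diceware list. The cracking rate of 10^10 guesses per second is an assumption, as are the alphabet sizes.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed figures for this example: the guess rate is an assumption, not a number from the guide.
const (
	printableASCII = 95   // letters, digits and symbols on a US keyboard
	lowerAndSpace  = 27   // what a character-level brute force sees in a lowercase passphrase
	dicewareWords  = 7776 // size of the standard Diceware word list
	guessesPerSec  = 1e10 // assumed offline cracking rate against a local encrypted file
)

// KeyspaceBits is the entropy of a secret built from `length` independent
// choices, each made uniformly from `symbols` possibilities.
func KeyspaceBits(symbols, length int) float64 {
	return float64(length) * math.Log2(float64(symbols))
}

// YearsToExhaust is the worst-case time to try every candidate in a keyspace of `bits` bits.
func YearsToExhaust(bits float64) float64 {
	return math.Pow(2, bits) / guessesPerSec / (365.25 * 24 * 3600)
}

// Compare returns the search space each attack faces: character-level brute
// force against both passwords, and a dictionary attack against the passphrase
// (which knows it is `words` words drawn from the Diceware list).
func Compare(password, passphrase string, words int) map[string]float64 {
	return map[string]float64{
		"password brute force":     KeyspaceBits(printableASCII, len(password)),
		"passphrase brute force":   KeyspaceBits(lowerAndSpace, len(passphrase)),
		"passphrase dictionary":    KeyspaceBits(dicewareWords, words),
		"passphrase plus one word": KeyspaceBits(dicewareWords, words+1),
	}
}

func main() {
	for attack, bits := range Compare("yM&Lqg4?Sz", "atone long pod wordy calve", 5) {
		fmt.Printf("%-24s %6.1f bits, ~%.3g years to exhaust\n", attack, bits, YearsToExhaust(bits))
	}
}
```

A brute force sees the passphrase as roughly 124 bits, while an attacker who knows it is built from Diceware words faces about 65 bits, close to the 10-character random string; each extra word adds about 13 bits at no cost to memorability.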


Dual Factor Authentication

Anti Virus

Encryption

We'll describe three types of encryption technologies/algorithms we recommend, and go into detail on how and when to utilize each. 

The three are AES, RSA/OpenPGP, and the Signal Protocol.

AES

Advantages:

    • Easy to use
    • Does not rely on trusting a third party
    • Suitable for encrypting data for secure storage

Disadvantages:

    • Not suitable for sharing sensitive information

Technology overview:

Advanced Encryption Standard (AES) is a symmetric key algorithm ratified as a standard by the National Institute of Standards and Technology of the United States; AES-256 is currently labeled as sufficient to use in the US government for the transmission of TOP SECRET information.

At present, there is no known practical attack that would allow someone without knowledge of the key to read data encrypted by AES when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

A symmetric block cipher uses a single encryption key to encrypt and to decrypt a file, making it useful to encrypt personal documents but useless for sharing sensitive information with a third party.

It's relatively easy to encrypt personal files with AES, and it is recommended for encrypting your personal files, especially if you upload them to cloud-storage providers (Google Drive, Dropbox, etc.).

RSA/OpenPGP

Advantages:

    • Suitable for sharing private information
    • Suitable for encrypting data for secure storage
    • Depending on implementation:
      • Does not rely on trusting a third party with decryption keys - with manual implementation (as described in this write-up)
      • Easy to use - with delegated implementation (with services like protonmail.com)

Disadvantages:

    • Depending on implementation:
      • Difficult to learn, tedious to use - with manual implementation (as described in this write-up)
      • Relies on trusting a third party - with delegated implementation (with services like protonmail.com)

Technology overview:

RSA is a public-key cryptosystem, which uses an asymmetric key algorithm. The most important concept to understand about asymmetric key encryption is that it uses a public-private key pair, the public key is used to encrypt data, and the private key is used to decrypt it.

This allows you to share the public key freely: a sender uses it to encrypt their data before sending it to you, and only you can decrypt the data with your private key. Conversely, when you want to send sensitive data to another person, you must use their public key to encrypt it.

At present, there is no known practical attack that would allow someone without knowledge of the private key to read data encrypted by RSA when correctly implemented. As far as we know, intelligence organizations such as the NSA are not able to break it.

Signal Protocol

Advantages:

    • Easy to use
    • Suitable for sharing private information
    • Does not rely on trusting a third party
    • For some implementations, can be used to easily send private messages without leaving any traces of them anywhere.

Disadvantages:

    • Not suitable for encrypting data for secure storage
    • Tied to phone number, phone line must be active and capable of receiving incoming messages to reinstall application
    • Does not keep an encrypted backup; it either relies on an external unencrypted backup or loses all past communications.


Technology Overview:

Signal is similar to

Simplified Example of symmetric cryptography in practice:
Taken from https://wordtothewise.com/2014/09/cryptography-alice-bob/


This is a story about Alice and Bob.

Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail.

[Image: closedletter]

Unfortunately, Alice is pretty sure that the postman is reading the mail she sends.

[Image: openletter]

That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.


Alice decides to put the message inside a lockbox, then mail the box to Bob. She buys a lockbox and two identical keys to open it. But then she realizes she can’t send the key to open the box to Bob via mail, as the mailman might open that package and take a copy of the key.

Instead, Alice arranges to meet Bob at a nearby bar to give him one of the keys. It’s inconvenient, but she only has to do it once.

[Image: lockstore]

After Alice gets home she uses her key to lock her message into the lockbox.

[Image: shared1]

Then she sends the lockbox to Bob. The mailman could look at the outside, or even throw the box away so Bob doesn’t get the message – but there’s no way he can read the message, as he has no way of opening the lockbox.

[Image: shared2]

Bob can use his identical key to unlock the lockbox and read the message.

[Image: shared3]

This works well, and now that Alice and Bob have identical keys Bob can use the same method to securely reply.

Meeting at a bar to exchange keys is inconvenient, though. It gets even more inconvenient when Alice and Bob are on opposite sides of an ocean.


Simplified Example of asymmetric cryptography in practice:
Taken from https://wordtothewise.com/2014/09/cryptography-alice-bob/


This is a story about Alice and Bob.

Alice wants to send a private message to Bob, and the only easy way they have to communicate is via postal mail.

[Image: closedletter]

Unfortunately, Alice is pretty sure that the postman is reading the mail she sends.

[Image: openletter]

That makes Alice sad, so she decides to find a way to send messages to Bob without anyone else being able to read them.


This time, Alice and Bob don’t ever need to meet. First Bob buys a padlock and matching key.

[Image: public1]

Then Bob mails the (unlocked) padlock to Alice, keeping the key safe.

[Image: public2]

Alice buys a simple lockbox that closes with a padlock, and puts her message in it.

[Image: public3]

Then she locks it with Bob’s padlock, and mails it to Bob.

[Image: public4]

She knows that the mailman can’t read the message, as he has no way of opening the padlock. When Bob receives the lockbox he can open it with his key, and read the message.

[Image: public5]

This only works to send messages in one direction, but Alice could buy a blue padlock and key and mail the padlock to Bob so that he can reply.

Or, instead of sending a message in the padlock-secured lockbox, Alice could send Bob one of a pair of identical keys.

[Image: publichared]

Then Alice and Bob can send messages back and forth in their symmetric-key lockbox, as they did in the first example.

[Image: shared2]


When to use AES:

To encrypt your whole computer, or to encrypt files on the computer, which you don't intend to share with anyone.

When to use RSA:

To encrypt sensitive information for sharing with a third party, primarily through email. You can also use your own public key to encrypt your own files as you would with AES, but it adds a few steps to the process.



A concise guide to using the recommended tools will be added soon, but a more detailed tutorial for each tool can be found on its respective website.

AES

Once properly encrypted, the files can safely be duplicated for off-site backups or removed from the local device.

The tool I recommend using for encrypting personal files is 7-zip (https://www.7-zip.org/). 7-Zip is a free and open source compression and packaging program with a strong implementation of AES-256 encryption.
For MacOS X, Keka (https://www.keka.io/en/) is a port of 7-zip that offers the same level of encryption. A guide for using Keka can be found here: https://github.com/aonez/Keka/wiki/Compressing-with-Keka

What's great about 7-zip is that it's a very popular archiving tool, and it doesn't scream "I'm encrypting files!", satisfying the security-through-obscurity principle.

For a more convenient - but less obscure - experience, I recommend VeraCrypt (https://www.veracrypt.fr/en/Home.html). It allows you to mount a logical drive (think a USB drive plugged into your computer), where everything you save to the drive is encrypted. You can then safely upload the whole volume (or "drive" file). 


RSA

When sharing sensitive information, such as passwords or private encryption keys, always ensure the data is encrypted end-to-end; that is, encrypted on the sender's local device, and only decrypted on the receiver's local device. The use of public-key encryption is most commonly used  not limited to