TyperTech
Regular Member
- Joined
- Feb 26, 2024
- Posts
- 44
- Reaction score
- 0
- Status
- Offline
- Last Seen
Location > Location > Location
A Manual for Mastering Staying Safe Online
If you're under about 35, a grumpy old hag has probably told you about the old days without the internet and how everybody was so much better back then. If you're not, you surely know a couple of old hags like that but you aren't one- anybody reading this must be an amazing, kind, flawless soul! (Donations are always welcome, just so you know.)
Whatever side of the fence you're on, the fact that you're reading this means you go online. It brings great power that can greatly enhance your everyday life and your other constructed identities. Students of opsec will immediately recognize this comes at a cost, though- with great power comes great responsibility. For that we must be conscious of the danger every bit moving in or out of a computer brings, and how to mitigate it, starting at the very basics.
Cryptography
This section might as well be called PGPGP, because programmers' naming is so bad it's funny. An aside- if no-one had intervened, Linux would have been called Freax²⁹! I didn't want to scare you away before you even started reading though, so these details are buried further down. Or were, until I added this. Sigh.
Cryptography is about using math to produce private messages. Computers are luckily good at that, so the humans or lizards controlling them only need to understand how to command them. Luckily we have the power of LISTS!³⁰
Plaintext: This is exactly what it sounds like- boring, regular old text. It doesn't even have to be words. Any message that's readable by anyone who knows the format and language is plaintext, even if it's a picture of the Mona Lisa or my improved version of it. No, you don't want to see it. Trust me.
Encryption, Encrypting: The mathemagic that turns plaintext into...
Ciphertext: A confusing and uninformative jumble of letters and numbers and whatever else. If the encryption is any good, there shouldn't be any need to keep this private: only the intended recipient(s) can extract meaning from it anyway.
Decryption, Decrypting: Converting ciphertext into plaintext, like an intended recipient would and you hope an eavesdropper wouldn't.
Key: the important stuff. Like a physical key only allows the "right" people to open a lock, cryptographic keys are what lets the people involved encrypt or decrypt a message. Rather than hide the encryption method, it's common to just use secret information- the key- in it and keep that from adversaries.
Asymmetric Encryption: The lock analogy has just one problem: everybody needs a copy of the key to use the lock. That means you have to trust whoever you're communicating with, as well as have a private way to share the key in the first place. Thanks to some very clever mathematics developed in the second half of the 20th century, though, it's now possible to get around that. Instead there can be two different keys:
Public Key: A key for encryption only. It's safe to share with friends, family, old ladies in the street, convicted murderers, and undercover agents, because it's impossibly difficult to decrypt ciphertext with it. Often they contain a name, e-mail address, and comment, but these fields aren't verified in any way and can be pseudonymous.
Private Key: A powerful but fragile thing. Private keys are only for decryption, and anybody with yours can read all the messages sent to you privately. That includes servers, so perform any decryption on your computer and don't store your private key anywhere without encrypting it first. Sadly, such strict security also means private keys can't be recovered- so keep them secure, backed up (encrypted of course!), and password-protected. In particular, TAILS users beware- make sure your persistent storage covers any encryption keys!
Signature: Exactly what it sounds like. Digital signatures rely on using public/private symmetrically: the keys can be swapped to create a message anyone can decrypt but only the author can encrypt, so that sending an encrypted version of a "condensed" message alongside the actual message attaches it to the pseudonym that holds the key.
You might also hear about end-to-end encryption, which just means doing encryption the way you should be: encrypt a message before it leaves your hands and only decrypt it once it lands in the other person's. Anything else means somebody in the middle can read your messages, which is bad opsec.
To actually use this, of course, you need the right software. The recommended messaging programs in the previous chapter (Briar and Pidgin with the Off the Record plugin) both provide end-to-end encryption³¹ ³². For e-mail any client- not webmail- worth using supports the OpenPGP encryption standard, derived from the earlier software tool "Pretty Good Privacy" whose name parodied "Ralph's Pretty Good Grocery" from a radio show³⁵. This standard is also applied to messages outside e-mail or instant messaging, a task the program Kleopatra is perfect for. If you don't mind using the command line, the more widely used GPG (GNU Privacy Guard, not PGP- see what I mean about terrible names?) is also a very nice option. For just managing your key collection, "Seahorse" is a nice choice that comes pre-installed with TAILS, although it isn't necessary with one of these other two programs.
One more critical thing regarding encryption: it's also important to encrypt the files you store locally. Otherwise, what happens if your device(s) get stolen or seized by an adversary? Full-Disk Encryption, as it's known, is thankfully the default for the OSes recommended in Chapter 2. For legal protection in countries where withholding password is a crime, though, PC users may also want to research and set up VeraCrypt "Hidden Volumes"³⁶ or LUKS headerless partitions or similar, which make it impossible for authorities to prove a disk is encrypted and not wiped with random data just by analyzing its contents. Unless its existence is verified some other way, the plausible deniability is enough to prevent the situation from becoming a catch-22.
Just don't forget to remember your encryption password and back. your. shit. up. You can't just ring up Microsoft support to reset the password (do you want Microsoft touching your password?), but- much more seriously- encryption works on whole chunks of data. One damaged bit will ruin a complete block, so do not rely on one copy of all your precious bytes to be enough.
A Manual for Mastering Staying Safe Online
If you're under about 35, a grumpy old hag has probably told you about the old days without the internet and how everybody was so much better back then. If you're not, you surely know a couple of old hags like that but you aren't one- anybody reading this must be an amazing, kind, flawless soul! (Donations are always welcome, just so you know.)
Whatever side of the fence you're on, the fact that you're reading this means you go online. It brings great power that can greatly enhance your everyday life and your other constructed identities. Students of opsec will immediately recognize this comes at a cost, though- with great power comes great responsibility. For that we must be conscious of the danger every bit moving in or out of a computer brings, and how to mitigate it, starting at the very basics.
Cryptography
This section might as well be called PGPGP, because programmers' naming is so bad it's funny. An aside- if no-one had intervened, Linux would have been called Freax²⁹! I didn't want to scare you away before you even started reading though, so these details are buried further down. Or were, until I added this. Sigh.
Cryptography is about using math to produce private messages. Computers are luckily good at that, so the humans or lizards controlling them only need to understand how to command them. Luckily we have the power of LISTS!³⁰
Plaintext: This is exactly what it sounds like- boring, regular old text. It doesn't even have to be words. Any message that's readable by anyone who knows the format and language is plaintext, even if it's a picture of the Mona Lisa or my improved version of it. No, you don't want to see it. Trust me.
Encryption, Encrypting: The mathemagic that turns plaintext into...
Ciphertext: A confusing and uninformative jumble of letters and numbers and whatever else. If the encryption is any good, there shouldn't be any need to keep this private: only the intended recipient(s) can extract meaning from it anyway.
Decryption, Decrypting: Converting ciphertext into plaintext, like an intended recipient would and you hope an eavesdropper wouldn't.
Key: the important stuff. Like a physical key only allows the "right" people to open a lock, cryptographic keys are what lets the people involved encrypt or decrypt a message. Rather than hide the encryption method, it's common to just use secret information- the key- in it and keep that from adversaries.
Asymmetric Encryption: The lock analogy has just one problem: everybody needs a copy of the key to use the lock. That means you have to trust whoever you're communicating with, as well as have a private way to share the key in the first place. Thanks to some very clever mathematics developed in the second half of the 20th century, though, it's now possible to get around that. Instead there can be two different keys:
Public Key: A key for encryption only. It's safe to share with friends, family, old ladies in the street, convicted murderers, and undercover agents, because it's impossibly difficult to decrypt ciphertext with it. Often they contain a name, e-mail address, and comment, but these fields aren't verified in any way and can be pseudonymous.
Private Key: A powerful but fragile thing. Private keys are only for decryption, and anybody with yours can read all the messages sent to you privately. That includes servers, so perform any decryption on your computer and don't store your private key anywhere without encrypting it first. Sadly, such strict security also means private keys can't be recovered- so keep them secure, backed up (encrypted of course!), and password-protected. In particular, TAILS users beware- make sure your persistent storage covers any encryption keys!
Signature: Exactly what it sounds like. Digital signatures rely on using public/private symmetrically: the keys can be swapped to create a message anyone can decrypt but only the author can encrypt, so that sending an encrypted version of a "condensed" message alongside the actual message attaches it to the pseudonym that holds the key.
You might also hear about end-to-end encryption, which just means doing encryption the way you should be: encrypt a message before it leaves your hands and only decrypt it once it lands in the other person's. Anything else means somebody in the middle can read your messages, which is bad opsec.
To actually use this, of course, you need the right software. The recommended messaging programs in the previous chapter (Briar and Pidgin with the Off the Record plugin) both provide end-to-end encryption³¹ ³². For e-mail any client- not webmail- worth using supports the OpenPGP encryption standard, derived from the earlier software tool "Pretty Good Privacy" whose name parodied "Ralph's Pretty Good Grocery" from a radio show³⁵. This standard is also applied to messages outside e-mail or instant messaging, a task the program Kleopatra is perfect for. If you don't mind using the command line, the more widely used GPG (GNU Privacy Guard, not PGP- see what I mean about terrible names?) is also a very nice option. For just managing your key collection, "Seahorse" is a nice choice that comes pre-installed with TAILS, although it isn't necessary with one of these other two programs.
One more critical thing regarding encryption: it's also important to encrypt the files you store locally. Otherwise, what happens if your device(s) get stolen or seized by an adversary? Full-Disk Encryption, as it's known, is thankfully the default for the OSes recommended in Chapter 2. For legal protection in countries where withholding password is a crime, though, PC users may also want to research and set up VeraCrypt "Hidden Volumes"³⁶ or LUKS headerless partitions or similar, which make it impossible for authorities to prove a disk is encrypted and not wiped with random data just by analyzing its contents. Unless its existence is verified some other way, the plausible deniability is enough to prevent the situation from becoming a catch-22.
Just don't forget to remember your encryption password and back. your. shit. up. You can't just ring up Microsoft support to reset the password (do you want Microsoft touching your password?), but- much more seriously- encryption works on whole chunks of data. One damaged bit will ruin a complete block, so do not rely on one copy of all your precious bytes to be enough.