Jim de G.
In this post I'm going to talk about some important current events, then proceed to suggest three ways to make your email just a little more secure (with caveats).
First the important current events:
The link to the NSA papers leaked to the Guardian is >> here << and the two part video interview with Edward Snowden can be found >> Part 1 here << and >> Part 2 here <<.
It is believed that Mr. Snowden was using the Lavabit encrypted email service while he was holed up in Moscow airport.
Well now, two encrypted email providers shut down over the weekend of August 9-11, 2013: Lavabit and Silent Circle (its Silent Mail service).
Apparently Lavabit had been in a six-week legal battle trying to prevent the US government from accessing the personal records of its users, including private encryption keys that could be used to decrypt private messages. They pulled the plug on the service rather than hand customer information over to the feds.
Lavabit owner Ladar Levison, 32, wrote in a letter posted on the Lavabit website: "I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit."
He goes on further to say: "This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States."
He concludes a Forbes interview by saying: "If you knew what I know about email, you might not use it."
Hours after Lavabit shut down, another encrypted email provider, Silent Circle, shut down its Silent Mail email service as a preemptive measure: they wiped the stored mail and took the service offline before the feds could come looking for it. Their phone, video and text products kept running.
The bottom line is that although the contents of an email can be encrypted pretty well, the headers that show who the email is from, who it is going to, when it was sent (and, with OpenPGP, the Subject line too) are not covered by the message encryption. That "metadata" is readable by every mail server on the path, and it is what NSA captures and records.
In the interview linked above, Snowden talks about people who think that since they're doing nothing wrong they have nothing to hide or worry about. Snowden said that if something were to happen in the future and you became the subject of investigation, NSA could go into your entire history they've recorded and find anything they could use to criminalize you for their purposes.
And we all know what the government thinks of "Doomsday Preppers."
So what are we to do?
One step that I've taken is to use a Virtual Private Network (VPN) to change my IP address and encrypt all of my data as it traverses the Internet. I wrote about this in a different post; you can email me at the address below for more information. The service I use has servers in Sweden, which don't adhere to the European Union data retention laws (the EU being cousins to NSA). Keep in mind that a VPN encrypts traffic only between your machine and the VPN provider's server; from there it travels to its destination as it normally would, so this hides your IP address from the mail server but does nothing for the email itself.
Another step that I've taken is to move my email to a provider offshore in Colombia, South America, a country that doesn't have the data-sharing agreement with the US. For about $10/month you can get email service from >> Jumpshipservices.co <<. I still have my Gmail account for light stuff, but for anything important, mail me at Jim@HardGuard.us, which is my special JumpMail line. Moving offshore changes which government can subpoena the provider; the provider itself still sees everything that isn't encrypted end to end, which is what the next step is for.
Another thing I've done is set up my home system to use the >> Thunderbird email client << with the >> Enigmail plug-in <<, which uses OpenPGP to encrypt the email's contents.
OpenPGP is an open standard (RFC 4880) for public-key encryption and signing; GnuPG is the Open Source implementation that Enigmail drives behind the scenes.
Using Enigmail (which uses GnuPG on Windows, Mac and Linux alike) you generate a key pair: a public key that you share with anyone who wants to write to you, and a private key that you keep secret and never give out. There are even servers set up to distribute public keys (if you go to >> pgp.mit.edu << and search for email@example.com, you can find my public key).
Here's how public key encryption works: if you want to send an encrypted email to someone, Thunderbird with the Enigmail plug-in encrypts the message to *their* public key. Then only *they* can decrypt it, using their private key (with Enigmail or any other OpenPGP-compatible software). Remember that this protects the body and attachments only; the Subject line and the other headers still go out in the clear.
But back to Enigmail... when it comes time to generate your key pair while setting the system up (you only do this once), you need to select a pass phrase. The key material itself is random; the pass phrase is used to encrypt the private key where it sits on your disk, so anyone who copies that file still needs the pass phrase before the key is any use to them.
If NSA were to get hold of your private key file, the practical way in is to guess the pass phrase with what's called a "dictionary attack": trying common words, phrases, quotations and variations of them, in many languages, against the stored key file until one unlocks it. These dictionary attacks can be quite sophisticated. Without the key file there is no pass phrase to attack, and the attacker is left trying to break the public-key math itself, which is what the key size is there to prevent.
So here's the trick if you're going to set this up: when it comes time to select your pass phrase, *pick something long that nobody else would ever write down*. A phrase in a language other than English helps only a little, because the cracking wordlists contain those languages too. Several unrelated words strung together, or a sentence you made up yourself, is what actually makes a dictionary attack impractical, and that is what keeps the contents of your encrypted emails out of reach if your key file ever leaks.
Sure, NSA can get the metadata. But you can talk about being truly prepared all day with friends who also have this system set up, and it would take more time than it was worth for the feds to crack the code, even with their supercomputing power.
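To make the two points above concrete, here is an added example (not from the original post, and not Enigmail or GnuPG code) that models how a private key is protected at rest by its pass phrase and what a dictionary attack against that stored key looks like. It uses only the Python standard library; the "private key" is a random blob standing in for real key material, and the string-to-key, stream cipher and MAC construction is a simplified stand-in for GnuPG's own format, not a reimplementation of it. The attacker's wordlist is constructed here and is deliberately small.

```python
# Added example: pass phrase protection of a private key at rest, and the
# dictionary attack that becomes possible once an attacker has the key file.
# Standard library only. The construction below is a simplified stand-in for
# GnuPG's string-to-key + symmetric encryption, not its actual format.
import hashlib
import hmac
import math
import os

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """String-to-key: stretch the pass phrase into a 32-byte symmetric key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for the real block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def protect_private_key(private_key: bytes, passphrase: str) -> dict:
    """Encrypt the (random) private key under the pass phrase. The key material
    does not depend on the pass phrase; the phrase only gates this stored copy."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, _keystream(key, len(private_key))))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unlock_private_key(blob: dict, passphrase: str):
    """Return the private key if the pass phrase is right, otherwise None."""
    key = derive_key(passphrase, blob["salt"])
    expected = hmac.new(key, blob["salt"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], _keystream(key, len(blob["ciphertext"]))))


def dictionary_attack(blob: dict, wordlist) -> tuple:
    """What an attacker who has copied your key file does: try each candidate
    against the stored blob. Returns (recovered_passphrase_or_None, guesses)."""
    for n, guess in enumerate(wordlist, start=1):
        if unlock_private_key(blob, guess) is not None:
            return guess, n
    return None, len(wordlist)


def passphrase_entropy_bits(num_choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `num_choices`."""
    return picks * math.log2(num_choices)


# Constructed attacker wordlist: common English AND non-English phrases.
# Real cracking wordlists hold millions of entries in many languages.
ATTACKER_WORDLIST = [
    "password", "letmein", "correct horse", "to be or not to be",
    "el gato negro", "la vie en rose", "carpe diem", "ich bin ein berliner",
]


def demo() -> dict:
    private_key = os.urandom(64)  # stands in for the real key material
    weak = protect_private_key(private_key, "el gato negro")  # Spanish, but common
    strong_phrase = "marble quiet folding helmet reveal onion"  # six random words
    strong = protect_private_key(private_key, strong_phrase)

    found_weak, tries_weak = dictionary_attack(weak, ATTACKER_WORDLIST)
    found_strong, _ = dictionary_attack(strong, ATTACKER_WORDLIST)
    return {
        "weak_cracked": found_weak,
        "weak_tries": tries_weak,
        "strong_cracked": found_strong,
        "unlock_ok": unlock_private_key(strong, strong_phrase) == private_key,
        "wrong_pass_rejected": unlock_private_key(strong, "el gato negro") is None,
        # six words from a 7776-word list vs one phrase from a 100,000-phrase dictionary
        "diceware_bits": round(passphrase_entropy_bits(7776, 6), 1),
        "phrase_dictionary_bits": round(passphrase_entropy_bits(100_000, 1), 1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when you run it: the Spanish phrase falls on the fifth guess because it is in the attacker's list, language notwithstanding, while the six random words are not found at all; and the attack can only run because the attacker was handed the protected blob. Without the key file there is nothing to test guesses against, which is why the first line of defence is keeping the private key off shared machines and out of cloud backups.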
So if anyone is interested, download the Thunderbird email client and Enigmail, follow the directions, get my public key and send me an encrypted email and we can talk about the next level of security, fairly securely... at least a little more securely than plain text.
When you follow the directions on the Enigmail site for setting up GnuPG on the Mac, it will also work with Apple's Mail client, BTW; you don't have to use Thunderbird. Just follow the Mac setup directions on the Enigmail website.
If enough folks are interested in this topic I can produce a tutorial, just shoot me a plain text email to Jim@HardGuard.us
So I've talked about using a VPN to create an encrypted "tunnel" for your data to pass through, taking your email service offshore, and using freely available software to encrypt the contents.
Jim de Geus
PS - The current trend in email security is to avoid email altogether by using a paid service such as Silent Circle to encrypt your phone calls, video calls and text messages in real time, end to end. It is a paid service, however, and all your friends would have to subscribe as well in order to communicate securely with each of them. Because the encryption is end to end, Silent Circle itself cannot read the content, but it still knows who is talking to whom and when, and no service can protect a phone that has already been compromised.
Addendum: Steganography is the art of hiding information. >> SilentEye << is an Open Source, cross-platform application which hides messages in pictures or sounds and is designed for ease of use.
By cross-platform I mean that it will run on Windows, Mac and Linux. Since it's Open Source, it's free to use, free as in beer.
The messages can be encrypted with AES-256 (a strong, standard cipher) and password protected. Just don't send that password in a plain text email and you should be OK; use another medium, such as a phone call or a conversation in person, to give your recipient the password. Do use the encryption: hiding alone is not secrecy, since anyone who knows which tool you used can pull the message back out of the picture.
Remember, passwords can be guessed with sophisticated brute-force and dictionary attacks, so be creative with the passwords you use. Use long passwords with combinations of upper and lower case letters, numbers and symbols, and never reuse the one you gave your recipient for anything else.
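For readers who want to see what "hiding a message in a picture" means mechanically, here is an added example of least-significant-bit steganography, the basic technique behind tools like SilentEye. This is not SilentEye's code. The "image" is a constructed flat bytearray of 8-bit grayscale samples (no image library needed), and a 4-byte big-endian length header is prepended so the extractor knows how much to read. Payload encryption is omitted because the standard library has no AES; as the text says, in practice you encrypt first and then hide.

```python
# Added example: LSB steganography on a constructed grayscale "image".
# Not SilentEye's code; the cover image and secret below are made up.
from typing import Iterator

HEADER_BYTES = 4


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover: bytes) -> int:
    """How many payload bytes fit: one bit per sample, minus the header."""
    return len(cover) // 8 - HEADER_BYTES


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in the low bit of successive samples of `cover`."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity "
                         f"of {capacity_bytes(cover)} bytes")
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # overwrite only the lowest bit
    return bytes(stego)


def _read_bytes(stego: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the low bits, starting at sample byte_offset*8."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[(byte_offset + b) * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload. No secret is needed, which is exactly why hiding
    alone is not secrecy and the payload should be encrypted before embedding."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if length > capacity_bytes(stego):
        raise ValueError("length header exceeds cover capacity; not a stego image")
    return _read_bytes(stego, HEADER_BYTES, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by embedding (at most 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 grayscale "photo": a smooth gradient, not a real image file.
COVER = bytes((x + y) // 2 for y in range(64) for x in range(64))
SECRET = b"Meet at the north gate, 0600. Bring the radio."


def demo() -> dict:
    stego = embed(COVER, SECRET)
    return {
        "capacity": capacity_bytes(COVER),
        "recovered": extract(stego),
        "max_change": max_sample_change(COVER, stego),
        "same_size": len(stego) == len(COVER),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The embedding changes each affected sample by at most one gray level, which is why the picture looks unchanged to the eye, and the file stays exactly the same size. Note what `extract` does not ask for: a password. Anyone who suspects the scheme recovers the bytes, so the AES layer that SilentEye puts on top is doing the real protecting; the picture only buys deniability.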