dark comms: a basic guide to secure communications

[red]

Jaeger had the brilliant idea to start a thread covering things like encryption, secure sms and etc. So, here it is. I am far from an expert but I know a little.


Secure SMS/MMS

Android/iOS: The best app out there right now is Signal by Whisper Systems. It allows secure and nonsecure SMS/MMS along with secure calling that features a randomly generated two word key at the bottom of the display.

[red]

Just to clarify, this was made as a group effort to share info about secure communications, not a thread where I spout off info (I'm not that smart). So... if you have some tips or ideas on the subject, please share!

[Bigshankhank]

For reference, I am still using an archaic iPhone 5c, same model as the San Bernadino shooters that the feds couldn't force their way in to. So am I better off keeping it? I have thus far refused to upgrade to IOS 10.

[motorpsycho67]

Why would I want to do this?

I'm not particularly paranoid. They're welcome to my boring texts/calls.

[DerGolgo]

Why would I want to do this?

I'm not particularly paranoid. They're welcome to my boring texts/calls.

Solidarity and plausible deniability. Signal to noise.

Even if you have nothing to hide, you have something to fear. You should fear the regime muzzling dissenting voices. You should fear the fascists turning the world around you into a giant ATM for their corporate masters, destroying democratic institutions in the process.

When the new US regime begins cracking down on dissenters, which won't necessarily happen in any manner resembling a traditional crackdown, and only those they crack down upon use encryption, they have no plausible deniability. If a large portion of the population uses encrypted communications, the regime would find it slightly more difficult to find someone for the cracking.
Such a crackdown might just look like that old gem, the no-fly-list. Just that it'll be a no-drivers-license list, a no-mortgage list, a no-health-insurance list. Any number of little things to ensure that anyone making a ruckus against the junta won't be able to even just get a job, never mind activism. They'd leave them cellphones and credit cards, because those things DO allow tracking, actually.

No, public outcries won't stop them from getting away with such. For one, the public won't outcry much about something if it's presented to them right, also the Trumpista likely won't even care about any outcry, and last but not least, it can likely all be done in secret. So much is done through database systems these days, DMVs, mortgage brokers, insurance agents. They only see what the computer tells them when whatever application they entered is being denied. Even their bosses don't have to know such little tricks could be hidden in their system. All it takes is someone walking into the office of whoever runs IT for the outfit, present them with a top-secret presidential order that security "monitoring" software XY must be installed, and that it must be double-plus secret and if you say anything it's orange jumpsuits for you.
There are any number of subtle little harassments one could imagine. Trump may be thick as two planks nailed together with a third plank for a nail. But the people around him aren't. They know what it'd look like and what noise they'd have to deal with if they just rounded up the dissenters. Much easier and equally effective to just exclude them from the infrastructure of modern life and society.

If only the people "with something to hide" refuse to put their phone on the tray for the x-ray, even the TSA can work out who to pat down, and will likely find something.
Recall the "jammers" from The Prisoner? Would talk about killing Number 2 so much and so often, they stopped being treated as genuine suspects.
In the end, the question is cost effectiveness, or rather a cost/benefit calculation that anyone looking would likely have to engage in.
Some stuff we think secure, they might just giggle about. Other stuff, they'll go "Hm". Even if it doesn't cost much money, having a highly qualified specialist decypher it creates opportunity-cost and may just not be worth it. Even if they decypher everything, unless they already have robust AI, someone still has to look over some stuff. Enough people use encryption, enough stuff to look over, enough opportunity cost to create blind spots that activism can hide behind.
Like with aviation in the 1950s and 60s, public knowledge is probably about a decade behind what the governments of the world can do in terms of cypher breaking and suchlike. When Ed Snowden revealed what he revealed, parts of what is publicly known were bumped forward a bit. But we hardly caught up, and TPTB Inc surely did what they could to ensure we'd fall even further behind in the aftermath. This entire discussion may be moot, there may be no secure communications left at all. But TPTB Inc don't deserve THAT benefit of THAT doubt.

Secure browsing
Commercial VPN services my be subverted by security agencies. Or may not. A proper VPN lets you do anything you do over the internet. But whoever is on the other side only ever sees the IP of your VPN service. As long as you don't let anything set cookies, that's good anonymity right there. Good services cost money, though.
TOR, meanwhile, is free. "The Onion Router" doesn't let you do absolutely everything, only what you can do through your browser, and doesn't support all plugins. But you don't get cheaper than free, and the routers therein are random volunteers somewhere in the world, not a server farm in Switzerland.
As it is, though, the TOR network may have, in large part, been subverted by the NSA, or so I recall hearing a while back. That may have changed, I don't know. Around the time I think I heard that there were a few spree killings, the usual cluster of events within a short period (thanks to the extensive media coverage motivating the next guy, as usual), and before anyone had even checked to see where the guns had actually come from, we were told "dark web! dark web! dark net! fear, fear, fear!".
The mainstream media here in Germany was desperate to tell anyone, even if they wouldn't listen, that if you just google "the dark web", and you don't have gym bag full of submachine guns, loaded and rounds chambered, in thirty minutes or less, you get a bazooka for free.

Encrypted Email and other text files
You can encrypt any text with PGP. A free implementation of which is GnuPG.
"Pretty Good Privacy" is an asymmetric encryption system. You start out with it and create two keys. One is the "public key", with which anyone can encrypt a message for you. That key is literally intended to be published. A message encrypted with it cannot be decrypted with it, thanks to mathematical vodoo I won't even pretend to comprehend (ha! gotcha! you thought I would try and explain!). You also generate a private key, which must be kept plus-top-secret. That is the one that can decrypt a message encrypted with the public key.

Instant messaging
For instant messaging, there is Jabber. That protocol implements PGP encryption in an IM system. Popular clients for Windows machines are Jitsi and Pidgin. I use Jitsi.
For Android phones, the client I know is Chatsecure. Though I haven't used that in a while and am not sure about how well it's being updated. I can't be arsed to check on that right now, but it's where you may want to start googling.

Encrypting larger files
For your larger, non-text files, there is VeraCrypt. It's like TrueCrypt, almost entirely identical user interface and functionality, only it's still being supported and updated, unlike TrueCrypt, which has been abandoned.
VeraCrypt lets you create virtual hd partitions that exist in reality as encrypted files. These are never fully decrypted when data stored therein is accessed. The software only decrypts the bits that are needed at the time. It's fast and offers a bunch of encryption mechanisms that can even be combined. It's not like simple password protection, like on a WinRAR file, but real encryption that takes the experts more then three minutes to get around.
Hypothetically, it should be possible to play Russian dolls with encrypted files, actually.
As an aside, you can also use it to create hidden partitions on your computer. Anyone looking would only find an unformatted part of your HD, entirely filled with random data.

[motorpsycho67]

TL;DR (as usual)


Sorry, but I'm not that paranoid.

Not saying it's not possible, just don't care to let it take up valuable real estate in my noggin.

[DerGolgo]

TL;DR (as usual)


Sorry, but I'm not that paranoid.

Not saying it's not possible, just don't care to let it take up valuable real estate in my noggin.

I've shortened.
If only dissenters use the "paranoid" way of communicating, they are too easy to find. Big old "look here" sticker. But if they don't, that's not helpful, either, for obvious reasons. Find one, you'd have it all, lacking safe comms.
Even the "happy birthday" message to your aunty should be encrypted if you want to help others dissent and engage in activism.

Why would I want to do this?

I'm not particularly paranoid. They're welcome to my boring texts/calls.

Solidarity and plausible deniability. Signal to noise.

Even if you have nothing to hide, you have something to fear. You should fear the regime muzzling dissenting voices. You should fear the fascists turning the world around you into a giant ATM for their corporate masters, destroying democratic institutions in the process.

[red]

TL;DR (as usual)


Sorry, but I'm not that paranoid.

Not saying it's not possible, just don't care to let it take up valuable real estate in my noggin.

Due to the increased threat of ransomware, I have to apply this secure mindset to all of my digital interactions, online, sms and etc. Being secure not only keeps prying eyes away, it keeps your personal data safe.

[Shhted]

May I suggest some basic OpSec for those who don't want to go totally Dark but want to improve their security perimeter. A lot of this may seem trivial, but it greatly decreases your attack surface.

1. Obtain and use a password manager. There are many out there. I use 1Password, and I'd recommend it. However, just use one. This is a key component of what I will cover in the following. It's worth it to spend $ here. Do NOT reuse passwords. The rule is unique account = unique password.
2. Your ISP connection, is it a cable modem or somesuch? Change the default password on the hardware to something long and unique. Store it in your password manager. Update the firmware on it frequently. Many are configured to obtain fresh firmware upon reboot. Otherwise do so on your own schedule by setting a calendar reminder for yourself. Search for the device model and firmware update from the manufacturer's website. Do this for all of your networking gear (routers, modems, hubs).
3. Your devices, regardless of OS or brand - update often. Update the OS via trusted sources (the manufacturer). Don't just think about your mobile phones and workstations, do the same for your smart devices too: TVs, Cameras, Game Consoles, Thermostats, etc. They are often the most dumb.
4. Have an email address solely for the purposes of receiving SPAM and other shit. Use that address to sign up for things. This is how I use Yahoo. Don't populate contacts with this account.
5. You should know not to click unknown links and such, but you should also be aware of how social media can leave you exposed. Review all of your social media privacy settings, and do so often. If you are looking for guidance many tech or security blogs detail how to do so per platform.
6. Get yourself a VPN. This is most important when leveraging free wi-fi. It doesn't secure you completely, but it does make you more difficult to attack than someone who isn't using one. Remember, with free wi-fi you get what you pay for. If you don't need to connect, don't.
7. Set your devices such that they do not autoconnect to available WiFi. Require that you interact to connect to WiFi.
8. Shut off any unnecessary services on your devices. If you're not using Bluetooth devices, shut off the capability.
9. The most important aspect IMHO, assist those who are connected to you but not savvy enough to save their own skins.

Stay vigilant, my friends.

[guitargeek]

Goes to look up SMS and MMS...

[DerGolgo]

Oh yeah, I should maybe chime in.
I've gotten me some VPN last year, simply because I value my privacy, actually. No, I'm not torrenting shit, even though I probably could do so with more or less impunity.
I pay for it, but the prices are reasonable, imho.
It IS sometimes useful if I want to watch something on youtube that's geo-locked (or whatever the kids call it these days) to the USA.

[red]

Still think this is all silly nonsense?

https://www.nytimes.com/2017/08/15/us/p ... tests.html

WASHINGTON — The Justice Department is trying to force an internet hosting company to turn over information about everyone who visited a website used to organize protests during President Trump’s inauguration, setting off a new fight over surveillance and privacy limits.

[DerGolgo]

Been using this with friends for quite a while:
https://telegram.org/" onclick="window.open(this.href);return false;

It's fully encrypted and cloud based. Which means you just install it on all your devices, and all your contacts are there, and all your conversations, no additional "syncinc" and such required.
It's what the lefty nerd scene (yes, that's a thing) recommends. Also does file transfers, conferences, etc.

[red]

What about mesh network messaging? I installed Bridgefy and Briar but looks like none of my contacts have gone that deep.

[DerGolgo]

I confess, I'm not familiar with mesh networks at all. Isn't that what the protesters in Hong Kong are using to organize?

For private messaging, I prefer Signal, these days. It's fully open-source, and dissenter groups in various parts of the world use it.
Ditto Telegram. I use that, but not as much, and not as present, due to computer woes. General problem: part of the Telegram source is proprietary and undisclosed, so it may be compromised. I was told that dissenters in Iran use it a lot.

For either application, just using it at all is an act of solidarity, as any new user adds to the noise that intelligence agencies and secret polices have to dig through to find the signal they are looking for.

[red]

I know it isn't secure, but I've started down the path of HAM radio. It's interesting stuff.

[DerGolgo]

I know it isn't secure, but I've started down the path of HAM radio. It's interesting stuff.

I do think I read about a digital communications protocol that's intended to let CB or HAM operators transfer digital data via radio. Until StarLink becomes publicly available, a bunch of people in a bunch of places probably depend on that sort of thing. I'm sure most of the continental US is covered by consumer-grade satellite internet services. But what about northern Alaska, northern Canada, all those bits of Scandinavia north of the arctic circle, where line-of-sight to satellites might not be an option?
Not to mention places like the Australian Outback.
Suppose such transmission is practical, transferring PGP encrypted data shouldn't be too much of a problem.
I wonder if one could run something like Signal over that, or perhaps even a TOR server. Bandwidth would have to be a little better than acoustic-couplers, I'd expect.

Hm, I wonder.
On the one hand, it'd make sense if intelligence services were still monitoring HAM radio transmissions. Just to make sure spies can't just radio home.
On the other hand, it'd make equal sense if intelligence was no longer monitoring HAM radio. Obviously, no spy would dare radio home where everyone can listen in, and encrypted email is just so much cheaper and easier.

With the internets going on. A curious situation exists.
On the one hand, it has never been easier for people to educate themselves about the subject, find and acquire equipment, get into it.
On the other hand, it probably never seemed more old fashioned and obsolete.

Off topic...

Show

I don't think it's enough to hang a TV show off on. But maybe a subplot for an episode of a political drama. Maybe the humorous thing happening in the background of a few episodes, the oldtimer intelligence vet and the millennial neophyte arguing about it. The millennial all excited about this strange new thing he found out about, and the oldtimer trying to shut it down because it was obsolete when he was new to the game himself. Either of them getting fired over it in a season finale.

[Jaeger]

I know it isn't secure, but I've started down the path of HAM radio. It's interesting stuff.

I don't have a transmitter, but someone did give me what appears to be a '60s-era broad-band receiver, tubes and all. Let me know where I can find you and when you're transmitting and I'll try to tune you in!

--Jaeger

[DerGolgo]

I don't have a transmitter, but someone did give me what appears to be a '60s-era broad-band receiver, tubes and all. Let me know where I can find you and when you're transmitting and I'll try to tune you in!

--Jaeger

[Jaeger]

Let's see if your spiffy new website can handle this attachment when I just click and drag it in...

RADIO GAGA.jpg

Well, fuck me. Ok, I like the new setup!

--Jaeger

[DerGolgo]

Let's see if your spiffy new website can handle this attachment when I just click and drag it in...

RADIO GAGA.jpg

Well, fuck me. Ok, I like the new setup!

--Jaeger

I confess, that sort of functionality hadn't even occurred to me.
And yet, I made it work! I impress myself!

[red]

I know it isn't secure, but I've started down the path of HAM radio. It's interesting stuff.

Hm, I wonder.
On the one hand, it'd make sense if intelligence services were still monitoring HAM radio transmissions. Just to make sure spies can't just radio home.
On the other hand, it'd make equal sense if intelligence was no longer monitoring HAM radio. Obviously, no spy would dare radio home where everyone can listen in, and encrypted email is just so much cheaper and easier.

Numbers Stations are still in use from various intelligence agencies from all over the world. I've managed to catch a few. They are pretty much impossible to crack since they typically use one time pads.

[DerGolgo]

Numbers Stations are still in use from various intelligence agencies from all over the world. I've managed to catch a few. They are pretty much impossible to crack since they typically use one time pads.

Oh man, I hadn't even thought of those!

I know (I think) that listening to those is actually illegal in the UK. I can't find whether it's legal here in Potato. But I wonder. Suppose someone just turns the frequency dial on his receiver, finds a signal. Hears the musical numbers they sometimes play. How would that person know he is doing the illegal stuff?

I wonder. In the 1980s, Warsaw Pact intelligence already used burst transmitters to shove compressed messages down a phoneline, it'd apparently just be a buzzing sound. Dunno whether that was analog or digital.
But. If anyone, anywhere, is still broadcasting analog. Wouldn't it make sense to hide encrypted digital signals in the noise? I'm sure it should be feasible, technologically. Finding the signal in the noise would be tricky, so probably low bandwidth (lower than anything in the audible spectrum would be in the first place). If they made the signal easy to distinguish, electronically, so that it only sounds like noise but does look like signal on an oscilloscope, they would be easy to find.

Hm. Is there an encryption equivalent to Nyquist–Shannon (or Shannon-Nyquist, if you will)? Minimum bandwidth/package size required to encrypt a message of size x with key-length y?

[mtne]

Educational as to why secure communications are important.

https://www.youtube.com/watch?v=ZB8ODpw ... B8ODpw_om8

[red]

Educational as to why secure communications are important.

https://www.youtube.com/watch?v=ZB8ODpw ... B8ODpw_om8

Good stuff! I"m currently working in creating a TAILS USB Stick to play around with. For some fun YouTube content, check out
Modern Rogue: https://www.youtube.com/channel/UC42Vso ... iXZSsD6eGg

[mtne]

Guessing a few folx here follow LPL, Devient, modern rogue, and some devcon or sec con or b-sides lecture stuff....... good rabbit holes.

[red]

Guessing a few folx here follow LPL, Devient, modern rogue, and some devcon or sec con or b-sides lecture stuff....... good rabbit holes.

I've been cherry picking from Modern Rogue's channel, I'll check out the others as well. Nothing like the growing tide of oppression to rekindle shadowy cyber fun.

Janky old laptop, check!
Bootable Linux jump drive, check!
Burner phone with SIgnal, check! (not really, not yet)

But, sometimes the old tricks are the best. Can't let the tech overshadow fun stuff like dead drops, one-time pads and etc.

[DerGolgo]

The youtubes recommended this video to me, which describes what appears to be a Cuban numbers station.
He mentions a piece of software, "Dig TRX" if I understood correctly, which the numbers station in question appears to use to convert text into a digital signal in the audible frequency range that they blast out along with their numbers.

[media]https://www.youtube.com/watch?v=LSQ8WYTytW0[/media]

[red]

The youtubes recommended this video to me, which describes what appears to be a Cuban numbers station.
He mentions a piece of software, "Dig TRX" if I understood correctly, which the numbers station in question appears to use to convert text into a digital signal in the audible frequency range that they blast out along with their numbers.

[media]https://www.youtube.com/watch?v=LSQ8WYTytW0[/media]

I have a few audio files that I managed to capture while listening to a web SDR. Is there a way to upload them to the board?

[DerGolgo]

I have a few audio files that I managed to capture while listening to a web SDR. Is there a way to upload them to the board?

Sorry. Hosting media is really not a feature of the board software.
Youtube maybe? Or Google Drive?