File 142181423996.jpg - (118.40KB , 1024x881 , CAST-NASDAQ-halt-red-phone1.jpg )
6973 No. 6973 ID: cbf3af
'Sup Opchan.

I promised this thread when we lost the battle against HR4681. Since that time the authorities, all the way down to your local cops, now have unfettered access to the NSA's illegal datamuhbase of your telephone and online communications. Peachy, huh?

While you may think you have nothing to hide, the point isn't that systems like these are used against ne'erdowells. Rather, when given a list of every phonecall someone has ever made, or every website they've ever visited, it becomes exceedingly easy to paint an innocent person to be guilty of something. Such power is historically used to hammer down any nails that stick up, and just because you aren't important enough to fuck over right now, doesn't mean they won't do something in the future you'll have a mind to speak up about.

So what is the solution? How about AGGRESSIVE PRIVACY.

The NSA's datamining efforts focus on three vectors: Telephone communication, websites you visit, and online communications like emails and IMs. Let's break their toys one by one.

Telephone comms are the hardest, due to issues of both technical ability (you know how to operate a SIM cloner? Me either.) and convenience. If you're encrypting your phone traffic, the poor bastard on the other end of the line has to be able to decrypt it, or your conversation ain't gonna be going anywhere. Looking at the simplest approaches to the problem led me to one particular app:

Redphone. https://ssd.eff.org/en/module/how-use-redphone-android

It's free, runs on any Android phone, works over WiFi or your data link so it doesn't eat your normal minutes, and does a pretty good job.

After registering your number, when you use Redphone it will bring up a truncated Contacts list showing only other people in your contacts who also have Redphone. Press the call button and you will have a (admittedly slightly low quality - sounds like you both have wind in the background or are using shitty PC mics to Skype) secure and encrypted telephone call. Plan your assassinations of important terrorist leaders in total secrecy.

Redphone uses the ZRTP encryption protocol designed specifically to encrypt VOIP traffic, and nothing short of a dedicated NSA operation can really break it.

They can still track you via the GPS in your phone, but it's a start.

https://en.wikipedia.org/wiki/ZRTP
>> No. 6974 ID: cbf3af
File 142181514564.jpg - (59.21KB , 500x393 , k117237_war on guns and drugs.jpg )
Next up we're going to look at securing your Internet traffic. There are a few ways to do this, with the most famous free variant being good old TOR.

So it's too fucking bad that the US government owns about a third of all the TOR exit nodes in the USA. CP dealers and the early Silk Road were too tempting a target to resist, and the government decided a few years ago that allowing TOR to remain secure was too big a risk to permit. As rough as it is, they CAN and DO follow back TOR traffic across the network to track down people sharing information. TOR is out.

Our next best option is a VPN, or Virtual Private Network. https://en.wikipedia.org/wiki/Virtual_private_network

A VPN works a lot like TOR, but the network infrastructure is privately owned. If you pick one in a foreign country that isn't real keen on the NSA, you can be pretty sure they won't be in there nosing around in your traffic. For our purposes we want a free VPN, because we're all fucking brokeass chanfags. Meet Autistici.

https://www.autistici.org/en/get_service.html

A/I is an online support club for political dissidents the world over. They offer a variety of free services including anonymous email and a pretty decent VPN. Click the link and sign up for the free mailbox. The service includes access to their VPN. You'll need to wait a day or three for a response and give a convincing reason for needing their service.

Once you get your login information, configure your VPN according to their instructions. The access speed isn't too shabby - better than dialup and on par or better than TOR over a broadband connection. You can also post on chansites with it, unlike TOR.

Using the A/I VPN will secure your email, skype, IM, and other web traffic. That takes care of the bulk of your NSA worries.

Lastly we come to your home filesystem on your computer. Not much point in encrypting the traffic if they can come in and just gank your shit.
>> No. 6975 ID: cbf3af
File 142181718589.jpg - (20.65KB , 400x400 , 13300721122.jpg )
Ever thought about encrypting your hard drive?

No, I mean actually encrypting it. Not with "Microsoft Windoze Dick Encryptor.exe.OMGWTF" or the other kindergarten level "privacy" schemes that come packaged with most OSes.

Probably looked like too much of a pain in the ass, huh? Well lemme help you.

Most preinstalled "major name" disk encryption systems suffer from the greatest vulnerability of them all: Lack of absolute user control. Given what we know about PRISM and the like, you CAN NOT guarantee that the encryption keys you enter into your mainstream OS protection aren't being covertly held by the manufacturer for use by the state. In fact there is an excellent chance that they are. But if you look at third party solutions, there are so many to choose from it is overwhelming to try and decide who you can trust.

After some fairly extensive research I found the best way to pick a winner was to find out which one the government flat out hated the most. Looking into that, one name flew right to the top of the list: Truecrypt.

Since it came out years ago, more legal cases have been lost for want of encrypted evidence due to Truecrypt than any other disk encryption software. The CIA couldn't break it in 2002. The FBI couldn't break it in 2004, 2006, or 2009. It set a Supreme Court precedent that a person can not be forced to give up their encryption keys: The FBI wanted one poor asshole so bad they took him clear to the SCOTUS and got nowhere. The algorithm it uses is the same fucking one approved by the NSA itself for securing Top Secret data on their own shit.

There are two problems with Truecrypt: One is a major vulnerability discovered a couple years ago and the other is the fact that it no longer exists. Right about the time the surveillance state was ramping through the roof here in the US, Truecrypt mysteriously went out of business. There is a "current" version 7.1 out, but it actually won't let you encrypt anything - it serves only as a decryption tool for old TC encrypted files.

I went to the trouble of tracking down the last stable versions of the real, working Truecrypt. The file contains both the Linux .deb package and its FUSE-UTILS dependency as well as the Windows XPSP2/7/8 installer .exe. You're welcome.

http://www.operatorchan.org/z/src/Crypt.zip

Now we need to concern ourselves with that vulnerability problem. See, some Russian hackers discovered that if the encrypted space was accessible at the time the system was shut off, then the encryption keys were still stored in the active RAM image and could be recovered with some wizardry. If the Feds kick your door in at 2am and you leap out of bed and yank the power cable out of your PC, they could still access your shit with a special bootloader on startup. Bad juju. Fortunately also very easy to fix.

To use Truecrypt, you install and run it. There will be an option to "Create a Volume." This is the one you want - the other option, to encrypt the whole disk, is the most susceptible to that exploit since the keys will ALWAYS be in memory if the system is on.

When you select Create a Volume you will be asked to specify where to stick the file and how big the file should be. For the latter think of it like a mini-hard drive you're making - set it as big as all the shit you ever think you'll want to encrypt - make it like 500mb if you have the space. Put it right on your desktop and name it something like "Darkness of Enigma" for fun.

After asking what kind of Encryption you want (default AES is fine, but AES/Twofish is better still) it will ask you for a password: PICK A GOOD ONE. Remember, the way crackers work nowadays, a long, easily remembered sentence with a punctuation at the end is better than a forgettable string of Wharrgarbl. "Operatorsoperateoperationallyinoperations!!!" would take longer to crack than "Xdg3YY7imeg#". Pick your password well.

Next it will have you wiggle your mouse around to generate some randomness. Do this for like a minute, and click next. It will encrypt that volume of space and generate the "Darkness of Enigma" file on your desktop. You now have an encrypted file to put stuff in.

In order to USE that file, next you need to MOUNT it. Which is retard easy. Go to the Truecrypt main menu and click the Mount Volume button. Select your DoE file and it will ask for that password you set. Type it in and hit return.

BAM! Now you will get a new icon on your desktop: The actual encrypted folder itself will be mounted just like a USB drive. You can copy, paste, drag and drop, anything you like. When you're done with it, right click the icon for the encrypted "drive" and unmount it, or unmount it through the Truecrypt main menu.

The last thing to do is to beat that vulnerability for good. And this comes from imposing ONE GOOD USER PRACTICE on yourself:

ALWAYS mount that encrypted volume ONLY WHEN YOU ARE ACTUALLY GOING TO USE IT.

and ALWAYS UNMOUNT IT AS SOON AS YOU FINISH EACH TASK!

If you unmount the drive manually before shutting the computer off, it will purge the keys from the memory and Truecrypt will remain as unbreakable as you could possibly want. If you aren't a lazy faggot who decrypts his file on login and never unmounts it, you can keep that hitlist of terrorist leaders safe from the prying eyes of even the Pentagon.

All this assumes you're using a system that is independently secured in some way. A good Linux distro is your best bet since it is less vulnerable to the billion keyloggers floating around out there. If you must use Windows, then keep it religiously clean of viruses, don't open odd attachments or use unknown thumb drives you yourself did not purchase.

Enjoy, and happy browsing.
>> No. 6976 ID: d4df2e
File 14218247315.jpg - (65.37KB , 854x580 , Cell_Phone_-_Verizon_Tracking.jpg )
Security is a process; not a product.

>>6973
>it becomes exceedingly easy to paint an innocent person to be guilty of something
"Find me the man, and I'll find the crime." - Lavrenti Beria
Useful quotation if you want to get people's attention.

>WiFi
Heads up: shit probably isn't secure. More so than just "lol WEP". Honestly, it's better not to have a phone if possible. Oh well, have this link:
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

>in total secrecy
Wrong. Do not trust your phone. It is probably backdoored already. There are a shitton of 0-days and built in backdoors for most phone OSs. Now think how much manpower the NSA has... yeah. Do not converse about such things. Never on or near non-FOSS, unaudited, relatively uncontrollable hardware. Especially if it is networked.

>nothing short of a dedicated NSA operation can really break it
Except a poor implementation of the code or PRNG or side-channel attack or an OS vuln or...

Seriously, there is something very important to know about this stuff... I can only think of one solitary thing that is actually "bulletproof". OTP with truly random numbers. That's it. Once you start taking any shortcuts, using computers, or repeat stuff, you sacrifice a significant amount of security. Start reading up on vulnerabilities and start realizing that there's more to this than just crypto algos.

>They can still track you via the GPS in your phone
Don't forget that passive cell tower data is monitored/stored by the NSA. They can and do use it to track your movements via triangulation and see who your potential cohorts are. I thought I covered this shit in another thread.

>>6974
>TOR is out.
Potentially. In some slides, they said that Tor is a thorn in their side. Could be misinformation or a limited hangout. Stay on your toes.

>If you pick one in a foreign country that isn't real keen on the NSA, you can be pretty sure they won't be in there nosing around in your traffic.
WTF? NO! No. Stop. That's where they attempt to break in the most. Using a VPN is tossing all of your trust on a single fail point. Did you not see the slides posted on Der Spiegel and the subsequent conversations afterwards? Remember the issue people had/still have with CAs and SSL/TLS certs? Yeah, centralized infrastructures are the low hanging fruit in front of the NSA. They often have logging requirements and they are often under gag orders or are required to install pipes directly from their server rooms to the spooks' offices. All of the incriminating evidence is in one spot. No, no, no, no, no. Stop that shit. VPNs are only good for non-state level adversaries.

>Using the A/I VPN will secure your email, skype, IM, and other web traffic. That takes care of the bulk of your NSA worries.
>email
Very wrong. Email is not secure. It is only as secure as when all parties involved practice good security. This means all servers and MTAs between you, the mail server you use, the servers and MTAs in between your friend, and your friend. If your friend opens the email in a webmail client and has his gpg key uploaded to it because he's lazy or some shit, or has browser vulns and uses x.509 certs or some shit in the browser, consider your message read.

Just the fact that the headers are public is incriminating enough.

Once again, there is WAY more to security than just all of this.

>skype
Don't use this shit. Unaudited proprietary direct feed to the NSA. Stop that shit.

>IM
Use OTR and don't use libpurple. Shit has more bugs than a coked out hooker with the sniffles.

>web traffic
At least use HTTPS Everywhere, noscript, request policy, and refcontrol. Also, tweak your browser settings to disallow shit crypto standards that are known to be flawed.

>>6975
>You're welcome.
>no sigs
>no hashes
Come on, man.

Here's an alternative:
https://veracrypt.codeplex.com/

Also, there is a project called CypherShed which aims to do the same thing.

If you're on Loonix, use dm-crypt/LUKS. If you're on FreeBDSM, use GELI. If you're on OpenButtSexDaily, use softraid, IIRC.

And just a heads up, Bruce Schneier uses PGP disk crypt, IIRC.

Related:
http://istruecryptauditedyet.com/

>If you unmount the drive manually before shutting the computer off, it will purge the keys from the memory and Truecrypt will remain as unbreakable as you could possibly want. If you aren't a lazy faggot who decrypts his file on login and never unmounts it, you can keep that hitlist of terrorist leaders safe from the prying eyes of even the Pentagon.
>All this assumes you're using a system that is independently secured in some way. A good Linux distro is your best bet since it is less vulnerable to the billion keyloggers floating around out there. If you must use windows, then keep it religiously clean of viruses, don't open odd attachments or use unknown thumb drives you yourself did not purchase.
This.

I know it sounds like I hate your guide, but I want people to know that there's more to it than just "download software... yay privacy!" There's stuff that needs to be corrected and people need to be aware of the dangers that they might miss.

Please point out anything I missed or got wrong. Assuming I have time, I'll ack the mistake or slap your shit for being wrong. Either way, let us learn and do better in security.

And remember... once again...

Security is a process; not a product.
>> No. 6977 ID: cbf3af
>>6976

Only one problem I see:

You failed epically at Ease of Use on almost every point. Seriously who will realistically go without a phone? And A/I is used by Syrian dissidents among many others. They don't hand that shit out easy, it would get people literally beheaded. TOR is compromised, they just save the effort of getting into it for the biggest fish.
>> No. 6978 ID: b5332d
If you have any sensitive information of the kind that would make the NSA want to black bag you, on a computer connected to a public network, you're doing it wrong.

Also, if they do black bag you, rubber hose cryptography will prove quite effective against all known forms of encryption.

Fuck, if any of the three letter agencies even know you're up to something to the point where they want to look, then you done fucked up.
>> No. 6979 ID: 5b9651
>If you have any sensitive information of the kind that would make the NSA want to black bag you, on a computer connected to a public network, you're doing it wrong.

Problem is the definition of

>information of the kind that would make the NSA want to black bag you

is changing, becoming broader and more widely construed, and indeed beginning to overlap with things that a lot of us take for granted as normal. Our lawmaking process is supposed to prevent this, but the gubmint has learned that it can ignore the protestations and do what it wants anyway without repercussion.

You might not NEED this stuff today, but in the direction we're going you will sooner or later. Things you "have no reason to hide" now might cost you dearly when the rules change tomorrow.
>> No. 6980 ID: 2a1391
While I wholeheartedly agree that we should all take preventative action against overreaching surveillance, one thing that always eats away in the back of my mind whenever I consider going ham and encrypting everything is that, surely, what with PRISM having existed since 2007 and only coming to the public eye 6 years later, we all likely have a mile-long record with at least SOMETHING that can be construed as "incriminating". At that point, it almost feels like a futile effort from an individualistic standpoint if the idea is to protect our own privacy and prevent the NSA from building up a record on us, and from a group standpoint (since the majority of the population can't be bothered to do half of this shit) if the idea is to hinder and spite the NSA.
>> No. 6984 ID: cf0859
  >>6978
>If you have any sensitive information of the kind that would make the NSA want to black bag you, on a computer connected to a public network, you're doing it wrong.

Sensitive information can mean a lot in a world where dialing the wrong number or being the friend/relative of someone on the government's radar can get you a running file and dossier on the NSA's hard drives.

We're not even getting into "slippery slope" territory shit here, either. Then again, when the BATFE can claim you having M16 diagrams and owning an AR15 means you're conspiring to construct illegal machine guns despite no evidence for this, we don't have to imagine what the government will be willing to try.

As Acid Man said, the adage "you have nothing to fear if you have nothing to hide" is no longer applicable (although even if it were true, it's still a bullshit argument to use when your rights are being trampled). Everyone has something to hide. Somewhere. Maybe your secrets aren't as damning as the guy that actually is part of a terrorist sleeper cell, but that doesn't mean it can't be used against you at some point.
>> No. 6986 ID: 7fcde8
I find it hilarious that you immediately head for out-of-the-US sources for data security due to government surveillance, when going OCONUS specifically opens you up to warrantless surveillance
>> No. 6988 ID: cbf3af
>>6986

Sad isn't it? Being IN the US still means you're permitted for surveillance under HR4681, only the NSA has easier access to the infrastructure that lets them physically do it.
>> No. 6989 ID: 64c109
Dropping some links for knowledge.

Cryptome
http://cryptome.org/
This is your granddaddy's leak site. Heavily disorganized, but has close to fifteen years of technical papers, manuals, and other cryptographic resources on hand if you don't mind rooting around in your favorite search engine a while.

Telecomix Blue Cabinet
https://bluecabinet.info/wiki/Main_Page
Compilation of surveillance and crypto info; not that well organized.

Bugged Planet
http://buggedplanet.info/index.php?title=Main_Page
Compilation of technical surveillance info; provides breakdown by company and country.

Green Bay Professional Packet Radio's Homebrew Projects
http://www.qsl.net/n9zia/
http://72.52.208.92/~gbpprorg/mil/
Similar to the NSA Playset listed below, attempts at making homebrew COMSEC solutions. Lots of schematics, instructions and link dumps for the engineer in you.

NSA Playset
http://www.nsaplayset.org/
Open source attempts at replicating equipment described in the ANT Catalog or devising countermeasures.

Project PM Wiki
http://echelon2.org/wiki/Main_Page
Founded by the soon-to-be imprisoned Barrett Brown, this site specializes in cataloging the activities of private intelligence companies and goes over some areas of crypto.

Wikileaks' Spy Files 1-4
https://wikileaks.org/spyfiles4/index.html
While I personally have a distaste for their grandstanding, I appreciate Wikileaks' thoroughness. More information on tech vendors; sales sheets, training videos, satisfaction surveys.
>> No. 6993 ID: e02c14
File TrueCrypt_Setup_7_1a.zip - (2.66MB , TrueCrypt Setup 7_1a.zip )
>>6975
Few notes about Truecrypt. Version 7.2 is the bullshit decrypt only version. 7.1a is the last real version. (AFAIK)

Attached is the version I'm using. Verify the exe however you feel is appropriate before running it.

I just went through the process of truecrypting my lappy and desktop computer. Not really to keep the 3 letter agencies out, but for the more likely threat of some motherhumper stealing my laptop from the hotel while I go be a productive American and work.

That said, I'm not as worried about keys being stored in RAM, so I type my password in once at the bootloader, then auto-mount favorite drives. Modern motherboards have AES en/decryption hardware accelerated, so it's no performance hit.

The other detail I've had to deal with was installing it on Windows 8.1 which uses GPT partitioned disks. Truecrypt only supports MBR partitioned disks. This only applies if you're doing the full disk encryption, shouldn't matter for Acid's encrypted containers.

The solution was to back up the partitions, delete all the partitions, convert the disk to MBR, then use Ubuntu and "DD" to copy the partition back over. Then it was a matter of using a Windows 8.1 disk and the recovery console, rebuilding the boot sector, and rebuilding the MBR.

Rather than back up the partitions, I bought a new SSD (for the OS) and had another HDD for mass storage.

Piece of cake!
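The GPT/MBR limitation described in the post above can be checked before any conversion work by reading the first two sectors of the disk. This is an added example, not part of the post and not TrueCrypt code; it assumes 512-byte logical sectors, and the function names and sample images are constructed for illustration.

```python
import struct

SECTOR = 512                   # assumption: 512-byte logical sectors
GPT_SIGNATURE = b"EFI PART"    # first 8 bytes of the GPT header at LBA 1
PROTECTIVE_TYPE = 0xEE         # MBR partition type that marks a GPT disk


def parse_mbr_entries(sector0):
    """Return the non-empty primary partition entries of an MBR sector."""
    entries = []
    for i in range(4):
        offset = 446 + 16 * i
        # Layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, offset)
        if ptype != 0x00:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def partition_scheme(image):
    """Classify the first two sectors of a disk: 'mbr', 'gpt', 'hybrid' or 'unknown'."""
    if len(image) < 2 * SECTOR or image[510:512] != b"\x55\xaa":
        return "unknown"
    types = [e["type"] for e in parse_mbr_entries(image[:SECTOR])]
    has_gpt_header = image[SECTOR:SECTOR + 8] == GPT_SIGNATURE
    if PROTECTIVE_TYPE in types:
        if not has_gpt_header:
            return "unknown"          # protective entry without a GPT header
        return "gpt" if types == [PROTECTIVE_TYPE] else "hybrid"
    # No protective entry: a GPT header left at LBA 1 after a conversion is ignored
    return "mbr" if types else "unknown"


def read_scheme(path):
    """Read only the first two sectors of a device or image file and classify them."""
    with open(path, "rb") as disk:
        return partition_scheme(disk.read(2 * SECTOR))


def build_mbr_sector(entries):
    """Build a constructed MBR sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, status, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed sample images (two sectors each), not taken from a real disk.
SAMPLE_MBR = build_mbr_sector([(0x80, 0x07, 2048, 204800)]) + bytes(SECTOR)
SAMPLE_GPT = (build_mbr_sector([(0x00, 0xEE, 1, 0xFFFFFFFF)])
              + GPT_SIGNATURE + bytes(SECTOR - 8))
# A disk converted to MBR whose old GPT header was never wiped from LBA 1.
SAMPLE_CONVERTED = SAMPLE_MBR[:SECTOR] + SAMPLE_GPT[SECTOR:]

if __name__ == "__main__":
    for name, image in [("mbr sample", SAMPLE_MBR), ("gpt sample", SAMPLE_GPT),
                        ("converted sample", SAMPLE_CONVERTED)]:
        print(name, "->", partition_scheme(image))
```

`read_scheme` only reads; pointing it at a raw device rather than an image file needs administrator rights.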
>> No. 6994 ID: e02c14
File 142220740466.png - (13.60KB , 500x500 , logo.png )
>>6993
Here's a little bit about other full disk encryption options that I looked at. I'm no computer security expert, but this is sort of a high level overview from what I remember.

Truecrypt 7.1a - Last real version. (AFAIK) Open source, different encryption options (AES Twofish Serpent), option to encrypt containers, partitions, or whole disks. Encrypts free space too. Takes ~16 hours to do 1 TB on a HDD. Works fine with SSDs, HDDs, external HDDs, and USB sticks. Works on Windows and Linux operating systems. (So if you dual boot, you can still get into your shit.) Uses its own bootloader for full disk encryption, so I don't know how that works with your GRUB windows/linux/mac loader.

* Does not work on GPT partitioned drives, as mentioned above. Windows 8, I believe, is GPT partitioned by default. Also there's the detail that it was developed by some anon, who seems to have been partyvan'ed.

Truecrypt 7.2 - Bullshit decrypt only version. (Do not use!)

Cyphershed - The spiritual successor to TC with a stupid name. Last I checked, they're 2 weeks away from a release, 5 months ago. Developed by some Swiss fuckers, or something like that.

http://www.truecrypt.ch
https://ciphershed.org/

Symantec PGP Encryption - Closed source, costs money, my work laptop is going to this. Seems ok. Except that it's closed source, so there's no way to know if it's backdoored, and Symantec is shit. (Their anti-virus program drags my work laptop down to Pentium 1 windows 98 emulating a playstation 1 kind of load times.)

Microsoft Bitlocker - Windows 7+ (Ultimate editions) Requires a TPM (Trusted Platform Module) chip on your mobo. Also keyed to your hardware combinations. Swap out some hardware, computer no decrypt. M$ swears there's no backdoors in it. Works on MBR and GPT partitioned drives. Supposedly works well, except that M$'s licensing will probably fuck you at some point.

I think it's funny that I'd trust an open source program from some anon, over a security company's product and the guys who designed the operating system I use.
>> No. 6995 ID: d4df2e
File 142224384048.jpg - (52.45KB , 500x502 , 1421424355524.jpg )
>>6977
>Seriously who will realistically go without a phone?
I would if my job would let me.

I so fucking would.

>TOR is compromised
[citation needed]

>>6979
>>6984
These. Very well put.

>>6980
AFAIK, your only hope is statutes of limitations. Sorry, brah.

>>6988
Which is why a distributed network is a much better option, IMO.

>>6989
Cryptome is excellent. You can learn some seriously interesting stuff. But then again, with any leak, I have to question if they're limited hangouts or not.

>>6993
>Attached is the version I'm using. Verify the exe however you feel is appropriate before running it.
Does no one have the signature or hash for this?
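The hash check asked for here and in >>6976 looks like this once a digest list has been published. This is an added example, not part of any post; the file name, payload and manifest are constructed, and the manifest is assumed to use the `sha256sum` line format.

```python
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex> <mode><name>', mode ' ' or '*'."""
    expected = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        digest, mode, name = digest.lower(), rest[:1], rest[1:]
        if (len(digest) != 64 or not set(digest) <= HEX_DIGITS
                or mode not in (" ", "*") or not name):
            raise ValueError("malformed manifest line %d" % number)
        expected[name] = digest
    return expected


def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch', or 'not-listed' for the file at path."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"      # no published digest: nothing was verified
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Run the check on constructed files: intact, tampered, and unlisted."""
    with tempfile.TemporaryDirectory() as folder:
        payload = b"constructed sample installer bytes\n"
        path = os.path.join(folder, "installer-sample.bin")
        with open(path, "wb") as handle:
            handle.write(payload)
        # Constructed manifest; a real one comes from the publisher.
        manifest = "# constructed manifest\n%s *installer-sample.bin\n" % (
            hashlib.sha256(payload).hexdigest())
        intact = verify_download(path, manifest)
        with open(path, "ab") as handle:
            handle.write(b"\x00")            # a single appended byte
        tampered = verify_download(path, manifest)
        other = os.path.join(folder, "other.bin")
        with open(other, "wb") as handle:
            handle.write(payload)
        unlisted = verify_download(other, manifest)
    return intact, tampered, unlisted


if __name__ == "__main__":
    print(demo())
```

A matching digest only shows the file equals what the digest's publisher hashed, so the digest has to come from a channel other than the one that served the file; a detached signature checked against a key obtained independently covers origin as well.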
>> No. 6996 ID: 8e6484
>>6995
>TOR is compromised

>[citation needed]


>The Tor Project Still Doesn't Know How Authorities Compromised Its Anonymity

>Nearly a week after government officials seized hundreds of Tor hidden services, the Tor Project is still unsure as to how the takedown was accomplished.

>Tor is an open source privacy network that encrypts messages through multiple network nodes. It’s supposed to keep users’ identities and locations discreet, but that has been called into question after Operation Onymous, a successful Europol effort that apparently infiltrated Tor and led to the arrests of 17 people operating vice-related sites on the network.

>In a Sunday blog post, Tor volunteers noted they were “as surprised as most” to hear about the seizures and were continuing to assess the damage after Europol seized hundreds of URLs hosted on about 27 websites, including the black market site Silk Road 2.0:

http://readwrite.com/2014/11/11/tor-privacy-post-takedown-vulnerability

>Tor anonymity service compromised by unknown attackers

>Tor's creators say that they hope the unknown attackers are security researchers - rather than government agents

>The Tor network, an anonymising service used by privacy conscious internet users from law enforcement to criminals, admitted yesterday that the identity of its users may have been identified by government-funded researchers.

>In a 'security advisory' blog post the team responsible for maintaining Tor warned that anyone who used the network between 30 January 2014 and 4 July “should assume they were affected”, adding that it was “likely” the attack was connected to work conducted by two security researchers at Carnegie-Mellon University.

>The pair of researchers had been scheduled to give a paper showing how to identify Tor users at the Black Hat security conference next month, but the talk was cancelled by lawyers working for the university. The Carnegie-Mellon researchers were based in the university’s Software Engineering Institute which is mostly funded by the US Department of Defense.

>The title of the cancelled talk was "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget,” and promised to explain how to crack Tor’s anonymity systems on a budget of $3,000 or less.

http://www.independent.co.uk/life-style/gadgets-and-tech/tor-anonymity-service-compromised-by-unknown-attackers-9639231.html

https://invisibler.com/tor-compromised/
>> No. 6997 ID: 052639
>>6996
I think that was explained as an exploit in a completely different system, namely hushmail
>> No. 7000 ID: d7c33f
>Ever believing Tor is safe