Don’t Let The Talking Heads Lead You

About That National Confusion Regarding Cyber Security…

For my friends, fellow LEOs, investigative reporters, corporate leaders, government agents, Joe and Jane Citizen, and such: please don’t let the “Talking Heads” lead you astray.

This is my “hopefully helpful” look into secure communications, encryption choices and perhaps why you should care about the subject in the first place.

But, right up front, before you become bored and start speed-reading or go somewhere else: If you care about your ‘net security, read this twice: DO NOT allow your browser or other computer or smart-phone program to “remember” your passwords! That is all.

The “Background of today’s modern communications encryption”:

Phil Zimmermann’s “Pretty Good Privacy” became the modern basis for personal encryption capability available to the common citizen, dot-gov, and today’s business. Over time, it sprouted offshoots that provided other choices of communication security for the masses, much to the chagrin of some governments around the world. Historically, governments don’t like people who can keep secrets from them. That goes clear back to when soldiers were wearing sandals and leaders wore their favorite headdress, or crown, to show everyone they were the boss. Or “god”, as the case may have been.

Secure communication is valuable for folks dealing with investigations, other people’s personal information, or other sensitive material.

If you are a LEO, whether city, state, or federal, don’t be the lightning-rod for an expensive lawsuit filed by someone whose investigation information became available to unauthorized third parties. Be professional, and always use best practice!

If you are an employee, don’t be the conduit for valuable corporate information to be stolen by competitors or foreign entities. Some nations make their living stealing other nations’ information. Much less expensive than affording their own R&D. When you open that laptop with connectivity to the corporate server, that “public access”, or other unsecured access point, is your worst enemy. Read that twice also!

And for heaven’s sake, if you are a government employee or public official, use your officially-approved method of securely encrypted communications. Don’t be stupid or arrogant enough to think your communications are not highly desired by our National enemies. It does not matter one bit what the subject of your communication might be. Even if you want to tell your spouse some private family thing, it is a piece of the data our enemies are building about you and our Nation. Don’t be so arrogant as to think your private email or cellphone are secure against our adversaries. Their resources, designed to gain our National information, are way above your ability to even imagine. And even if you are among those rarefied air breathers who have an issued dot-gov secure smart phone similar to the SP4-H, don’t get arrogant or stupid; use only the procedures specified by your department policy. And if your Department Policy “Sux”, simply “use best practice!”

So, hip-pocket training is over; on with the discussion…

A Few Of The Choices Publicly Available For Communication Security:

(There are a lot more, but these are at the leading edge)

* * * * * * * * * *

First, IMHO, The “Gold Standard”: ProtonMail.com.

www.protonmail.com Email encryption, keyboard-to-keyboard, totally on Proton’s below-ground hardened Swiss servers. Or use your desk client if you absolutely insist. The Swiss Top Domain extension, “.CH”, is owned and controlled by Switzerland. A significant technical item for private encryption security, but not for this discussion.

ProtonMail also owns the “dot-com” domain for their “public face”, but on sign-up you choose whether you want to use their dot-com or their dot-ch server domain for your secured email account. The only problem I see with using the dot-ch extension is that your friends or business contacts might be unaware that “.ch” is Switzerland; they might think it’s from China and delete it. Enlighten them beforehand, have them add you to their white list and explain the reason for you using the Swiss domain extension. You can learn more about the reasons for this difference in this short article: http://www.wired.com/2012/03/feds-seize-foreign-sites/

To continue, ProtonMail, “IMHO”, is the “Gold Standard” of the easily usable Email encryption systems presently available to the public. Any administrator managing a valuable operation should require the staff to communicate anything that even remotely involves company business only with secure means. Period!

I understand that ProtonMail was started originally by the CERN Scientists to protect sensitive commo being exchanged between scientists. You know; regarding their daily discussions with the God of the Cosmos. Regarding His secrets they seek. No other existing security program on the planet was sufficient for the level of security these scientists required for their work. But eventually, having to listen to tear-stained, crying requests from friends and other people who found out about their system, the ProtonMail techies finally expanded their server and offered the use of their pride and joy to the public.

A small account is free, the paid account levels start about U.S. $45.00/yr., converted to USD$ from Euro €, and paid ahead by the year. Payable by credit card, PayPal or BitCoin. Don’t know about personal cheques, but doubt it. The paid accounts have several advantages including allowing you to operate encrypted communications right from your own domain. (If you control your own DNS Tables). Which would be, to Top Domain owners, the epitome of saying: “I’ve arrived”.  Or, with a company it would be totally invaluable for protecting intra-inter-corporate communications with proprietary secrets or sensitive contract negotiations, personnel lists, etc. at stake.

The “Proton” name is interesting, perhaps confusing to some, but totally logical since it was chosen by this particular group of CERN scientists. “What does “Proton” mean?” A “Proton” is one of those little sub-atomic particle objects the CERN Scientists work with. The Proton is the theoretical, unseen particle that everyone thinks exists, but cannot really prove it. Kind of like that “Dark Matter” thing. Even with the help of the very best electron microscopes the “Proton” cannot be seen. But for the rest of the atom to exist in its known format, there must be something else in there somewhere, so the unseen mystery component was called a “Proton”. That is what they designed their encrypted communication system hardware and software to imitate: the invisible, can’t-prove-it’s-there, but it must be there somewhere because this is an Email security service; the “Proton Email Message”.

The ProtonMail encrypted screen is very simple, intuitive and quick to use. Just share a password with the recipient so they can open the message. If the receiver wants to reply to your message and retain the encryption of the exchange they just click the button “Reply Encrypted”. The receiver does not have to have a ProtonMail account to reply to your message, even encrypted. The senders and receivers can both set a “self-destruct” time for the message. If it is not opened in a set amount of time it self-destructs.

You can also use the ProtonMail “app” on your smart-phone. If someone steals your phone and tries to guess your passwords (dual passwords for ProtonMail), and they fail (5 times?), you can have your phone App set to wipe the messages from your phone.

I use my ProtonMail entirely on the Proton Server for sensitive consultation messages. I don’t download messages to my own computer. Even though my home system is secured as well as any private system can be, the most secure practice is to maintain messages on the hardened Proton Server. The smart-phone app does maintain the ProtonMail messages internally, protected by the Proton “wipe” feature. Use your secure browser or your ProtonMail phone App with equal confidence.

I joined the full ProtonMail premium account because of doing consulting work for dot-gov folks that involved seriously personal information about other people. That was the only reason I began comparing today’s Email encryption offerings in the first place. Not because I needed the use of my own personal encrypted messages, nor that I needed to spend some more cash on something. I just did not want to be the lightning-rod for an expensive lawsuit when some citizen’s private information, or my report on the person, got cracked by some perp monitoring the folks I might be consulting for.

We have all been interested and amazed at the interesting work CERN does at their day-jobs in the below ground CERN Hadron Collider. That’s where they send speeding atoms crashing into each other in galactic-quality miniature explosions. Each time unraveling another small, or sometimes large, additional secret of the cosmos.

I appreciate being invited to join their Premium Galactic-class Email security circle. By joining the full program I returned the courtesy they extend to all of us. Each premium client helps to support the expensive requirements making their system what it is. And if you have your own TLD, you can use ProtonMail directly with your own mail server!

By the way, if our quaking, shaking USA politicians back in the ‘nineties had not had a serious case of brain damage caused by flunking High School Science, the “LHC” would have been built in the USA. If the boy fox had not stopped to take a look at the girl fox, he might have caught the rabbit. If our politicians had not been intently studying the tight fit of the girls’ jeans during High School science class, we would have had the LHC. “But”, as it turned out, both the rabbit and the LHC got away.

You can meet the very pleasant Proton staff at the www.protonmail.com/about link on their website.

* * * * * * * * * *

www.hushmail.com Excellent choice among commercial encryption programs. Small Hushmail version free, or full program for $35/yr., both are the same security but the paid version adds space and support. Sender and receiver share a key word to encrypt/decrypt. Key word is changeable w/each message, or whenever the sender decides, and tells (“hints”) the receiver. Operates on Hushmail servers (dot-com, based in Canada). Participants can either use browser therefore leaving messages safely on Hush Servers, or use their eMail desk clients and keep messages on their own computer. HushMail is an excellent service for a very decent price, and the Customer service is quick, pleasant, and informative. The honest person can’t go wrong with Hushmail. If you want more information than their public-face page provides, try this technical link: http://www.wired.com/2007/11/encrypted-e-mai/

* * * * * * * * * *

https://www.symantec.com/products/information-protection/encryption This is Phil’s original PGP, now owned by Symantec, obtained and updated after some disasters under prior owners, after Phil sold it. One of the prior owners stopped publishing the source code and suddenly nobody wanted PGP. (Read that twice, you who want a back-door in USA encryption programs!). After Symantec obtained the code and opened it for peer review they had a valuable product. If Symantec has to provide a backdoor, their PGP security will suddenly not be needed by knowledgeable customers either.

* * * * * * * * * * * * * * *

www.code42.com Enterprise-level Client Security. (Business orientation).

* * * * * * * * * *

https://telegram.org/faq#secret-chats device-to-device, apps required, self-destruct messages, text, voice, photo-video. Both the sender and the receiver need the “App”.

* * * * * * * * * *

https://www.silentcircle.com/ Since Phil Zimmermann started this rat-race a long time ago with his PGP, and I was enthusiastic using that new toy, we’ll take a look at his present offering. And, as usual with Phil, he offers the “whole tamale”.

Silent Circle is Phil’s present main security endeavor. He has had it going for some time now and it is based, with its servers, in Canada (you will read about “why” later). His own encryption system is on the unlocked “Blackphone” he sells for eight hundred bucks. And before you gasp too badly, click the link above and read what Phil provides with the Blackphone-2. It’s a gorilla of a piece. The phone arrives “unlocked” and can be used with the carrier of your choice. Or, what the heck, ignore carriers; it can go strictly WiFi and save that hundred-fifty bucks a month! If you are conscious of protecting your sensitive communication this would be on your very-very short list before buying or distributing top-employee cell phones. (*And, “my two-cents”, take note you employers who don’t conduct thorough background checks of employees: How ridiculous did the terrorist California murderers make San Bernardino look? Real nice of politicians to provide an expensive company iPhone for foreign terrorist murderers.)

* * * * * * * * * *

www.dochalo.com Medical Community system, patient security, HIPAA compliant.

* * * * * * * * * *

http://www.howtogeek.com/226535/how-and-why-to-encrypt-your-text-messages/ (just some interesting info in these two links).

http://www.gizmag.com/secure-text-messaging-phone-clients-comparison-ios-and-android/34000/

* * * * * * * * * *

https://wickr.com/ Free and enterprise level cellphone/computer encryption. I loaded this onto a laptop and the first thing it wanted to do was import all the addresses from my various email clients and accounts. I passed up that option, and later could find no way to manually enter an email address into a message. Is it basically just an address collector? Or did I miss something trying to make it work? Unknown. “Deleted”.

* * * * * * * * * *

http://smssecure.org/ Encrypted text, open source, joined at the hip with WhatsApp. WhatsApp and facebook are of course data collection schemas, spider-webbed with everything else they can catch. I didn’t load this program for evaluation.

* * * * * * * * * *

https://whispersystems.org/ Also furnishes crypto code to other apps. Not marketing supported. Similar to PGP; you exchange a 72-digit numeric code with those you want to communicate securely with. Reputed to be secure and non-marketing, but their means of support is not readily obvious. Maybe I just didn’t look closely enough. I didn’t load this but it should work well. The only drag I see is having to scan the other person’s numeric code into your cell phone. Probably no worse than exchanging a key word though.

* * * * * * * * * *

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en Open Whisper. Of course, Google is a data collector. Anything it can find out about you is fair game. Anything you transmit over an open medium such as WiFi etc. is fair game. Check out other similar information at locations such as https://privacysos.org. Of course, Google is just one of the entities monitoring everything that flows around the planet. Hey, it’s just business and free enterprise, don’t get excited. “BTW”, in defense of Google’s Email security: Once I got a Gmail message at my “other” email account, telling me that someone from Asia tried to check into my Gmail but Google blocked the attempt. “We know you are not in Asia, so we blocked them. It would be a good idea for you to change your password!” I was surprised (and quite pleased) at Gmail’s actions supporting Email security. And for letting me know what had happened.

* * * * * * * * * *

https://www.samsungknox.com/en Samsung KNOX (As in “Fort Knox”) device security, encryption, device-to-device, enabled by the device itself. Check their website for the Samsung cellphone models that have the security chip either already installed or installable after-market if you already have a Samsung. Also be sure to check out the user comments available in the various review forums. Use your “Google-esque” skills, Google will help you find out what you want to learn about this technology. 🙂

* * * * * * * * * *

https://gli.ph/ Based in the Philippines, communications security across platforms, free and paid versions, accepts bitcoin. I did not look into them beyond their front page. But I’d want to know who they were if I was going to transmit any expensive info with them. Just the suspicious thing in my personality. You know “suspicious”; it’s a cop thing.

* * * * * * * * * *

http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/?_r=0

* * * * * * * * * *

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en

* * * * * * * * * *

http://www.wired.com/2015/03/iphone-app-encrypted-voice-texts/

* * * * * * * * * *

http://www.apple.com/ Encryption code and processing is proprietary, operates on Apple-owned U.S. Servers. Following the Apple-dot-gov flap, you can disregard everything they talked about. There is a next-gen version of the iPhone coming out that will invalidate most of the prior information as well as prior features of the iPhone. The dot-gov Bureau consultant broke their old system, so don’t count on the next one either.

* * * * * * * * * *

About PGP, “Pretty Good Privacy”, Phil’s invention:

https://www.gnupg.org/ Distributes today’s Open Source PGP, rescued from the commercial grab of Phil’s code over the years. Original PGP was developed by Phil Zimmermann. This caused him extreme difficulty with the U.S. Government. (If you don’t already know this story, here is Phil today, very much worth the read: http://www.philzimmermann.com/EN/background/index.html).

You can install and use PGP on your devices, for yourself, by yourself. The functionality depends on the PGP code being on your device, then your PGP program generating your “Key Set”. The “Private Key” stays with you. Your “Public Key” is just that: public. You use your Private Key to encrypt your messages. The recipient uses your “Public Key” to decrypt your message. You share your Public Key either personally with your contacts, or you share it publicly by posting it on a key repository. People find your Public Key by looking up your name or key in a key repository such as http://pgp.mit.edu/. By the way, if you are a person of extreme financial, political or corporate importance, with communications that someone wants really badly, it is possible for someone with extreme resources to intercept your communications when using this particular system if your Public Key is available publicly. (By the way, it was a Russian scientist who discovered how to do this and published it!) However, if you are not breathing that type of rarefied political/financial air, this system is excellent. But then, it’s also difficult for your non-techie friends to participate in. Everyone has to have the other person’s public key. And if the recipient wants to respond securely, they have to have PGP installed on their devices and a key set of their own.
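The key-set idea, as an added example that is not from this post or from any PGP program: Go’s standard library is used here as a simplified stand-in for the OpenPGP message format. The message is encrypted to the recipient’s public key, so only the recipient’s private key can open it, and the sender’s private key produces the signature that the recipient checks with the sender’s public key. The key names and the sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a simplified stand-in for a PGP message: a one-time session key
// wrapped to the recipient's public key, the ciphertext, and the sender's signature.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// NewKeySet is the "key set" step: the *rsa.PrivateKey stays on the owner's
// device; its PublicKey field is the half that gets shared or posted.
func NewKeySet() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts msg so only the holder of the recipient's private key can read
// it, and signs it with the sender's private key so the recipient can check
// who it came from.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, msg, nil)
	// The recipient's PUBLIC key wraps the session key; only their private key unwraps it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// The sender's PRIVATE key signs; anyone holding the sender's public key can verify.
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open checks the signature against the sender's public key, unwraps the
// session key with the recipient's private key, then decrypts. A tampered
// message, a forged sender or the wrong recipient all fail here.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not encrypted to this key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := NewKeySet() // sender
	bob, _ := NewKeySet()   // recipient; only bob.PublicKey is ever shared
	env, _ := Seal([]byte("constructed sample: case notes"), alice, &bob.PublicKey)
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%q %v\n", pt, err)
}
```

A real PGP message also carries key identifiers and armoring; what this block keeps is the split of roles between the two halves of each key set.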

Want to try it? Start here https://emailselfdefense.fsf.org/en/ (And good luck; I used Phil’s original PGP successfully “back in the day”, and still have the last three versions he updated. I also have the first commercial version when he sold it, but that one won’t load on today’s OpSys’s beyond W-2000. (*Note: I do believe today’s flavors of *Nix come already loaded with some version of PGP, but not absolutely certain. I haven’t looked for any PGP feature on this box with Linux Mint-Cinnamon V-18). I can’t make the available new PGP versions work today on my work boxes. My laptop test box refuses to download the executable. Today most OpSys’s have decent encryption built-in for security of your files, folders, and hard drives. This is beyond the BIOS and OpSys passwords. 🙂

But: if the current political clamor for back-doors in commercial USA encryption programs succeeds in requiring a “back door”, your own PGP executable on your own devices, communicating only with others with the same setup (and your Public Keys being held as not in the public arena), will be the only truly secure communications encryption schema you could find offered by companies in the USA. And then only if you and your friends always scrub your devices of opened messages. And if you don’t “scrub” correctly, don’t even waste your time, as they can all be recovered.

If I were a banking CEO, or a medical practitioner, or a corporation with a mega-buck R&D budget, or someone dealing with other people’s private information, or… (use your imagination), I would not take the chance of using a security program that was not secure. The way foreign governments have been stealing U.S. technology for the past 20 years (besides the rocket satellite technology so kindly gifted to China by the U.S. president in the 1990’s!) is by exploiting security holes in the communications programs used by industry and government. If a foreign agent offered the “right” government quisling ten million dollars cash for the back door key used by some U.S. security company they wanted access to, take a guess as to whether it would be sold or not. The number of recent traitorous quislings on our public payrolls, city, state, federal, in the U.S. has been… irritating, and unimaginably damaging to our National interests. Even more common is the innocent worker at home with his unsecured laptop and wireless connectivity hooking up with the corporate server that has connectivity not only with corporate secrets but also has connectivity straight to dot-gov servers. Read that as any corporation with a dot-gov contract.

More information on today’s PGP-based offerings (besides Symantec) are in the next two links:

https://www.propublica.org/article/the-worlds-email-encryption-software-relies-on-one-guy-who-is-going-broke

https://www.propublica.org/article/privacy-tools-the-best-encrypted-messaging-programs

* * * * * * * * * *

https://www.anonymizer.com/ : This is a Virtual Private Network (“VPN”). VPNs are reputed to be used to hide browser travels or transmissions. Some perps believe they can use a VPN to send untraceable threats, illegal offers etc. (similar to the phony “911-swat” calls in Salt Lake County during 2016). Criminal activity via VPNs can be traced by LEOs with proper search warrant authority. So if you have a perp you find was using a VPN, you do have ways to extract good information from the server for your case. “VPN” is simply that: “virtual”, “kind of like private”, but not really.

I cannot think of one good reason that I, or most people, would ever want to use a commercial VPN to try to hide Internet travels or transmissions. “However”, a business with sensitive contract contacts, or other expensive assets to protect, might use a VPN as one layer of IT security to help defend their system from cracker access. So if your department is checking the computer of a suspect for criminal evidence, check the hidden folders or encrypted files. Also check any difference between the stated capacity of a hard drive and the indicated capacity, which can indicate “invisible” encrypted sections; take into consideration, of course, the normal operational space that is reserved on all modern hard drives.

There is a fee of some kind to utilize most commercial anonymous VPNs, so financial records (credit card, PayPal, electronic transfers, bitcoin transfers…) could also be used under warrant to at least start a trace, obtain evidence and get a search warrant for the VPN to continue the chase.

* * * * * * * * * *

(“JMHO”): The recent “Apple-FBI” flap was unfortunately totally counter-productive. All it did was raise additional intense public interest in communications security, not only among the public but also among academics and professionals across the globe. The friction between Europe and the US has been at a critical level anyway recently (especially after the NSA records release), nearly collapsing billion$ in business between the EU and US. The political push to further erode US communication security only raised the hackles of the EU members even more. Besides, the end result of the flap was zero anyway: there was no usable information on the County’s phone used by the terrorists.

The Obama administration successfully pushed the CISA program quietly into law in the dark of night during the 2015 Christmas week. “Quiet” will not be the case with the present push to run all U.S. communications security companies out of business by requiring a back door to their encryption schemas. Either there is encryption security, or there is not encryption security. If only just one present honest dot-gov employee has custody of the back door key, he will not be there forever. The next keeper of the key might be another in a long line of public official quislings for sale to the highest bidder. And that’s “MHO” no matter what one of my all-time most respected Federal Agents says about preconceived bias destroying the chance for productive dialog on the subject. He is the definition of the proper, lawful, effective Police Administrator. Absolutely honest and totally trustworthy. The problem is that his next replacement could easily be a throwback to the 1950’s. “Back-door” is not what the Nation’s security wants or needs.

CERN recently had an excellent speaker addressing the subject of human preconceived bias. My opinion on any back-doors in security programs being a killer for US-based encryption vendors is not preconceived bias; it’s based on observation, history and solid logic. Network Associates simply decided not to open the PGP code to peer review when they bought it. Therefore it was proprietary. Therefore security could not be verified. Suddenly it was no longer purchased by the customers seeking encryption and NA’s level of perceived PGP trustworthiness became non-existent. NA’s PGP business collapsed and PGP was sold again, to Symantec. Symantec opened the source code to peer review and built a thriving business still available today. If there becomes a back-door (or call it whatever you want, a duck is a duck) then Symantec can kiss their PGP business goodbye also. So apparently we will have to agree to disagree on this matter of “either-or” regarding preconceived opinions on the subject of encryption security.

* * * * * * * * * *

http://www.bbc.com/news/uk-34713435 England’s Investigatory Powers Bill: Encryption program back-doors required for use by government. The title of the Bill is couched as an update to modernize police practices of privacy acquisition. A whole bunch of acquisition, similar to CISA. UK companies are required to decrypt encrypted messages and keep customer personal historical records for the Royal MDP to get around to looking at sometime. I haven’t researched deeply how EU is watching this, but there is a grand canyon between the communications security laws between much of Europe, Britain, and the U.S. Tensions are high already between EU and UK. With the “Brexit” vote coming up in the UK, it may become another scratchy item. Or not.

* * * * * * * * * *

http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html (warning about those “free apps” that people download to their phones and computers. Marketing snoops and malware accompany most anything that is totally free at all levels)

* * * * * * * * * *

http://www.nytimes.com/2014/01/18/us/politics/obama-nsa.html (Just more of the usual political hot air, nothing of real substance…)

* * * * * * * * * *

https://www.facebook.com/ Rule #1: If Facebook is involved, it is designed primarily for public information intelligence gathering and marketing. 🙂

* * * * * * * * * *

www.business.att.com (Not checked, don’t know what they offer but it’s for business.)

* * * * * * * * * *

www.WhatsApp.com Facebook-owned messaging platform. Reputed by dot-gov to be an “enemy of law enforcement”. (Is that complaint simply dot-gov disinformation?) But WhatsApp can actually be a valuable tool, so don’t dismiss them too quickly. This App is either free or 99 cents depending on which Play Store screen you look at. I didn’t load it because in order to use it your contacts have to load it also. Which might be OK for your situation, but not mine.

This has been a casual discussion of several popular communications security options. By no means is it complete, nor was it evaluated by a security professional. If you have argument with any of the evaluations above, you are kindly invited to reply with your corrections. Backed up, of course, by valid references, not opinions.

Best Regards, Ken


About kglawton

I'll never die because I have so many things to be completed.