Thread for general discussion on software/hardware for secure communication.
>Signal Private Messenger (FOSS SMS and call Encryption for iOS and Android) whispersystems.org/
>ProtonMail (free-to-use encrypted email, maintained in Switzerland)
>Messages are stored on ProtonMail servers in encrypted format. They are also transmitted in encrypted format between our servers and user devices. Messages between ProtonMail users are also transmitted in encrypted form within our secure server network. Because data is encrypted at all steps, the risk of message interception is largely eliminated.
What other software is must-have? What's your setup? How do you keep your activity on the web private?
a VPN and not using microsoft or google products/services
Andrew Foster
I use Not Being American 2016, serves me perfectly
Christopher Young
I do the same, but what the fuck kind of phone should I get? is there a way to run android that doesn't fuck you from a privacy perspective?
what happens when that stops working?
Ryder Anderson
>Signal
no native client for GNU/Linux, Requires phone number, Uses gcm. Also Android is a shitton of unaudited code written by a company (Google) who has a track record for not caring about privacy. How about no.
>ProtonMail
only use disposable emails or host your own.
Setup for the paranoid:
DM-crypt, LUKS
Hardened Libre/GRsec kernel or Parabola GNU/Linux
GnuPg
OpenVPN
Libressl
Ath9k based wifi and router
no phone
Ian Thomas
>ProtonMail (free-to-use encrypted email, maintained in Switzerland)
I would not trust switzerland. They have good laws NOW. But most people want less privacy because they want to give muslims a bad time. If you say "LESS PRIVACY, lets get the terrorists" then you might find yourself to be the local mayor in a few months.
Go for Iceland or some other place where the public want even MORE privacy and not less.
Ayden Garcia
Cell phone is a necessity. Especially if you view hardening and encryption as a platform for dissident communication. The answer is not no phone.
i like the rest of your list though, how much of it do you actually use?
Ryder Morgan
All of it except I have a phone. It stays until I can buy a laptop.
Also my hardware is not 100% libre compatible. because i have an Intel cpu, but i doubt it can do anything without loading in the microcode.
Chase Martinez
>Signal
There just aren't any other messaging services that have been reviewed by a third party, until someone looks at wire I'm going to trust Moxie's judgement.
>GnuPg
Not forward secure, so utterly user unfriendly that you'll probably make a mistake and compromise yourself.
>no phone
Some of us live in the real world.
Asher Wilson
Moxie is a shill for Google. He refuses to use websockets over gcm for fucking PUSH NOTIFICATIONS, and even with the desktop version of Signal and even an android version implementing Websockets, he still refuses. He even made the guy who made the websockets port stop using Moxie's servers, thus discontinuing support for the app. And he won't put Signal on F-Droid because it's "too insecure", even though package signatures (which was one of his reasons), and trust over security (whether F-Droid would get hacked, even though Google is much more likely to backdoor Signal than the F-Droid maintainers are). tl;dr: Moxie is an arrogant hippie piece of shit that you shouldn't put all of your trust on.
Joseph Harris
package signatures were implemented*
Evan Cook
>There just aren't any other messaging services that have been reviewed by a third party, until someone looks at wire I'm going to trust moxies judgement.
Yeah that's true. I recommend XMPP or IRC encrypted with GnuPG
>Not forward secure, so utterly user unfriendly that you'll probably make a mistake and compromise yourself.
That's where your research and effort comes in. I use Kleopatra for easier use.
Austin Collins
no phone or at least no "smart" phone if you're paranoid, else use Cyanogenmod as an android version (without the google apps package).
Connor Lopez
The double-edge of going with a dumbphone is that you obviously can't encrypt any of your communication from it.
Chase Rivera
The problem with the security world is that there are certain people that somehow got elevated to godlike status and no one even thinks of going against them. Moxie, the jew commie motherfucker, marlinspike is one of them. The best freedom respecting instant messaging app is Conversations.
Logan Carter
thingsandroidusersactuallybelieve.txt
Jayden Campbell
That's more of a problem. The NSA/CIA doesn't spy on American citizens, only on foreigners and foreign nations
Aaron Lewis
Yea his intolerance of other implementations is a little unusual but calling him a shill for google is extreme and unfounded. He stated his reasons for the web sockets implementation and f-droid, stop muddying the waters.
I think he's just a little jaded and tired of other people ignoring or writing over his work, that doesn't mean he's a sellout.
John Wright
>The NSA/CIA doesn't spy on American citizens, only on foreigners and foreign nations
Ahahahahahahahahahahahaha
William Nguyen
Didn't Snowden show the exact opposite?
Adam Johnson
>he forgot usbkill dumbass the cops will get your cp
Bentley Reyes
>2013+3
>still believing this
Get it together user.
The problem with the security world (and open source communities in general) is the existence of fuckwits like you who think your baseless opinions are important enough to derail legitimate discussions and forums. If you want to call people jews or nigger and get nothing done go to pol.
Landon Bailey
Moxie why don't you go back sucking Google's circumcised cock?
Logan Rivera
it's a meme. Thermite on the other hand is not, but it's expensive.
>cp
nice meme. But it's probably some abstract disorder for me. I cannot enjoy anything if it has to do with tracking DRM or in some cases nonfree software. Seeing friends logged into a google acc on their phone leaves a bad taste in my mouth
Josiah Russell
>its a meme.
sure, if you're retarded. how is crashing your computer with no survivors just by pulling a USB drive a meme?
Jace Johnson
At least it doesnt have AI and 20 sensors that track you (gps, fingerprint, heartrate, browsing habits, you name it)
Samuel Brown
the disk in your hdd will be still readable. your RAM might be still vulnerable to ColdBoot.
If you are scared of actual raids investing in thermite is a good idea
this is not the case for me fortunately
Sebastian Reed
>encrypt disk
>usbkill wipes ram on crash
do you even know what it is?
Bentley King
Doesn't rule41 apply to european citizens too?
Like, if you are being investigated for anything, they can ask the ISP if you use Tor or VPN and if you do, you get raided? It's fucking insane.
So the only way to not get raided is to not be investigated? I don't think I have done anything wrong, but for example imagine you fuck up on your taxes or something, the government asks the ISP if I use Tor or VPN, and I get raided because I didn't properly do my taxes. It's fucking ridiculous.
Jackson Stewart
What is the best OS to open sensitive material? I have a windows 7 installation in a HDD that I never use, and unplug modem when I access it. Should I encrypt the entire HDD with veracrypt or truecrypt? And what's the point of encrypting if you are forced to tell your pass to authorities anyway?
Zachary Brooks
>what's the point of encrypting if you are forced to tell your pass to authorities anyway?
don't be a britcuck.
Adam Allen
>this is not the case for me fortunately
If you ever used VPN or Tor it's the case for anyone after rule 41. Again, you may commit a crime and you don't even know it, and you get raided.
Gavin Powell
>Cryptography/privacy general
>doesn't mention anything specific about encryption
why not just put privacy general?
also I've made an encrypted chat/server service. it's currently using RSA but I want to make it have groupchats. what's a good way to do this? my current thinking is having one keypair for each groupchat or maybe switching encryption to FiSHLiM - what should I use if the attackers are hackers and not government agencies?
Julian Jones
I'm not, but I think every country will eventually have that law.
Maybe the plausible deniability hidden volume shit? I'm not sure how that even works desu. Can you do that for an entire HDD?
Austin Howard
This thread is pure autism!
Cameron Long
>why not just put privacy general?
My own ignorance, and hoping to see some Sup Forumsents bring encryption to the conversation. I will try to include more encryption info and a more comprehensive list of software options should I create a thread like this in the future.
Hunter Johnson
don't live in any of the countries that have those laws then.
Easton Sullivan
it's very rare Sup Forums talks about actual cryptography outside of /dpt/. all memes aside, try reddit: /r/cryptography, /r/ciphers, /r/codes, /r/privacy - you'll get more responses, just make sure to read rules before posting
Parker Carter
I don't use tor because I don't have business there, also it's a surefire way to get flagged at NSA HQ.
Also I'm not American and my government is too poor/stupid to monitor us 24/7
Eli Rivera
if it's a serious project just use libGnuPg and be done with it.
Ryder Murphy
>The NSA/CIA doesn't spy on American citizens
And you say this even AFTER Snowden leaked his shit? This is the dumbest meme that anyone can think up.
There is literally NO evidence that the NSA does not spy on American citizens. Even NSA documents say that they do, the Patriot act that gave the NSA these new rights even EXPLICITLY states that it is mainly to spy on Americans to look for "domestic terrorists". This is in the public domain and is not even a leaked secret. All evidence that say anything about it shows that the NSA spies on American citizens.
What kind of mental gymnastics do you need to have to come up with such an outrageous claim?
He did, apparently Americans don't believe in leaked NSA documents and what Snowden did was a waste of time.
Jose Gutierrez
In these times of propaganda-induced insecurity and Orwellian laws, the easiest way for someone to be truly private is security by obscurity.
While it might be fairly easy for an attacker to figure out your system, one must not forget that the attacker is a government employee that, in most cases, does not give a fuck.
Obscurity might not be best applied if the attacked is someone that the attacker is emotionally involved with. Think pardoned Snowden living in America.
Kevin Stewart
get a nexus or pixel and run copperheados. android is really insecure, just look at the technical overview section of copperheados.
Kevin Perez
There is a Signal alternative called Ring (ring.cx). It is on the F-Droid repos.
Ryder Jones
even before Snowden this was known. they have been spying on everyone pretty much since the 70's
Sebastian Murphy
my president!
Lincoln Howard
huh, interesting.
>App permission model including the ability to revoke permissions and supply fake data. Most permissions are based on dynamic checks for IPC requests, while a small subset make use of secondary groups
>Chromium supports per-site-instance sandboxing
i'm very intrigued by this.
Michael Phillips
What is Sup Forums opinion on Wick? Is not FOSS but it werks and has end-to-end encryption
Bentley Nelson
he said all countries will have those laws mong
Noah Rivera
My understanding is this is an attempt to bring latent cypherpunks out of the woodwork. It would be nice to have these kinds of discussions on a fast moving anonymous forum such as g.
This is just a great place to conglomerate people.
Logan Walker
Use Conversations. It supports OMEMO which is basically the same as Signal without giving anybody your phone number or having to use GCM.
Wyatt Jones
>libressl
It sounds good in theory. But trying to use it on a distro that doesn't have it by default is a pain - I tried it with a fresh gentoo install: Emerge fucking broke. And when I got it working barely any packages were comparable with libressl.
Aiden Smith
I use it with gentoo and it works fine, maybe you should have followed the wiki
Aaron Campbell
I did. Maybe I fucked up in some other way. I'm doing a fresh reinstall though - maybe I'll try again then.
William Bailey
Doing a research paper on IDS/IPS evasion.
So far got packet overlapping, obfuscation/encoding and fragmentation. Anyone know of some cool attacks or interesting traffic one could generate?
Aaron Reed
Who is a good email service to use? I want to get away from gmail.
Camden White
>Protonmail
>tutanota
>cock.li
I use Protonmail and Cock.li regularly. I moved away from Tutanota just because the UI is shit.
Angel Sanders
>cock.li
are you retarded? Shit is hosted in Germany, they have been raided before for having domains such as hitler.rocks
Joshua Roberts
I know but I don't even use it for important shit. I use it for when I sign up to a shit website as a throwaway.
Hudson Gray
cock.li isn't even hosted in Germany anymore. It's in Romania.
Landon Cook
Tox for secure instant messaging. I tried it with a few anons, and it seems to work fine.
Owen Russell
GCM free Signal is coming soon dickhead. Stop expecting awesome shit to be made instantly.
Matthew Watson
>X General
kys my man
Charles Garcia
Conversations is okay, but it's harder to use and has no iOS client yet.
Ethan Morgan
>tox
Zachary Kelly
I tried it and it was a buggy piece of shit cross platform, hopefully it matures more
Xavier Cruz
How solid would it be to combine one of these with something like enigmail? for example protonmail claims to have no access to unencrypted content of your emails. however if your browser/computer is compromised, your emails are potentially interceptable.
however, if you encrypt the contents of your email using PGP or public key encryption before sending them, and your correspondent does the same, would that actually help? or would it pretty much be redundant?
Thomas Bennett
nevermind. in the case of protonmail at least, it is not compatible with any 3rd party email client
Parker Gomez
They're supposedly working on it:
>We are working on a solution that will allow you to use ProtonMail with other email clients in the future.
Not that user but people made a non-GCM version of Signal a while ago called Libresignal but Moxie freaked out and said it was against stealing intellectual property and that they weren't allowed to use the name Signal or its servers. He threw a temper tantrum, making it clear that Signal is a "look but don't touch" FOSS that doesn't allow alternative clients. Libresignal shut down knowing it would be impossible to work with such a man child. Use Telegram, Conversations, Matrix, or any other messaging service that's actually FOSS.
Aiden Turner
>use Telegram
The only part of this post I disagree with.
Anthony Nguyen
Any help is appreciated. I've been working for hours trying to install GPA, a front-end client for GnuPG. I assume GPA must be available through Canonical, but I've somehow found myself trying to compile and install this shit manually. Ubuntu 16.04.
At the bottom of that page is a snippet of code, a patch that claims to fix this problem. I have no idea what I'm looking at, and I don't want to put it in the wrong place and cause a disaster.
Again, any help is appreciated. Even a link to an appropriate resource would be great.
Hunter Parker
No, it's a US domestic law. US judges can't issue warrants for outside the US.
I mean, it's a pretty bad law (and I'm sure most eu countries will follow suit) but some of the hyperbole about it is pretty daft, and makes critics of it sound like tinfoil hat wearing retards, when the truth is there are very legitimate concerns with it
Michael Young
Signal's whole business model is to get acquired by either google or facebook as soon as possible, every technical decision they've taken was about boosting their value as a corporate asset.
wire server is not open source, though. only wire client is.
Ryder Collins
It's still better than the alternatives.
Too bad there isn't anyone in there.
Christopher Ross
That shit does not work
Blake Howard
All of this is made up black PR against moxie.
I find moxie an insufferable liberal cunt but I won't spread black PR about him. You can read his posts on HN he's debunked everything you've written, esp the VERY TINY f-droid incident that was blown up into a very big story by shills.
His opinion for people derping about GCM/GAPPS proprietary apps is reverse it yourself if you care so much. There's plenty of projects around where you can use reverse engineered, GNUgapps. They work fine with signal just you may have some buggy lost messages.
There is also nothing stopping you from building the app yourself instead of trusting jewggle store, but it's more likely your own system is compromised than Moxie's systems.
If you need extremely adversary proof messaging, you want to use Subgraph OS's custom chat CoyIM which was rewritten in a memory safe language and the project is led by guys in the top tier of security research these days subgraph.com/sgos/