Encrypted communications November 10, 2016 7:25 PM   Subscribe

Listen up ya'll. We've got until January 20th to stand up encrypted communication networks to support each other.

All the other work we do during this administration relies on being able to talk to each other. Metafilter has been my home on the internet for 12 years, and I will sorely sorely miss you all. But, as a member of a group that's going to be specifically targeted, I probably won't be able to engage much with public open channels after January 20th. I will be going dark on this and other services, and relying entirely on trusted contact lists that I've already established.

Here's what I'm suggesting for anyone who's interested in being involved, but is feeling similarly threatened:
  • Get set up on keybase.io, which will let you authenticate your identity with others, and is a foundation of other public-key crypto communication and secure file exchange
  • Install Signal, and start exchanging contact lists of people you trust.
This is a foundational step and I'd welcome further suggestions.

keybase.io requires an invite from an existing user. Message me for one.

Signal registers users by phone number, so you'll need to exchange that somehow. I've put mine in my profile, for now.
posted by odinsdream to MetaFilter-Related at 7:25 PM (64 comments total) 76 users marked this as a favorite

I don't understand what this is about. Who is a target group? Besides anyone who isn't a white male?
posted by Oyéah at 7:41 PM on November 10, 2016 [7 favorites]


There's something about going underground to communicate that doesn't sit well with me. If I can't have my voice in the sunshine, I'm not sure I want it at all.
posted by HuronBob at 7:45 PM on November 10, 2016 [19 favorites]


I don't think we need to argue the premise here. If this isn't for you, then it isn't for you.
posted by Etrigan at 7:49 PM on November 10, 2016 [31 favorites]


Three things I saw linked earlier today (I'm not vouching for them, just collecting them for convenience while I'm thinking of it):

ssd.eff.org - Surveillance Self Defense, an explainer with tutorials from EFF

collection of links to security and privacy resources by TD Strange in a 2015 Mefi thread

privacytools.io - Big collection of misc security and privacy info
posted by LobsterMitten (staff) at 7:57 PM on November 10, 2016 [20 favorites]


I suspect that not "arguing the premise" enough is what may have brought us to this point to begin with.
posted by HuronBob at 8:02 PM on November 10, 2016 [10 favorites]


HuronBob, if you aren't concerned or don't want to do this stuff yourself, that's fine. This is a post for people who are concerned or do want to.
posted by LobsterMitten (staff) at 8:03 PM on November 10, 2016 [4 favorites]


Also: Information Security for Journalists (pdf) from the Centre for Investigative Journalism.
posted by LobsterMitten (staff) at 8:07 PM on November 10, 2016 [5 favorites]


It's in LM's links as well, but https://protonmail.com is an excellent secure email provider located in Switzerland. I can't vouch for how NSA-proof it is, but I'm a happy user.
posted by michaelh at 8:08 PM on November 10, 2016 [3 favorites]



Thank you. I was thinking about posting a thread about this. Some of the comments in the last to election threads were links to security info and it got my brain going.

Need to learn all I can about it right now.
posted by Jalliah at 8:09 PM on November 10, 2016 [1 favorite]


I'm actually totally lost. What is this? Is there something going on I don't know about? (Not rhetorical or arguing premises--genuinely confuzorzed!)
posted by Joseph Gurl at 9:17 PM on November 10, 2016 [3 favorites]


It's a good idea to be looking into how to protect your privacy, whatever the reasons. So, thanks for this.

To add to what LobsterMitten said about privacytools.io, I especially recommend this site because it does a great job of keeping its advice up-to-dat. It's my go-to for beefing up browser security.

And if you'd like a good riposte to the old "nothing to hide" non-argument, Snowden himself has you covered.
posted by Juso No Thankyou at 9:20 PM on November 10, 2016 [2 favorites]


I'm actually totally lost. What is this? Is there something going on I don't know about? (Not rhetorical or arguing premises--genuinely confuzorzed!)

A Western Hemisphere nation of some 320 million people recently elected as its head of state a man who has fascist tendencies. This nation also has a large surveillance apparatus.
posted by tonycpsu at 9:32 PM on November 10, 2016 [40 favorites]


I'm actually totally lost. What is this? Is there something going on I don't know about? (Not rhetorical or arguing premises--genuinely confuzorzed!)

Because of Trump and the types going into office there is a real a present danger that the security apparatus of the US State is going to be turned onto people in vulnerable groups or who they think are posing a threat. And there is the added bonus we now have stories about Russia turning from hacking DNC emails to going after US based NGOs.

This thread is about ways that could be used to defend against that.


And yes it is scary.
posted by Jalliah at 9:33 PM on November 10, 2016 [9 favorites]


An additional tool that might be useful for some purposes is Guerrillamail. Something like that is probably best used in combination with VPN or Tor or both.

A note about Tor. My understanding is that the exit nodes can be monitored by state actors, so if this is a concern, then using Tor by itself is probably not enough to guarantee security.
posted by StrawberryPie at 11:36 PM on November 10, 2016


I really hope you're wrong but that line keeps ringing in my head,

"When people tell you who they are, listen to them." and in light of that, thanks and to LobsterMitten for the links.
posted by From Bklyn at 12:57 AM on November 11, 2016 [8 favorites]


Here's what I'm suggesting [...]

You're probably going to have to explain in a lot more detail exactly what this is, who would want to use it, ho they would use it, and how to set it up: step by step, do this and this and this, here is how to exchange a test message to verify that it is working, here is where to go for help, etc.
posted by pracowity at 3:24 AM on November 11, 2016 [9 favorites]


I'm actually totally lost. What is this? Is there something going on I don't know about?

just to clarify on the technical front. what odinsdream (OP) is describing gives you a way to chat to people you know without the government (or anyone else) being able to listen.

to do this you need two things: (1) encrypted chat (signal) and (2) a way of being sure that the person you are chatting to really is who you think it is. the latter point is what keybase.io does.

together, those two technologies let you take things further if needed. that's why OP described them as "foundational". it's the basic toolbox you need in a digital age for secure communication.
posted by andrewcooke at 3:26 AM on November 11, 2016 [12 favorites]


Um. huh? I would like to participate I suppose but Huh?

I'll buy pizza for any prime factor of 18366. http://www.coolmathgames9.com/prime/prime18366.html
posted by vapidave at 3:56 AM on November 11, 2016


I'll just remind that the encryption is the easy part, key management, validation, verification and refutation (when needed) are not just hard technical problems but seriously tough social and logistical challenges. For instance, I'm certain keybase.io consists of fine well-intentioned blokes but can you(we) validate all the API's used in the tools they use to build and install their product?

Also unless you want to do an incredible amount of work learning and configuring stay away from TOR, it's quite literally dangerous to use - not my opinion but the security researchers at a recent meetup. (if you want to touch TOR the tor browser is fairly safe for purely looking around)

If you're quite serious I'd go back to the original PGP approach (now gpg?) but that requires personally meeting folks in person to trade keys, google for "key signing party". And using simple low tech approaches.
posted by sammyo at 4:58 AM on November 11, 2016 [7 favorites]


Yeah. Unless you can point people to something as simple as a browser plugin that installs with a click and then works like a normal chat window, most people are never going to do any of this. Which is a shame. All online communication should be encrypted.
posted by pracowity at 5:53 AM on November 11, 2016 [1 favorite]


Signal is great. It works exactly the same as your normal text message app so it's not like communicating via Signal is extra work. It even has a color picker for the LED notification (on Android anyway) which I think is a nice touch. Just download it and replace your normal text app with it. Then the first time you text someone, send the link to invite them too.

I also just signed up for protonmail which was super-easy -- unlike my normal gmail account, I chose an email address that does not identify me except by first name, so if it comes to that it's not something that can be linked to me.
posted by rabbitrabbit at 6:01 AM on November 11, 2016 [2 favorites]


Unless you can point people to something as simple as a browser plugin that installs with a click and then works like a normal chat window, most people are never going to do any of this.

Nothing like having the president elect of the most powerful surveillance state on the planet viewing you as a problem to be solved to make you a lot more willing to go the extra mile.

I'm gonna miss the voices that don't feel safe talking here anymore.
posted by Mooski at 6:02 AM on November 11, 2016 [9 favorites]


This is not a method of setting up secure communications.
posted by hawthorne at 6:58 AM on November 11, 2016 [4 favorites]


Hey as I mentioned I'm glad to have suggestions. I'm fucking trying here. You wanna just shit on the idea then, well, I'm not stopping you but maybe reconsider.
posted by odinsdream at 7:32 AM on November 11, 2016 [22 favorites]


This is not a method of setting up secure communications.


It's really very annoying to have someone jump into a conversation, fart and walk away. Especially when it's dealing with serious issue.

If this isn't what people should do then suggest what would work or at least say why what's being talked about wouldn't work.

If not what you've said here is an utterly useless string of words and you've wasted the time you took to type it.
posted by Jalliah at 8:04 AM on November 11, 2016 [13 favorites]


I am putting this here. I have a very limited Facebook presence. Some of the people I connect with are very connected, and through comments to their feeds that fed to mine, I noticed this one thing. Since they are saying white women of a certain age elected Trump. So, what I noticed is the Sexy Sock Puppet account. One guy appears in my feed as a friend of a friend. He is a very handsome middle aged man of undetermined age, his photo, is a very well done, casual black and white. He is from the page of a woman paralyzed by parkinson's who is a sister of a friend of mine. When I looked into his account, he had six months of posts, that is all. He claimed to be a trucker, newly divorced, still grieving, on the road a lot, so he couldn't get into a real relationship yet. The entire other content of his feed was hating Hillary Clinton. That was it. He would talk and message on line, flirt, and otherwise all he really did was talk smack about Hillary. He didn't say he was for anyone else, so you wouldn't get the feel he was a big supporter. But it was a sock puppet account. I started looking for them, and I have picked up a few, because I have family who is very active. As soon as the election was finished there is a spew of mansplainers with sock puppet accounts, and again, they are running ideology, in packs, on people with large followings.

So I advocated the block a troll Wednesday, put out a sympathetic post, and wait for the sock puppets, to block. I think this is a huge endeavor, I remember a while back a program that would give a single poster twenty identities to opine with. Push the button, you have said the same thing in twenty different dialects. I just put this here.
posted by Oyéah at 8:10 AM on November 11, 2016 [4 favorites]


I'm sure a lot of these things are imperfect, but I for one am very glad for this thread in a general kind of way because I think it's a good starting point for me to be learning more about this kind of stuff... and because I've been looking for a non-Gmail email provider for a long time and now I think I finally have proper motivation to go do that.

I don't think the chances are high that this stuff becomes necessary for ordinary activism. But I think the chance exists, and we should all know how this stuff works in case it becomes necessary. Not just because of Trump, but because we all have been relying for a very long time on the benevolence of a lot of large corporations who are not guaranteed to remain benevolent or even neutral. Because the US government even under Obama has not been a place of completely sunshine and rainbows. Because there are governments in this world which are even worse, and the more this information gets distributed, the more people use these services, the more they're available for the people who really need them.

It seems like there's never a bad time to know this stuff, and I've been putting it off as not that important, but I shouldn't.
posted by Sequence at 8:21 AM on November 11, 2016 [6 favorites]


Thank you for posting these. FWIW, I didn't need an invite for Keybase.io, which I just set up now.
posted by nev at 8:34 AM on November 11, 2016 [1 favorite]


Yeah, just to underscore this: it's okay for folks to be worried about privacy and communication security. It's also okay for folks to not be personally worried about that, or to have feelings about what a good approach for meeting those worries are. But there's zero harm in looking at this, thinking "not for me", and just leaving it at that thought and moving on with your day.

And if you feel like the idea has merit but the details need tweaking, offer those tweaks! If you feel like the notion is good but folks need a better guide or tutorial for the process, track one down or write one and share it! These are solid, constructive ways to take those concerns or skepticism and turn them into a contribution to the community.

Nobody has to do that. It's okay to just shrug and move on. But try to make that effort, if that's the case, to do just that instead of taking the time to unconstructively blarg at folks about it.
posted by cortex (staff) at 8:55 AM on November 11, 2016 [27 favorites]


You shouldn't be thinking you'll be safe from Trump until the 20th. The NSA archives tons of communications. At a minimum you should assume that your email; text messages; and meta data (like who you called and for how long) is already being captured by the government and will be available after Trump takes power.
posted by Mitheral at 9:23 AM on November 11, 2016 [9 favorites]


Honest question: why wouldn't iMessage or WhatsApp plus a VPN be sufficient for texts? They're both encrypted, right?
posted by Johnny Wallflower at 10:05 AM on November 11, 2016


The threat model has changed. We are going to need to protect against lawful intercept orders.
posted by odinsdream at 10:19 AM on November 11, 2016 [4 favorites]


I think this is incredibly useful. I'm figuring out if I'll need it or not - I'm pretty sure I'm going to be on a list somewhere, but I also may want to be able to give people advice and counsel that's not targeted. But I strongly endorse this, thank you for posting it.
posted by corb at 11:34 AM on November 11, 2016


The NSA archives tons of communications. At a minimum you should assume that your email; text messages; and meta data (like who you called and for how long) is already being captured by the government and will be available after Trump takes power.

Not only that, but they've classified encrypted communications as "foreign," which they are not required to minimize (filter out) like they have to do with traffic they know is domestic, between two people within the US. They can save this data forever, until they can decrypt it, if they want to. Which they do.

This is why the concept of Signal is important, because it uses encryption that is so far mathematically and physically (as in Physics) impossible to crack.
posted by rhizome at 12:04 PM on November 11, 2016 [4 favorites]


Signal is great. It works exactly the same as your normal text message app so it's not like communicating via Signal is extra work. It even has a color picker for the LED notification (on Android anyway) which I think is a nice touch. Just download it and replace your normal text app with it. Then the first time you text someone, send the link to invite them too.

I also just signed up for protonmail which was super-easy -- unlike my normal gmail account, I chose an email address that does not identify me except by first name, so if it comes to that it's not something that can be linked to me.


So up until now I've basically been the prototypical USian who, as a speaker at a conference recently put it, "will give away their social security number for a 50-cent-off coupon." I'm not even at a 101 level in terms of protecting my online privacy, so I apologize if these questions are incredibly dense. But I'm gathering that for any of this to work, you can only use it to communicate with people who are also using the secured systems?

Especially email--like, I can set up a separate email account but privacy is destroyed as soon as I write to my cousin's gmail account.

I want to get smarter about this but I'm really starting from scratch. Does anyone know of any good 101-level resources?
posted by mama casserole at 12:43 PM on November 11, 2016 [6 favorites]


But I'm gathering that for any of this to work, you can only use it to communicate with people who are also using the secured systems?

Yep, both sender and recipient need to be using the secured system.

Does anyone know of any good 101-level resources?

The EFF's Surveillance Self Defense site linked upthread has good walkthroughs and tutorials.
posted by zamboni at 12:55 PM on November 11, 2016 [4 favorites]


From a broader standpoint, how does this change look? Would one keep posting about movies on Fanfare, for instance, but take anything remotely personal or political into these other channels?
posted by tofu_crouton at 1:01 PM on November 11, 2016


Listen, it really is this simple:

1. Download Signal
2. Open it
3. Give it your phone number
4. Text people using Signal instead of your other apps. Invite them to install it as well.
5. There is no step 5.

There is a lot more to operational security, but this is a foundational step. This lets you talk with people that you already know securely, and you can easily bring new people onboard.

Talking is where other things happen, like learning about other organizing activities, or other more elaborate security systems.
posted by odinsdream at 1:22 PM on November 11, 2016 [4 favorites]


Listen, it really is this simple:

I hope my questions didn't come across as skepticism. I've already installed Signal (it was dead simple and only took about a minute) and invited the people I talk to most to do the same. I'm just trying to gain understanding.
posted by mama casserole at 1:34 PM on November 11, 2016


Metafilter: But try to make that effort, if that's the case, to do just that instead of taking the time to unconstructively blarg at folks about it.
posted by Melismata at 1:59 PM on November 11, 2016 [1 favorite]


some good resources, thanks for the announcement.
posted by clavdivs at 3:48 PM on November 11, 2016


Here is what Glenn Greenwald had to say about security under Trump (and Obama).

I get the impetus to take action now to protect privacy, but this is critical regardless of who is in office.
posted by AugustWest at 6:06 PM on November 11, 2016 [2 favorites]


It's certainly a product of our times, but this does kinda set a deadline.
posted by rhizome at 6:39 PM on November 11, 2016


Disclaimer: I have done some information security work in the past but I am far from an expert. Many activists, journalists, and other professionals know a LOT more than me. But I worry a bit that people coming here for 101-level answers will think some app is a silver bullet. Most of this comment boils down to, "remember tools are only a small part of the answer, and be careful who you trust".

I think it's really valuable to make computer security resources available and make more people aware of them. Many of the tools mentioned in this thread are really great, and I'm particularly fond of Signal for its ease of use. The EFF's resources are also great, and I highly recommend them. In particular, the EFF has a series of playlists of security articles aimed at scenarios like "activist" or "LGBTQ youth" to help introduce the most helpful topics.

But please remember: you can't make yourself safe by installing an app, and computer security is only a small part of your personal security. Being secure is a mindset, and it means you have to carefully think about what information matters to you, who you trust with that information, and who has an actual need to know it, and limit what you share accordingly. Most people are compromised because they trusted the wrong person, not because someone hacked their email.

In particular, I'm going to suggest not using Keybase for most people who are just trying to keep themselves under the radar. Keybase is very much about tying multiple online accounts together, so I can be confident that JoeRandom on Twitter is the same person as JimmyRandomized on Reddit and owns ThisIsJoeyRandom.com.

This is really helpful if you want to make yourself easy to contact securely (e.g., journalists or security professionals). But it also makes it a lot easier for a hostile person to deduce connections that might otherwise be less obvious, or at least more deniable. ("JimmyRandomized posted about a protest and JoeRandom has posted photos of his dog and ThisIsJoeyRandom.com is registered to an address in Miami.") If you want to exchange secure contact information, the safest thing is to do so one-to-one, with people you already trust, and in person if possible.

Also, please be aware that most computer security advice you will find online is aimed at protecting you against scams, criminals, general surveillance, or casual threats. For 99% of people who just don't want to get doxxed or harassed or their credit card stolen, this is probably fine. But if you think you are in more direct or personal danger than this, seek expert help.

Be careful out there, folks.
posted by fencerjimmy at 10:44 PM on November 11, 2016 [27 favorites]


It's really very annoying to have someone jump into a conversation, fart and walk away. Especially when it's dealing with serious issue.

If this isn't what people should do then suggest what would work or at least say why what's being talked about wouldn't work.

I was trying to intrude on the conversation as little as possible, sorry if I came across this way. To be (slightly) more specific and hopefully more helpful:
* Declaring that you are going to "go dark" draws attention to you.
* Posting a phone number in your profile "for now"(!) suggests that any electronic security steps taken now will not protect the "trusted contact lists [...] already established." I see in preview that fencerjimmy is making this point better than I, so I'll leave it there.
posted by hawthorne at 10:49 PM on November 11, 2016


But I worry a bit that people coming here for 101-level answers will think some app is a silver bullet.

That's the opposite of what I want and why I was asking for a little more clarification on how the encrypted services work. I did install Signal, because I didn't see that there was much to lose as long as I didn't lapse into a false sense of security. A whopping 2 of my contacts are already using Signal and no one accepted my invite. So I still don't see how "there is no step 5" because it doesn't seem to change anything until both sides of the conversation are secured. I don't want a magic bullet, I don't want to just install an app and forget about security, but I do need to start at a 101 level because that's just where I'm starting from, unfortunately. I don't want to stay at 101 but I do need to start there.

I am sorry for intruding into this thread with my remedial questions, and I'm grateful for those that personally vouched for the EFF resources. I've been going through some of the tutorials there, and I will butt out of this thread now and leave it to the experts.
posted by mama casserole at 5:36 AM on November 12, 2016 [2 favorites]


I wondered why I started getting keybase requests from mefites. Yes, do all the privacy, but some care is required:
  • Signal authentication via SMS is not secure or a guarantee of identity. Apologies for the tired.com link (with their obnoxious fullscreen adblocker-blocker), but this is a decent explanation of what can happen: So Hey You Should Stop Using Texts for Two-Factor Authentication
  • Encrypted e-mail still carries enough metadata to identify you as a suspect. Let's say two parties maintain a spirited encrypted communication over several months with large messages being passed back and forth. These messages suddenly stop, and an event that is deemed a terrorist action occurs shortly thereafter. The timing and IP addresses could make some very large scary people with big sticks and dreadful taste in music very uninterested in your alibi.
posted by scruss at 6:20 AM on November 12, 2016 [1 favorite]


Ah, I was wondering how they were doing authentication/verification. And as usual the hard part in popular encryption systems is being handwaved.
posted by Mitheral at 8:12 AM on November 12, 2016




I've started collecting good security how-tos and backgrounders, and I've mentioned a few on MeFi threads. Glad to see they're all here too.

My take on this issue is simple. Repressive, authoritarian states rely on identifying and monitoring anyone they think may be capable of acting effectively against them, and will use any and all methods to do this regardless. Modern states have already built and use exceptionally capable surveillance systems. So, if you think you may be identified as someone who opposes the state you're in, and you do not trust that state to accept your right to oppose, you need to understand what the state is capable of and how you can operate within it.

A concrete example. The state decides to act against a minority, say by identifying and deporting them, and criminalises attempts to help minority members evade identification or capture. You feel this is unjust and harmful to your society, and you want to organise with others who agree with you to oppose this and help that minority while also finding ways to undo the legal framework of oppression.

Congratulations! You are now an enemy of the state, which will devote state resources o finding and stopping you.

To hinder this, you need to be able to communicate with your fellows and manage your resources and actions. Here's what you need to learn to do:

1. Disguise the fact that you are communicating, in ways that are not amenable to automatic detection
2. Hide who you are communicating with, so that if 1 fails, only you are at risk
3. Encrypt your communications, so any compromise is of limited use.
4. Compartmentalise your communications. As little as possible to as few as possible as infrequently as possible, as safely as appropriate.
5. Understand threats.

All of these are hard, but 1 and 2 are hardest. 1, 2 and 3 can be undone by single mistakes or lapses of concentration. None of them is proof against a determined adversary.

You can't do any of this if you don't have a good idea of what it is you're trying to achieve. At the moment, my priorities are gathering information so I can help people start to learn how to think about data security in a hostile environment, and to learn as much as I can along these lines. This I can do openly.

I'm also taking steps to achieve 1 above - a good artist prepares his materials ahead of time. This means I use VPNs and Tor regularly for anodyne reasons, knowing that my usage is being flagged and recorded; if in the future I need to do things that require such tools, there won't be a sudden change in my usage patterns that could be correlated with other factors. I'm also getting useful experience and making my mistakes when it doesn't matter. I already know and am in normal communication with some of the people I trust and expect to be with me if 2 above starts to be a factor, and we know how we'll establish communication on delicate matters ahead of time. I use Signal wherever possible, and encourage appropriate contacts to do the same, but also practice splitting comms across multiple channels appropriately, so that if a channel thought secure proves compromised in the future,it's not fatal.

For example, if I want to give someone access to one of my self-hosted services, they'll know to expect the address in email in one format, the user name via IM in another, and the password via Signal in yet another. How do they know this? I've either told them in person ahead of time or whatever: the main thing is that if any automated keyword or pattern recognition process is going through my stuff (it is, and yours too), it won't trigger.

Things I don't do include using VPNs and Tor from systems that contain personal ID, or to access systems that require or can otherwise determine any ID data that can be linked back to me IRL. Some stuff I can't do much about, like vocab or writing style; however, the idea is always to make things hard for the other chap and require them to use more resources than they can justify, so keep them guessing.

If you're serious about this, there's no better preparation than to learn to think like the NSA - or like a bad guy. Read stuff. Get a taste for war stories from the espionage, intelligence and counter-intelligence worlds - because this is real.

God forbid your safety and freedoms depend on knowing this reality, I will not tell you it won't happen. I honestly and soberly think that it might.
posted by Devonian at 12:04 PM on November 12, 2016 [20 favorites]


Yup, one of those "war stories" involved a guy who was arrested and charged with being a spy in Iran just for seeing his relatives. After being tortured and imprisoned for years, without a shread of evidence, let go and flouted as a "hostage trade."

So the dangers of a totalitarian state are very real.
posted by clavdivs at 12:37 PM on November 12, 2016 [1 favorite]


If you're worried, but find all of this kinda complicated and scary in itself, you're not alone.
I started writing on my blog about this and related subjects on my blog (right here), and like I said before, I'm not an expert but I've been taught by experts, so I might be able to help a bit here and there.
I'm aiming at a tech level that my 70+, computer using, non-geeky parents can understand. I've just posted my second post and it's about e-mail providers.

Techie mefites, if you see me making mistakes and steering people wrong, please feel free to step in and correct me. I'll happily update the blog based on your expertise. I'm just making do with what I know because I'm so worried for all y'all and want to help. Thanks in advance, it's appreciated!
posted by Too-Ticky at 1:55 PM on November 12, 2016 [4 favorites]


Hey, just dropping by to mention that AT&T retains call records, voice data, SMS and probably anything else that has passed through their network, to varying degrees, reaching back to 1987. Making this data available to law enforcement without a warrant is a profitable arm of their business.
posted by indubitable at 6:14 PM on November 12, 2016


Traffic-flow security is another problem that our modern packet-switched Internet exacerbates. If you can see a (for sake of argument) a 1200-character message on one link to a server, and shortly thereafter a message of the same size leaving, you can, with a fair degree of certainty assume that if you work from the middle to the ends, you will discover who is communicating with whom. The linked article and its sublinks provide a starting point.

Real security involves a device known as a one time pad. Again, read the article. You can create a workable one-time pad on a modern computer in very little time, but the drawback is that you must physically send the keydisks to the recipients securely. In the ultimate OTP system, every pair of send-recieve parties has an individual, unique, key disk set. This is as close to unbreakable as you are likely to find anywhere on the planet.
posted by pjern at 9:47 PM on November 12, 2016 [3 favorites]


Some stuff I can't do much about, like vocab or writing style

Well now there's a use for Up Goer Five which I hadn't previously considered...
posted by the latin mouse at 1:44 AM on November 13, 2016 [1 favorite]


I've considered ways like that to disguise prose, but they all have flaws if your purpose is How Not To Be Seen. Something I continue to muse on, mind.
posted by Devonian at 5:22 AM on November 13, 2016 [1 favorite]


Up Goer Five as in
~The world is a large being. It is made of matter, thoughts, and light. All our minds are the same mind. We are one being. We are made of the same stuff, and it all runs the same way. My thoughts are made the same way as your thoughts. My senses are made the same way as yours, we sense the world the same way. We are almost all water. Our thoughts run through each other like tears in the rain. We are drops of light. ~
posted by Oyéah at 2:44 PM on November 13, 2016 [2 favorites]


I have an electric typewriter. No one reads letters any more, that seems safe to me, like the tree falling in the forest that no one hears.
posted by Oyéah at 2:49 PM on November 13, 2016


Most people are compromised because they trusted the wrong person, not because someone hacked their email.

Nthing this. Social engineering is real. Those easily-creatable fake Facebook accounts? You never know who's on the other end.

You guys have no idea how absolutely through-the-looking-glass-weird it is for me to go from "omigosh I wish I had a normal family so I could have kept all my friends and had a life in my home state and share things like normal people" to "holy shit thank god my family trained me to be paranoid." Nothing like your family trying to get people to tell them where you work on their surprise flight to France to make you glad your Facebook friends list isn't visible, you never post photos of your office, and you never post locatable photos of where you live.

Anyway. Use Signal, it's a good start. Update your Facebook privacy settings and especially, make them consistent with what you yourself give out as information in real life. This will act as a natural radar ping if someone says something about you, that you never tell people normally. Plus you'll have a good idea of how they got it, if you know what you tell to which people under which circumstances.
posted by fraula at 4:52 PM on November 13, 2016 [2 favorites]


Oh and for goodness' sake be careful with GPS activity trackers. Don't let them auto-share maps of where you run/cycle/whatever, doubly so if you always start off from around your home.
posted by fraula at 4:54 PM on November 13, 2016 [2 favorites]


"Because of Trump and the types going into office there is a real a present danger that the security apparatus of the US State is going to be turned onto people in vulnerable groups or who they think are posing a threat."

I agree that this isn't the place to hash out the justification for this post, but I would like to remind those of you who are younger just what kind of amazing things that J Edgar Hoover got away with until he literally died in office at the age of 77. Nixon was afraid of firing him. Everyone was afraid of him. And that was because he used the FBI as his personal fiefdom of internal US intelligence gathering. Today, with the NSA and the elaborate security state established post 9/11, the power represented by this amount of intelligence is truly frightening to the degree to which it might funnel into the hands of a single person, or, more likely, a cadre of people within Trump's inner-circle, people like Rudy Giuliani. This is not an overreaction. It's also not anything close to a certainty, but it's a genuine concern.
posted by Ivan Fyodorovich at 6:46 PM on November 13, 2016 [7 favorites]


Also, watch The Lives Of Others. Because that happened. And, if you can, go to the Stasi HQ in Berlin, and see just what a run-of-the-mill corporate business total state repression actually is - it's like visiting a regional HQ of a marketing company, except they ran the most intimate lives of millions of people without their consent.
posted by Devonian at 1:51 PM on November 14, 2016 [5 favorites]


I've been to that museum and holy shit that is an incredibly apt description.

(I can recommend both the museum and the book Stasiland by Anna Funder to anybody interested in the topic.)
posted by the latin mouse at 2:25 PM on November 14, 2016


If you're just worried about your messages getting archived and then eventually sucked up by some NSA trolling-for-keywords years from now, then the Signal apps appear to be a great way to do that. And never let the perfect be the enemy of the good, so I'm tempted to stop writing there.

If you're looking for a truly secure way to communicate, though, then the correct app to install on your phone appears to still be "Mu. Don't use a phone on either side of a secure communication." Signal appears to have a desktop application in beta now; maybe try that? Trying to keep a desktop secure from remote exploit by a skilled adversary is insanely difficult too, but insanely difficult is still a step up from theoretically impossible.
posted by roystgnr at 7:19 AM on November 15, 2016 [4 favorites]


« Older Grief and Coping Thread: Election 2016   |   Holidays, gratitude, and Metafilter Newer »

You are not logged in, either login or create an account to post comments