Category Archives: Open Whisper Systems

Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

Custom stamp for my Signal fingerprint

I ordered a self-inking, custom, wood “1.25 x 2 Rubber Stamp” from rubberstamps.net. I ordered it on a Monday and got it the following Thursday.

Text Line 1: +1.XXX.XXX.XXXX
Text Line 2: 05 b8 6d 44 95 5c 5b 6b f5
Text Line 3: 61 09 22 33 05 b2 c4 c5 db
Text Line 4: f3 85 4a 4b a1 e8 aa 12 36
Text Line 5: 70 20 19 00 0e 4c .. .. ..

Font: Courier New (for all lines)
Justification: L (for all lines)
Style: Bold (for the first line only)

Ink: (added separately) Versafine, crimson red

I added the “.. .. ..” at the end because the preview seemed like it was going to auto adjust toward the center a little bit. I did this to be safe, but it might not be needed.

With 3-5 business days shipping, the total was $29.12.

Photos: stamp top, stamp bottom, card before stamping, card after stamping.

Highly recommended!

End-to-end encryption for organizing groups

This post has more questions than answers.

At TA3M Seattle and Seattle Privacy Coalition I’ve been pushing for the use of a better communications platform. Email is not a sound decision anymore. PGP is too high an expectation, even for privacy advocates, because too many things can go wrong, and it doesn’t scale when communicating with stakeholders (people without PGP). I’m trying to find a better way.

What doesn’t work

E2EE (end-to-end encryption) is a requirement for better communication, and so is protecting metadata. PGP only encrypts the message body: sender, recipients, subject line and timing stay in the clear. StartTLS helps protect some of that metadata in transit, but only hop by hop between mail servers that both negotiate it, and when 5 or 10 (or more) people are emailing each other, not even privacy advocates are going to check the StartTLS status of each recipient.

OTR (off the record) encrypted messaging, typically used with Jabber/XMPP, is not a solution either. OTR sessions are pairwise and synchronous: both parties have to be online at the same time, and there is no group mode. Like IRC, people are not going to stay logged in to a service, so not all messages are going to be delivered to all stakeholders.

What might work

I’ve been focusing on using TextSecure/Signal. It’s not perfect either. It has modern E2EE, most importantly for group messaging. It’s open source and the mobile apps are free to download.

TextSecure/Signal have downsides, but I don’t think they’re disconcerting for the groups I’m involved with. Each participant has to share their TextSecure/Signal number with everyone else, and for most people this means sharing their real cell number. Members can be easily added to a group conversation, and any group participant can add anyone else; that is a risk, but it is also a benefit. More importantly, group participants cannot be removed; they have to leave voluntarily. Another thing to keep in mind, which I discovered by accident, is that creating a group on your TextSecure/Signal device automatically creates that group “discussion” on each participant’s device, even if you never send a message. Be warned!

Another TextSecure/Signal drawback is that it is for short-form text communications. Email can’t be completely abandoned since long-form writing is often necessary.

Importantly, TextSecure/Signal messages, even if just for communicating project statuses or meeting details, will reach each group member, and they don’t have to reply or acknowledge the information. It will be on their device for when they need it.

Please email or tweet at me your suggestions or concerns!

How to use an iPod Touch as a secure calling and messaging device

Published: 2015-Sep-12
Updated: 2015-Oct-10, revision 64


Modern communication technologies are abundant, but legacy phone calling and texting (SMS, MMS) are inherently insecure. Both communications content and metadata are collected and stored by various organizations, for many years. People have a responsibility to safeguard their personal communications with strong encryption, because only then can friends and family help collectively defend each other’s rights. In professions where privacy is expected between you and clients (law, journalism, etc), policy should dictate to either communicate securely or not at all.

Encryption technology is not new, but default strong encryption in mass-market devices is. We’re slowly evolving. The political cost of default security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy communications infrastructure, which is unfortunate:

  • All cell phones transmit insecure content and metadata because cell networks were designed for surveillance.
  • All cell phones not broken, off, or in airplane mode can be easily tracked.
  • All cell phones contain baseband processors with system-wide access that can be remotely controlled.
  • The majority of SIM cards require registration using government-issued ID.
  • Android’s default is unencrypted storage.
  • Android devices get patched slowly, if at all.
  • Carrier-modified versions of Android are poorly developed.
  • Until the next version of Android, apps have near limitless access to other local data.
  • Microsoft’s and Amazon’s phones are a joke in terms of capability and security.

“Nobody is listening to your telephone calls” –President Obama

President Obama is technically correct: it is not possible for US government employees to listen to every phone call. Storing recorded calls at that scale is feasible, but transcribing voice to text and searching the transcripts is cheaper and more effective. The solution is easy: don’t give it to them.

What is bad for the FBI is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the financial liability and cost of default security.

The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature-rich devices. The most effective way to make sure you are not a victim of cell tracking or attack is to not use those systems.

The Apple iPod Touch


The modern iPod fills a much-needed niche: it is WiFi only. Generations 5 and 6 support iOS 8, which is the minimum requirement for Open Whisper Systems’ free and open source Signal application.

Note: WiFi-only iPads could also be used and may be a better solution for people with poor eyesight.

Please review my post Signal, TextSecure, and RedPhone ecosystem notes if you would like to learn more about Signal’s capabilities and limitations. Also review my post TextSecure, RedPhone, and Signal threat modeling if you would like to learn more about Signal’s threats and adversaries in comparison to legacy cellular telephony.

Advantages

  • Network: the iPod has no cellular baseband and no SIM card, so it is not exposed to their inherent insecurities.
  • Network: you can control which WiFi networks to expose your device to.
  • Data at rest: The iPod employs default device encryption.
  • Data at rest: Signal employs default message database encryption and isolation.
  • Data in motion: Signal only uses modern protocols and state-of-the-art encryption.
  • OS security: Apple pushes security patches relatively quickly and the iPod is a more challenging device to infect with malware when used correctly.
  • Verifiability: Signal allows users to compare and verify encryption key fingerprints.
  • Verifiability: Signal is a free and open source software project that is publicly audited.
  • Scalability: other people with an iPod, iPhone or Android can freely install and use Signal.
  • Liability: when employed in a work place with supportive policy, work-oriented communications are compartmentalized from personal devices.

Disadvantages

  • Configuration: using Signal on an iPod requires additional steps to get setup.
  • Network: WiFi access is not as abundant as cellular data.
  • Privacy: iOS requires an Apple ID account to download apps — alternative information can be given if Apple is an adversary in your threat model.

Cost

If you use your iPod minimally to maintain good system health, there is no reason to get anything above 16GB. That is enough free space to upgrade to iOS 9. A new 16GB iPod has 11.7GB usable. A USB wall charger is not included when buying a new iPod; you must buy one or use an existing one (don’t plug it into any computer). If you will be making voice calls with Signal, a required additional purchase is any manner of corded headset.

Apple’s prices (US, then Europe):

  • 16GB – $199 / 229€
  • 32GB – $249 / 279€
  • 64GB – $299 / 339€
  • 128GB – $399 / 449€

U.S. Costco prices, only available with membership:

  • 16GB – $189 in store
  • 32GB – $229 in store
  • 64GB – $289 online

Phone number

Signal, for the foreseeable future, requires a phone number for registration. Since an iPod has no SIM card or any other phone service, you have to use a phone number that you can receive SMS or voice calls on. It is possible to use any manner of burner phone number, but this guide will not cover that, since there are inherent risks in using a number you don’t control long term: whoever gains SMS or voice control of a number you registered with Signal can register that number with their own Signal device. You would then no longer be able to communicate with that number, and they could impersonate you to any contact who blindly trusts the new key fingerprint.

PC Magazine has a decent article covering VoIP options.

Below are example procedures for the following services; modify them to fit your needs:

Landline

If your home or work has a landline phone number that can be called directly (no extensions to jump through), then you can register that number with Signal. This is ideal for journalists or lawyers whose landline numbers are already in people’s phone books.

  1. Enter your landline phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your landline number and provide you an auditory verification code. Enter that code into Signal to verify.

Skype

Skype allows anyone to buy a phone number for $18 every 3 months or $60 every 12 months. Skype can’t receive SMS, so you will need to install the desktop client on your computer and be able to receive a Skype call.

  1. Enter your Skype phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your Skype number and provide you an auditory verification code. Enter that code into Signal to verify.

Google Voice

Google Voice is a great option for most people in the United States as long as you have a number you can forward calls to. Google will provide any US Gmail account a free, long-term phone number. Voice has the added benefit of voicemail, which is useful when someone calls you over legacy telephony: you can tell them in the greeting to call back with Signal or RedPhone.

  1. Enter your Google Voice phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Google Voice account via SMS. Enter that code into Signal to verify.

Twilio

Twilio allows anyone to register a voice and SMS number for $1 a month.

  1. Enter your Twilio phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Twilio account via SMS. Enter that code into Signal to verify.

Operational security practices

Define a strict use case for your iPod for when certain groups of people ask. If you routinely travel, possibly through airport or border security, you don’t want the device to draw suspicion. It is an iPod after all; people will expect that it is for listening to music. You may be coerced to provide access to the device to prove its legitimacy. Plan ahead.

  • If your iPod is for professional services (like law, journalism, etc) only certain groups of people, maybe clients, should be aware of your communications practices. Your organization may even make certain policy decisions like making it public information that you can be reached via Signal for secure communications.
  • If your iPod is for personal use, since you can’t risk connecting the iPod to computer systems to sync files, perhaps use it for photography and picture viewing.

Also:

  • Buy your iPod Touch in cash, or at least in person.
  • Don’t risk infection or leave behind pairing records that let a host access the device later: do not connect your iPod to any computer system or automobile.
  • Only charge the iPod via a wall charger or a firewalled USB charger (one with the data lines disconnected).
  • Don’t use any third-party apps other than Signal. No Web browsing, social media, or email.
  • Keep the iPod physically safe — maybe even keep it in an actual safe when not in use.

Firewalled charging options:

Directions

Be aware that several privacy settings must be reconfigured once you upgrade to iOS 9. Review these settings once you update.

Set up your iPod:

  1. Connect to WiFi
  2. Disable location services
  3. Set Up as New iPod Touch
  4. Sign in, or Create an Apple ID
  5. Don’t use iCloud
  6. Don’t use Siri
  7. Don’t send Diagnostics

Configure your iPod:

  1. Settings > Bluetooth > Off
  2. Settings > Passcode Lock > Simple Passcode (Off – set an alphanumeric passphrase)
  3. Settings > Passcode Lock > Erase Data (On)
  4. Settings > Privacy > Advertising > Limit Ad Tracking (On)
  5. Settings > Software Update > Download and Install

Set up Signal:

  1. Open the App Store
  2. Don’t install any new apps other than Signal.
  3. Search for and install “Signal – Private Messenger” by Open Whisper Systems
  4. Open Signal
  5. Enter the phone number that you’ve chosen to use (VoIP, landline, etc)
  6. Depending on how you need to verify Signal (SMS or call), perform that action (see examples above)
  7. If and when it asks, allow Signal to send notifications

Once Signal is installed:

  1. Settings > Notifications > Signal > Show on Lock Screen (Off)
  2. Signal > Settings > Privacy > Fingerprint (Tap to copy)
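Fingerprint comparison is the one step above that cannot be automated away, and the “Phone number” section explains why it matters: whoever re-registers your number shows up with a different identity key. The following is an added example, not code from this post or from Open Whisper Systems. It formats a key in the hex layout used on the stamp in the earlier post, parses it back from a copied or stamped fingerprint, and keeps a trust-on-first-use table that flags a changed key instead of accepting it. It assumes the 33-byte fingerprint is the hex dump of libsignal’s serialized identity key (a 0x05 key-type byte followed by the 32-byte Curve25519 public key, which matches the 9+9+9+6 groups on the stamp); the key bytes and phone number in it are constructed.

```python
"""Identity-key fingerprints and a "key changed" check for Signal contacts.

Added example; not code from the original post or from Open Whisper Systems.
Assumption: the 33-byte fingerprint on the stamp is the hex dump of the
serialized identity key (0x05 key-type byte + 32-byte Curve25519 public key).
SAMPLE_KEY below is constructed, not anyone's real key.
"""
import hmac
from typing import Dict, List

KEY_TYPE_CURVE25519 = 0x05   # assumed type prefix, see module docstring
SERIALIZED_KEY_LEN = 33
GROUPS_PER_LINE = 9          # the stamp's layout: 9 hex bytes per line

# Constructed sample identity key: type byte followed by 32 ascending bytes.
SAMPLE_KEY = bytes([KEY_TYPE_CURVE25519]) + bytes(range(1, 33))


def format_fingerprint(serialized_key: bytes) -> List[str]:
    """Render a serialized identity key as lines of space-separated hex bytes,
    laid out the way the stamp and Signal's fingerprint view show it."""
    if len(serialized_key) != SERIALIZED_KEY_LEN or serialized_key[0] != KEY_TYPE_CURVE25519:
        raise ValueError("expected a 33-byte serialized Curve25519 identity key")
    pairs = [f"{b:02x}" for b in serialized_key]
    return [" ".join(pairs[i:i + GROUPS_PER_LINE])
            for i in range(0, len(pairs), GROUPS_PER_LINE)]


def parse_fingerprint(text: str) -> bytes:
    """Inverse of format_fingerprint: accept the hex text as copied from Signal
    or read off the card, ignoring whitespace, case and the '..' filler that
    the stamp uses to pad its last line."""
    tokens = [t.lower() for t in text.split() if t != ".."]
    hexstr = "".join(tokens)
    if len(hexstr) != 2 * SERIALIZED_KEY_LEN:
        raise ValueError(f"fingerprint has {len(hexstr) // 2} bytes, expected {SERIALIZED_KEY_LEN}")
    return bytes.fromhex(hexstr)


def matches_card(received_key: bytes, card_text: str) -> bool:
    """Compare a key received over the network with the fingerprint on a card.
    compare_digest is a habit worth keeping even for a public value."""
    return hmac.compare_digest(received_key, parse_fingerprint(card_text))


class IdentityStore:
    """Trust-on-first-use store keyed by phone number.

    Whoever re-registers a number presents a different identity key. A client
    that silently accepts the new key lets them impersonate the old owner;
    this store reports 'changed' instead and only records a replacement after
    an explicit trust() call, i.e. after out-of-band verification."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def check(self, number: str, serialized_key: bytes) -> str:
        """Return 'new' (first contact), 'match', or 'changed'."""
        known = self._keys.get(number)
        if known is None:
            self._keys[number] = serialized_key
            return "new"
        if hmac.compare_digest(known, serialized_key):
            return "match"
        return "changed"   # compare against the stamped card before trusting

    def trust(self, number: str, serialized_key: bytes) -> None:
        """Record a replacement key only after out-of-band verification."""
        self._keys[number] = serialized_key


if __name__ == "__main__":
    for line in format_fingerprint(SAMPLE_KEY):
        print(line)
    store = IdentityStore()
    number = "+15550100"                                  # constructed number
    print(store.check(number, SAMPLE_KEY))                # new
    print(store.check(number, SAMPLE_KEY))                # match
    hijacked = bytes([KEY_TYPE_CURVE25519]) + bytes(32)   # constructed attacker key
    print(store.check(number, hijacked))                  # changed
```

Run it to print the four stamp lines for the constructed key. A “changed” result is the cue to compare the new key against the stamped card or in person before calling trust(); a client that replaces the key on its own is exactly the blind trust the post warns about.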

ACLU-WA encryption evangelism internship proposal

Goal

Further the use of FOSS encryption technologies within Washington legal and journalism circles.

Tor

Organizations, rather than individuals, are the right target for Tor relay and Tor exit relay adoption because they have the resources and stability to keep one running. The EFF “Tor Challenge” has been unsuccessful at gaining long-term relays because it focuses on individuals, who largely lack focus or stable resources. ACLU-WA support could happen in three ways: write to local organizations who are likely to deploy a Tor relay, provide written education or in-person training, and create public reports on successes and failures. Supporting Tor supports human rights work 24/7/365, globally.

HTTPS and StartTLS

Many organizations that require privacy lack website/service transport security. Focusing on specific types of organizations, such as law firms and news agencies, would benefit the public and overall Internet health. HTTPS is critical for keeping private the specific pages and forms visited, in addition to any transmitted information. StartTLS is critical for keeping entire emails confidential in transit between mail servers. In light of recent developments in Texas [1], it would be timely to push Washington state legal policy organizations to adopt similar rules. The “Let’s Encrypt” launch has been pushed out to November 16th, 2015 [2]; that leaves 2 months to start a parallel ACLU-WA initiative (focused on law firms and news agencies, for example) so that it is ready when Let’s Encrypt launches and can benefit from and enhance the initial press.
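The group-organizing post above makes the point that nobody will check the StartTLS status of every recipient, and this section asks law firms and news agencies to turn it on. The following is an added example, not from this page or from any project it mentions, of what that check looks like: parse an EHLO reply for the STARTTLS capability (shown on a constructed sample, plus a variant with the capability stripped), and an online check that actually upgrades the session with certificate verification. It assumes you have already resolved the recipient domain’s MX hostname, since the Python standard library has no MX lookup; the hostname, address and capability list in the samples are constructed.

```python
"""Check whether a recipient's mail server advertises STARTTLS.

Added example; not code from the original posts or from any project they
mention. parse_ehlo() runs on a constructed EHLO reply so the logic can be
read and tested offline; check_host() performs a real SMTP session and only
runs from the command line. Assumption: you already know the recipient
domain's MX hostname (resolve it first, e.g. `dig MX example.org`).
"""
import smtplib
import ssl
import sys
from typing import Dict, Optional, Tuple

# Constructed EHLO reply in the shape servers return (RFC 5321 multi-line 250).
SAMPLE_EHLO_REPLY = """250-mail.example.org Hello [203.0.113.5]
250-SIZE 52428800
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# The same server with the STARTTLS line removed, which is what an on-path
# attacker does: the client then continues in cleartext without any error.
SAMPLE_EHLO_REPLY_STRIPPED = """250-mail.example.org Hello [203.0.113.5]
250-SIZE 52428800
250 8BITMIME"""


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Map advertised ESMTP extensions to their parameters.

    The first 250 line is the greeting (hostname and banner) and carries no
    extension; every later line is 'KEYWORD [params]'."""
    caps: Dict[str, str] = {}
    seen_greeting = False
    for raw in reply.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line.startswith("250"):
            continue                      # not part of a successful EHLO reply
        if not seen_greeting:
            seen_greeting = True          # skip "250-hostname greeting"
            continue
        keyword, _, params = line[4:].partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def offers_starttls(reply: str) -> bool:
    """True when the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def check_host(host: str, port: int = 25, timeout: float = 10.0) -> Tuple[bool, Optional[str]]:
    """Connect, EHLO, and actually upgrade the session.

    Returns (advertised, tls_version); tls_version is None when STARTTLS is
    not offered. ssl.create_default_context() verifies the certificate chain
    and hostname, so a self-signed or mismatched certificate raises
    ssl.SSLError instead of silently 'passing'."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return (False, None)
        smtp.starttls(context=context)
        smtp.ehlo()                       # capabilities must be re-read after the upgrade
        return (True, smtp.sock.version())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: python starttls_check.py <mx-hostname>")
        sys.exit(2)
    advertised, version = check_host(sys.argv[1])
    print("STARTTLS advertised:", advertised, "negotiated:", version)
```

A positive result only says that this one hop offers TLS and presented a valid certificate today. Because STARTTLS is opportunistic, an on-path attacker who removes the capability line (the second sample) gets a cleartext session with no error on either side, which is the earlier post’s point: per-recipient checking does not scale, and end-to-end encryption is what removes the dependence on every hop.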

TextSecure, RedPhone, & Signal

While HTTPS and StartTLS are important for public and private communication, mobile apps can greatly strengthen inter-org privacy. Classic telephony and SMS communications are insecure. The Open Whisper Systems ecosystem uses state of the art encryption, is scalable, and is free and open source software. Purchasing 5th gen iPod Touch devices is a small cost for law firms and allows lawyers to register their work phone numbers with Signal. Doing so would let anyone who already has a lawyer’s regular work phone number use end-to-end encryption instead. No wiretaps, no SS7 tracking, no IMSI catcher tracking, and no baseband or SIM card vulnerabilities, all of which are inherent to any cellular device.

SecureDrop

Whistleblowing is a critical part of a democracy: it keeps the public informed and organizations accountable. SecureDrop, by the Freedom of the Press Foundation, is a powerful tool that allows anyone to leak information to targeted organizations. SecureDrop has been around for 2 years and is largely used by news agencies. That being said, only a very small fraction of news agencies support SecureDrop, which creates two problems: too little overall diversity and too little sector diversity. Overall, there are too few trusted organizations for whistleblowers to choose from. If a person who has access to specific information is only comfortable providing it to a specific organization or person, but that organization has no secure whistleblowing platform, nothing will get leaked. Similarly, if only news agencies support secure whistleblowing platforms, other NGOs who might be better equipped to handle the response will not get leaks. ACLU-WA could work with the Freedom of the Press Foundation to focus on evangelizing SecureDrop to NGOs.

Conclusion

It is apathy about ethics and education that is preventing people from adopting FOSS security systems that provide privacy. It is one thing to be apathetic in our personal lives, but it is not acceptable in professions that demand privacy in order to keep people safe.

1 http://ridethelightning.senseient.com/2015/07/when-must-lawyers-ethically-encrypt-data-texas-answers.html

2 https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html

Using Google Fi for a relatively private phone service

Created 2015-Aug-24
Updated 2016-Apr-19

In this post I’ll discuss ways to leverage the new Google Fi service in ways that are possibly more secure or more private when juxtaposed to regular AT&T, Verizon, Sprint, or T-Mobile phone service. Good planning and good practices can help people who are sensitive to physical location data sharing avert certain kinds of passive surveillance and in turn may prevent future active surveillance. While this information may be useful, it is not intended to solve your specific needs. You are ultimately responsible for understanding why you are performing these actions and non-actions.

Regarding SS7 attacks: the common location-tracking and interception attacks query the mobile network for a subscriber’s phone number, so the attacker needs to know your real cell phone number. A Google Voice number is not a mobile subscriber number and resolves to nothing on the SS7 side, so it is not a target for these attacks; the same goes for a landline phone number or any VoIP number like Skype. The underlying Fi number is still a target if it leaks.

Regular, long-term cell service wrongs:

  1. Requires government issued ID, which basically means connecting your government issued identity to a SIM card and other hardware identifiers.
  2. Requests (and at times requires) a Social Security Number, which also, basically, means connecting your government ID to hardware IDs.
  3. Provides voicemail, a service that is remotely accessible and protected only by a simple 4-digit PIN code.
  4. Does not support two-factor authentication for access to sensitive account information.
  • Google Fi does not ask for identification, period. It is also possible to use prepaid credit/debit cards. As of April 2016, the Google/LG Nexus 5X is the cheapest phone, and you can buy it online or from a local retailer. Related notes: AT&T locks the SIM, so you can’t use an AT&T Google Nexus until AT&T (or a third party service) gives you a SIM unlock code. T-Mobile does not lock the SIM.
  • Voicemail is also an option with Fi. Fi support has stated that “Once you have set up your voicemail with Project Fi, it is impossible to turn off your voicemail,” and, “It will not be turned on until you activate it.” However, I presume that once Fi voicemail is activated, it is remotely accessible like regular voicemail service. If you perform the below steps, you will have no use for Fi Network voicemail, so don’t activate it.

Steps

The following configuration utilizes Google’s Hangout Dialer app that you will install and leverage on your Google Fi Nexus. The Hangouts Dialer will be able to make and receive all calls and texts using a Google Voice phone number. Two Google accounts are needed.

If your personal Google account has Google Voice presently, you will be forced either to give up that number or to make it your Google Fi phone number. Either way, you will lose Google Voice functionality completely, which is why a second Google account is needed.

  1. Register for Google Fi service using Google account #1 including ordering a new Nexus 6, 5X, or 6P.
  2. Do not share your Fi Network phone number. With anyone. Not your friends, family, or any services. Period.
  3. With Google account #2, register a Google Voice phone number.
  4. Download Google’s Hangouts Dialer. Google account #1 will automatically log in. Log in with Google account #2 (the Google Voice account). Then sign out from Google account #1 — only sign out in the Hangouts Dialer app, not from the Nexus completely.
  5. Configure Hangouts Dialer as follows: Settings > Enable merged conversations (yes), > account2@gmail.com > Incoming phone calls (yes), Messages (yes), > Customize invites > People who have your phone number (can contact you directly).
  6. Give out your Google Voice number to friends, family, and services. Calls and plain SMS will come through in the Hangouts Dialer app.
  7. Always make calls with the Hangouts Dialer app so the receiver’s caller ID shows your Google Voice number. It is best to remove the regular phone dialer app from the Android system tray and replace it with Hangouts Dialer.
  8. Added security

    1. Employ Google Authenticator two-factor authentication (2FA) for both accounts as soon as possible for better security. Avoid SMS 2FA because of the inherent vulnerabilities.
    2. Download Signal onto the Nexus and register your Google Voice phone number in Signal. While Signal will open up showing the real Google Fi phone number, delete it and enter the Google Voice number. The SMS verification will fail, so wait for the 2 minute countdown to expire then click “call me” for automated voice verification.
    3. Through the Google Voice web interface, optionally create a voicemail greeting that requests people to install and call back with Signal. Enabling “do not disturb” will enhance this goal because then nobody can call you and can only leave voicemails.
    4. If you haven’t already, talk to your friends and family about our need for privacy and security and inform them about Signal.

Added anonymity

The following are added steps in case you wish to also have probable anonymity to the service providers, in this case, Google, Sprint, and T-Mobile:

  1. If anonymity from the cellular provider is your goal, you’ll need to buy a Nexus 6, 5X, or 6P from a local retail location with cash and pay for monthly service with a prepaid debit card. If you go this route, you will still need to order a Fi SIM Kit from Google with Google account #1 and have it shipped to you. If anonymity is your goal, consider renting an AirBnB or a hotel room using a pre-paid debit card and alias during the window of delivery.
  2. During registration for Google Fi service, account registration will require a “service address”. Use the above-mentioned AirBnB address or be creative. You can always change the service address at a later date. All billing is electronic.
  3. You can consider not using your Nexus phone at any anchor points, including home or work. To do this, you would need to keep the device turned off at all times except when out and about. This makes it harder for service providers to identify you, but keep in mind that Google, Sprint, and T-Mobile can see network metadata and they can always record your voice when not using Signal. It’s still a tracking device with a microphone and camera!
  4. Consider removing the microphone and camera.

Creating Google accounts

Use an Android to create one or more Google accounts (Settings > Accounts > Add account > Google). Creating new Google accounts this way does not require the creator to enter an existing email or phone number. Creating new Google accounts while using Tor will result in an account auto-lock. However, once an account is set up with two-factor authentication, you can log in via Tor Browser or Tails elsewhere. If you are trying to stay anonymous to Google, you’ll have to use a new Android (device IDs never before used by your real identity) and turn it on at a location far from any of your anchor points. Keep in mind that Google will know where your Fi device is when using the Fi network, but depending on your preparation/operational security, will not know the identity of the user.

In retrospect

Google, in addition to sporadic use of Sprint and T-Mobile network infrastructure, will be the only ones who know the identity (phone number and hardware IDs) of the subscriber. But you have much better control over defining the data and information that is linkable to this service.

  1. Adversaries can’t “ping” your cell phone if they can’t determine what your phone number is. However, if they run around your house with an IMSI catcher, it will not be hard for them to determine what number you’re using for service. It’s good practice to activate airplane mode when you enter your home neighborhood, especially if your friends and family predominantly use Open Whisper Systems apps (Signal).
  2. Remote adversaries can’t track your physical location via possible SS7 vulnerabilities if they don’t know your real phone number.
  3. Network adversaries (telecommunication corporations or federal/local governments) can still inject or monitor your activity to “better service you” (sell your data to advertising networks), but unless they can connect that activity to a known identifier, you personally aren’t vulnerable to said forms of surveillance.
  4. Network adversaries may employ voice recording and recognition technologies. The use of such technology will only increase, since voice is a biomarker that financial institutions have started using for account verification. If network adversaries are using this technology, there is no way to hide a real phone number or hardware device IDs from them unless you step up your paranoia and use a voice changer. Using Signal (end-to-end encryption) mitigates only the voice-print vulnerability; you will always divulge your hardware device IDs to a cellular network when using cell service.
  5. Endpoint adversaries (medical offices, food services, financial services, friends with or without Signal, etc) may also employ voice recording and recognition technologies. If you make calls to endpoint services using your Voice number (caller ID), it will be hard or impossible for a third party to link your personal ID to a hardware ID.