Security resources


#27

I put together a sort of "meta-guide" on current security resources. A lot of it is inspired by this thread. Check it out. https://medium.com/@mshelton/current-digital-security-resources-5c88ba40ce5c

You can also leave suggestions / comments for the document here:


#28

Tech Solidarity recently put together a security guide that excels at being as simple as possible, while also providing practical and effective advice.


#29

Ethan and others:

Any idea why Sigaint has been down for > 1 week? This problem was also noted by Micah Lee on The Intercept but no explanation was given.

Any thoughts on "Scryptmail.com"? It's a product from a programmer in Spokane, WA and appears to use GPG as a basis.

Thanks!
KAC


#30

Just use Gmail.

If you need to communicate anonymously, don't bother with email.

Unfortunately, there are no mature, easy-to-use tools for anonymous communications right now. You could look into Ricochet, which is good, but still a little rough around the edges. Pond is no longer in active development. Riseup offers a Jabber service, served over both an onion address and a traditional domain, so using this with OTR is one option for anonymous communications, provided that both account holders set their accounts up anonymously and never break that compartmentalization (in other words, there are tons of ways to shoot yourself in the foot with this setup).

Using a Tor hidden service (the Tor Project apparently prefers the term onion services now) email provider involves trusting random sketchy people you have no reason to trust.

Setting up your own email server and configuring it as an onion service involves many opportunities to get the setup wrong, which would potentially make your mail server an easy target.

If you don't like any of these answers, then use Riseup for email. Unlike Gmail, which tends to require password resets from a non-Tor IP address if you try to connect to your account over Tor, Riseup works fine with Tor and doesn't require a phone number to open an account. Just keep in mind: you must always connect over Tor, never break compartmentalization, and this only protects your anonymity, not the anonymity of your correspondents.

In most situations where anonymity matters, you want to be anonymous. An anonymous service provider is an illusory benefit. Sure, this may protect them from law enforcement requests for a while, since law enforcement has no one to serve a subpoena to, but a.) this anonymity is fragile; unless all of their service traffic goes through a dedicated Tor hidden service gateway, law enforcement may be able to compromise their web application and ping home to discover the server's real IP address, and b.) since most people use plaintext email, you're giving random Onion Service admins the content of your communications. Google may give your emails to the FBI, but random-onion-service-email-provider may give them to organized crime, or just publish them on the internet for lolz.

Basically, an anonymous email account is sometimes a necessary first step in bootstrapping further conversations (this was certainly the case for Edward Snowden, for instance). However, his anonymous Lavabit account didn't hide the fact that someone was communicating with Glenn Greenwald, Micah Lee, and Laura Poitras.

For journalists, you typically don't need to be anonymous; your sources do. This is why it's great to set up a SecureDrop instance, if you can afford to do so.


#31

Ethan,

Thanks for the detailed and informative reply! Very helpful, as always.

Do you know what's happened to Sigaint?? It's been unavailable for nearly 2 weeks.

I've been using Riseup. Thanks for the info on that.

Any thoughts on:
1) ProtonMail?
2) Scryptmail?
3) What advantages does Lavabit offer over "the competition" (if any)?

Keith