[#1]
This is very similar to the discussions the Axis powers had in WWII.
You can't come up with a trusted platform to operate these supposedly secure networks. If you have your trusted device with a battery in it next to your personal phone, in time it is compromised, too. There are two types of secure, tactically secure, and strategically secure. You might be able to do tactical traffic depending on what the operation is, but given enough time, and skylining yourself, your long-term communications will be compromised. There is no more obscurity. Your adversary has been sharpening its TTPs and collection capabilities for YEARS against professionals with nation-state funding. All it takes is a person on a tall enough bench to declare your activities terroristic, and they can swivel their telescope onto you, or find you from a compatriot on the same circuit, and remember, they collect way more than they review, much less decrypt. I'm not saying keep trying. I'm telling you no thing with even a toe dipped into the internet is any more secure than talking at a table in a restaurant. This is not the 80's, and there is no solution you can load from the app store. |
|
[#2]
Quoted: I’m sure a few people don’t want to hear this, like most of what I have to say, but encryption isn’t effective against certain organizations with the tools, and knowledge of how they work. Thinking they are is a recipe for disaster. I’ll leave now.

No one is directly cracking GPG/PGP or other strong encryption. For GPG/PGP it would be much easier to exfiltrate your private key and leave a keystroke recorder to grab the passphrase than to directly attack the cryptography. Or black-bag you while you're walking down the street with your laptop. |
|
[#4]
Quoted: There is no more obscurity.

I don't know that is a given or that it is an insurmountable problem. Network/meta-data analysis certainly narrows the scope of what to analyze. That is why it is important to use encryption all the time for the most mundane communications and with everyone that will use it. Broaden your network and fill it with unreadable traffic. Hell, maybe even send encrypted messages to imaginary "drop boxes" to just make meta-analysis that much harder.

And again, to the topic of this thread: limit "secure communications with our compatriots" to in-person and away from phones, Alexa, etc.

ETA: When it comes to meta-data analysis, think of patterns that can be picked up and develop habits that break the patterns. |
|
[#5]
Funny how when I brought up OPSEC and COMSEC a year ago everyone flung poo and said "hurr durr what is there to worry about?" Hopefully people start taking this shit seriously. Use signal and set it as your default text messaging app. Use a VPN.
|
|
[#6]
Quoted: Funny how when I brought up OPSEC and COMSEC a year ago everyone flung poo and said "hurr durr what is there to worry about?" Hopefully people start taking this shit seriously. Use signal and set it as your default text messaging app. Use a VPN.

Why? What exactly do you use a VPN for? |
|
[#7]
Quoted: Why? What exactly do you use a VPN for?

With a VPN, ALL your web traffic is sent through an encrypted tunnel to one of the servers run by the VPN service. Your ISP sees all your traffic as going to that server. Can't do much traffic analysis on that. Each site that you visit sees you as coming from the VPN IP address as well. So, they know they have a visitor from an IP in a certain geographic area and it's registered to the VPN company. That's it.

The VPN server COULD keep logs of all of the traffic, so they know everywhere that you've visited. The FBI or whoever could subpoena these log files, at least if the VPN company or servers are in an area where they have jurisdiction or an info-sharing agreement with that country's government. The privacy minded VPNs simply don't keep log files. Any of them. So they don't have to try to fight a subpoena. They can simply and truthfully say, "Hey, we don't have any logs for any of WhyTanFox's internet traffic. So sorry."

That's one of many reasons to use a VPN. |
|
[#8]
Quoted: Right now, your ISP can see all of your internet traffic. Even though it's (mostly) encrypted over HTTPS and they can't see the content of the webpage you just requested, they can see exactly which websites you're visiting. You can tell a lot with traffic and pattern analysis. With a VPN, ALL your web traffic is sent through an encrypted tunnel to one of the servers run by the VPN service. Your ISP sees all your traffic as going to that server. Can't do much traffic analysis on that. Each site that you visit sees you as coming from the VPN IP address as well. So, they know they have a visitor from an IP in a certain geographic area and it's registered to the VPN company. That's it. The VPN server COULD keep logs of all of the traffic, so they know everywhere that you've visited. The FBI or whoever could subpoena these log files, at least if the VPN company or servers are in an area where they have jurisdiction or an info-sharing agreement with that country's government. The privacy minded VPNs simply don't keep log files. Any of them. So they don't have to try to fight a subpoena. They can simply and truthfully say, "Hey, we don't have any logs for any of WhyTanFox's internet traffic. So sorry." That's one of many reasons to use a VPN.

being said - you MUST have a VPN you can trust because they can see what you're doing |
|
[#12]
On Wednesday during all the excitement at the Capitol, Signal's servers were struggling under the massive traffic of new users trying to verify their account. So the servers were sluggish or down for a while. They're back and just fine now.
Follow the @signalapp Twitter handle for official Signal updates. |
|
[#15]
Quoted: How about using an enigma app to encrypt a message, enter that into original PGP, transmit via VPN......

Enigma is way too weak cryptographically. Figure out how one time pads work. Get some 10 sided dice to generate keys/key books. Or scrabble letters out of a bag (less secure). The issue is key distribution, but you can absolutely use it by plaintext methods if you know how it works. Don't bitch out and use a computer to generate keys, use old school methods. Here's how.

- The OTP should consist of truly random characters (noise). (D10, scrabble, whatever you can map to letters)
- The OTP (i.e. the key) should have the same length as the plaintext (or longer).
- Only two copies of the OTP should exist.
- The OTP should be used only once.
- Both copies of the OTP are destroyed immediately after use.

Only if the above rules are strictly obeyed, the OTP is absolutely safe. |
|
[#17]
Quoted: I only know this from reading Tom Clancy books, but aren't one-time pads incredibly time intensive, limiting their usefulness?

Nope, time sensitivity is a non-problem. The issue is key distribution: you get 1 code book, 1 other guy gets it. If you want less secure 1 way comms, master and multiple players have multiple books, but it only goes master->player via that codebook. But if anyone gets that book it's burned. So the preferred method is 2 books only.

Figure out how many characters an average communication will be for the type of message you want to send, then add some characters to that. Always make messages the same number of characters. I.e. your text is 433 characters or 123 characters, each message you send will be 500 characters (just use the left over codes as blank). Otherwise it's less secure.

You can send it any which way, plaintext whatever, it's secure as long as you solve the key problem. It's 100% secure, as long as there are only 2 books, with keys generated not-on-computers. The only real downside is the key exchange and it's slow to do (not really hard tho). Generating large amounts of keys by hand is tedious though. |
|
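The pad rules in posts #15 and #17, as an added example that is not any poster's code: a letters-only one-time pad (mod-26 addition) with fixed-length messages, pages that can be used only once, and a check of what reusing a page leaks. `secrets` stands in for the dice the posts call for; the function and class names, the `X` filler and the 40-character message size are assumptions made for the illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase
MSG_LEN = 40   # assumed fixed message size (post #17 uses 500 as its example)
FILLER = "X"   # assumed letter for the unused positions


def new_pad(length=MSG_LEN):
    """One pad page of uniformly random letters (stand-in for dice or tiles)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(text, length=MSG_LEN):
    """Uppercase, keep letters only, pad to the fixed length."""
    letters = "".join(c for c in text.upper() if c in ALPHABET)
    if len(letters) > length:
        raise ValueError("message longer than one pad page")
    return letters.ljust(length, FILLER)


def combine(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) key letters from text, mod 26."""
    if len(key) < len(text):
        raise ValueError("key shorter than message")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(k)) % 26]
        for t, k in zip(text, key)
    )


class PadBook:
    """One of the two copies of a key book; a page is destroyed when used."""

    def __init__(self, pages):
        self._pages = dict(enumerate(pages))

    def _take(self, page_no):
        # pop() deletes the page, so asking for it again fails loudly
        if page_no not in self._pages:
            raise ValueError(f"page {page_no} already used or missing")
        return self._pages.pop(page_no)

    def encrypt(self, page_no, plaintext):
        return combine(normalize(plaintext), self._take(page_no), +1)

    def decrypt(self, page_no, ciphertext):
        return combine(ciphertext, self._take(page_no), -1)


def reuse_leak(c1, c2):
    """Subtract two ciphertexts made with the SAME page.

    The key cancels: (p1 + k) - (p2 + k) = p1 - p2, so the result depends only
    on the two plaintexts. That is why a page is never used twice.
    """
    return combine(c1, c2, -1)


def demo():
    pages = [new_pad() for _ in range(3)]
    sender, receiver = PadBook(pages), PadBook(pages)  # the only two copies

    ct = sender.encrypt(0, "Meet at noon")  # constructed sample message
    recovered = receiver.decrypt(0, ct)

    try:
        sender.encrypt(0, "second message")  # page 0 is gone
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True

    # Breaking the rule on purpose, outside the PadBook, to show the leak.
    page = new_pad()
    p1, p2 = normalize("lunch moved to one"), normalize("bring the charts")
    leaked = reuse_leak(combine(p1, page, +1), combine(p2, page, +1))
    return len(ct), recovered, reuse_blocked, leaked == combine(p1, p2, -1)


if __name__ == "__main__":
    print(demo())
```

A trailing filler letter is indistinguishable from a real one here, so a practical scheme would reserve an end-of-message marker.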
[#18]
Most easy-to-use services have some centralised component (even for End-to-end encryption) that messages have to go through, and this becomes the easiest target for a state-level agency to take down.
There are some completely de-centralised methods, but they all require a lot more effort (up to and including physically meeting someone to exchange keys) in order to use. None of these are particularly easy for mass communications, but could be used. Here's a link (from some researchers exploring the options); https://secushare.org/comparison Ricochet, Retroshare, Briar, Secure-Scuttlebutt appear to be the easiest to get going on, and require NO centralised component. However, it'll be hard to connect with people with any of those (be aware of that). |
|
[#19]
Quoted: Quoted: Why? What exactly do you use a VPN for?
Quoted: Right now, your ISP can see all of your internet traffic. Even though it's (mostly) encrypted over HTTPS and they can't see the content of the webpage you just requested, they can see exactly which websites you're visiting. You can tell a lot with traffic and pattern analysis. With a VPN, ALL your web traffic is sent through an encrypted tunnel to one of the servers run by the VPN service. Your ISP sees all your traffic as going to that server. Can't do much traffic analysis on that. Each site that you visit sees you as coming from the VPN IP address as well. So, they know they have a visitor from an IP in a certain geographic area and it's registered to the VPN company. That's it. The VPN server COULD keep logs of all of the traffic, so they know everywhere that you've visited. The FBI or whoever could subpoena these log files, at least if the VPN company or servers are in an area where they have jurisdiction or an info-sharing agreement with that country's government. The privacy minded VPNs simply don't keep log files. Any of them. So they don't have to try to fight a subpoena. They can simply and truthfully say, "Hey, we don't have any logs for any of WhyTanFox's internet traffic. So sorry." That's one of many reasons to use a VPN.

So let's be clear: the only thing you are accomplishing is moving the data collection point from the ISP to the VPN provider. We "know" ISPs are working with the government. We don't know shitte about VPN providers, except that the space is full of shady shit:

* 101 VPNs run by just 23 companies, including China-based companies
* "No log" VPN leaks logs, user PII, and plain text passwords
* Nord VPN looks like a dumpster fire

Using a VPN as an Internet ingress point hides your traffic from your ISP and nothing more.

ETA: And every other method of profile building and activity tracking still works. |
|
[#20]
Quoted: So let's be clear: the only thing you are accomplishing is moving the data collection point from the ISP to the VPN provider. We "know" ISP are working with the government. We don't know shitete about VPN providers, except that the space is full of shady shite: * 101 VPNs run by just 23 companies, including China-based companies * "No log" VPN leaks logs, user PII, and plain text passwords * Nord VPN looks like a dumpster fire Using a VPN as an Internet ingress point hides your traffic from your ISP and nothing more.

At some point, you have to trust someone when you get on the internet. The free VPNs are not to be trusted, since you are the product. And there have been plenty of reports of them logging and selling your activity. Hardly better than your ISP. But privacy minded organizations like the EFF and others have recommended VPNs and several of the VPN companies that appear to be more reputable have opened up their processes and servers for outside experts to audit, including their claim of not logging anything.

As such, I disagree with your last sentence. You can't prove anything to 100% certainty. But if you use companies that have had some vetting, based in countries that have strong privacy laws, you improve the odds greatly.

Use one or don't. Your usage doesn't affect me. |
|
[#21]
Quoted: Use one or don't. Your usage doesn't affect me.

Sure, I get that: "you do you". I just see "use a VPN" thrown around as a panacea and with no discussion of the pros and cons. I find it telling that the person I asked, jonathan2421, has not responded. I'm willing to bet he doesn't know why he uses a VPN, beyond "it's just something you're supposed to do".

A VPN is great if you're on an untrusted network, say a public wifi. It is great for a secure point-to-point connection to tunnel unencrypted protocols. Other than those two scenarios the benefits are more dubious. And I'm not saying don't run a VPN, just understand why you're running a VPN and what doing so does and does not accomplish.

"Run a VPN" is ARF's new "hide your SSID". |
|
[#22]
Quoted: Quoted: Use one or don't. Your usage doesn't affect me.
Quoted: Sure, I get that: "you do you". I just see "use a VPN" thrown around as a panacea and with no discussion of the pros and cons. I find it telling that the person I asked, jonathan2421, has not responded. I'm willing to bet he doesn't know why he uses a VPN, beyond "it's just something you're supposed to do". A VPN is great if you're on an untrusted network, say a public wifi. It is great for a secure point-to-point connection to tunnel unencrypted protocols. Other than those two scenarios the benefits are more dubious. And I'm not saying don't run a VPN, just understand why you're running a VPN and what doing so does and does not accomplish. "Run a VPN" is ARF's new "hide your SSID".

It's not a panacea. It is just one tool that can be helpful. |
|
[#23]
Quoted: Is your phone/tablet/ computer back doored? If yes then..

Learn from the Antifas/PSLs. They have published documents on how to do this. The short version is "Don't use your regular phone". Since all phones are back-doored, that will only lead back to you.

The longer version:
- wear a mask or other disguise to the store. Buy your burner phone with cash, no credit card.
- DON'T POWER THE PHONE ON.
- Once you reach your "event", power your phone on, and install signal.
- DON'T CONNECT TO ANY WIFI
- Use the phone at the event
- When finished, destroy the phone completely BEFORE YOU LEAVE THE EVENT. |
|
[#24]
Quoted: Learn from the Antifas/PSLs. They have published documents on how to do this. The short version is "Don't use your regular phone". Since all phones are back-doored, that will only lead back to you. The longer version: - wear a mask or other disguise to the store. Buy your burner phone with cash, no credit card. - DON'T POWER THE PHONE ON. - Once you reach your "event", power your phone on, and install signal. - DON'T CONNECT TO ANY WIFI - Use the phone at the event - When finished, destroy the phone completely BEFORE YOU LEAVE THE EVENT.

A step further: leave your normal phone at home when you go buy the burner. Throw it in a faraday bag before you get to your car. Don't take it out of the faraday bag near your phone or near anyone in your normal network of people and places. Hell, if your car has any kind of bluetooth or other networking capability do not use the burner anywhere near it.

Which opens another can of worms: how does one get to and from events without their car being recognized? LPR, toll transponders, bluetooth transceivers, ...

We're straying from "encrypted comms" to "anonymous comms", and the latter is even harder. Metadata and network analysis turns up a ton of information. |
|
[#25]
Quoted: Isn't https://keybase.io/team/det_disp a gun community that communicates with each other over encryption? I think they have a strong focus in 3d printing.

I use keybase, can't stop the signal. |
|
[#26]
Quoted: At some point, you have to trust someone when you get on the internet. The free VPNs are not to be trusted, since you are the product. And there have been plenty of reports of them logging and selling your activity. Hardly better than your ISP. But privacy minded organizations like the EFF and others have recommended VPNs and several of the VPN companies that appear to be more reputable have opened up their processes and servers for outside experts to audit, including their claim of not logging anything. As such, I disagree with your last sentence. ....

VPNs do blind the 24x7 recording going on by your ISP and increase the complexity required to put the picture together for your behavior and habits. This limits the number of organizations with this information. |
|
[#27]
Quoted: Quoted: At some point, you have to trust someone when you get on the internet. The free VPNs are not to be trusted, since you are the product. And there have been plenty of reports of them logging and selling your activity. Hardly better than your ISP. But privacy minded organizations like the EFF and others have recommended VPNs and several of the VPN companies that appear to be more reputable have opened up their processes and servers for outside experts to audit, including their claim of not logging anything. As such, I disagree with your last sentence. ....
Quoted: VPNs are a good idea, but none can be trusted. Even if the VPN does not log any data, if they will attract the attention of passive network monitors running outside the gates of the VPN servers. Every time you click refresh on ARF you generate a data point with an incoming VPN message and an outgoing ARF message with a size and timestamp. These are recorded by the passive monitors. Even your PC could run the analysis to link the dots and come up with 99.9% certainty linking the source user and site traffic. Network carriers and ISPs have invested billions in passive monitors and data recording. The DEMs have more power than ever to 'ask nicely' for data. VPNs do blind the 24x7 recording going on by your ISP and increase the complexity required to put the picture together for your behavior and habits. This limits the number of organizations with this information.

You know you cannot trust your ISP. You may not be able to trust your VPN |
|
[#28]
Quoted: Quoted: How about using an enigma app to encrypt a message, enter that into original PGP, transmit via VPN......
Quoted: enigma is way too weak cryptographically. Figure out how one time pads work. Get some 10 sided dice to generate keys/key books. Or scrabble letters out of a bag (less secure). the issue is key distribution, but you can absolutely use it by plaintext methods if you know how it works. Don't bitch out and use a computer to generate keys, use old school methods. here's how. The OTP should consist of truly random characters (noise). (D10, scrabble, whatever you can map to letters) The OTP (i.e. the key) should have the same length as the plaintext (or longer). Only two copies of the OTP should exist. The OTP should be used only once. Both copies of the OTP are destroyed immediately after use. Only if the above rules are strictly obeyed, the OTP is absolutely safe.

That was a joke. OTP seems to be the way to go. |
|
[#29]
When you are given “free” use of a product or platform understand that you are the product.
You leave a digital footprint everywhere you go. Including this app. |
|
[#30]
Quoted: I believe Signal is gone, and if not it will be shortly.

Signal is so heavily used, that even if the Feds or Apple or Google went full retard and tried to ban it, the developers would simply move overseas and march on (followed by huge jump in funding due to the controversy). Also, Signal is used by TONS of big power players (Hillary's campaign in 2016 is one example), so hassling the developers would not go over well in DC. |
|
[#32]
Quoted: Quoted: We are now considered Domestic Terrorists. The .gov will be cracking down very shortly on ANYTHING that is online and encrypted, that is not directly related to your specific business needs, such as financials or health records. I guarantee there will be nothing by the end of the year that is a secure way to communicate personal messaging.
Quoted: Yep, talk with your friends face to face and leave the electronics home.

get an old computer and use pgp to send email |
|
[#33]
Quoted: Quoted: We are now considered Domestic Terrorists. The .gov will be cracking down very shortly on ANYTHING that is online and encrypted, that is not directly related to your specific business needs, such as financials or health records. I guarantee there will be nothing by the end of the year that is a secure way to communicate personal messaging.
Quoted: They have been having that wet dream for 30 years. The cat is out of the bag and not going back in. Strong encryption is basically so ubiquitous at this point that scanning the wire for it to find "violators" would be impossible. Everything required to do it is open source and fairly easy to get working. For example, if Signal were banned from the app store tomorrow, I could take the source code I have downloaded, compile it on a Mac and sideload it onto my phone without much issue. The genie isn't going back in the bottle.

Right, so encryption has been spreading, and recently very rapidly. That helps citizens and privacy advocates; makes the govt job harder, because it's hard to focus on people sending encrypted comms when everyone is doing it, generally. "HTTPS Everywhere" helped with the web, by making it affordable for small or hobbyist site owners.

Mail is a massive CF. How many people here have the ability right now to encrypt an e-mail? And how many actually do it? How many know what a public key is?

And even with end-to-end ... you still have to trust the hardware you use. The fairly recent problem with Intel seems in scope, plus Spectre/Meltdown ... and whatever else is buried way down in those chips, whether bug or undocumented "feature." |
|
[#34]
I hadn't heard of it until last week when Elon Musk mentioned it in a tweet. That said, I'm liking it, and it turns out several acquaintances in security and defense are using it. The VOIP quality is stellar, although, as stated above, the video chat could use some work.
Now, to get SWMBO, not the most technically astute individual, to adopt it so we can get off Duo and I can tell Alphabet/Google to sit and spin. |
|
[#35]
What happened to subjugating a small un-contacted tribe for your code talker?
|
|
[#37]
Quoted: It is time we all start thinking about ways to secure our communications with our compatriots. I urge you all to look at Signal. Everything is encrypted end to end. It is open source and the source code has been audited for chicanery. It works on your phone, tablet and PC. You can piggyback on top of a VPN for extra security. Anyway, I just wanted to throw this out there and maybe help some folks out in these uncertain times.

You did not say "in these uncertain times" did you? Do you write radio commercials in your day job? |
|
|