How to conduct a secret correspondence in a world where you are constantly being watched: methods Edward Snowden

Part 1

When you pick up the phone and make a call, send SMS, email, post to Facebook or Google Hangouts, others can track what you say, who're talking and where you are. This personal information may be available not only to the service provider who acts as a mediator in your conversation, but telecommunications companies, which provides access to the Internet, the intelligence services and law enforcement agencies, and even a few teenagers that can track your actions in a Wi-Fi network using the application Wireshark.

However, if you take the necessary steps to protect your information, you will be able to send secret and anonymous online messages. In this article I will in detail tell about how to do it. We will consider the methods by which two and a half years ago, I used the informant and ex-NSA employee Edward Snowden to contact me. In other words, I will show you how to create an anonymous account for online correspondence and exchange of messages using encryption Protocol called Off-the-Record Messaging, or OTR.

If you don't want to read the entire article, you can skip to the section where the phases described how to create account on Mac OS X, Windows, Linux and Android. When you have enough time, go back to the beginning and read the important points that go to these sections.

First, you need to make sure that you are using encryption between end users []. end-to-end encryption]. In this case, the message is encrypted on one end – say, on a smartphone – and decrypted by the other – for example, on a laptop. No one, including your Internet service provider will not be able to decrypt your message. Compare this encryption type with another type when you establish the connection via your ISP, for example, via HTTPS connection. HTTPS will protect your message from potential snoopers on Wi-Fi like teenagers with Wireshark installed or your service provider, but will not be able to protect the message from the company on the other end of your connection – for example, Google or Facebook – as well as from law enforcement and intelligence services, requesting information from those companies.

Another, no less important is the need to protect not only the contents of your communication, and its metadata. Some metadata, such as who is talking to whom, can play a very important role. If someone is going to contact the journalist, one of encryption of a letter will not be enough to hide the fact of correspondence with the journalist. Similarly, if you are star-crossed lovers trying to connect with each other and keep it a secret from their warring families, you will have to hide not only the content of your love letters, but the fact that you basically go to the link. Let's briefly examine how it can be done.

Concealment linetypescale that Juliet is trying to get in touch with Romeo. They both know that if they use phone, email, Skype, or other traditional methods, they can't hide from their powerful families and the fact that they are in contact. The trick is to hide rather not what they communicated and what they are – Romeo and Juliet.

Juliet and Romeo decided to have a new account for communication. Juliet took the pseudonym "Ceres", and Romeo took the name "Eris". Now that Ceres and Eris can exchange encrypted messages, to find out what these names are Juliet and Romeo, will be much harder. If the account Juliet will check for the existence of a relationship with Romeo and her irascible cousin, to put it mildly, a bit arrogant, then no evidence will not be found.

Of course, it is not enough just to rename myself. At this stage it is still possible, and sometimes even quite simply, to find out what Ceres is hiding under Juliet, and under the Erys – Romeo.

Juliet comes in to your account under the name "Ceres" from the same IP address that it uses for other purposes on your computer (for example, when associated with his brother Lorenzo via e-mail). If her activity on the Internet is tracked (and it is, for sure, because all of our activity online is tracked), to compare the number of facts will be easy. If the service is forced to hand over IP address from which the user "Ceres" is coming on line, it can easily be mapped with an IP address of Juliet. The same problem arises and at Romeo.

From independent services, such as telecommunications companies and email domains have access to private information about their users, and, according to the "doctrine of the third person" the users "can't expect hiding" such information. This principle applies not only to the secret lovers: journalists can obtain a number of privileges in accordance with the First amendment of the US Constitution, should closely monitor those who are responsible for the services their communication. In 2013, the U.S. Department of Justice received information about a number of phone calls made by Associated Press journalists, in the course of the investigation about the leak of information. Many news outlets not immutableimage mail service: the New York Times and Wall Street Journal use Google mail, USA Today uses the services of Microsoft – so the US Government can request data. (Published by The Intercept uses its own email service).

Anonymityin order to conceal his private correspondence, Juliette must make a clear distinction between the account of Ceres and his real personality. By far the most simple and safe method is to use a decentralized anonymous network, open source under the name Tor.

Tor is for anonymous use of the Internet. It is a decentralized network of random "nodes" – computers, which transmit and execute the queries on the Internet on behalf of other computers. Tor allows you to stay anonymous by connecting you to the Internet through a series of such nodes. If at least one of the nodes was placed in a series of intentional, no one will be able to know who you are and what you do: you either know your IP address without knowing what you are doing on the Network, or to find out what you do online, and not know your IP address.

Most of those who heard about the Tor network, and know about the eponymous browser that you can use for anonymous browsing web pages. But in addition, its software can be used anonymously and for other purposes, including messaging and emails.

If Romeo and Juliet use the Tor network to access their accounts, Eris and Ceres, and if they will exchange messages with the encryption Protocol OTR, they will finally be able to organize your personal online correspondence regardless of whether to follow them or not.

Romeo and Juliet secretly to exchange encrypted messages with an anonymous account

Hackers are all around us from all storeapart when Romeo and Juliet have created a new anonymous account in the Tor network, let's test all the parts of our system in the presence of faults.

From Juliet: an attacker that monitors Internet traffic Juliet, will be able to see that her traffic partially goes through Tor, but can't understand why Juliet uses it. If hackers will start to check to whom Juliet writes e-mails, with whom she communicates via Skype who calls and who sends the messages, the signs of her relationship with Romeo is found. (Of course, the use of the Tor network itself can arouse suspicion. Therefore, The Intercept for anonymity encourages from your PC network connection, not connected with the organization of the service provider. In other words, to protect yourself, Juliet could access the Internet from Starbucks or the public library).

From Romeo: an attacker monitoring the Internet traffic of Romeo, will be able to see that traffic partially goes through Tor. If this person will scan all mail, calls, messages, and activity in Skype Romeo, then Juliet it is not.

From the chat server: the messaging service itself can keep track of what someone with an IP address in the Tor network have created a user "Ceres", someone with an IP address in the Tor network have created a user "Eris", and both of you exchange with each other encrypted messages. You don't know what Ceres is actually Juliet, or that Eris is in fact Romeo, as their IP addresses hides Tor. It is also impossible to know what Ceres and Eris speak to each other because their messages are encrypted using OTR. These accounts could just as easily belong to the informant and the journalist or human rights activist and lawyer, not two lovers, who exchange verses.

Even after the adoption of these measures remains a small proportion of metadata that can leak, if you act carelessly. Here's what you need to remember:

  • Be sure to use Tor when creating an account to exchange messages, not only when you are in conversation.
  • Never go to your account, if you are not in the Tor network.
  • Make sure that your username do not reveal your true identity: for example, do not use the login that you have once enjoyed. Instead, you can take a random name that has nothing to do with you. Often, many believe that the anonymous account should be your "second self". These people come up with a cool username, and then become attached to it. However, it is better to treat its new name, as something disposable or temporary: your task is to hide the hidden identity, and not to put it on public display. A set of random characters like "bk7c7erd19" fits as a name much better than "gameofthronesfan".
  • Do not use a password you already use elsewhere. Reuse of passwords not only will reduce your level of safety, but also to expose you if the account that is somehow tied to your real identity, enter the same password as in your anonymous account.
  • Be careful with whom you contact and through which one of the anonymous accounts. If one of your contacts is not protected, it can increase the chances that other contacts will also be unprotected. It would be logical to create a separate account for each project or contact, to reduce the risk of exposing the whole network of anonymous contacts.
  • Do not enter any personal data in the messaging service.
  • Keep track of your habits. If you log in to your account in the morning when start to use the computer and get out of it in the evening after work, the service will store information about in what time zone you are in and what time you work. For you it may be not so important, but if important, it is better to negotiate with the partner about a time when you will be online.
  • Be careful how you use your IP address to Tor. If you use Tor for anonymous account and a regular account which has to you something, the record in the server log can indicate the relationship between your anonymous account and your real personality. With a unique login and password for the SOCKS Protocol you can configure Tor so that in each of your accounts will work in different communication channels. In the future, this will be discussed in more detail.
 Tor is not perfectTor network provides a high-level anonymity, but ensuring this anonymity problem, the solution of which is almost impossible to find. There is a real arms race between the developers of Tor and scientists on the one hand, and influential hackers wishing to opportunity secretly to expose or censor users, on the other.

Tor has never been a reliable defense against "global observer" – forces that can monitor all network nodes in real time around the world. These forces could monitor the traffic of Tor users are within the network, monitor the movement of traffic around the world and then watch as this traffic leaves the network, thereby explaining what traffic belongs to a particular user.

But despite all this, the Snowden documents published by The Guardian, indicate that the joint spy force "Five eyes" [eng. Five Eyes] (USA, UK, Canada, Australia and New Zealand) are not yet considered to be "global observer": at least, they were not considered as such in July 2012, when there was held the presentation of these top-secret materials. As it turned out, Western intelligence agencies can only expose a random unlucky user for their own benefit and have never been able to expose a specific user on demand.


See also

New and interesting