How to reach matt mitchell privately?

based on barton gellman’s “how to reach me securely”. Formerly known as “How to reach Matt Mitchell securely”.

TL;DR: hit me up on wire (username: geminiimattx)

last updated: February 15, 2019

shout out from the TV show “Mr Robot”, Season 3 Episode 6

This isn’t a story but it’s probably my most important post. Here I lay out how to reach me on various secure communication tools or, as some call them, “secure comms”. I may move you off the method you choose to contact me to one more appropriate for the conversation. Please take the time to read this post carefully and to practice the steps mentally before doing them; that’s the best way to be safe and secure when contacting me.

When you do reach me, be sure to verify through another channel that it is indeed me. That can be as simple as requesting me to tweet something or to Twitter DM you. Or it can be using two of the methods below: one to message me, the other to verify. Stay safe & secure.

Below are the services I use to communicate and, most importantly, why and how i use them. Revisit this post for updates, because things change.

matteo

wire: @geminiimattx
whatsapp: (hit me up for the details, but i don’t recommend this platform)
signal: +1 (415) 570–9606 ← this may change soon
GPG: 0x0b8770aa07046231
Keyid: 0x78913ff0a3008385
fingerprint: 381A B2F0 0378 2939 B00C 467F 0B87 70AA 0704 6231
keybase.io: geminiimatt
wickr.com: geminiimattx
threema: geminiimattx (R3WRR4V2) ← recently changed
peerio: geminiimattx
semaphor: geminiimatt
xmpp/otr/jabber: geminiimatt@jabber.calyxinstitute.org ← this may change
email: geminiimatt protonmail ch ← only if emailing from protonmail.com
ricochet: ricochet:33eioqnn6qqg7dic
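The post asks you to confirm through a second channel that a key really is the author’s. For an OpenPGP v4 key the 64-bit key ID is simply the last 16 hex digits of the 40-digit fingerprint, so the GPG line and the fingerprint line above can be checked against each other, and a fingerprint copied from a tweet or DM (different spacing, case or a 0x prefix) can be compared digit for digit. This is an added helper, not the author’s code; the `dm_copy` value is a constructed example of how a second channel might carry the fingerprint.

```python
import re

# Values as published on this page (the author's primary key).
PUBLISHED_FINGERPRINT = "381A B2F0 0378 2939 B00C 467F 0B87 70AA 0704 6231"
PUBLISHED_KEY_ID = "0x0b8770aa07046231"


def normalize_hex(value: str) -> str:
    """Drop spaces, colons and an optional 0x prefix, upper-case the rest.
    Anything that is not pure hex raises, so a mangled copy fails loudly."""
    cleaned = re.sub(r"[\s:]", "", value.strip())
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"not a hex string: {value!r}")
    return cleaned.upper()


def long_key_id(fingerprint: str) -> str:
    """OpenPGP v4: the long key ID is the low-order 64 bits
    (last 16 hex digits) of the 160-bit (40 hex digit) fingerprint."""
    fp = normalize_hex(fingerprint)
    if len(fp) != 40:
        raise ValueError("a v4 fingerprint is exactly 40 hex digits")
    return fp[-16:]


def key_id_matches(fingerprint: str, key_id: str) -> bool:
    """True if key_id (long 16-digit or short 8-digit form) belongs to fingerprint."""
    kid = normalize_hex(key_id)
    if len(kid) not in (8, 16):
        return False
    return long_key_id(fingerprint)[-len(kid):] == kid


def fingerprints_match(channel_a: str, channel_b: str) -> bool:
    """Compare two fingerprints copied from different channels (this page and,
    say, a DM). Formatting may differ; every one of the 40 digits must agree."""
    try:
        a, b = normalize_hex(channel_a), normalize_hex(channel_b)
    except ValueError:
        return False
    return len(a) == 40 and a == b


if __name__ == "__main__":
    print("key id consistent with fingerprint:",
          key_id_matches(PUBLISHED_FINGERPRINT, PUBLISHED_KEY_ID))
    # Constructed second-channel copy: lower case, no spaces, as a DM might carry it.
    dm_copy = "381ab2f003782939b00c467f0b8770aa07046231"
    print("second channel agrees:", fingerprints_match(PUBLISHED_FINGERPRINT, dm_copy))
```

A short 8-digit key ID matches many keys, so treat a match on the full fingerprint as the real check and the key ID comparison only as a sanity check.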

BUT WHO IS MATT MITCHELL & WHY CONTACT HIM?


WIRE

why…wire.com: i use wire the most, reach me there. wire is a paid app with some free options. the steps below are how to use it for free. i use it mostly for encrypted group (“conference”) calling & encrypted group video (only available in their paid wire pro product). If you want to have a one-to-one conversation with me, I use wire (you will get a fast response) but also Signal (expect a slower response, but I will get back to you). You can check out Signal below.

Wire arrived on the scene to much fanfare at the end of 2014. The company was founded by Janus Friis, one of the co-founders of Skype. wire.com’s security uses the thinking and open source code of Open Whisper System’s Signal app. wire allows for encrypted group voice chats and also lets me communicate with you without knowing/finding out your phone number. phone numbers store a lot of information about you that you don’t realize; i am in the business of teaching folks to lessen their digital trails, not to create more metadata. wire isn’t perfect (wire stores a list of the people you have communicated with; it’s stored on their servers and it’s kept until a user deletes their account. signal does not keep a list of your contacts.) and has been criticized by the makers of signal, but it works for my purposes. Using aliases and creating your account first from a web browser (instead of the phone app) helps mitigate some of the issues, as does asking me to send you an anonymous wire pro edition “guest room” link.

when will i get back to you?: I check this account every day. i usually hit people back within 48 hours depending on what’s up.

how…to set up an account on wire.com and reach matt.

pseudonymous or let matt know it’s me? The first decision you will need to make is whether you want to keep your identity secret(ish) or let me know who you are. I recommend you try for pseudonymity. if you want to remain pseudonymous, first create a new email address on Protonmail or Tutanota (if you use tor browser you will probably want to go with tutanota). When you sign up on wire use an alias or nickname. I would also recommend doing all this from public WiFi, like at a library. Otherwise go to the next step.

  1. Create an account using your web browser so wire only needs an email address. Go to https://app.wire.com on a desktop or laptop machine not a phone. click on “personal use” to create your account. 
    [ figure #1]
  2. Create an account using your email and a strong password. A good password is a phrase or sentence with 9 or more words in it. Make it memorable, as the longer the password the stronger it is. DOUBLE CHECK YOUR EMAIL IS CORRECT. If you ever have problems logging in or forget your password, the email is used to help. You will need to enter the password to sign into wire on new devices or after you log off.
    [ figure #2]
  3. Search the wire user list for the person you want to add. You don’t need to share your contacts with Wire.com if you know the wire.com usernames of the people you want to speak to. In this case, me at “geminiimattx”. Click on the icon of a person in the lower left corner and then type my username into the search field.
    [ figure #3][ figure #4]
  4. Add wire.com to your smartphone so you can reach me on the go. Once you have created an account, have a password, and have tried to connect with geminiimattx then you can go to the google play store or apple iphone store and install wire.com.
  5. Turn on timed messages so they disappear after I read them. Timed messages don’t work the way you probably think they do. A timed message has a dot to the left of it. Timed settings (at the time of this post) are DEVICE SPECIFIC. This means that if we are talking on the wire app on my mobile phone and i set my message timer to “self-destruct” in 5 seconds, then switch to the wire.com browser and continue the conversation there, the timer is set to off; i have to change it here to 5 seconds. If I then open the wire desktop app and continue the conversation from there, the timer is again set to off; i have to change it here to 5 seconds too. What are timed messages anyway? This feature means that as soon as I open my app and read the message a timer begins on it. It will disappear after the time you set. If you send me a message set to time out in 5 seconds it will disappear 5 seconds after you send it from your device and 5 seconds after I read it from my device. If you are in a group chat, anyone who changes the timed message timer affects all the messages from that point on. However, something that may be unexpected to people is that if you are in a 1-on-1 chat, changing timed messages only affects YOUR messages, not the other person’s. If I am offline for a week the count for my device starts once I am back online and read the message. If you don’t know how long to set it, I recommend the maximum amount of time, which today is “4 weeks”.
  6. did you want to be pseudonymous? if you were one of the people who decided you didn’t want matt to know it was you, then you should be pseudonymous. Using an alias works on humans, but if you want the wire server to not link your account with your device there is one way to do that. Wire keeps identifiable information about your device linked to your account, so when you are done chatting you should remove this information. Log onto your account from a public computer or device; on the mobile phone click on your face then the settings cog, on the browser just click on the settings cog. click on DEVICES and for the devices you are not using you can click on them and REMOVE DEVICE. One device will have to remain: the device you are currently using.
wire figure #1: what https://app.wire.com looked like in summer 2018
wire figure #2: once you get to the personal account sign on for wire.com
wire figure #3: click on the icon of a person to search for GEMINIIMATTX
wire figure #4: be sure to click connect so i can accept your request.
wire figure #5: when we are in chat please turn on TIMED MESSAGES
wire figure #6: set disappearing messages to 4 WEEKS if you don’t know how long to set them to.

PROTONMAIL

why…protonmail: protonmail is a paid service with some free options. email was never designed to be secure. there is little we can do to fix that, although many smart minds are trying. when we send an email message to our friend’s inbox, we are basically writing a message on a postcard and asking a mail carrier to drop it off. that mail carrier might even in turn pass it on to another mail carrier who passes it on to another, all of whom can read (and even get a copy of) the message. to avoid this it’s important to use an email provider that encrypts email messages as they are sent, effectively putting them in an envelope. Services like Google’s Gmail offer encryption for messages as they travel to where they are going, but only when you send from a gmail.com (or google suite) email address to another gmail.com email address. The message is effectively going from one side of Google’s servers to another. If you write someone who is outside of that system, all bets are off. The only problem with the way Google encrypts your email is that your inbox itself is not encrypted, meaning that technically you are not the only one holding the keys to it. A judge can grant access through legal means, or even a rogue employee or a server data breach can lead to inbox leakage. Protonmail provides you with the same protonmail.com to protonmail.com email address encryption that google provides; they also encrypt your inbox using a key that only you have, scrambling the email content to everyone else.
Furthermore, Protonmail is based in Switzerland, a place with strong data protection laws, including laws that say you must be alerted about legal requests like subpoenas. wait, why not gpg encrypted email? i love gpg. we need more non-centralized, non-blockable/bannable ways to send encrypted messages. i list my encrypted email public key for those of you who want to send me an encrypted email. I don’t list it as a way to reach me because it takes time to learn to send an encrypted email properly. i don’t want to throw up large hurdles before first hearing from folks. wait, why protonmail and not tutanota then? Ok, time to get a little geeky… I really like the tutanota project; it is a refreshing approach to rethinking email and digitally safe encrypted email. You should definitely check it out and its modern, future-proof approach to rethinking how we encrypt email. It has features like “forward secrecy” because it isn’t using GPG/PGP email encryption in the background. However, this also means you don’t get the traditional private key/public key pair that you can share with non-tutanota users. With protonmail i̶t̶ ̶s̶ ̶ ̶n̶o̶t̶ ̶p̶r̶e̶t̶t̶y but you can download your public key and share it with non-protonmail users who encrypt their emails using Mailvelope, Enigmail, GPGtools, GPG4Win, or some other GNUPG technology. You can even put it on a keyserver. As you know I am a big fan of this GNUPG technology. I am even in a little fundraiser “commercial/web documentary” with them. Protonmail even has a (n̶o̶t̶-̶e̶x̶a̶c̶t̶l̶y̶-̶u̶s̶e̶r̶-̶f̶r̶i̶e̶n̶d̶l̶y̶) way for you to add other non-protonmail encrypted email users’ public keys to your account so you can write them encrypted emails.
H̶o̶w̶ ̶p̶r̶o̶t̶o̶n̶m̶a̶i̶l̶ ̶d̶o̶e̶s̶ ̶G̶P̶G̶ ̶k̶e̶y̶ ̶m̶a̶n̶a̶g̶e̶m̶e̶n̶t̶/̶i̶n̶t̶e̶g̶r̶a̶t̶i̶o̶n̶ ̶c̶a̶n̶ ̶u̶s̶e̶ ̶i̶m̶p̶r̶o̶v̶e̶m̶e̶n̶t̶ ̶b̶u̶t̶ ̶I̶ ̶l̶i̶k̶e̶ ̶t̶h̶i̶s̶ ̶a̶ ̶l̶o̶t̶.̶ (* NEW *) Protonmail now has full GPG support and address verification; you should read more about this if sending messages to the correct person is important to you. These GPG-based features are simply not an option for tutanota & it’s important to me.

when will i get back to you?: I check this account every day. i usually hit people back within 48 hours depending on what’s up.

how…to set up an account on protonmail.com and reach matt.

pseudonymous or let matt know it’s me? If you want to hide your identity somewhat, be sure not to leave a recovery email when signing up. Using a nickname in your email account sign up is one way to be pseudonymous on protonmail. By design it’s not easy to create a protonmail email address that is completely metadata free. The best method i have come up with to avoid proofs is to use public wifi when signing up while in incognito or private browsing mode. I could write a full post on the best ways to achieve this, however for most of you trying to reach me it’s not necessary so i will leave it at that.

  1. Create an account using your web browser. Go to https://mail.protonmail.com/create/new on your web browser.
    [ figure #1]
  2. When you write me at geminiimatt@protonmail.ch (that’s a CH, not a COM) be sure to set the message to expire in 4 weeks by clicking on the hourglass in the compose window. [ figure #2 ]
protonmail figure #1: there is no easy way to recover your password, so a recovery email makes sense unless you are trying to be pseudonymous
protonmail figure #2: set the protonmail email message to expire in 4 weeks.

SIGNAL

why…signal: signal is free, developed and designed by privacy-aware digital rights advocates. signal encryption is arguably the best ever created; this is why signal has been integrated by facebook, google, whatsapp, & skype. these integrations are how signal pays to operate as a free service. it’s one of the most trusted teams and tools around. in short, use it. when we use a cell phone to send a text message or make a voice call to a friend, it leaves a lot of metadata in the hands of people & companies. your location, possibly their location, and the content of your message or call are not private and secure. this can be a problem when you are reaching out to a digital safety expert for help. because signal uses your data plan or wifi and not cell towers, it doesn’t even generate a lot of the information you would normally share. signal also encrypts all text messages and voice messages that you make with it.

when will i get back to you?: I check this account weekly. i usually hit people back within 1 or 2 weeks depending on what’s up.

how…to set up an account on signal and reach matt.

pseudonymous or let matt know it’s me? as discussed in another part of this document, your phone number reveals a lot about you. because signal uses your phone number as your “username” it might be a good idea to use a different phone number for signal. technically signal just needs to be able to text or call you ONCE at that number for you to use it forever as your signal number. however, for digital safety reasons it should be a number you have control over if you can help it (for example i wouldn’t recommend using a pay phone on the street, even though you could). if you are a google user from/in the united states i recommend using google voice to create a number you use to set up signal. if you are not in the usa or don’t want to link your signal to a gmail account, consider using a virtual number created by an app like burner app (least expensive), cover me app (encrypted), & hushed app (international numbers). If you are technical i recommend using a software number like those provided by twilio; it is the smartest option. Also you may want to just buy another phone or sim that isn’t attached to you because you bought it in the part of town marginalized folks have been pushed to.

first take time out to watch this video: my friends micah & harlo star in a really nice video that explains how to use signal. when you use signal turn on disappearing messages; if you don’t know what to set it to, make it “one week”.

What about Whatsapp, why don’t you list it here?

Since July 2018, WhatsApp offers free encrypted group conference calls & video (up to 4 people), yet I still use wire for this. Whatsapp is the number 1 most popular global messenger and most people have it on their phones. However, there is the “backup” problem, where the app stores an unencrypted copy of your chats in a file that takes up space on Google Drive for Android users, or iCloud for iPhone users. Combine this with the founders leaving after many disagreements with the parent company, Facebook, and comments from one founder & security staff, and that is why I steer completely clear of whatsapp. For Android users concerned about someone being able to restore unencrypted copies of their old backed up Whatsapp messages, Whatsapp cleared all backups from before November 12, 2018, but you should still check your Google Drive apps to make sure it’s cleared out. There was a New York Times article written on January 25th, 2019 about Facebook looking to bring whatsapp into the fold in order to monetize it. (full disclosure: i used to work for the new york times)

  1. setting up signal: TBD

JABBER

why…jabber: before the days of fancy apps there were protocols designed to communicate securely that ran on almost anything. xmpp/jabber is one of those things. it allows for off-the-record messaging; if you are using a client like adium, be sure to turn off logs. i use jabber to reach out to & hear from the most technical / 1337 of y’all out there. It’s easy to make a mistake in your jabber config or the server you connect to that leaves you insecure. So it’s best to use jabber only if you have some experience with it.