What is GPG and why should I use it to earn me $$$ ?

It used to be that as an average citizen if you wanted to speak privately with 
someone it was easy to do. You wouldn’t worry about someone reading your letters
in the mail, or someone recording your phone calls when you order out for food. You could reasonably count on being able to have a private conversation with 
another person.

In the digital age, that’s no longer true. Many conversations happen online. E-Mails, instant messages, texts and documents are passed around without much thought given to who’s really looking. You are given the illusion that when you send an email or other communication, only you and the person you are communicating with are able to see the message.

Sadly, this is not the truth.

There’s now a long list of people who have access to everything you do and say online. Internet service providers commonly monitor and carefully record your activities and messages. A few internet service providers have even been caught injecting malicious tracking numbers (sometimes called Super-Cookies) into requests for websites to collect data on their customers. Marketing companies buy and sell your shopping habits, personal data and search requests on a daily basis.
Governments watch and record what you do in order to find out if you are a criminal, an activist, or even just someone who holds a view that’s contrary to the current political agenda.

For example, the commonly used e-mail provider GMail (and many others like it) searches all messages you send and receive for keywords. These keywords allow them to learn more about you and to offer ads to you based on what you are 
sending and receiving. If you’re receiving or sending messages about shoes, you may get ads for shoes. If you’re sending a message about cars you’ll get ads for
cars. Over time it will learn and the ads will get more specific as it builds a 
profile about you. That data is then used to show you more ads that you are 
likely to click. They also may sell this data to other marketing companies for 
use in their own ads.

A private conversation is no longer private.

But there is a way to take back your digital privacy.

I recommend a program called GNU Privacy Guard.

GNU Privacy Guard (also called OpenPGP, PGP or GPG) is a data encryption and decryption computer program that provides cryptographic privacy and 
authentication for data communication. GPG is often used for signing, 
encrypting, and decrypting texts, e-mails, files, directories, and whole disk 
partitions and to increase the security of e-mail communications.

You can run the program on Windows, Linux, Mac and Android.
Windows: GPG4WIN (http://www.gpg4win.org/)
Linux: GPG (https://www.gnupg.org/)
Mac: GPG Tools (https://gpgtools.org/)
Android: APG (http://www.thialfihar.org/projects/apg/)

Why do I keep hearing about PGP/GPG/OpenPGP/etc? What’s with all the different names?

PGP was the original commercial program written back in 1991. The source code for it was released to the public in the form of a book when the United States Government tried to shut them down. In the form of a book, it was covered by the First Amendment as free speech. Also, with the code released to the public, it was no longer possible for the government to “put the genie back in the bottle” so to speak. GPG was based on that source code and is by far the most commonly used version as it was created and distributed as an open source program free to all forever. In order to keep compatibility between the different programs a standard was written called the “OpenPGP Standard” which defines how PGP/GPG based programs should function so they can work with each other.
Most of these terms are interchangeable in that as long as you’re referring to an OpenPGP standard compatible program it doesn’t matter if you call it PGP or GPG.

So what can GPG do for me?
1. Encryption

Encryption allows you to take messages and/or data that you wish to keep private and modify them in such a way that they are impossible to read without the correct password. But GPG takes it a step further and uses a public/private key pair as well as a password to secure your messages. The public key file can be shared with anyone freely. That’s why it’s called the public key: it’s meant to be public. It can be used to encrypt a message and to verify the authenticity of a message, but it cannot be used to decrypt or sign a message. The private key file is the one you keep secret. It allows you to decrypt a message encrypted with your public key, and it also allows you to sign a message or file so that others can verify its authenticity and that it has not been modified in any way. Without the private key file AND the password it is not possible to decrypt the message.

2. Signature
As mentioned above GPG is able to digitally sign an e-mail, attachments, 
documents and files so that anyone who has your public key can verify that it is authentic and has not been tampered with. If even one bit of the message or file has been altered in any way GPG will notify you that the file is NOT authentic. 
This is very useful if you’re concerned about “man in the middle” attacks where messages are intercepted and changed between people exchanging information.
You simply distribute your GPG public key and anyone who has it can use it along with the program to authenticate the message.
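
The sign, tamper, verify and encrypt/decrypt cycle described in the two sections above, as an added example (not part of the original article): it drives the gpg command line from Python against a throwaway keyring. The identity, message and function names are constructed for illustration, the key is created without a passphrase only to keep the run non-interactive, and a recent GnuPG 2.x on the PATH is assumed.

```python
import os, shutil, subprocess, tempfile

UID = "Alice Example <alice@example.invalid>"   # constructed identity
NOPASS = ["--pinentry-mode", "loopback", "--passphrase", ""]  # demo only: unprotected key

def gpg(home, *args, data=None):
    """Run gpg against a throwaway keyring; return (exit code, stdout bytes)."""
    cmd = ["gpg", "--homedir", home, "--batch", "--quiet", "--no-tty", *args]
    proc = subprocess.run(cmd, input=data, capture_output=True)
    return proc.returncode, proc.stdout

def sign_tamper_decrypt(message=b"Meet at noon.\n"):
    """Return (good_signature_ok, tampered_file_rejected, decrypted_matches)."""
    home = tempfile.mkdtemp(prefix="gpgdemo-")   # mkdtemp creates it mode 0700
    msg = os.path.join(home, "msg.txt")
    sig = msg + ".sig"
    try:
        # Generate the key pair; the private half never leaves `home`.
        rc, _ = gpg(home, *NOPASS, "--quick-generate-key", UID,
                    "default", "default", "never")
        if rc != 0:
            raise RuntimeError("key generation failed")
        with open(msg, "wb") as fh:
            fh.write(message)
        # Sign with the private key (detached signature in msg.txt.sig).
        gpg(home, *NOPASS, "--output", sig, "--detach-sign", msg)
        good_rc, _ = gpg(home, "--verify", sig, msg)
        # Flip a single bit of the signed file and verify again.
        with open(msg, "wb") as fh:
            fh.write(bytes([message[0] ^ 0x01]) + message[1:])
        bad_rc, _ = gpg(home, "--verify", sig, msg)
        # Encrypt to the public key, decrypt with the private key.
        _, ciphertext = gpg(home, "--armor", "--recipient", UID,
                            "--encrypt", data=message)
        _, plaintext = gpg(home, *NOPASS, "--decrypt", data=ciphertext)
        return good_rc == 0, bad_rc != 0, plaintext == message
    finally:
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       capture_output=True)
        shutil.rmtree(home, ignore_errors=True)

if __name__ == "__main__":
    print(sign_tamper_decrypt())
```

gpg exits with status 0 for a good signature and a non-zero status once the signed file differs by even one bit, which is what the second element of the result records.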

Common questions:
Question: I heard the government can break any encryption easily.
Answer: FALSE. If you had EVERY single computer in the world trying to crack a GPG encrypted file with a strong password it would take well beyond your
lifespan to break. Instead agencies like the FBI/NSA/CIA rely on backdoors 
hidden in the encryption software, poor passwords or malware to spy on you and get the key that way. Encryption WORKS when applied properly. That’s why the United States Government has been pushing for more backdoors so hard in the last few years.

Question: What is a backdoor?
Answer: A backdoor is a hidden piece of code in a program to allow someone access.
In this context, a backdoor would be a hidden piece of code in the encryption 
program that alters the encrypted data in such a way that the government 
(or hackers) can bypass the encryption with the right secret code.

Question: How can I check for a backdoor?
Answer: For most commercial applications, you can’t. In order to really tell for sure you need to look at the source code, and typically only the programmers have access to this. The source code is what programmers write that gets turned into a working program you can use. This is where GPG really shines, as it’s completely open source. Anyone can examine the source code and have their own computer build it into a program if they wish. The source code for GPG is peer reviewed and analyzed for hidden code and security weaknesses regularly and in an open manner.

Question: How common are these backdoors?
Answer: Very common. For decades the NSA and other organizations have put a large amount of pressure on various companies to either build a backdoor into encryption software that would allow them access to messages that have been encrypted or to force them to use very weak encryption protocols so that it’s easy for them to break. Examples include banking software, pharmacy software, popular websites, operating systems, cell phones, etc. We’ll never know for sure how many, as most companies when pressured to do this are also placed under a secret court order not to reveal that it’s been done.

Question: This sounds really technical. I’m not really a “tech” guy. 
Can someone like me use it?
Answer: Yes. The process to use it is actually pretty simple and there are many tutorials and YouTube videos that show you how. No math or advanced IT knowledge is required to use the program.

Question: Will it work on Tor?
Answer: Yes! In fact many sites on Tor require a working knowledge of
GPG for security.

I hope you find this article useful and take a look into encrypting your data
and communications.

If you want to learn more about GPG and how to use it, I recommend this tutorial for the Windows version (GPG4WIN) at:
https://www.deepdotweb.com/2015/02/21/pgp-tutorial-for-windows-kleopatra-gpg4win/

And of course the main homepage as well: https://www.gnupg.org/

2. Introduction to StingRay

Over the past few years you may have heard about the secretive device used by the FBI, DEA and various state and local law enforcement agencies called 
“StingRay”. StingRay is essentially a portable fake cell phone tower that can 
be deployed anywhere to track people and to intercept data, messages and phone calls. Law enforcement have a standing policy to keep all details on StingRay 
hidden from the public, at almost any cost.

StingRays can come in many sizes, designed for a car, or plane; for small mobile deployments or large scale towers. There are even cases of StingRays that can be worn or carried by hand to assist in the short-range location of suspects. Perhaps one of the more worrying uses of the StingRay is the practice of using it on a large aircraft flying over an entire city or across the country by the FBI and other law enforcement agencies. When using a plane or other large size StingRays they can intercept cell phone signals for entire cities.

It works by simulating a cell tower. When a cell phone detects this tower it attempts to connect to it and the device forwards the calls/texts/etc to another separate but real tower. This is known as a “Man in the middle” attack or MITM for short.

Man in the middle attacks work by intercepting and possibly even tampering with messages and data going in between two points.

For example:

When you turn on your cell phone to make a call, your phone will search for a 
tower to connect to. It will attempt to connect to whatever tower is closest.
It will find the StingRay device (simulating an AT&T/Verizon/T-Mobile/etc. 
tower) and will make contact. The StingRay will accept the connection and route 
it to the nearest real tower.

In the meantime, it gets to intercept all data going back and forth and 
potentially tamper with it if desired by the StingRay operator.

 /-\          /-----\          ( ( ( ----- ) ) )
 | |          |Sting|                  |
 | |  ----->  | Ray |  ----->          |
 \-/  <-----  \-----/  <-----     Cell | Tower

Outgoing call: Cell phone --> StingRay --> Real Cell Tower
Incoming call: Cell phone <-- StingRay <-- Real Cell Tower

All incoming and outgoing calls/data/messages are intercepted by the StingRay.

Many cell phones incorporate encryption to prevent such attacks but the encryption used is very weak. Also, most phones include a “rollback” feature which allows the cell phone to revert to its weakest form of encryption in order to function with old cell towers. This is the primary mechanism by which the StingRay operates.

Once the encryption is broken, it’s a trivial matter to intercept all calls and 
messages sent and received by the cell phone.

Another troubling way StingRay can be used is to identify members of a protest or group. Imagine being with a group of people protesting a new law, or protesting police brutality. Meanwhile, the identities of everyone in the crowd at the time are being recorded by StingRay and could be added to a “Watch List”.

How can I protect myself?

At this time, there are no foolproof, easily deployable ways to deal with this. 
That being said, there are a few options…

1. If you don’t need to use your cell phone, turn it off. Leave it at home. 
Or turn it to Airplane mode. This will disconnect it completely from the cell 
phone networks and any StingRay devices.

2. If you accept that you can be physically tracked while the phone is ON, but 
don’t want someone to be able to listen in on your phone calls or text messages, use encrypted programs like:
 ChatSecure — https://chatsecure.org/
 RedPhone — https://whispersystems.org/

3. Use experimental software like Android IMSI-Catcher Detector. This is highly 
experimental and may not work as you expect. But it’s leading the way (at the 
time this article was written) in software detection of StingRay devices and 
other major security issues with modern smart phones. It’s worth having a look, 
but understand it is not 100% and may not work.

Android IMSI-Catcher Detector:
https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
 
3. Metadata: The dangers and how to scrub it from common files

How often have you posted a document online? Or a photo? Most of us simply examine the contents of the document or picture before posting.

But within these files are hidden pieces of information called Metadata that tell much more about you than you would like. In this article I’d like to give you a brief primer on what Metadata is, how it could be used against you and how to protect yourself from it.

Metadata is data about data. For example, in a document the metadata might be the author, date/time it was written, how many words, what word processor it was made on, the kind of computer it was written on, a history of the changes that 
have been made to the document and so on.

For a picture it could be the camera settings, the date/time the picture was 
taken, the GPS coordinates of where it was taken, what model of camera, the 
serial number of the camera, and much more.

Imagine you are writing a document that you intend to place on Tor. You carefully write the document and make sure that there’s nothing written in it that could be used to identify you. You save the document and post it online. Then someone downloads your document. They put it under a metadata analysis program and find:

Name: John Q. Public
Company: John’s Plumbing Services
Software: OpenOffice 4.0.1
Computer: John’s PC
Written on: 08/08/2015 2:16 PM CST

You carefully took out everything in the document itself without thinking about the metadata that comes with it.
Using the above information, it would be trivial to locate you. I could pick up 
a phone book and do it.

Also, knowing the exact software you’re using could allow a hacker to look up 
known vulnerabilities for the version you’re running and send you one in return.

In this case, OpenOffice 4.0.1 contains a serious vulnerability in its Calc 
program that would allow a hacker to create a Calc spreadsheet that contains 
malware.

There have been cases where photos have been used to arrest people based on their metadata. For example, assume the following scenario:

Let’s say you’re a vendor on a Tor marketplace. You sell “recreational” substances. You want to take a picture of the goods you are selling so you take out your iPhone and snap a quick picture. You’re careful that nothing in the picture itself could be used to identify you.

You then post it online under your vendor account.

A few days later, the DEA/FBI/LE show up at your door.
How did they find you?

Modern smart phones have cameras that by default include the GPS coordinates in the picture. In this case, the photo would have the name of the iPhone “John’s iPhone”, the date and time the picture was taken, the GPS coordinates, the model of iPhone, etc.

It would be a simple matter for anyone to examine the picture and look up the GPS coordinates on Google Maps or any other mapping website.

The solution to this is actually fairly simple:
1. Use formats that contain very little metadata when possible 
 (TXT files instead of PDFs, DOCX, etc)
2. Use a metadata scrubbing program.
 These programs will detect and remove unwanted metadata from files.
 Metadata Anonymization Toolkit: (Linux) https://mat.boum.org/
 ExifTool: (Windows & Linux): http://owl.phy.queensu.ca/~phil/exiftool/
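
What a scrubber does for one file format, as an added example (not code from MAT or ExifTool, and not part of the original article): an OpenDocument file is a zip archive whose meta.xml holds the author, timestamps and generator string. The sample document is constructed in memory with values mirroring the John Q. Public example above, and the function names are hypothetical.

```python
import io, zipfile
import xml.etree.ElementTree as ET

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
# Constructed meta.xml mirroring the article's example values.
SAMPLE_META = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<office:document-meta xmlns:office="%s" '
    'xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/"><office:meta>'
    '<meta:initial-creator>John Q. Public</meta:initial-creator>'
    '<dc:creator>John Q. Public</dc:creator>'
    '<meta:creation-date>2015-08-08T14:16:00</meta:creation-date>'
    '<meta:generator>OpenOffice/4.0.1</meta:generator>'
    '</office:meta></office:document-meta>' % OFFICE
)

def build_sample_odt():
    """Build a minimal ODT-style zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", "<doc>Nothing identifying in the body.</doc>")
        z.writestr("meta.xml", SAMPLE_META)
    return buf.getvalue()

def read_metadata(odt_bytes):
    """Return {local tag name: text} for every field under office:meta."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("meta.xml"))
    meta = root.find("{%s}meta" % OFFICE)
    if meta is None:
        return {}
    return {el.tag.rsplit("}", 1)[-1]: el.text or "" for el in meta}

def scrub(odt_bytes):
    """Copy the archive with office:meta emptied; the body is left untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "meta.xml":
                root = ET.fromstring(data)
                for meta in root.findall("{%s}meta" % OFFICE):
                    meta.clear()          # drops author, dates, generator
                data = ET.tostring(root, encoding="utf-8")
            # A fresh ZipInfo defaults to 1980-01-01, so per-file zip
            # timestamps do not reveal when the document was edited.
            dst.writestr(zipfile.ZipInfo(info.filename), data)
    return out.getvalue()
```

This covers meta.xml and the zip timestamps only; tracked changes and embedded images inside the document carry their own metadata.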

Always run a metadata scrubber on files before posting them online.
Metadata is everywhere and it’s found in almost every type of file you can imagine. So next time you consider posting something online, take a moment to carefully scan the data and scrub out the unwanted Metadata, or it could come back to haunt you in the future.