Security tips for Democrats.
Hey. If you’re reading this and currently are, or are going to be, a Democratic activist, journalist, advisor or politician, it’s in my best interest to make sure you have a decent grasp on how to not be a headline.
The thing is, we haven’t been very good at this lately and now that the election is over let’s just see what we can learn real quick for next time. I’m not going to mention the people who fucked up, but send this to them I guess.
There are 4 main goals in infosec as a field that we’re going to be discussing today: Confidentiality, Integrity, Availability and Anonymity.
Use good passwords to ensure the integrity and confidentiality of your data:
Your dog’s name is not good enough. Neither is your favorite swear. I’ll give you two options that are.
Pick 4 random, space-separated words that have nothing to do with your work or personal life and add a digit.
Generate a random alphanumeric code like “hUX6eqAd9”. Throw a special character at the end. These can be memorized without too much difficulty by generating new ones until you find one that has component parts that can be pronounced fairly easily: In this case like “hucks” and “equad.” These pronunciation cues should be enough to trigger your memory. I admit that this second one is the harder option, but I like my passwords the way they are.
People will tell you not to use the same password for multiple sites and to change them frequently. That’s great advice but not the most important thing. The most important thing is that your password isn’t “pussy” or “123456.” Everyone thinks like you. You are not quirky. Those are literally the first things any hacker will try.
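As an added example (not from the original post), here is a small Python script that generates both kinds of password the post describes, estimates how many bits of guessing each one costs an attacker, and rejects the passwords every hacker tries first. The word list and the list of common passwords are constructed samples; a real deployment uses a full diceware-style list and a leaked-password corpus.

```python
"""Passphrase and random-code generator, plus a check for the passwords an
attacker tries first.  Added example, not from the original post.  The word
list and the blocklist are constructed samples; real ones are far larger.
"""
import math
import secrets
import string

# Constructed sample word list.  Real diceware lists have 7776 words; the
# entropy estimate below scales with the list length.
WORDS = [
    "copper", "lantern", "orbit", "saddle", "velvet", "glacier", "pepper",
    "tunnel", "harbor", "meadow", "cactus", "pillow", "rocket", "walnut",
    "ember", "falcon", "guitar", "island", "jungle", "kettle", "ladder",
    "magnet", "nickel", "oyster", "parrot", "quartz", "ribbon", "socket",
    "timber", "umpire", "violin", "window",
]

# Constructed sample of the "everyone thinks like you" list.  A real checker
# loads a leaked-password corpus with millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "pussy", "letmein", "baseball",
    "football", "iloveyou", "monkey", "dragon", "abc123", "111111",
}

SPECIALS = "!@#$%^&*?"
VOWELS = set("aeiouAEIOU")


def passphrase(n_words: int = 4, words=WORDS) -> str:
    """Option 1: n random words, space separated, plus one digit.
    secrets.choice draws from the OS CSPRNG; random.choice is not
    acceptable for password material."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(chosen) + " " + str(secrets.randbelow(10))


def _max_consonant_run(code: str) -> int:
    """Longest run of consonants; digits and vowels break the run."""
    run = best = 0
    for ch in code:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def pronounceable_code(length: int = 9) -> str:
    """Option 2: random alphanumeric code like "hUX6eqAd9" with a special
    character appended.  Candidates are regenerated until no run of four
    or more consonants remains, the memorisation trick the post describes.
    The rejection does not weaken the code much: it discards only a small
    fraction of the candidates."""
    alphabet = string.ascii_letters + string.digits
    while True:
        code = "".join(secrets.choice(alphabet) for _ in range(length))
        if _max_consonant_run(code) <= 3:
            return code + secrets.choice(SPECIALS)


def entropy_bits_passphrase(n_words: int, list_size: int) -> float:
    """log2 of the number of equally likely passphrases: list^n * 10 digits."""
    return n_words * math.log2(list_size) + math.log2(10)


def entropy_bits_code(length: int) -> float:
    """62 symbols per alphanumeric position, plus one special from SPECIALS."""
    return length * math.log2(62) + math.log2(len(SPECIALS))


def is_weak(password: str) -> bool:
    """True for what a guessing attack tries first: anything on the common
    list (case-insensitive), anything under 8 characters, all-digit strings."""
    p = password.strip().lower()
    return p in COMMON_PASSWORDS or len(p) < 8 or p.isdigit()


if __name__ == "__main__":
    print(passphrase(),
          f"(~{entropy_bits_passphrase(4, len(WORDS)):.0f} bits with this tiny list)")
    print(pronounceable_code(), f"(~{entropy_bits_code(9):.0f} bits)")
    for candidate in ("123456", "hUX6eqAd9!", "Pussy"):
        print(candidate, "-> weak" if is_weak(candidate) else "-> ok")
```

With the 32-word constructed list a four-word passphrase is only about 23 bits; with a 7776-word diceware list the same formula gives about 55 bits, which is why the list size matters more than the digit on the end.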
Use PGP for ensuring files and messages are sent confidentially.
Her email wasn’t secure. Yours isn’t special either. It’s vulnerable to all sorts of attacks.
Download GnuPG for your operating system and encrypt messages with the RECEIVER’S public key when you send a file. When you receive something, decrypt it to cleartext with YOUR private key. I know this isn’t clear so I’ll elaborate and use some metaphor.
If you are sending something that MAY be used against you or the party by the wrong hands, we need to make sure that doesn’t happen, and we can practically guarantee that with just a little bit of learning and effort.
Just use PGP, which stands for pretty good privacy. It’s, ah, how do you say this? Pretty good? The essence of this process is simple. Imagine a lock that takes two different keys: one to unlock and one to lock. Each key can be copied infinitely (only one should be).
The best way to ensure you can receive confidential emails is to publish the “locking” key, your public key, somewhere visible. There is a spot for this in your Facebook settings so that people can message you and send you data securely. Many journalists who interact with sensitive sources also include it in their Twitter bios. This way anyone can send you something “locked” with encryption that only you can open, and you can easily unlock it with your private key, which you NEVER SHARE. I can’t stress enough that the security all depends on the private key that unlocks files: without it you can’t open any, and with it your enemies can open anything. Back it up, encrypt it with a password that you memorize and don’t use on any websites, and put the encrypted key in a folder called “Suspicious Folder.” Your hackers will think it’s porn and won’t bother.
To send someone something, just copy what you are absolutely sure is their public key and run the encryption in GnuPG before sending it to them. If someone hacks their Facebook or other profile, they will replace the public key with their own, and all files locked with that public key can be intercepted by the hacker.
If there is any doubt about the correct public key, set up a single, secure, in-person meeting to perform the key exchange. Other than filtering them out of positions of power, nothing will ever stop idiots from sending confidential data insecurely. Once someone sends something unencrypted, it’s in the hands of whatever entities happen to be monitoring the two of you.
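Added example covering the whole PGP section above (not the post’s code and not part of GnuPG): a Python wrapper around the gpg command line that inspects a downloaded key file, refuses to use it unless its fingerprint matches what you wrote down at the in-person meeting, and only then encrypts to the recipient’s key. The sample gpg output, the fingerprints, the key file name and the e-mail address are constructed placeholders, and the real gpg calls run only when GnuPG is installed.

```python
"""Wrapper around the gpg command line for the workflow described above:
check the recipient's key against the fingerprint you confirmed in person,
encrypt to that key, decrypt with your own.  Added example for this page,
not the post's code and not part of GnuPG.  Fingerprints, key file names
and the e-mail address below are constructed placeholders.
"""
import shutil
import subprocess
from typing import List

GPG = shutil.which("gpg")  # None when GnuPG is not installed


def normalize_fingerprint(fpr: str) -> str:
    """Fingerprints are printed in groups of four; compare them without
    spaces and without regard to case."""
    return "".join(fpr.split()).upper()


def parse_fingerprints(colon_output: str) -> List[str]:
    """Pull fingerprints out of `gpg --with-colons` output: every 'fpr'
    record carries a 40-hex-digit fingerprint in its tenth field, primary
    key first, subkeys after it."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def key_matches(colon_output: str, expected_fpr: str) -> bool:
    """True only if the PRIMARY key fingerprint in the file equals the one
    read out at the in-person meeting."""
    fprs = parse_fingerprints(colon_output)
    return bool(fprs) and fprs[0] == normalize_fingerprint(expected_fpr)


def show_key_cmd(key_file: str) -> List[str]:
    """Inspect a downloaded key file without importing it."""
    return [GPG or "gpg", "--batch", "--with-colons",
            "--import-options", "show-only", "--import", key_file]


def encrypt_cmd(recipient_fpr: str, infile: str, outfile: str) -> List[str]:
    """Encrypt to the RECIPIENT's public key.  Naming the key by its full
    fingerprint, not by e-mail address, cannot pick up a look-alike key."""
    return [GPG or "gpg", "--batch", "--yes", "--armor",
            "--recipient", normalize_fingerprint(recipient_fpr),
            "--output", outfile, "--encrypt", infile]


def decrypt_cmd(infile: str, outfile: str) -> List[str]:
    """Decrypt with YOUR private key; gpg selects it from your keyring."""
    return [GPG or "gpg", "--batch", "--yes",
            "--output", outfile, "--decrypt", infile]


def encrypt_if_key_verified(key_file, expected_fpr, infile, outfile) -> bool:
    """Whole workflow against a real GnuPG install: look at the key file,
    stop unless the fingerprint matches, then import it, record that you
    verified it with a local signature, and encrypt.  Returns False on a
    mismatch instead of encrypting to a key you cannot vouch for."""
    if GPG is None:
        raise RuntimeError("GnuPG is not installed")
    shown = subprocess.run(show_key_cmd(key_file), capture_output=True,
                           text=True, check=True).stdout
    if not key_matches(shown, expected_fpr):
        return False
    fpr = normalize_fingerprint(expected_fpr)
    subprocess.run([GPG, "--batch", "--import", key_file], check=True)
    subprocess.run([GPG, "--batch", "--yes", "--quick-lsign-key", fpr], check=True)
    subprocess.run(encrypt_cmd(fpr, infile, outfile), check=True)
    return True


# Constructed sample of what show_key_cmd() prints: primary key, its
# fingerprint, a user id, and one encryption subkey with its fingerprint.
SAMPLE_COLONS = """\
pub:-:3072:1:0123456789ABCDEF:1700000000::-:::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:-::::1700000000::ABCDEF::Alice Example <alice@example.org>::::::::::0:
sub:-:3072:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

# The fingerprint as written down at the in-person meeting (constructed).
CONFIRMED_FPR = "1111 2222 3333 4444 5555  6666 7777 8888 9999 0000"

if __name__ == "__main__":
    print("sample key matches confirmed fingerprint:",
          key_matches(SAMPLE_COLONS, CONFIRMED_FPR))
    print(" ".join(encrypt_cmd(CONFIRMED_FPR, "memo.txt", "memo.txt.asc")))
    print(" ".join(decrypt_cmd("memo.txt.asc", "memo.txt")))
```

The comparison is done on the primary key fingerprint only: a subkey fingerprint that happens to match proves nothing, and a mismatch means you stop and ask the person again, not that you pick the closest-looking key.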
Maintain backups to ensure information stays available
Buy a 16GB flash drive or a hard drive if you have that much important information. Keep it encrypted with a secure password as discussed earlier.
Phones get wet. Hardware components in your laptop fail. Disks get corrupted, either by malicious attacks, random chance, or negligence.
Anything you can’t afford to lose needs to be in at least 2 places, if not more.
What can you afford to lose? The programs that take up a lot of space. You can re-download Google Chrome, Photoshop, your games, and whatever else you use on that machine whenever you want from the internet. To save space and make things easier, keep all of your document folders and mission-critical program data in their own folder that you can then just copy over to the backup disk when you make backups, which you will do frequently.
RAID is not a backup, don’t fall for it. The great thing about digital information is that it CAN be cheaply and easily copied, so please make the most of this attribute.
Every weekend transfer all the new important information to the disk. Keep it encrypted with the password. This is part of your job, so do it.
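Added example for the backup routine above (not from the original post): a Python script that copies the one important folder onto the backup disk as a dated snapshot, writes a SHA-256 manifest beside it, and re-checks the copy, so a silently corrupted backup shows up now rather than the day you need it. The folder names and file contents are constructed; encrypting the backup disk with the strong password from earlier is assumed to be done by the operating system and is not done by this script.

```python
"""Weekly backup of the one folder that holds everything you cannot afford
to lose, with an integrity manifest so a corrupted copy is noticed before
you need it.  Added example, not from the original post.  Paths and file
contents are constructed; the backup disk itself is assumed to be encrypted
by the OS with the strong password discussed earlier.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }


def backup(source: Path, backup_disk: Path) -> Path:
    """Copy source into a new timestamped folder on the backup disk and write
    the manifest next to it.  Older snapshots are kept: a backup that
    overwrites the previous one is only one failure away from nothing."""
    dest = backup_disk / f"{source.name}-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copytree(source, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(source), indent=1))
    return dest


def verify(dest: Path) -> list:
    """Re-hash the copy and return a list of problems (empty means the
    snapshot is intact and complete)."""
    expected = json.loads((dest / MANIFEST).read_text())
    actual = build_manifest(dest)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed run in a temp dir: back up, verify, then flip a byte in the
    copy (simulated bit rot) and verify again.  Returns both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Important"
        (src / "memos").mkdir(parents=True)
        (src / "memos" / "donors.txt").write_text("constructed sample data\n")
        (src / "contacts.csv").write_text("name,phone\nSample Person,555-0100\n")
        disk = Path(tmp) / "BackupDisk"
        disk.mkdir()
        dest = backup(src, disk)
        before = verify(dest)
        damaged = dest / "memos" / "donors.txt"
        damaged.write_bytes(damaged.read_bytes()[:-1] + b"?")
        after = verify(dest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh snapshot problems:", before)
    print("after simulated bit rot:", after)
```

Run the verify step against the previous week’s snapshot as well as the new one; a disk that has started failing shows up as “corrupted” entries long before it stops mounting.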
Don’t run random shit on computers you can’t afford to lose data from
If it’s really that important that you install the sketchy program from the porn site, create a virtual machine. This is a computer within a computer and you can keep the data on the internal computer quarantined so any viruses can’t affect the main system.
I have never lost the confidentiality, integrity, or availability of my important data. If you follow these principles you won’t either. Be better than the last generation was with your data.
Bonus section on anonymity: AKA how to get away with shit.
Look. You’re probably going to want to do some things you don’t want people to know about at some point. In cases where the law is ridiculous or not a concern, I’m not going to judge you and I’m going to help. But as a forewarning, I ask that you don’t sacrifice your moral high ground by ordering an assassination on the chair of the federal reserve. It’s all we have. Okay, let’s do this.
Get TOR browser
This is a relatively simple step. You install the program and you run it like a normal browser. Your ISP can see that you are using Tor, and the web servers you visit can see that the request came out of Tor, but neither can connect you to what you’re trying to access, because the service bounces your request through a bunch of other locations first. You can also access .onion websites with this browser, also known as the “dark web.” Your connection will be so slow you will get nostalgia for the glory days of the John Kerry campaign.
Employ a VPN too
This will mask your IP address and works as a one-two anonymity punch with Tor. Unlike Tor, though, any decent one (one that isn’t logging your usage and sending it to everyone you know and their mother) will cost you a subscription of around $5 a month.
Use tumbled bitcoin for paying people or getting paid:
Download the bitcoin core client on your laptop. You’ll need some space, about 100GB because it has to download every transaction ever made in bitcoin. I know that seems insane, but it’s how bitcoin works. Don’t buy drugs from the internet — I mean — whatever you’re doing if you can’t handle this.
Buy or have your connection buy the bitcoin for making the transaction securely and discreetly. Find a website to do this.
Have the bitcoin tumbled into a temporary, single-use wallet before sending or receiving it. There is a permanent record of all transactions, stored on every bitcoin user’s computer. The security lies in wallets being anonymous and plentiful. Bottom line: this ensures that nobody can really tell where it’s coming from or going to because bitcoin is fungible and the service obscures the source of the money by intermingling it with thousands of other transactions over a few hours. They also charge a 1.75% fee. Check out other similar services if that’s a concern.
Send or receive the money, which will take a few minutes depending on the transaction fee you set, and have it exchanged back to cash. Or not. Bitcoin might be a pretty good investment and is up 168% since the Trump inauguration.
Good luck with the IRS on all this shit. I have no clue about how you would even think about filing this literal nightmare, so talk to an accountant. A really expensive one, probably. You know what? Forget I mentioned any of this part, it’s probably for the best.