What’s Wrong with Signal, Whatsapp, Telegram, Protonmail, Tutanota?

I’m a public interest technologist. I’m here to educate. You are losing your Internet privacy and Internet security every day if you don’t fight for it. Your data is collected with endless permanent data mining. Learn about a TOR router, a VPN, antivirus, spyware, firewalls, IP address, Wi-Fi triangulation, data privacy regulation, backups and tech tools, and evading mass surveillance from NSA, CIA, FBI. Learn how to be anonymous on the Internet so you are not profiled. Learn to speak freely with pseudo anonymity. Learn more about the dangers of the internet and the dangers of social media, dangers of email.

Interesting, while I concur with your observations, to some extent, it’s unavoidable short of cutting yourself off from the Internet. Even with a private server, metadata can be gleaned by monitoring port 25 traffic from the server, and any traffic to a foreign host will show reply-to addresses, recipients, etc. even if the actual content is encrypted (which, honestly, is highly unlikely). From this, an intruder could build their own copy of your most frequently used contacts. Short of establishing a separate address for each contact (can you imagine giving separate emails adds to your banks, broker, mutual funds, insurance carriers, etc.), anyone you correspond then has your contact. When their list is compromised (as you discussed in your FB), you now show up as a known associate.

Even if you did use separate addresses for each type of contact (1 for work, 1 for side business, 1 for family, 1 for college friends, 1 for HS friends, etc.), unless they’re all on different services under different registrars, there is a high likelihood a determined intruder could associate any or all of these addresses with you.

A cardinal rule of honest security consultants is there is no point in spending more on security than the value of what you are protecting. In this context, spend refers to more than money, it also means time, effort, and usability. There are so many easy targets, why would the average criminal go after a tougher target? In most cases they won’t, they’ll target people fool enough to publish PII on their open FB account. If they target an individual, the attacker probably has a reason to believe the target has something of value or there is another motive (revenge, rivalry, etc.). Perfect security is a fool’s errand: the goal is to raise the cost to the attacker.

Bottom line: yes, metadata is a threat vector; yes, contact lists are a threat vector; and yes, using a “secure” app doesn’t compensate for unsecure practices surrounding the app.

Using multiple identities becomes much easier with QubesOS. You can use VMs for the same but QubesOS should be more isolated, secure and thus better at compartmentalizing your internet usage. Getting rid of the metadata and friends circle trail is much harder. At the moment I’m thinking about setting up a Matrix server so at least the metadata isn’t as easily collected centrally. One issue with this setup is of course that adversaries can track who uses my DNS name and other users can have all of those Facebook apps installed on their phones.

Some are quick to promote apps as being safe for your use just because they are encrypted. I will talk about how many of the popular apps that are commonly thought to be safe because of encryption are actually wrought with danger because pundits who claim this knowledge haven’t really thought about the flaws of each of these apps.

The main flaw is something called a relationship map. Because of the meta data surrounding the use of each of these apps, this flaw can result in complete identification of all parties involved in a conversation and their profiles. I will explain how this occurs and how understanding how this works is part of what the intelligence community calls SIGINT (Signals Intelligence). Click on the link to download a pdf file with description how this works.

SIGINT is the gathering of military or other intelligence by interception of electronic signals and consisting of COMINT and ELINT.

What is Signals Intelligence?

SIGINT involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials. They then use the information to help protect our troops, support our allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations, and advance many other important national objectives.

NSA/CSS collects SIGINT from various sources, including foreign communications, radar and other electronic systems. This information is frequently in foreign languages and dialects, is protected by codes and other security measures, and involves complex technical characteristics. NSA/CSS needs to collect and understand the information, interpret it, and get it to our customers in time for them to take action. Our workforce is deeply skilled in a wide range of highly technical fields that allow them to this work, and they develop and employ state-of-the-art tools and systems that are essential to success in today’s fast-changing communications and information environment. Our researchers are working constantly to help us anticipate and prepare for future developments.

2. How are the activities of the NSA/CSS regulated and who monitors them?

The U.S. Constitution, federal law, executive order, and regulations of the Executive Branch govern NSA’s activities. As a defense agency, NSA operates under the authority of the Department of Defense. As a member of the Intelligence Community, NSA also operates under the Office of the Director of National Intelligence. NSA/CSS activities are subject to strict scrutiny and oversight both from the outside and from within. External bodies such as the House Permanent Select Committee on Intelligence (HPSCI) and the Senate Select Committee on Intelligence (SSCI), the President’s Intelligence Oversight Board, the Foreign Intelligence Surveillance Court, the Department of Defense, and the Department of Justice provide oversight to ensure the Agency’s adherence to U.S. laws and regulations. Internally, the Office of the Inspector General conducts inspections, audits, and investigations to make certain that NSA/CSS operates with integrity, efficiency, and effectiveness, while the Office of the General Counsel provides legal advice. Most importantly, each NSA/CSS employee is charged with knowing, understanding, and obeying to the fullest the laws of the nation.

3. What Defines the Intelligence Role of NSA/CSS?

Executive Order 12333 (EO 12333) authorizes agencies of the Intelligence Community to obtain reliable intelligence information, consistent with applicable Federal law and EO 12333, with full consideration of the rights of U.S. persons. Pursuant to EO 12333, NSA is authorized to collect, process, analyze, produce, and disseminate Signals Intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions, and to provide signals intelligence support for the conduct of military operations. The executive order, however, prohibits the collection, retention, or dissemination of information about U.S. persons except pursuant to procedures established by the head of the agency and approved by the Attorney General.

A life example how SIGINT works

Watch and learn about this little puzzle that will challenge your brain and your thought process.

India may be working with the American National Security Agency (NSA) to intercept email, chat, VPN data, VoIP and voice call records among others. This is based on documents that were newly released by Edward Snowden to Danish newspaper Dagbladet Information and The Intercept. You can download the files here. Also see these documents that were used by The Intercept editor Glenn Greenwald for writing his book on the issue.

According to these documents, India is an “Approved SIGINT partner” with the NSA. SIGINT is a common term used in intelligence circles that stands for signals Intelligence, and refers to capturing of communication between two people. Decrypting of messages, traffic analysis etc. are also part of SIGINT. The agency then taps these SIGINT partnerships for creating two major programs called RAMPART-A and WINDSTOP for collecting data in transit between the source and the servers, as opposed to collecting data from each Internet company (Google, Microsoft, Yahoo) separately. Considering WINDSTOP only partners with second parties, primarily the UK, to access communications into and out of Europe and Middle East, third-party partner like India should fall under RAMPART-A.

Approved SIGINT partners

RAMPART-A provides NSA with collection against long-haul international leased communications through special access initiatives with world-wide SIGINT partnerships. RAMPART-A has access to over 3 Terabytes of data per second encompassing all communication technologies such as voice, fax, telex, modem, e-mail, internet chat, VPN, VoIP and voice call records. This program has “TURMOIL” capabilities according to the documents, which means that these sensors can passively collect vast amounts of data. It may also be used for spotting common internet encryption technologies that the NSA can exploit.

New Delhi is mentioned in another slide that lists all units that are part of SIGINT platform. The NSA has Computer Network Exploitation in 50,000 locations around the world and from the graphic above it looks like there are at least five of them in India that are part of SIGINT. It is not clear where exactly these are or which companies they are.

These documents also talk about FAIRVIEW, which has corporate relationships with ISP and Telco’s and collects communications data from fiber cables and various infrastructure through which data passes through. These documents don’t however mention if FAIRVIEW has relationships with Indian companies.

Data collected upstream internationally are of two kind according to these documents: DNI selectors has all information about a user’s activity online, while DNR selectors are meta data of voice calls made and messages sent through Telco’s.

How Indian embassy was targeted

Another document leaked by Snowden shows that Indian embassy in US was monitored. The NSA used the following methods for collecting information from the embassy and officials there:

– Implants (sensors or recording devices possibly) in the Indian embassy to collect data.
– Screen grabs. Method is called Vagrant
– Created images of disks. This is bizarre considering that India is a part of SIGINT.
– It also used a method termed ‘magnetic’ through which a sensor collected data from magnetic emanations. We’re not sure what this means.

This document is from 2010 and it indicates that snooping from these offices were dropped shortly afterwards.

These new documents also mention the amount spent by NSA on foreign partners to create and maintain the RAMPART-A and WINDSTOP programs. However, there is no country-wise split so it is not clear how much was spent in India or paid to Indian companies.

What about NATGRID, CMS and Netra?

Indian government has been building Central Monitoring System (CMS) for monitoring all online communication in India, Netra for keyword based tracking of online content and NATGRID for linking all available personal data of people in India. This year, India made it to the Enemies of the Internet report published by Reporters Without Borders for the first time, along with US, UK and Russia, for creating these three monitoring tools. That being the case, we don’t know if these projects are already part of RAMPART-A or if the government is considering sharing this data with the NSA in the future.

With these three projects, Indian government will be able to intercept all online communication in India, but it does not have the decryption code for deciphering these messages. It had approached the US government last year seeking help to decrypt messages sent over services such as WhatsApp and Skype. It had similarly fought long and hard to get these codes from BlackBerry as well. However, by the time the mobile phone manufacturer agreed to hand over these details, the popularity of Blackberry handsets had already declined in India.

Proton Email Client

EMAIL systems claim to be highly secure. The newest of them, ProtonMail, attracted widespread attention. But just how secure is it?

Email applications that say they’re strong enough to foil government snoops and advertisers too often have chinks in their armor. In 2014, a federal judge forced the now-defunct secure email company Lavabit to turn over its encryption keys to the government, though Lavabit earlier claimed its service was “so secure that even our administrators can’t read your email.” Going further back, we learned that encrypted email provider Hushmail was totally cool with spilling secrets to the government, which it did by grabbing user passwords to decrypt email and turning them over to law enforcement in plaintext. It, too, claimed that even its own admins couldn’t read the encrypted email.

But ProtonMail, founded in August, 2013, by scientists who met while working at the European Organization for Nuclear Research in Geneva, seems to offer protections other email services don’t. The service claims on its website that it “cannot decrypt or share your data with third parties.” It also boasts extra legal protection because it’s based in Switzerland, a country with strict privacy laws. And it’s attracting loads of backing it raised $2 million in seed funding in March, and about half a million users have requested an invitation for a free 500MB account.

The Good

Let’s start with ProtonMail’s security advantages. It requires two passwords, which provides an added layer of protection.

“It’s actually really nice that they have two sets of passwords,” “The login password gets sent to the server, and that’s how you prove that your username is actually yours. And the second is the mailbox password, which never gets sent to ProtonMail’s server. The second password runs in your browser and decrypts your messages there.”

Another significant security perk is ProtonMail stores your email encrypted to disk, which means the emails would be undecipherable without your password if a government agency compelled the company to hand over your communications.

Of course, this doesn’t mean ProtonMail couldn’t give the government plaintext messages—just that it would require ProtonMail to actively attack you and steal the required password. Most email services can much more easily hand over your communications because they store them in plaintext or in such a way that the service could easily decrypt them.

The Bad

Now let’s address ProtonMail’s weaknesses. One of the big issues is that it isn’t easy to know whether a message sent to another ProtonMail user is being encrypted to the recipient’s correct public key, which is stored on ProtonMail’s key server. For example, if Alice sends Bob a message encrypted to his public key, it’s harder for anyone else to read the message. But since ProtonMail distributes the encryption keys to users, it has the technical ability to give Alice its own keys in addition to Bob’s, thus encrypting the messages in a way that would allow it to eavesdrop.

This problem is not unique to ProtonMail. Apple’s iMessage and the now-encrypted WhatsApp have the same flaw. (Services like Text Secure, Silent Circle, and Threema, on the other hand, allow users to verify fingerprints to assure that they have the proper keys for one another, thus mitigating that threat.)

ProtonMail does allow you to export your public key and send it to another person, but you can’t easily confirm whether your ProtonMail messages are being sent to the same key. It would take serious tech chops to verify the key. “They could look at the network request or open the browser’s JavaScript inspector, both of those are able to show them. And a normal UI that I wouldn’t say that’s a reliable defense against man-in-the-middle attacks,”

This isn’t ProtonMail’s only weakness. It could also serve malicious code to a targeted individual (based on a specific IP address, for example) if legally compelled to do so. “You have to completely trust that the server is not compromised because every single time you load the page, you download a new copy of the JavaScript” “They could just wait until you load the page and give you a malicious version of the JavaScript. This would be much more difficult to do if it was a browser add-on or a native program you install because then if they wanted to make their client malicious, they would have to add a backdoor and make it malicious for everyone, and everybody would have evidence of that backdoor.”

The Tricky Legal Questions

This brings us to ProtonMail’s legal advantages. As we’ve established, ProtonMail would have a hard time decrypting your communications, but the service is not so secure that it would be impossible. And while ProtonMail cites its location in Switzerland as added protection, it’s certainly not a fail-safe. That’s because Switzerland has a mutual legal assistance treaty relationship with the United States. These treaties require foreign governments to hand over to a requesting government any information legally available to their local authorities. That means that Switzerland would have to give the US access to any data that it could itself access. So, if you’re planning to use ProtonMail to sell steroids, leak government secrets, or engage in FIFA-style wire fraud/money laundering/racketeering schemes, Swiss law probably won’t help you.

People seem to think that data privacy laws in Europe or in foreign countries pose problems or would be a roadblock but that’s just not the case, because under those treaties the countries obligate themselves to cooperate as broadly and as much as possible.”

ProtonMail isn’t exempt from Swiss laws. “We have just intentionally selected the framework that gives the best possible protection to our legitimate users. The greatest protection, of course, comes from the underlying technology.”

As mentioned, ProtonMail encrypts your emails to disk. Unfortunately, it’s an open legal question whether a government could force ProtonMail to falsify keys or serve malicious JavaScript to users.

“It is fairly standard for the government to require companies to turn over information about their customers already in their possession. The critical legal question is whether the government can compel companies to do more than that,” a staff attorney in the ACLU’s Speech, Privacy and Technology Project. But, there’s a big distinction: “There is an important difference between requiring a company to turn over information it already has and conscripting it into becoming a spy for the government … the latter raises serious constitutional questions.”

Android devices

Google is scared shitless. Their censorship is going way too far. Let’s fight together for freedom of speech! All software should be open source, with respect for user-privacy and freedom of speech. Your Android phone is the biggest spy device in your life, let’s do something about it! https://android-privacy.com/

Just need to finalize hardening that internal NextCloud VM first

Links that maybe would be in some degree helpful:

Leave a Comment

Verified by MonsterInsights