FAQ

FAQ

Answers to some of the more common questions I’ve received. If the information here doesn’t help feel free to send me an  e-mail.  My GPG public key is available here.

Who are you?

Machello is a fictional character from the Stargate Universe. His world was invaded by an alien species but he used his superior knowledge of science and tactics to help protect his people from them by waging a very successful guerilla war against them. More info here.

You say on your site it’s safer for me to use Linux than Windows, why is this?

There’s a number of reasons for this. Most people still use Windows including businesses so computer viruses are made for that system. Also Linux is developed as a community so when any bugs or security flaws appear in the code (which is published online) it gets picked up on and fixed very quickly. Microsoft do release updates but sometimes it can take months or years.

I’m new to all of this and would feel more comfortable sticking with Windows.

I understand how you feel. Six years ago I’d never used it either. That said the two most popular distributions Ubuntu and Linux Mint are very user friendly. Mint will play DVD’s/MP3/Farmville on Facebook out of the box. Don’t forget you can still use Windows day to day provided you keep your private activites on Linux.

OK I’m sold, where can I get Linux/

If you just want it for privacy reasons, head over to the website for TAILS Linux which you can then burn onto a DVD and boot into when you need to keep your activities private.

Is it true that the Government/Police are reading all our e-mails/Facebook posts/Tweets etc. ?

The answer seems to be a qualified yes. Recent revelations have shown that they probably didn’t want to spy on you specifically but are more than willing to hoover up your data in their bid to find terrorists and if it so happens you’ve been doing something they think is suspicious, a warrantless search isn’t beyond them either.

I’ve nothing to hide, so don’t mind the Police reading my e-mails/monitoring my online activity/inspecting my hard drive, so why should I go to all this trouble?

First, please watch this video. That should free you from the notion that talking to the Police is ever a good idea. Next please google ‘Edward Snowden’. Conspiracy theory has become Conspiracy Fact ; you’re only paranoid if you’re wrong after all. 🙂

Incidentally if you still think this is a bogus notion, try walking up to a Police Officer with a video camera in your hand, point it at them and ask, “Do you mind if I ask you a few questions?”

Only a paedophile or terrorist would want to hide their activites.

Tell that to Human Rights workers in China or freedom fighters in Syria, I’m sure they’ll appreciate the comparison.

How do I choose a good, strong password? I imagine the longer it is the better?

Size does indeed matter but so does entropy (see also my post on randomness and its importance for secure cryptography). One good and easy method to use comes from the good people at Diceware . What’s important is that you have a good mix of numbers, letters and symbols in your password. Where possible I’d also recommend the use of keyfiles.

My computer is protected with a password already. Does that make it safe?

It depends what system you’re running. For most people the answer is likely to be no. A password screen might put off a casual intruder but a determined adversary like a hacker or a Police Officer wouldn’t be slowed down very much. It is possible to encrypt your entire system with either Truecrypt if you’re running Windows or LUKS if you’re running Linux.  Both Ubuntu and Linux Mint will give you the option to encrypt your entire system with a password when you’re first installing, which I strongly recommend.

Which encryption algorithm is the most secure?

If you’re unsure on this point then I would suggest sticking with AES which has become the industry standard. The other two heavyweights are called Serpent and Twofish. If you use Truecrypt or tcplay (see my post on this) then you can use all three together. The short answer is that none of these three have currently been broken. Serpent and Twofish are actually stronger than AES but don’t work as quickly.

OK, so do you have a personal favourite?

I I had to choose, probably Serpent. There’s also another Cipher called Anubis which is one I use for my most sensitive files, which was developed by the same people who created AES, although it’s stronger. Please bear in mind this is just a personal preference!

What’s the no. 1 thing I can do to keep my data safe aside from switch to Linux?

This is the point where some self styled security guru smirks and says, “Go live in a cave!” – Which is silly and unhelpful! I would suggest that you use system encryption as outlined above, also make sure that you’re the only one who uses your device if possible. Finally head on over to the Tor Project website and use their browser when you’re accessing sensitive data online.

How can I make sure my e-mails aren’t being intercepted?

It’s difficult to stop them from being intercepted but you can make the interception a moot point by using GPG to encrypt them. My favourite program for this is called GPG4USB. As the name suggests not only can you store the whole program safely on a USB stick but there are some excellent tutorials on the website which will introduce you to some of the basic concepts of public key encryption as it’s called and help you get started. If you want someone to try it out on, please feel free to send me an e-mail using my public key above.

How can I be sure that people aren’t listening to my phone calls?

This is one of those situations where I have to agree with the pony-tailed middle aged self styled gurus – you can’t. The signals on your phone are relayed back to a central processing centre before being sent elsewhere. If the Police want to listen to your calls they can just ask your phone company to start recording them.

Your best bet is to either use an encrypted VOIP solution like Ostel or RedPhone if you’re using an Android phone which will work over the internet. I am wary though about putting my voice over the airwaves. Unless there is a special reason why you need to talk to someone over voice, you consider using Off the Record Messaging such as that used by Pidgin. Implemented properly you could even use Facebook Chat or Google Hangouts safely in this way.

Which e-mail provider offers the best security?

If you look into this you’ll find there are any number of websites out there offering supposedly secure e-mail. One such provider a few years ago was Hushmail which supposedly encrypted all e-mails to and from other accounts. Unfortunately a few years later the local Police got antsy about this and Hushmail promptly handed over all the data they asked for.

What we learn from this is that a provider needs to be based outside a jurisdiction where they can be required to retain data about you or hand over e-mails. You can also help the situation by creating and using the e-mail address only via the Tor Browser (make sure you turn javascript off by following the instructions here) and make sure you encrypt the e-mails yourself (see above post about GPG), rather than relying on another company to do it for you.

What about pen and paper ciphers? Can you use them to safely send a message?

Although most classic ciphers can be broken by computers in seconds, I am still a big fan. Aside from the fact they’re fun(!) it helps you to think along the same lines as a code breaker, which helps you stay safe.

To answer your question, there’s no reason why you can’t combine a hand cipher with more modern forms of cryptography to add another layer to your security. Also you can use it to encode passwords. Even a simple Caesar Shift cipher would make sure that your password contained no ordinary words, making a dictionary attack much more difficult.

To answer the original question though, there are still hand ciphers which cannot be cracked easily by computers. The Solitaire Cipher which works using an ordinary deck of cards to generate a One Time Pad is unbreakable provided the cards are kept in the right order, are randomly shuffled and are kept out of the hands of an adversary.

Book Ciphers  work by numbering the words in a piece of text and then encoding a message that way e.g if the 3rd, 17th, 29th and 67th words in a book were LET’S MEET AT EIGHT, you would write 3-17-29-67. This would be very difficult for even a supercomputer to crack without a digital copy of the book in question. As with a one time pad the security of this system depends on keeping the identity of the book a secret. The more often you change the key text the better. Of course you can increase security by penning something yourself such as a treatise on butter production in Bangladesh and only share it with those people with whom you want to communicate.

Hand ciphers can of course be sent by mail which is more difficult to intercept than asking the phone company to bug your line. If this is the way you want to communicate, I would suggest you meet up with your friends/colleagues to agree on a nomenclature e.g you could decide to give your local train station the name ‘Ruby’ so when you say in your message, MEET AT RUBY, the meaning is obvious to your friends but not to anyone else.

I’m interested in Cryptography, can you recommend any sources/links?

Certainly, I’d suggest reading Simon Singh’s Code Book which got me hooked initially as well as David Kahn’s The Codebreakers.

In terms of more modern concepts, I’d suggest Bruce Schneier’s Cryptogram newsletter, the Security in a Box website, although be warned some of the info there is a little dated and also the Security section of the StackExchange website.