What if your threat model is NSA, FBI, CIA?

What if your threat model is NSA, FBI, CIA?
What will be your privacy setup?

Laptop:
OS:
Phone:
Phone OS:
VPN:
Email:
Encryption Tools:
Cloud Storage:
Search Engine:
VM:
Online Payment:
Anything else:

1 Like

Laptop: don’t use
OS: Whonix
Phone: Pixel (I don’t recommend using a phone)
Phone OS: Graphene (I don’t recommend using a phone)
VPN: use Tor
Email: don’t use
Cloud: don’t use
Search engine: DuckDuckGo
Payment: Monero
Anything else: get out of the US

2 Likes

You do better than Osama Bin Laden’s opsec

Pixels belong to Google, and a leaked NSA document said they worked together with Google under the PRISM project, and they have direct access to Google’s database. And if I’m not mistaken, phone privacy is more related to hardware and firmware than to the OS. Also, the PRISM project is intended to put non-US citizens under surveillance, so getting out of the US will help, but will not solve the problem.

Do you think Tor can protect us from trackers?
Either fingerprint-based trackers or cookie-based trackers.
I think it obscures our IP and geolocation only.

And why not use email, cloud, encryption software?
I thought some countries are trustworthy in terms of privacy,
for example: Panama, Canada, Switzerland, Norway, etc.
We can use their email, cloud and services.
Do you think the NSA can decrypt encryption tools?

I wonder how North Korea manages to protect its privacy while the whole world puts it under surveillance. For example: the eyes.

For the Pixel you should find a reseller, and North Korea doesn’t even have an internet. We all trust encryption tools, but I don’t trust emails or clouds because you can’t trust a 3rd party with your data; just put it on some USB. Also, emails leak metadata and don’t support forward secrecy, so use instant messengers instead.

Why a reseller? To buy a second-hand Pixel? So Google may consider it someone else’s phone?
But after we use some apps to communicate with people, or after we insert a card, then somehow I think it will be identified as a new person.

Some 3rd-party clouds use end-to-end encryption; not trustworthy?

Umm, to prevent Google from knowing that you bought the phone?
Well, you did say your threat model is NSA, FBI, CIA, so it’s better not to have your data stored somewhere.

Do they use real PGP? Like, you are the only person who has the key? Also, can I ask the name of that provider?

Okay, that actually makes sense.

Okay, this one makes sense too: we don’t have the key, they have it.
For example: Sync, Tresorit, NordLocker

Maybe start with Librem Phone built in US. I truly can not afford it.

Consider, https://theintercept.com/2020/06/15/protest-tech-safety-burner-phone/

Which mentions a phone that is now several years old. I also have found that some companies continue to use the same model number for a device while changing some of the component parts.

The phone uses Android, which some folks who are more knowledgeable than me think can be configured to be safe. But is that for privacy, or real security?

I have just noticed the post here, someone advocating installing GrapheneOS on a Pixel phone. https://evanmccann.net/blog/snowden-smartphone Interesting, https://grapheneos.org/ I may do that myself.

Some suggest use only phones, with software like Signal or . . . .

There is a fictional book about a character who lived through these questions.

“Little Brother” by Cory Doctorow. Available free on Gutenberg. https://www.gutenberg.org/ebooks/30142

Or for purchase.

I have a problem with much security advice, in that it is dated. Someone is saying do this, and the information is old enough that, as time goes by, that tidbit is no longer safe.

For a computer. There is Qubes, and for single use messages, I would think of Tails Linux, with end to end encryption.

Qubes takes some time to learn how to implement and use. Qubes is more about privacy, and preventing one’s OS from being insulted by malware, unless one does very knowledgeable, many hours of studying how to implement it to create security.

Tails is small and runs from a USB flash drive. It has its own documentation on how to safely use the product. Tails uses Tor. Tor was originally written by the US Navy. I read it is partially funded by the US Government. For use by whistleblowers. The maintainers of Tor and Tails appear to be an international group who are computer competent, and not in support of any government. And I am pretty sure they do not want their project to be used to help violent people do violent things.

EasyOS is from Barry Kauler, the Puppy OS founder. Might be interesting to try. But I do not feel it is tested by a large number of people. It is more about using EasyOS and it not being penetrated by others. Not high security.

For those who are much more experienced than I, Pen Testing versions of Linux.

I would not do highly secure communications from home, as that is where your ISP can watch, or even manipulate what you do. Some might point out some highly specialized Routers meant to keep ISP out of your business. I do not know anything about that, and such Routers are not cheap.

A lot of places which offer free WiFi have services provided by companies, like AT&T, which are known associates of the NSA. And by using public WiFi, you are giving up some of your legal protections. But if you have provoked three letter agencies, then they can get a FISA warrant for your communications. If I was a FISA judge, and some Justice Department lawyer brought me a FISA warrant to sign, I would have a very low threshold to signing the warrant, because as a judge, I would choose to believe the three letter agencies are good guys who will do mean or unnecessary harm to anyone. Some folks do not believe the three letter agencies are such well meaning people of good integrity.

I suspect in this age, any cyber company would roll over if pressured by government agencies. Cyber Companies may have “Canaries,” and will adhere to their principles. Promises they have not given up their stated principles, and want to adhere to them, but when government agents come, the government has given them laws they can enforce.

I would build a personal ‘recipe book’ of how to, to keep track of what computer or phone procedures I will do in what situations. There is an old adage about breaking codes, most codes are broken in practice, not in theory. Meaning the math of encryption may be unbreakable for all reasonable purposes, but there are other ways to gain entry to you. Like your using the wrong connection at the wrong time. Beware, online advice for security procedures can be dated.

Avoid doing things to provoke the three letter agencies. Like violence, illegal behavior. is part of volunteering to be watched, and interfered with.

What I am concerned with, is; Finding a means for those who are, like Chinese Dissidents, who want to document the wrong doing of power structures. Or Hong Kong protestors, reporting on their situation.

They need a single, one time download, which includes advice about what not to do. How to be safe as well. Preferably that they could obtain from someone else trustworthy who downloaded it.

If I was advising a would be Cyber Journalist in China about trash mouthing the Chinese Government, or other power structure, like a Chinese company. “Don’t” The odds of being caught are too great. I doubt the NSA are a bunch of slouches.

LAPTOP:
This may sound creepy and weird, but if your laptop has a webcam built into the screen, cover it with tape :slight_smile:

OS:
I would use Tails, or Void Linux. The Slackware guy seriously needs to build a package manager but I don’t think he wants to … whatev

PHONE:
lol…I wouldn’t carry one :slight_smile: If it’s just meta-collection avoidance - then ya I’m sure it would be fine to carry one… something not a smartphone :slight_smile:

  • Prepaid.

  • Also feel free to change your phone number on a whim. It’s pretty cheap to do.

  • About phones in general: they ping the cell phone towers much like the way some OS’s sometimes check the time via the internet lol

  • If you’re using a phone that allows you to take out the battery, then you can do that as well. It is not necessarily uncommon for certain ppl to take out their cell phone batteries when having a meeting that…ppl want to spy on.

  • lead shields/prevents phone communications. ever wonder why u don’t have cell reception in elevators sometimes

PHONE OS:

  • lol so if you need a smartphone, at least encrypt your photos stored on your phone…
  • also disable wifi & bluetooth when it’s not in use…or even airplane mode.
  • Also those cameras built in…probably need tape over them :slight_smile:
  • If you think someone may be eavesdropping on the data leaving your phone before it hits the servers: VPN and/or Tor on your phone as well
  • don’t forget to scrub/make sure there is no EXIF data from pics :slight_smile:
  • ever wonder if your phone’s keyboard makes http/https requests each time you type on the virtual keyboard?

VPN:
Tor instead

EMAIL:
either none or one that allows you to sign up via Tor :smiley:

ENCRYPTION TOOLS:
GPG/PGP

CLOUD STORAGE:
lol no, but if you need to - just encrypt it first before uploading :slight_smile: something at least 512 bit

SEARCH ENGINE:
I would use duckduckgo.com/html or a nice searx instance, or even metager, maybe mojeek (all over tor)

VM:

ONLINE PAYMENT:
lol … I think the crypto payment ppl can answer this one better

ANYTHING ELSE:

  • P2P whenever possible with a tor proxy is pretty nice. That is cozy :slight_smile:
  • <3 self-hosted as well :slight_smile: You can actually even use mumble with a tor proxy XD
  • A nice firewall (I use ufw & gufw)
  • run a packet sniffer too :slight_smile:
  • if you’re using firefox brand mozilla, then try an experiment: run a packet sniffer monitoring ports 80, 8080, and 443 and then start up firefox, type something in the url bar like ‘a’ and without pressing enter - check the packet sniffer :slight_smile:
  • dont use password123! as your password to anything XD
  • i only like 2FA with the random number generator key-fob, but not the phone number type :slight_smile:
  • your own instincts can probably guide you as well… like if you sign up to something and you think…“why do they want my phone number for ?” why does this site not work over tor (lul), why does the website break with js disabled, why are there so many captchas, why does my OS check the time via the net all the time when it does desync with NTP disabled, etc…

The world often tries telling ppl they need things that they truly do not need; they tend to be things or practices that spy on you. Amazing idea: pay for things in cash. Oh does your car have a GPS, wow imagine that - you can look up online how to disable it :smiley:

once you go technologically black, you don’t go back (?) :o
hehe one of these shapes is not like the otherssss

DO YOU THINK NSA CAN DECRYPT ENCRYPTION TOOLS ?
My impression is they can get past SSL/https and VPN/SSH connections
I would like to mention something else tho about encryption… quantum computers are advancing so… it’s not a great idea to rely on something less than 512-bit encryption for this reason alone

oh btw, ever wonder if anyone can hack your car ?

I WONDER HOW NORTH KOREA MANAGED TO PROTECT ITS PRIVACY:
I don’t know, BUT…if I were a dictator I would likely be doing the following:

  • Underground facilities to protect from satellites, …ideally lined with lead walls to prevent communication surveillance as well as from other satellites, lenses.
  • get a nice national firewall
  • ban microsoft and zoom lol…
  • ban smartphones or create my own national-brand smartphone
  • ban GPS in vehicles
  • any sort of import i would have electronically scanned to make sure they are not emitting any sort of radio waves
  • def close borders with lots if not all countries lol
  • enforce strict cybersecurity measures across all government agencies
  • i would also develop my own national internet across the country in case the regular global internet is ever disconnected or shut off

oh and i would get a pretty box on my desk made of gold that is lined with lead inside so i can keep my cell phone in there whenever in doubt

aaaand i would also invest a lot of money into emp-based weapons to disable things like drones, planes, etc and i would be like “tehehehehe good luck outrunning an emp pulse”

anything of any importance would of course be underground and i would make sure there is a nice subway system too

3 Likes

As I said above, North Korea doesn’t have an internet; I can confirm as a South Korean.

o thnx thats good to know

ya i’m not korean at all

Thank you, that’s very juicy.

To check for a keylogger?

Do you have a suggestion for the authenticator app name?

If not mistaken, GPG is the standard encryption, installed by default in most Linux distros.
So, between many options, why choose this one?
Or maybe they all use the same algorithm options?

Suggestions so far:

  • Laptop: cover laptop’s webcam
  • OS: Whonix, Qubes, Tails, void linux
  • Phone: Pixel, Librem, use a non-smartphone, take out battery, encrypt data inside, airplane mode, tape over camera, VPN, Tor, Signal, root Android, remove all Google-related apps then unroot, use GlassWire packet sniffer
  • Phone OS: Graphene
  • Messenger: Signal
  • VPN: IVPN
  • Browser: Tor
  • Email: use one that can sign up via Tor
  • Encryption: GPG/PGP (RSA 4096 bits)
  • Cloud storage: preferably none, but encrypt with not less than 512-bit encryption, to surpass quantum computers
  • Cloud service:
  • Search Engine: duckduckgo, searx, metager, mojeek
  • Video Conference:
  • Payment: monero, crypto, cash
  • Anything else: P2P + Tor proxy, nice firewall (ufw, gufw), packet sniffer, strong password

Test:

  • run a packet sniffer monitoring ports 80, 8080, 443, open Firefox, type something without pressing enter, check the packet sniffer

Email cons:

  • leak metadata

I have no problem with the 3 letter agencies; I use them as an imaginary threat model case example only, with the expectation of figuring out the maximum solution for privacy and security, considering that in terms of technology they may have the most advanced surveillance technology.

VPN: IVPN, but remember to sign up using Tor and pay with Monero

1 Like

“If not mistaken, GPG is the standard encryption, installed by default in most Linux distros.
So, between many options, why choose this one?
Or maybe they all use the same algorithm options?”

Well, GPG allows for up to, I believe, 4096-bit encryption with RSA. It has also been tried and tested and widely used and made by a very smart guy. (It’s good to use 4096 bit because quantum computers are advancing.)

Despite certificate passing, it’s handy and convenient - you can encrypt plain text, files, etc.

I encrypt EVERYTHING lols so if there is anything better I would love to know as well.

lols, now I’m scared about your data.

umm, because in most of the best-encryption lists I search, it is rarely listed as the first one.

okay, so can we conclude that the bits are more important than the algorithm?
or maybe, choose the algorithm that can provide the most bits?

Choose the algorithm and use the highest bit

1 Like

I recall one of the features of GPG/PGP is that for communication, it has a WOT, “Web of Trust,” to help me list on my own keychain whether I trust (should trust) the public key from another person.

Tails Linux has some documentation written about how to use WOT.

I know that GPG/PGP has other encryption schemes, in addition to different sizes of keys. My hunch is that those who really know encryption, put their best choice first.

A site which describes the intricacies of using GPG/PGP is https://riseup.net/en in a more secure manner than some here mention. Notice the documentation on SubKeys.

riseup.net advertises to be an advocate of non-violent Anarchism, and who has rolled over to give up those on its own encrypted email server. Notice riseup does warn people. This is encrypted but.

I think it has been mentioned that some believe that a USB fob should be used to create a key. I am thinking this is using (something similar to) NitroKey. Rather than use the “Randomizer” on the Mobo, which is usually tied to a corporate-made chip, like Intel. Meaning it is not obvious to me what Intel might have done, whereas NitroKey seems reviewed by a lot of security experts. To be fair, I don’t see security experts who criticize the randomization function of the Intel chip. I could be wrong, anyone know better?

I am curious about the statement “North Korea does not have internet.” I had thought the ordinary North Korean does not have Internet. The North Korean government does, and has some hackers working for the government.

Insofar as Lenovo being suspect for allowing their computers to be pawns to the Chinese government.

I see this story: https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html

Other texts suggesting that the only thing Lenovo did wrong was to allow a bit of Spyware onto their system, which has since been removed. That the Bloomberg story was wrong. ? Or referring to a different incident/story?

Also some story about Servers having spy chips added.

If you want to hide your cell phone from being seen, besides pulling the battery, you can buy EMP electrostatic bags. Might be better or worse than a “Potato Chip” bag like was used in the movie “Enemy of the State.”

I am a fan of nested Encryption folders/discs on hard drive. Such as, the hard drive is encrypted, then Documents has a folder which is Encrypted, and inside that I have groupings like my record of communications with the “Big Giant Head,” And my clandestine communique with the Martians. (I think the “Big Giant Head” may have a dispute with the Martians, best they don’t know I talk to the other.)

In the early 2000s, US television rumored that when terrorists came to the US, they communicated to their handlers overseas by logging into a website group chat, like say, knitting, and sent innocuous looking phrases that had special meaning - meaning.

I am sure I am inaccurate in some of what I posted. Please keep others from believing me.

I do not advocate the internet be used to try and create harm to ordinary people, and by extension, legitimate government. I do advocate that individuals, such as college students be able to do things like create ideas which can be profitable, and should be profitable to the one person who created the idea. And to be prepared to keep the ideas of the companies they work for in the future to the value and use of the company. So Encrypt Away.

Oh just found this: https://www.schneier.com/blog/archives/2013/09/surreptitiously.html

Which bottom lines to the Intel processor Randomizer used by, I thought GPG/PGP, has been reduced to 32 bits. Maybe I better get all the coins out of the couch to buy a USB tool that does Randomization for me.

is the following annoying?
