Today, let's take a detailed look at the methods that informant and ex-NSA employee Edward Snowden used several years ago to contact journalists.
Encryption
Make sure that you are using end-to-end encryption specifically. In this case, the message will be encrypted on one end – say, on a smartphone and decrypted on the other-for example, on a laptop. No one, including your Internet service provider will not be able to decrypt your message. Compare this type of encryption with another type when you establish a connection through your provider, for example, over an HTTPS connection. HTTPS will protect your message from spies on the Wi-Fi network and from your communication service provider, but it will not be able to protect the message from the company on the other end of your connection for example, Google or Facebook or from law enforcement and intelligence agencies requesting information from these companies.
However, it is not enough to encrypt the correspondence, you also need to eliminate the fact of its existence. Let's see how to do this.
Concealment of identity
Imagine that Juliet is trying to get in touch with Romeo. They both know that if they use the phone, they won't be able to hide the fact that they've been in contact from their families. The trick is to hide the fact that they are Romeo and Juliet.
They decided to start new accounts for communication: Juliet took the pseudonym "Ceres", and Romeo took the name "Eris". Now they will be much more difficult to solve. However, this is not enough.
Juliet logs into her account under the name "Ceres" from the same IP address that she uses for other purposes on her computer. If its activity on the Internet is tracked, then it will not be difficult to compare a number of facts.
Anonymity
In order to hide her private correspondence, Juliet must draw a clear line between Ceres account and her real identity. To date, the simplest and most secure way is to use a decentralized, anonymous, open-source network called Tor. It is a decentralized network of arbitrary "nodes" - computers that transmit and execute requests on the Internet on behalf of other computers.
If Romeo and Juliet use the Tor network to gain access to their Eris and Ceres accounts, and if they exchange messages with OTR encryption, then they will finally be able to organize personal online correspondence, regardless of whether they are followed or not.
Hackers are all around us
From both sides: an attacker who tracks Romeo and Juliet's Internet traffic will be able to see that her traffic partially passes through Tor, but will not be able to understand what they are using it for. However, if you think about it...
From the chat serverside : the messaging service itself can track that someone with an IP address on the Tor network created the user "Ceres", someone with an IP address on the Tor network created the user" Eris", and both of these users exchange encrypted messages with each other.
Even after taking these measures, there is still a small amount of metadata that can leak out if you act carelessly.
Tor is not perfect
Tor can't always hide your identity, especially if you're already under surveillance. A Prime example is the arrest of Jeremy Hammond. The torus is not something supernatural; it is only a tool. The person who uses it should consider the activities of the FBI if they wish to remain anonymous.
Workstation security
If a hacker breaks into Romeo and Juliet's computers, they can find out what they were doing. You can reduce the risk of hacking your computer if you use a separate device exclusively for a secure connection, because the computer you use for everyday tasks will be much easier to hack.
In addition, you can use a tool such as Tails for personal correspondence . This is a portable operating system that can be installed on a flash drive and run anonymously from it, even if hackers break into your regular operating system.
First contact
In order to make first contact with Romeo, Juliet must create an anonymous account specifically for this purpose, which will allow her to contact Romeo's public account. She can poison Romeo with an email from her anonymous mailbox. Most email services require the user's phone number when creating an account, and some block access to all users of the Tor network, which makes creating an anonymous account more difficult.
When contacting Romeo for the first time, Juliet must specify the chat server where she created the account, her username, OTR fingerprint, and the time when she will be waiting for him online. In addition, she can give Romeo the necessary instructions to create an account, possibly by referring to this article.
Jabber and Off-the-Record
When I talk about "chat servers", I actually mean Jabber servers, also known as XMPP. Jabber is an open Protocol for instant messaging; it's not a dedicated service like Signal, WhatsApp, or Facebook. Jabber is a decentralized integrated application similar to email.
Since Jabber is decentralized, a user with a Jabber account is like [email protected] can correspond with [email protected]. But if both parties – Romeo and Juliet in our example-use the same server for their Jabber accounts, then the metadata of their correspondence will be better protected. Messages will be stored on a single server and will not be transmitted over the Internet.
Off-the-Record (OTR) is an encryption Protocol that can add end – user encryption to any messaging service, including Jabber. To exchange encrypted messages, both parties must use software that supports OTR encryption. There are several options: Adium for Mac users, Pidgin for Windows and Linux users, and ChatSecure for Android users. ChatSecure is also available on iOS, but the app is not fully compatible with Tor on iOS devices.
Choosing the Jabber server
The server will not be able to detect who you really are (you will connect over the Tor network) or what you write in your messages (you will use the OTR Protocol to encrypt your messages), so you don't need to worry about it.
Ready to get started?
Select the Jabber server. Create a username that has nothing to do with your real identity. Create a password that you don't use anywhere else. Create a Jabber account using the Tor browser. Now write down the details of the server where you created your account, your username and password, and proceed to the next section.
OTR on the example of Mac OS X
For this example, I created a Jabber account on the xmpp server.jp and took the username pluto1. Download and install Adium, a Mac messaging client that supports OTR encryption. Make sure that the Tor browser is open, otherwise Adium will simply not be able to connect.
Open Adium. After selecting the contacts window, click on the menu bar at the top of Adium and select preferences. Make sure that the "Accounts" tab is selected at the top of the window. Click on the " + " button in the lower-left part of the window to add a new account. Then select "XMPP (Jabber)"from the drop-down list. After that, a new dialog box will appear where you can set the settings for your account. Before proceeding to the next step, switch to the "Proxy server" tab (Connect using proxy) and select the "SOCKS5" type from the list, and enter the data of the SOC that you have available (you can get it in the Internet). Create a username and password for this account and enter them in the appropriate fields.
Go to the "Security" tab (Privacy). In the "Encryption" field, change the value from "Encrypt chats as requested" to "Force encryption and refuse plaintext". Go to the "Options" tab. Change the "Resource" field to "anonymous". In addition, in the "Security" section, check the box next to "Require SSL/TLS" (Require SSL/TLS).
Now go to the "Accounts" tab. Enter your Jabber ID. User name-pluto1, Jabber server name – xmpp.jp, so the Jabber ID will be written as [email protected]. Enter your password and click OK to log in to your account. Adium will now attempt to connect to your anonymous account via Tor. If everything goes well, your account should appear in the list of accounts with the signature "Online".
Encryption keys and fingerprints
Anyone who wants to use the OTR Protocol must generate their own key. This key is a file stored on the device that you use for messaging.
In the contacts window, click on the Adium menu bar and select preferences. Go to the Advanced tab and click on The encryption sidebar. Select your anonymous account and click on the "Generate" button to generate a new key. After completing the procedure, you will receive a new fingerprint with OTR encryption.
In our example, I created a new key using OTR encryption for my pluto1@xmpp account.jp с отпечатком C4CA056C 922C8579 C6856FBB 27F397B3 2817B938. If you want to start a personal correspondence with someone, tell that person your username and server name, as well as your OTR key fingerprint. After they create an anonymous Jabber account and generate an OTR-encrypted key, ask them to also provide you with their username, server name, and key fingerprint.
Adding contacts and personal correspondence
I'm trying to start exchanging private messages with my friend. He informed me that his Jabber account – [email protected], and the OTR fingerprint is A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE.
After I have created my pluto1 account, I want to add user pluto2 to my contacts. First, I select the "Contacts" window and then click on the "Contact" menu button and select "Add contact". In the" contact Type " field) I select XMPP, and in the Jabber ID field, enter "[email protected]". Then I click on the "Add" button to add the user to the contact list. I select his contact and click on the button" Allow me to add me to your contact list " (Authorize).
Before sending my message, Adium started a session with OTR encryption. Pay attention to the inscription "personality [email protected] not confirmed" ([email protected] ' s identity not verified). This means that during the exchange of encrypted messages, I cannot be completely sure that an intermediary attack will not occur.
Result
We created an anonymous Jabber account via the Tor network. We have set up an Adium messaging program and can log in to this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and checked their OTR encryption fingerprint. Now we can exchange messages with this contact with a fairly high level of information security.
Encryption
Make sure that you are using end-to-end encryption specifically. In this case, the message will be encrypted on one end – say, on a smartphone and decrypted on the other-for example, on a laptop. No one, including your Internet service provider will not be able to decrypt your message. Compare this type of encryption with another type when you establish a connection through your provider, for example, over an HTTPS connection. HTTPS will protect your message from spies on the Wi-Fi network and from your communication service provider, but it will not be able to protect the message from the company on the other end of your connection for example, Google or Facebook or from law enforcement and intelligence agencies requesting information from these companies.
However, it is not enough to encrypt the correspondence, you also need to eliminate the fact of its existence. Let's see how to do this.
Concealment of identity
Imagine that Juliet is trying to get in touch with Romeo. They both know that if they use the phone, they won't be able to hide the fact that they've been in contact from their families. The trick is to hide the fact that they are Romeo and Juliet.
They decided to start new accounts for communication: Juliet took the pseudonym "Ceres", and Romeo took the name "Eris". Now they will be much more difficult to solve. However, this is not enough.
Juliet logs into her account under the name "Ceres" from the same IP address that she uses for other purposes on her computer. If its activity on the Internet is tracked, then it will not be difficult to compare a number of facts.
Anonymity
In order to hide her private correspondence, Juliet must draw a clear line between Ceres account and her real identity. To date, the simplest and most secure way is to use a decentralized, anonymous, open-source network called Tor. It is a decentralized network of arbitrary "nodes" - computers that transmit and execute requests on the Internet on behalf of other computers.
If Romeo and Juliet use the Tor network to gain access to their Eris and Ceres accounts, and if they exchange messages with OTR encryption, then they will finally be able to organize personal online correspondence, regardless of whether they are followed or not.
Hackers are all around us
From both sides: an attacker who tracks Romeo and Juliet's Internet traffic will be able to see that her traffic partially passes through Tor, but will not be able to understand what they are using it for. However, if you think about it...
From the chat serverside : the messaging service itself can track that someone with an IP address on the Tor network created the user "Ceres", someone with an IP address on the Tor network created the user" Eris", and both of these users exchange encrypted messages with each other.
Even after taking these measures, there is still a small amount of metadata that can leak out if you act carelessly.
Tor is not perfect
Tor can't always hide your identity, especially if you're already under surveillance. A Prime example is the arrest of Jeremy Hammond. The torus is not something supernatural; it is only a tool. The person who uses it should consider the activities of the FBI if they wish to remain anonymous.
Workstation security
If a hacker breaks into Romeo and Juliet's computers, they can find out what they were doing. You can reduce the risk of hacking your computer if you use a separate device exclusively for a secure connection, because the computer you use for everyday tasks will be much easier to hack.
In addition, you can use a tool such as Tails for personal correspondence . This is a portable operating system that can be installed on a flash drive and run anonymously from it, even if hackers break into your regular operating system.
First contact
In order to make first contact with Romeo, Juliet must create an anonymous account specifically for this purpose, which will allow her to contact Romeo's public account. She can poison Romeo with an email from her anonymous mailbox. Most email services require the user's phone number when creating an account, and some block access to all users of the Tor network, which makes creating an anonymous account more difficult.
When contacting Romeo for the first time, Juliet must specify the chat server where she created the account, her username, OTR fingerprint, and the time when she will be waiting for him online. In addition, she can give Romeo the necessary instructions to create an account, possibly by referring to this article.
Jabber and Off-the-Record
When I talk about "chat servers", I actually mean Jabber servers, also known as XMPP. Jabber is an open Protocol for instant messaging; it's not a dedicated service like Signal, WhatsApp, or Facebook. Jabber is a decentralized integrated application similar to email.
Since Jabber is decentralized, a user with a Jabber account is like [email protected] can correspond with [email protected]. But if both parties – Romeo and Juliet in our example-use the same server for their Jabber accounts, then the metadata of their correspondence will be better protected. Messages will be stored on a single server and will not be transmitted over the Internet.
Off-the-Record (OTR) is an encryption Protocol that can add end – user encryption to any messaging service, including Jabber. To exchange encrypted messages, both parties must use software that supports OTR encryption. There are several options: Adium for Mac users, Pidgin for Windows and Linux users, and ChatSecure for Android users. ChatSecure is also available on iOS, but the app is not fully compatible with Tor on iOS devices.
Choosing the Jabber server
The server will not be able to detect who you really are (you will connect over the Tor network) or what you write in your messages (you will use the OTR Protocol to encrypt your messages), so you don't need to worry about it.
Ready to get started?
Select the Jabber server. Create a username that has nothing to do with your real identity. Create a password that you don't use anywhere else. Create a Jabber account using the Tor browser. Now write down the details of the server where you created your account, your username and password, and proceed to the next section.
OTR on the example of Mac OS X
For this example, I created a Jabber account on the xmpp server.jp and took the username pluto1. Download and install Adium, a Mac messaging client that supports OTR encryption. Make sure that the Tor browser is open, otherwise Adium will simply not be able to connect.
Open Adium. After selecting the contacts window, click on the menu bar at the top of Adium and select preferences. Make sure that the "Accounts" tab is selected at the top of the window. Click on the " + " button in the lower-left part of the window to add a new account. Then select "XMPP (Jabber)"from the drop-down list. After that, a new dialog box will appear where you can set the settings for your account. Before proceeding to the next step, switch to the "Proxy server" tab (Connect using proxy) and select the "SOCKS5" type from the list, and enter the data of the SOC that you have available (you can get it in the Internet). Create a username and password for this account and enter them in the appropriate fields.
Go to the "Security" tab (Privacy). In the "Encryption" field, change the value from "Encrypt chats as requested" to "Force encryption and refuse plaintext". Go to the "Options" tab. Change the "Resource" field to "anonymous". In addition, in the "Security" section, check the box next to "Require SSL/TLS" (Require SSL/TLS).
Now go to the "Accounts" tab. Enter your Jabber ID. User name-pluto1, Jabber server name – xmpp.jp, so the Jabber ID will be written as [email protected]. Enter your password and click OK to log in to your account. Adium will now attempt to connect to your anonymous account via Tor. If everything goes well, your account should appear in the list of accounts with the signature "Online".
Encryption keys and fingerprints
Anyone who wants to use the OTR Protocol must generate their own key. This key is a file stored on the device that you use for messaging.
In the contacts window, click on the Adium menu bar and select preferences. Go to the Advanced tab and click on The encryption sidebar. Select your anonymous account and click on the "Generate" button to generate a new key. After completing the procedure, you will receive a new fingerprint with OTR encryption.
In our example, I created a new key using OTR encryption for my pluto1@xmpp account.jp с отпечатком C4CA056C 922C8579 C6856FBB 27F397B3 2817B938. If you want to start a personal correspondence with someone, tell that person your username and server name, as well as your OTR key fingerprint. After they create an anonymous Jabber account and generate an OTR-encrypted key, ask them to also provide you with their username, server name, and key fingerprint.
Adding contacts and personal correspondence
I'm trying to start exchanging private messages with my friend. He informed me that his Jabber account – [email protected], and the OTR fingerprint is A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE.
After I have created my pluto1 account, I want to add user pluto2 to my contacts. First, I select the "Contacts" window and then click on the "Contact" menu button and select "Add contact". In the" contact Type " field) I select XMPP, and in the Jabber ID field, enter "[email protected]". Then I click on the "Add" button to add the user to the contact list. I select his contact and click on the button" Allow me to add me to your contact list " (Authorize).
Before sending my message, Adium started a session with OTR encryption. Pay attention to the inscription "personality [email protected] not confirmed" ([email protected] ' s identity not verified). This means that during the exchange of encrypted messages, I cannot be completely sure that an intermediary attack will not occur.
Result
We created an anonymous Jabber account via the Tor network. We have set up an Adium messaging program and can log in to this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and checked their OTR encryption fingerprint. Now we can exchange messages with this contact with a fairly high level of information security.
