apple juice

Revelations about the NSA’s practices continue to be released, and each additional leak is more and more disturbing to me. It’s not disturbing to me in the sense that I have secrets that I need to hide from the government. Rather, I think it serves as a big wake up call about how a democracy should work, all of our safe-computing practices in general.

I believe in the liberty of your thoughts, writing, and communications. I don’t think any of us want to have all of our letters opened by the postal service, our library lending history turned over to the NSA or our Amazon.com shopping history shared with the government.

It is important to remember that emails are plaintext (like postcards), your SMS messages, and unencrypted browsing sessions are all out in the open. What you share on Facebook, on twitter, on your blog (hah!) are essentially public information.

In conjunction, there is a big difference between communications you intend for your friends, loved ones, colleagues, and the communications you intend for the public internet. Given this, we should treat these different classes of communications differently.

Finally, many of us carry a computing device with us at all times. These devices typically carry our entire address books, email, social networks. In short, our digital lives.

So, I’ve been reading a lot encryption and security recently (some people in this house might say I’ve been a little obsessed) and I wanted to share a few easy things that I think can enhance your computing security. These essentially fall in to two categories – physical security and data security.

Physical Security

The physical security recommendations I have are pretty simple:

• Put a passcode on your phone and tables. (How to add a passcode on iPhone or iPad)
• Turn off auto-login on your laptops and desktops, and enable the screen-saver lock. (System Preferences -> Users & Groups for the auto-login setting. Security and Privacy for the screensaver lock)
• Use FileVault or similar on your laptops and desktops.

FileVault is a feature I recently enabled on our computers. Basically it encrypts the entire hard drive so that if someone stole your laptop, they would be unable to extract any information from it. Apparently, people in the security community are unsure if there are NSA backdoors in FileVault, but for your average thief, it’s going to prevent your information from getting out there.

If you decide to enable FileVault, make sure you copy down the recovery key – there is no way to recover your data if you forget your password or lose that key. I’ve printed it (on paper) and stored the key in a safe location.

The other two items are common sense to me, but according to Apple (when they released the new fingerprint login feature, so appropriate skepticism applies) only 50% of people put a passcode on their phones.

Now as far as the security of your data in transit, things get a little more difficult, as each type of communication is a little different, and has serious tradeoffs.

Email, Chat, Text Messaging, Web Browsing

I’m only going to recommend things that I actually use. One could go crazy, using Tor all the time, but I find it to be a bit over the top.

Web Browsing
Install the https everywhere plugin for Firefox or Chrome. This will encrypt your browser communications wherever possible. Simple.

Email

I’m using GnuPG/PGP – but no one else is. Well, not no one, but basically no one I know and communicate with regularly. And why not? Perhaps because it has a couple flaws in day-to-day use:

1. Your phone/tablet probably can’t read the encrypted message easily. There are solutions I have not explored yet. However, the first post I found regarding Android phones was 19 steps long. The post concludes with, “Thats all it takes”. Unfortunately, this is about 16 steps longer than most people will endure.
2. If you want to read your email via webmail (Gmail, perhaps) you will have a very hard time doing so.

And yet, Email is important to me. Emails to friends and family are basically letters, and when I write a “real” email, I think it carries nearly the same weight as an actual handwritten letter. Granted, there are plenty of throw-away emails sent, one-liners probably better suited for chat or text messaging, but email still holds a reserved spot in my mind. I’ve decided I’m going to stop abusing my email (at least personal email – what do I do about work email?)

So, if you are on a Mac, I invite you to check out GPGTools. It is fairly straightforward, they have a nice “Where do I begin” setup guide and GPG Tools will integrate with a variety of Mac mail clients.

Basically, once set up you can sign or encrypt your email. Signing sends the email in plaintext, but allows the recipient to confirm that it came from you and was not modified in transit. Encrypted email does the same, and prevents it from being read in transit. Signed emails can be read on the phone or in webmail, but they include a little block of text with the digital signature.

I put up a new page containing my PGP Public Key, if you’d like to add it to your keyring and communicate with me over email securely, please do. It’s kind of fun in a James Bond-ian way as well.

Chat and Text Messaging

If you’d like to encrypt your instant messaging, download the free Adium for Mac (clients for Linux and Windows exist as well) and enable the encryption feature. Works like a charm.

If you use iMessage (the blue bubbles) on an iPhone, iPad or Computer, your chats are encrypted in transit. Yay! SMS messaging is in plaintext, so between devices, one would have to use a cross-platform messaging app. Too much trouble, I’ll deal with the plaintext nature of these communications.

Summary

There are fairly simple ways to increase the security of your computing, I hope you’ll join me in creating a more secure environment for yourself.

Tons of additional information is available on the subject, but here are a few final resources:

The Electronic Frontier Foundation
Wikipedia: Pretty Good Privacy
Gnu Privacy Guard

Update

I wrote up this entire post, and then found iPGMail, which appears to be a solution for reading encrypted mail on your iPhone. If so, that would solve one of the major hassles with encrypted email.