Getting Paranoid

Given the recent NSA scandals, the discussion and other events, it’s time to improve my IT security and privacy a little. A good resource to find software is

Criteria for the chosen apps are:

  • works on Mac and Android, as this is what I use
  • preferably works on Windows, Linux, iOS, whatever, as others need to use it as well
  • should not involve spending weekends debugging obscure programs
  • should be easy to use

As you might want to do something similar, here is what I currently use:

Secure Communications

On my Android phone I have installed TextSecure from Open Whisper Systems. This replaces WhatsApp, Threema, … as a secure instant messenger. It is end-to-end encrypted, open source and seems to be audited. It was recommended by Edward Snowden. For iOS this app is called Signal.

Voice Calls

As an alternative to Skype there is RedPhone, which does encrypted phone calls. This was also recommended by Edward Snowden. When you route the calls through the Tor network this seems to be the most secure communication currently available for free. RedPhone is also integrated in the iOS app Signal.

GnuPG (an open source implementation of the OpenPGP standard) is very good for signing and encrypting e-mails. For the Mac I use GPGTools together with Enigmail, a plugin for the Thunderbird mail client. On Android I use K-9 Mail as mail program, together with APG as GPG tool (although it hasn’t been updated in the last 1.5 years, it’s the only tool I got to work easily). If you want to communicate with me encrypted, please find my key with the ID AB0DB4F5 on any keyserver. An 8-character key ID like this is short enough that someone can generate a different key with the same ID, so compare the full fingerprint with me over another channel before you trust the key you fetched.

Other Tools

I used to have too few passwords for all the web pages, mail accounts, etc. As my Amazon account got hacked once (nothing happened, but I had to change the password immediately), I finally understood that I need more, and more complicated, passwords. I am currently trying out a KeePass implementation called MacPass on the Mac and Keepass2Android on my mobile. According to the intarwebs, syncing the database file via a cloud service is not problematic, as it is strongly encrypted. However I am not 100% sure about that… What the encryption actually buys depends on the master password and on the number of key transformation rounds: anyone who copies the synced file can try passwords against it offline, as fast as their hardware allows, so a short or dictionary master password falls no matter how strong the cipher is. A separate KeePass key file adds a second factor, but only if it is never stored next to the database. Probably I will keep the file local on my Mac and create a small subset of the entries I need on the go on my phone.
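To make the offline-guessing point concrete, here is an added example (not the author's setup and not KeePass's own code or file format): a stand-in vault whose key is stretched from the master password with PBKDF2-HMAC-SHA256 from the Python standard library, and the dictionary attack that anyone holding a copy of the synced file can run against it. The wordlist, the two master passwords and the key check value are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example, not KeePass code. KeePass derives the database key from the
# master password (plus an optional key file) through many rounds of a key
# transformation; PBKDF2-HMAC-SHA256 plays that role here so the example runs
# stand-alone. The "vault" only stores what a copied file would leak.


def derive_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password into a 32-byte database key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, rounds, dklen=32)


def make_vault(master_password: str, rounds: int) -> dict:
    """Everything an attacker gets by copying the synced file: the salt, the round
    count and a check value for the derived key (a real file holds encrypted entries
    instead of a check value; either one lets a guess be tested offline)."""
    salt = secrets.token_bytes(16)  # random per database, stored in the clear
    key = derive_key(master_password, salt, rounds)
    return {"salt": salt, "rounds": rounds, "key_check": hashlib.sha256(b"check" + key).digest()}


def unlock(vault: dict, candidate: str) -> bool:
    """The same test the client performs; the attacker can run it as often as they like."""
    key = derive_key(candidate, vault["salt"], vault["rounds"])
    return hmac.compare_digest(hashlib.sha256(b"check" + key).digest(), vault["key_check"])


def offline_dictionary_attack(vault: dict, wordlist) -> tuple:
    """Try every word against the copied file. Returns (recovered password or None, guesses made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if unlock(vault, word):
            return word, guesses
    return None, guesses


# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Passw0rd!", "correct horse"]

if __name__ == "__main__":
    import time

    weak = make_vault("Passw0rd!", rounds=1000)
    strong = make_vault("xK9#mQ2$vL7@pR4&wN8", rounds=1000)
    print(offline_dictionary_attack(weak, WORDLIST))    # weak master password: cracked in 5 guesses
    print(offline_dictionary_attack(strong, WORDLIST))  # random master password: (None, 6)

    # The round count does not stop a dictionary hit; it only sets the price of each guess.
    for rounds in (1000, 100_000):
        v = make_vault("Passw0rd!", rounds)
        start = time.perf_counter()
        unlock(v, "not the password")
        print(f"{rounds:>7} rounds: {(time.perf_counter() - start) * 1000:.1f} ms per guess")
```

Run it to see the weak master password fall within a handful of guesses regardless of the round count, while the round count only changes how long each guess takes; with a long random master password the same wordlist never hits. That per-guess cost is the knob that makes a synced file expensive to attack, and it only helps if the password is not guessable in the first place.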
2 Factor Authentication

Google and some other web pages already provide 2-factor authentication, where you have to type in a code sent by SMS in addition to your password. This is safer than a password alone, as an attacker also needs access to my phone in addition to my password. (SMS is the weakest of the second factors, though: whoever manages to take over the phone number receives the codes, so an app-generated or hardware-generated one-time code is preferable where a site offers it.) It can also be used for access to other things, like the password manager. I ordered a YubiKey, which allows authentication via USB and via NFC, so that I can unlock the password database on my PC and my mobile phone with this key. It can generate strong one-time passwords (Yubico’s own OTP scheme as well as the OATH HOTP standard used by authenticator apps; not to be confused with OAuth) to log into web pages, blogs, etc., which I will try to use as well. It has not yet arrived, but I will update this post as soon as it works. (Basically trying what this German article in Die Zeit says…)