Crypto toolbox, Part I I think I was about 15 or 16 when PGP was making headlines for being classified as munitions by the US government and was (supposedly) banned from export. While I wasn’t a subversive type at the time, I got a very strong sense that any software that scared the mighty USA so badly was something I ought to play with and try to understand – even if I didn’t need it.
Coming up to nearly the present day, I have fallen into a personal and working relationship with investigative journalist and occasional Reg contributor Duncan Campbell.
Among other things, such as interpreting tedious corporate MS Access databases for our work on the Offshore Leaks tax haven investigation, and now getting involved with his forensic IT work, I ended up being personal tech support for anything Duncan can't sort directly or doesn’t have the time to research. This has also led me to presenting the technical side of our work on Offshore Leaks at a couple of journalism conferences.
And then Edward Snowden, Laura Poitras and Glenn Greenwald changed the world. Or perhaps they just revealed that we'd been living in a fantasy world for a good long while.
Suddenly, Duncan “Echelon” Campbell was getting back in to serious top-tier investigative journalism again. And my opinion and assistance were sought on the tools people were telling him to use.
After I assisted some of The Register's team with the necessary crypto tools to discuss Duncan's recent articles securely, group editor Joe Fay approached me and asked if I would write something myself about the tools and how they fit together.
It should be noted that these are not the only potentially suitable tools – just the ones I'm directly familiar with. There are some alternative options at Reset The Net's Privacy Pack site.
The tools I'm going to outline here are not going to improve your productivity. They aren't here to make your life easier; rather, they're to make the lives of anyone trying to snoop on your stuff harder. If you have a big team project and nobody apart from one or two crypto-fans have ever used PGP before, the feel-good factor that might be gained from being all techno-futuristic will be very rapidly overshadowed by the feel-bad problem of not getting any work done.
At the point I joined the team for ICU’s Offshore Leaks project, Duncan had just finished winning an internal battle about the use of PGP. Specifically, convincing everyone NOT to use it.
If you have a big team project and nobody apart from one or two crypto-fans have ever used PGP before, the feel-good factor that might be gained from being all techno-futuristic will be very rapidly overshadowed by the feel-bad problem of not managing to get any work done.
Duncan wisely pointed out that the threat model for the project did not include governments – as we understood it, they had already received the same data we were working with and reporting on. So, there was no need to go to Defcon 1 in order to try to keep them out. A slow and convoluted manual PGP-and-email arrangement was replaced with a dedicated private forum system (provided by team member Sebastian Mondial) which was invite-only and delivered over SSL – but not specifically trying to be secure against government-level adversaries.
However, during the preparation of Duncan's recent articles about NSA GCHQ and the Snowden papers, all of the top-tier tools were absolutely in play.
Don't feel you have to use the tools in this article at every possible opportunity. Consider who you're trying to keep secrets from when deciding how much extra effort to go to.
Local storage: Truecrypt
Truecrypt can encrypt an entire physical drive (HDD, USB flash stick, whatever you like), or you can create a "container file" of a fixed size to hold the data you want to store securely. When you run Truecrypt, enter your password and mount your encrypted volume, it shows up as a new drive on whatever drive letter you choose.