SO YOU’RE TAKING A PHONE TO A PROTEST: PART 4

[ Previous Tech&Sec articles can be found on our website: https://unoffensiveanimal.is/category/technology-security-101/ ]

The situation is this: there is a slaughterhouse blockade. One of your aims is to create as much media as possible and to give updates on a regular basis. You want to use social media so that many people can see photos or take secondary action during the blockade (like calling the press, or pestering the business via email!).

Locking on (or even just being the “press contact”) at an action whilst a smartphone is logged in to your group’s social media is a sure way to give away A LOT of information to the cops when they decide to arrest you. Certainly, as we have previously discussed, you should not carry your personal phone, but if you must take a smartphone to a demo to take photos or videos and update social media, we should really avoid handing the login credentials, or the identities of comrades, to an arresting cop.

So how do we communicate, share updates and photos, whilst keeping people safe? Here is an idea that could work for you!

Consider communications first. On the one hand, you might want to keep in touch with someone you just met at a demo, but you sure do not want to give them your phone number!!! That would be a huge privacy concern! On the other hand, if you need to communicate with folks away from the action, keeping their numbers saved in a device that could (or will) be seized when you are arrested is handing over the details of your friends to the enemy.

How do we avoid that? We use an encrypted messaging app that does not need a telephone number to log in. Goodbye Signal, hello Session! Neither Session nor Briar needs you to give a telephone number to register an account. We would advise Session, simply because Briar is P2P (see our “let’s get encrypted” series on our website) and, depending on connectivity, messages or images might not get through. Session will allow you to keep in touch with someone you just met but might not trust, and it will also allow you to communicate with friends without having their telephone numbers saved in a phone that might get nicked.

Now, instead of you logging in to socials whilst locked on or whilst outside the gates of the slaughterhouse, let’s organise a third party to manage social media. They can have a Session account to which you send photos, videos, urgent calls for action or updates, and from the comfort of a cafe in the next city over, they can update social media for you. They can then pass on important information too, if someone sends intel to the social accounts or if somebody sends words of encouragement. Depending on the workload, that same person can be a press contact for the group (using a different device!).

Once the action is over, all burner smartphones should be destroyed, including the one used for social media. The filth really likes to throw conspiracy charges at journalists, so why risk it?!

TO SUM IT UP:

  • Don’t take your personal phone if you know you’re being arrested, or if there is a good chance that you will.
  • Use an encrypted messaging app that does not need telephone numbers, like Session.
  • Don’t log in to socials whilst in the demo, blockade or action.
  • Pass on information to someone else away from the action for them to spread the word.
  • Treat the devices used during the action (including the social media phone) as burners. Don’t turn them on near your home, and destroy them after the action is over!

We keep each other safe!

Your local anarchist cyber-counsellor.

SO YOU’RE TAKING A PHONE TO A PROTEST: PART 3

[ Previous Tech&Sec articles can be found on our website: https://unoffensiveanimal.is/category/technology-security-101/ ]

In the last episode we talked about burner phones and that you should not turn them on next to your personal phone. Today, we are going to discuss IMEI and IMSI, which should explain not only WHY you shouldn’t do that, but also why you should consider what other devices are around yours when you have your phone on!

IMEI and IMSI are both ID numbers. Whilst there are ways of spoofing them (making them different), they are not common for everyday activists, and for the purposes of this article we will treat IMEI and IMSI as unchangeable IDs, like human fingerprints! IMEI is the fingerprint ID of your device (a phone, a wifi camera, a tracker), whilst IMSI is the fingerprint ID of the SIM card installed in that device. If you have a phone and change the SIM card, your IMEI number will stay the same. If you buy a new phone but still use the same SIM card as before, you are transferring the IMSI number to a different device.

Both numbers are used by cell companies to identify who is requesting a call, a text or the use of data. They also have another use which is a lot more concerning for our privacy and security. Using those IDs, cell companies can triangulate the location of your device, even if location is turned off in your smartphone! The accuracy of the triangulation will depend on how many towers your device is able to connect to, which makes things somewhat easier in more built-up areas where there are more towers and a little more difficult in the countryside, where the triangulation MIGHT give a much more general location.

This location triangulation is used by the police regularly to establish whether YOU were at a specific location or not, or, in the case of less common locations, to check what devices were in the area at a specific time and narrow down the investigation to a few people.

If you pay for your phone with anything other than cash, the IMEI and IMSI of your devices are connected to your bank account, which means they are connected to your name and potentially your address. This is why we always recommend NEVER paying for phone credit (or any other cell service) with anything but cash.

It is also worth noting that the IMEI and IMSI numbers can be used to create associations between devices. Let’s say you want to meet with a friend, and you both take your phones with you, but leave them in your respective cars before going for a walk and a chat. If the cars are parked near each other, the filth is now able to deduce you two met. Equally, if someone is doing an investigation and uses a tracker, the tracker too has IMEI and IMSI IDs, so if they travel with their phone and the tracker on, those two devices are being registered by the cell towers as “together”.

Here are a few bits of advice:

  • If you must take your phone with you but you do not want the cell towers to triangulate your location, consider turning it off AND putting it inside a Faraday bag well away from your meeting point. This should stop all connectivity, thus stopping the tracking of the IMEI/IMSI.
  • Both SIMs and devices should be recycled regularly. Your IMEI creates a map of your locations and a map of your relationships, so sell your phone every six months and get a different one. If you’re buying used, you should manage to buy/sell with little loss or maybe a little profit! You should do the same with your SIM card and never transfer your actual telephone number. They should be refreshed at the same time.
  • Don’t carry trackers, wifi cameras or other SIM devices alongside your phone unless you are isolating them separately in Faraday bags.

Stay safe, and stay dangerous!

Your local anarchist cyber-counsellor.

SO YOU’RE TAKING A PHONE TO A PROTEST: PART 2

[ Previous Tech&Sec articles can be found on our website: https://unoffensiveanimal.is/category/technology-security-101/ ]

Burner phones are sometimes discussed, but rarely used correctly. We need to clarify what a burner phone is. A burner phone is a phone that aims to keep you as anonymous as possible, without leaking your personal details. A burner phone is a single-use phone. It is turned on, used for what you need to use it for, turned off and discarded. It isn’t a “field phone” or a “second phone”. It is a throwaway phone!

If you have decided you must take a phone to a demo but that taking your personal phone does not fit with your threat modelling, using a burner phone might be the best idea. A burner phone does not need to be a brick phone; it can be a smartphone (if you have sticky fingers or unlimited funds!), but if it is paid for, it should always be paid for in cash. The same goes for the SIM card inside the phone: you should buy one that does not require your details (for some folks this might even mean having to ask friends in a different country to send a few SIM cards!), and the credit inside should also be paid for with cash. Purchasing burner phones should be done away from your town/city and certainly away from the shops you frequent. You should also consider aging burner phones, so that you always have some in stock for when they are needed, and so that they’ve been purchased quite some time in advance.

Once you have acquired your burner phone, SIM and credit, you should understand that if you turn that phone on at home, that phone will ping your specific location, telling the phone provider where you live. For that reason, a burner phone should be turned on AWAY from your home and potentially even your city! Equally, you should remember that if you take your personal phone with you, then turn the burner phone on somewhere else and then leave your personal phone in the car to go to the demo with your burner only, those two phones have now pinged in the same location, defeating the whole purpose of using a burner phone.

You should never have the burner and your personal phone together. If you need to take a burner phone to a demo because you want to ensure you can call your comrades on OTHER BURNER PHONES they’ve set up in case everything kicks off, you must leave your personal phone at home, turn the burner on well away from home, and once the demo has ended, destroy the SIM and the device and get rid of it for good. It isn’t enough to turn it off and take it back home, even if you haven’t used it! If it’s been turned on and has gone to a demo, a riot or a spiky action, that phone must disappear.

This is for a very simple reason which we will discuss more in depth in future articles: your phone has an ID that tells the cell company where you are. If you think “well, I never used it so I’ll keep it safe for the next one” and then you are arrested with it at the next demo, they can now connect you to the last demo too! It is not enough to change the SIM card; you must get rid of both the card and the actual device.
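To show why both of these points hold (the device association described in Part 3 above, and the “changing the SIM is not enough” point here), here is an added example that is not part of the original article. It models the registration records a cell provider holds as a small constructed table and queries it the way the articles describe; every IMEI, IMSI, tower name and timestamp is a made-up placeholder, and the 15-minute co-location window is an assumption for the demo:

```python
from collections import deque
from datetime import datetime, timedelta

# Added example, not from the original article: what the holder of cell-tower
# registration records can work out from IMEI and IMSI alone. Every record,
# IMEI, IMSI and tower name below is a constructed placeholder, not real data.

# Each record: (timestamp, imei, imsi, tower). A handset registers with the
# nearest tower whenever it is on, whatever the phone's "location" setting says.
RECORDS = [
    ("2024-05-01 08:00", "IMEI-PERSONAL", "IMSI-PERSONAL", "tower-home"),
    ("2024-05-01 08:05", "IMEI-BURNER",   "IMSI-BURNER-1", "tower-home"),  # burner switched on at home
    ("2024-05-01 11:00", "IMEI-PERSONAL", "IMSI-PERSONAL", "tower-home"),
    ("2024-05-04 14:00", "IMEI-BURNER",   "IMSI-BURNER-1", "tower-demo"),
    ("2024-05-18 14:00", "IMEI-BURNER",   "IMSI-BURNER-2", "tower-demo"),  # same handset, new SIM
    ("2024-05-18 14:10", "IMEI-OTHER",    "IMSI-OTHER",    "tower-demo"),
]


def parse(records):
    """Turn the timestamp strings into datetimes; everything else is kept as-is."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), imei, imsi, tower)
            for t, imei, imsi, tower in records]


def sims_used_in(records, imei):
    """Every IMSI ever seen inside one handset: swapping the SIM leaves the IMEI unchanged."""
    return sorted({imsi for _, i, imsi, _ in parse(records) if i == imei})


def devices_at(records, tower, start, end):
    """Handsets registered on one tower during a time window (the 'who was there' query)."""
    t0, t1 = (datetime.strptime(x, "%Y-%m-%d %H:%M") for x in (start, end))
    return sorted({imei for t, imei, _, tw in parse(records) if tw == tower and t0 <= t <= t1})


def co_located(records, imei, window=timedelta(minutes=15)):
    """Other handsets seen on the same tower within `window` of this handset's registrations."""
    rows = parse(records)
    mine = [(t, tw) for t, i, _, tw in rows if i == imei]
    return sorted({i2 for t, tw in mine
                   for t2, i2, _, tw2 in rows
                   if i2 != imei and tw2 == tw and abs(t2 - t) <= window})


def associated_handsets(records, imei):
    """Transitive closure of co-location: the 'map of relationships' grown from one handset."""
    seen, queue = {imei}, deque([imei])
    while queue:
        for other in co_located(records, queue.popleft()):
            if other not in seen:
                seen.add(other)
                queue.append(other)
    seen.discard(imei)
    return seen


if __name__ == "__main__":
    print("SIMs used in the burner:", sims_used_in(RECORDS, "IMEI-BURNER"))
    print("Handsets at the demo:", devices_at(RECORDS, "tower-demo", "2024-05-18 13:00", "2024-05-18 15:00"))
    print("Linked to the personal phone:", associated_handsets(RECORDS, "IMEI-PERSONAL"))
```

With these records the burner is tied to the demo by its IMEI regardless of which SIM was in it, and the personal phone is tied to the burner (and through it to a third handset at the demo) by the single registration where the burner was switched on at home. Drop that one record and the personal phone has no link to any of it, which is exactly what the advice above is about.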

TO SUM UP:

– A burner phone is a single-use phone

– It should be purchased with cash, never card, and never where you normally mingle

– It should only be turned on away from your home and other devices

– It should only talk to other burner numbers

– If you’ve turned it on for a demo, you must destroy device and SIM before returning home.

In the next episode we will talk about IMEI numbers. If you have questions about burner phones, please drop a comment!

Your local anarchist cyber-counsellor.

SO YOU’RE TAKING A PHONE TO A PROTEST: PART 1

When going to a protest or an aboveground action there are risk factors to analyse before taking a phone. Sure, someone is doing social media and needs to take some photos, and sometimes we might feel vulnerable without a pocket device that can call friends if something happens and you are left stranded in the middle of a field. The issue is that telephones are little spying devices. They are able to spy on you live if they have been previously infected, and even if they haven’t, they hold so much information about you and your activity and behaviour that if they are seized when you are arrested, they can really unearth extreme amounts of information about you and your friends.

Over the next few episodes we will discuss different ways we can protect ourselves from harming our own safety or our comrades’ safety when handling technology at demos and protests. But remember that threat modelling is crucial: you should be able to analyse what your current threat model is and what the threat model of the action is, and make decisions about your best course of action relating to your phone!

To start with, even though we have talked about this multiple times in the past, we will give two pieces of advice that apply not only when you are going to a demo, but at all times:

1- NEVER USE BIOMETRICS.

FaceID and FingerprintID are incredibly convenient. You don’t need to enter a very long password to access your phone, and on a day-to-day basis it is difficult for other people to try and replicate your face or your finger! The issue is that there are huge vulnerabilities in using biometrics. In case studies, folks have managed to 3D print fingerprints from data or to fool FaceID verification with a flat photo. But do you know who has your fingerprint data as soon as you are arrested? The police.

This is not just about some sophisticated method to print and use your fingerprints either. Whilst passwords are memorable things and you could potentially forget your decryption password if you were to be forced by the police to decrypt your device, you are simply not able to forget your fingerprints or face. The police have been seen forcing people’s fingers onto screens to unlock devices or holding the heads of activists in front of the smartphone’s camera to trigger FaceID. YOU SHOULD NEVER, EVER, USE BIOMETRICS!

2- STRONG PASSWORDS ARE A MUST.

We have talked about this in the past, but your smartphone’s lock screen password is most likely your smartphone’s decryption key. You should have a long, alphanumeric password that you are able to remember but that would be very hard to guess. You can read more about how to create a smartphone password by reading “CREATING A SAFE PASSPHRASE FOR YOUR SMARTPHONE” on our website.

In future issues of “So you’re taking a phone to a protest” we will talk about burner phones, IMEI numbers, messaging and managing social media from a protest, not taking phones to a protest and more. Tune in for the next one and please drop a comment if you have any questions!

Your local anarchist cyber-counsellor.

HOW TO (NOT) USE INSTANT MESSAGING APPS (LET’S GET ENCRYPTED) – TECHNOLOGY AND SECURITY 101

By now you should’ve learnt about the key points to analyse before choosing an instant messaging app, the apps we advise against and three apps we like a little more, but there are a lot of nuances to add at the end of this series. In this last chapter, we will discuss how to use the applications and how you should analyse what you communicate online.

To start with, let’s quickly talk about threat modelling. Threat modelling is an easy way to understand what level of security you need. Someone who simply uses their phone for trivial things does not have the same threat model as a journalist reporting on human rights or as an activist targeted by the government. Because an increase in privacy and security comes with the tradeoff of less usability, one should understand their threat model and act accordingly.

When we have talked about applications that respect your privacy, they are very good at stopping big corporations from stealing your data, and moderately good at stopping governments from targeting the big majority of people. What we mean by this is that anyone talking to their friends about how good last night’s party was should avoid using Instagram Direct or WhatsApp, not because they are concerned about their security being compromised, but because those companies make a profit from selling our data, and the more technology self-defence we practise as a community, the less powerful those mega-corporations are.

That does not mean that you should discuss illegal activities on Signal. When thinking about what you should or shouldn’t say on a messaging app, ask yourself “do I ever want this message to be read in court?” If the answer is no, DO NOT send it.

No application is safe if there is spyware installed on your devices, which means that if your threat modelling marks you as a likely target for spear-phishing attacks by industry or governments, you should take extra steps, like only communicating about specific things face to face in a public space and not messaging anything online, regardless of how encrypted the messaging app is.

If you need to use technology to discuss things that you believe are a concern, you should take a few extra steps. Using a burner device that will be disposed of after the action, or after all the information has been gathered to write an article, might be a good solution. Throwaway accounts that are not connected to any identifying information like emails or telephone numbers (using Session could be a great idea for that) are also a useful option.

Within those communication apps, you can also toggle on screen security, which stops the application from allowing screenshots. This would help if there is spyware installed on your device that is trying to record your screen.

A quick note on “code” communication. There was a whole ass Cold War going on last century, with many intelligence agencies spying on each other. Your code words to describe situations (“There is a lot of lemonade in my shopping trolley”) will be easy to decipher for a judge, let alone an intelligence officer. Just don’t.

Ultimately, it is up to you to decide how much information you are putting on your device. Encryption means nothing if someone is directly spying on your phone, and if you wouldn’t say in front of a cop what you’re about to type to your mate, just don’t type it. Meet with them, have a chat whilst you walk around in the woods WITHOUT your phone and agree on your next meet up date face to face.

For everybody else who does not feel the government is a direct threat to their privacy, data companies ARE a direct threat to your privacy. This is a major problem that involves us all, and you should practice community self-defence. Ditch those spying apps from your phone and move over to stuff that respects you and your friends a little more. It only takes about a week to get used to a new application!

PRIVACY IS SELF DEFENCE!

UA Tech&Sec support.

PS: We spend a great amount of time and energy learning to teach the public about this kind of stuff. If you appreciate our work, please consider donating to our project. UA is everybody, and within all of us, we can make a platform that will hopefully help in the revolution. Monero and Bitcoin donations are recommended (find our wallet addresses on the website), but if you can’t we also have PayPal and Patreon.

Patreon: www.patreon.com/animalliberation
Paypal: unoffensive_animal(aatttt)tutanota(cddddot)com

CHOOSING A BETTER MESSAGING APP (LET’S GET ENCRYPTED) – TECHNOLOGY AND SECURITY 101.

This post continues from the one before, which you can find HERE.

By now you would’ve understood key components that make or break a messaging app and should’ve read the list of common applications we would advise against. Today, we would like to mention three applications we feel are much better in terms of respecting your privacy and security.

SIGNAL: Signal has, unsurprisingly, become the gold standard for encrypted messaging applications. Its Sealed Sender capability has managed to reduce a lot of the metadata sent to their servers, it has a very simple and easy-to-use interface, it allows for group chats, group phone calls and group video chats, and it is of course open-source and end-to-end encrypted by default. There are two drawbacks to Signal that are still important and should be considered depending on your own threat model. The first one is that Signal is centralised, which means that if a government decided to block Signal’s servers, Signal would not work in that specific country (Belgium has just said they are thinking about doing exactly that!). It means there is a single point of failure, and although it would be very difficult to decrypt any information, all that data is being funnelled through a single point. The second big problem with Signal is that it requires user data in order to set up an account. That user data is not some silly, throwaway email either: they need your telephone number. In many countries around the world, obtaining a SIM card without an ID is a problem in itself, but even when that SIM is anonymous, leaking a phone number that is continuously attached to your device could mean being targeted via connectivity networks and being geolocated by telephone towers. Telephone numbers tend to be something personal, and sometimes you do not wish to give someone you just met your number. Those are the two main drawbacks in an otherwise very powerful application.

Read more at www.signal.org

SESSION: Session is the youngest app on our list, but it has made incredible progress and we would go as far as saying that we prefer it over Signal. It is a decentralised, open-source app backed by about 1800 nodes around the globe that routes all your traffic through onion routing, which means there is no IP leak and other identifying metadata is stripped off. The biggest and most important feature that makes Session stand out is that you do not require ANY personal information to sign up. No email address. No telephone number. No name. NOTHING. How fucking cool is that?! The fact that they’ve now implemented voice and video calls, onion routed and in a very user-friendly way, has won all the points needed for us to push it to number one! Let’s not forget about the drawbacks though. Because it is decentralised, it takes a little longer for the message to be received by your friend. This is barely noticeable on text and even photos, but it might take a few extra seconds for a video to send or to download! The second, more important drawback is that Session does not enforce Perfect Forward Secrecy (PFS). This is a system where encryption keys are replaced regularly, so that if someone were somehow to steal a key they would only be able to decrypt some messages and not entire conversations. Session does not implement PFS; its reasoning is that, since the encryption key is saved on your device, if your device were compromised the text would already be available in plain text. Whilst we understand Session’s mitigation against that attack, they should implement PFS for extra security. Session is the app we would advise for all of you to talk to each other on a regular basis.

Read more here: https://getsession.org
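As an added illustration of what Perfect Forward Secrecy buys you (this is our own sketch, not Session’s or Signal’s code, and the XOR cipher in it is a toy for the demo), the following simulates a conversation where an attacker copies the device’s key material mid-conversation and then tries every ciphertext they have captured. With a hash ratchet, only messages from that point onward are readable; with one static key, everything is:

```python
import hashlib
import hmac

# Added example, not Session's or Signal's code: a symmetric hash ratchet, the
# mechanism behind Perfect Forward Secrecy, compared with one static key.
# toy_xor is a toy keystream cipher for illustration only; never use it for real.


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 keystream derived from `key` (encrypt == decrypt)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive this message's key and the next chain key. HMAC is one-way, so
    holding chain key n+1 tells you nothing about chain key n or message key n."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain_key


def readable_after_theft(initial_key: bytes, messages: list[bytes],
                         stolen_at: int, ratchet: bool) -> list[int]:
    """Simulate a conversation in which the device's key material is copied by an
    attacker just before message number `stolen_at` (0-based); `stolen_at` past
    the end means the theft happens after the conversation. The attacker also
    holds every ciphertext. Returns the indices of the messages they can read.
    With ratchet=False one static key encrypts every message (no forward secrecy)."""
    ck = initial_key
    ciphertexts, stolen = [], None
    for i, plaintext in enumerate(messages):
        if i == stolen_at:
            stolen = ck  # the only key material the device holds at this moment
        if ratchet:
            mk, ck = ratchet_step(ck)  # used keys are dropped; only ck survives
        else:
            mk = ck  # static key: the same key for every message
        ciphertexts.append(toy_xor(mk, plaintext))
    if stolen is None:  # theft after the conversation: attacker gets the final state
        stolen = ck

    # Attacker's view: from a stolen chain key they can only ratchet forwards.
    if ratchet:
        candidate_keys, k = [], stolen
        for _ in messages:
            mk, k = ratchet_step(k)
            candidate_keys.append(mk)
    else:
        candidate_keys = [stolen]

    # For the demo, success is judged by comparing against the true plaintext.
    return [i for i, ct in enumerate(ciphertexts)
            if any(toy_xor(k, ct) == messages[i] for k in candidate_keys)]


if __name__ == "__main__":
    chat = [b"last night's party was great", b"are you coming to the cafe",
            b"bring the banner", b"running late", b"see you there"]
    print("ratchet, stolen before msg 3:", readable_after_theft(b"shared-secret", chat, 3, True))
    print("static key, stolen before msg 3:", readable_after_theft(b"shared-secret", chat, 3, False))
    print("ratchet, stolen after the chat:", readable_after_theft(b"shared-secret", chat, 5, True))
```

The ratchet only helps if the device really does discard used keys, which is what `ratchet_step` models by handing back a fresh chain key and nothing else; an app that keeps old keys (or the plaintext history) on the device gives the attacker the same result as the static-key case, which is the trade-off Session’s reasoning above is about.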

BRIAR: Briar is an incredibly interesting application: end-to-end encrypted by default and open-source, but it will only run on Android devices (sorry iPhone users). It runs over P2P connectivity, which means no server or nodes to depend on. When you message someone on Briar, the message travels through the TOR network directly to your friend’s device without depending on any centralised system. Briar is also a very useful tool when the network is down. Police will, during intense riot situations, jam the network in order to stop any form of connectivity. Briar circumvents those problems by allowing users to connect through a Bluetooth mesh or a wifi mesh, without depending on the telephone network. This, of course, has a distance limitation. The drawbacks should be obvious. A P2P connection is not anonymous. The message is encrypted, and if someone was sniffing the connection they would not be able to read your texts or see the photos, but the recipient of your text is able to work out the network you connect to and some device identifiers which could be used to de-anonymise you. As mentioned before, it only runs on Android, so compatibility might be a problem. Finally, Briar has a usability problem. Because it is P2P and your messages are not stored on a server, they cannot be sent to your friend unless your friend is also connected. Briar is an incredible app and we highly recommend it, but we would advise you to use this app for specific situations and only with people you trust. Briar is, without a doubt, the app we would use when the armed revolution starts!

Find Briar here: www.briarproject.org

Keep an eye out for the next instalment of this miniseries, which will give more practical advice on how to talk to each other.

Remember that apps only know what you tell them. We will talk about what to say and what not to say in our last instalment about messaging apps! 



PRIVACY SHOULD BE FOR EVERYONE.

UA Tech&Sec 101 support.

PS: We volunteer our time, but we cannot volunteer all our funds too in order to keep this project alive. If you have the means and like what we do, please consider donating a few coins. Monero is our favourite way, you can find the wallet address on our website, but if you don’t use cryptocurrencies you can donate over Paypal and Patreon too!

www.patreon.com/animalliberation
PayPal: unoffensive_animal(aaattt)tutanota(ddddot)com

PUT TELEGRAM IN THE BIN (LET’S GET ENCRYPTED) – TECHNOLOGY AND SECURITY 101.


This post is a continuation of a series, the previous post can be found HERE

We have talked about the different key points that make a good instant messaging app, and it is time to name and shame applications you should never use for any communications (from organising a demo to organising a coffee date, fuck using the apps below!)

SMS (TEXT) MESSAGES: We’ve already talked about this, but your SMS are sent in plain text and literally everybody can read them. Don’t use text unless necessary.

FACEBOOK, INSTAGRAM AND SOCIAL MEDIA MESSAGING: Facebook Messenger, Instagram Direct and other social media private messaging apps are NEVER safe to use. They work on a centralised network, they are (for the most part) not encrypted and they serve only one purpose: to collect your data. All the big social media names also have no problem complying with governments when requested, so your metadata, text and media will be shared on request. WhatsApp is an incredibly common instant messaging application that you should delete from your phone immediately. Since it was acquired by Meta (Facebook), this has become even more important.

WHATSAPP: WhatsApp is a closed-source application (which means no one can read the code to tell whether what WhatsApp says is true) and, although they say it has end-to-end encryption, Facebook can read any texts that have been marked as abusive, which calls their encryption claims into question. They collect heaps of metadata (location, time, date, users involved in the conversation and so on), which is not encrypted, and they have an extensive track record of collaborating with the government. Move your family away from WhatsApp and delete the app. Seriously.

iMESSAGE: iMessage is also heavily advised against. For iPhone users only, iMessage was a very useful app when it was first introduced, making texts free for a lot of people! There are many problems with iMessage but here are a few important ones. The app’s code is closed. Their encryption protocol is trash. They collaborate with the NSA and will give information to governments on request. It is not a safe app.

TELEGRAM: Telegram needs to be completely trashed and put in the bin. This will divide many people and might make you feel uncomfy inside, but Telegram is NOT a safe app. They have managed to sell themselves as a privacy and security messaging application, but the number of problems with the application is staggering. To start with, Telegram’s encryption is not enabled by default. This is such a massive problem that it alone should make you uninstall the app immediately, but there are a few other bits to talk about. Telegram collects user information, does not hash it and permanently shares that information with the parent company. They DO NOT encrypt metadata (so the conversation logs are available), and thanks to not-so-open-source code dealing with their bespoke cryptography, the company CAN READ YOUR MESSAGES even when encrypted! Telegram is simply not an application to use: not for group chats, not for private chats, not for anything. There are much better alternatives to explore. In the next article, we will give you a few options for better messaging apps to use. Keep an eye out!

FIGHT BACK AGAINST THE TECHNOLOGY DYSTOPIA.

UA Tech&Sec Support

PS: If you appreciate the work we do, please send a few coins. We could do with some support.

Crypto addresses are on our website but PayPal and Patreon you can find just below! www.patreon.com/animalliberation
PayPal: unoffensive_animal(aattt)tutanota(doottt)com

STOP USING WHATSAPP! (LET’S GET ENCRYPTED).

Let’s talk about instant messaging communication. Since smartphones have become more and more embedded in our lives, instant messaging apps have taken a primary role in how we communicate. They are simple, they are fast, and they allow for photos and videos and even video calls over the internet, taking a huge step forward from the SMS/MMS capabilities of phones in the past.

But technology has more to it than accessibility, and instant messaging apps are not all created equal. In the next instalments of this series, we will talk about the apps we recommend and those that we advise against, but for now, we would like to define a few concepts that are very important for you to choose how you communicate with friends.

SMS/MMS texts are a decades-old protocol to send texts or media. They are reliable, but they are completely visible to telecommunication companies and governments as well as anyone with sufficient knowledge to connect to a telecommunications antenna. Stay away from them!

End to End Encryption BY DEFAULT should be the gold standard. Encryption is a process where the text sent is scrambled and can only be transformed into plain text by the recipient, who possesses a private key able to understand the “language” of the scrambled text. Many apps have encryption features, but only those that are encrypted by default (not as a “private conversation” feature) should be used.

Metadata is the information about the text, image or video you are sending. The metadata of a message could be the time and date it was sent, who the sender is, who the recipient is, the location of the sender and whatever other information an app collects and sends with the actual message. Applications that do not leak metadata are of course preferable when communicating with others.

Centralised, Decentralised and P2P Networks are different ways that your messages travel from your phone to your friend’s phone. 

Centralised networks work as follows: You send a message, it travels (hopefully encrypted) to a centralised server, and the server then sends that message over to your friend. The problem with Centralised networks is that there is one single location that has all the power. It means that the government can enforce censorship by blocking the servers, and even simply by raiding the servers and taking them away. There is a second problem with centralised networks. Even if your message is encrypted, depending on the app you are using the server will have various degrees of metadata knowledge. That means that if someone can access that centralised server, they can tell who is sending and receiving messages, at what time and even locations. Signal app is an example of an Encrypted, Centralised Messaging App.

Decentralised networks solve this problem. They use multiple nodes, so your message travels from you to a node, from that node to another and so on until it arrives in your friend’s app. This fixes a couple of problems. First, you cannot simply take down one server to stop someone from communicating with somebody else. Second, you can add an extra layer of encryption at each node (like a TOR network), rendering any leftover metadata useless. The drawback of decentralised networks is that they are slower than centralised ones (sometimes by nanoseconds, but sometimes it’s a lot more noticeable!). Session is an example of an encrypted, decentralised instant messaging app.
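To make the difference between the centralised server (above) and the layered encryption of a decentralised, onion-routed network concrete, here is an added example that is not Session’s or Tor’s code. It assumes three relay nodes with pre-shared keys (real networks negotiate them), uses a toy XOR cipher for the layers, and treats the payload as already end-to-end encrypted, so the onion’s only job is to hide who is talking to whom:

```python
import hashlib
import json

# Added example, not Session's or Tor's code: layered ("onion") encryption along
# a fixed path of three relay nodes, compared with a single central server.
# Node keys are constructed placeholders assumed to be pre-shared for the demo,
# and toy_xor is a toy stream cipher for illustration only.


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 keystream derived from `key` (encrypt == decrypt)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed placeholder keys, one per relay node.
NODE_KEYS = {"node1": b"key-node1", "node2": b"key-node2", "node3": b"key-node3"}


def build_onion(path: list[str], recipient: str, payload: bytes) -> bytes:
    """Wrap `payload` in one layer per node, innermost first. Each layer names
    only the next hop, so a node learns where to forward, not the whole route.
    `payload` is assumed to be end-to-end encrypted for the recipient already."""
    blob, next_hop = payload, recipient
    for node in reversed(path):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob, next_hop = toy_xor(NODE_KEYS[node], layer), node
    return blob


def peel(node: str, blob: bytes) -> tuple[str, bytes]:
    """What `node` does on receipt: strip its own layer and read the next hop."""
    layer = json.loads(toy_xor(NODE_KEYS[node], blob))
    return layer["next"], bytes.fromhex(layer["data"])


def can_peel(node: str, blob: bytes) -> bool:
    """A node without the matching key gets garbage, not a parsable layer."""
    try:
        peel(node, blob)
        return True
    except (ValueError, TypeError, KeyError):
        return False


def route_onion(sender: str, path: list[str], recipient: str, payload: bytes):
    """Deliver along the path, recording what each node sees.
    Returns (views, delivered_payload)."""
    blob, prev, views = build_onion(path, recipient, payload), sender, []
    for node in path:
        next_hop, blob = peel(node, blob)
        views.append({"node": node, "from": prev, "to": next_hop})
        prev = node
    return views, blob


def route_central(sender: str, recipient: str, payload: bytes):
    """The centralised case for comparison: one server sees both endpoints."""
    return [{"node": "server", "from": sender, "to": recipient}], payload


def nodes_seeing_both_ends(views, sender: str, recipient: str) -> list[str]:
    """Which relays learn both who sent the message and who receives it."""
    return [v["node"] for v in views if v["from"] == sender and v["to"] == recipient]


if __name__ == "__main__":
    hops = ["node1", "node2", "node3"]
    seen, _ = route_onion("alice", hops, "bob", b"already-e2e-encrypted-bytes")
    for v in seen:
        print(f"{v['node']} sees: {v['from']} -> {v['to']}")
    print("onion nodes seeing both ends:", nodes_seeing_both_ends(seen, "alice", "bob"))
    central, _ = route_central("alice", "bob", b"already-e2e-encrypted-bytes")
    print("central server seeing both ends:", nodes_seeing_both_ends(central, "alice", "bob"))
```

In the onion case the first relay knows the sender but not the recipient, the last relay knows the recipient but not the sender, and the middle one knows neither, which is the metadata stripping the paragraph above refers to; the central server, by contrast, sees both ends of every conversation even when it cannot read the content.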

P2P or peer-to-peer is more of a connection than a network. When you use an instant messaging app with P2P, the users synchronise directly without the need for a secondary server or multiple nodes. This method makes things a lot safer. There is no risk of a compromised server, or of someone running multiple malicious nodes attempting to either deanonymise you or somehow collect metadata. There is one big problem with this. Both you and your friend need to be connected at the same time for that message to travel from your device to their device. If you send a message when your friend is offline, and then you go offline, even if your friend connects that message will still sit on your phone, as you are no longer attempting to send it. A second problem with encrypted P2P connections is that they do not anonymise you. Your friend may be able to learn information about your device and network, as you are directly connected to each other.

Now that you know a few of the parameters you should consider before messaging someone, we will be able to talk about which apps we would advise you to uninstall and then set on fire, and which apps we recommend using, but we will do that in future instalments so as not to bore you to death with technical knowledge!

PRIVACY IS A HUMAN RIGHT!

UA Tech&Sec Department.

PS: UA is a collaborative, not-for-profit project that never makes enough money to cover costs. If you enjoy our content, please consider donating. We have crypto addresses on our website (for ultimate privacy we advise you to send through Monero, not Bitcoin), but there is also Paypal and Patreon.

Please consider sending even if it is a single coin, it all helps!
Paypal: unoffensive_animal(aaaaatttt)tutanota(doooot)com
Patreon: patreon.com/animalliberation

WHAT EVEN IS TWO FACTOR AUTHENTICATION?

In past instalments we’ve talked about creating a safe password for your smartphone and how to use a password manager for all other accounts, but something was left behind that needs addressing.

As we mentioned before, data leaks can happen, and even though the passwords to access an account on any internet platform tend to be stored hashed, those hashes can be cracked by people with the right tools.

So there is no point having a great password that then gets leaked and cracked, right? We can do something about this too.

Multifactor authentication is a way of ensuring whoever is sending the credentials to an account is actually the person who owns that account. It normally uses two of these three:

  • Something you know (usually, your password!)
  • Something you have (your smartphone, or a hardware key, or some other object)
  • Something you are (fingerprints, biometrics and so on)

We have talked about the dangers of biometrics already and we would highly advise you to not use them. That said, you still can use two factor authentication (2FA) by giving something you know (your password) and something you have (either a hardware key, or an application on your smartphone).

This is how it works: when you log in on Facebook, you are asked for your email and password. You have done your job right and know that the password is complicated and stored in your Bitwarden account. So you select it, then add that little bit of password that only you remember, and hit enter. A second screen appears that asks you for a code. You check your smartphone, enter your code, and you’re in!

Ideally, that code will be a one time use code and change every time, making things a lot safer.

That means that if someone was to get your password, they still wouldn’t be able to access your account without also having that code, which should be in your pocket!

You have already done this before, normally via your telephone number. Amazon asks you for a mobile number, they send you a code over text, and then you enter it in your login screen to get in. But texts are sent and stored in plain text, and SIM swapping (an attack where someone manages to take over your telephone number without you realising) is a very common attack vector.

Instead of using your telephone number, you can choose to use a hardware token if you feel you need to go the extra mile with your security (like a YubiKey, go read about it!) or you can use a software-based 2FA authenticator.

Our recommendation for a software-based 2FA authenticator would be the open-source Aegis Authenticator if you’re using Android, as it offers a few extra features like password access and backup options, or TofuAuth if you’re using iOS, also open source and designed for iPhones.

The process is simple: you go to your account, find 2FA and enable it. You then grab your phone, scan the QR code that the website offers and the app will automatically add the account. Now the app and the website share the same secret, so they will nod in agreement when you give them the right code!
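What actually happens behind that QR code, as an added example (not the page’s code, nor that of Aegis, TofuAuth or any website): the QR code is just an otpauth:// text containing a shared secret, and both the app and the website run the same RFC 4226/6238 arithmetic over the current time to get a six-digit code. The URI, site name and username below are constructed for this example; the secret is the test key from those RFCs, and the server side also enforces the “one time use” property the text describes.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Constructed otpauth URI: this is the text a website encodes into its "enable 2FA" QR code.
# Site and user are hypothetical; the secret is the RFC 4226/6238 test key
# "12345678901234567890", base32-encoded as the standard requires.
EXAMPLE_URI = ("otpauth://totp/ExampleSite:thegreensheep?"
               "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&digits=6&period=30")

def parse_otpauth(uri):
    """Return (raw secret bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)   # restore base32 padding if the site stripped it
    return (base64.b32decode(secret), int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at=None, period=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of periods since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits)

class TotpVerifier:
    """Website side: accepts a code once only, tolerating one period of clock drift."""
    def __init__(self, secret, period=30, digits=6):
        self.secret, self.period, self.digits = secret, period, digits
        self.last_counter = -1           # highest time-step counter already accepted

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        now = int(at) // self.period
        for counter in (now - 1, now, now + 1):
            if counter <= self.last_counter:
                continue                 # already used: one-time really means one time
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False
```

The phone runs totp() and shows you the result; the website runs TotpVerifier.verify() on what you type, and the two agree only because they parsed the same secret from the same QR code.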

This is an incredibly easy, yet very effective way of keeping your accounts safe. Please head to your accounts and enable 2FA, connect it to your phone software and stick your middle finger to whoever might try to gain access to your accounts!

UA Tech and Sec department.

If you like what we do, consider donating a few coins; we have very little funds left.
Paypal: unoffensive_animal(at)tutanota.com
Patreon: www.patreon.com/animalliberation

PASSWORD MANAGEMENT

We have talked in the past about how important a passphrase is to unlock your smartphone instead of a numerical code, and, if you’re still not up to date with how law enforcement abuses its powers, why you especially should not use biometrics like your fingerprints or FaceID.

If you have not read about smartphone passphrases, you should start here:
https://unoffensiveanimal.is/2021/03/16/creating-a-safe-passphrase-for-your-smartphone/

Now that you have read that, we MUST talk about all the other passwords you use to log in to every other account you own.

Passwords are normally stored on the servers of those accounts (let’s say Facebook, for example) as hashes. That means that people cannot simply read your password as plain text. But many tools are able to crack those hashes and recover your passwords.

So how do we protect ourselves from a major data leak that would release onto the internet the key to open every account you own?

Firstly, we need to go over a few rules:

  • You should NEVER reuse your password. It doesn’t matter if it is for an account you don’t care about. Just DO NOT reuse your password. If it leaks for one account, it will leak for all accounts!
  • Your passwords should be complicated and lengthy. There are many ways of “creating” passwords, but we will explain a very simple one later on in this article.

So once we have learnt those two rules, how can we create, manage and memorise very long, complicated passwords that are single-use, so you do not repeat them in every single account?

The answer is using a password manager.

A password manager is a vault that keeps all those passwords safe and away from prying eyes. For most of our readers, whose threat level is probably low, we will recommend a cloud-based password manager due to its ease of use, but if you believe you should go a step further, once you’ve read about password managers check out KeePass, a completely offline alternative.

Our recommendation for a cloud-based password manager is Bitwarden. Bitwarden is an open-source password manager capable of storing all the information you need, but also able to generate new passwords on demand and synchronise across all your devices if you wish.

Storing all your passwords in a single drawer sounds like a huge, scary thing, doesn’t it? This is why you should think before you even create a new account with Bitwarden.

1- Create a new, never-used-before email address. Only use it to create that password manager account, so it doesn’t leak. That makes it more difficult to brute force the password manager credentials if the attacker doesn’t even know what email address you could’ve used.

2- Create a MASTER PASSPHRASE. Remember how we talked about a passphrase for your smartphone? Follow those rules, but double it, or even triple it in size. Write it down for a few weeks until you are 100% sure you will not forget it, and practise using it. Make it the longest, most complicated password you can create whilst still being able to remember it, because it is the password that will rule all the passwords.



Now, you can log in to Bitwarden and start storing all your accounts’ passwords. And because we know what you’re like, this is the moment we prompt you to CHANGE THE 6-YEAR-OLD PASSWORD YOU’VE NEVER IN YOUR LIFE CHANGED. Seriously, go on Facebook, change your password. Go on your Proton Mail, and change your password. Go on your Amazon account and CHANGE-YOUR-PASSWORD.

You will find a very good little tool within Bitwarden. When you’re changing a password in whatever account, you can click on “generate password”, choose the length and how complicated you need it to be, and the software will create the password for you. You copy it, change the password in the account, then save the new credentials in your Bitwarden and voila! You are done!

But I can imagine more than one person complaining about putting all the vegan eggs in a single, steel basket, and hoping that that does not fuck things up.

And you people are right. That master passphrase could be broken. All your accounts, compromised. And we also have remedies for those problems.

In a future instalment, we will talk about 2FA and how to use it (not the one where Google sends you a text with a code, mind you!). But for now, this is a cool little trick you can use to secure your accounts a step beyond the password manager.



Let’s imagine that the FBI has decided to check out all the nudes you send over Instagram DMs. They try to enter your IG, but they are unsuccessful. Sadly, they find a plaintext copy of your password manager master passphrase, and they learn that your Instagram login credentials are:

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe (a very nice password created by the password generator within Bitwarden!)

When they try to log in, the screen prompts “username and/or password are invalid”!

Why? Because you did not put all the vegan eggs in one steel basket. You kept half an egg to yourself.

That metaphorical egg is “something you remember”, an add-on to your password, something extra that you don’t forget.

For example, let’s say that you really like plants, and your favourite plant is a pothos. Maybe that something you remember can be {p0th0%s}, and when you are creating new passwords for all your accounts, you keep adding {p0th0%s} at the end of the randomly generated password that Bitwarden is giving you.

When you save your passwords, you are not saving {p0th0%s} alongside them; you simply remember it, so when you need to log in to IG, for example, Bitwarden gives you this:

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe

But you remember that the actual password is:

Password: z3JtBqGT$ZRjWY!cf&ppaY@xbe+{p0th0%s}

And tada! You made your life a little safer by spending a couple of days learning a new tool that will really, really help you in the long run.



Enjoy, and for the love of bunnies, stop using “password123” as your password, please.

UA Tech and Sec department.