Build & Defend Newsletter 19

One email a week - something from which I hope you'll get real value. We talk about things we can build, and how to defend them. That can apply to cybersecurity, physical buildings, digital products, and .... just about anything. It gives me a lot of latitude in what I can write about, but the two concepts are important for progress - as individuals, and as society.

Today's topic is: Piracy. Er.... Privacy. One of those. Maybe both.

So, you want to be a pirate? Arrrrright then. (Don't worry, I don't plan to make a lot of pirate puns. Just a few, matey.)

The fun thing is there's a great overlap - at least where technology is concerned, between the things that you would use to be a digital pirate, and the things that you would use to just keep to yourself and keep your privacy intact. Hence the piracy/privacy duality. 🏴‍☠️

Just because I can tell you how to keep private does not mean that you should then turn around and engage in piracy. But you could. If you wanted to. But you don't, right?

🔨 BUILD: Your Piracy Stack

So, what does it mean to have such a stack, whether for privacy or piracy, or both? Well, in order to keep to yourself, and to keep other people (busybodies are everywhere) out of your stuff, you essentially need encryption. Encryption itself has been around for a long time, but it was popularised in the computer world by a guy named Phil Zimmerman who created "PGP" ("Pretty Good Privacy") in 1991. Yes, before you were born, probably. (The median age of all earthlings is 31, so anything more than 31 years ago means most of you couldn't have experienced it. (Yes, this newsletter probably skews a bit older.)) So, how do we build such a stack?

The first thing is that you generally need an Operating System (OS) that can provide you with reasonable privacy. (Wait, I hear the older-skewing folks say - what about the Basic Input Output System (BIOS) that connects the hardware to the software? To which I dutifully respond - well, you're correct, that is something to worry about. However, for our purposes, that's a step too far into the rabbit hole, and for practical purposes we don't have to worry so much about it just now.)

I always use a Unix-based system whenever possible. That can be Mac or Linux for the most part. If I'm doing something that requires privacy, I use Linux. Ubuntu is fine for these purposes. We're looking to keep prying eyes away from our system in 99% of use cases; if an NSA tech rocks up to your door with a cross-connect cable (what?) and Claude Fable on a Mac Mini under his arm (let's be real, it'll be a guy (sorry, Wendy & Amanda)), well, I probably can't help you and you need to do more research after this newsletter is your starting point.

So, generally when you install your OS, you get the opportunity to encrypt your disk. I'm not talking about enabling File Vault, but the kind of encryption that means you can't get into the OS without putting in a password. Use that. Here's a screenshot I pirated, er, borrowed, from jumpcloud.com:

This enables Full Disk Encryption (FDE).

So now you've got an OS that no one can get into without the password. That's a good start.

However, what about your media? (Pirates have media?) Sure, you could store it on your fully encrypted disk (tm) but why not add another layer? Enter: external media. And veracrypt.

Veracrypt (at veracrypt.fr) is the continuation of what was previously TrueCrypt. TrueCrypt allowed you to, and veracrypt still allows you to, create encrypted spaces, either as files, or as entire disks. (It also allows for hidden encrypted spaces, but again, thwarting Jason Bourne is not our goal for today.) So, if you were to be downloading files (ahem, in tiny pieces from multiple other machines?) and wanted to store them somewhere, you could use veracrypt to encrypt your entire disk. Then when your files come to you in a torrent (ahem) you could store them in an encrypted disk, which generally should (in my humble opinion) be an external one. There's a couple of cool bits to this: one, you get the additional layer of privacy by creating an entirely encrypted disk that then attaches to your encrypted OS, but then you also get a consistent mount point from which to operate from then on. (Ie, if your software for file transfers stores files in /media/veracrypt1, you can always mount it that way and even when you disconnect and reconnect it will always resume based on that and it's entirely consistent.)

This screenshot, pirated from arcanecode.com, shows mounting a file, but you can mount entire encrypted disks.

The last portion of what we need to build is the transfer process itself. You should ALWAYS use encryption ("Require encryption", not just "Allow encryption"), and ideally over a VPN. (Wait, I thought VPNs weren't cool anymore? Well, they are if you have the right ones and they're actually for privacy. I use Mullvad.)

So your software should be encrypting all information in transit, over an encrypted network connection, from an encrypted disk, that is attached to an encrypted operating system. That's four layers that someone would have to get through (and redundant encryption for transit) just to figure out what's going on.

What you choose to do with this information is up to you - I'm just telling you what can be done, not what should be done.

🛡️ DEFEND: Your Privacy

So, how do you defend your privacy? Well, the first thing is that you need to be aware that it exists and is important. (If you've read this far, check that off in Sunsama.) The second thing to note is that it requires you pay attention to the details. (Add that as a recurring task in Sunsama.) You can't be half-assed about it - you need to be aware that encryption needs to be a thing all the time. The order in which you do things is important; the VPN should be on before the "Require encryption" traffic. Will it still be encrypted if you don't do it in that order? Sure. However, you're only using one layer instead of two if you do it in the other order and Agent Mojtabai is probably more likely to get through one layer than two. (Let's be honest, that dude could get through anything.) (Also, let's be honest, I'm mixing way too many metaphors and pop culture references here.) It requires: constant vigilance! (Yes, that's a Mad-Eye Moody quote so that I can now also engage the Harry Potter fandom.) It requires not bragging about it, or god forbid, creating an entire newsletter about how to do it. You need to be aware that anything you want to keep private needs to be kept private all the time. As Mark Twain said, "Two people can keep a secret as long as one of them is dead." (And you though piracy puns were going to be the issue.)

💰 STACK: Encryption Understanding

All this is well and good - you can use encryption and privacy without really having to understand them. The math behind it works whether you know what it is or not, but it's also fairly easy to get a decent understanding of encryption and privacy with just a bit of reading. Most of it is based on prime numbers and factorisation at the core, and even though it's slightly more complicated in practise, it relies on the basic math you learned in grade/elementary/primary school. (I have an international audience you see.) Essentially, encryption (which ultimately enables your privacy) works because some maths is easy in one direction but really hard in reverse. Multiplying two big prime numbers together you can do straightforwardly, but if I only give you the answer, figuring out which two numbers I multiplied could take a a long time - even for a computer (think millions of years). That's the "lock" that keeps your data safe, and when your data is safe, and its transit is safe, you can maintain privacy.

🔗 LINKS

Ubuntu
ubuntu.com

Veracrypt
veracrypt.fr

qBittorrent
qBittorrent.org
(What? It's legitimate!)

Mullvad VPN
mullvad.net

The Code Book
https://amzn.to/43mjuVN

Cracking Codes with Python
https://amzn.to/3Qfn94B

Serious Cryptography 2nd Edition
https://amzn.to/4ebu3zU

The Mathematics of Secrets
https://amzn.to/4ezABcQ

Sunsama
https://sunsama.com/share?refId=6649d24ea7776200012ddb2c

💬 ONE THING

I'm sure you're thinking about a million other ways in which your privacy could be invalidated, and that this is one small example. You're correct. There are a million ways, from facial scanning (I almost typed "scamming") at airports, to DNA collection from coffee cups, to things as benign as someone intercepting your mail at the post office and steaming it open like you're in a 1920s spy novel. All of that is true. However, I pick one topic that involves building AND defending. It can't all be defence. But yes, you will start down the rabbit hole if you really stop and think about all this, but you can only control so many things.