My Ultra-Private iPod Phone 4

At this point in the process, the iPod has been initally setup, and the settings modified to make it as organically secure as possible.  At this point it is necessary to fund the iTunes account.  Even if you only plan to use free applications, the account must be funded before you can download apps.  The smallest denomination gift card you can purchase is $10 (I was unable to find anything below $15).

Continue reading “My Ultra-Private iPod Phone 4”

My Ultra-Private iPod Phone 3

Yesterday’s post covered the initial device setup for my Private iPod Phone.  Today’s post will go through the settings that impact privacy and security.  The goal of these settings is to make the device as inherently hardened as possible.  These changes are designed to lower the footprint of the iPod by limiting the amount of information it transmits, making it less trackable, and generally less “noisy”.  These are all important factors to me when creating my ultra-private iPod phone.  Many of these settings can also be applied to your iPhone. Continue reading “My Ultra-Private iPod Phone 3”

My Ultra-Private iPod Phone 2

Welcome back to Part 2 of my attempt to create a private and secure iPod phone!  When I started this series I thought it would consist of three parts: procurement, setup, and use.  Setup took far more time than I expected, however, so I am going to cover this stage of the process somewhat more slowly.  One of the reasons I wanted to do this experiment was to see what roadblocks I might run into.  True to form, I ran into a couple of problems right off the bat.  This post will cover setting up the iPod phone intially, and modifying basic settings for privacy and security.

Continue reading “My Ultra-Private iPod Phone 2”

My Ultra-Private iPod Phone 1

Some time ago I read an amazingly good article on using an iPod Touch as a secure/private phone.  I love the idea, and I have thought about it for quite a while.  An iPod Touch is remarkably similar to an iPhone, but potentially far more private and secure.  Recently I decided to try it for myself and see how easy (or hard) it would be to set up.  I also had unanswered questions about its actual use.  Part 1 of this article will cover device procurement and the lengths I went to for anonymity’s sake.  Part 2, 3, and 4 will cover setup, and Part 5 will cover actually using my new, ultra-secure and private iPod phone. Continue reading “My Ultra-Private iPod Phone 1”

How-To: Tor Browser Bundle

My last post covered threat modeling the Tor Network.  While I have a very nuanced opinion of Tor, I do think it is ideal for certain use cases.  Unless contraindicated .  Using Tor is not difficult, but there are some potential pitfalls to be aware of.  This post will cover how to use the Tor Browser Bundle.

Download and Install the Tor Browser

The first step is to download the Tor Browser from  Before you install it you should verify the integrity of the file. The Tor Project has an excellent tutorial on how to do this here.  Additionally, I will begin to post checksums for the Tor Browser this month.  After you have verified the file, install it.  If you use a Mac, double-click the .dmg and drag the icon into your applications folder.  A few more steps are required if you use Windows, but setup is not difficult.  Instructions are available here.

Tor Browser Bundle

Begin Browsing with Tor

You are now ready to begin browsing.  Double-click the Tor icon.  Tor will as you to choose between “Connect” and “Configure”.  For the vast majority of use-cases connecting directly is your best option.  The “configure” option gives you the ability to use a bridge or proxy.  Using a bridge or proxy may be necessary if you are in a country or on a network that blocks Tor traffic.  Configuring a bridge or proxy is fairly intuitive, should you need to do so.

Tor Browser Bundle

When you connect to the Tor network, your request is first routed to a directory server.  This server will create your custom “circuit”, the network of three nodes through which your traffic will be routed.  When your connection is established, the Tor browser will open automatically.  You are now ready to browse through the Tor network.  The Tor Browser is a modified version of Firefox.  Browsing with Tor is superficially no different than browsing with Firefox with one or two exceptions.

Using Tor-Specific Features

Clicking the Onion button opens some options not available in Firefox.  It also displays your Tor circuit and allows you to change the following options:

  • New Identity:  This closes all open tabs and discards any browsing data, like cookies.  A new, clean instance of the browser is then opened.  I do not recommend this
  • New Tor Circuit for this Site:  This feature builds a new circuit for the tab that is currently open.
  • Privacy and Security Settings:  See below.
  • Tor Network Settings:  Allows you to configure bridges and/or proxies if needed.
  • Check Tor Browser for Updates:  Always keep your browser up-to-date.  I recommend checking each time you open Tor because updates are frequently released.

Tor Browser BundlePrivacy and Security Settings:  Click this to open an additional dialogue.  The privacy portion has four radio buttons.  Leave all of these checked.  The security dialogue contains a slider and allows you to choose a desired level of security (low, medium-low, medium-high, high). These settings correlate roughly to threat models.  The higher your threat model, the higher a level of security you should choose.  I believe you should always use “high”.  It is less convenient and requires a working knowledge of NoScript, but if you are going to use Tor you should use it to its full potential.  On the other hand, ease-of-use may convince more people to use it overall.

Tor Browser Bundle 4

Potential Problems with Tor

Tor is imperfect for everyday use.  There are reasons it is not incredibly common.  Among them: the Tor Network is slow.  Traffic is routed through multiple servers, usually in multiple countries.  This inevitably slows your traffic.  Additionally, your traffic is slowed at least to the speed of the slowest server in your circuit.  You will also be forced to solve captchas to visit or log in to some websites, and encounter other minor inconveniences. You will also encounter security issues when using the Tor Browser.  I addressed some of these in my last post.  My next post will address one of them specifically: exit node security through HTTPS.

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

Tor Threat Models

The Tor Browser Bundle is a terrific security tool.  Tor is a decentralized, anonymization network. To use it you need a specific internet browser, and it allows you to be as close to anonymous as one can be on the internet.  It also strongly encrypts your traffic, and best of all, it is free.  Readers have asked my opinion on Tor, and why I have not written about it.  There are some potential downsides to using Tor.  As a result, I have very mixed, very nuanced feelings about using it.  Before jumping into and using this tool you should take some time to consider these Tor threat models.  Though I typically analyze variations of the tool itself, my Tor threat models are in relation to use cases and user profiles rather than the tool.

Continue reading “Tor Threat Models”

DIY Encrypted Email 4: In Practice

In Part I of this series we discussed the principles of rolling your own encrypted email.  Part II and Part III covered the installation and setup of the applications needed to make this happen.  Today we will begin talking about how to actually use all this “stuff”.  Installing the programs are the easiest parts of this process, but using it isn’t as daunting as it was just a few years ago.  Hopefully you have been using Thunderbird over the past week and have some comfort level with it. To begin using it to send and receive encrypted email, you will need someone to practice with.  This is a good reason and a good strategy to encourage others to use encryption!

Continue reading “DIY Encrypted Email 4: In Practice”

DIY Encrypted Email 3: GPG and Enigmail

In the last part of this installment we discussed importing mail into the Thunderbird mail client.  Now that our email has been taken out of the browser, we can begin adding the cryptographic elements.  The first of these is GPG (Gnu Privacy Guard).  GPG is an open source implementation of PGP.  It will provide the actual encryption used for our emails. The next step is to install an add-on to Thunderbird called Enigmail.  Enigmail will provide the interface, allowing Thunderbird to use GPG’s encryption.  Installing and setting up GPG and Enigmail is the first order of business in this post.


Different operating systems require different versions of GPG.  If you are using Windows you will install GPG4Win.  If you are using OS X you will install GPG Suite.  If you are using Linux, you can probably skip this step because GPG comes standard with most distros.  If you do need to download it you can do so here.  After you have downloaded the application, begin the setup process.  You will be prompted to provide your administrator password and select a language.  After you have done so you should see screens depicted in the following screenshots.

On the third screen you will be asked which components of GPG you wish to install.  I generally choose to make my installation as light as possible.  I uncheck everything except “GnuPG” and the “Compendium”.  The other components provide powerful capabilities, but they are superflous for our purposes.

GPG and Enigmail


The next step is to install Enigmail.  Since it is only a extension to Thunderbird this is an easy installation.  First, open Thunderbird.  Next, click the hamburger icon, and then click “Add-ons”.

GPG and EnigmailClick the search bar in the Add-ons menu and type “Enigmail”.

GPG and EnigmailClick install button for Enigmail.  It will begin downloading.

GPG and EnigmailAfter Enigmail is installed, you will be prompted to restart Thunderbird.  After a restart you will be ready to being creating your key pair.

GPG and Enigmail


With GPG and Enigmail installed, you are ready to begin creating your key(s).  When Thunderbird restarts the Enigmail Setup Wizard will begin walking you through the process of key generation.  This is not an overly complicated process, and Enigmail will automate most of it.  With the “Start setup now” radio button checked, click “Next”.

GPG and EnigmailOn the next screen select “I prefer an extended configuration”.  On the next screen check “I want to create a new key pair for signing and encrypting my email”.  The next screen will prompt you to enter a password.  I recommend that you take some time to enter a good password.  This password can never be changed, so take the time now.  After clicking the “Next” the key generation process will begin.

GPG and Enigmail

After the keys have been generated you will be prompted to generate a Revocation Certificate.  A revocation certificate allows you to revoke your keys if they are compromised in the future (leading to compromise of communications encypted with them).  This ensures that if you lose control of your private key you can still maintain control of the communications.  We will discuss how to revoke a certificate in a future post on the topic.  Ensure you store the revocation certificate in a secure location.

GPG and Enigmail

Now that we have installed GPG and Enigmail and setup a keypair, we are ready to being exchanging encrypted emails.  We will cover this in the next segment, so stay with me!

If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.

DIY Encrypted Email 2: Thunderbird

This is the second in a multi-part series on setting up your own email encryption.  Today we will cover installing and setting up Mozilla Thunderbird.  Thunderbird is a desktop mail client that allows you to access your email from a platform other than the browser.  This is a necessary step because of the vulnerabilities inherent in internet browsers.  Thunderbird is popular (I am far from the first person to post a Thunderbird tutorial) and capable.  For our purposes it will be used to remove email (and crypto) from the browser into a more secure environment. Continue reading “DIY Encrypted Email 2: Thunderbird”

DIY Encrypted Email 1: The Basics

As promised in my post on email threat models, today I am going to begin a series on DIY encrypted email.  As I discussed in the email threat modeling post, this is the most secure email encryption available.  Before we get into the “how to” portion of this, it is important to first understand asymmetric encryption. Email encryption relies on a wholly different encryption model than that used to protect data-at-rest.  Encrypting email and web traffic relies on asymmetric encryption (also known as public key cryptography).  One of the classic problems with encryption for communications is “key exchange”. It would be simple to encrypt  a PDF and email it to someone.  However, it would be difficult to exchange the password for that file without sending it unencrypted.  Sending it plaintext leaves the password vulnerable to interception.  This compromises the integrity of the entire system.  But there is a better way. Continue reading “DIY Encrypted Email 1: The Basics”