##############################################################################
/######//########///##/////######//#######/##///##////##////##////##/#####////
##////##////##/////####///##////##/##//////##///##///####///###///##/##///##//
##//////////##////##//##//##///////##//////##///##//##//##//####//##/##////##/
/######/////##///##////##/##//####/######//#######/##///##//##/##/##/##////##/
//////##////##///########/##////##/##//////##///##/########/##//####/##////##/
##////##////##///##////##/##////##/##//////##///##/##////##/##///###/##///##//
/######/////##///##////##//######//#######/##///##/##////##/##////##/#####////
##############################################################################
### STAGEHAND Issue #1 ## Title: Communicating Safely ## Date: 24 Nov 2016 ###
##############################################################################
RiseUp's warrant canary has gone missing. We believe they are fighting a court
battle to keep their users safe.
https://c4ss.org/content/47015
They have a lot of experience and they're good guys, but what if they lose?
Service providers on our side are great, but you need to take personal
responsibility for your own safety.
Here is a loose guide as to how to do that, which is state of the art as
of the day the RiseUp canary croaked – 24 November 2016.
We're not saying this twice: RiseUp is not the only group having trouble,
they're just the only group whose canary has been noted missing. *P00F*
########################
# Know Your Opposition #
########################
What hunts you?
The so-called "Alt Right"? GamerGate? "B-tards"?
Corporate security?
Local or state police?
Federal police or intel?
Everybody gets scared shitless and paranoid when things start happening. If
you are vocal about opinions, maybe the "Alt-Right" trolls want you. Attending
(or worse) organising protests? Local LE are interested, as well as the
targeted company. Dealing with people planning national protests or cracking
corporate web sites? That gets you federal attention.
################################################
# Stupid Stuff You Should Stop Doing Right Now #
################################################
Email in any form. Really, just stop putting anything more important than cute
pictures and dank memes in there.
Facebook is a place to broadcast to derps. Don’t do planning there; encourage
people to find other places for private discussions.
Twitter. About as bad as Facebook: use it to broadcast, don’t treat DMs like
they aren’t being read, and that site is really grabby about IP addresses.
SMS texts are easily read and snooped upon; they show who sent them, who read
them, when it happened, and where each of you were. Your mobile phone is a
tool of the enemy, hold it like you would a cat you’re about to give a bath.
Or a porcupine.
########################
# What Actually Works? #
########################
There are reasons to consider all of the following:
01) IRC
02) XMPP / Jabber
03) Slack
04) MatterMost
05) Telegram
06) WhatsApp
07) Signal
08) Semaphor
09) Ricochet
########################################
# Why are they split into four groups? #
########################################
IRC & Jabber are old school, you can find clients for every desktop and mobile
OS, and they all support OTR, which is "Off The Record" encryption. If you’re
smart about networks you can use some of these services over Tor, concealing
your IP address.
Slack & MatterMost are groupware. If you’re organizing stuff these are handy,
you can add OTR protection for person-to-person conversations there, but the
central server has plain text (readable, snoopable text) of any shared room.
You’ll find a lot of these in use, just be mindful that they’re a slightly
kinder, gentler sort of Facebook in terms of security.
Telegram and WhatsApp both claim to offer end-to-end encryption, which is what
OTR provides, but these are proprietary apps. Unless you can examine network
traffic in great detail, how do you personally know what they are doing? These
are both really popular, but we have concerns.
Signal is a chat app that requires a phone, Semaphor doesn’t force you to give
up identifying information, and Ricochet only runs on Tor. Best of all, these
are all Free Software or Open Source Software. That means they can be examined
and are more likely to do what you want them to do.
#######################
# Let’s go one by one #
#######################
IRC is the original chat network. Plain text service on port 6667, TLS
encrypted on 6697, there's generally no need to sign up, many of them used to
work via Tor, but the world is full of neckbeards and they all got fat
feasting on Cheetos while hanging out on IRC. If you don’t know this
environment, just stay away, it’s dangerous. If you do use it, why aren’t you
already using Tor and OTR?
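As an added illustration (not from the zine) of what "using Tor" means for the TLS port above: the Python below tunnels an IRC connection through a local Tor client's SOCKS5 port and hands Tor the server name unresolved, so no DNS lookup for the IRC server leaves your machine. It assumes Tor is listening on 127.0.0.1:9050 (its default SocksPort); the IRC host name is a parameter and the one in the comments is a placeholder.

```python
"""Connect to an IRC server's TLS port (6697) through Tor's local SOCKS5 proxy.

Added example, not part of the zine. Assumes a Tor client on 127.0.0.1:9050.
"""
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SocksPort (assumption)


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request carrying the hostname, not an IP.

    Address type 0x03 (domain name) makes Tor resolve the name inside the
    circuit; resolving it locally first would tell your DNS server which
    IRC network you are about to join.
    """
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname empty or too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def check_socks5_reply(reply: bytes) -> bool:
    """True if a SOCKS5 CONNECT reply reports success (REP field == 0x00)."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def irc_over_tor(host: str, port: int = 6697) -> ssl.SSLSocket:
    """Return a TLS socket to host:port, with every packet routed via Tor."""
    raw = socket.create_connection(TOR_SOCKS, timeout=60)
    raw.sendall(b"\x05\x01\x00")  # greeting: SOCKS5, one method offered, no auth
    if raw.recv(2) != b"\x05\x00":
        raise ConnectionError("Tor SOCKS proxy rejected the no-auth method")
    raw.sendall(socks5_connect_request(host, port))
    if not check_socks5_reply(raw.recv(262)):  # 262 = longest possible reply
        raise ConnectionError("Tor could not reach %s:%d" % (host, port))
    # Default context verifies the certificate chain and the server name,
    # so a Tor exit cannot silently swap in its own certificate.
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(raw, server_hostname=host)


# Usage (placeholder host): sock = irc_over_tor("irc.example"); sock.sendall(b"NICK x\r\n")
```

A plain-text connection on 6667 through Tor would still hide your IP address but lets the exit node read the conversation, which is why the example defaults to 6697 and OTR still belongs on top.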
Jabber is a person-to-person service first, with chat rooms being the
secondary use, a bit like IRC turned upside down. The same thinking is
necessary: you don’t usually need to give a working email to get an account,
TLS encryption is the norm, and most of these still work with Tor exit nodes.
Use OTR everywhere and chat with confidence. If you’re new and you get an
invite it’s probably OK, it’s not like you’re going into the Star Wars cantina
that is IRC.
Slack is a corporate tool and MatterMost its clone, but you can run your own
MM server, which is nice if you’re into that sort of thing. These are good work
group environments, but think carefully about how much of a trail there is and
what an enemy would do. Maybe you should use the gateway service and chat with
your favorite OTR-capable Jabber client rather than using the TLS-only
official client.
Lots of people are on Telegram: jihadi warriors and cryptocoin guys. Political
types are on WhatsApp. Both claim to be end-to-end. Nobody has seen a
situation where they are providing stuff you thought was private to The Man.
But they’re closed source, which means that experts can't easily examine them
and say what they do. The only reason to use these is if you find an existing
community of practice you want to join. If you’re tight with a group using
these, try to get them to move uptown.
Signal needs a phone to sign up, you can’t do it with just a scammed Google
Voice, and the desktop client, a Chrome app, needs a med check. Still, you can
encrypt your voice calls. Get everybody moving this way if you can. Semaphor
is by the Spideroak cloud guys. You can register without really giving up
much. We don’t know any big groups using it, so we think it’s cool because
Spideroak, but we wish we had more time in grade using it. Ricochet is
Tor-only: you just download it, it creates a new random string name for you,
and then you have to find people. This is the best thing going, AS LONG AS
YOU’RE NOT MAILING YOUR RICOCHET ID AROUND IN PLAIN TEXT.
#######################
# Aspects to Consider #
#######################
Those are some opinions by people who use crypto and who might have done some
stuff they should not have. Here are the things we think about when examining
an app.
01) Do you have to give up an email to use the system?
02) Do you have to give up a cell phone number to use the system?
03) Is there a corporate middle man who can sell you out?
04) Is there end-to-end encryption?
05) Is the client Free/Open Source Software?
06) Is the server Free/Open Source Software?
07) Will the service work over Tor?
If you use email, that's fucked. You’re inside the machine. Email leaves a big
fat trail of who talks to who, when they talked, and what IP addresses they
were using.
Cell phones are just as bad as email. Worse, they can give up your location
due to GPS and Wi-Fi reception, EVEN IF YOU TURN LOCATION SERVICES OFF. You
have to be willing to buy burners, do so in an anonymous fashion, use them at
a location you don’t normally frequent, and then throw them away when you are
done. That’s about $25 to $30 in cost every time you want to create something.
And if you use that piece of shit WhatsApp, it *insists* the associated phone
not only be still in service, it’s got to be reachable online. Fuck those guys
for any serious organising.
If you have a service like Slack, there is a place where a warrant can be
served, or a subpoena if you get into a civil mess. Same goes for MatterMost,
unless you are running a server of your own offshore. Groupware is nice, but
it’s a group hug for Big Brother.
Many of these things claim end-to-end encryption, but unless you can download
the client source on your own, compile it, and test it, who knows. Signal,
Semaphor and Ricochet you can. There are others; we don’t have time to check
them all, which is why we explain HOW we review tools, not just make blind
recommendations. Bottom line: Free/Open Source Software and proven end-to-end
encryption are BFFs. Your two baes forever.
And finally, can you access the service via Tor? If you’re going outside the
lines, you’d better make sure you’re doing so from an undisclosed location.
That’s a whole other thing, how to internet without leaving a trail. There are
VPNs (most are shite) and proxies and Tor and I2P. You may have a high speed
service, even on your mobile, but if you want to be safe the things that
work feel like an analog modem did back in the nineties.
######################
# What is STAGEHAND? #
######################
If you spend any time in a black box theatre you’ll see stage hands. They’re
setting up the scenery before the show, making sure the lights and sound are
right, and very rarely you’ll see someone all in black pop up during a scene,
adjusting a prop for the actors.
That’s us, that’s what we do. We read white papers... and indictments. We
evaluate software and write a bit of our own. We build *stuff* for people. We
keep an eye on trends in activism, in privacy, in surveillance. When we detect
a need, sometimes we publish this zine.
This isn't our first kerfuffle, so we know it’s important to make clear what
we don’t do.
01) We are programmers, observers, researchers. There are no STAGEHAND ops
other than this zine.
02) At this time there is no STAGEHAND IRC channel, Twitter, nor any other
official outlet.
03) We occasionally add new members, when we can’t get what we need by
following and reading, but this takes eighteen to twenty-four months. If you
thought you would ask, that's how you know you aren't right for this. We’ll
call you.
04) When we publish STAGEHAND Issue #2, it will include six lines of text
that, when checksummed with MD5, will produce the following result. This is how
you will know Issue #2 is authentic, and we’ll include a less ghetto signing
method for future issues, too.
MD5(STAGEHAND.txt)= 170f72c233cf70ace661410636257996
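As an added example (not the zine's own code) of how to actually use that line when Issue #2 arrives: the Python below parses the `MD5(file)= hex` form shown above, hashes the bytes you received, and compares in constant time. It assumes nothing beyond the standard library; the file names and sample inputs are placeholders, and the digest you compare against has to be the one from this issue, saved now, not whatever ships alongside Issue #2.

```python
"""Check received text against a published "MD5(name)= hex" line.

Added example, not part of the zine. The reference digest must come from a
copy of Issue #1 kept locally; a hash that arrives together with the thing
it is supposed to authenticate proves nothing.
"""
import hashlib
import hmac
import re

# The openssl-style line format the zine uses: MD5(STAGEHAND.txt)= <32 hex chars>
_LINE = re.compile(r"^MD5\(([^)]+)\)=\s*([0-9a-fA-F]{32})\s*$")


def parse_md5_line(line: str) -> tuple[str, str]:
    """Split "MD5(file)= hex" into (file name, lowercase hex digest)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not an MD5(file)= digest line: %r" % line)
    return m.group(1), m.group(2).lower()


def md5_matches(data: bytes, expected_hex: str) -> bool:
    """Hash the exact bytes received and compare in constant time.

    The digest covers bytes, not "text": a copy saved with CRLF line endings,
    a trailing newline added by an editor, or a re-encoded file hashes
    differently while looking identical on screen, so hash the file exactly
    as it arrived before calling it a forgery.
    """
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_issue(issue_bytes: bytes, published_line: str) -> bool:
    """True if issue_bytes hash to the digest carried in published_line."""
    _, expected = parse_md5_line(published_line)
    return md5_matches(issue_bytes, expected)


# Usage (placeholder path): verify_issue(open("STAGEHAND.txt", "rb").read(), SAVED_LINE)
```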