Security Recommendations (VPN, TOR etc.) for living under dangerous government in Africa?

whitedragon101

Hi guys, my friend is living in Tanzania and the Government has just said "if you criticise us we will throw you in jail forever." They asked what I would recommend to stay safe. I am thinking I will send the following:

 

Signal for messaging and calls

NordVPN for VPN - (double VPN and vpn over TOR)

Enable Full Disk encryption on computers

Use a TOR browser

 

Would you make any changes, additions or improvements to this list or have any other suggestions?

 


VPN in VPN?

 

Does the country have anything against using VPNs?

Computers r fun


What does using several VPNs at the same time or TOR in combination with a VPN achieve?

Seeing as a government that will throw you in jail for criticizing it will also throw you in jail for refusing to decrypt a computer, I would add that the disk encryption software should have deniable encryption support (unlock an innocuous volume when provided with an alternative password).


34 minutes ago, Granular said:

What does using several VPNs at the same time or TOR in combination with a VPN achieve?

It encrypts the traffic going through TOR instead of just making it hard to see where it is coming from. TOR is not a full VPN.

 

To @whitedragon101, make sure he buys everything securely with BitCoin so the purchases to the VPN cannot be traced. Make sure he separates his normal day-to-day internet use ENTIRELY from his secure & anonymous TOR+VPN+TAILS setup. That's another thing, he needs to use TAILS (Live OS, don't install) and know how to use all of its encryption features. If he uses that live stick of TAILS for secure things, then he doesn't need full disk encryption like you and @Granular are suggesting.

Also, make sure the VPN he uses is not based in Africa, that way it will not be subject to Africa's search laws. Preferably, make sure it isn't based in any of the Americas either, because we have stupid logging and subpoena laws.

Join the Appleitionist cause! See spoiler below for answers to common questions that shouldn't be common!

Spoiler

Q: Do I have a virus?!
A: If you didn't click a sketchy email, haven't left your computer physically open to attack, haven't downloaded anything sketchy/free, know that your software hasn't been exploited in a new hack, then the answer is: probably not.

 

Q: What email/VPN should I use?
A: Proton mail and VPN are the best for email and VPNs respectively. (They're free in a good way)

 

Q: How can I stay anonymous on the (deep/dark) webzz???....

A: By learning how to de-anonymize everyone else; if you can do that, then you know what to do for yourself.

 

Q: What Linux distro is best for x y z?

A: Lubuntu for things with little processing power, Ubuntu for normal PCs, and if you need to do anything else then it's best if you do the research yourself.

 

Q: Why is my Linux giving me x y z error?

A: Have you not googled it? Are you sure StackOverflow doesn't have an answer? Does the error tell you what's wrong? If the answer is no to all of those, message me.

 


He's better off using PGP and sending you an email to post something on his behalf should he feel the need to make a statement against the government.

 

As @LtStaffel points out you're better off using something like TAILS - because as soon as your computer hits the internet it essentially has a unique fingerprint (mixture of applications you have installed all trying to pull updates and their general chatter) - however with the unique fingerprint I doubt that his government has enough pull with other countries to identify it. So if you can be identified that way it doesn't matter how secure your connection was to its destination. Also his writing style if posted directly could be used to identify him. It's a dangerous game depending on how capable the government is. If it were China or N. Korea I'd say f' it, don't chance it. I don't know enough about any single country in Africa to have an opinion.


21 hours ago, LtStaffel said:

It encrypts the traffic going through TOR instead of just making it hard to see where it is coming from. TOR is not a full VPN.

 

To @whitedragon101, make sure he buys everything securely with BitCoin so the purchases to the VPN cannot be traced. Make sure he separates his normal day-to-day internet use ENTIRELY from his secure & anonymous TOR+VPN+TAILS setup. That's another thing, he needs to use TAILS (Live OS, don't install) and know how to use all of its encryption features. If he uses that live stick of TAILS for secure things, then he doesn't need full disk encryption like you and @Granular are suggesting.

Also, make sure the VPN he uses is not based in Africa, that way it will not be subject to Africa's search laws. Preferably, make sure it isn't based in any of the Americas either, because we have stupid logging and subpoena laws.

 

16 hours ago, Mikensan said:

He's better off using PGP and sending you an email to post something on his behalf should he feel the need to make a statement against the government.

 

As @LtStaffel points out you're better off using something like TAILS - because as soon as your computer hits the internet it essentially has a unique fingerprint (mixture of applications you have installed all trying to pull updates and their general chatter) - however with the unique fingerprint I doubt that his government has enough pull with other countries to identify it. So if you can be identified that way it doesn't matter how secure your connection was to its destination. Also his writing style if posted directly could be used to identify him. It's a dangerous game depending on how capable the government is. If it were China or N. Korea I'd say f' it, don't chance it. I don't know enough about any single country in Africa to have an opinion.

 

Thanks guys really helpful info 

 

It's tricky because it might not be just directly criticising the government. It might be as simple as watching/reading western news and you accidentally watch/read a report of things that the government doesn't want known.

It's strange, you always think these issues are far away until they suddenly affect your life. I've been over to visit them and wouldn't have expected this in Tanzania where things seemed to be modernising.

 

 


17 hours ago, Mikensan said:

He's better off using PGP and sending you an email to post something on his behalf should he feel the need to make a statement against the government.

 

As @LtStaffel points out you're better off using something like TAILS - because as soon as your computer hits the internet it essentially has a unique fingerprint (mixture of applications you have installed all trying to pull updates and their general chatter) - however with the unique fingerprint I doubt that his government has enough pull with other countries to identify it. So if you can be identified that way it doesn't matter how secure your connection was to its destination. Also his writing style if posted directly could be used to identify him. It's a dangerous game depending on how capable the government is. If it were China or N. Korea I'd say f' it, don't chance it. I don't know enough about any single country in Africa to have an opinion.

Second this. He should use PGP for any risky messages.


Well for simply reading news articles then a VPN would satisfy that need, even at the most basic level. I would avoid popular VPNs as their servers are probably well known, TOR would be best although slow. The issue with popular VPNs isn't anything bad, but ideally you don't want them knowing you're using a VPN for the simple fact you're trying to hide your traffic which could set them off.

 

I would also only use the VPN/TOR for reading said news and still use normal internet for all else, that way his traffic report doesn't just have 100% of traffic to a single IP.

 

Scary world it's becoming.


Wow, just spoke to them while they are in Europe. Apparently the Tanzanian president has added "talking to or being friends with homosexuals" to the list of things they will "throw you in jail forever" for.

I did suspect that was coming. Dictators in African regimes seem to have a thing about homosexuality.


On 4/23/2018 at 5:17 PM, LtStaffel said:

It encrypts the traffic going through TOR instead of just making it hard to see where it is coming from. TOR is not a full VPN.

Where are you getting that from?

I mean I know TOR functions differently from a VPN, but it does encrypt the message content, not just the source and destination headers.


11 hours ago, Granular said:

Where are you getting that from?

I mean I know TOR functions differently from a VPN, but it does encrypt the message content, not just the source and destination headers.

You need Tor to go through a VPN (I had it backwards the first time). That way the VPN doesn't know where you're coming from and it's also harder to know you're using Tor. Neither truly "encrypts" your traffic in a meaningful way. You need to encrypt what you want encrypted yourself. You can't just trust either a VPN or Tor, so you use both. We're talking about layers here.


40 minutes ago, LtStaffel said:

Neither truly "encrypts" your traffic in a meaningful way.

Whoa! Stop the presses! Local forum member discovers universally trusted cyphers aren't true encryption!

When recommending privacy and security measures, you need to be mindful of usability. If what you recommend is too much of a hassle, people won't bother and have no protections. Chaining VPNs, using TOR in combination with a VPN and dailying TAILS is something that makes sense for a journalist covering politics or a prominent member of the political opposition - someone who could become a victim of targeted surveillance - not someone who just wants to avoid a (probably rather unsophisticated) potential dragnet.


5 minutes ago, Granular said:

Whoa! Stop the presses! Local forum member discovers universally trusted cyphers aren't true encryption!

When recommending privacy and security measures, you need to be mindful of usability. If what you recommend is too much of a hassle, people won't bother and have no protections. Chaining VPNs, using TOR in combination with a VPN and dailying TAILS is something that makes sense for a journalist covering politics or a prominent member of the political opposition - someone who could become a victim of targeted surveillance - not someone who just wants to avoid a (probably rather unsophisticated) potential dragnet.

It's a common misconception that security, privacy, and anonymity are all related, and that they are all spectrums. Nothing could be further from the truth.

 

You are either secure, or you are not. You are either private, or you are not. You are either anonymous, or you are not. You cannot be "partially secure" because anything less than secure is insecure. You cannot be "partially private" because private means no one knows what you're up to, and as soon as one person knows, you aren't private. You cannot be "partially anonymous" because as soon as someone knows who you are, you aren't anonymous anymore.

 

I don't care about usability. Just because you're not willing to go the full length to be secure, private, and anonymous doesn't mean the person tracking you isn't willing to take advantage of the fact. I'm not trying to hire recruits. I'm not trying to win people to my side. I do what I want about my security, privacy, and anonymity, and if other people don't care as much as I do, then it's on them if they have trouble just like it's on me if I have trouble.

 

A dissertation won't help anyone, so I'll stop writing here.


1 minute ago, LtStaffel said:

-snip-

That's admirable. Tell me, what measures do you take to defeat a potential quantum computer brute force attack on your encryption? One time pads?

Do you have several fake online personas to keep someone linking your activity on different websites through linguistic fingerprinting?

Do you have a self built true random number generator that you don't let out of your eyesight to be sure it doesn't get tampered with?

Do you wear a Faraday cage on your head to keep potential advanced MRI machines from stealing your passwords and secret thoughts?


40 minutes ago, Granular said:

That's admirable. Tell me, what measures do you take to defeat a potential quantum computer brute force attack on your encryption?

Thank you : D Supposedly "lattice" (iirc) encryption would be valid protection against quantum computers. I have not done research on it, but if I get to it I'll probably see how hard it would be to implement (#ruprepped4doomsday?)

 

40 minutes ago, Granular said:

One time pads?

Sometimes.

40 minutes ago, Granular said:

Do you have several fake online personas to keep someone linking your activity on different websites through linguistic fingerprinting?

Yes.

40 minutes ago, Granular said:

Do you have a self built true random number generator that you don't let out of your eyesight to be sure it doesn't get tampered with?

I've looked into cracking Mersenne Twister and it takes quite a while but is possible. I'm currently looking into learning the correct subjects in math to be able to build my own pseudo random generator. It will almost definitely be worse than all the PhDs' generators, but I think it will be cool : D I've got Intel's compilers with my student stuff so it should be pretty quick compared to GCC (for example).

Unfortunately, computers, as you can probably guess, can only be pseudo random. Since I am a hard determinist, I believe nothing is random lolol jk though I think it'd be neat to try to build a randomness input based on something accidental, like errors in memory (ECC would not be good for this generator lol)

40 minutes ago, Granular said:

Do you wear a Faraday cage on your head to keep potential advanced MRI machines from stealing your passwords and secret thoughts?

No, but I've taken self defense in an attempt not to get into that situation : D


There is no such thing as 100%. If the data exists, it exists because it is needed - and needed by someone. Thus you will always have a human element to break whatever protection that is in place. Be it insider threat, or not following protocol - nothing is guaranteed. If you rely on "trust" it is no longer 100%. Do you trust your VPN vendor? Do you truly trust TOR? Do you know who is in control of the exit node, or entrance nodes? All you have is mitigation and trust, the second the data leaves your person.

 

 
