useful points to consider when rogue elements of law enforcement are trying to silence you
please consider this bullet-point list as something like a PowerPoint slide: every single point deserves a few minutes of any talk, and some points perhaps much longer.
the measures outlined are designed to make snooping so difficult that an investigating policeman would have to raise paperwork, make official requests and eventually demand passwords from you with a warrant. hopefully this will prevent further snooping AND/OR cause a corrupt official to trigger procedures and an investigation into themselves.
Bluetooth devices can be picked up from 100 metres away
using government WiFi
sending passwords at all
SMS texts are copied several times en route to you
home VPN setups
always delete everything you wouldn’t want a thief to read immediately
Signal, Telegram & WhatsApp are better than Facebook
use a home VPN for WiFi at home
whitelist your own devices
organise your home network so WiFi devices can’t access critical boxes
Reduce the output power of WiFi in your Home Hub
Block the signal path to outdoors with metal
Change the WiFi password often
always choose encryption; if you only encrypt part of your traffic you're highlighting that part.
never use email on ports 25 & 110 (always encrypt: use 465 & 995)
use ethernet wherever possible (instead of wifi)
never use a wireless keyboard; they can be picked up from 50 metres away
use a VPN if your connection is being real-time monitored
here's the breakdown for getting all your things onto Namecheap hosting. this includes the extra for the UK data centre; the new setup will be GDPR compliant (where the old one isn't).
you'll be pleased to learn that Namecheap don't nickel & dime you over mailbox sizes: all your existing emails will migrate with room to spare.
£91.56 (2 yrs), renews at £182.44/2 years
£37.68 (2 yrs) dedicated IP
£62.60 (2 yrs) wildcard SSL (on offer, 44% discount), renews at £78/yr
the price does NOT include a wildcard for boys' website; he gets a free SSL from Namecheap for the public website only. without this "wildcard" his servers will have to be mail.dadsdomain.co.uk to access email for email@example.com.
Despite Facebook & their sycophants in the Irish Government throwing millions at a case, the European Court of Justice has finally ruled that American companies can no longer use SCCs (Standard Contractual Clauses) to duck out of their responsibilities under GDPR legislation.
SCCs are used by all the big USA tech giants in this manner, to paper over the fact that once inside the USA, UK & EU data becomes fair game for their alphabet soup of spy agencies. This is a breach of our rights under GDPR, and unless the US government changes its collective mind about its surveillance laws things will slowly but surely get ugly.
Facebook isn't the only offender: Microsoft are looking at Office365, OneDrive and Skype becoming non-compliant. Google too, with most of their offerings involving USA data centres; G Suite & Google Documents could end up on the banned list along with Dropbox & dozens of SaaS providers. All this despite all the providers mentioned having really good security reputations.
EXACT REASON: this is due to a domain mismatch between the server address typed into a mail app & the one inside the SSL certificate being used to encrypt communications.
EXPLAINED: your hosting server uses subdomains to deliver all the business services, like email and shared resources. for instance, the email server is often reached by a subdomain, "mail.your-domain.co.uk", and other services use subdomains like "webmail.your-domain.co.uk" to access your email in a web page. other subdomains are in use for CardDAV shared address books, CalDAV shared calendars, WebDAV cloud drives and of course the auto-configure services used by your apps.
all the extra subdomains mentioned above are not covered by your existing SSL certificate. in the absence of a valid SSL certificate to provide cover, the mail server reverts to using a certificate installed on the provider's hosting platform, which obviously isn't in your name. Apple have decided to err on the side of caution and not allow you to make an exception for a mismatched SSL certificate in any of their apps.
SOLUTION: decide which webhost-provided services you are going to use, and buy an SSL certificate to cover them all. basically there are 2 types of certificate for doing this
Cheapest: Multi Domain SSL (up to 3 domains) covers web pages, all email access, calendars* and address books*. typically the 3 domains are (plain) my-domain.co.uk, mail.my-domain.co.uk & webmail.my-domain.co.uk
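The mismatch described above, shown with the openssl command line. This is an added example and not part of the original page: it builds throw-away self-signed certificates with the name layouts the text talks about (the host's free single-name certificate, the three-name multi-domain one, a wildcard, and a hosting provider's own platform certificate) and asks OpenSSL which mail-app hostnames each one actually covers. All domain names are constructed; caldav, carddav and autoconfig stand in for the extra subdomains mentioned.

```shell
#!/bin/sh
# Added example, not from the original page. Needs the openssl CLI (1.1.1+).
# All domain names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME "DNS:a,DNS:b" -> self-signed $WORK/NAME.pem carrying those SANs
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# covers CERT HOST -> exit 0 only if OpenSSL's own hostname check accepts HOST
covers() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$2" | grep -q ' does match '
}

# the names a mail app may be configured to contact (per the explanation above)
SERVICES="my-domain.co.uk mail.my-domain.co.uk webmail.my-domain.co.uk \
caldav.my-domain.co.uk carddav.my-domain.co.uk autoconfig.my-domain.co.uk"

# uncovered CERT -> prints each service name CERT does not cover, one per line
uncovered() {
    for h in $SERVICES; do covers "$1" "$h" || echo "$h"; done
}

make_cert single   "DNS:my-domain.co.uk,DNS:www.my-domain.co.uk"       # free website-only cert
make_cert multi    "DNS:my-domain.co.uk,DNS:mail.my-domain.co.uk,DNS:webmail.my-domain.co.uk"
make_cert wildcard "DNS:*.my-domain.co.uk"    # one extra label only: the bare domain is NOT covered
make_cert provider "DNS:*.hosting-provider.example"   # the platform cert the server falls back to

for c in single multi wildcard provider; do
    echo "== $c.pem leaves uncovered:"; uncovered "$c"
done
```

A wildcard on its own leaves the bare domain unmatched, so a wildcard order should list the apex name as well; the provider's fallback certificate matches nothing in your name, which is exactly the mismatch the mail app refuses.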
since email clients were available on Windows 3.1 in the early 1990s they have had PKI facilities for keeping email totally private. PKI is still the most reliable and secure system for keeping nosy parkers out of email streams. it is a universal system that both parties to a conversation need to buy into separately in order to interact.
each user of the system buys an S/MIME (email) certificate from a certificate provider and has it installed in their email apps. there are many providers to buy an email certificate from. all certificates are compatible with each other, with all email addresses & with 99.6% of email apps.
each certificate has two parts: a PUBLIC KEY & a PRIVATE KEY
the public key part is used (usually by other people) to encrypt an email that only its matching private key can unscramble. and only you have that: don't copy or give your private key to anyone for any reason.
when receiving an encrypted email, or signing an outgoing email, you may be prompted for the passphrase for your key (as proof of owner action).
buying in & getting going
when you purchase an email certificate you will set a passphrase & download a file (your email key pair), then follow the instructions for installing it in your mail app. don't, whatever you do, forget the passphrase to your key pair.
make sure you tick the little box during this process to "make your key exportable". make sure to "sign" all emails from now on; this alerts other subscribers to the PKI system that they can encrypt a reply to you.
when you receive a signed email from someone else, the public key of the sender is automatically added to your mail app. this works only because you also own a certificate: from then on you can choose the "sign & encrypt" option when sending that person an email.
someone who doesn't have a key pair of their own and receives a signed email is restricted by the app mafia (Microsoft/Mozilla/Apple et al.) from encrypting a reply. they can however take comfort from the surety that the email was in fact from you & that it was delivered intact and undamaged.
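The sign, learn-the-key, encrypt-the-reply flow described above, as an added example that is not part of the original page. It uses the openssl command line with throw-away self-signed S/MIME certificates for two constructed users, Alice and Bob, rather than certificates bought from a provider; trusting Alice's self-signed certificate directly (-CAfile) stands in for the issuer chain a purchased certificate would carry.

```shell
#!/bin/sh
# Added example, not from the original page. Needs the openssl CLI (1.1.1+).
# Users, addresses and messages are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_id NAME EMAIL -> NAME.key (the private key, never shared) and NAME.crt (public part)
make_id() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$2" -addext "subjectAltName=email:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_id alice alice@example.test
make_id bob   bob@example.test

# 1) Alice signs an outgoing message ("sign all emails from now on").
printf 'Subject: hello\n\nlunch at 1?\n' > "$WORK/msg.txt"
openssl smime -sign -in "$WORK/msg.txt" -out "$WORK/signed.eml" \
    -signer "$WORK/alice.crt" -inkey "$WORK/alice.key"

# 2) Bob checks the signature and keeps the signer's certificate: this is the
#    "public key of the sender is automatically added" step. Trusting alice.crt
#    directly via -CAfile stands in for the issuer chain a bought certificate has.
verify_and_learn() {  # SIGNED_FILE -> writes learned.crt; nonzero exit if the signature is bad
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
        -signer "$WORK/learned.crt" -out "$WORK/verified.txt" 2>/dev/null
}
verify_and_learn "$WORK/signed.eml"

# 3) With that certificate in hand Bob can encrypt a reply that only Alice's key
#    will open (signing it with his own key as well gives the app's "sign & encrypt").
printf 'Subject: re: hello\n\nyes, 1pm\n' > "$WORK/reply.txt"
openssl smime -encrypt -aes256 -binary -in "$WORK/reply.txt" \
    -out "$WORK/reply.eml" "$WORK/learned.crt"

# 4) Only the matching private key opens it: alice succeeds, bob fails.
decrypt_as() {  # NAME -> decrypted message on stdout; nonzero exit if NAME's key can't open it
    openssl smime -decrypt -in "$WORK/reply.eml" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}
decrypt_as alice
```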
GDPR requires password-protected email attachments when sensitive data is being emailed. the herd are using the "Protect Document" feature in Office365 to achieve this, the only restriction being that the recipient must have Office365 to open that protection.
not everyone has Office365, and it's not cheap now with yearly fees per laptop; even fewer people have S/MIME certificates, and fewer still even know what one is.
for outgoing attachments the Dutch government recommend installing a NextCloud instance on the web server to provide your Outlook, Thunderbird etc. with an "attachments converted to a password-protected download link" facility. remember you must tell the recipient what the password is, preferably not by email.
NextCloud also allows you to create a password-protected upload link to email out; the recipient clicks it to land on your NextCloud web page and enters the password to upload documents etc. to your private cloud.
another way to close the GDPR gap for incoming mail is to post an HTTPS-secured web form on the website that sends encrypted email back to base. this is how the contact form on this WordPress site is implemented. anyone can now send a truly private message straight from their browser, without any subscription or special software.
owners of such web forms can make their email contacts aware of the facility by placing a link to their 'contact us' page in the footer of every email they send.