All posts by adminz

Paranoia List

warning

for bloggers & news groups


useful points to consider when rogue elements of law enforcement are trying to silence you

please treat this bullet point list like a PowerPoint slide: every single point deserves a few minutes of any talk, and some points perhaps much longer

the measures outlined are designed to make snooping so difficult that an investigating policeman would have to raise paperwork, make official requests and eventually demand passwords from you with a warrant. hopefully this will prevent further snooping AND/OR cause a corrupt official to trigger procedures and an investigation into themselves.

  • Bluetooth devices can be picked up for 100 metres
  • using government WiFi
  • sending passwords at all
  • SMS texts are copied several times en route to you
  • home VPN setups
  • 2FA Hardware
  • always delete everything you wouldn’t want a thief to read immediately
  • Signal, Telegram & Whatsapp are better than Facebook
  • use a home VPN for WiFi at home
  • whitelist your own devices
  • organise your home network so WiFi devices can’t access critical boxes
  • Reduce the output power of WiFi in your Home Hub
  • Block the signal path to outdoors with metal
  • Change the WiFi password often
  • always choose encryption; if you only encrypt part of your traffic you’re highlighting it.
  • never use email on ports 25 & 110 (always encrypt: use 465 & 995)
  • use ethernet wherever possible (instead of wifi)
  • never use a wireless keyboard; they can be picked up for 50 metres
  • use a VPN if your connection is being real-time monitored

  • avoid free email. gmail, hotmail, yahoo, icloud etc are utterly unsuitable
  • use the email server that comes with your hosting
  • guide public to your web-to-email page and use contact form 7 to encrypt email sent to you
  • use NextCloud to provide secure upload links for public
  • schedule off-host off-site backups to avoid spiteful deletion


this GDPR compliant website is hosted on Namecheap

Create your Web Presence with Namecheap
Get almost everything* here for a secure & reliable service
  • the only things Namecheap can’t provide are themes & plugins for wordpress or prestashop


Just because you’re paranoid doesn’t mean it’s not happening

Keep prying eyes out of sensitive comms with NordVPN’s uber paranoid “Double VPN”
the public ip you go out on is different to the one you connect to.

this completely breaks unauthorized snooping

Let’s Compare Jolt

Provider                  Namecheap            Jolt
origin                    USA Arizona          UK
UK Servers                YES                  YES
UK Upgrade servers        YES                  YES
UK VPS & Private Server   NO, TX & AZ (USA)    YES
this is about location & law, now let’s get on with what you get
Package              Cash           Websites    Personnel    Restriction *
NC “Stellar Plus”    23.91 +vat     unlimited   unlimited    entry proc 30
Jolt “Bolt”          49.95 +vat     20          20           20 personnel
NC “Stellar”         £18.82 +vat    3           30           entry proc 20
Jolt “Sparkle”       £14.96 +vat    2           2            1Gbyte RAM
* the restriction being the limit that i consider matters the most

Just like namecheap do, Jolt say they’ll give me commission on sales where a new customer clicks to their site from my affiliate link https://www.jolt.co.uk?ref=timothyduckitt

domain £5.80 +vat / yr

ssl £30 +vat

extras like fancy web themes, upgrades and things all cost more.

Internet things for Dad

here’s the breakdown for getting all your things onto Namecheap Hosting
this includes the extra for the UK data centre
the new setup will be GDPR compliant (where the old one isn’t)

you’ll be pleased to learn that namecheap don’t nickel & dime you over the mailbox sizes, all your existing emails will migrate with room to spare

£91.56 — (2yrs) Renews at £182.44/2 years
£37.68 (2yrs) dedicated IP
£62.60 (2 yrs) wildcard SSL (on offer 44% discount) renews at £78/yr

the price does NOT include a wildcard for boys’ website, he gets a free SSL from namecheap for the public website only. without this “wildcard” his servers will have to be mail.dadsdomain.co.uk to access email for boy@boysdomain.com

total electronic money required:

£191.84 +VAT
£230.20 TOTAL

Namecheap SSL Page


click that, log in and place money on your account. i’ll let you know the day before we need to put new server details into mail apps etc & nip down your shop then to supervise

ECJ finally acts on GDPR

Despite Facebook & their sycophants in the Irish Government throwing millions at a case the European Court of Justice has finally ruled that American companies can no longer use SCC’s (Standard Contractual Clauses) to duck out of responsibilities under GDPR legislation.

SCC’s are used by all the big USA tech giants in this manner, to avoid the fact that once inside the USA, UK & EU data becomes fair game for their alphabet soup of spy agencies. This is a breach of our rights under GDPR and unless the USA governments change all their collective minds about their surveillance laws things will slowly but surely get ugly.

Facebook isn’t the only offender, microsoft are looking at Office365, one-cloud and Skype becoming non-compliant. Google too, with most of their offerings involving USA data centres. G-suite & google-documents could end up on the banned list along with dropbox & dozens of SaaS providers. All this despite all the providers mentioned having really good security reputations

iOS MacOS & Hosting Servers

ISSUE: UNABLE TO VERIFY SERVER

EXACT REASON: this is due to a domain mismatch, between the server address being typed into a mail app & the one inside the SSL certificate being used to encrypt communications.

EXPLAINED: your hosting server uses subdomains to deliver all the business services, like email and shared resources. for instance, the email server is often reached by a subdomain, “mail.your-domain.co.uk”, and other services use subdomains like “webmail.your-domain.co.uk” to access your email in a web page. other subdomains are in use for carddav shared address books, caldav shared calendars, webdav cloud-drive and of course the auto-configure services used by your apps.

all the extra subdomains mentioned above are not covered by your existing SSL. in the absence of a valid SSL certificate to provide cover, the mail server reverts to using a certificate installed on the provider’s hosting platform, which obviously isn’t in your name. Apple have decided to err on the side of caution and not allow you to make an exception for a mismatched SSL in any of their apps.

SOLUTION: decide which webhost provided services you are going to use, and buy an SSL certificate to cover them all. basically there are 2 types of certificate for doing this

Cheapest: Multi Domain SSL (up to 3 domains) covers web pages, all email access, calendars* and address books*. typically the 3 domains are (plain) my-domain.co.uk, mail.my-domain.co.uk & webmail.my-domain.co.uk

All Services: Wildcard SSL (unlimited subdomains) covers web pages, email, carddav shared address books, caldav shared calendars & webdav cloud drive.

Use the proper SSL solution & all your iOS and MacOS connection problems will go away along with all the scary “untrusted connection” warnings in normal devices.

*some automatic functions may not work or present warnings
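to see the mismatch described above without touching a live server, here is an added example (not part of the original post) that builds three throwaway self-signed certificates and runs OpenSSL’s own hostname check against the subdomains listed above. my-domain.co.uk is the post’s placeholder name; the certificate names and helper functions are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the "unable to verify
# server" mismatch offline with three throwaway self-signed certificates that
# stand in for purchased ones. my-domain.co.uk is the post's placeholder name.
set -eu
WORK=$(mktemp -d)

# mkcert NAME CN "DNS:a,DNS:b" -> $WORK/NAME.crt carrying exactly those SAN entries
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -addext "subjectAltName=$3" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    >/dev/null 2>&1
}
# the free "public website only" certificate the post mentions
mkcert single my-domain.co.uk "DNS:my-domain.co.uk,DNS:www.my-domain.co.uk"
# cheapest fix: a 3-name multi-domain (SAN) certificate
mkcert multi my-domain.co.uk \
  "DNS:my-domain.co.uk,DNS:mail.my-domain.co.uk,DNS:webmail.my-domain.co.uk"
# all-services fix: a wildcard; the bare name is a second entry because
# "*.my-domain.co.uk" on its own does not match "my-domain.co.uk"
mkcert wildcard "*.my-domain.co.uk" "DNS:*.my-domain.co.uk,DNS:my-domain.co.uk"

# covers CERT HOST -> exit 0 when the certificate is valid for HOST; this is
# the same name check a mail app performs (OpenSSL's X509_check_host)
covers() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# report -> one line per certificate/host pair, MISMATCH marking the gaps that
# surface as "unable to verify server" (a wildcard covers one label only, so
# a two-level subdomain still fails)
report() {
  for cert in single multi wildcard; do
    for host in my-domain.co.uk mail.my-domain.co.uk webmail.my-domain.co.uk \
                caldav.my-domain.co.uk a.b.my-domain.co.uk; do
      if covers "$cert" "$host"; then r=ok; else r=MISMATCH; fi
      printf '%-9s %-25s %s\n' "$cert" "$host" "$r"
    done
  done
}

# live_sans HOST PORT -> print the SAN list a real server presents, e.g.
# live_sans mail.my-domain.co.uk 993 (needs network; not called here)
live_sans() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName
}

report
```

live_sans shows what a real mail server actually presents on port 993 or 465, which is the first thing to compare against the address typed into the mail app.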

Proper GDPR Email Security (crypto)

since email clients were available on windows 3.1 in the early 1990’s they have had PKI facilities for keeping email totally private. PKI is still the most reliable and secure system for keeping nosy parkers out of email streams. it is a universal system that both parties of a conversation need to buy into separately, in order to interact.

each user of the system buys a s/mime (email certificate) from a certificate provider, and has that installed in their email apps. there are many providers to buy an email certificate from. all certificates are compatible with each other, all email addresses & 99.6% of email apps

each certificate has two parts – a PUBLIC KEY & PRIVATE KEY

the public key part is used (usually by other people) to encrypt an email that only its matching private key can unscramble. and only you have that, so don’t copy or give your private key to anyone for any reason.

when receiving an encrypted email, or signing an outgoing email, you may be prompted for the passphrase for your key (as proof of owner action)

buying in & getting going

when you purchase an email certificate you will set a passphrase & download a file (your email key pair) and follow the instructions for installing it in your mail app. don’t whatever you do forget the passphrase to your keypair

make sure you tick a little box during this process to “make your key exportable”. make sure to “sign” all emails from now on. this alerts subscribers to the PKI system that they can encrypt a reply to you.

encrypt email

when you receive signed email from someone else, the public key of the sender is automatically added to your mail app. because you also own a certificate, from then on you can choose the “sign & encrypt” option when sending that person an email.

someone who doesn’t have a keypair of their own and receives a signed email is restricted by the app mafia (microsoft/mozilla/apple/et al) from encrypting a reply. they can however take comfort from the certainty that the email was in fact from yourself & that it was delivered intact, undamaged.
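the sign, harvest the sender’s public key, then encrypt a reply exchange above, as an added example that is not from the original post: two throwaway self-signed certificates (alice, bob) stand in for purchased s/mime certificates, and openssl’s cms subcommand plays the part of the mail app. the names, files and helper functions are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the s/mime exchange described
# above, driven by openssl cms. alice and bob get throwaway self-signed
# certificates, constructed stand-ins for purchased ones.
set -eu
WORK=$(mktemp -d)

# mkid NAME -> NAME.key / NAME.crt with the emailProtection usage an s/mime cert carries
mkid() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -addext "subjectAltName=email:$1@example.test" \
    -addext "extendedKeyUsage=emailProtection" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mkid alice
mkid bob

# 1. alice signs; the signature carries her certificate (public key), which is
#    how the recipient's mail app "automatically adds" it
printf 'Subject: hello\n\nsigned by alice\n' > "$WORK/msg.txt"
openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
  -inkey "$WORK/alice.key" -out "$WORK/signed.eml"

# verify_and_harvest -> exit 0 if the signature checks out; the signer's
#   certificate lands in alice_from_sig.crt. -noverify skips chain validation
#   only because the stand-in cert is self-signed; a real client checks the CA
verify_and_harvest() {
  openssl cms -verify -in "$WORK/signed.eml" -noverify \
    -signer "$WORK/alice_from_sig.crt" -out "$WORK/verified.txt" 2>/dev/null
}

# 2. encrypt_reply -> bob encrypts to the harvested certificate (public key only)
encrypt_reply() {
  printf 'Subject: re: hello\n\nfor alice only\n' > "$WORK/reply.txt"
  openssl cms -encrypt -aes256 -in "$WORK/reply.txt" \
    -out "$WORK/enc.eml" "$WORK/alice_from_sig.crt"
}

# 3. decrypt_as NAME -> prints the plaintext; succeeds only with alice's key
decrypt_as() {
  openssl cms -decrypt -in "$WORK/enc.eml" -inkey "$WORK/$1.key" \
    -recip "$WORK/$1.crt" 2>/dev/null
}

verify_and_harvest && encrypt_reply
decrypt_as alice
decrypt_as bob || echo "bob cannot read alice's mail"
```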

GDPR & Password Protected Emails

GDPR requires password protected email attachments when sensitive data is being emailed. The herd are using the “Protect Document” feature in Office365 to achieve this. the only restriction being that the recipient must have office365 to open that protection.

not everyone has office365 and it’s not cheap now with yearly fees per laptop, even fewer people have s/mime certificates and fewer still even know what one is.

for outgoing attachments the dutch government recommend installing a NextCloud instance on the webserver to provide your Outlook, Thunderbird etc with an “attachments converted to a password protected download link” facility. remember you must tell the recipient what the password is, preferably not by email.

NextCloud also allows you to create a password protected upload link to email out, where the recipient clicks to end up on your NextCloud web page, entering the password to upload documents etc to your private cloud.

another way to close the GDPR gap for incoming mail, is to post a HTTPS secure web-form on the website to send encrypted email back to base. this is implemented as the contact form on this wordpress. anyone can now send a truly private message, without any subscription or special software straight from their browser.

owners of such webforms can make their email contacts aware of the facility by placing a link to their ‘contact-us’ page in the footer of every email they send