AKA a certain behaviour and a set of rules of thumb that will keep you and your information safer, in day-to-day life as well as in production, with a particular focus on Mac users. Plus an appendix on operational choices for the confidentiality of dyne.org projects.
First things first: assess the type of opposition you have. Consider that we generally operate in a medium-confidentiality environment. Type of opposition: who wants to know, and why.
Risk assessment: always assume that **the opposition is stronger than you, better organised and already knows a lot** (it is true that it has a lot of resources). At the same time, avoid paranoia: you act and think in a way that makes you a tough cookie.
- you act according to the law and to your constitutional rights
- you act according to high ethical standards
- you are not alone
As such, role-playing on project-based compartments and personal trust is at the base of any security assessment. You use paranoia
* Examples from conspiracy: rings. In a ring of peers all information is accessible by all the peers, but nothing goes out to others without agreement between the inner parties. Rule of 5: no more than 5 people can efficiently be part of a ring; beyond that, communication needs escalate. In classic Soviet security organisations this was compartmentalised with a controller/ringleader mechanism. We do not need that level of paranoia, yet it is good to know, just in case.
* Positive view, in/out border: enforce confidentiality between peers, agree whether disclosure to the outer ring is necessary, and keep it on a need-to-know basis.
* “l’agendina”: write things down with pen and ink and keep them in a drawer. It is not safer as such, but it is much more expensive for the opposition to send a team to break into your house and look for a piece of paper than to bug your computer with malware.
* “il pizzino”: a paper written by hand that can be sent to someone, gets read and is destroyed on the spot, or things of that kind. It works, is safe from SIGINT, and implies a certain level of trust. A plus is that you can recognise handwriting, and handwriting carries signs of emotional stress. Consider a form of talk that might carry a word which, if used, implies you believe you are compromised... the rest is a Le Carré book (a very good read).
* Need to know: a measure to be used in delivery or operations. You know only what you need to know to perform your task, in order to protect the operation. In this case you don't talk any more about the whole picture; you operate temporarily on a "need to know" basis. Because we are peers, you will be debriefed at the end.
* Communication loop outside the magic circle: strategies, objectives, keywords
3. Confidentiality
A document marked confidential has to be kept as such: partial or total disclosure is to be decided by the responsible person. It has to have a distribution list printed on its first page so that all recipients know who has access to the document.
3.1. Dyne is a think (& do) tank but also a software foundry. WE USE OUR OWN SOFTWARE FIRST if it does the job; then open source, then eventually proprietary. Some software we DON'T USE ON PURPOSE: IT IS BANNED, for security reasons AND also for public image reasons.
* on Mac you can use AES-256 encryption on disk images
* dyne developed secrets.dyne.org for shared passwords; use it where necessary. This tool lets you encode a string (a password) and shred it into 5 strings that can be distributed to friends. Putting 3 of them together reconstructs the secret string so that, for example, a lost password can be used again to re-open a Bitcoin wallet. Use it.
* office.dyne.org is obsolete and has been replaced by Nextcloud: cloud.dyne.org
* a repository for document and file sharing based on our servers, with functionality similar to Google Drive and Dropbox; install the client on your desktop/laptop/mobile
* pad.dyne.org for shared document writing. Preferably use "code" mode and write in Markdown.
* really, get used to Markdown! 3-minute guide: https://guides.github.com/features/mastering-markdown/
* for note taking and todos: https://joplin.cozic.net, free and open source, integrated with Nextcloud and multi-platform (mobile too)
* weechat or irssi in terminal: https://irc.dyne.org
* xchat / hexchat as a standalone IRC client
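The 3-of-5 split that secrets.dyne.org performs (listed above) is threshold secret sharing, i.e. Shamir's scheme. The following is an added illustration written for this page, not the code or share format of secrets.dyne.org; the 521-bit Mersenne prime field and the 0x01 length-marker byte are choices of this example only.

```python
import secrets

# Field prime: 2**521 - 1 is a Mersenne prime, so any secret of up to
# 64 bytes (plus our 1-byte marker) maps to a field element below it.
# This is an assumption of the example, not what secrets.dyne.org uses.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret: bytes, n: int = 5, k: int = 3):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # A leading 0x01 marker preserves the secret's length and leading zero bytes.
    s = int.from_bytes(b"\x01" + secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for this field (max 64 bytes)")
    # Random polynomial of degree k-1 with the secret as constant term:
    # k-1 shares reveal nothing about it, k shares pin it down exactly.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from at least k shares.

    Fewer than k shares still produce a value, but an unrelated one, and
    nothing in the maths signals it: holders must know the threshold.
    """
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME          # product of (0 - xj)
                den = den * (xi - xj) % PRIME      # product of (xi - xj)
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = s.to_bytes((s.bit_length() + 7) // 8, "big")
    return raw[1:]  # strip the 0x01 marker added by split_secret
```

Any three of the five shares give back the same password, while two give garbage with no error, which is exactly why the scheme tolerates two lost or untrusted friends but not three.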
Dyne.org has a ZNC bouncer that we've started using. ZNC keeps a connection open on your behalf and makes it look like you're always connected to IRC. This way, whenever and from wherever you connect to the ZNC server, you get a playback of everything you missed while you were offline.
You connect to ZNC the same way you connect to any other IRC server.
Server info:
* host: znc.dyne.org
* port: 30001
* server username: yourusername/networkname
(networkname will be "dyne" for dyne's IRC network)
* server password: the same password we used for registration on ZNC service
IMPORTANT!
I DO NOT ALLOW ACCESS IF YOU'RE NOT USING SSL. YOU MUST USE SSL WITH YOUR CLIENT. IF YOU DON'T USE SSL, THE DOOR IS THAT WAY :)
* channels we are using:
#dyne - our main IRC channel, where most of the things are talked about
#bridge - the channel mostly used for people based in Amsterdam
https://znc.dyne.org also allows you to configure your user via a web panel. It's very well documented. I set good default settings for you, and if you don't use IRC on other networks, you shouldn't need to change anything. You can change your password via the web panel easily as well. You might like that.
XChat/Hexchat Configuration:
Get it using your usual package manager. It is probably in your official repositories.
Run it, and see below.
https://moo.projectarch.tk/qumwrf.png
https://moo.projectarch.tk/xchat.webm - video
IMPORTANT NOTES FOR ZNC/IRC
IRC is generally not considered a very secure platform, yet it's extremely useful for quick communication. Please encrypt sensitive data. We try to make it more secure by using SSL, but this does not promise anything.
JABBER ON LINUX
* pidgin
https://moo.projectarch.tk/gkpoia.png
https://moo.projectarch.tk/pidgin.webm - video
* psi-plus
https://moo.projectarch.tk/dxaplx.png
https://moo.projectarch.tk/jyqanp.png
https://moo.projectarch.tk/psi.webm - video
You can also integrate your GPG key with Psi+.
* bitlbee (for more tech savvy people, terminal)
IMPORTANT NOTES FOR XMPP/JABBER
* use SSL/TLS. It's supported and good.
* please spend some time and get to know your client.
* at least find time to install the OTR plugin yourself and learn how it works. If someone just shows you how to do it, you will learn and gain nothing from it, and your security is basically the same as without using it.
* OTR doesn't work unless both parties are online and explicitly using OTR. Keep this in mind when typing sensitive data.
IRC ON ANDROID
* AndChat (Play Store; find the apk if you don't use the Play Store. The app is worth it)
Open app: https://moo.projectarch.tk/gqhsvp.png
Add a server: https://moo.projectarch.tk/ilwdus.png