Not a single VPN. A cheat sheet on how to protect yourself and your data

Hey Habr.

This is the HideMy.name VPN. Right now we are temporarily working from the HideMyna.me mirror. Why? On July 20, 2018, Roskomnadzor added us to the list of prohibited resources on the basis of a decision by the Medvedevsky District Court in Yoshkar-Ola. The court ruled that visitors to our site get unlimited access to extremist materials #withoutregistrationandsms, and somehow even found Adolf Hitler's "Mein Kampf" on it. For good measure, apparently.

We were very surprised by this decision, but we continue to work at hidemyna.me, hidemyname.org, .one, .biz and so on. A protracted squabble with Roskomnadzor has led nowhere. While our lawyers and we challenge the blocking and this magical court decision, we share with you basic tips for maintaining privacy on the Internet and news on the topic.

Edward Snowden loves the National Security Agency (probably)

It's no secret that popular Russian services are not safe. Your correspondence can at any moment come into the view of domestic guardians of the law. Here is what you need to remember when communicating through different channels.

SORM and ARI

There are many ways to listen in on your phone. The official and legal one is SORM, the system of technical means for ensuring the functions of operational search activities. By law, all mobile operators in the Russian Federation must install such a system at their exchanges if they do not want to lose their license. There are three generations of SORM: the first was devised in the 80s, the second was introduced in the 2014s, and the third has been pushed on operators since XNUMX. According to RBC, most operators use the second type, but in 70% of cases the system works incorrectly or not at all. Still, it is better not to discuss sensitive topics over a landline or an ordinary mobile call.

Scheme of SORM-2 operation (Source: mfisoft.ru)

Under 97-FZ, any messengers, services and sites operating in Russia must be entered in the register of Information Dissemination Organizers (ARI). Under the "Yarovaya law" they are required to store all user data, including recordings of voice calls and correspondence, for six months. Habrahabr, by the way, is also in the ARI registry.

How the registry works is described in detail here using the example of Threema, but the main conclusion is this: now, at the request of the Russian authorities, any information about you may end up with law enforcement agencies. So the first thing to do to keep your communication confidential is to move calls and messages to messengers that are not in the ARI registry, or to those that are there but refuse to hand data over to the authorities, like Threema and Telegram.

Note: being in the ARI registry does not in itself mean that data will be shared with the authorities. You need to follow the news constantly and watch how a messenger reacts when they "come" for it.

Voice calls and messages

End-to-end encryption can protect conversations and messages from third-party interference, so messengers with E2E are considered the most secure. But this is not entirely true; let's consider the popular options.

Telegram supports end-to-end encryption in its Secret Chats and stores encrypted data about your correspondence in a cloud spread across different countries with "safe" jurisdictions. But after articles on Habré, one may start to doubt the E2E security of Durov's Telegram Passport.

Of course, Secret Chats are still a good option for the paranoid. The server is not involved in their encryption at all: messages are transmitted peer-to-peer, that is, directly between the participants in the correspondence. For extra peace of mind, you can use self-destructing messages on a timer. But do not rely blindly on Telegram. To make it a little more secure, you and your correspondent should go into the messenger settings and do at least two things:

  • Set a passcode for opening the app (Privacy and Security -> Passcode);
  • Enable Two-Step Verification (Privacy and Security -> Two-Step Verification).

After that, when logging in from a new device, in addition to the code from the SMS, the app will ask for a password that only you know.

Login confirmation via SMS alone does not protect anyone who uses a Russian SIM card. Cases of Telegram accounts being hacked through an intercepted SMS are already known: in 2016, attackers gained access to the correspondence of several opposition figures, and in 2017 the account of Dozhd journalist Mikhail Rubin was hacked.

WhatsApp has so far avoided the ARI registry and also uses end-to-end encryption, but things are not so cloudless with it either. We recently published news about residents of Magadan who faced a criminal case for criticizing the city's mayor. That story, fortunately, ended with a plain fine. But it confirmed users' fears: it is not safe to communicate in WhatsApp group chats.

What will happen?

  • As soon as you write a message, your phone number becomes visible to every member of the group, and from the number your identity is easy to work out.

What to do?

  • The solution may be a SIM card not registered in your name, or a foreign number, preferably a European one.

If you use a Russian SIM card registered in your name, avoid sarcastic comments in groups with names like "Mayor, resign": it is better to keep WhatsApp for personal correspondence and calls only.

Viber is also not in the ARI registry, but it keeps in touch with the Russian authorities (in its spare time from sending spam). This messenger was one of the first to comply with the government's new requirements: it stores the logins and phone numbers of Russian users on the territory of the Russian Federation, but refuses to provide message data, citing the mechanics of end-to-end encryption and corporate policy.

Apple's iMessage also uses end-to-end encryption: when you register with iMessage, it creates two key pairs, each with a private and a public key. A message you receive from another owner of an Apple device is transmitted to you encrypted with your public key; it can only be decrypted with the recipient's private key, which is stored on their device. You can read here about how Apple treats user privacy and what it does when it receives a government request. There have been no known cases of the company handing over Russian users' data to the authorities of the Russian Federation.

Source: https://www.apple.com/business/docs/iOS_Security_Guide.pdf


But iMessage has two drawbacks:

  • You can only write or call through these channels to another Apple device owner;
  • If you have trouble connecting to the internet, the message goes over the normal cellular channel and becomes a plain SMS, which can easily be intercepted.

To keep iMessage from falling back to SMS, you can disable this feature in the settings.

Researchers at the Electronic Frontier Foundation say there is no hundred-percent safe option for calls and messages. If some messengers do not let the authorities get your private data, that does not mean hackers (or a state that can use their services) cannot get it by bypassing the law. To give users confidence that there is no man-in-the-middle, Telegram has a nice feature: during a call, both parties can check that they see the same emoji in the upper right corner of the screen; this confirms that nobody has "wedged" themselves into the connection.
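The emoji check works because each end derives the emoji from the key it actually ended up with, so a relayed key exchange produces two different pictures. An added example (not HideMy.name's or Telegram's code; it uses a toy Diffie-Hellman group and a small constructed emoji table) showing an honest call beside an intercepted one:

```python
"""Why comparing call emoji catches a man-in-the-middle (illustrative only)."""
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration: P is a real
# (Mersenne) prime but far too small for actual use.
P = 2**61 - 1
G = 2

# Constructed emoji table; a real messenger uses a much larger one.
EMOJI = ["🔒", "🔑", "🐱", "🌙", "🚀", "🍀", "⚡", "🎲",
         "🍎", "🐟", "🎈", "🌵", "⭐", "🐸", "🍋", "🎯"]


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Classic DH: both sides compute G^(a*b) mod P from what they hold."""
    return pow(peer_pub, priv, P)


def fingerprint(secret, count=6):
    """Map a shared secret to `count` emoji, as a call screen would show."""
    digest = hashlib.sha256(secret.to_bytes(8, "big")).digest()
    return "".join(EMOJI[b % len(EMOJI)] for b in digest[:count])


def honest_call():
    """Alice and Bob exchange public keys directly: the emoji must match."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice_view = fingerprint(shared_secret(a_priv, b_pub))
    bob_view = fingerprint(shared_secret(b_priv, a_pub))
    return alice_view, bob_view


def intercepted_call():
    """Mallory relays the exchange, substituting her own public key each way.

    Alice now shares a key with Mallory and Bob shares a different key with
    Mallory, so the two call screens show different emoji.
    """
    a_priv, _a_pub = dh_keypair()
    b_priv, _b_pub = dh_keypair()
    _m_priv, m_pub = dh_keypair()
    alice_view = fingerprint(shared_secret(a_priv, m_pub))  # Alice thinks it is Bob's key
    bob_view = fingerprint(shared_secret(b_priv, m_pub))    # Bob thinks it is Alice's key
    return alice_view, bob_view
```

The check only helps if the two people actually read the emoji to each other during the call; an attacker who controls the channel cannot make the two independently derived pictures agree.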


If you are looking for a more secure way to communicate, we recommend going beyond secret chats, passwords and two-step/two-factor authentication to less popular niche apps like Confide or Signal.

I use Signal every day. #notes for the FBI (Spoiler: they already know)

E-mail

The popular companies whose email services are used in Russia (Yandex, Mail.Ru and Rambler) are already in the ARI registry, which means they are not very safe. Yes, Mail.Ru Group calls for an end to criminal cases over memes and an amnesty for those convicted, but it may hand over information about your data to the authorities upon request.

Even if you use Western email services like Gmail or Outlook, have two-factor authentication enabled and know that your mail is encrypted in transit with SSL/TLS, you cannot be sure that your recipient's mail is just as secure.

Protection options:

  • When sending sensitive information, encrypt emails with Pretty Good Privacy (PGP). This program turns the contents of a letter into a meaningless set of characters for everyone except the sender and the recipient;
  • When sending important information, always pay attention to the recipient's domain and do not write to a suspicious address;
  • Check with the recipient in advance whether they have set up forwarding or mail collection through a Russian email service.

In the case of domestic companies from the ARI registry, no encryption on the user's side will help in principle: the information is not intercepted in transit, it is stored and handed over by the endpoints, the email services themselves. The only solution is to replace them with more secure counterparts like ProtonMail, Tutanota or Hushmail. More such email services can be found on this page.

Social Networks

To begin with, minimize your presence on popular Russian social networks: My World, Odnoklassniki and VKontakte. Facebook, at least, does not share your data with Russian intelligence agencies; at any rate, no such cases have been recorded.


But it is interesting that in 2017, the company still satisfied 85% of requests from the US government:

Screenshots from the Facebook Transparency Report

If you are too used to VK but do not want to end up in the dock, pay attention to a few things:

  • your saved pictures;
  • posts, comments and messages that you write;
  • posts you like;
  • posts you share;
  • users you are friends with.

In all of the above, it is best to avoid anything that might be considered offensive or extremist. Always remember that "dissemination" means communicating "illegal" information to at least one person. Damir Gaynutdinov, a lawyer with the Agora international human rights group, says that under the law an ARI is obliged to keep, and hand over to law enforcement, even drafts of unsent messages. Read more here about how not to end up in prison for a repost.

By the way, for some time now anyone who has your phone number can find you on VKontakte by default, even if the page itself does not reveal your real identity.

You can forbid people from finding you by number in the profile settings (Settings -> Privacy -> Contact me). But this, of course, will not save you from the special services. Do not use calls and video calls on VKontakte: it is not known whether the network really encrypts them end-to-end, as the administration claims.

Website security

The only good news is that more than half of all popular sites on the Internet already have an https version or have switched to https entirely. Information received and transmitted on such sites is encrypted in transit and cannot be read by third parties. Browsers mark such resources in green with the word "protected".

That is where the good news ends. Despite https, the fact that you visited such a site and your DNS requests (which domains you looked up) remain visible to your ISP.

The other news is even worse: the remaining half of sites run over plain http, that is, without encryption. The solution can be a VPN, which encrypts absolutely everything received and transmitted, so that neither the ISP nor anyone trying to get between you and the destination site sees anything readable. The only thing visible is the fact of a connection to a certain IP address on the Internet (that of the VPN server). Nothing more.

We would be glad if life really were that simple: turn on the VPN and forget about leaks of sensitive information. But it is not. Regularly check whether your favourite resource has been added to the ARI registry, watch how it interacts with the authorities, check the active sessions in the settings of your messengers and social networks and terminate suspicious ones (and then be sure to change your passwords).

Globally

When working with communication channels and data transfer, only an integrated approach to security and privacy makes sense. Follow Internet security news in our Telegram channel @hidemyname_ru, on the Roskomsvoboda website and on other resources devoted to events on the Internet and in Runet in particular.

What security measures are you taking?

Source: habr.com
