InfoSec for TBP Readers – Part 2

Guest Post by aka.attrition

Privacy and security are not easy, especially for those of us who are not very computer literate. Coming from an information technology (IT) background with a special interest in information security (infosec), I decided to write an article for the layman (don’t give me no uphill about politically correct words!) to help you increase your security and protect your privacy a little more. This is a small contribution to this website where I spend far too much time reading the articles and especially the major commentators – you know who you are. Thanks Jim and the heavy hitters.

The full article is broken down into 3 parts and each part has several sections:

Part 1

  • The one thing you need to do with your browser
  • Ad-blockers and anti-trackers
  • Internet search

Part 2

  • Email
  • DNS servers
  • Virtual Private Networks – VPN

Part 3 (if there is interest)

  • Windows 10/11 – the boss tracker and what you can do about it.

I realize that some of these topics can be hard for the non-IT / computer-oriented person, and I write this article with those end-users in mind, not an IT professional audience. There are very many options, settings, and tools one can use, but in this article I’m going to restrict it to just a few of the biggest-bang-for-your-buck changes, those things we should all be able to implement without too much IT knowledge. After all, we have day jobs.

Email

Amongst other email services I have used ProtonMail for many years, since 2018, but recently I have become totally dissatisfied with it and feel it can no longer be trusted. I have several times seen it recommended on this site by commentators, including at least once by myself. There are two deal-breaking issues:

  • Over the years and on a regular basis I clear out the deleted emails folder. When emails are deleted they get moved to the Trash folder. The norm for email services is that after some time, for example 30 days, emails in the Trash folder are automatically deleted permanently. ProtonMail does not seem to do this so you manually need to clear out that folder. When viewing the Trash folder there is an icon across the top called “Delete Permanently”. I have used this button regularly to clear out the entire contents of the Trash folder and assumed the word “permanently” meant what it means.  However, a few days ago I noticed that the “All Mail” folder suddenly showed I had hundreds of emails in there! Wait, what?? Looking at that folder showed me emails dating back 4 years, emails I deleted long, long ago in a galaxy far, far away. Apparently even with this service, which bills itself as all about privacy and security, my deleted emails for the past 4 years were still there even though I regularly used the empty trash function. What gives, was it just me or does anyone else see this?
  • After the above incident I looked into what other issues users had with the service and checked Trustpilot. Well, those reviews aren’t great; of 533 reviews (the latest being just hours ago as of this writing) 44% are 1-star and another 8% are 2-star, which makes for over 50% below-average reviews and an average rating of 2.5 = “poor”.

https://www.trustpilot.com/review/protonmail.com

What seems to be one of the biggest issues users have? Reading many of the reviews, it seems that ProtonMail uses automated tools to scan email contents, and if the automated tool / rule-base determines that something is against their terms and conditions then the account can be totally frozen and you will have no access to it … sometimes this lockout is permanent, without the ability to access the account to retrieve anything!

Some users complained that they did not break any terms of use but were still locked out. For example, apparently if someone on your send-to or received-from list is on their automated blacklist then your account can be blocked too. There is an appeal process but what would it mean to you if you no longer had access to your emails, your calendar, and your contacts without warning? This is the problem anytime your content is hosted on someone else’s servers/computers.

The main issue, in my opinion, is that your emails are scanned, albeit by automated tools. That doesn’t sound too private to me and who decides what content, subject matter, recipient, or sender is acceptable? When will some website or topic you mention in a private email become verboten or some person become persona non-grata and your account gets frozen/cancelled by association?

This danger may well exist with other mail services that you use and it is worth checking into to be sure you don’t “accidentally” (wink, wink, nudge, nudge) get cancelled and lose all access to correspondence and contact info.

What online (i.e. internet/cloud based) alternatives are there? I use various mail services for various functions but will not use any of the big tech names like Gmail. I have recently signed up with Tutanota in Germany. The name comes from the Latin words for secure (“tuta”) and message (“nota”). Your mailbox, calendar and contacts are stored encrypted so that the provider itself cannot read them, and mail between Tutanota users (or to outsiders via a password-protected link) is end-to-end encrypted. Be aware, though, that an ordinary email sent to a Gmail or other address still leaves as ordinary email and is readable by the recipient’s provider; that is true of any service. They state that they do not scan your emails and do not profile you. Importantly they are open-source and code reviewed and audited. More info on how they secure your email and contacts here: “Encrypt It All” – https://tutanota.com/blog/posts/innovative-encryption

But here is the best part for me: they have a desktop application for Windows, Linux and macOS (plus mobile apps) so you can access it in your browser AND/OR have your emails, calendar, and contacts all inside a local app running on your computer/device, with access even if you have no internet connection. The difference in a nutshell is having your stuff only in the cloud, on the internet, on someone else’s computers vs. also having a local copy of everything on your own computer. (The local copy is still tied to the account: if the provider ever locks it, you keep what the app has already downloaded, but nothing new arrives.) Website: https://tutanota.com

Of course, another option is a local email client like Thunderbird from Mozilla – the Firefox people. It’s free and open source too. Note the distinction: Thunderbird is not an email service, it is a program that fetches mail from whatever account you already have (over IMAP or POP3) and keeps a copy on your own disk. With IMAP the messages also stay on the provider’s server until you delete them there; with POP3 set to delete after download, the provider holds nothing once the download is done (it still handled the message in transit). Here is a pretty good overview of Thunderbird – https://www.applicationpedia.com/mozilla-thunderbird-for-windows-11.html

A quick internet search for local email client software will give you even more alternatives. But if you want cloud-based then TutaNota.com is certainly worth a look. If you continue with ProtonMail for practical reasons then do so with awareness of the Trash folder issue and the fact that emails deleted even from Trash are still not actually gone.

DNS Servers

This one is a bit trickier to setup / modify so be warned but it is an important one if you are concerned about privacy.

When you type a domain name into the URL bar of your browser, for example www.some-website.com, how does your browser know which server in the world is hosting that domain/website? It finds out by querying a Domain Name System (DNS) server (in practice your computer’s operating system does the asking on the browser’s behalf). The DNS server converts the domain name (www.some-website.com) into an IP address, and with that the browser can connect to the server hosting the site.

When you set up your internet connection on your computer the default is to use the DNS servers managed/offered by your Internet Service Provider (ISP). What does this mean? It means that every website you choose to visit must be looked up using your ISP’s DNS servers, and therefore the ISP knows every single website you visit, when you visit it, how often, etc. The ISP cannot read the actual content that passes between you and that website, since virtually all websites now use HTTPS (an encrypted TLS connection), but the ISP does know the websites you visit and all the related metadata of that visit. And they can, of course, save that information for as long as they like. Two caveats before the fixes below: changing DNS servers only moves the lookups elsewhere; your ISP still sees the IP addresses you connect to, and in most of today’s HTTPS connections the site’s hostname is also sent unencrypted at the start of the connection (the TLS “server name indication”, SNI) unless both browser and site support Encrypted Client Hello. So a different DNS provider reduces what the ISP collects; a VPN is what actually hides the destination from it. How can we overcome this?

There are two relatively easy options for solving this problem:

  • Manually change the DNS servers used for lookups to some other DNS provider unrelated to your ISP and thus unrelated to your account with your ISP. One caveat: ordinary DNS (port 53) is not encrypted, so your ISP can still watch those queries pass through its network even though it no longer answers them. The encrypted variants, DNS over HTTPS (DoH) and DNS over TLS (DoT), close that gap, and Firefox and Chrome can be set to use them on their own.
  • Install a Virtual Private Network (VPN) application which uses its own DNS servers, not those of your ISP, and sends the lookups through its encrypted tunnel.

Below are the steps for changing the Domain Name System servers for your internet connection under Windows 10. There will be a similar set of steps under Linux but I suspect most here will be using Windows.  I can post the steps for Linux or Windows 8 if wanted.

  • Click the Windows start button (usually in the bottom left corner)
  • Choose the gear icon – “Settings”
  • Choose “Network & Internet”
  • Choose “Change adapter options”
  • Identify the network adapter (i.e. internet connection) you are using. For most users there will only be the one
  • Right mouse click it and choose “Properties”
  • In the scrollable list in the centre of the dialog select/highlight “Internet Protocol Version 4 (TCP/IPv4)”
  • Click the “Properties” button below the scrollable list
  • Change the second radio button to “Use the following DNS server addresses”
  • You will now enter two IP addresses, each made up of 4 numbers separated by periods. Do not type the periods; the fields move on automatically.
  1. For the “Preferred DNS server” enter 208.67.222.222
  2. For the “Alternate DNS server” enter 208.67.220.220
  • Check your entries and when ready click the OK button to save your changes
  • If “Internet Protocol Version 6 (TCP/IPv6)” is also ticked in the same list, repeat the last four steps for it using OpenDNS’s IPv6 addresses, 2620:119:35::35 and 2620:119:53::53; otherwise any lookups your computer makes over IPv6 still go to your ISP
  • Then close the various dialogs opened above
  • Restart your computer (not strictly required, but it clears any cached lookups) so that the next connection to the internet uses these alternative DNS servers

The two IP addresses above are for the OpenDNS service (founded in 2005 and now owned by Cisco) at https://www.OpenDNS.com . There are other DNS server providers, of course, but OpenDNS is very reliable. To revert to using your ISP’s DNS servers, simply switch that radio button back to “Obtain DNS server address automatically”.
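The same change done from PowerShell, as an added example that is not from the original post: it finds the adapter carrying your default route, sets OpenDNS for both IPv4 and IPv6 in one go, clears the resolver cache instead of rebooting, and then verifies with lookups forced to OpenDNS. The IPv6 addresses are the ones OpenDNS publishes for its standard service; www.example.com is only a test name. Run it from a PowerShell window started with “Run as administrator”.

```powershell
# Added example (not from the original post): point the active adapter at
# OpenDNS for IPv4 and IPv6, then verify.  Needs an elevated PowerShell on
# Windows 10/11.
$ipv4 = @('208.67.222.222', '208.67.220.220')
$ipv6 = @('2620:119:35::35', '2620:119:53::53')   # OpenDNS's published IPv6 resolvers

# Pick the interface that carries the IPv4 default route (0.0.0.0/0);
# on a machine with a VPN up this may be the tunnel adapter, so check the name printed.
$ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
            Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
$adapter = Get-NetAdapter -InterfaceIndex $ifIndex
Write-Host "Configuring DNS on '$($adapter.Name)' (ifIndex $ifIndex)"

# Set both address families at once.  Leaving IPv6 on "automatic" would let
# the ISP-assigned IPv6 resolvers keep answering after the IPv4 change.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses ($ipv4 + $ipv6)

# No reboot needed: drop cached answers so new lookups go to the new servers.
Clear-DnsClientCache

# Check 1: what the adapter is now configured with (IPv4 and IPv6 rows).
Get-DnsClientServerAddress -InterfaceIndex $ifIndex |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# Check 2: a lookup answered by OpenDNS itself, bypassing the local cache.
Resolve-DnsName -Name 'www.example.com' -Type A -Server '208.67.222.222' -DnsOnly

# Check 3: ask OpenDNS which public address your queries arrive from.
# myip.opendns.com is answered by OpenDNS with the querying client's own IP;
# with a VPN up this should be the VPN exit address, not your home address.
Resolve-DnsName -Name 'myip.opendns.com' -Type A -Server '208.67.222.222' -DnsOnly

# To revert to the ISP's servers (same as "Obtain DNS server address automatically"):
#   Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ResetServerAddresses
```

If Check 1 shows the new servers but Check 2 fails, something between you and OpenDNS is blocking or redirecting port 53; some ISPs and public hotspots do that, which is one reason the encrypted DoH/DoT variants mentioned above exist.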

Now obviously OpenDNS will know which websites you visit, since you are now asking their servers for the domain name to IP address translation, but they do not directly know who you are. They only see the IP address you are coming from and thus the ISP you are using. Yes, it can all still be traced back to your specific account with your ISP, but that takes OpenDNS and the ISP working together rather than the ISP knowing it directly. Bonus: this option also lets you bypass website blocks that your ISP implements in its own DNS (it does nothing against blocks done on the IP address itself). Bear in mind that OpenDNS does filtering of its own: its standard addresses include phishing protection, and its FamilyShield addresses block adult content as well, so “not my ISP’s DNS” does not mean “no filtering”.

The alternative option to changing your DNS servers yourself is to install a Virtual Private Network application which uses its own DNS servers  – see next section.

Virtual Private Network Application (VPN)

A virtual private network application tries to hide your surfing activities from prying eyes by sending all your traffic through an encrypted tunnel to the VPN company’s server; your ISP then sees only that you are connected to that server, not where you go from there. A good VPN must use its own DNS servers and route the lookups through the tunnel, otherwise your ISP can still see every domain you look up even though the rest of the traffic is hidden (a so-called DNS leak), so that is something to make sure your VPN has. One thing to keep in mind though is that a VPN does not make you totally anonymous: the VPN company is now in the position your ISP was in, and the websites you visit see the VPN’s address but everything else about you (logins, cookies, browser fingerprint) unchanged. It does stop your ISP from knowing what you do online (provided it uses its own DNS servers). VPNs are a part of an overall privacy strategy, with the understanding that nothing is perfect and foolproof. The guiding principle is defence in depth: taking a multi-layered approach to security and privacy.

Also, while we’re on the subject of anonymity: be aware that using the Firefox Private Browsing window does not make you anonymous in any way at all. All it does is keep that window’s cookies, history, cache and saved form/password entries separate from your normal windows and throw them away when you close it. The websites you visit still see your IP address and can still fingerprint your browser, and your ISP, your VPN provider, or your employer’s network still see exactly the same traffic. Do not confuse the word private with anonymous.

Over the years I have tried most all major VPN applications out there and they all do much the same. Some have features that others don’t, some have more servers to spread their user load over, some have servers in more countries, etc. but overall it’s really more or less the same when comparing the top 10.

What I also notice is that review websites almost always cover the same top 10 applications and almost always (with minor variations) rank them the same. It is pretty obvious to me that review websites are at best simply paid advertorials for the VPN companies.

The problem with all VPN applications is the matter of trust. Trust is extended to the VPN company doing what they say they do, such as not logging your surfing activities, providing an encrypted and secure channel, and so forth. Many VPNs have their security and no-logging claims independently audited to reassure their customers; prefer one that publishes the audit report rather than just the claim.

I tend to switch VPN applications about once per year or two. The one I like the best currently is iVPN. They open source all their code and they get audited – big plus. They do not pay for review articles and that’s why you never see them reviewed or ranked. Their application is simple but comprehensive, they have very decent throughput on their servers, a good selection of servers in the US and Europe and elsewhere. They have applications for Windows, Linux, Android, and Apple so cover all the device options. Price is good and you can use on multiple devices simultaneously. They don’t try and sell you any additional stuff, ask to invite a friend, or any of that irritation. And they use their own DNS servers.  I strongly recommend using a VPN and iVPN is worth your time to consider. Website: https://www.ivpn.net
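A check for exactly that DNS leak on Windows, as an added example (my script, not the original post’s and not iVPN’s software): with the VPN connected, it lists the DNS servers of every active network interface and flags any that are not in the set you expect, and then reads the Windows policy that stops the system querying several interfaces in parallel (“smart multi-homed name resolution”), which is the usual way queries escape the tunnel. The $expected list is a placeholder assumption; replace it with the resolver addresses your VPN publishes (or the OpenDNS ones if you set those).

```powershell
# Added example (not from the original post): audit every active interface's
# DNS servers after the VPN is up.  Read-only, so no elevation is needed.
# ASSUMPTION: $expected is a placeholder; put your VPN's resolvers here.
$expected = @('10.0.254.1', '10.0.254.2')

$findings = foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
    # One result object per address family per interface; each carries a list of servers.
    foreach ($cfg in Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex) {
        foreach ($server in $cfg.ServerAddresses) {
            [pscustomobject]@{
                Interface = $nic.Name
                Family    = if ($cfg.AddressFamily -eq 23) { 'IPv6' } else { 'IPv4' }
                Server    = $server
                Leak      = ($expected -notcontains $server)
            }
        }
    }
}

$findings | Format-Table -AutoSize

$leaks = @($findings | Where-Object { $_.Leak })
if ($leaks.Count -eq 0) {
    Write-Host 'OK: every active interface uses only the expected resolvers.'
} else {
    Write-Warning "$($leaks.Count) DNS server(s) outside the expected set; queries can bypass the tunnel:"
    $leaks | ForEach-Object { Write-Warning "  $($_.Interface) [$($_.Family)] -> $($_.Server)" }
}

# Windows may send each query out on several interfaces at once and take the
# first answer ("smart multi-homed name resolution").  The Group Policy
# "Turn off smart multi-homed name resolution" stores this value when it is set.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$smhnr = Get-ItemProperty -Path $key -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if ($smhnr -and $smhnr.DisableSmartNameResolution -eq 1) {
    Write-Host 'OK: smart multi-homed name resolution is disabled by policy.'
} else {
    Write-Warning 'Smart multi-homed name resolution is not disabled; a query can leave via the non-VPN interface even with the tunnel up.'
}
```

A typical leak looks like a physical Wi-Fi or Ethernet adapter still listing the ISP’s resolvers next to the VPN adapter listing the VPN’s: Windows will happily use either. The fix is the VPN client’s own “block DNS outside the tunnel” option if it has one, or setting the physical adapter’s DNS to the same trusted resolvers as in the section above.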

For those wondering about using the Tor Browser: yes, that is also an option, but I find the performance too slow for my purposes. The tech is clever and a good privacy solution, but performance is the downside for me. I know there was a breach of Tor security in 2015 and another in 2017 (maybe more, but I don’t follow it closely), but they were complex hacks and the 2015 one required 3-letter agency involvement. Vulnerabilities are fixed but, honestly, if you’re up against the 3-letter agencies and state actors then you need a lot more in-depth IT knowledge to stay anonymous (if it’s even possible at all). I don’t mind paying for a VPN if I get the performance desired and the security and privacy is “good enough” for my purposes.

Thank you for reading. Part 3 will be posted if there is interest. And remember, if you’re using a service for free on the internet then it’s probably you that’s being sold.

31 Comments
Floid
September 13, 2022 1:59 pm

looking forward to part 3… thank you

NickelthroweR
September 13, 2022 2:19 pm

This is all good advice. I use a VPN, Ad Blockers, etc. I know it isn’t entirely perfect but I’m in no hurry to make it easy for someone to get at my data. At least they have to work a bit.

Steve Z.
September 13, 2022 2:36 pm

I signed up for a proton account. That was easy. I tried their VPN and found that useless. I couldn’t connect to the VPN and customer service is like nonexistent.
NOT IMPRESSED….

I read some article that said there is a back door in EVERYTHING which is available to the 3 letter scumbags…not surprising

cS
September 13, 2022 2:48 pm

look, guys, it’s real simple. if it’s on the net, it’s effectively public, and the people who control the net have data-based it, parsed it, analyzed it, data-mined it, and stored it for future use against you.

and this is not being done by people. it’s being done by algorithms, automatically collecting evidence and generating accusations against you. all that the people behind all this do is enter parameters, then pull off lists of actionable terrorists (that’s you), that are then handed off to agencies that act against you automatically and without question or rationality. “he’s on the list. go get him.” “but what did he do?” “hey, just follow orders.”

Anonymous
September 13, 2022 2:48 pm

“The problem with all VPN applications is the matter of trust.”

That’s true and should be emphasized. Choosing a VPN requires proper due diligence

Opendns is good. I don’t believe they’re “better” than others out there though. Don’t understand why nextdns wasn’t mentioned

DNS over TLS and DNS over HTTPS should’ve been mentioned which is available in many browsers. Many modern mobile operating system versions I think should’ve been covered too in setting up DNS over TLS

Win11 offers DNS over TLS but I would stay far away from Win 11

aka.attrition (replying to Anonymous)
September 13, 2022 2:52 pm

@Anonymous

Cant mention everything, every tool, every option. Target audience for these articles is the layman, not IT savvy users which you obviously are 🙂 OpenDNS is not suggested at being better than others but just good enough and solid.

Anonymous (replying to aka.attrition)
September 14, 2022 6:47 am

you can run a dns resolver locally on your own machine and be your own nameserver.

Bob
September 13, 2022 2:53 pm

I’m shocked to hear about the issues with Protonmail. I’m bailing for tutanota. Pain in the a#$, but necessary.

Question: how is your speed with ivpn as compared to changing the DNS? I’ve used vpn’s in the past, but have had to bail on them because of latency issues (I trade for a living and speed is very important to me).

I’ve read a lot of articles about executing privacy online but I’m one of those geezers who gets some of the tech, but not much. So these two articles have been very helpful. Looking forward to number three.

Thank you for your service.

aka.attrition (replying to Bob)
September 13, 2022 3:07 pm

@Bob

Changing the DNS and using a VPN are not mutually exclusive, I do both. You should not notice any speed difference by switching to another DNS server from using your default ISP’s DNS server, assuming you have a minimally decent internet connection.

I find iVPN performs very well and I am on the internet the entire day with at a minimum 25+ tabs open. I also tend to choose a server which is not local but rather in another country which adds to latency. I have no complaints including when downloading large multi-gigabyte files.

Captain_Obviuos (replying to Bob)
September 13, 2022 4:41 pm

You might want to pump the brakes on all this Tutanota talk as well; Jim Stone, who has been dealing with email issues for a while now, tried Tutanota and found they also have privacy issues. He tried to use it to have PayPal and another service so people could send him money, but when PP found out Jim was using a Tutanota account they leaned on his ISP and they, in turn, pressured Tutanota into shutting him out — which they did.

Short of running Telnet, there’s no truly secure way to communicate over the internet, because anytime you use an email provider or send an IM, you’re using a third party’s platform, and they answer to governmental agencies if there’s ever a privacy issue or an ISP ban. They’ll roll over on you quick. All email services are at the behest of their respective countries’ laws.

Anonymous (replying to Captain_Obviuos)
September 14, 2022 6:48 am

well, telnet is not encrypted (back then people’d use ipsec or something if they were using telnet 🙂), so, er, ssh more likely 🙂

m
September 13, 2022 2:58 pm

OpenDNS: “Founded in 2005 and now owned by Cisco”
Not much better than using Google’s servers.
If anything, try https://servers.opennicproject.org/

Also for Firefox, at least some time ago, you would be advised to go into about:config and set
network.trr.mode = 5
as otherwise “DNS over HTTPS” (i.e. no man in the middle can snoop your DNS resolve requests) would be sent by your Firefox browser to Cloudflare DNS servers (no matter what your local DNS settings were), so that now Cloudflare knew all your DNS resolve requests – big fucking win! /sarc
Not sure if still relevant today.

And I’m not a big believer in VPN, for safety. Either I use Opera with its free VPN for region-spoofing, or I go directly to Torbrowser.

Doc (replying to m)
September 18, 2022 3:06 pm

Tor was created by the Dept of the Navy. If anyone thinks it isn’t one big honeypot, well, enjoy.

Austrian Peter
September 13, 2022 2:58 pm

I am using Win 7 with paid for AVG who keep trying to sell me their upgrades to stop hackers or whatever stealing my info and tracking me. But I tell them my info is public info anyway – I don’t charge and never will because I believe information should be shared freely far and wide, and if they want to do this for me – go ahead!

Arizona Bay
September 13, 2022 3:21 pm

Another thing I like about OpenDNS is that you are able to block by content or site. That was very useful when I had pre-teens and teens in the house. It takes a few extra steps to setup but is free and well worth the effort.

Jim
September 13, 2022 3:45 pm

No interest in the latest Windoze, but don’t let me stop you from posting it.

“…if you’re up against the 3-letter agencies and state-actors then you need a lot more in-depth IT knowledge to stay anonymous (if it’s even possible at all).”

If you’re up against 3-letter agencies, then why are you communicating sensitive stuff online at all? If you must surf and suspect you’re being watched, then do what Snowden would recommend – use Whonix. Also, buy a used laptop with cash to put it on. Oh, and fire it up, then connect to a public WiFi (Starbucks, McD’s, etc.) but don’t connect to the same one twice. Why public WiFi? Whonix hides your computer’s MAC address, etc. so even connecting to public WiFi, nobody knows it’s you. Same with buying a used laptop with cash – nobody knows it’s you. I don’t go that far, but that should cover the ultra-paranoid.

There are a few other methods – IPFS, Freenet, etc. Of course, it gets a bit technical to explain all that.

cS (replying to Jim)
September 13, 2022 4:04 pm

“Whonix hides your computer’s MAC address, etc. so even connecting to public WiFi, nobody knows it’s you”

(laugh) oh yes they do. ai parses websites visited, keystroke times and counts, and mouse movements, to identify any particular individual. tie that in with camera surveillance using facial recognition at all those public wifi locations, and bingo, you’re id’d.

clayusmcret
September 13, 2022 4:31 pm

Good info. Thanks!

I’m very leery of using a European based email or VPN. We’ve got next to no control over stateside operations and can’t believe using a European company would be any more secure.

brian
September 13, 2022 5:45 pm

I change vpn’s every year or two. JUST changed from SurfShark to the protons vpn, sigh…

I ended surfshark early because they cancelled Andy Ngo’s account with zero recourse when an antifa douchebag lied about Andy. I asked surfshark about this and whether they knew the guy lying was an antifa scum and if they were going to do a little investigating it. Their reply was basically, no investigation, no restoring Andy’s acct and he violated their terms of service. They went woke…

I was going to switch to ExpressVPN but I’d read a report last year I think it was, that they were boxcar’n data to a chinese outfit, in china. So much subterfuge in tech these days…

James
September 13, 2022 6:49 pm

Thanks from one of the non “heavy hitters”.


falconflight
September 13, 2022 9:09 pm

I haven’t had an issue w/ proton. I subscribe to the paid version (about 50 bucks). I’ve subscribed to the PIA VPN for a few years. A big issue, especially if the VPN is headquartered in a Five Eyes nation and liable to disclose subscriber internet history, is whether the VPN can demonstrate that it does NOT maintain logs of subscriber traffic. PIA just sent me their claim of independent auditing reflecting that no logs are being maintained by the company.

PIA Announces Completion of Independent Audit Conducted by a Big Four Firm

Anonymous
September 13, 2022 9:24 pm

Keep the good info coming!

James the Deplorable Wanderer
September 14, 2022 12:07 am

Seems like it would be worthwhile to have a company to set up anonymous coms using servers in various cities that do not keep logs on traffic. That alone would throw a kink in various attempts to surveil everyone – or just refuse to convict ANYONE on ANY count, on the basis that the prosecutors are hiding info that exonerates the defendants, the police are MANUFACTURING info that incriminates the defendants, and the judiciary is not truly independent or apolitical (who cuts the paychecks for the judiciary? Same Treasury that funds the police and prosecutors? ).
After enough “criminals” are released due to hung juries they may get a clue that no one in America believes their bullshit anymore, and we can begin their removal from positions of power and authority – by whatever means are necessary.

Tapped
September 14, 2022 12:27 am

Interesting DNS options. Thanks.

Anonymous
September 14, 2022 6:46 am

a comment about opendns.. they apparently run and maintain some of the most egregious blacklists out there. for example i recently was visiting in the US and discovered that tmobile blocks a LOT of sites, not only through DNS but also by the IPs those names resolve to, and that it all gets redirected to some opendns blocker. creepy.

Robin Banks
September 14, 2022 8:49 am

What about hardware VPN? I have been looking at them and would like opinions.

NBerinKS
September 14, 2022 10:49 am

The TOR browser – wasn’t that created by 2 ex 3-letter-agency employees or contractors? Doesn’t that make TOR suspect? It could just be one big honeypot. Or am I too paranoid?

Floid
September 15, 2022 1:22 pm

Are you going to do “InfoSec for TBP Readers – Part 3” ?? Thanks

Pat H. Bowman
September 15, 2022 2:28 pm

Curious if you have any thoughts about thehelm.com personal email server. Been contemplating getting one as the email would stay in my closet, not on a big tech company’s cloud. At least in theory. They also do file sharing (a la Dropbox), again, keeping the data in my house. In theory, they are all about maintaining personal data security. But it’s hard to trust anyone anymore…

robehr orinsky
September 16, 2022 10:11 pm

I also did notice my trash files were eternal. My subscription is coming up soon and I will chat with them about that. Many times the techie can help you navigate and overcome a fault or limitation.