One of our aims in creating Surveillance Self-Defense (SSD) is to provide a resource for combatting online spying that is quickly and consistently updated to keep track of current events and the changing capabilities of both protective tools and the attackers they defend against. We'll be blogging regularly here to catalog the clarifications, corrections and new information we've added to the site.
Many of these changes are based on reader feedback. We'd like to thank everyone for all the messages you've sent and encourage you to continue providing your notes and suggestions, which help us preserve SSD as a reliable resource for people all over the world. Please keep in mind that some feedback may take longer to incorporate than others, so if you've made a substantive suggestion, we may still be working on it!
On a *nix operating system, we recommend using sfill, part of the secure-delete package, to securely delete anything left in the free space of your drive. Secure-delete is available for Debian, Mint, and Ubuntu but is not installed by default, so you’ll probably need to install it using your distribution’s package management software (sometimes known as a “Software Manager”). (If you use RedHat, Fedora, OpenSUSE, or Mandriva, and know how to use alien to convert packages from deb format to rpm, you can find the deb for secure-delete here.) The article explains what to do once it's installed.
An issue was found with Adium notifications on OS X; they are logged by default, meaning there is a record of Adium chats even if logging is turned off. The article now explains how to disable Adium notifications so they will not be logged by the underlying operating system.
While Pidgin's download page uses "HTTPS" and is therefore relatively safe from tampering, the website it directs you to for downloading the Windows version of Pidgin is currently SourceForge, which uses unencrypted "HTTP" and therefore offers no protection. That means the software could potentially be tampered with before it reaches you. The article expands on the level of this risk, based on your threat model.
If you use two-factor authentication with Google (and depending on your threat model you probably should!) you cannot use your standard Gmail password with Thunderbird. Instead, you will need to create a new application-specific password for Thunderbird to access your Gmail account. See Google's own guide for doing this.
Additionally, we flagged that in October 2014, the GPG Tools team, who package GPG for the Mac OS X platform, announced that they would soon be charging for GPGMail, the part of their package that lets you use GPG with Apple's Mail application. Because our PGP guide for Mac explains how to use GPG with Thunderbird, it doesn't require that component. You can just use the zero-cost part of the GPG Suite. In addition, all of these tools are "free software" in the FLOSS sense: you are still allowed to freely examine, edit and redistribute GPGMail's underlying source code. For more information, see GPG Tools' own FAQ on their decision.
Several of you asked why RedPhone and TextSecure cannot be downloaded without signing up for Google Play. In the guide, we explain that to prevent tampering or data collection by third parties, it would be better if this software were downloadable outside of Google's "Google Play" app store. Unfortunately, for now, these programs use some of Google's infrastructure for software updates and for "push" notifications, which requires using their store ecosystem. You can read more about the creators' reasoning for this decision here.
Dates that indicate when articles were last updated are now present at the bottom of each guide.
In the News
- Open Whisper Systems (makers of RedPhone and TextSecure) recently announced an agreement with Facebook's WhatsApp to include compatible encryption in its proprietary Android client; we hope to document this alternative shortly.
- Detekt is a new malware detection tool, aimed at protecting activists and others targeted by illicit state surveillance.
- EFF examines what security protections popular messaging services provide.
- We're also working to ensure that websites will be able to offer their users encrypted connections much more easily.
- The Tor Browser will soon be unavailable for older (Mac OS X 10.6) Macs.