A Selection of Privacy, Information Security and
It is a frequently expressed view among computer security experts that
information security must "just work", hidden from the view and
requiring no end user's understanding or knowledge.
This is a fallacy: without a good understanding of the fundamentals, an
end user will invariably make some seemingly trivial error that will, unknown
to him, completely subvert the security of the system. Without knowledge
of the fundamentals, it is difficult to differentiate between trivial and
significant issues, or between minor and critical errors. Does this matter?
It depends on the circumstances, but one thing is certain: without such
knowledge the participation in any activity that requires a high level of
digital security is, at best, imprudent.
Security requirements depend greatly on the value of the confidential
information, on the technical capabilities of the adversary and on the cost
in time, effort and discipline that an owner is prepared to invest in order
to protect his or her data or communications. Collectively, the definition
of these factors is known as the threat model. A software tool or a
protocol that is a reasonable solution for one threat model might be totally
inadequate for another.
What follows is therefore not a set of magic bullets, but a list of tools
and learning resources that are more often than not worth considering.
Section 1: products that everyone should know about (and probably use)
Opera Browser: better way to surf the 'net
Browser with a built-in ad blocker and free VPN. After the installation,
remember to replace Google as a default search engine with DuckDuckGo
(see below) and carefully examine and adjust all Privacy & Security settings.
Spamgourmet: E-mail re-direction and spam protection
If you give your email address to everyone, you are bound to receive spam
emails, and you won't know where they came from. This long-lived service is
one of the most convenient and effective anti-spam and e-mail privacy-enhancing
tools on the 'net. (Update: Currently (2019 Q2), Spamgourmet has disabled
creation of new accounts).
Duckduckgo Search Engine: no tracking, no ad targeting,
"We don’t store your search history. We therefore have nothing
to sell to advertisers that track you across the Internet."
DuckDuckGo web site includes useful privacy tips in form of
a "product Blog".
KeePassX password manager
KeePassX is a cross platform, light graphical interface program that saves
many different types of information e.g. user names, passwords, urls,
attachments and comments in one single encrypted database, protected
by a password and/or key-files.
Encryption Wizard file and folder encryption software
Simple, strong, Java-based file and folder encryption software for protection
of sensitive information. Without requiring a formal installation or elevated
privileges, EW runs on Microsoft Windows, Mac OS X, Linux, Solaris, and many
other operating systems.
Notex: a different approach to encrypted email
Notex, a program similar to Windows Notepad, exchanges encrypted or decrypted
text with any POP mail-client program or (if you are using web-mail) the browser,
via the clipboard. It is quite unorthodox in that it uses single secret key that
both the sender and recipient must exchange via a personal contact or a trusted
channel. While this requires some effort, the communication is extremely
resistant to the e-mail content surveillance commonly performed with the
cooperation of Internet service providers and/or mail service providers,
or by exploiting SSL Internet infrastructure weaknesses. It requires no
special installation and works on all versions of Windows and on Linux via Wine.
TrueCrypt: encrypt data on your computer; Wikipedia article
Now abandoned by the original developers, this open source freeware utility performs
what is known as "on-the-fly" encryption. It can create a virtual "encrypted disk"
within a file, or encrypt a partition so that a user can have disk-resident data safe
from an adversary who has stolen or sequestered his computer while the device was
powered down. (System partition encryption capability of TrueCrypt should be avoided).
While discontinued, it is still considered safe to use. There are many archives
on the 'net from which it can be obtained, the most reliable is probably
TrueCrypt archive on Gibson Research Corporation Website.
Signal: a messaging application for "smart phones"
Best of the bad lot among messaging applications for the current generation of
consumer mobile telephony devices (i.e., Android/Google and iOS/Apple). The idea
of secure communication using devices jointly owned and completely controlled by
hardware vendors and communication service providers is debatable at best. This
application, at least, has open source, and can (on Android) be "side-loaded"
from an application install bundle provided directly by the developers.
The application source code (both the server and the device programs) has been
reviewed by independent information security and software engineering experts.
On the other hand, Signal user-id is her telephone number and, much worse, in an
attempt to gain the share of the crowded market of mobile telephony messaging
applications, the operators of the system make it quite trivial to compose the
lists of users and their Signal id's. There are some techniques to thwart such
exposure, but they are not simple to implement or foolproof.
Section 2: basic learning resources
Electronic Frontier Foundation: the leading nonprofit
organization defending civil liberties
Learning resource: not complete, not error-less, but a good place to start
learning about the privacy and information security landscape. The link
above leads directly to their "Tips, Tools and How-tos for Safer On-line
Communications" web page, but the rest of the web site is also well-worth
Zdziarski's blog article "Protecting Your Data at a Border
Learning resource, an overview of issues surrounding inspection of digital
devices by various Customs and Immigration agencies. The rest of the blog
is interesting, but often at the information security expert level.
Section 3: advanced products and topics
Tor: software and an open network that defends against traffic
The Tor network is a group of volunteer-operated servers that allows people to
improve their privacy and security on the Internet. Note however that extremely
aggressive surveillance techniques, normally used only against specific, high-value
targets can break Tor. Additionally, Tor slows down the network traffic to a degree
that makes it unsuitable for high-volume applications.
Tails, a live operating system that can be run from a USB stick
or a DVD
Tails is a complete operating system designed to be used from a USB stick or a
DVD independently of the computer's original operating system, in order to preserve
user's privacy and anonymity. It helps one to use the Internet anonymously and
circumvent censorship almost anywhere you go and on any computer but leaving no
trace unless you ask it to explicitly.
Burp: clean cypher-text file encryption utility
File encryption utility that produces encrypted file that consists entirely of
a random data stream - it can not be easily detected or "provably identified" as
cipher-text, as long as the key is secure, or unless it is broken cryptographically.
GnuPG simplified: GnuPG without the W-O-T crud
In its original form, GnuPG "public key" e-mail encryption program is a
product of unmatched cryptographic strength, unfortunately tightly integrated
with a naive and horrendously complex W-O-T ("web-of-trust") public key
authentication scheme. In addition to the complexity which restricts its
use to a niche of devotees, W-O-T completely subverts user's privacy.
This site outlines a method for using GnuPG without the W-O-T infrastructure.
Introductory text includes an explanation of the mechanics of public key
(aka. "asymmetric") cryptography.
Lord: Large Opaque Removable Device backup
In many instances (see, for example, Zdziarski's blog article above) it can
be advantageous not to store any confidential data on the laptop computer disk,
but keep it instead on an encrypted external USB flash memory "drive", which is
"mounted" only when the computer is in active use.
Such "drive" should be regularly backed up, preferably in its "opaque",
i.e., encrypted state. This can be an onerous operation for large-capacity
devices. This program and the accompanying documentation provides a quick
and reliable method for performing such backups.
Section 4: advanced learning resources
Schneier on Security: Blog by Bruce Schneier
Schneier is author of many books, most notably "Applied Cryptography - Protocols,
Algorithms, and Source Code in C". His newsletter ("Crypto-Gram") provides monthly
e-mail summary of the events and developments in the field of cryptography and
Financial Cryptography: "Where the crypto rubber meets the Road
Another expert-level blog, focusing on the information security of financial
This page is periodically revised. Date of last revision: 2019-10-30
Comments and suggestions are welcome. Please write to: