A Selection of Privacy, Information Security and
Cryptography Links

It is a frequently expressed view among computer security experts that information security must "just work", hidden from view and requiring no understanding or knowledge on the part of the end user.

This is a fallacy: without a good understanding of the fundamentals, an end user will invariably make some seemingly trivial error that will, unknown to him, completely subvert the security of the system. Without knowledge of the fundamentals, it is difficult to differentiate between trivial and significant issues, or between minor and critical errors. Does this matter? It depends on the circumstances, but one thing is certain: without such knowledge the participation in any activity that requires a high level of digital security is, at best, imprudent.

Security requirements depend greatly on the value of the confidential information, on the technical capabilities of the adversary and on the cost in time, effort and discipline that an owner is prepared to invest in order to protect his or her data or communications. Collectively, the definition of these factors is known as the threat model. A software tool or a protocol that is a reasonable solution for one threat model might be totally inadequate for another.

What follows is therefore not a set of magic bullets, but a list of tools and learning resources that are more often than not worth considering.

Section 1: products that everyone should know about (and probably use)

Opera Browser: better way to surf the 'net
Browser with a built-in ad blocker and free VPN. After the installation, remember to replace Google as a default search engine with DuckDuckGo (see below) and carefully examine and adjust all Privacy & Security settings.

Spamgourmet: E-mail re-direction and spam protection
If you give your e-mail address to everyone, you are bound to receive spam, and you won't know where it came from. This long-lived service is one of the most convenient and effective anti-spam and e-mail privacy-enhancing tools on the 'net. (Update: currently (2019 Q2), Spamgourmet has disabled the creation of new accounts.)

Duckduckgo Search Engine: no tracking, no ad targeting, just searching
"We don't store your search history. We therefore have nothing to sell to advertisers that track you across the Internet." The DuckDuckGo web site also includes useful privacy tips in the form of a "product blog".

KeePassX password manager
KeePassX is a cross-platform, lightweight graphical program that stores many different types of information (e.g., user names, passwords, URLs, attachments and comments) in a single encrypted database, protected by a password and/or key files.

Encryption Wizard file and folder encryption software
Simple, strong, Java-based file and folder encryption software for protection of sensitive information. Without requiring a formal installation or elevated privileges, EW runs on Microsoft Windows, Mac OS X, Linux, Solaris, and many other operating systems.

Notex: a different approach to encrypted email
Notex, a program similar to Windows Notepad, exchanges encrypted or decrypted text with any POP mail-client program or (if you are using web-mail) the browser, via the clipboard. It is quite unorthodox in that it uses a single secret key that both the sender and the recipient must exchange via personal contact or a trusted channel. While this requires some effort, the communication is extremely resistant to the e-mail content surveillance commonly performed with the cooperation of Internet service providers and/or mail service providers, or by exploiting weaknesses in the SSL Internet infrastructure. It requires no special installation and works on all versions of Windows and on Linux via Wine.

TrueCrypt: encrypt data on your computer; Wikipedia article
Now abandoned by the original developers, this open source freeware utility performs what is known as "on-the-fly" encryption. It can create a virtual "encrypted disk" within a file, or encrypt a partition, so that a user can keep disk-resident data safe from an adversary who has stolen or sequestered his computer while the device was powered down. (The system-partition encryption capability of TrueCrypt should be avoided.)

While discontinued, it is still considered safe to use. There are many archives on the 'net from which it can be obtained; the most reliable is probably the TrueCrypt archive on the Gibson Research Corporation web site.

Signal: a messaging application for "smart phones"
Best of a bad lot among messaging applications for the current generation of consumer mobile telephony devices (i.e., Android/Google and iOS/Apple). The idea of secure communication using devices jointly owned and completely controlled by hardware vendors and communication service providers is debatable at best. This application, at least, is open source, and can (on Android) be "side-loaded" from an application install bundle provided directly by the developers. The application source code (both the server and the device programs) has been reviewed by independent information security and software engineering experts. On the other hand, a Signal user's id is her telephone number and, much worse, in an attempt to gain a share of the crowded market for mobile telephony messaging applications, the operators of the system make it quite trivial to compile lists of users and their Signal ids. There are some techniques to thwart such exposure, but they are neither simple to implement nor foolproof.

Section 2: basic learning resources

Electronic Frontier Foundation: the leading nonprofit organization defending civil liberties
Learning resource: not complete, not error-free, but a good place to start learning about the privacy and information security landscape. The link above leads directly to their "Tips, Tools and How-tos for Safer On-line Communications" web page, but the rest of the web site is also well worth visiting.

Zdziarski's blog article "Protecting Your Data at a Border Crossing"
Learning resource: an overview of the issues surrounding the inspection of digital devices by various Customs and Immigration agencies. The rest of the blog is interesting, but often at the information security expert level.

Section 3: advanced products and topics

Tor: software and an open network that defends against traffic analysis
The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Note, however, that extremely aggressive surveillance techniques, normally used only against specific, high-value targets, can break Tor. Additionally, Tor slows down network traffic to a degree that makes it unsuitable for high-volume applications.

Tails, a live operating system that can be run from a USB stick or a DVD
Tails is a complete operating system designed to be used from a USB stick or a DVD, independently of the computer's original operating system, in order to preserve the user's privacy and anonymity. It helps one to use the Internet anonymously and circumvent censorship almost anywhere and on any computer, while leaving no trace unless explicitly asked to.

Burp: clean cypher-text file encryption utility
File encryption utility that produces an encrypted file consisting entirely of a random-looking data stream; it cannot be easily detected or "provably identified" as cipher-text as long as the key remains secure and the cipher is not broken cryptographically.

GnuPG simplified: GnuPG without the W-O-T crud
In its original form, the GnuPG "public key" e-mail encryption program is a product of unmatched cryptographic strength, unfortunately tightly integrated with a naive and horrendously complex W-O-T ("web-of-trust") public key authentication scheme. In addition to the complexity, which restricts its use to a niche of devotees, W-O-T completely subverts the user's privacy. This site outlines a method for using GnuPG without the W-O-T infrastructure. The introductory text includes an explanation of the mechanics of public key (a.k.a. "asymmetric") cryptography.

Lord: Large Opaque Removable Device backup
In many instances (see, for example, Zdziarski's blog article above) it can be advantageous not to store any confidential data on the laptop's disk at all, but to keep it instead on an encrypted external USB flash memory "drive", which is "mounted" only while the computer is in active use.

Such a "drive" should be regularly backed up, preferably in its "opaque", i.e., encrypted, state. This can be an onerous operation for large-capacity devices. This program and the accompanying documentation provide a quick and reliable method for performing such backups.

Section 4: advanced learning resources

Schneier on Security: Blog by Bruce Schneier
Schneier is the author of many books, most notably "Applied Cryptography - Protocols, Algorithms, and Source Code in C". His newsletter ("Crypto-Gram") provides a monthly e-mail summary of events and developments in the field of cryptography and information security.

Financial Cryptography: "Where the crypto rubber meets the Road of Finance..."
Another expert-level blog, focusing on the information security of financial systems.

This page is periodically revised. Date of last revision: 2019-10-30
Comments and suggestions are welcome. Please write to: