A (fairly) comprehensive guide to privacy and encryption

I know I’m not the only paranoid bastard around here, so I’ll attempt a
run down of the best programs and practices I’ve come across. Keep in
mind that there’s no such thing as complete security, but this is about
the best it gets.

File Encryption
For storing any private files on disk, I recommend TrueCrypt,
an open source disk encryption application. It blends seamlessly into
Windows and allows you to encrypt entire partitions, devices such as
floppies or flash drives, and also allows you create and mount virtual
disks which are stored in a single encrypted file.

TC supports most major encryptions, including AES-256, Blowfish, CAST5,
Triple DES and Twofish. It also employs a nice little security feature
in the event that you’re forced to reveal your password to somebody; a
hidden volume can be created inside an existing TC volume. Because free
space in TC volumes is filled with random data by the default, it’s
impossible to distinguish this hidden sector from empty space.

Another popular method of file encryption is PGP (see below).

Email Encryption
PGP is a public key encryption method commonly used in emails. The ‘public key’ is in essence a large passcode (example here)
which can be distributed however you like to allow other people to send
you encrypted messages. Despite this key being public, messages
encrypted using it can only be decrypted using your private key, which
you keep to hidden and to yourself. PGP can also be used to encrypt
regular files on the hard disk, but I’d recommend using TrueCrypt for
that, as in most cases the original file will have been present on the
disk before the encryption process took place. With this in mind, it’s
very likely that the original file could be recovered even after
deletion, whereas with TC the original file will be encrypted on the
fly so long as it exists inside a TC volume. A more indepth report on
the innards of PGP can be found here.

Not long ago PGP went commercial and closed source, this along with
(likely fabricated) accusations of NSA backdoors means that some might
be more comfortable with GPG, which essence it’s no different than and open source clone of PGP and is 100% compatible with it.

IM Encryption
The first option for instant messaging users is a protocol known as Secure Internet Live Conferencing, or SILC. It supports all of the features you’d expect to find in an IM protocol, however all communications are encrypted.

Switching from your regular IM programs to a whole new network isn’t
very practical for most people though, so another option is to use the GAIM
client. GAIM allows you to log in with all of your IM accounts at once
and supports AIM, ICQ, MSN, Yahoo, IRC, Jabber, SILC and a few more.
Once using GAIM you can install a security plugin called Off The Record,
which allows you to encrypt IM conversations over any of the supported
networks so long as both participants have OTR installed. Whilst
arguable not as secure as using SILC, the fact that it can be used in
conjunction with regular AIM and MSN accounts makes it worth a look at.

Secure Deletion
As I’m sure most people know by now, when you delete a file from your
computer you do nothing but delete the reference to it in your file
table. The contents of that file are still on your hard drive and can
be accessed in no time at all with any number of file restoration
applications on the market.

Sdelete
from SysInternals is a free command-line program for Windows that
allows for secure deletion of files from your disk, implementing
Department of Defense standards for data deletion. The program allows
you to overwrite a file any number of times with useless data to hinder
retrieval. Specialist hardware and software will always be able to
retrieve some data from the disk, given enough time and resources, but
the more passes you make over the file the harder retrieval becomes.
However the best feature of Sdelete in my opinion is the ability to
securely delete any past files and empty space on a disk. With Sdelete
running on command line only it might not be to some people’s tastes,
but it’s the best free solution I’ve come across, so it’s worth
checking out.

HTTP Privacy
For secure website browsing, the two best solution available are TOR and JAP.
Both achieve similar results in that they encrypt and route your
connection through another server to disguise the user’s online
identity and protect them from any electronic eaves dropping along the
way. Again, as with everything in this post, privacy isn’t guaranteed
and if, for example, a law enforcement agency were willing to invest
the time and effort required to discover where a website request
originated from, they could do just that. Of TOR and JAP, my personal
favourite is the former, admittedly I’m slightly put off by the fact
that JAP was at one time backdoored by the German government. TOR can
also be used to route any network application with support for the
SOCKS proxy protocol, so it’s far from restricted to web traffic.

General Tips

• Grab Firefox
  if you’re not already using it. If you’re like me you’ll want to run it
  as clean as possible, disable caching, cookies, history, address
  saving, form/password saving, etc.
• Ccleaner
  is another useful free tool; clears usage history for a ton of
  applications as well as Windows itself, can be set to run automatically
  on start up.
• TweakXP is a handy tool from Microsoft which can be used to disable document history, run history, address bar history, etc…
• To
  get into the habit of using different passwords for all of your
  accounts, using symbols as well as upper and lowercase alphanumeric
  characters. Most brute force password crackers will only attempt
  lowercase passwords up to about 8 characters; so don’t make the job any
  easier.
• I can’t count the number of people I know who have had
  accounts stolen via the ‘secret question’ function. It doesn’t matter
  how strong your password is, if you’re reminder question is something
  as simple as a pet’s name it’s not going to do any good; you’re giving
  an attacker an easy way to circumvent your password. If you’ve got a
  good memory it’s worth using an incorrect or irrelevant secret answer.

Most of what’s in this post is irrelevant for most people’s purposes,
but they do give peace of mind. As I’ve mentioned, there’s no such
thing as complete anonymity and security, but the solutions detailed in
this post will certainly help.