Security and Whistleblowing with Signal and Moxie Marlinspike


New Orleans   Not long ago in the Edinburgh office of ACORN, I got a crash course in some simple things about basic email and text protection from spying and other weirdness thanks to one of our leader/organizers, Jon Black, who has done a deep dive on some of this stuff, so now that everyone is looking over our shoulders, maybe it’s time to share some tips.

I had fooled Black and masked my basic techno-peasantness because I knew about the legendary Moxie Marlinspike who is seen by many as the world’s expert on encryption. Of course I only really knew about Marlinspike because I had read a number of articles by him, thought the name was fantastic, and liked the fact that he was not your standard issue Silicon Valley greed grubber. Jon has actually read all of the terms and conditions so he was able to explain to me exactly why Moxie’s Signal was better than WhatsApp, which Marlinspike also developed and is now owned by Facebook. There was an important difference involving setting specific controls on WhatsApp for the user to be notified if someone was creeping up on their account, which are automatic for Signal. At least I think that’s what he told me.

But, anyway, Signal is actually owned and run by Marlinspike, so that should just be enough. Importantly, when WikiLeaks dropped the dime on the CIA at first I shouted out for Jon that they had managed to break through the encryption at Signal, but that was wrong. I heard the Moxie-man on the radio and he made it very clear, and it’s been confirmed elsewhere since, that they cracked the smartphones, not the apps. Of course one thing is still important to remember. To really encrypt your phone calls, video calls, and texts on Signal, the other party also needs to be on Signal. It’s an easy switch, and I’d recommend it as a “why not be safe rather than sorry” move.

Another recommendation for moving in this direction came from some tips I saw recently in the magazine, “Wired,” for being a leaker or whistleblower and hoping to protect your anonymity. When it came to doing so with a phone they made the following suggestions, which many would have known from any close viewing of the great HBO series, “The Wire”:

“Buy a burner – a cheap, prepaid Android phone – with cash from a nonchain store in an area you’ve never been to before. Don’t carry your regular phone and the burner at the same time, and never turn on the burner at home or work. Create a Gmail and Google Play account from the burner, then install the encrypted calling and texting app Signal. When you’re done, destroy the burner and ditch its corpse far from home.”

They never say the words GPS, cell tower triangulation, or Stringer Bell, but almost all of these cautions underscore the fact that when you’re rolling with your phone – especially if it’s switched on – anyone and everyone can track you anywhere and anytime. Regardless, I would call those instructions a huge product endorsement for Signal as top of the line, best in class now especially for the price. Heck, it’s free, so you get more security for nothing. What’s to lose?


A Funny Thing Happened on the Way to….America?

Signal-encryption of WhatsApp

Denver    The modern world is a conundrum in an exploding time capsule. Every time we make the mistake of thinking that what we’re reading in the news is strange, exotic or frightening, we are still surprised when we trip over it, and it slaps us up the side of our faces.

I thought this as I read my email yesterday and got a delayed message from one of ACORN’s ace organizers in France. The first message was usual business, following up on this and that, but I scratched my head as he referred to an earlier message he had sent, as if I had received it already. And, later I did, and that was weird, and the message was disturbing. Despite his having a pre-approved visa to visit the United States, including spending a week in New Orleans later in August for extensive planning with me at our offices, he had been denied access to the airplane and told that his visa had been inexplicably revoked yesterday. He was hit by a bolt of lightning out of nowhere.

This has happened to me twice earlier this year as I was denied a visa renewal – with no explanation – to India. I’m the least paranoid person in the world. I assume “they” know everything and just keep on rolling, putting it in the category of something like a hurricane – past my ability to control or predict. Today though, I found myself reading closely a story in Wired about a crack encoder and rebel with many causes with the nom de guerre of Moxie Marlinspike who had developed a super encryption program called Signal which is embraced by all the right people and feared by all the wrong people. I’ve never been an encryption guy, partly because as a techno-peasant, who is still not sure Windows 10 is even a good thing and pretty certain I don’t have 4 to 6 hours to do the changeover, I always worry that if I encrypt my emails, I won’t be able to get in them, but all of this is getting worrisome to me. I also don’t like coincidences.

In this case maybe there’s an explanation, but in every case “maybe there’s an explanation,” but that doesn’t mean that the ways we want to rationalize events match reality. On my India visa, I continue to hope that I just filled out the application incompetently, even though I applied twice with the same result, and my local Congressman’s office who promised assistance isn’t responding to my calls and emails anymore.

In France, in the wake of the recent massacre in Nice, the president had renewed a state of emergency through July 26th, which was the day my colleague was flying. Did he get caught somehow in that mess? He speculated that the fact that he had been in Lebanon and Syria a decade ago might have red flagged him in these crazy “end” times. Maybe work in Tunisia and Morocco was also a problem. Who knows?

And, that’s my point? Who knows how national security forces are working these days? The Obama Administration might not have gone all Trump on keeping people out of the USA, but when the French and Americans put their heads together and add an “excess of caution,” as they call it, with no explanation ever offered or available, maybe the Moxies and the rest of the gang are on the right track, and I’m the last citizen of Lulu-land.

Meanwhile, I read that Trump is asking Russia to get its hackers on the job to cough up more emails lost on Hillary’s server. If he were living on Pennsylvania Avenue, would any of us – I mean people like me – be able to travel at all?

What was the name of that encryption program, Moxie? Was it Signal? Is there a user friendly techno-peasant version for the rest of us?