## The Cryptography of a BlockChain

[Updated on 2019-09-11]

By now you’ve all heard of a blockchain and that it’s the backbone of cryptocurrencies like BitCoin, Ethereum, LiteCoin and others.  I’m not here to tell you that blockchains are the solution to every problem or that blockchains are the next best technology that everyone will use.  You’ve heard that 100 times.  I’m going to explain, in as simple and straightforward a way as possible HOW a blockchain is put together and how cryptography is central and core to the whole thing.

You’ll discover, on your own, that putting a couple of old ideas together creates something phenomenally more powerful than the individual parts summed together.

## First, let’s list the parts:

1. A simple transaction (a record showing a FROM address, a TO address, an amount being transferred, and a time stamp).
2. A “block”, which is just a list of transactions.
3. Hashing (running a one-way math function over all the bytes of a file, a block, or a transaction record) to produce a short value that uniquely identifies that larger chunk of data.
4. Encryption.

That’s it!  No, really!  A block chain and a cryptocurrency contain no more than that.  Well, a cryptocurrency needs computers to do the calculations for the hashing and encryption, etc…, but they just build and validate the block chain.

So, here is what a block chain is in a nutshell:

1. Every transaction that has ever taken place since the creation of the blockchain.
2. The list of transactions is divided into “blocks”.  If you create your own blockchain, you get to decide how big a block is and how many transactions are placed in a block.  In BitCoin, for example, a block used to be 1MB max (it was updated in August of 2017 to be bigger).  A new block is added to the blockchain every 10 minutes… at least, on BitCoin, it’s every 10 minutes.
3. The transaction is digitally signed by the sender so the network can confirm the owner of the cryptocurrency is truly authorizing the transfer.
4. Each transaction in the block has a hash that uniquely identifies the transaction.  No 2 transactions will ever have the same hash.
5. Once all transactions for the next block are ready, the hash from the prior block is added to the new block, and that hash plus all the transactions are hashed to create a final hash of the new block.
6. Critically important:  That prior hash being added to the new block is what LINKS the new block back to the prior block!  That’s what makes it a “chain”.  Each new block references the old one and the new block’s hash is dependent on the old one, which was dependent on ITS older one, and so on, all the way back to the first “genesis” block.  The new hash is the way it is because ALL the older hashes are the way they are.  If any single transaction anywhere in the blockchain were different, so would ALL the hashes be different following that one.

That’s it!  Really, that’s all there is.

But, some really important things have happened as a result of those simple pieces:

• Every processing computer on that network has a full copy of the entire blockchain.
• There’s no central blockchain server.  The blockchain exists ONLY on the hard drives of the machines of the volunteers.

That means a hacker can’t hack “the bitcoin server” and change records, because no such central server exists.  He’d have to hack into EVERY bitcoin node and change it.  (Well, he’d have to hack at least 51% of them).

Something else important happens with the technology:

• When a BitCoin node computes the hash of a block, it doesn’t just compute the hash ONCE, it computes TRILLIONS and TRILLIONS of hashes.  A single home laptop would probably take years to compute that hash.  Why?  The network won’t accept just any hash.  The hash produced MUST match a pre-defined pattern.  Specifically, it has to, by pure chance, come up with a hash that begins with a bunch of zeros.  The number of zeros needed increases over time as computers get faster, to ensure that Moore’s law doesn’t overtake the network.  These hashing computations NEED to take a long time.  MANY BitCoin nodes are competing with each other to find that magical hash value.  The first one that finds it submits it to multiple peers on the network for confirmation.  Confirmation is instant.  Once confirmed, the block is accepted into the blockchain and it’s distributed to every node on the network so they can all add it to their local copy of the blockchain.  And the computer that found the hash is rewarded with 12.5 new BitCoins (worth about \$92,000 at the time of this writing).  Those computers that spend all their time crunching numbers to produce those hashes are called “miners”.

So, why are miners required to compute all those useless hashes only to find yet another useless hash?  Because it has to cost the miners something to do it.  It’s too expensive to do that if there’s no reward, so a hacker is not going to waste their time doing it.  If a hacker tried to submit a false hash, the network would reject the false hash and would ban them from the network.  So, only hashes that actually went through the full AND EXPENSIVE computational process are accepted.

When a miner submits their hash, and it’s confirmed by other miners, that hash is a “proof of work”.

Again, WHY?

Aside from making it too expensive and mathematically improbable to submit false hashes, it makes it impossible to change records in the blockchain.  If you tried to change a record from 24 hours ago, you’d have to rehash its block, then rehash the next block (because remember, the NEXT block was hashed with the prior block’s hash… the one you’re CHANGING!).  You’d have to rehash EVERY block after the one you’re changing.  It takes about \$1,000 worth of electricity to mine a block and thousands of specialized computers to get it done in time.  In a 24 hour period, there are 144 new blocks, so it would cost you \$144,000 to rehash them all.  Every additional 10 minutes further back in time that the transaction you’re trying to alter sits will cost you another \$1,000 in electricity.
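The hash-linking from the nutshell list and the proof-of-work argument from the mining paragraphs above, as an added Python example (it is not code from the original article and it is not how Bitcoin is implemented): each block hashes the previous block’s hash plus its transactions plus a nonce, mining searches for a hash with a required number of leading zeros, and altering one old transaction both breaks validation of every later block and forces all of them to be re-mined. The difficulty of three leading hex zeros, the SHA-256-over-canonical-JSON block format and the sample transactions are constructed assumptions for the demonstration; Bitcoin’s real block format and difficulty are very different.

```python
import copy
import hashlib
import json

# Number of leading hex zeros a block hash must have.  A constructed, tiny
# difficulty so the example mines in well under a second; Bitcoin's target
# is vastly harder.
DIFFICULTY = 3
GENESIS_PREV = "0" * 64  # the genesis block has no predecessor

# Constructed sample transactions, already grouped into blocks
# (FROM address, TO address, amount, time stamp).
SAMPLE_BLOCKS = [
    [{"from": "alice", "to": "bob", "amount": 5, "ts": 1500000000}],
    [{"from": "bob", "to": "carol", "amount": 2, "ts": 1500000600},
     {"from": "alice", "to": "dave", "amount": 1, "ts": 1500000601}],
    [{"from": "carol", "to": "alice", "amount": 1, "ts": 1500001200}],
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tx_hash(tx: dict) -> str:
    """Hash of one transaction; canonical JSON so field order cannot change the hash."""
    return sha256_hex(json.dumps(tx, sort_keys=True).encode())


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    """The block hash covers the prior block's hash, every transaction hash and the nonce."""
    payload = prev_hash + "".join(tx_hash(t) for t in txs) + str(nonce)
    return sha256_hex(payload.encode())


def mine_block(prev_hash: str, txs: list, difficulty: int = DIFFICULTY):
    """Proof of work: try nonces until the hash starts with `difficulty` zeros.
    Returns (block, number_of_hashes_tried)."""
    target = "0" * difficulty
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if h.startswith(target):
            return {"prev_hash": prev_hash, "txs": txs, "nonce": nonce, "hash": h}, nonce + 1
        nonce += 1


def build_chain(blocks_of_txs, difficulty: int = DIFFICULTY):
    """Mine each block on top of the previous one, linking them by hash."""
    chain, prev = [], GENESIS_PREV
    for txs in blocks_of_txs:
        block, _ = mine_block(prev, txs, difficulty)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain, difficulty: int = DIFFICULTY) -> int:
    """Re-derive every hash.  Returns the index of the first bad block, or -1 if intact."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        recomputed = block_hash(b["prev_hash"], b["txs"], b["nonce"])
        if (b["prev_hash"] != prev or recomputed != b["hash"]
                or not b["hash"].startswith("0" * difficulty)):
            return i
        prev = b["hash"]
    return -1


def tamper(chain, block_index: int, tx_index: int, field: str, value):
    """Return a copy of the chain with one transaction field altered; the original is untouched."""
    altered = copy.deepcopy(chain)
    altered[block_index]["txs"][tx_index][field] = value
    return altered


def remine_from(chain, start: int, difficulty: int = DIFFICULTY):
    """Re-mine block `start` and every block after it, as anyone rewriting history must.
    Returns (rewritten_chain, total_hashes_tried) so the cost of the rewrite is visible."""
    rewritten = copy.deepcopy(chain[:start])
    prev = rewritten[-1]["hash"] if rewritten else GENESIS_PREV
    total = 0
    for b in chain[start:]:
        block, tried = mine_block(prev, b["txs"], difficulty)
        rewritten.append(block)
        total += tried
        prev = block["hash"]
    return rewritten, total


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BLOCKS)
    print("honest chain valid:", validate_chain(chain) == -1)
    forged = tamper(chain, 0, 0, "amount", 500)
    print("first block failing validation after tampering:", validate_chain(forged))
    rewritten, work = remine_from(forged, 0)
    print("blocks re-mined:", len(rewritten), "hashes computed:", work)
    print("rewritten chain valid again:", validate_chain(rewritten) == -1)
```

Validation is what every node does when it receives a block: with the chain in hand, anyone can recompute the hashes and spot the first block that no longer matches. The only way to make a tampered chain validate again is to redo the proof of work for that block and every block after it, which is the electricity bill the article is describing.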

Then, you’d have to somehow hack 51% of all bitcoin mining rigs and REPLACE ALL their local copies of the blockchain.

There simply is not enough computer power in the world to accomplish that task, not even if you add all the world’s supercomputers owned by the NSA, Oak Ridge National Laboratories, China, etc…  Because while you’re doing that, the bitcoin network (the fastest supercomputer on the planet), is still churning out new blocks every 10 minutes.  You’d need the combined computational power of the ENTIRE bitcoin network, PLUS MORE to catch up with them.

It’s no longer a hacking challenge, but a thermodynamic problem that you simply cannot do with current technology.  It’s expected that a quantum computer would eventually be able to do that, but the BitCoin developer teams are working on new algorithms safe from quantum exploitation.  Side note:  It’s believed that current AES encryption is likely quantum-safe.

THAT is why any record written to the blockchain is permanent and unalterable.  That was accomplished with extra hashing of blocks and distributing copies of the blockchain all over the network.

# Back to Cryptography

Hashing:  Again, hashing is taking a string of bytes, pushing them through a particular algorithm, and producing a fixed length, unique string of bytes, always the same size (for the SHA256 hashing algorithm, the one that BitCoin uses, that’s 256 bits or 32 bytes long), regardless of the size of the original string.  A hash is non-reversible.  That means that you CANNOT reverse a hash to recreate the original data that was used.  Think of it in the same way you think of the remainder of a division problem.  For example, 13/5 = 2, with a remainder of 3.  But how many other divisions have a remainder of 3?  An infinite number of them.  So, if all you have is the remainder, you have no way to determine what the original 2 numbers were.  That’s roughly how hashing works.

Signing:  For more details on signing, please see Understanding Encryption.

When you transfer digital money on a blockchain,  you digitally sign your transaction to move money out of your “wallet” (again, your wallet address is a hash of your public key).

The network refuses to transfer money from one address to another unless the transaction is digitally signed by the “from” wallet address’s owner.

Encryption:  You don’t really encrypt anything in most blockchains, but I’ll mention encryption here just so it’s not left out of the conversation.  “Signing” and “hashing” are considered subsets of the larger “encryption” concepts.

# Benefits of all these pieces of technology put together:

1. An immutable (unchangeable), public ledger.  You never have to worry about someone changing a past transaction.
2. Decentralized.  There’s no single place that a hacker can attack, no single place a dishonest website owner can manipulate, no single place for a tyrannical government to shut down, and no single company to go out of business, taking everything with it.
3. You are 100% in control of your own cryptocurrency.  No one, not EVEN the government can technologically steal your funds or stop you from sending or receiving money on the blockchain.
4. It’s virtually unhackable, even by someone with resources as deep as, say, the NSA’s.


Check back later for updates too!

# What is RansomWare?

Ransomware is probably the worst kind of malware you can get infected with.  After it gets into your system, it secretly encrypts all your disk drives in the background.  Once it’s done, it notifies you that all your files are encrypted and locked and demands an exorbitant amount of money to be transferred to the thieves (usually via BitCoin) in order to receive the decryption key; sometimes they take your money and never give you the key.  The longer you wait, the higher the ransom, until after about 3 days they delete your key and your files are gone forever.

# Things that do NOT work:

• Encrypting your hard drive.  While it’s good practice to encrypt your hard drive, this does absolutely NOTHING to protect against Ransomware.  It may protect you from external people snooping your data, but if ransomware gets installed on your machine, it has access to your drive while it’s unencrypted, and can then encrypt it with its own keys.
• Backups created using the same PC.  Why would having a backup NOT work against ransomware?  Because again, the ransomware can see and write to your backup drive if it’s accessible from your same PC and it will encrypt that too!

# How I’m protecting myself against Ransomware

• I have 2 drives on my main PC:  A boot drive that contains Windows and the installed applications, and an external, high capacity hard drive where ALL my data goes, INCLUDING my Windows Desktop, and all the special windows folders like desktop, documents, pictures, videos, downloads, etc…
• My boot drive and my external drive are both encrypted (not really a help against Ransomware… just thought I’d mention that they’re encrypted).
• I have a second drive of equal capacity as my data drive and it’s hooked up to an older Linux laptop.
• On the host Windows PC, I created a user account named “Backup” (it could be named anything) with read only access to my main data drive.
• On Linux, I used Veracrypt to encrypt my backup drive that’s connected to it (doesn’t really help against Ransomware, but again, just thought I’d mention it.)
• Running a scheduled backup program on the Linux laptop (Lucky-backup… a GUI for rsync), connecting to my Windows PC over the network with the Windows “Backup” user account. It backs up all of my Windows external data drive to the Linux, encrypted backup drive and runs a differential backup every night.
• Critically, the Windows PC has no direct access to the Linux backup drive.
• My Linux laptop boots off a Linux flash thumb drive and does NOTHING but backup.

# How does this protect me?

By using 2 different PCs, the chances of BOTH of them being infected with ransomware at the same time are very small.  By using 2 different operating systems, the chances of both being infected at the same time are drastically reduced.  While Linux is NOT virus free and is NOT ransomware free, it’s significantly more resilient and will NOT be infected by a Windows ransomware infection.  If, by chance, the Linux machine gets infected with Ransomware, it has only read only access to my data drive on my Windows PC and will not be able to encrypt it.  In either case, I have my full data on the other machine.

# What happens if my Windows machine gets Ransomware?

I’ll reformat all of my Windows drives by booting off a clean flash thumb drive that has Windows installation media.  Then I’ll have to manually re-install my software, which will be a pain, but I have access to all of it.  Then I’ll need to restore my data to my data drive from my clean Linux backup.

# What happens if my Linux machine gets Ransomware?

I’ll reformat all my Linux drives by booting off a clean flash thumb drive and then re-set up my backup system.  My Windows machine at that time should be clean.

# Zero Knowledge

Spideroak.com has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”

Spideroak.com, by the way, is a cloud drive service provider.  Though there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft OneDrive, Amazon cloud storage, DropBox, Box.Net, etc…

In short, if you have full control over your encryption keys and the remote service provider does NOT and cannot decrypt your data, then THAT is zero knowledge encryption.  Never settle for anything less.

## Mobile: Encrypting All Internet Traffic

This is one of many articles in a series I’m writing (Encrypt All The Things! [A Guide]) to cover end-to-end encryption for everything you do in your digital life.  I’ll cover encrypting specific types of internet traffic (like E-Mail, Web sites, etc…) in other articles.

Please read Understanding Encryption first, as it teaches VERY IMPORTANT concepts that you need to know before moving forward here.

This works for rooted AND unrooted phones.

# Big Disclaimer

Before going any further, let’s make one thing perfectly clear on THIS particular encryption.  This does NOT make all your internet traffic encrypted from your phone all the way to the final destination!

# So… What does it do then?

This will encrypt your connection from your phone through and past your ISP.  It protects you from your ISP and anyone snooping on  your local end of the network.  This is great for when you need to use public wifi.  Scammers running a free wifi node will NOT be able to see your data NOR will they know where on the internet you’re going.

# So… What does it NOT do?

Excellent question!  Let’s say you’re browsing a website that’s NOT encrypted (like this page you’re on right now)… Under normal circumstances, anyone snooping your network traffic ANYWHERE on the internet… from your local connection all the way to the connection on my end at my website, can see:

• The URL you’re wanting to visit.
• Anything you type on my search page.
• The contents of the pages my website sends back to you.
• In short, everything is visible and in the clear.

Using the techniques in this article, you’ll be on an encrypted connection from your phone, through and past your ISP to some random computer on the TOR network, to a couple MORE computers on the TOR network, till your connection finally exits the TOR network and gets back on the regular internet, possibly in another country.  From THERE, your connection from THAT computer to my website is entirely unencrypted.

# So… Why use TOR then?

To hide your network activity from your ISP, your cell phone provider network, your employer’s wifi, your local government(s) (including the NSA and GCHQ (the British NSA)), and anyone else snooping on the network near your end of the connection.  It will also hide your IP address from the websites you’re visiting.  You can make yourself appear to be in just about any country you choose.

# Will this guarantee no one can see what I’m doing online?

LOL!  You’re cute when you’re innocent.  Of course not.  NOTHING is 100% safe on the internet, but it’s pretty darn strong protection and causes even the NSA headaches.  Someone with lots of resources would have to be specifically targeting you and it would be very difficult for them, even then.  You’re reasonably safe even against the NSA, but not totally.

# What does it encrypt?

Note that this is a method to obfuscate ALL your internet traffic from your Android device, not just web browsing, but everything, including traffic to and from the Google Play Store, Google searches, and game communication.  Again, it will NOT encrypt an unencrypted connection.  It will encrypt all steps of the connection up to the exit node (see “How does it work?” below).

# How does it work?

There are thousands of computers all around the world volunteering to be part of the TOR (The Onion Router) network.  When you connect to the TOR network, you’re randomly choosing an entry node computer somewhere in the world.  That computer then forwards your traffic to another, randomly chosen computer somewhere else in the world, which then forwards you to yet another computer on TOR somewhere else in the world, which then forwards you to a randomly selected TOR “exit node” computer… a computer on TOR whose purpose is to act as a fake YOU to the sites you visit.  It’s THAT computer’s IP address that your sites will see.

All traffic between you and all the TOR computers that your traffic passes through is encrypted.  The TOR computers do not know of your entire connection path through all the TOR computers you’re connecting through.  ONLY your own device knows that.  This is to prevent malicious adversaries from trying to reverse trace where you are.

# Doesn’t this slow my connection down?

You betcha!  Yes.  Yes it does.  You do NOT want to do this for a first person shooter game.  YOU WILL LOSE!

# Step by step instructions (FINALLY!)

If your device is NOT rooted, you’re going to change your Proxy address to “localhost” and your port to 8118 after you download and install Orbot.  The steps for doing that follow the installation steps below:

1. Download and install Orbot.
2. Optionally, you may want to ALSO install “Orfox”, a browser made to work on the TOR network.  It’s a modified version of the FireFox browser.  It works in tandem with Orbot.  But any browser will work.
3. Launch the Orbot app.
4. Long press on the screen to start Orbot.
5. If you want to appear to be from a specific country, tap the drop down control in the bottom right of the screen and choose your desired country.
6. If your device is rooted, skip the following steps about configuring your wifi connection and go directly to step #11.
7. If your device is NOT rooted, it requires a little more work.  Steps 7-9 will need to be completed every time you connect to TOR.  Go to Settings->Wifi and long press on your wifi connection that you’re connected to and select “Manage network settings”.
8. Now check the box “Show advanced options”
9. Change your Proxy to “Manual”.
10. Change your Proxy Host Name to localhost and your Proxy port to 8118 and tap “SAVE”.
11. If everything worked (and it doesn’t always), you should have a secure connection on the TOR network now.  Open OrBot and click the “Browser” button on the lower left.
12. If you have OrFox installed, it should open OrFox and load a page that tests your connection.  It will tell you if you’re on a safe Tor connection.  If you don’t have OrFox installed, it’ll launch your default browser and do the same thing.  Here are 2 screenshots, one of OrFox and one of Chrome:

If it didn’t work, you’ll see a page like this:

If you see the “sorry” page, launch Orbot, then open its menu and choose “Exit”, then go to step #3 and try again.  There’s no guarantee that this will work all the time.  Some days it works.  Some days it doesn’t.

# How to end TOR and go back to NORMAL networking

1. Open the Orbot app, long press, and Orbot will end the TOR connection.  The onion icon will become gray.
2. Open the menu in the Orbot app and choose “Exit”.
3. Fix your wifi proxy back… Settings->Wifi.
4. Long press your wifi network and choose “Manage network settings”.
5. Click the check box “Show advanced options”.
6. Change “Proxy” back to “None”.
7. Tap save.

You should now have a normal network connection again.  As a last resort, simply reboot your device if networking fails to restore to normal.

## Encrypt Your Entire Non Boot Disk

This is another entry in my list of articles on encrypting your entire digital life…

Encrypt All The Things! [A Guide]

##### Short (VERY short version)
1. Install encryption software.
2. Backup the drive (no, seriously!  DO THIS!)
3. Select an empty drive letter.
4. Select device.
5. Encrypt.

The rest of this shows you the details of those steps.

##### Let’s begin
1. Install VeraCrypt and launch it.
2. Select an available drive letter (your encrypted volume will have this drive letter, NOT the original drive letter).
3. Click the “Select Device” button and choose your drive to be encrypted.  (3 lines for each drive show up.  Choose the line that contains your drive’s current drive letter).
4. From the “System” menu, choose “Encrypt System Partition/Drive”.
5. Follow the directions in the software.

### DO NOT FORGET YOUR PASSPHRASE!!!!!

After that, you’re all done.  Now, every time you reboot, if you want to open your encrypted drive, you’ll need to mount it with VeraCrypt.  SO DON’T YOU DARE FORGET YOUR PASSWORD!  Seriously!  If you forget your passphrase, there’s NO WAY to recover it.  That’s it.  It’s done.  The data on your non boot drive will be gone forever.  You’ll have to reformat your drive and start all over OR pull out the drive and set it aside, hoping you’ll remember your passphrase some day.  I cannot stress this enough.  You CANNOT forget your passphrase!  I recommend storing a HINT of your passphrase in an ENCRYPTED password management tool, like LastPass.  I use the “secure notes” feature to store mine.

Your drive is now much more secure.

This is the sixth entry in my “Encrypt All The Things!” series.

Let’s face it.  Cloud storage SUX!  Why?  Because all of the most popular cloud storage services do NOT provide end to end encryption.  Oh sure, your files travel over an https connection from your PC to their server, but your files are not encrypted with a public key whose private key only YOU have access to.  Sure, the cloud storage providers may encrypt your files (with THEIR keys) AFTER they receive your upload and before they store them on their own drives.

# There’s only ONE option

When it comes to cloud storage, you have only one option for realistic security.  That is, your files MUST be encrypted ON YOUR END before they’re sent over the wire to the cloud storage provider, that encryption on your end MUST be done with your public key, and your private key MUST be a key that ONLY YOU have access to.  It should exist ONLY on your own PC or phone.  PERIOD.  There are no ifs, ands, or buts about it.  This is called “zero knowledge” encryption.

Please see “Understanding Encryption” for a discussion of public/private keys.  It’s kind of critical to your understanding of how to judge whether a cloud storage service is doing it right.

# Zero Knowledge

Spideroak.com, whose own description of zero knowledge is quoted in the Zero Knowledge section earlier on this page, is a cloud drive service provider.  Though there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft OneDrive, Amazon cloud storage, DropBox, Box.Net, etc…

Another one with zero knowledge is Mega.co.nz.  This cloud storage provider was created by the infamous Kim DotCom, who is wanted by the United States government for hosting a similar service for copyright pirates.  So, some reasonable questions have arisen as to the true privacy of this site.  And recently Kim DotCom has come out and said he’s no longer affiliated with Mega and that you shouldn’t trust it, that it’s not safe (but can you trust HIM?).

Anyway, the point is, you need to either encrypt your own files BEFORE uploading them to a cloud service or use a cloud service that does it for you (ON YOUR END!).

# Home Brew

Alternatively, you can do it yourself by manually encrypting your Individual Files then upload the encrypted files to any cloud storage provider you want.  It’s a bit of a hassle, but it will provide you actual protection.  You should note that if you upload your encrypted files, but keep the file names, a LOT can be known about what you’re storing.  Best to zip up the file first (storing the name in the zip file), giving the zip file an arcane name, like the date and time it was zipped, encrypt the zip file (not with the weak ass encrypting provided in the zip products, but with how I describe to encrypt Individual Files), THEN upload it.

# Conclusion

1. Save yourself some headaches and use only “zero knowledge” cloud services and thoroughly research what others have to say about their encryption.
2. Hide your meta-data (file names, folder names, folder structures, etc…) if you’re going to home-brew it.

This is my fifth installment in my “Encrypt All The Things!” series.

Encrypt All The Things! [A Guide]

Today, we will encrypt all (or as much as possible) of your web traffic on Windows, Mac, Linux, & Android.

Your web traffic (what you request to view, what is sent to your browser to view, and what you post back in web forms when signing up for new accounts, uploading your photos, uploading your files…) is all done in clear, unencrypted text unless the page you’re requesting or posting to begins with https://.   That “s” is the critical piece.  That means “secure”.  That means the web page was encrypted at the web server before being sent to your browser and anything you post (or fill in and submit) will be encrypted too.

# But, Not So Fast!

There are several gotchas where that is NOT the case:

1. You might be on an https site, but the site may have been coded poorly and the data you’re filling in might not be going back to an https page.  If so, then your data is being sent back in clear text over the open internet, and THAT’S more important than the page you’re viewing being encrypted (well, in many cases).  The page COULD be coded to post your data back to a non-secure page.
2. Just because you’re on an https site, doesn’t mean that the site owners are trustworthy.  All it means is that the connection between the two of you is encrypted.  If you’re on a phishing website, it’s still the bad guys, even IF it’s encrypted.
3. If you’re at work, it’s entirely possible that your employer has installed their OWN root certificates on YOUR work PC and your employer is acting as a man in the middle.  Even though you may be on an https website on a trusted website like https://google.com, your connection may be encrypted only between your PC and the equipment downstairs in the computer room in the very building you’re in.  Your employer can easily have access to ALL of your web traffic, record it, snoop it, and use it against you.  (We’ll spend some extra time on this one a little later in the article).
4. If your PC already has malware on it, encrypted traffic is pretty much useless because they’ve already gotten behind all your protections and have access to everything you do BEFORE it gets encrypted and sent over the internet.  (Wipe your hard drive and start over.  Not kidding!)

# So, What Do You Do?

1. If the https site is coded poorly and is sending your data back unencrypted, how do you know?  That’s a little complicated and unless you’re a web developer (and even IF you’re a web developer), it’s hard to tell sometimes.  In short, do this on a login page or a web page asking for your personal information:
   1. On your desktop browser, right-click the page and choose “View Source” or “View Page Source” or something similar to that.
   2. Look for something that starts with `<form `, like this from EFF’s website, as an example:
      `<form action="https://supporters.eff.org/subscribe" method="post" class="newsletter-form" accept-charset="UTF-8">`
   3. This is called a form and the “action” tells us WHERE our data goes when we submit it on that page.  Notice that it’s an “https” site?  That means it’s encrypted on our end before going back.  If it’s just “http” with no “s”, it’s being sent back in the clear, with ZERO encryption!
   4. What do you do?  Not much you can do about that.  But you CAN install the TOR browser.  It’ll encrypt EVERYTHING you do in the browser, and pass it through a peer to peer network, hopping through multiple other computers, before finally having the last computer actually send your data to the real website.  But, it’ll have to be unencrypted there before going across the internet to the site you wanted to post to.  You can’t force the website to receive your data encrypted.  You can only encrypt it on your end and pass it along a few PCs before it must be decrypted and sent in the clear.  That’ll at least block your ISP from seeing it, or anyone snooping on your local network.  But it won’t stop a snoop on the OTHER end of the connection.
2. How do you know if your employer is snooping on what you THOUGHT was an encrypted connection?
   1. In Chrome:  Go to any https site, like https://google.com, click on the green padlock, click “connection”, click “certificate information”, click the “Certification Path” tab.
   2. It should not have your company’s name in there.  If it DOES, guess what?  Your employer is decrypting and snooping on your traffic.  They’re playing what’s called a “Man In The Middle”.  This only works because they have control of your PC and have installed their OWN root certificate telling your browser to trust THEIR security certificates as valid owners of Google.com.  NOT COOL!
   3. What do you do about THAT?  Stop using your work computer for anything that’s personal.  That’s the only way out.  I take my own laptop to work, plug in my Android phone to it and share my T-Mobile data connection with my laptop.  I do my web browsing from my laptop and the rest of my work from my work PC.
3. If your PC has malware on it… You might not even know it.  But if you DO know it, for heaven’s sake!  STOP USING IT… like RIGHT NOW!  Reformat your drive, re-install your OS and your software.  That’s the only realistic way to get rid of it all, and stop downloading those stupid toolbars!  Seriously!  Also, don’t download software from sources you’re not 100% certain are widely accepted as trustworthy!
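The “View Source and look at the form action” check from step 1 above, as an added Python example (not code from the original article): it parses the page source for every `<form>` tag, resolves each action against the page’s own URL (a missing or relative action submits back to the page itself), and reports which forms would send your data over plain http. The sample page is constructed for the demonstration; its first form is the EFF form quoted in the article, the other two and the example.org URLs are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record the action and method attributes of every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append({"action": a.get("action", "").strip(),
                               "method": (a.get("method") or "get").lower()})


def check_forms(page_url: str, html: str):
    """For each form, resolve where it submits and whether that destination is https.
    An empty action submits to the page itself; a relative action is resolved
    against the page URL, exactly as the browser would do it."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"]) if f["action"] else page_url
        findings.append({
            "action": target,
            "method": f["method"],
            "encrypted": urlsplit(target).scheme.lower() == "https",
        })
    return findings


def insecure_forms(page_url: str, html: str):
    """Only the forms whose submitted data would travel in the clear."""
    return [f for f in check_forms(page_url, html) if not f["encrypted"]]


# Constructed sample page.  The first form is the EFF example quoted in the
# article; the second (posting to plain http) and third (no action attribute,
# so it posts back to the page) are made up for this demonstration.
SAMPLE_PAGE_URL = "https://www.example.org/signup"
SAMPLE_HTML = """
<html><body>
<form action="https://supporters.eff.org/subscribe" method="post" class="newsletter-form" accept-charset="UTF-8">
  <input name="email"></form>
<form action="http://legacy.example.org/login" method="post">
  <input name="user"><input name="pass" type="password"></form>
<form method="post">
  <input name="comment"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in check_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "OK " if f["encrypted"] else "BAD"
        print(f"{flag} {f['method'].upper():4} -> {f['action']}")
```

Run it against any page source you have saved locally by passing the page’s URL and the HTML text to `check_forms`. Note that the third form only counts as encrypted because the page itself is https; the same markup on an http page would post in the clear, which is why the page URL has to be part of the check.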

# Maximize Your Encryption While Browsing

• You can’t force websites that aren’t using encryption to start using it, so avoid websites that don’t offer https.
• If you’re on a website that’s NOT https, then click in your browser’s address bar, TYPE an “s” right after the “p” in “http” and click “GO”.  Many websites DO offer an encrypted version of their website, but you must manually enter it.
• Better yet, install HTTPS Everywhere.  It’s a browser plugin available for the most popular browsers.  It will do the above step for you by using the https version of any site you go to (if that site has one available).  This will NOT force all your web traffic to be encrypted, but it sure will avoid the non encrypted versions of sites you visit, if at all possible.  NOTE!  You can still get to unencrypted sites and your traffic won’t be encrypted on those sites.

# Stop your ISP, Employer, Family, Neighbors, and Hackers from snooping on your web traffic

I mentioned the TOR browser above.  This is a modified version of the FireFox browser, specially made to route your web browsing traffic through its own sub-network… kind of an underground network of participating servers and PCs around the world.  Normally, when you go to, say, www.google.com, you’re making a direct connection from your PC to google.com.  With Tor, you’re going to a random server around the world on the Tor network, which then forwards you to another random server somewhere else around the world, then to yet another one somewhere else around the world, which finally sends your request to google.com, but from that 3rd machine.  In other words, as far as Google is concerned, a connection was made from that other machine to them, which might be in Russia, China, America, Germany, or anywhere else in the world.  You’ll frequently see ads in other languages because of this.

This protects you from your ISP, your employer (if you can get away with installing TOR on your work PC… but just assume that even if you can, your employer can still see your traffic because they have complete control of your work PC), your nosy family members, nosy neighbors, nosy patrons at the coffee shop, or anyone else nearby that may be snooping on your traffic.

The end result is it’s damned near impossible to tie YOU to whatever you’re doing on the destination website.  It also encrypts ALL your web traffic to and from any website… BUT ONLY ENCRYPTED UP TO THAT LAST PC!  If you’re visiting an unencrypted website, YOUR TRAFFIC WILL BE UNENCRYPTED from that last PC in the Tor network to the final website, and back again.  You MUST understand this.

This should be obvious, but my experience in IT is that nothing ever is, to everyone.  So!  I’ll state this clearly:  The TOR browser does NOT encrypt your web browsing if you’re using Chrome, or FireFox, or Opera, or Internet Explorer, or Edge.  It’s only going to work on web pages you visit WITH the Tor browser.

You have two good solutions on Android.  One’s good.  The other’s even better.  Both options are the Orbot app.  But the difference is whether your Android device is rooted or not.  A rooted Android device gets significantly better security options.

First, go download the Orbot app here from the web, or here from the Play Store.

Orbot, if your device is rooted, can route ALL your internet traffic through the Tor network.  You can also configure it to only send traffic from specific apps through the Tor network.

When your traffic goes through the Tor network, anyone locally snooping on your web traffic has no way of knowing what websites you’re communicating with.  Remember, if the site you’re communicating with is NOT an https site, there will be an unencrypted connection somewhere in the world to your final site.  Don’t trick yourself into thinking it’s fully encrypted all the way through.  It only is for sites that are https.  Tor will protect you from local snoopers.  It won’t protect you from snoopers hacking into the data to the final, unencrypted website.  Got it?  Good!
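
To make the three-hop picture concrete, here is an added toy simulation (my own example code, not part of the original post and not Tor’s real protocol): the client wraps its request in one layer per relay, each relay peels only its own layer, and the exit relay sees the plain request unless the site itself is https.  The SHA-256 keystream cipher, relay names and keys are all constructed stand-ins for Tor’s real AES layers and key exchange.

```python
import hashlib
import json

# Toy onion routing (constructed example). The XOR keystream below is NOT a
# secure cipher; it only makes the layering visible in a few lines of code.

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(relays, destination: str, payload: str) -> bytes:
    """Client wraps the request once per relay, innermost (exit) layer first.
    relays: list of (name, shared_key) for guard, middle, exit, in path order."""
    inner = json.dumps({"next": destination, "payload": payload}).encode()
    cell = _xor_stream(relays[-1][1], inner)            # exit relay's layer
    for i in range(len(relays) - 2, -1, -1):            # middle, then guard
        layer = {"next": relays[i + 1][0], "payload": cell.hex()}
        cell = _xor_stream(relays[i][1], json.dumps(layer).encode())
    return cell

def run_circuit(relays, destination: str, request: str, tls_key=None) -> dict:
    """Returns what each hop learns. If tls_key is given, the request is first
    wrapped end-to-end (a stand-in for an https/TLS session with the site)."""
    payload = _xor_stream(tls_key, request.encode()).hex() if tls_key else request
    cell = build_onion(relays, destination, payload)
    view = {}
    for i, (name, key) in enumerate(relays):
        layer = json.loads(_xor_stream(key, cell))       # peel this hop's layer
        if i < len(relays) - 1:
            view[name] = {"next_hop": layer["next"], "sees_request": False}
            cell = bytes.fromhex(layer["payload"])      # still opaque to this hop
        else:  # exit relay: knows the destination and sees whatever the client sent
            view[name] = {"next_hop": layer["next"],
                          "sees_request": request in layer["payload"]}
    return view

# Constructed per-hop keys (in Tor these come from the circuit's key exchange).
RELAYS = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
```

Run `run_circuit(RELAYS, "www.google.com", "GET /search?q=secret HTTP/1.1")` with and without a `tls_key` to compare what the exit relay can read in each case.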

## Creating an encrypted, virtual disk

This is the fourth post in my “Encrypt All The Things!” series.

Encrypt All The Things! [A Guide]

The prior article was on encrypting a single file.

Encrypt Individual Files (Desktop)

In an effort to increase my privacy and my family’s safety, I’m going through and encrypting everything that’s possible and writing a series of articles on end-to-end encrypting for everything from phone calls to hard drives.

# What you’ll need

• Encryption software (described below, with links – It’s FREE)
• A Windows, Mac, or Linux PC.

# Software

TrueCrypt was one of the most popular disk encrypting programs for a long time, until about a year ago when the author unexpectedly pulled the plug and put some strange text on his website saying that the program was insecure and people need to go find something else.  The whole tech industry was scratching their heads because it had just gone through a very public security audit and been determined to be very secure.  What happened was the author(s) just got tired of supporting it and called it quits.  Fortunately, it was open source and other groups have taken over, forked the code, and have been improving on it.  VeraCrypt is a popular fork of it that I recommend.  You can download it here.  It’s available for Windows, Mac, & Linux.  And it’s fully open source and free and supported by its new authors.

# Virtual Disks

We’ll be making a virtual disk that’s encrypted.  A virtual disk is simply a large file.  VeraCrypt can do its magic and make Windows/Mac/Linux think it’s a disk, so you can read and write files in it, just like on any other hard drive.  In Windows, the virtual disk will have its own drive letter (but only when you “mount” it… when you’re done with it, you “dismount” it and it stops looking like a disk to the OS).

• Click the “Create Volume” button to begin.
• Make sure “Create an encrypted file container” is selected, then click “Next”.
• Select “Standard VeraCrypt volume” and click “Next”.  I’ll let you discover the other features of this product outside the scope of this tutorial.
• For “Volume Location”, click the “Select File…” button and choose a place on one of your accessible hard drives or network drives.  You’ll need to provide a file name.  I recommend giving it an ambiguous name like “Graphics-System.dll”.  This obscures the meaning of the file from intruders.
• Then click “Save”.  Also, make sure “Never save history” is checked.  This prevents intruders from running this app on your machine and seeing where you created your last encrypted virtual disk.
• Click “Next” and if you named it with a file extension of “.dll”, then you’ll get a warning.  It’s OK.  We’re doing this on purpose.
• Now, choose your encryption method.  All of them are good.  Better is using 2 or more of them simultaneously.
• Remember, the tougher the encryption, the slower the encrypting and decrypting.  I recommend clicking the “Benchmark” button and choosing the one that gives you the fastest speeds, unless you have state secrets or secrets that can cause significant harm to you or others; then take one of the options that give you all three.  You might notice that one of them is significantly faster than the others.  If so, then your CPU chip probably has encryption hardware built in, and VeraCrypt will use that if you choose it.  As you can see, AES is drastically faster than the others on my own machine.  That’s because my Intel CPU has AES encryption hardware.  I’m going to choose “AES”.
• For the hash algorithm, SHA-512 is better than SHA-256.  Whirlpool and SHA-256 are similar, but SHA-256 was created by the NSA and Whirlpool wasn’t.  Use that information however you like!  I’m choosing Whirlpool.
• Next, choose the size of your encrypted virtual disk.  This is up to you.  How much space do you need for your encrypted data?  Whatever that number is, it HAS to be less than the available space on whatever drive you’re storing the virtual disk file on.
• Next, choose your password.  This is a pass phrase you’ll need to enter every time you mount the encrypted volume.  Obviously, use something strong, long, and easy to remember, but difficult for others to figure out.  I recommend typing in a full sentence, with punctuation.  CASE MATTERS!  Don’t use famous quotes.  Think of something that is unique to you like, “I hate it when people cut in front of me in line at the movies!@#$”  Be creative!
• After entering and re-entering your pass phrase, click “Next”.  That takes you to the “Volume Format” window where you need to rapidly move your mouse back and forth, up and down, in circles, and everything else in that window to help your computer create a random number to seed the encryption.  The more randomness from you it gets, the better.  Computers are terrible at making random numbers by themselves.  So spend a full minute or two just moving your mouse every which way across that window.  Then click “Format”.

Congratulations!  You have now created your first encrypted virtual disk.  But, in order to USE it, there’s just a little more to do (and this is what you’ll need to do every time you want to mount your encrypted, virtual disk).

Back in the main window of VeraCrypt, pick a drive letter from the list provided (Mac & Linux will be slightly different), then click “Select File” and find your encrypted virtual disk file (you DID pay attention to where you created it, right?).

Then click the “Mount” button and enter the pass phrase you created at the beginning.  Without this passphrase, it will be impossible to access the encrypted data on your virtual disk (even if there’s nothing in it yet, you can’t even mount it without the passphrase).

If you used a system file extension like “.dll” on your encrypted volume, you’ll get another warning when you try to mount it.  Just click OK.  It’s OK, we meant to do this.  We’re trying to fool the bad guys, right?

# You’re Done!

Your encrypted volume is now mounted and ready to use, like any other disk.  “But, can I…”  YES!  It’s just a volume like any other volume.  You can read and write to it exactly like anything else.  You can stream video files to and from it just like any hard disk.

Notice I have mine mounted with the “M” drive letter assigned to it.  You can exit VeraCrypt and your encrypted virtual volume will stay mounted.  When you’re done with this, start VeraCrypt back up, select the volume, and click “Dismount”.

As long as it’s mounted, anyone that has physical access to your machine can access its contents, so be sure to dismount as SOON as you’re done with it.  Also, anyone with NETWORK ACCESS to your machine could have access to the contents of your encrypted volume.  It’s ONLY protected when it’s NOT MOUNTED!  When you’re using it, it’s accessible to other software on your computer!!!

Notice my M: drive in my drives list?

That’s the encrypted volume I just created and mounted.  Yes, it’s a really small disk.  Don’t tell anyone, OK?   I do have bigger ones!  No!  Really!  I do!  Wait!  Where are you going?

## Encrypt Individual Files (Desktop)

This is the 3rd article in a series of articles about encrypting your entire digital life.

Encrypt All The Things! [A Guide]

# Short (VERY short version)

1. Install encryption software.
2. Create your own key pair and import your friends’ public keys.
3. Encrypt a file.
4. Decrypt a file.

The rest of this shows you the details of those steps.

# Review or brush up

Before you go any further, it’s really important that you are familiar with the basics of modern day encryption.  Please review this article on understanding encryption:

Understanding Encryption

I will be using terminology that won’t make sense to you if you have not read the “Understand Encryption” article or are not already fairly familiar with encryption and how it’s implemented in modern technology.

# Let’s begin

1. Install the encryption software, Gpg4win (Kleopatra and GPA come with it).
2. Once installed, you’ll need to import your friends’ public keys (if you plan on sending them anything encrypted) and create your own (if you don’t already have any).
   1. Open Kleopatra (it’s installed with Gpg4win).  It’s a key management application.
   2. Click the “Lookup Certificates on server” button and enter your friends’ names and/or e-mail addresses to see if they have public keys.  If they’re not published, you can easily ask them directly.  Most likely, most of your friends do not yet.  I’d encourage you to get them started on this.
   3. Now, create or import YOUR key pair.  Close Kleopatra and open GPA.  Yes, it’s almost a clone of Kleopatra.  No, I don’t know why there are two of these tools.  But GPA will let you create key pairs.
   4. Open the “Keys” menu and choose “New Key”.
   5. Enter your name (you can’t change this, so choose wisely), then “Next”, then your e-mail address.
   6. Yes, you want a backup copy.
   7. Enter your passphrase… DO NOT EVER FORGET IT!  DON’T BE STUPID – MAKE IT COMPLEX!  I recommend saving it in LastPass.com (get set up with LastPass.com if you’re not already.  It’s TOTALLY worth it (free)).
   8. Right-click your new key and choose “Export Certificate to Server”, which will export your public key to a public key server for others to find so they can send you encrypted data.
3. Now that your contacts’ keys are imported and you’ve created your own key, let’s encrypt a file.
   1. Open Windows Explorer (I said _Windows_ Explorer, NOT _Internet_ Explorer!) and find some file that you’d like to encrypt.
   2. Right-click the file and choose “Sign & Encrypt” (you don’t have to do both signing AND encrypting.  You can do just one, if you like).
   3. In the dialog box, make sure “Encrypt” is selected.  If you’d like to compress it before you encrypt it, be sure to check “Archive files with”, because you can’t compress it AFTER you encrypt it!
   4. Click “Next”, then pick your recipient (who you want to be able to decrypt the file).  If it’s just you, then choose your own key.

To decrypt the file, just right-click it and choose decrypt.  It will know which key was used and will prompt you for the passphrase.
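
The same create-key, sign-and-encrypt, and decrypt steps, driven through the `gpg` command line that Gpg4win (and GnuPG on Mac/Linux) ships with, as an added example of mine rather than anything from the original post.  It assumes a GnuPG 2.1 or newer `gpg` binary on the PATH; the keyring lives in a throwaway temp directory, and the name, e-mail address and passphrase are constructed demo values.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed demo values; use your own sentence-style passphrase in real life.
PASSPHRASE = "I hate it when people cut in front of me in line!"
USER_ID = "Alice Example <alice@example.com>"

def gpg(home: str, *args: str) -> subprocess.CompletedProcess:
    """Run gpg non-interactively against an isolated keyring in `home`."""
    cmd = ["gpg", "--batch", "--yes", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", PASSPHRASE, *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True)

def encrypt_decrypt_roundtrip(plaintext: bytes) -> dict:
    """Step 2: make a key pair; step 3: sign+encrypt a file to it; step 4: decrypt it.
    Returns the exported public key and the decrypted bytes so both can be checked."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)                     # gpg warns on a world-readable homedir
    try:
        # GPA "New Key": a default-algorithm key for this user id that never expires.
        gpg(home, "--quick-gen-key", USER_ID, "default", "default", "never")
        # "Export Certificate": the public key block you would upload to a key server.
        public_key = gpg(home, "--armor", "--export", "alice@example.com").stdout

        src = os.path.join(home, "notes.txt")
        with open(src, "wb") as f:
            f.write(plaintext)
        # "Sign & Encrypt" for the chosen recipient; output lands in notes.txt.gpg.
        gpg(home, "--recipient", "alice@example.com", "--sign", "--encrypt", src)
        # "Decrypt": gpg reads the key id from the file header and only needs the passphrase.
        out = os.path.join(home, "notes.decrypted.txt")
        gpg(home, "--output", out, "--decrypt", src + ".gpg")
        with open(out, "rb") as f:
            decrypted = f.read()
        return {"public_key": public_key, "decrypted": decrypted}
    finally:
        # Stop the agent that gpg started for this keyring, then remove the keyring.
        subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                       check=False, capture_output=True)
        shutil.rmtree(home, ignore_errors=True)
```

Note that, exactly as with the GUI, the encrypted file is only as safe as the passphrase protecting the private key that can decrypt it.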

## Encrypt All The Things! [A Guide]

You want your data to stay out of their hands and eyes?  Then you’d better put on your foil hat, pull up a chair, and pay attention to this how-to on encrypting all your data and all your communications (including phone calls!) and some best practices thrown in for good measure.

From a high level, here are the things we’ll be encrypting.  I’ll break them up into separate articles, because it would be quite a lot to take in all at once.  I’ll be writing these articles over the next couple of weeks, so check back here to see this topic list change from black text to hot links to the published articles.