Communication Channels

When setting up a communications plan with radios, you select several frequencies and number them into "Channels". When building a communications plan with the internet, setting up a channel is not as simple as selecting a single frequency. There are numerous messaging apps, services, and dead drops. Before discussing how to build an internet communications plan, we will discuss what the options are for channels, we will cover the actual communications plan next chapter.

Normie Phone Messaging

Essentially all popular messaging and social media apps will be sharing metadata and content with corporate and state level interests. Facebook has been known to censor certain terms and videos in private messages. In some cases they say "message could not be sent", in others they pretend to send it but it never arrives at the recipient.

Unfortunately, most people you know will be using atleast one of these, friends, family, and extended family. Depending on who the communications plan is for, you will likely want to have the preferred popular app among people you know as part of your communications plan. You tell the people on the communications plan to consider any direct messages on their favorite app to actually be a group message with corporate and state interests, and have a keyword to switch to a more secure channel when necessary, but I am getting ahead of myself. It's not preferred, but you likely will need it on your plan.

Instead of an exhaustive list, consider anything that is not "open source" to be fully compromised. But even some options that are partially or complete open source I still consider compromised.

Open source refers to code that is released for public vetting of the app. This allows you to build the app into a "Binary" so that it can run on your system. Code has to be built into these binaries before it can run.

Signal

Speaking of compromised open source apps, Signal claims to have an open source client, but some people have noticed that the Signal app you download from the app store is not the same size as an open source build. That implies that the Signal app has different code then what they publicly released. Not to mention that the server is closed source. It is best to assume that Signal is compromised.

Telegram

Telegram also open sourced their client, and the support "reproducible builds" to prove that the apps are the same as the code they released as open source. However, Telegram does not support running your own server, so I would consider it only slightly better than Signal.

Monolith vs Decentralized

The apps I've mentioned so far use "Monolith" servers, as in you cannot run your own server. This introduces a single failure point where you can be censored, shut down, or even have your account taken by the owners of the server.

The opposite is called decentralized, where your account is not part of the server infrastructure at all. There are Tor based messengers that do not use servers at all, but there are also decentralized protocols that use servers that only convey messages and do not store accounts. The problem with decentralized servers is usually the lack of consistent notifications.

Server-less messaging apps like the Tor based apps, usually require both people online at the same time in order to work. If you are not online, your app is incapable of receiving messages. If you are online but the person you are trying to talk to is not, you are unable to send.

These are two Tor based decentralized messaging apps, desktop only.

GitHub - TokTok/c-toxcore: The future of online communications.GitHub

Toxcore

GitHub - blueprint-freespeech/ricochet-refresh: Anonymous peer-to-peer instant messagingGitHub

Ricochet Refresh

This is a server based decentralized messaging app for phones. It is possible to use on desktop, but it's not meant for it.

GitHub - simplex-chat/simplex-chat: SimpleX - the first messaging network operating without user identifiers of any kind - 100% private by design! iOS, Android and desktop apps 📱!GitHub

SimpleX

Briar

Briar is a Tor based decentralized messaging app worth of special mention. It is meant to run on phones, but there are desktop apps that he has available for testing with most features. He also as a "Brair Maildrop" app that can run in the background and accumulate messages while the default Briar app is offline.

In order to use the Briar app, you have to select a passphrase to encrypt the contents of all the Briar messages stored on your phone. In theory this makes the app more secure, practically, state level threats will either force you to enter in the password or throw you in jail for failure to provide passwords.

The best way to send messages is not using an app at all, which I will discuss near the end of this chapter with dead drops. Briar is still one of the best messaging apps against small time and corporate threats. While it's not good enough for state level threats, people might think it is.

This is the greatest danger with Briar, that you will rely on it more than proper tradecraft. But Briar is still one of the best options for balancing security with ease of use.

Secure messaging, anywhere - Briar

Briar

Federated

There is a type between "Monolith" and "Decentralized" called "Federated". In fact, the oldest messaging software available right now that everyone still uses is Federated.

It's called email.

Federated is when you run your own server, and other people can run their own server, but your server can communicate with other people's servers so you can message more than just the people on your own server.

When you setup an email account, such as user@gmail.com, you can send emails to anybody on Gmail, or on other mail servers like yahoo. But if you setup user@yahoo.com, with the same username, it's still a different user. Your user information is tied to the server.

There is still a centralized authority in this method, gmail.com and yahoo.com are controlled by ICANN. All "domain names" such as facebook.com and twitter.com rely on ICANN. You can purchase a domain name from ICANN if it isn't already taken by godaddy.com or similar services. But ICANN has no idea what users you are running.

I've only heard of one person having his domain name taken. He sold facemasks that are see-through, to make it clear that the mask does nothing, but still complies with mask guidelines. He also sold facemasks that are just as easy to breath through but are not see through so you can breath normally incognito. He has his domain taken away from him twice. This is the only instance I've heard of this.

Email has some of the advantages of both Monolith and Decentralized services. Unfortunately there are not many truly Federated options.

Matrix

Matrix claims to be a federated system, and is technically open source, client and both servers. Yes, this app requires two separate servers in order to work. Smell a scam? There is.

One server is the "Identity Server", which stores account information, and the other is the "Home Server", which stores all of your messages. You can host your own home server, and connect to other home servers just like you would with email.

But there's a problem, the other home server has to be using the same identity server that your server is running. If you use the default identity server, then the owners of Matrix has your account information. But if you host your own identity server, you will be unable to connect to any other home servers.

So your options are to give your Metadata to the owners of Matrix, who have close ties with the French government, or run your own identity server and essentially have a non-Federated system.

You essentially need to run two servers to make Matrix somewhat secure, and lose one of it's best features. Not exactly an ideal option, but it's still one of the best options on the market at this time.

The app you download on your phone or computers to use the Matrix is called Element.

Element | Secure collaboration and messaging

Element

Matrix.orgMatrix.org

Matrix

Messaging without an app

You don't necessarily need an app to send messages to people, Facebook Messenger can be used without an app, Twitter Direct Messages do not require an app, and in face Matrix servers don't always require an app. This helps reduce metadata stored on your device.

Some friends of the Warrior Poet Society and T-Rex Arms setup a Matrix Home Server and Identity Server that is available to the public. This is an excellent option to use Element/Matrix if you don't have the technical knowledge to run your own servers.

Greyman NetworkGreyman Network

Greyman Network

Internet Dead Drops

The ultimate in secure communication is to use "Internet Dead Drops". You connect to a service on the internet, place your content there, and leave. You can use this technique to store files for later retrieval by yourself. In this way you can keep no import data on yourself. You can also share a dead drop location with someone else to communicate messages or data. Unlike decentralized methods, the person you are communicating with does not have to be online for you to drop a message in.

The classic example of an internet dead drop is to use an old forum, such as a birdwatching forum. Simple choose a thread on the forum to drop in your content in and leave it there.

You are only limited by your creativity in choosing a dead drop location, but there are a few things to consider. Modern websites use algorithms to decide what to show you, so using a popular website can make it difficult to find the message unless you have a long term account on that website.

For example, you can setup a long term twitter account to post memes on. Every time you post, the other person would check to see if you've hidden any messages in the images you posted.

Hiding messages in images

Simply placing your message in plain text can be done, but an obvious message can catch eyeballs that you don't necessarily want on your message. Stenography is the art form of hiding messages in other content so that only the intended recipient knows that there is a message there.

Stenography is a large topic, but lets focus on images.

There are several ways to hid content in an image file, you can place data in the image metadata, or you can hide a message in the image itself, which can be done several ways.

One of the best ways is to make an image file that doubles as a zip file. To read the message, you would download the file, change the extension from .png to .zip, and unzip the file.

GitHub - DavidBuchanan314/tweetable-polyglot-png: Pack up to 3MB of data into a tweetable PNG polyglot file.GitHub

Tweetable Polyglot PNG

Later in this document, I will give you an example of how to hide a message inside an image using Tails.

I may or may not have hidden a message earlier in these instructions in an image.