The Freedom Feens recently wrote and published an extensive and kick-ass tutorial on setting up encrypted e-mail, here. However, e-mail isn’t always the best tool, especially if you’re going back and forth in a conversational manner. But there is a way to do encrypted instant messaging: the Pidgin chat client with the OTR (Off-the-Record) plugin. OTR Pidgin is more instant than e-mail, better for back-and-forth conversations, and, with Pidgin’s logging turned off, keeps no record and leaves no trace on your disk. It provides actual plausible deniability (to borrow a phrase from the CIA). I don’t use OTR Pidgin for everyone, only like eight people I trust and know really well, but it’s even better than PGP mail because there is no record: as long as neither side logs, the only record of the conversation is in the heads of the two people involved.
Some serious, hard-core white-hat computer security experts avoid e-mail entirely for anything sensitive. They do that kind of conversation over OTR Pidgin instead.
With PGP e-mail, if someone gets hold of your private key and its passphrase, they can read every saved e-mail that was ever encrypted to that key, going back years. With OTR, each conversation runs on fresh, throwaway session keys (what cryptographers call forward secrecy), so even a later theft of your long-term key can’t unlock old chats, and with logging off there is NOTHING SAVED to unlock in the first place. Again: the only record is IN THE BRAINS of the two people talking. And it’s even better if you’re using it over a VPN or Tor.
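To make the contrast concrete, here is a small Python model of the two properties described above: forward secrecy (a long-term key stolen later does not open old chats, but does open old mail) and deniability (OTR publishes its old MAC keys, so a logged transcript proves nothing about who wrote it). This is an added illustration, not code from the OTR plugin or from the Freedom Feens; it runs on the Python standard library only. Everything it stands in are labelled assumptions: a SHA-256 counter keystream instead of OTR’s AES-128-CTR, HMAC-SHA256 instead of HMAC-SHA1, no DSA signature over the Diffie-Hellman values (the standard library has none), and a DH prime transcribed here as the RFC 3526 1536-bit group that OTR uses, which you should check against the RFC before reusing. The function names (`dh_keypair`, `seal`, `open_message`, `forge_with_revealed_mac_key`, `demo`) are invented for this example. Do not use it to protect real traffic.

```python
"""Toy model of why an OTR chat survives a later key theft and a PGP mail does not.
Added example for this tutorial, not the OTR plugin's code. All primitives are
stand-ins (assumptions): SHA-256 keystream for AES-CTR, HMAC-SHA256 for the MAC,
no DSA signature over the DH values. Never use this for real traffic."""
import hashlib
import hmac
import secrets

# Assumption: intended to be the RFC 3526 1536-bit MODP group OTR uses; verify
# against the RFC before reusing. The properties shown hold for any group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    """Fresh ephemeral exponent for one session; never written to disk."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def dh_shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def derive_session_keys(shared):
    """MAC key is a one-way hash of the encryption key (as in OTR), so
    revealing the MAC key later gives nothing about the encryption key."""
    enc_key = hashlib.sha256(b"enc" + shared.to_bytes(192, "big")).digest()
    return enc_key, hashlib.sha256(b"mac" + enc_key).digest()

def _xor_stream(data, key):
    """Stream-cipher stand-in: XOR with a SHA-256 counter-mode keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(enc_key, mac_key, plaintext):
    ct = _xor_stream(plaintext, enc_key)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def mac_valid(mac_key, message):
    ct, tag = message[:-32], message[-32:]
    return hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())

def open_message(enc_key, mac_key, message):
    if not mac_valid(mac_key, message):
        raise ValueError("MAC check failed")
    return _xor_stream(message[:-32], enc_key)

def forge_with_revealed_mac_key(mac_key, fake_ciphertext):
    """Deniability: with a published old MAC key anyone can mint a message
    that passes mac_valid(), so a logged transcript proves nothing."""
    return fake_ciphertext + hmac.new(mac_key, fake_ciphertext, hashlib.sha256).digest()

def pgp_style_encrypt(long_term_secret, plaintext):
    """Model of mail encrypted to one long-lived key, forever."""
    return _xor_stream(plaintext, hashlib.sha256(b"pgp" + long_term_secret).digest())

pgp_style_decrypt = pgp_style_encrypt  # XOR stream: same operation both ways

def demo(plaintext=b"meet at the usual place at nine"):
    """Run both models; report what an attacker who later steals Alice's
    long-term secret (plus all recorded traffic) can and cannot read."""
    alice_long_term = secrets.token_bytes(32)
    saved_mail = pgp_style_encrypt(alice_long_term, plaintext)

    # OTR-style session: ephemeral DH both sides, keys used, then dropped.
    # (Real OTR also signs a_pub/b_pub with the long-term DSA key; omitted.)
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_enc, a_mac = derive_session_keys(dh_shared_secret(a_priv, b_pub))
    b_enc, b_mac = derive_session_keys(dh_shared_secret(b_priv, a_pub))
    wire = seal(a_enc, a_mac, plaintext)
    bob_read = open_message(b_enc, b_mac, wire)
    revealed_mac_key = a_mac          # OTR publishes old MAC keys on purpose
    del a_priv, b_priv, a_enc, b_enc  # session over: nothing kept

    # Attacker's haul: saved mail, recorded a_pub/b_pub/wire, the revealed MAC
    # key, and now Alice's long-term secret. Every key derivable from that is
    # tried on the recorded chat; only a discrete log of a_pub/b_pub would work.
    candidates = [
        hashlib.sha256(b"enc" + alice_long_term).digest(),
        hashlib.sha256(b"pgp" + alice_long_term).digest(),
        revealed_mac_key,
        hashlib.sha256(a_pub.to_bytes(192, "big") + b_pub.to_bytes(192, "big")).digest(),
    ]
    chat_recovered = any(_xor_stream(wire[:-32], k) == plaintext for k in candidates)
    forged = forge_with_revealed_mac_key(revealed_mac_key, b"I never said this")
    return {
        "bob_read_ok": bob_read == plaintext,
        "mail_readable_after_leak": pgp_style_decrypt(alice_long_term, saved_mail) == plaintext,
        "chat_readable_after_leak": chat_recovered,
        "forged_transcript_passes_mac": mac_valid(revealed_mac_key, forged),
    }

if __name__ == "__main__":
    print(demo())
```

The design point is in `demo()`: the OTR-style side never uses the long-term secret for confidentiality at all; it only exists (in real OTR) to sign the ephemeral values, so stealing it later buys the attacker nothing against recorded chats, while the same theft opens every saved mail. The forged-transcript line is the deniability half: a MAC-valid log is exactly what anyone with the published MAC key could have produced.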
The OTR plugin was created by Cypherpunks. More on them and OTR is here. I showed this tutorial to Cypherpunk Ian Goldberg, who invented the OTR Pidgin plugin. He made a few suggestions for changes, and I made those changes. He added: “If you use OTR and also something like Tor, you can break the link between the username and your physical identity, but *only* if you _always_ use Tor with that IM account, even when creating it….If you need to break the link between the username and your identity, you need to use an anonymous communications network such as Tor in addition to OTR (they’re designed to work well together!).”
Setting up OTR Pidgin is a lot of steps, but each step is simple. The problem with getting more people to use encryption is that there’s no way to do it that’s as easy as picking up a phone or using Skype (both of which are uber NOT secure). And so far, the really easy ways of doing encryption (like Hushmail, where the service itself holds what it needs to read your mail) are not secure. The problem is human stupidity and State evil. Most people say “I have nothing to hide,” and governments don’t want people using encryption. In a real LibPar (a world without governments, with all “power” removed from idiots and returned to each honest, smart person), encryption would be built into every Internet program by default.
Instead we get shit like Facebook, where if you’re one of their marks, er, users, they add a chat bar EVEN IF YOU DON’T WANT one. And if you set it to go away, it randomly comes back from time to time like a stalker ex. They WANT you chatting on their insecure chat program, and they’re a company that will give any information to any law enforcement entity without a warrant. I recently left Facebook, and if you’re interested in security, you should too. You should also use Internet security programs like PGP e-mail and OTR Pidgin, EVEN IF YOU HAVE NOTHING TO HIDE. Because these days, no matter how “legal” or “ethical” your conversations, intentions and actions are, governments around the world (as well as some individuals, and almost all corporations) will try to use what you say against you. The repercussions of this can run the gamut from being spammed to being imprisoned….even if you think you’re not breaking any laws. We’re in a post-Patriot Act world, where doing things that one branch of the government tells you to do (like having a stockpile of food) can get you targeted as a suspect by another part of the government.
VERY IMPORTANT NOTE: There is a lot of “fake security” these days. For instance, the “Off The Record” option in the Google Talk client is *not* OTR: it only stops Google from saving the chat history to your account, and the messages still pass through Google’s servers where Google can read them. (They explain that here.) And as I said in our PGP tutorial, using BAD encryption or no encryption when you THINK you’re using encryption is far WORSE than using NO encryption and knowing it, because it only gives you an illusion of security. The way the world is headed, that’s like going into a war zone with a “magic” protection amulet instead of bullet-resistant body armor. Screw web-based encryption. Do it all on your end. No one should have your private keys and passwords but you. OTR Pidgin is secure, as long as you actually verify your contact’s key fingerprint instead of blindly accepting whatever key shows up the first time. It is not fake security.
So, let’s set up OTR Pidgin….