Ask HN: My country is undergoing a coup, which encryption software should I use?
83 points by botencat 1063 days ago
My country (Israel) is going through a coup d'état, which would result in a regime that can use surveillance without going through the courts.

Israel has one of the most advanced surveillance capabilities, which have long been used to target other peoples and nations, but as far as is known, not its own people. This might now change.

I am trying to prepare in advance with encryption software, and optimally a way to communicate if traditional networks go down. Unfortunately other nations have gone through similar situations recently, so I'm wondering if there's a known guideline for these situations.

13 comments

A lot of this depends on your threat model and how much of a target you think you are.

If you are worried about your safety, it's better to leave than figure out workarounds. And it's likely easier to get out before things get bad; consider going on an international vacation --- if things look fine, enjoy your trip and go back; if not, figure out what comes next from there.

If you aren't really worried about your safety, but just want to avoid getting hassled about communications and don't want to lose communications with the outside world... Definitely do encrypted messenger stuff. But also, try to set up alternate communications. Even though they're not hard to block, many government shutdowns don't block fixed line internet service, land line telephones, or international voice calling. If you can set up a dial-up internet account with an ISP in another country, you may be able to use that from your landline even if internet via domestic ISPs is all shut down. Of course, if the regime is interested, your telephone company would have records of the calls (at least destination and length) and that might get you put on a list.

But also note, if most of your contacts are local, and local communications are disrupted; having access to international communications doesn't help you communicate with your contacts, unless they've done the same thing and the more people who have set it up, the more likely it is to be noticed.

State overreach and surveillance is a global trend. Don't mind me saying this: As a Jewish citizen with fair skin and a dual passport, you would probably do fine, unless you are an Arab...

Even under the most tyrannical regimes such as Iran, Myanmar, Russia, China etc., the elite are rarely targeted by the state apparatus. If you are a majority ethnic group with family links in the military, bureaucracy, big business, politics etc., you are mostly safe. If not, well, encryption is not going to save you. Take your family and run.

I'm afraid I don't agree with this. In China's Cultural Revolution (1966-1976), the elite were the prime target of persecution. They included the intellectual class, the rich, and even political leaders. Millions of elites committed suicide or were persecuted to death during this movement, including even the 2nd president of the country.
That many want to do this again is absolutely insane to me.

I see so much support for Mao BECAUSE of his murder of landlords and business owners, not DESPITE his atrocities.

I don't want to downplay atrocities of that revolution. But, as a quip, if you think the murders were bad wait until you hear what the landlords were up to!

Seriously though, using the English word landlord is a gross simplification that elides generation on generation of pervasive horrors. It is very difficult for us to imagine how all-consuming and oppressive this environment was; it was much closer to European manorialism than the current property ownership relationship we call landlords.

Shit like getting a usurious grain loan from your landlord to survive the winter, then having to sell your children to repay it in the spring. Having your wife seized as collateral and enslaved by your landlord. This sort of thing was routine and pervasive, and it lasted hundreds of years. We're lucky to live in an era where we can easily imagine comprehensive change to the conditions of life. These people were not. If you make any effort to understand it, it is quite easy to understand why it went the way it did.

A famous quote about another revolution often considered to have overstepped:

> “There were two “Reigns of Terror,” if we would but remember it and consider it; the one wrought murder in hot passion, the other in heartless cold blood; the one lasted mere months, the other had lasted a thousand years; the one inflicted death upon ten thousand persons, the other upon a hundred millions; but our shudders are all for the “horrors” of the minor Terror, the momentary Terror, so to speak; whereas, what is the horror of swift death by the axe, compared with lifelong death from hunger, cold, insult, cruelty, and heart-break? What is swift death by lightning compared with death by slow fire at the stake? A city cemetery could contain the coffins filled by that brief Terror which we have all been so diligently taught to shiver at and mourn over; but all France could hardly contain the coffins filled by that older and real Terror—that unspeakably bitter and awful Terror which none of us has been taught to see in its vastness or pity as it deserves.”

They don't want. Where there is no information, people are like zombies who just do what the manipulator wants them to do.
Same with the Khmer Rouge in Cambodia. Famously targeted journalists, doctors, lawyers, scientists, academics, business leaders, etc.
Not Colombia - very much the wrong part of the world.

Kampuchea and|or Cambodia works.

Good catch, I commented on mobile; I think that was an autocorrect-ism.

No drama, easy slip to make when commenting on the trot. I wasn't laying blame on you (I've done similar myself), just setting the record straight :-)

> Take your family and run.

Pretty much my advice when some friends started to discuss having guns at home.

If I ever find myself in a situation where I need a gun (because of gang violence, robbery, etc), I'll move neighborhood->city->state->country as needed.

It's less critical (IMHO), when it comes to state surveillance (your privacy is jeopardized but your physical security may or may not be, it depends) but I'd apply the same approach.

> trend

Overreach is a trend? So it will be passé eventually?

> global [...] run

To where, Mars?

(Thought I would complement your utterly unhelpful comment with one of my own.)

Coup d'état - an illegal and overt attempt by the military or other government elites to unseat the incumbent leader.

How about not exaggerating first. I had to run to Google to see if Israel was actually having a coup, lol. A coup is not something I'll even wish on my worst enemy.

Not all coups are violent/military.

Today Israel's extreme government passed the first laws of the judicial overhaul bringing Israel closer to an autocracy, where there is only one power, the government, with unbalanced and unchecked power.

The definition of a coup would include either a show of force or an illegal action. Neither of those is happening here.

[1] https://www.google.com/search?q=define+coup+d%27etat

[2] https://en.wikipedia.org/wiki/Coup_d%27%C3%A9tat

[3] https://www.merriam-webster.com/dictionary/coup%20d%27etat

Yes, that is a good definition of a coup. Notice that it does not require bloodshed or boots on the ground.

In a self-determining society or democracy all institutions are largely independent; this includes both the institutions of government such as the Executive, Judiciary, and Legislature, as well as the institutions of civil society including the press, academia, industry, education, religion, sport, etc. In an autocracy, these institutions are bent to the will of the executive.

When a group in a democracy takes actions to corrupt or co-opt the independence of the institutions, it doesn't matter whether or not violence is involved; it is legitimately a coup, especially as far as practical results are concerned for those newly under autocratic rule.

You are quibbling about dictionary minutiae and ignoring the very real threat posed to OP, and his request for help.

Is there an actual coup going on? I can't find any articles on this.
There isn't a coup.

A controversial judiciary bill that was spearheaded by Netanyahu just passed in Israel despite massive opposition to it.

Also, to OP - nothing will work if Israeli ISPs and the Govt actually wanted to implement internal surveillance (which they in fact do in some limited manner).

That said, I doubt such a situation would arise.

It's probably about the vote to limit supreme court powers: https://www.reuters.com/world/middle-east/israels-netanyahu-...
No, OP just disagrees with the vote on the judiciary.

A coup is nothing like this.

My understanding is there is legislation being enacted which strips power from elected or appointed groups and places that power with the executive.

A soft coup through “patriot act” style legislation

>My understanding is there is legislation being enacted which strips power from elected or appointed groups and places that power with the executive.

Who elected the Supreme Court in Israel? Nobody. The power will now lie in the hands of the legislature, which is the definition of democracy.

That is a good point. I don't pretend to understand the nuances here (such as just how representative Israel's legislature actually is) and I cannot say whether this represents a positive change regarding their representative government or not.
Here is one article from today's Financial Times by famous Israeli author Harari, "Israeli democracy is fighting for its life" [1]

[1] https://archive.ph/8RK3M

The thing is their tools are totally useless if traditional networks go down. And the prob with surveillance, in the age of the info tsunami, is not having enough people to go break down doors. There is no use if the dumb tool is flagging 20000 posts a minute and you have 1 poor jackass staring at the flood trying to work out who to pick on.

That's why, however great their tools are, they seem totally incapable of controlling the protests.

Let's level set here a bit. There is no coup d'etat. Here's the definition of a coup: _a sudden, violent, and unlawful seizure of power from a government_. That is not what's happening here on either side.

Instead here's a quick review of what's happening. Currently the Israeli supreme court can strike down laws based on what they deem "reasonability." As you might guess, this is a pretty strong power for the court to hold because it's subjective. The new legislation would remove much of this power.

Those for this change argue that this is a good move because elected officials should be working for the people that they represent, not a court that gets to unilaterally make decisions.

The opposition argues that this power is being handed to the elected officials without the oversight of the court's reasonability power, and thus might allow bad actors to take additional control and do things that don't represent a substantial, but minority, population.

I'm not arguing for either side, but calling this a coup is wrong.

Many countries have similar veto powers for their courts. The exact reasoning of course is different.

But no one elected official working for the court in Israel. There is an important difference between a court able to block something and being able to do its own legislation (as it does often in the US). The Israeli court was never able to do legislation, only to block the government from going too far in any new direction.

Does it not amount to the same thing? Striking down laws (blocking) and finding interpretations that become precedent (making) seem like two sides of the same coin.
German socialists also described Hitler's rise to power as a "coup" or implied that he "seized" the chancellorship unlawfully. It was too painful for them to admit that so many of their countrymen supported Fascism and that he won a democratic election. I'd imagine botencat is in a very similar situation.

Remember Trump's "Muslim ban"? The US courts declared the law unconstitutional and prevented its implementation. The judicial reform would make it de facto impossible for the Israeli supreme court to strike down whatever crazy stuff the right-wing extremist government comes up with. Death penalty for stone throwers? No problem.

Technical subreddits often have up to date wiki entries.

- https://old.reddit.com/r/PrivacyGuides/

- https://old.reddit.com/r/privacy/

You can also look here:

- https://www.privacyguides.org/

All of this can only be seen as a starting point. The provided links will not give a thorough picture. Look further.

FYI, Privacy Guides is a shitshow. It was formerly privacytools.io[1], and in 2019, the creator[2] of privacytools.io stopped contributing[3] and a new contributor[4] immediately focused on donations[5], became the admin[6] and took control[7] of most assets, including donations but excluding the domain and Twitter account[8]. In 2021, the creator of privacytools.io launched a new privacytools.io[9] and added affiliate links[10], and the Privacy Guides team shut down r/privacytoolsIO rather than return it[11] to the creator. Like I said, a shitshow.

[1] https://github.com/privacytools/privacytools.io

[2] https://www.reddit.com/user/BurungHantu

[3] https://github.com/privacytools/privacytools.io/commits?auth...

[4] https://github.com/jonaharagon

[5] https://github.com/privacytools/privacytools.io/commits?afte...

[6] https://github.com/privacytools/privacytools.io/commit/4b60a...

[7] https://redd.it/tuo7mm

[8] https://twitter.com/privacytoolsIO

[9] https://redd.it/pxtw2y

[10] https://www.reddit.com/r/VPNTorrents/comments/raftz6/i_made_...

[11] https://redd.it/qk7vn0

I don't really care about petty arguments between the contributors. Is the information available there reliable or not? If not, can you suggest an alternative?
I didn't know about it when I commented. About the .io page: Affiliate links are always a no-go. You can't trust a source that profits from you buying into their recommendations.

Edit: I didn't check if anything OP says is correct. Just assuming and following along ...

Thank you
What you're mistakenly referring to as a "coup d'état" is actually an effort to prevent the use of Pegasus on innocent citizens by the judiciary, law enforcement, and the State Attorney General, who were appointed by previous governments.

There have been more than a thousand unlawful Pegasus cases so far (tens or hundreds of thousands if you count text messages from other people on contact lists and WhatsApp group messages). It's possible that almost every smartphone user in Israel was affected in some way.

Some were even against the acting Prime Minister.

So, yes, you do need to protect your privacy, but for entirely diff. reasons. The only sure way to achieve this is by going off-the-grid.

--

Israel's Law Committee has approved a judge-led probe into the NSO Pegasus spyware.

https://www.jpost.com/israel-news/article-746164

PGP but realistically just talk in person.
Or GPG, or Veracrypt (hidden volume)

Though I agree it's best to speak IRL. Ideally away from voice activated, smart devices

Use Briar [1] for online+offline end-to-end encrypted messaging. Use LineageOS [2] without gapps (aka without Google Play Services) and get a device that is officially supported with the current LineageOS version. Don't use any XDA developer builds, because they're known to be infected with malware.

Obviously don't use Meta or Google apps, because that's where the backdoors are for governments. Don't use WhatsApp, don't use Telegram, don't use Threema. They're compromised.

Use AppWarden [3] to enable/disable/verify the usage of known trackers in your apps.

Use NetGuard [4] as an Android firewall.

Use F-Droid [5] and Fennec builds [6], with uBlock Origin to protect your smartphone from malvertisements.

Never synchronize your contacts, block contacts access for all Apps; and make sure you don't use their real names. Contacts stored on or accessed by SIM cards (e.g. call history) can be downloaded via Class 0 SMS, remotely.

If possible, I'd avoid MediaTek based SoCs because their rootkit was leaked a couple years ago and it works still on newer chipsets. I would recommend an "as open source as possible" device, like the Google Pixel devices or the Fairphones.

On your Desktop or Laptop machines you should switch to a Linux distro of your choice. The most reasonably secure ones are Arch (not beginner friendly), Manjaro, OpenSUSE - or as a beginner friendly alternative - LinuxMint.

Would advise against Debian/Ubuntu though for security reasons (which would include LinuxMint).

The Arch maintainers (and therefore Manjaro, too) heavily reduced the attack surface of SUID binaries or LOL binaries that could be abused for privilege escalations and/or remote exploits/persistence etc. [7]

[1] https://briarproject.org/

[2] https://wiki.lineageos.org/devices

[3] https://gitlab.com/AuroraOSS/AppWarden

[4] https://netguard.me

[5] https://f-droid.org/

[6] https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/

[7] https://gtfobins.github.io/

edit: clarification of LinuxMint

I really don't want to derail the thread as it is useful, but I'm curious about the security reasons against Debian/Ubuntu.
I'm also curious how Mint resolves the security threat of Debian and Ubuntu, given its lineage.
For reference I've included the OVAL datasets [1] [2] for Debian and Ubuntu, as well as the CVE list [3] for Debian that's used as a basis for generating the issues/view in the frontend. For argument's sake (feature freezes are bad for security is my baseline argument) I'm focussing on Ubuntu LTS which is jammy at the time.

The issue terminology you want to look for is "diverged too much from upstream" or a bunch of different similar EOL or end-of-life or "end of life" tags that are not standardized in any security tracker's format. I'd argue that both security teams use a software that uses free-form textareas for setting the tags of the issues (e.g. closed, fixed, and other).

Accumulative word list that might be incomplete, to discover those kinds of issues:

- "bug, not a security problem"

- "cannot reproduce"

- "eol"

- "end-of-life"

- "end of standard support"

- "end of esm support"

- "out of standard support"

- "reached end of life"

- "ignored"

- "changes too intrusive"

- "contains no code"

- "code is different"

- "code is very different"

- "code not built"

- "code not compiled"

- "code-not-compiled"

- "code not present"

- "code not-present"

- "code-not-present"

- "code not shipped"

- "not-in-code"

- "disputed"

- "fix would break"

- "intrusive"

- "not remotely exploitable"

- "was deferred"

- "was needed"

- "was pending"

- "no server code"

- "no update available"

- "no security impact"

- "not available"

- "not security vulnerability"

- "not supported"

- "not upstream fix"

- "ugly backport"

- "update not available"

- "upstream version is not redistributable"

- "removed from archive"

- "replaced by"

- "superseded"

- "superseded by"

- "too intrusive"

Source: Am building a scraper and vulnerability database that is cross-distro, and has different confidence factors for different Linux distributions (for mentioned reasons). [4]

[1] https://www.debian.org/security/oval/oval-definitions-bullse...

[2] https://security-metadata.canonical.com/oval/com.ubuntu.jamm...

[3] https://salsa.debian.org/security-tracker-team/security-trac...

[4] https://github.com/tholian-network/vulnerabilities
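The word list in the comment above can be applied mechanically to tracker notes. This is an added example, not part of the original comment and not code from the linked project: it normalizes free-form notes so that spelling variants such as "code not-present" and "code-not-present" converge, then counts flagged entries per release and package. The category labels, the `cve|release|package|note` layout and all sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Subset of the comment's word list, grouped under labels that are this
# example's own assumption (the thread does not categorise the phrases).
PHRASES = {
    "end-of-life": ["eol", "end-of-life", "end of standard support",
                    "end of esm support", "out of standard support",
                    "reached end of life", "not supported"],
    "wont-backport": ["changes too intrusive", "too intrusive", "ugly backport",
                      "fix would break", "diverged too much from upstream"],
    "code-absent": ["code not present", "code not built", "code not compiled",
                    "code not shipped", "not-in-code", "contains no code"],
    "triaged-away": ["bug, not a security problem", "no security impact",
                     "not security vulnerability", "not remotely exploitable",
                     "disputed", "ignored", "cannot reproduce"],
    "deferred": ["was deferred", "was pending"],
}

# Constructed sample in a made-up "cve|release|package|note" layout; the ids,
# packages and notes are placeholders, not real tracker data.
SAMPLE = """\
CVE-0000-0001|jammy|libfoo|Ignored: end of standard support
CVE-0000-0002|bullseye|libfoo|fixed in 1.2-3
CVE-0000-0003|bullseye|bard|Code-Not-Present in this release
CVE-0000-0004|jammy|bard|Changes too intrusive to backport
CVE-0000-0005|jammy|geolocd|fixed; geolocation parser hardened
CVE-0000-0006|bullseye|libfoo|EOL upstream, was deferred
"""

def normalize(text):
    """Lowercase and collapse punctuation/hyphens so spelling variants converge."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())

def classify(note):
    """Return the sorted labels whose phrases occur in the note as whole words."""
    padded = f" {normalize(note)} "
    return sorted(label for label, phrases in PHRASES.items()
                  if any(f" {normalize(p)} " in padded for p in phrases))

def scan(listing):
    """Map (release, package) -> Counter of labels, for flagged entries only."""
    report = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        _cve, release, package, note = line.split("|", 3)
        for label in classify(note):
            report.setdefault((release, package), Counter())[label] += 1
    return report

if __name__ == "__main__":
    for (release, package), labels in sorted(scan(SAMPLE).items()):
        print(release, package, dict(labels))
```

Whole-word matching matters here: the short tag "eol" must not fire on a note that merely mentions "geolocation".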

Why would Mint, a desktop-oriented fork of Ubuntu, be more secure than Ubuntu?
No clue if they are right. If they are, I can imagine it is because Mint would be stripped of any telemetry and other corporate bits of Ubuntu that Canonical has in there. From what I know, Canonical/Ubuntu does a good job of anonymizing that data and doesn't capture anything sensitive and put it over the wire, however in the worst case scenario of a coup, it probably doesn't hurt to be over cautious.

Although, assuming worst case. I personally say, OpenBSD.

Encryption is impossible* after the fact. The most important thing you could do today is read! Learn as much as you can. Figure out the basics of both operational security and bootstrapping encryption. Then, and here's the important part, share everything you've learned as widely as you possibly can: write guides, write tutorials, make videos. All of the information you need is available, but if the people you want to communicate with don't know it, or don't have access to it, it doesn't help either of you.

Thank you, this is wise: is there anything more specific than that you could offer?

After double-checking, OP didn't ask to encrypt things from the past, and "read and share" isn't quite going to help get someone started, sort of becomes a catch-22 at that point. I really hope there's some info to offer people who don't have tech experience. It'd be a lot to ask to acquire a tech background then a security-specific one, especially if all we can say is "read"

Impossible but only for some definitions of the word. Put more simply it's much much easier to have it *before* you need it.
Israel will hack your devices, Mossad could come into your home when you're not there, encryption is kind of useless if you're actually targeted.

PGP and LUKS could get you tortured.

Leave this hellhole or do nothing "incriminating".

Peer-to-peer Bluetooth messaging

https://usehyperlocal.com

This only says "Join waitlist" and "coming soon". Not exactly helpful.