Internet Security and Privacy for Activists and Citizens





Internet
Security and Privacy for Activists and Citizens.
Version
1.0*

Written
by Leftism
editorial
assistance by Azz

Introduction

Terminology


Your
IP address
Hiding
your IP address

Why
should I hide my IP address?
How
do I hide my IP address?
Checking
that your IP address is hidden


Your
Internet Service Provider

The
problem of ISP surveillance
A
solution to the problem


Anonymous/Secure
Surfing
Anonymous/Secure
Emailing

web-based
remailers
Hushmail
PGP
(Pretty Good Privacy)


Anonymous
Newsgroup Posting
Securing
your computer and files

Your
browsing/windows habits
Deleted
files not secure
Keeping
your files private


Emerging
Technologies
Afterword

* Unmodified copies of this
document may be freely distributed.
Introduction
This web page is intended
to be a very basic introduction to Internet security and privacy issues for
activists and citizens. It is not meant to be an exhaustive text of all
the issues, nor does it deal with any of the issues in great depth. My intention
is not to teach the theoretical or technical basis for security on the Internet,
but rather to enable the user to protect his/her security and privacy as quickly
and easily as possible.
Terminology
Before we begin, we need
to clarify the terms that we will be using in this essay.
'Anonymity': refers
to the ability to engage in activity on the Internet, such as emailing, surfing,
or posting to newsgroups, in such a manner that no one can determine who you
are or practically any other nontrivial information about you.
'Privacy': refers
to the ability to store information, or transmit information, from sender to
recipient(s) in such a manner that only the intended recipients or owner(s)
are able to decode, read, or use the information. This usually involves making
sure that no unintended third-party is able to intercept the information along
the transmission route and make any real use of it. In the context of websurfing,
I will also use the term 'Securely'.
'Encryption':
refers to the process in which data is 'scrambled' in such a way as to make
it deliberately unintelligible to anyone who reads or gains access to it other
than the intended recipient(s).
Your
IP address
Every computer on the Internet
has an IP address. This is a number of the format x.x.x.x (where each x is a
number from 0-255) which uniquely identifies your computer on the Net. This
number is essential for sending and receiving information from one computer
on the Net to the next. If you are on a dial-up connection, this number usually
changes each time you connect. Alternatively, your IP address may not change
if you are on a high-speed, always on line, or your Internet Service Provider
(ISP) has designated you a 'static' IP address.
What this means is that your
Internet activity can potentially be recorded or traced, either by your ISP
or by the various servers (computers) that you connect to. Web-sites, for example,
are known to sometimes log IP addresses. What further information about you
that can be obtained with the knowledge of your IP address varies greatly depending
how you are connected to the Net. Suffice to say your ISP keeps a log of who
is using what IP address at what times. If someone should complain to your ISP
for whatever reason about activity from such-and-such IP address, or if the
authorities legally force your ISP to tell them who was using what IP address
at whatever time, then any such activity can be traced directly back to you.
 
Hiding
your IP address
Why
should I hide my IP address?
Because of the way that your
IP address is a unique identifier for who you are and your activity on the net,
it is essential that you hide your IP address while surfing the web and doing
other net activity if you wish to preserve your anonymity and preserve your
online.
The simplest way to do this
is to use a 'proxy'. Simply put, a proxy is an intermediary machine between
you and the computer that you wish to connect to. The way a proxy works is this:
If you wish to access a file on another computer on the net (machine X, say),
you tell the proxy machine to get it for you. The proxy machine then retrieves
the information from that machine and then passes it on to you. Machine X knows
nothing about your computer. All it knows is that the proxy machine made the
request for this information. Ideally, any information that it gathers will
be about the proxy machine, and not your computer.
Next, we will discuss how
to hide your IP address while surfing and web-mailing by setting up your browser
to use a proxy. This will also be useful for sending anonymous web-based mail,
as we shall see later on. Anonymous emailing will also be dealt with in more
depth further down.
How
do I hide my IP address?
Setting up a proxy on your
browser may sound complicated, but it is actually a fairly simple process. All
browsers that I am aware of have a feature which allow you to configure them
to use proxies.
First, find an anonymous
proxy to use by visiting one of these pages:
Multiproxy
proxys4all
Both pages have instructions
on how to configure your browser to use Proxies. I will not go into detail here
on how to do it, since I believe these pages explain them quite nicely and better
than I ever could. The Multiproxy site contains a program called 'Multiproxy'
which installs on your computer and which, once configured, makes your browser
'chain' a large number of proxies together, providing the assurance of maximum
anonymity- since there is nothing stopping a proxy itself from recording your
IP address. You do not have to install this program, however, and can simply
use one of the proxies listed with your browser in the normal manner, as instructed
at 'proxys4all'.
The instruction page on the
'Multiproxy' website is here.
The instruction page on the
'proxys4all' website is here.
Checking
that your IP address is hidden
Once you have configured
your browser to use a proxy, it is crucial that you check that your IP address
is hidden and you are indeed anonymous; you may have misconfigured your browser,
the proxy you installed may not have been anonymous, or a number of other problems
may have occurred.
To do this, you need to use
what is called an 'Environment checker'. This is normally a web-page that you
visit that tries to gather as much information about you that it can. The most
important piece of information being, of course, your IP address. From this
web page, you can tell how much information you are giving away while browsing.
It is recommended that you first visit such a web page with your proxy turned
off so you can determine your IP address if you don't already know how to obtain
it. Once you have done that, revisit the 'Env checker' web page (or a different
one) and compare the two results. The 'Env checker' web page should now show
the IP address of the proxy that you have configured - or, if you have chained
several proxies, the last proxy in the chain.
Here
is a very good 'Env checker' at  http://www.privacy.net/
Both the 'Multiproxy' and
'proxys4all' websites also have 'Env checkers' or links to them.
 
Your
Internet Service Provider (ISP)
The
problem of ISP surveillance
It is important to be aware
that everything that you do online can be monitored and recorded by your ISP-
every web page your visit, everything you type and send over the Internet, everything
you download. Most of the techniques outlined in this document concentrate of
preventing 'third-parties' from being able to trace particular Internet activity
back to you or your Internet Service Provider. However, if the authorities already
suspect that you are engaging in 'suspicious' activities (for example, organising
a peaceful protest), they can order your ISP to start recording your activities
(although unlikely, they may already do so as a matter of course for all users)
and hand over these records to them.
It is worth briefly mentioning
that government spy networks such as Echelon
pose a similar threat to your privacy and anonymity by intercepting data en
route. This need not involve your ISP at all.
A
solution to the problem
The only way to prevent this
sort of monitoring is to make sure that everything that you send out to and
receive over the Net is encrypted. This includes surfing, emailing and newsgroup
posting. Simply put, encryption means 'scrambling' or 'encoding' your data so
that no one but the intended recipients can make any sense of it if they intercept
it along the way or at the destination.
Below we will discuss ways
of allowing you to do the main three Internet activities - Web Surfing, Emailing,
and Newsgroup posting - anonymously, and if you wish, using encryption
for extra security. We will also discuss how to send email securely so
that only the intended recipients can read it, whether the sender is anonymous
or a known party.
 
Anonymous/Secure
Surfing
If you have configured your
browser to use a proxy or proxies correctly, then you are already surfing anonymously.
The web site that you visit will almost certainly not be able to trace your
visit back to your computer. The more proxies you have chained, the lower this
probability.
Another way of surfing anonymously
without configuring your browser to use a proxy, is to use a 'CGI' web-based
proxy. This just means a web site which you can visit as you would any other
web site, but that which you can make page requests to, and will act as an intermediary
or proxy server for you. This is no doubt the easiest method of anonymous surfing.
Here are a few good web based proxies:
Anonymizer.com -  http://www.anonymizer.com/
Janus Rewebber -  http://www.rewebber.de/
Anonymouse -  http://anonymouse.is4u.de/
Safeweb -  http://www.safeweb.com/
[*]
Autistici.org -  https://proxy1.autistici.org/
The last two of these - 'Safeweb'
and 'Autistici.org' - also encrypt all the URL's that your request and
all the data that leaves or enters your computer. This allows you to browse
the web securely.
[*] You should be aware that
the trustworthiness of safeweb has been called into question for not entirely
unjustified reasons, which can be read here,
here or here.
Anonymous/Secure
Emailing
web
based remailers
Anonymous emailing can be
very easily achieved through the same method as anonymous surfing. There are
web sites that provide you with an email template which you fill out in the
same way as a regular email message when using a POP/SMTP account (for example,
when you use a mail client such as Eudora, Pegasus or Outlook Express). These
web sites then forward your mail to the destination you designate in the 'To:'
and 'CC:' fields. The mail could then be theoretically traced back to the web
remailer that you used, but not to you or your computer. Such a service is called
a 'web to mail gateway'. Here are a few good web based anonymous remailers:
(a) Anonymouse -  http://anonymouse.is4u.de/
(b) The Global Internet Liberty
Campaign remailer -  http://www.gilc.org/speech/anonymous/remailer.html
(c) Riot anonymous emailer
-  https://riot.eu.org/cgi/remailer.cgi
These three remailers are
listed in increasing level of security. The 'Anonymouse' remailer (a) does not
encrypt your message as it is sent from your computer to the server and
does not chain your message with other anonymous remailers. The GILC (b) remailer
chains several anonymous remailers together, thereby enhancing your security
greatly, but is also not encrypted. The person you email may not be able
to determine who you are, but anyone snooping in on your communications will
be able to determine the contents of your email, who you emailed, and at precisely
what time. The Riot (c) anonymous remailer provides the highest level of security.
It chains several remailers together, like the GILC remailer, but also uses
'SSL' encryption to scramble your data during transmission from your computer
to the server.
Anonymous remailers that
use encryption are both anonymous and secure.
Use whatever level of security
that you think best fits your needs. Always be aware of the type of security
whatever remailer you are using provides in terms of chaining, encryption, and
whether or not you can trust the provider of the service itself.
Hushmail
Hushmail
is a free webmail service that offers anonymous and secure communications
to its users. The advantage of having a webmail account over using an anonymous
web remailer is that people can reply back to the messages that you send out,
giving you a two-way communication channel. If the service that you use does
not require you to provide your name and other personal information, like Hushmail,
or the information tht your provide is false[1], then it can be considered somewhat
anonymous. I stress the word 'somewhat', because the webmail
service provider can still determine your IP address in the usual manner unless
you have taken steps to conceal it - as I have explained above.
Apart from anonymity, Hushmail
provides a secure channel by which Hushmail users can send emails to each other.
In other words, Hushmail users can send emails to each other without fear that
their messages are being intercepted en route and being read by an unintended
third-party. Once again this is achieved through encryption. This encryption
process is done completely automatically and the users sending and receiving
mails don't have to do anything differently than if they were using regular
webmail accounts.
You must be remember, though,
the privacy aspect of Hushmail only works when sending messages between
Hushmail accounts. If a Hushmail user sends a message to anyone other
than another Hushmail user, then the communication will not be secure,
though if they have taken the adequate steps,
they will be remain anonymous. Also remember that all your emails are still
being stored on Hushmail's mail servers and the authorities can always force
Hushmail to hand over the contents of your mail box.
Hushmail is useful as a quick
and easy way to send secure messages between you and your friends or fellow
activists that requires no additional computer expertise above sending a regular
email message. It is highly recommended.
[1] The author of this article
is not encouraging any illegal activity such as falsifying information. Every
user is responsible for their own online activity.
PGP
(Pretty Good Privacy)
PGP, or Pretty Good Privacy,
is a software program that provides practically unbreakable[2] encryption for
anyone with a reasonably powerful computer to use for all their online communications,
including and especially email, as well as a way of securing files on their
computer from prying eyes.
Unlike when using Hushmail,
data is encrypted by the user himself using the PGP program and the user can
verify this fact for himself by examining the data. Also, when using PGP, there
is no intermediary location that stores emails or files in their unencrypted
form. For these reasons, among others, PGP provides probably the best security
a home PC user can get. In fact, the level of security is so high that, when
used properly, not even government agencies with huge computing power at their
disposal are able to crack a high level security (large keylength) PGP encrypted
file. It is for this fact that the US government classified PGP software as
'munitions', and until very recently, 'banned' it from being exported from the
United States.
Apart from encryption, another
feature of PGP, is the implementation of 'digital signatures'. Briefly, this
means that one can digitally 'sign' a document in such a way that the intended
recipient is absolutely sure that the source is authentic, and that the message
or file has not been tampered en route.
PGP is widely available over
the internet. For starters,
you can go to C|NET - download.com and
type in 'PGP' in the search text box after choosing your operating system. For
beginners, it is recommended that download 'PGP Freeware' instead of 'PGP x.x.x'.
Be forewarned, although the
authors of the software have tried to make the software as easy to use as possible,
some users may experience difficulties in getting the software to work. Although
somewhat confusing to operate at first, the rewards are well worth the effort.
Therefore, I strongly recommend that every computer user above novice level
who is concerned about their online privacy, make a concerted attempt to install
and run PGP on their home machines.
[2] It is a tenet of cryptography
that nothing can or should be considered unbreakable under all circumstances,
all of the time, for all time. However, the cryptographic methods of PGP are
soo strong that, when used properly, they are considered to be unbreakable -
practically speaking - for the time being and foreseable future.
 
Anonymous
Newsgroup Posting
Anonymous newsgroup posting
can be achieved most easily through the same method as anonymous emailing...
that is, through a web interface. Such a service is called a 'web to news gateway'.
both 'Anonymouse'
and 'Riot', as listed above
provide web to news gateways.
In addition to the above
two, here is an additional gateway:
Elandnews 'Pseudo anonymous
web2news' -  http://www.elandnews.com/mauritius/anon.html
Another way of sending anonymous
newsgroup messages is to sign up to 'Google
Groups', which is a service provided by Google which provides a near complete
inferface to newsgroups via the web; users can both read and post newsgrousps.
In order to access this service,
you need a valid email address, but no other information is asked of you other
than the username that will appear on your posts - which can be any name of
your choice that is not already taken.
Of these four, only the 'Riot'
gateway is anonymous, chained and secure. Remember to always use
a proxy when connecting to any of these web to mail or web to news services
if you want to ensure your anonymity.
 
Securing
your computer and files
This essay has, up until
now, discussed security and anonymity when a user is transmitting information
over the internet. There is, however, another important aspect which we have
not discussed - the security and privacy of the files stored on your computer,
including files containing records of your internet activity. It is in this
section that we will briefly discuss a few of the most important areas in this
subject.
Your
browsing/windows habits
Many users do not realise
the size and scope of the trail of information that they leave on their computer
when they open files and browse the internet. A great deal of what you do online
and offline on your computer is being recorded on various files on your hard
drive.
For example, every URL (hypertext
link) that a user visits is recorded on his or her hard drive. This information
can be stored for months, years, or even an indefinate amount of time. Every
image, or almost every image, that has been loaded while browsing the web is
also stored on the hard drive for a specified period of time, or until the cumulative
space consumed by these images reaches a certain amount. In addition, URL's
are sometimes stored in a browsers 'Location bar' for easy access later on.
These things are done (ostensibly) in order to speed up and facilitate a users
'browsing experience', but obviously raise seriously privacy concerns.
Another concern is the use
of 'cookies'. These are small text files that are created on your computer when
you visit a web-site that keep track of your online activity within the site
that the cookie originated from (sharing cookies is rare, but does happen on
occassion). A cookie is sometimes used, for example, to determine whether a
user has visited the site before, and if so, what areas they took an interest
in.
There are four main areas
that a user should primarily be concerned with with regards to surfing habits:

The History folder, located
at c:\windows\history

...which stores URL's
of every page you have visited


The Windows Temp folder,
located at c:\windows\temp

...which stores .html
and image files from pages you have visited


The Cookies folder, located
at c:\windows\cookies

...which stores all
the cookies you were given by websites


The Temporary Internet
Files folder, located at c:\windows\tempor~1

...which again stores
the URL's of the pages you have visited, along with some other information.



in addition to the 'normal'
files which are stored in these folders, an addition special file is also added.
This file is called 'index.dat' and cannot be deleted from within Windows.
This is potentially a very big problem, because it also contains information
of a sensitive nature (for example, URL's).
You can solve this problem
by exiting to DOS (completely quitting Windows, not just opening up a DOS window)
and deleting these folders by hand or by modifying your 'autoexec.bat' file
to do this for your every time you start up your computer. I would recommend
the latter, as the index.dat files will be recreated by Windows anyway and it
wont be long before they start to grow in size again by accumulating more and
more sensitive data; if you modify your 'autoexec.bat' file to delete these
files for you, you will never have to worry about them again.
Find the text file called
'autoexec.bat' in your root directory (usually C:\). If you can't find it, that's
ok, just create a new one. Copy the below five lines in italics into it and
save. If you want to actually see the process happening every time you start
up, ommit '@ECHO OFF' entirely and the '> NUL' part at the end of each line.

@ECHO OFF
DELTREE /y c:\windows\history\*.* > NUL
DELTREE /y c:\windows\tempor~1\*.* > NUL
DELTREE /y c:\windows\temp\*.* > NUL
DELTREE /y c:\windows\cookies\*.* > NUL
Deleted
files not secure
When you 'delete' a file
using right-click, 'Delete' in Windows or typing in 'del' from DOS, you are
not actually erasing that information from your hard drive. What you are instead
doing is removing all references to that information. Your operating
system does this because it is a lot quicker to remove references to files and
file information than to physically write over or delete (destroy) the actual
information stored on the disk.
This can present problems
for privacy, since information which you may have thought you safely deleted
can actually later be retrieved by someone who you may not wish to have access
to it.
Remeber, this also holds
true for the files listed in the above section relating to your browser history,
temp, and cookie files.
The solution is to download
a program which will both a) delete individual files for you in such a manner
as to completely (irretrievibly) destroy them by overwriting on top of file
data several times and b) perform a 'wipe free disk space' operation that will
do the same thing on the free space on your HD (which may contain file fragments
of old files erased 'normally').
There are several of these
programs, called 'file wipers', at C|NET -
download.com. Among some of the better ones are 'Eraser' and 'BCWipe'. Go
to C|NET and do a file search for 'file wipe', or type in the names in the search
box of the above two programs directly. I would recommend trying out a few to
see which one you think is the fastest and most productive.
Don't forget to wipe both
sensitive individual files and free disk space (on a regular basis).
Keeping
your files private
The only way to keep your
files private with any real degree of security is to encrypt them on
your hard disk. While there are many utilities that do various tricks with your
operating system to hide or password protect your files, ultimately these should
only be used in conjunction with 'strong' encryption to provide additional
security.
There are many programs available
to do this. Again, you can find a number of them on C|Net. While there are many
programs that provide encryption, what is needed is 'unbreakable' encryption.
While no encryption technique is fool-proof and will remain so forever,
there are encryption techniques which, for all intents-and-purposes (if used
correctly) are, practically-speaking, unbreakable (as far as we know) for
the time being.
PGP is one program which
provides such encryption techniques. Though are other programs out there besides
PGP, but PGP is certainly the most well-known and trusted. Therefore, I recommend
using PGP for this purpose, in addition to encrypting emails.
Be sure to read the manual
first and use PGP properly. I would also recommend a key size of at least 2048
bits - you will understand the meaning of this once you download the program
and read the instructions.
 
Emerging
Technologies
I will briefly now only mention
three future communication technologies for the internet that may be of interests
to activists and citizens concerned about their privacy.
The three programs are called
'Freenet', 'Peekabooty' and 'psst'.
There are working versions of these programs at this very moment available for
download, but users should be aware that they are still under development.
Freenet
is program that implements a peer-to-peer network over the internet. I will
not go detail as to what this means, other than to say that peer-to-peer networks
are computer networks that have a decentralised structure- making them less
vulnerable to attack and censorship.
Freenet
allows you to share files and information using your web browser in a way that
is private (nobody knows what you're downloading or uploading), anonymous, and
uncensorable. For these reasons Freenet has the potential to be an extremely
useful technology in the context of modern 'information warfare'.
Not much is known about Peekabooty,
as no versions have even been released yet. I mention it here because it sounds
quite promising. Like Freenet, Peekabooty will allow users to download content
anonymously. Unlike Freenet however, Peekabooty will not grab this content from
it's own network, but instead uses the web. So for all intents-and-purposes,
it will be an anonymous browser.
In similarity with Freenet,
Peekabooty is being designed specifically to the censoring of content by governments
and corporations very difficult.
If you would like to learn
more about Peekabooty, the best thing to do is to do a Google seach for 'Peekabooty',
or simply click this
link to do so automatically.
psst
is a chat program that runs on both Windows and Linux and which the programmer
describes as:'Simple, free, convenient no-frills Instant Messaging software
with strong encryption...'
Alternatively, you can get
the PGP plug-in for ICQ if you are more comfortable with it. psst has the advantage
of being very small and quick and won't add any other files to your system.


 
Afterword
I hope this document has
been informative and useful. It covers the very basics of Internet security
which everyone should understand if they are concerned about their online privacy
and wish to do something about it. I have not mentioned Firewalls, Trojan Horses,
and Viruses. These topics may be covered in the next version of this document.
Knowledge of them will greatly enhance the chances of you maintaining your privacy.
I therefore encourage readers of this document to investigate these matters
on their own by clicking on the links below.
These links concern the topics
mentioned immediately above as well as other issues. They are written for varying
levels of expertise.
Cryptography
FAQ
CERT
Manual on Home Network Security
Security
Focus's basic Basic Security Checklist for Home and Office Users
and finally the wealth of
information at Astalavista.com
Good luck.