
Hidden Article

This posting has been hidden because it breaches the Indymedia UK (IMC UK) Editorial Guidelines.


internet, encryption and privacy. please read if you use a computer.

sue denim | 05.01.2009 20:10 | Analysis | Repression | Technology

i'm getting quite annoyed with some posts about security and anonymity of the internet,
especially in posts regarding the police hacking computers.

just to clear a few things up.

TOR

tor is easily compromised. it works on bouncing your message through 4 computers, but with very few people offering computers to the network, the police can run computers in the system. for example if NETCU pay for 10 computers all interlinked to the system at any one time, then the chances are your message is going to run through at least 2 of them, so they can identify where the message was sent from and the page it ends up at.
paranoid? well why do people use proxies? generally people use ultra secure proxies for naughty things.
so there's a good chance most people using them are committing offenses.

PGP

PGP's strength came from it being open source. now it's a closed source program owned and maintained by AOL, so no one knows how many back doors there are.
let's have a look at some of the "technology alliance partners" to pgp*
Intel and IBM are amongst the main names. oh wait, Intel and IBM both are heavily involved with EDO and don't all the latest bombs have Intel chips? so is it in their best interests to keep the "activists" data secret?
major users of PGP include the police and NHS. i'm fairly sure they're better customers than the activist community.
at the end of the day PGP is now the PGP corporation, and corporations can't be trusted.

Windows and Microsoft

microsoft are so right wing it makes me sick.
there are hundreds of thousands of windows loopholes, it is about as secure as shouting your secrets into a megaphone outside a police station after telling them to turn on their Dictaphones.
and yet reports of groups like SHAC still using windows, and people who still think stuff like MSN is secure. it's not at all!
linux is getting so user friendly, and so easy to use, it seems foolish that people aren't embracing it.

other notes and points of improvement.

i think what we can all start doing is using encryption as much as possible. decryption takes time and resources. if 5 minutes of NETCU's time is wasted decrypting a message to my mum about what's on telly, then that's 5 minutes more for the people who need encryption. and don't fall into the bullshit about hindering the police's attempts at catching pedophiles. the police have specialist units for catching pedophiles just as they do for activists.
remember what is super secure now may not be in 5 years' time. so if you're discussing something illegal, don't do it by email, because in 5 years' time when you think you got away with it, your door could come down.
encryption becomes useful against police repression, because you can organise legal things, like demos and meetings, and the police don't have time to order in stupid amounts of police and arrest everyone before they get there, or don't have time to bug the venue.

a few good ideas and programs
OTR (off the record) is a program that encrypts your messengers (msn, yahoo etc) it runs on a few programs, and provides basic encryption. it is VERY VERY weak, but is better than nothing, (think of it as putting your message in an envelope instead of on a post card).

live CDs - these are good because you can run your pc without your hard drive. the ultimate way of making sure no one scans your hard drive is not to have one!
some of the anonymous live CDs available are packed with cool things that let you stay hidden.

boot and nuke - if you realize you've got stupid things on a computer, download and burn this onto CD and nuke your hard drive, but make sure you've got a Linux (i'm not going to say or windows) to install afterward, as your pc will be a vegetable.

macchanger - not only does your pc have an IP address your wireless card or modem has a unique mac address which can be used to identify you.

not using a computer - at the end of the day, if you have something to hide, don't put it on your pc. don't email it, don't save it, don't type it, don't say it down the phone, because this stuff is made by the same companies you stand outside of with picket signs.

There are so many groups like agenda-security (www.agenda-security.co.uk) who get paid to find you and find your secrets. so often all they have to do is check your myspace and facebook, and lo and behold, all your secrets: your name, address, date of birth, your favorite color, who you know, what you do, where you've been, who you fancy, and to top it off, they get a big stack of photos to identify you with. all without breaking the law and without a warrant.

nowadays the police can listen to your conversation via hacking your mobile phone that's in your pocket. it would be stupid to think they can do that, but can't decrypt messages encrypted with publicly available software.

if any of the information here is incorrect then i apologize, i'm not an expert. please correct me.

thanks
sue denim


* http://www.pgp.com/partners/technology_alliance/index.html

sue denim

Comments


ta

05.01.2009 20:46

Thanks for info. The best way not to get caught is not do anything illegal.

Fortunately, the people they are primarily aiming at (terrorists) are not very bright.

For the rest of the people, public encryption is good but not unsolvable - it just takes computer time.
People believe that the high-bit encryption is totally secure and they'd be correct barring one point. Just because certain encryption can't be cracked realistically today, doesn't mean that 10+ years from now, those saved data can't be opened with new technology and used against you.

101101001010101


openPGP exists

05.01.2009 21:10

you can use openPGP with email clients like thunderbird - you don't have to use closed source.

For those who don't know: if the 'source' (ie program code) is open, that means anyone can read it, and check for security problems, such as code that could allow security agencies to access your private data.

open pgp is extremely secure.

Jon B
- Homepage: http://scotland.indymedia.org


a few comments

05.01.2009 23:50

Some good points there but a few comments:

I wouldn't say that Tor is easily compromised. You need to control a large percentage of the Tor network to compromise it, and the identity of Tor nodes is visible to the public. Have there been any cases of Tor traffic being identified by state agencies? Or of Tor nodes being exposed as state assets? http://www.torproject.org/

PGP is an open specification as well as being the name of one particular product that implements it. GnuPG (GNU Privacy Guard) is a free and open source implementation of the PGP spec., and available for Windows, Mac and Linux.  http://www.gnupg.org/ The general principles behind PGP are well known and fairly simple, so its weakness isn't from a direct attack, it is from a keylogger.

I wouldn't use Windows personally, but if you are behind a router and firewall, and are careful about keeping it up to date, and not getting viruses, it should be reasonably safe.

OTR for encrypting instant messaging like MSN is good, but are you sure it is "very very weak"? I think it is very strong. Far better than the analogy of putting your message in an envelope.  http://www.cypherpunks.ca/otr/






computer g33k


Naked Males

06.01.2009 00:55

Gpg4Win is explained here so even a Microsoft engineer can understand it:
 http://www.theregister.co.uk/2008/11/14/email_encryption_how_to

The article links to this Linux How To for Gnu Privacy Guard:
 http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html

You can boot up a PC from a cheap, tiny memory card which is easy to hide (up your bum) and dispose of (with a lighter).
TrueCrypt offers plausible deniability, meaning you can nest an encrypted volume. That means if the judge orders you to provide a password to it, or a gangster threatens to cut off your fingers unless you unlock it, your sensitive data is still hidden.
 http://www.truecrypt.org/docs/plausible-deniability.php

xMCSE


more Tor

06.01.2009 11:04

Tor is designed to defend only against "traffic analysis", i.e. "this computer accessed this website at this time" by an enemy that can see a large amount of network data, i.e. the state or your ISP. From a user's point of view it can hide your identity from websites you visit and hide the websites you visit from your ISP.

To do this it passes the traffic through 3 or more "nodes", each with a layer of encryption that prevents nodes further down the chain knowing the ultimate origin or final destination of that traffic.

I think the only serious question that's been raised about Tor is the possibility of "rogue nodes" being able to get some information about the traffic going through it.

For example, you should not use it to log onto a website that doesn't offer SSL encryption (the padlock thing like IMC UK or a shop). This is because when your traffic *leaves* the Tor network (as it must), it is no longer encrypted by Tor. This raises the possibility of a rogue node siphoning off passwords, though it still would not know what computer they came from.

The other danger comes from statistical attacks. If an attacker has enough nodes collecting data and enough general network data, can they make inferences from this to find the identity of a particular computer? That's a difficult question to answer but the good news is that if you set up Tor to run as a node (not so hard to do now) then you get more protection (since your traffic is mixed up with others'), and you increase the bandwidth available on the network.

The Vidalia bundle (www.torproject.org) makes installing Tor on Windows easy.
Linux people should check out TorK, a frontend for Tor on KDE (http://www.anonymityanywhere.com/tork/)


Using any of those technologies mentioned in the original post is better than *not* using them. Know what their limits are, don't do anything reckless and you will have more privacy than before.

CH
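
An added illustration of the layering and exit-node points in the comment above (not part of the comment, and not Tor's own code): a toy circuit in which each relay strips one layer, recording what each relay can see. The cipher is a SHA-256 stand-in, and the relay names, keys, hostname and login string are constructed for the example.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream. Stand-in only, not Tor's crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(path, dest, payload):
    """Client: add layers from the exit inwards, so the entry relay's layer is outermost."""
    next_hops = [name for name, _ in path[1:]] + [dest]
    cell = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_stream(key, layer)
    return cell

def peel(key, cell):
    """Relay: remove exactly one layer; learn only the next hop and an opaque inner cell."""
    layer = json.loads(xor_stream(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(path, client, dest, sent, secret):
    """Send `sent` through the circuit; record what each relay sees and if it can read `secret`."""
    cell, prev, seen = wrap(path, dest, sent), client, []
    for name, key in path:
        nxt, cell = peel(key, cell)
        seen.append({"relay": name, "from": prev, "to": nxt, "reads_secret": secret in cell})
        prev = name
    return seen, cell

# Constructed sample data (hypothetical relays, keys, host and login).
PATH = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
LOGIN = b"POST /login user=alice&pass=hunter2"
SITE_KEY = b"key-shared-with-site"  # stands in for an SSL session with the website

def demo():
    plain, _ = trace(PATH, "client", "forum.example", LOGIN, LOGIN)
    ssl, _ = trace(PATH, "client", "forum.example", xor_stream(SITE_KEY, LOGIN), LOGIN)
    return plain, ssl

if __name__ == "__main__":
    for label, rows in zip(("no SSL", "with SSL"), demo()):
        for r in rows:
            print(label, r)
```

Only the entry relay sees the client address and only the exit relay sees the destination; the exit can read the login when the site offers no SSL, and cannot when it does.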


Tor

06.01.2009 12:21

Tor was originally developed by the US Navy:

 http://en.wikipedia.org/wiki/Tor_(anonymity_network)

There have been a few cases where people have used it to sniff account passwords:

 http://blog.wired.com/27bstroke6/2007/11/swedish-researc.html

Tor is more of a hindrance to route tracing than anything else. And if you are really seriously worried about route tracing: hijack an open WiFi router using a decent strength PCMCIA (bought at a computer fair with cash) WiFi card with a spoofed MAC address.

Sometimes it is better not to rely on encryption and use a personal system of code words that cannot be cracked by algorithmic analysis. If you have a system of words or pictographs that represent something inobvious to anyone but you, it will make the job of deciphering potentially impossible. It will also mean that you have a last line of defense should file encryption yield. It's a limited system of course, but useful nonetheless.

Mr Ed


send rubbish

06.01.2009 14:21

thanks for the information above - is there any reason not to do what is suggested below?

try inserting rubbish along with your messages. For instance djwannigodoonrabouzer or qwejhfnerhtysxifg when contacting other activists and insert at any point in message - kkllddhnahterenndd sooner or later if there is 'something of interest to the authorities' tthdsadsahasfg a human will have to read it and spend time trying to fraternalityahdntshoogleniftily understand it thus wasting time of Netcu/Stasi spooks and hopefully annoying them to fuck
hahahfperharayhenryil;yz

craphead


craphead

06.01.2009 14:49

When Carnivore and Echelon came to light there was a fad for a while of us smallfry Kopyright Liberationists using the whole 'trigger word list' as a default email signature heehee!

The premise being: flood teh system with false positives

Mr Ed


responses

06.01.2009 15:37

i was told that if you run 7 tor nodes you have something like a 5% chance of being able to skim a piece of info, i don't know in what timescale.
but there have been quite a few cases now of people stealing account info and credit card details from tor users.
and yes tor was developed by the navy. but they don't use it now. so there must be a reason for abandoning it to the public domain.

and yes OTR is secure, but i didn't want to say otr is ace, and then hear about activists doing stupid things over messengers.

the best way of not getting caught. is not to do anything!

sue denim


Open Source code and security

06.01.2009 18:18

Hi Sue. I think you're missing the benefits of the code for these programs being Free Software.

The code is open, meaning that anyone can read it (some folk might even understand it!) and therefore bugs, deliberate backdoors, etc are more likely to be found. Open source code is generally considered MORE secure than hidden code.

The US Navy haven't "abandoned [Tor] to the public domain". By releasing it under a Free license, someone else does the work and they, as well as anyone else who uses the software benefits from it. In the case of obscure network-y stuff, the more people looking at the code, the more likely it is they'll fix any holes in the design.

The same Open Sauce goodness should alleviate your concern about PGP. I don't know anyone who uses the commercial PGP product, as Jon pointed out above, there is the excellent, Free OpenPGP. This combines with Mozilla Thunderbird and the Enigmail extension to make a 100% free, non-corporate controlled, usable email encryption solution.

As for the "run 7 Tor nodes to get a password within X" - that's kind of what I said. It doesn't provide "end-to-end" encryption of the data, so you shouldn't log on to forums or email without the websites themselves being encrypted. It's something to be aware of but it isn't what the program is for, so it's a side issue that you need to be aware of.

I would be sceptical of the usefulness of adding "false positive" rubbish to messages these days - anti-spam filters process stuff like this on a massive scale. I reckon it would be easy for GCHQ to re-use that knowledge to identify truly "interesting" messages. Encryption is the way to go. Make the fuckers work.

CH