Free Steps to dealing with a government you fear

xrayspx's picture

[music | Pete Seeger - Talking Union]

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -- Benjamin Franklin

Your Government should fear you, not the other way around, here's how to protect yourselves.

I've had some comments on my forums stating users fear of our current administration, and there are certainly many who started taking their personal freedoms much more seriously during our last administration. In the last 10 years, we've been asked to give up, or have had taken away, many of our liberties which were taken for granted. It's time to take them back.

Obama has shown no signs of easing off of the policies of "Capture everything, analyze later" carried over from Clinton and Bush. If you send unencrypted traffic across the Internet, you need to expect it to be read. If you say something inflammatory, expect it double. Know that there is no "Right to Privacy" and never has been, you have the Fourth Amendment protecting you from unreasonable search and seizure, but is intercepting a phone call transiting public lines "seizure"? Is capturing an email on an Internet backbone and scanning it "Search"? Nope. Anything you broadcast can legally be captured and interpreted by others, anyone, not just Feds. It's best to keep your footprint small, and whatever they do get, make them WORK to read it. This applies whether "They" are credit card thieves, identity thieves, or Feds. None of these groups should be given a free key to your private data.

If encryption is made ubiquitous by users, those capturing your traffic won't even know where to begin to try to interpret any of it. If you encrypt your shopping list before you send it to your spouse, they can't tell an encrypted shopping list from an encrypted Flash Mob location. If EVERYONE encrypts, they need to treat all traffic equally, and all their snooping will be for naught.

For those on my forums concerned about such things, there are answers, mainly "Encrypt" and "Obfuscate". Below are several free tools to help you protect your online identity and prevent anyone from reading anything that you don't specifically permit. Of these, the one with the most up-front headache for the average user will be encrypted Email, and the one with the most in-line overhead will be protecting your browsing with TOR. Once GPG or PGP is configured, you don't really have to figure it out. TOR takes a bit more of a toll on your day-to-day, but if your anonymity is worth it at that moment, it's worth it.

Web

Use SSL for anything you want to protect. It's not just for banks and credit cards anymore. You have important data on the internet. You have Flickr accounts, you have LiveJournal accounts, they offer SSL, use it.

Encryption techniques that anyone can use would include "Use SSL wherever possible". I, in fact, DO offer SSL on my site, however it's with a Self Signed, and thus un-trustworthy certificate, so I don't publicize that fact. People misconstrue "Self Signed" certificates to mean "Insecure". That insecurity exists only if you do not trust the party signing the certificate. In my case, it's safe enough for me to transfer my mail, because hey, I trust me, dammit.

I am considering dropping the $40 and getting a real certificate so I can offer you an encrypted experience end-to-end. Though if you're really that worried about my site, the real answer is "don't post anything you wouldn't want someone to read".

Email

Email encryption is almost as easy. If you use Windows, there is a good suite of tools called GPG4Win to help you create a public-private key pair and use Outlook to encrypt your email. If you use Thunderbird for your email, it's even easier, with Enigmail.

I use Macs and Linux, so I use Enigmail and the GPGMail plugin for Mail.app.

The basic trick of PGP/GPG encryption and signing is this:

You have a private key, protected by a passphrase, only you get to see this key, you protect it with your life.

You also have a public key, which you send far and wide, and which you can publish on public key servers. If you suspect your private key has been compromised, you can revoke it. If, like me, you created a key long ago and no longer have the private key, well, you just have to disavow it as hard as you can and deal with the consequences of someone sending you mail encrypted with a key you can't decrypt.

You can also sign the keys of others. This creates a chain of trust. If you receive an encrypted or signed email from a relative stranger, but one of your friends has signed his key, and you trust your friend's judgment, you can now also trust this new party.

Instant Messaging

Many Instant Messaging clients offer plugins for Off the Record (OTR) chat encryption. The Mac client Adium, and the Linux clients Kopete and Pidgin have OTR support baked in, Pidgin is also distributed for Windows. The popular Windows client Trillian has some level of support via plugin, but there's some deal where you have to pay money for Trillian to get the feature. I don't know. There's zero point in paying for an IM client.

The way OTR works is that you and your contacts create an encryption key the first time you start chatting, you use a challenge/response, which only the other party will know. You can make it anything. OTR will then use this key to encrypt to that party. There is also session specific hashing built in which prevents someone from, say, capturing a bunch of your encrypted traffic, then stealing your laptop and using your key to decrypt the traffic they captured, it won't work. Your chat traffic is also given plausible deniability as there is no signature tying them back to you. As the site says "Anyone can forge messages after a conversation to make them look like they came from you". This is a good thing, since under interrogation, you can claim ignorance of the traffic, since it can be forged.

Your Hard Drive

Use TrueCrypt to protect your data and give you plausible deniability in the event your keys are coerced out of you, legally or otherwise. It's been decided that the Fifth Amendment does not protect you from handing over encryption keys, so you should be prepared.

TrueCrypt allows you to create virtual storage partitions in a single file. When you mount a TrueCrypt volume it will show up in My Computer, for instance, as a regular drive, E:\ for example. That alone offers several advantages over trying to protect your various data, you can take that single file and back it up, copy it, basically treat it as any file, but it will hold gigs of data. You can also embed TrueCrypt volumes, so that if you are coerced into giving up your passphrase, you give up the "safe" passphrase.

This gets Them access to one set of data, while being unable to prove that any further data exists.

The idea here is that you put some sensitive data in the "safe" area, maybe your taxes, web passwords, stuff you want to keep private but which won't land you in jail. Use that Safe Volume from time to time, copy things into it for safe keeping. Meanwhile, you have the second volume, with a separate passphrase, which holds the Secret Missile Codes, the location of the Aliens, or whatever it is you're really trying to protect. They can't prove it's there, they already have your password, what else can they do?

Traffic Obfuscation

If you want to surf anonymously, completely, you want Tor(The Onion Router [layers, it will be clear {promise}]). Tor will route your traffic, encrypted, through a web of donated "tor routers" and out of a Tor exit node to its destination. This effectively anonymizes you from the site you're trying to hit.

For instance, if you were to browse xrayspx.com with Tor enabled, I would be able to see the hits, obviously, but I would see the traffic as originating from the Tor exit node. Trying to trace back farther will only reveal one layer of this virtual route. The virtual routers along the path don't know the true origin of the traffic, they only know the next hop, and the previous hop. Therefore the more hops are taken, the farther abstracted you are from your destination, and the less trackable you are.

Although your traffic proceeds unencrypted from the Tor exit node to its destination (SSL should still be used), it cannot be tracked back to your machine. You could be in Egypt and have your traffic appear to originate from Canada or Greece, or wherever.

As with anything that sends your traffic through random donated networks, you should be aware that it could be redirected, but if what you want is anonymity, what you want is Tor.

If you use TOR, you should also provide TOR the ability to route through your network. You can decide how much of your bandwidth to give them, but every little bit helps. If you rely on others to help you, you should help others as well.

Summing Up

Most times, what you want is a combination of technologies, Tor + SSL, or PGP for transit+TrueCrypt to store your local mail directory. The more layers you have between your data and Them, the better protected you are, and the less you have to fear. You can communicate freely, and free communications goes a very long way. The French Resistance would have been much less effective if they were unable to coordinate their attacks. You do have to be wary of Tokyo Rose, but if you follow some simple steps, you will have a much better chance of success.

Be stealthy, but leave a huge mark on your world.

xrayspx's picture

If you want to implement any of this, I can go into much more depth and give screenshot install guides for Linux, Windows and Mac for any of the technologies I outlined above.

--Edit, also, the music was a tough choice, it was a toss-up between Pete Seeger, The Clash (Ghetto Defendant), and Snow (Informer), each came up in my mix during my writing. I stand by my decision.

The Governor of South Carolina wasn't disclosed by NSA.

The Governor of South Carolina wasn't disclosed by NSA.

So? You can't help every moron every time. As I understand it there actually were unencrypted emails regarding his case in the possession of some paper somewhere.

ThreeTags (www.threetags.com) is an online notebook with built-in client-side encryption. Can be used to keep text notes/documents private.

That looks pretty interesting, thanks ThreeTags.

Just what is it you want to keep "private"?

xrayspx's picture

Just what is it you want to keep "private"?

Everything. I don't need the government seeing anything I do, be it a shopping list, a link I send my wife, or any of my correspondence with anyone.

Email encryption, while easy and secure, is not /as/ easy for the average person as IM encryption with Off The Record. Can you imagine the bulk of IM traffic that could be intercepted and what profiles you could build about a person from snooping it?

Email is, unfortunately, a pie-in-the-sky concept. I would LOVE it if everyone I communicated with used encryption, but they just won't, and I get that. It also has the side effect of making anything other than the to: from: and subject: fields all but un-searchable unless you keep unencrypted offline copies.

Tis had said she fears the current government, and I heard a lot of people say similar things about the last as well. There is no reason the government should be aware of protests against it or people organizing their opinions. I look at it in terms of the 4th amendment:

If you send unencrypted email over the public Internet, it's fully legal for anyone, the Govt. included, to intercept it as it crosses their network and save it, and mine it. If you send an Encrypted mail across the Internet, they can save it all they want, but they're not reading the message, and in my mind, if they spend the CPU-years to decrypt that message, then THAT is unreasonable search and seizure. Equate it to the difference between sending a post card with your note written on the back, and sending a letter in a privacy-envelope. If someone opens that letter, that is a crime.

And if the government disregards the potential 4th amendment issues in the interest of suppressing the 1st amendment, then at some point, they will come to regret that there is a 2nd amendment.

/amdendment

P_t_W asks:
"Just what is it you want to keep "private"?"

Did he really expect a straight answer?
M. Heppelwhite

Did he really expect a straight answer?

Probably not. I could have said Dutch Horse Porn I guess. But it's a subject I take pretty seriously.

When people start telling me they fear government data mining their communications, I feel I should advocate as hard as I can for anything that increases their personal privacy.

There is no "Right to privacy". There is only the 4th amendment, and that does not extend to anything you put out for all to see.

Two weeks ago, I had a friend IM'ing me telling me how his boss, a senior engineer in a very Internet related field, had told him "I've completely wiped myself from the Internet, find /anything/ on me, I dare you".

In 15 minutes, starting from his name only, I found several forum postings, all his phone numbers, his wife's name (including the fact he has a wife), his kids, his review of a camcorder, just lots of stuff. I know what kind of phone he has, I know what kinds of phones he's had in the past, I know what products he buys, where he lives and what car he drives. If I'd been willing to spend any money I could have gotten lien information, and just gone much deeper on it.

Remember that anything we write on the Internet can safely be assumed to live on long after the site we write it on has gone away, it's a fact of life.

I really wish I'd gotten some feedback from Tis on these encryption threads. This really is what she should do if she's in fear of her government. It's really what all of us should be doing, all the time. I'm not being facetious when I say "You're in fear of the government, here then, do this stuff".

P_t_W asks:
"Just what is it you want to keep "private"?"

Did he really expect a straight answer?

I have learned that you don't put anything on the Internet that you don't want broadcast as headlines. I don't do any banking on the Internet, and use a credit card that specifically protects the user against cyber-fraud.

Data-Mining, is used by us for surveillance of Terror groups and this country's outspoken Socialist enemies.

If you don't use strange coding or type on Arabic-character keyboards, you have little to fear.

I'd expect the data-miners to key on subtle site features—Note the scroll bar to the left—in the following example:

http://74.125.47.132/search?q=cache:oE0qtSdku4AJ:yazdershad.ir/persian/i...

Data-Mining is what Clinton* signed into law pre-9/11 and Obama continues to use. The use was "leaked" by the New York Times.

Data-Mining is what tis objected to upon news that "The Evil President Bush" was actually using what Clinton* signed into law.

("Leaked" by the New York Times, who later proudly announced to its shareholders that "datamining" would be used for profits of its readers).

QUOTE:
"...Barely a year after their reporters won a Pulitzer prize for exposing data mining of ordinary citizens by a government spy agency, New York Times officials had some exciting news for stockholders last week: The Times company plans to do its own data mining of ordinary citizens, in the name of online profits..."

http://74.125.47.132/search?q=cache:8w6pcvE5dIYJ:newsbusters.org/blogs/c...

I expect that encryption will certainly be used by Terror groups and this country's outspoken Socialist enemies (if not now), and we taxpayers will be paying to "decode" such encryptions (if not now).

>>

Peace_through_Weakness

xrayspx's picture

"If you have nothing to hide, then you won't mind if we search everything you do" has been used by more oppressive regimes throughout history than you can count.

It's a horrible slippery slope and I can't believe you advocate that position. "If You're not Arab, or communicating with Arabs, then you have nothing to fear" is just lame.

Again, you make the mistake of bringing party politics into the discussion. Can you get it through your damn head that no matter who is in charge of the government, we should not be giving them the power to profile everyone by traffic.

And, to use your's and Tis's favorite phrase "You're NAIVE" if you think the TLA's don't have the capability or desire to flag keywords in pretty much any unencrypted communications stream.

For the record, I do bank online, I do not purchase anything online except concert tickets. For the record, I spent 6 years working at a Top 50 eCommerce site, and I don't buy things online. Take what you will from that.

I read what your wrote more carefully, x. It sounds like it is just other steps and blocks when working on the computer- all taking more time. Actually, I wouldn't even care if I didn't need a password to log into sites. I guess it would be nice when searching the web to not have them know who is there, but since I don't do very much of that, I think I can live without doing it --now, anyway.
I have nothing to hide either, but it doesn't mean I don't like my privacy.

Tis doesn't need more methods of encryption. She's already a skilled user of ambiguity and typos to mask her true message.
But she's always pleasant about it.
oc

xrayspx's picture

I read what your wrote more carefully, x. It sounds like it is just other steps and blocks when working on the computer- all taking more time. Actually, I wouldn't even care if I didn't need a password to log into sites. I guess it would be nice when searching the web to not have them know who is there, but since I don't do very much of that, I think I can live without doing it --now, anyway.

Actually yeah, that's why I had these in the order I do. The time-sink parts don't start until you're dealing with email. IM and web encryption are pretty much no-brainers requiring no more steps than non-encrypted.

Using a fully encrypted hard drive requires a one-time up-front effor to make it happen, I use both. I have a fully encrypted drive, so that "just works", and I also use the file-based TrueCrypt containers.

I'm not sure how to take that oc! LOL!

tis - 07/22/2009 - 5:40pm
I'm not sure how to take that oc! LOL!

Well tis, you're off to a good start.
oc