Recently in Privacy & Encryption Category


Thursday, May 3, 2012


JWR:
One concern I have is that if I were to record unconstitutional actions by police, would my phone be seized and the videos erased?

One solution may be to record via internet stream. Then they would have to also think to take an extra step of checking for the software and logging into your account to delete your videos. Meanwhile, you could call someone from jail and request they copy the video before it gets deleted.

I found a review of the three different sites.

I recommend that you keep your recorder software signed in and ready to go and use quick locking/unlocking on the phone itself.

Even so, I urge you to comply with all written recording laws. This advice would only apply for situations where it's not technically illegal but which might happen anyway. After all, they're acting unconstitutionally in the first place! - C.D.V.


Friday, April 27, 2012


SurvivalBlog readers:
If you have a fairly recently manufactured computer, there is no reason to expose your computer to malware at all. Most computers are powerful enough to host a "virtual machine" (VM) - that is, a session that is completely isolated from the hosting computer and that does not make any permanent changes to your system without your express command. VMs can be modified, saved and discarded as you wish. If you are browsing the web using a VM and suspect that you have encountered a virus or malware, simply discard that session and start a new one. There are many tutorials on the 'net that give step-by-step instructions on how to set up and maintain VMs on your home computer. I use VMs on a decade-old hand-me-down office PC running Windows X. If that old clunker can handle it, yours probably can as well.

Respectfully, - Dr. John G.


Thursday, April 26, 2012


Hello, Mr Rawles:
I saw the Odds 'n Sods piece where Michael Z. Williamson forwarded an article on the warning about "thousands of PCs infected" to lose Internet access that refers people to www.dcwg.org. I read the article.

Sorry, but I don't trust going to such a site. It could easily be a government-based data collection site. It's amazing how much information is passed along with simply browsing a web site. dcwg.org is registered to someone in Cupertino, California.

I found that www.DNS-OK.us will give the same information about whether a system is infected or not. That site is registered to Paul Vixie, whom the article refers to as their consultant. Vixie's site will give you a green colored screen if you are clear and a red colored screen if you are infected. His site does warn that if your Internet Service Provider (ISP) redirects DNS, the Domain Name System, your computer might pass the test yet still have the infection. It seems that only Windows systems were affected, although ISPs could have been and they're used by other systems, such as Linux and Mac systems.

After checking Vixie's site, the easiest way to know if you may yet be infected is to check your DNS server addresses against the FBI's bad list:

85.255.112.0 to 85.255.127.255 --------> 85.255.112-127.0-255
67.210.0.0 to 67.210.15.255 -----------> 67.210.0-15.0-255
93.188.160.0 to 93.188.167.255 --------> 93.188.160-167.0-255
77.67.83.0 to 77.67.83.255 ------------> 77.67.83.0-255
213.109.64.0 to 213.109.79.255 --------> 213.109.64-79.0-255
64.28.176.0 to 64.28.191.255 ----------> 64.28.176-191.0-255

For those who do not know about Internet Protocol (IP) addresses, notice that they contain four numbered parts with periods separating each part, sometimes called a dotted list. Each part will be a number in the range 0 to 255 inclusive. On the right I have denoted them as dotted range lists. For instance, if the first two or three dot-separated numbers, e.g., 85.255 or 77.67.83, do not match your DNS numbers then you are clear. If any in the bad list do match, the rest of the entry shows the ranges of the bad numbers. For instance, if your DNS server number starts with 85.255, then the third number must be between 112 and 127 inclusive to be a match in the bad list. If that third number matches then the fourth number is a guaranteed match.

Windows users can find out their DNS server IP addresses by opening the Start menu and selecting the Run option in the list. Type "cmd" and press ENTER. A window running cmd.exe will open. At the command prompt type "ipconfig /all" and press ENTER. At the end of the output will be a list of DNS Servers. Check the DNS IP address numbers against the bad list. One address could be the router's address, typically beginning with 192.168. If that's in the list of server addresses, you may have to log in to your router to see what it denotes as its server. The router connects to the ISP, which does the real Internet access.

To check the DNS server that your ISP gave your router, log in to the router. Start a web browser, click your mouse pointer in the location box, erase whatever is already in there, and type the IP address that ipconfig showed as the "Default Gateway."

The router's web page may prompt for your router's login name and password. If you did not change the login info from the initial settings that came from the router manufacturer, shame on you! Those names and passwords are documented and well known to system crackers -- check your router's manual. That would be the way someone could have changed yours. Enter your name and password and check your DNS Server's IP address against the bad list.

If the router's DNS address is on the bad list, call your ISP's technical support immediately. Should you get the red screen on Paul Vixie's site instead of the green, or one of your own system's DNS addresses is on the bad list, you may have to reformat your disk drive, reinstall your operating system, all your software, and your data files. You should have a backup of your important files stored somewhere so that reinstalling is merely an inconvenient, time-consuming pain, but you are not left out in the cold. Be careful of a simple restore of your entire operating system from your backup because you may have backed up the infected system and you would just reinfect it with the restore. Safest to start from scratch. Install your operating system and the various programs you use from the manufacturer's disks.

If you're not familiar with these operations, consider consulting a friend, relative, or neighbor who is familiar or contracting with a computer professional to help. - Larry R.
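The range check described in the letter above, written out as an added example (it is not the letter writer's code). It parses `ipconfig /all` output, here a constructed sample with made-up addresses, and compares every DNS server with the six listed ranges; the function names are illustrative.

```python
import ipaddress

# The six ranges from the list in the letter (start and end are inclusive).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
ROGUE = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
         for lo, hi in ROGUE_RANGES]

# Constructed sample of `ipconfig /all` output; addresses are made up for the demo.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.113.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
"""


def rogue_cidrs():
    """Return the listed ranges in CIDR notation (handy for firewall rules)."""
    nets = []
    for lo, hi in ROGUE:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return [str(n) for n in nets]


def _parse(text):
    """Parse one address, dropping an IPv6 zone suffix; None if not an address."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None


def dns_servers(ipconfig_text):
    """Collect IPv4 DNS servers, including the unlabeled continuation lines."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if line.strip().startswith("DNS Servers"):
            collecting = True
            candidate = line.split(":", 1)[1]   # text after the dotted label
        elif collecting:
            candidate = line                    # possible continuation line
        else:
            continue
        addr = _parse(candidate)
        if addr is None:
            collecting = False                  # next label or blank line
        elif addr.version == 4:
            servers.append(addr)
    return servers


def classify(addr):
    """'listed' = in a bad range; 'router' = private address, so the real
    resolver is whatever the router uses; 'not listed' otherwise."""
    for lo, hi in ROGUE:
        if lo <= addr <= hi:
            return "listed"
    if addr.is_private:
        return "router"
    return "not listed"


def check(ipconfig_text):
    """Map each DNS server found in the output to its verdict."""
    return {str(a): classify(a) for a in dns_servers(ipconfig_text)}


if __name__ == "__main__":
    for server, verdict in check(SAMPLE_IPCONFIG).items():
        print(f"{server:15}  {verdict}")
```

A "router" verdict is the case the letter describes: the check then has to be repeated against the DNS server shown in the router's own settings.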


Tuesday, March 27, 2012


Jim:
Regarding the post of the guy in California that Google can take a photo from the public street, and see his electric meter and objects in his open windows: the problem is not so much Google as his choice to live so close to a public road that anyone could do this. I used Street View to "sorta" see my gate, and that is all you can see--just a gate. Google Maps' satellite photos show far more detail about the layout of my "spread", though the detail is fairly fuzzy. - Andy G.


Monday, March 26, 2012


Dear Editor:
A few years ago I blocked out the views of my house from Google Street View.  However, I recently discovered that the Street View vehicle had taken updated pictures of my street, and my house was again visible, and in much greater detail!  I was actually able to read my electrical meter from Street View and view objects inside of my house by zooming in on windows that were open.  It also appears that the Street View cameras are much higher than the previous vehicle; based on the height of a pedestrian on my street, the cameras look to be at least 8 feet off the ground.  So your 6 foot tall privacy fence may be mooted by the camera being able to peer over your fence.  

I would suggest to fellow readers that they should periodically review Street View and other services, like Spokeo, to ensure that they are not being displayed for all the world to see.

I have noticed that in the last few months there has been an increase in suspicious activity on my street, and I thwarted a break-in attempt a few months ago - oddly enough, after the time the updated street view pictures were taken!! (thank the Lord I had a pistol on my person).  A thief no longer needs to case your house out from the street - Google Street view does it for them!

To remove your home from Street View:

1) Find your address on Google Maps, and then zoom until the map flips from top-down to the 'Street View'
2) Center your house in the street view
3) Find the very hard to read "Report a Problem" text on the lower left corner of the Street View & click
4) A new screen should pop up (a new tab for me, you may need to turn off a pop-up blocker).
5) Click "Privacy Concern", and then "My House" and then "I have found a picture of my house and would like it blurred"
6) Fill out the description field - I've cited recent theft attempts
7) Fill in an e-mail address - I would suggest using a fake e-mail address so that you are not telling Google what e-mail address lives at your house.  (Side Note: Make sure your wi-fi is locked down, as they are probably sniffing this at the same time as well).
8) At this point you will see why we centered your house earlier - there is a red box around the center of your house in the image.  Please note that you can adjust the red box from this screen as well, but the view is much smaller.
9) Fill out the word verification, and then hit submit
10) This is the most important step: you need to move the Street view up and down your street, and repeat this process from every part of the road that can see your house.  I had to make 8 separate privacy submissions to fully block my house from Google Street View.  To move the street view, there should be two or more white arrows on the road - click them, and you should see your location change.

- Nate in California


Tuesday, March 20, 2012


JWR:
Can you let your readers know what the names, identifying characteristics, and other information is that we can use to check and see if we have the FBI installed cookies on our machines? Thanks, - J.V.

Web Forensics Expert Mr. X. Replies: First let me explain how to look for cookies.  The easiest way IMHO (there is more than one way to skin a cat, my favorite method involves using high-pressure air...) because it is easy and anybody can do it with little or no chance of [accidentally] nuking their own machine:

In Internet Explorer, go into the File --> Import and Export setting.  You are given a choice of three actions - import from another browser, import from a file, or export to a file.  Choose export to a file and hit "next."  You are given three options to export -- favorites, feeds, and cookies.  Export cookies by selecting the box and clicking next.  Save the file in a location that you can then find.

When you open the file all of the cookies you've used will show up.  And since it's a text file it is searchable.  You can do a search on "FBI" ... I did this and found:

fbi.gov    TRUE    /    FALSE    1394696342    __utma    158289773.903355577.1331260742.1331260742.1331260742.1

fbi.gov    TRUE    /    FALSE    1331626142    __utmb    158289773.3.10.1331260742

fbi.gov    TRUE    /    FALSE    1347392342    __utmz    158289773.1331260742.1.1.utmcsr=dogpile.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web

So what this tells you is that there is a tracking cookie from the FBI on your machine.  In this case this tracking cookie comes from dogpile.com (see the last line) which is a search engine that I use frequently.  The problem is that you never know what they will call their cookies.  The aforementioned example has nothing to do with your web site at all.  And I've picked up in the past few hours since it's Monday here (I scrub down each weekend) just doing searches for topics at work.

There is a similar method in Firefox but given the number of add-ons for Firefox and the different platforms it is on putting directions for each possible combination in would just confuse most people. 

To eliminate the cookies and history you do that via the Tools --> Internet Options option and check off the "Delete Browsing History On Exit" box and/or hit the "Delete" button in the same space (should be on the opening tab of the Internet Options). 

Yes, the only reason I noticed this was because they have not done anything to try to hide what they are doing.  So the obvious stuff is, well, pretty darn obvious.

There are tools out there like Spybot Search and Destroy that will automatically eliminate the bulk of "bad" tracking cookies that are hidden as well.  There are a number of things you can do to scrub your machine and get very paranoid about your browsing but they are not things that most people should do simply because if you don't know what you are doing you have a good chance of [inadvertently] nuking your machine. 
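A parser for the exported cookie file described in the reply above, added here as an illustration and not part of the original reply. It assumes the export uses the seven-column layout visible in the quoted lines (domain, subdomain flag, path, secure flag, expiry as Unix time, name, value); the `__utma` and `__utmz` field layouts are those of Google Analytics' classic tracking cookies, and the function names are illustrative.

```python
from datetime import datetime, timezone
from typing import NamedTuple

# The three fbi.gov records exactly as quoted in the reply above.
PAGE_LINES = """\
fbi.gov    TRUE    /    FALSE    1394696342    __utma    158289773.903355577.1331260742.1331260742.1331260742.1
fbi.gov    TRUE    /    FALSE    1331626142    __utmb    158289773.3.10.1331260742
fbi.gov    TRUE    /    FALSE    1347392342    __utmz    158289773.1331260742.1.1.utmcsr=dogpile.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web
"""
# Constructed extra record so the domain filter has something to exclude.
EXPORT = PAGE_LINES + "example.org    FALSE    /    FALSE    1340000000    session    abc123\n"


class Cookie(NamedTuple):
    domain: str
    subdomains: bool
    path: str
    secure: bool
    expires: datetime
    name: str
    value: str


def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def parse_export(text):
    """Parse an exported cookie file; columns may be tab- or space-separated."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or header comment
        parts = line.split(None, 6)
        if len(parts) == 6:
            parts.append("")              # cookie with an empty value
        if len(parts) != 7 or not parts[4].isdigit():
            continue                      # not a cookie record
        domain, sub, path, secure, exp, name, value = parts
        cookies.append(Cookie(domain, sub == "TRUE", path, secure == "TRUE",
                              _utc(exp), name, value))
    return cookies


def find_by_domain(cookies, domain):
    """Cookies set for `domain` or any of its subdomains (case-insensitive)."""
    want = domain.lower().lstrip(".")
    hits = []
    for c in cookies:
        have = c.domain.lower().lstrip(".")
        if have == want or have.endswith("." + want):
            hits.append(c)
    return hits


def decode_utma(value):
    """__utma: hash.visitor_id.first_visit.previous_visit.current_visit.sessions"""
    _hash, visitor, first, prev, cur, sessions = value.split(".")
    return {"visitor_id": visitor, "first_visit": _utc(first),
            "previous_visit": _utc(prev), "current_visit": _utc(cur),
            "sessions": int(sessions)}


def decode_utmz(value):
    """__utmz: hash.timestamp.sessions.campaigns.key=value|key=value|..."""
    _hash, stamp, _sessions, _campaigns, rest = value.split(".", 4)
    fields = dict(pair.split("=", 1) for pair in rest.split("|"))
    fields["recorded"] = _utc(stamp)
    return fields


if __name__ == "__main__":
    for c in find_by_domain(parse_export(EXPORT), "fbi.gov"):
        print(f"{c.name:8} expires {c.expires:%Y-%m-%d}")
        if c.name == "__utmz":
            z = decode_utmz(c.value)
            print("  arrived via", z["utmcsr"], z["utmcct"], "on", z["recorded"].date())
```

Decoding the expiry column shows how long each record persists, and the `utmcsr`/`utmcct` fields are where the dogpile.com referral in the last quoted line is stored.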

 

James:
I read your blog post about the FBI's cookie caper and it brought to mind an overview article about The Onion Router (Tor) that I came across a while back.

Here is a quote from the Tor web site:

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.
Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.
Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?
A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.
The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.

Regards, - D.D.

 

James Wesley:
Thanks for the post on the FBI cookie caper.  It is distressing, but enlightening about the times we live in.

I'm writing about your change of heart on posting the foresee-alive.js script.  The FBI posts this code on their fbi.gov site. It is available here.

I thought that link might be helpful to some.  I guess maybe those people that are savvy enough to read the script and interpret the code are probably already savvy enough to find it on their own, but I thought just in case I would send this on to you.

Also, I agree with your decision that it's probably wise to not post the code directly, but I believe that since they did not post any copyright information it is therefore public domain like any other government publication.  Otherwise, they would have to indicate it as a protected work from an outside party.  But that's my non-professional opinion, and "you're the doctor" as they say.

Thanks for keeping the flame of freedom burning! - B.C.

 


Dear Mr Rawles;
I read your announcement about "The FBI's Cookie Caper and the VPN Imperative". Thanks very much for your candor. However, I believe some of your information is mistaken or missing. Here are the most important points I saw:

Disabling cookies will not remove others' ability to track you. At best, disabling cookies only makes it a little harder. There are plenty of other ways to track you, including data collection and silent install of malware on your computer to record your keystrokes. Here is an example.

Using a paid VPN does not ensure your security. Here is a good explanation as to why this is true.
A better solution is to use The Onion Router (Tor) and/or Tails and their associated applications. There is also Orbot, an Android app to allow Tor Anonymity browsing on an Android phone. I have and use these. Granted, they are not always the simplest in terms of user friendliness, but once set up they should rarely need changes due to their structure. The Tor Browser, however, is about as simple as it gets on the web.

Not all of the listed browsers are safe to use. Some are outdated (Netscape), and others are inherently flawed from a security standpoint (such as Internet Explorer). More importantly, only two that I know of offer Anonymous Browsing - Firefox and Chrome. Please add the Tor Browser to this list, which is by far the best method for anonymous browsing available to the average user.

SurvivalBlog.com [has a working encrypted https address, but] is not yet HTTPS Everywhere enabled. This means that even if the visitor is using the Tor network, traffic between a Tor server and SurvivalBlog.com is still unencrypted, and vulnerable to spying and/or attack. Please join the HTTPS Everywhere project.

Much of this may sound like an advertisement for the Tor Project, but the reason for that is that the Tor Project is the best method I have found to secure your privacy online, if used properly. (Never identify yourself on the Tor Network.)

Thanks for your consideration in these matters. Sincerely, - I Am John Galt   

 

Dear Mr. Rawles,
I just took your advice on setting up a VPN.  I have been using an anonymizing proxy for some time and living with the speed decrease, but it's just so easy to turn it off for something and then forget to turn it back on.  At any rate, I went looking for a VPN provider that is (A) domestic and (B) accepts bitcoin.  It's just one less way to be trackable since the payments won't show up on any bank or credit card statement.

At any rate, I found one: based in Chicago, I am now using CamoList VPN and have had a very nice conversation with the proprietor about bitcoin.  Service is $5 a month.  Bandwidth is up to 5 mbps, but that actually doesn't matter to me since I live in the boonies and have to make do with 1 mbps on my end.  Just thought I'd pass this along for anyone else who might be interested. - Buckaroo


Monday, March 19, 2012


It has come to my attention that from August of 2011 to November of 2011, the FBI secretly redirected the web traffic of more than 10% of SurvivalBlog's US visitors through CJIS, their sprawling data center situated on 900 acres, 10 miles from Clarksburg, West Virginia. There, the Feebees surreptitiously collected the IP addresses of my site visitors. In all, 4,906 of 35,494 selected connections ended up going to or through the FBI servers. (Note that this happened several months before we moved our primary server to Sweden.) Furthermore, we discovered that the FBI attached a long-lived cookie that allowed them to track the sites that readers subsequently visited. I suspect that the FBI has done the same to hundreds of other web sites. I find this situation totally abhorrent, and contrary to the letter of the 4th Amendment as well as the intent of our Founding Fathers.

I recognize that I am making this announcement at the risk of losing some readers. So be it. But I felt compelled to tell my readers immediately, because it was the honorable and forthright course of action.

Working on my behalf, some volunteer web forensics experts dissected some cached version histories. (Just about everything is available on the Internet, and the footprints and cookie crumb trails that you leave are essentially there for a lifetime.) The volunteers found that the bulk of the FBI redirects were selected because of a reader's association with "Intellectual Property" infringing sites like the now defunct Megaupload.  But once redirected, you were assigned a cookie.  However, some of these were direct connections to the SurvivalBlog site (around 4% of the total.) So if they had kept this practice up long enough and if you visited us enough times then the FBI's computers would have given you a cookie. This has been verified with sniffer software.

Bad Cop, No Donuts Cookies

For your privacy, I strongly recommend that you disable cookies when web browsing. Here are some detailed instructions on how to do so for the most popular web browsers:

But beyond that, more must be done to protect your privacy. You need to be proactive.

Install and Use VPN!

I am now imploring all SurvivalBlog readers to immediately install and use Virtual Private Network (VPN) on their computers. This will allow you to surf the Internet anonymously. Anyone that tries to track web site visitors e-mails will see your visit as originating from one of dozens of anonymous URLs in Europe, or elsewhere in the United States. (With most VPN services, you may pick the city of your choice.) With VPN active, your connection to the Web is "tunneled", emerging at a far-distant IP address, and it would be very difficult to track back to your home IP address. Setting up VPN takes just a few minutes to accomplish. Once installed, you can set VPN to turn on automatically by default when you start your PC, Mac, or Linux computer. Most VPN providers charge $5 to $20 per month. You can toggle off VPN with the click of your mouse. (You will find this necessary if you visit any of the few web sites that disallow overseas IP addresses, such as Netflix). But I recommend that you leave VPN turned on, as much as possible. Set it up to turn on each time that you start up your computer. It is crucial that you use VPN whenever you visit web sites, blogs, and forums that are deemed politically incorrect, or whenever you purchase storage food or firearms accessories on the Web. For those of you that are not tech savvy, ask a friend or relative under age 25 to set up VPN for you. It is not difficult.

Some recommended VPN service providers include:

  • StrongVPN ($55 to $240 per year. One of the most flexible in reassigning the far end of your tunnel on the fly. Superior speed.)
  • 12VPN ($79 per year.)
  • AceVPN ($55 per year. A bare bones service, but one of the least expensive.)
  • VPNHQ. ($84 per year.)
  • PureVPN. ($75 per year for their basic service.)

(Some reviews of the various services are available here. )

Note that some of the lower cost services might see your connection speed suffer. Your Internet connection will seem noticeably slower than using your original ISP, alone.

It is my hope that in the next two months SurvivalBlog's site visit map will shift substantially, giving the appearance that most of my readership has moved to Switzerland. Say "Ein Glück, dass wir den los sind" to the FBI's snooping! It would warm my heart to soon see SurvivalBlog ranked as one of the most popular web sites for readers with Swiss IP addresses.

Beyond VPN

Because government agencies have access to lots and lots of computing power, VPN is not completely impenetrable. It is vulnerable to penetration during the key exchange phase. With the resources available to a state actor, sniffing the entirety of the traffic into and out of a web site is trivial these days. (They can use massively scalable horizontally-scaled virtual sniffers -- i.e. using a visualization engine and a template they can keep adding more virtualized instances of a windows or Linux based sniffer program and not even impact the performance of the connections.) I believe that the next loop of the threat spiral in the privacy wars will be Quantum Key Distribution (QKD). But I must clarify that this will become important only for the most high profile media commentators, bloggers, and activists. This is because all the spook legions with all of the mainframe computers in the world simply cannot backtrack everyone's VPN tunnels. (And, as VPN becomes more and more popular, this supposed goal will become even more elusive.) And if you are high profile, don't worry. Some very bright people are already working on QKD. Stay tuned.

Our Liberty is at Stake

I want to apologize for the cost, inconvenience and time required in implementing the foregoing security measures. But you can sleep a little better, knowing that you've added a layer of anonymity to your Internet presence. We need to recognize that the early 21st Century is a delicate time for individual liberty. Technology is leapfrogging while at the same time databases are filling at an alarming rate. These databases could provide dossiers on demand, for nefarious purposes. How you vote and how you "vote with your feet" (physically or virtually) are both of tremendous importance. Pray hard. Choose wisely. Act accordingly.

P.S.: For those who are web software savvy, I had originally planned to post the latest version of the actual "foresee-alive.js" Javascript code that the FBI used to attach the cookies. But then it was pointed out to me that ironically, revealing this might constitute copyright infringement, opening me up to an intellectual property lawsuit. That has an odd sort of irony that got me thinking. This predicament somehow dovetails with two bits of history. The first instance is from the First World War: I have read that the U.S. Government paid patent license fees to Mauser before and during the hostilities of the Great War with Imperial Germany. This was because the M1903 Springfield rifle was correctly adjudged a patent infringement on the Mauser Model 1898. During the war, the patent payments continued, conveniently handled by Swiss bankers, acting as middlemen. The U.S. taxpayers paid Mauser of Germany about $1 per rifle plus additional penalties that would have eventually totaled $250,000 USD, up until the U.S. entered the war. It has also been rumored that some payments continued to arrive even after the U.S. Congress declared war on the Kaiser's Germany. (We'll have to wait for the release of Jon Speed's next Mauser book to read the details.) This historical tidbit is just one notch below what happened two decades later when Germany's Nazi regime had the temerity to sell full fare train tickets to some Jews, to cover the costs of their forced relocation to the designated ghettos before their planned extermination. Oh, but the Nazi bureaucrats were so conciliatory. They only charged children half fare to be sent to their deaths. (If you doubt this, then read the book Fathoming the Holocaust by Ronald J. Berger.)


Sunday, March 18, 2012


Capt. Rawles,
I enjoy your blog very much, however, I have read several times that you need a physical mailing address to get an amateur (ham) radio license. I don't believe that is correct. If you look closely at FCC form 605, line 15, they ask for a "P.O. Box, and/or Street Address". The FCC needs an "address of record". One could rent a box at a UPS Store (which gives a street address); they just want to be able to reach you by mail. You can also register as an "Entity", i.e. a business, corporation, LLC, etc. I recently went through the process. I used an old business that has not been active in years, along with its EIN, instead of my social security number. It should not be very difficult to keep one's actual physical address out of the FCC database, without lying or doing anything illegal. - The Shiny New Tech


Thursday, March 1, 2012


If you are a frequent visitor to SurvivalBlog then I do not need to explain why the subject matter may be of importance. There are several previous posts that cover somewhat related information that I will reference and expand upon.

First, the disclaimers: I am not a data security expert. I could not blind you with science nor expertly baffle you with Bravo Sierra. However, I have been directly involved in the Internet related software business for almost 20 years. I have spent many hours a day for almost two decades using the internet and watching it evolve. During that time, especially since 9/11, I have also watched the watchers watching more of everything we do.

The second disclaimer is the software or services I mention below may not be legal in all countries. While currently legal in the US, the FBI recently sent a flyer to all Internet cafes and coffee shops warning that a number of quite normal and legal behaviors should be considered a "potential indicator of terrorist activity" and should be reported.

Hopefully the information contained herein will help you maintain the small amount of privacy you have left when it comes to the data on your computer and your online activities. The caveat being this – there is no such thing as perfect security or absolute privacy. Pretty much any code or encryption can be broken if someone has the resources and the motivation to do such.

There are certainly many more options available than I will cover here, but I wanted to keep this as simple as possible so anyone with more than rudimentary computer skills can implement whatever measures they deem necessary. I will cover the areas of securing data you keep (files, folders, etc), securing e-mails, IM and chats, protecting your identity while browsing and also making secure voice and video calls. However, the first thing I have to talk about is using some common sense.

Common Sense
Yes, an invasive government has the resources to electronically monitor any and all communications and to break almost any type of code or encryption. However, that does not mean they have the resources to manually analyze every single phone call, e-mail, chat, purchase or web browsing habits of every single person on Earth. Just because you may visit sites deemed threatening to TPTB or you have purchased a survival knife online doesn't mean you are a high priority target on some watch list.

So here is the common sense part: don't make yourself a high priority target. Try to exercise a degree of discretion and intelligence if you find it necessary to make posts online or send e-mails. I have to shake my head in disbelief when I see people making inflammatory posts online. Such posts are filled with threats, anti-government or violence inciting rhetoric. Such "keywords" will get someone's attention. The bottom line is this: unless you are one of the very brave souls that have chosen to take a public stand, to offer constructive ways to adapt to and survive the rapidly changing world we live in, it's best to draw as little attention to yourself as possible. Try to keep your emotions at bay when posting online, because once you put it out there, it is there forever.

Data Security
We all have data we need to keep and a lot of it should be secured in some manner – such as scanned copies of your important papers (birth certificates, passports, driver's license and such), supply lists, maps, routes – you get the picture. Any unsecured data on an Internet connected (or confiscated) computer is a security risk. Trojans, Viruses, Key-Loggers, Malware, Drive-by Downloads all pose the risk of exposing your data. I won't discuss the need to keep your anti-virus and/or anti-malware software up-to-date because if you aren't doing that – the rest of this information won't do you much good. Below I will cover several aspects of data security from the simplest to the more complex.

The first rule is not to keep your sensitive data on your computer's hard drive in the first place. Flash drives (USB thumb drives) are inexpensive and can hold a tremendous amount of data. Keep your sensitive data on a flash drive, or better yet, a Micro SDHC card. For around $15 you can get a 16GB Micro SDHC card with SD adapter. You will probably need the adapter because the actual data card is smaller than your pinkie fingernail and about as thick – it can be hidden anywhere. If your computer doesn't have a flash card reader, then you can get an external card reader for less than $15.

File Encryption Using a Password
Again, I won't cover all possible options in this post, just the quick, easy and less complex solutions I have found and since Windows is the most prevalent operating system, I will limit software references to that unless noted – you can probably find similar solutions for Macs or Linux machines. For quick encryption of one or more files, dsCrypt is a free AES/Rijndael file encryption software with simple, multi-file, drag-and-drop operations. All you do is download/save the 25kB .exe file and double-click to launch – it doesn't have to be installed – the file you download is the program itself – which means it can also be used from portable media.

If you have a lot of files you need to secure, you may want to look at TrueCrypt, a free open-source disk encryption software for Windows, Mac and Linux. TrueCrypt creates a virtual encrypted disk within a single file which can be mounted as a real disk. This file can be created anywhere on your hard drive or portable media. Anything saved to this "disk" is automatically encrypted. This solution requires a multi-step installation – but is well worth it. I suggest you keep the disk space allocated to something reasonable because it cannot be undone without formatting the drive.

To exchange encrypted files with others, there are some free solutions available that offer high levels of encryption. The only caveat is the recipients also need the same software installed and the password used to unencrypt the files – not a huge price to pay for a bit of security.
Encrypt Files is very easy to use for files or entire folders
dsCrypt - (great for portable media)
MEO Encryption is a great free program for files and e-mail. Actually, after playing with MEO for a bit, it is quickly moving to the top of my list.

Finally, there is the area of obsolete or replaced drives. Formatting a drive does NOT delete the data – it can be fully recovered with simple software. Most drives I replace will not be reused because they are old technology. I used to take a sledge hammer to them, but now use a drill press and put a ½" hole all the way through the case and platters. However, if that's not your style – you might want to look at Boot and Nuke. You have to create a CD or DVD from the downloaded .iso file, but then you simply re-boot using that disc and the hard drive will be wiped clean to DoD/NSA disc over-writing standards.

Also, simply deleting a file/folder – even after emptying your recycle bin – does not protect that data. It can be recovered unless you use a file shredder program. A good free one can be downloaded from Fileshredder.org/

Secure E-mail
Every e-mail you send will go through numerous servers before it is delivered (usually 10-15 different servers). Your message can be read, scanned or copied at any step in that route. Referring back to the section on using common sense – be mindful of what words or phrases you use because you might garner someone's attention - other than your intended recipient.

One partial solution is to use a web-based "secure" e-mail service. Such services encrypt your messages before sending but the thing to keep in mind is any time you rely on a third-party service or server, your messages aren't really secure. However, some security is better than no security so here are some of the free secure email services you might want to check out:
Hushmail.com
S-mail.com
PrivacyHarbor.com
BurnNote.com

For much better security, your best bet is to encrypt messages before you send them. This can easily be done using MEO Encryption (mentioned previously for encrypting files) which can be used with your existing e-mail server.

To quickly encrypt a simple text file to send, LockNote is a good way to go.

For those worried that simply sending encrypted files or messages will draw unwanted attention, how about encoding short messages into a standard image file? This can be done with 4t HIT Mail Privacy Lite.

Secure Instant Messaging and Chats
While both Yahoo and Google offer an off-the-record or encryption option in their IM clients, I must again remind you that such service providers have full access to the original content as they handle the encryption.

Your best bet for secure IM communication is to use Pidgin for Windows or Adium for the Mac OSX. Both programs have an Off-the-Record function that uses 256-bit AES encryption that is performed before the message is sent through the 3rd party provider. Both work with all major IM servers and offer a slew of other great features:
Pidgin for Windows
Adium for Mac OSX
Jitsi for Windows, Mac and Linux

Private Web Browsing
You leave footprints everywhere you visit via any of the standard browsers. Yes, you can disable cookies and your browsing history and all that, but I'm talking about the footprints you leave on every server that transmits your requests for any web site. The footprint includes your IP address, operating system, browser and version, screen resolution and more. There is a previous SurvivalBlog post that provides more details about this.

In the post above, using the Tor proxy system was recommended. Until recently, this was not so easy to do. It involved installing a couple of programs and browser plug-ins. Further, most people would use Tor with their favorite browser not realizing that a lot of multimedia features on web sites will negate any benefits Tor is providing. For instance, Flash movies, scripting language and file downloads can reveal your actual "footprint."

However, this process has been made a lot easier by the Tor community. You can now install a Tor/FireFox combination in a single program. It is an older, stripped down version of FireFox that has all possible vulnerabilities disabled. A single icon first launches and connects you to the Tor network and then automatically launches the safe FireFox browser.

Using A Virtual Private Network (VPN)
While all other services and software I mention are free, there is a low-cost option to consider to keep all your online activity private. If you are like me, I tend to bounce around the Internet from buying wool socks online to sites where I should be using Tor - but I simply forget to launch it first.

While Virtual Private Network (VPN) services have been around a long time, it has recently become easy enough to implement that anyone can do it. Briefly, when you use a VPN, you create an encrypted tunnel between your computer and the VPN servers. All your network traffic is then routed through that server and sent back to you. The gist of it is, you download/install a simple software program, set it to start when you boot up (if you want), and all your internet activities are through the IP address of the VPN service - and the good ones don't keep logs of your activities. The one I use hides me behind 24,500 different IP addresses on servers in 40 different countries. And best of all, I don't have to remember to do anything - it's automatic and full-time.

There are a lot of VPN services out there, and prices range from $7 - $20 a month (you get a much better deal on annual payments). Personally, I use http://HideMyAss.Com - but each service is a bit different in regards to usage limitations, so here is a site that reviews the top 10: http://myvpnreviews.com/

The service I use allows me to install the software on as many computers as I want, in addition to my smartphone. However, only two devices can use the service at the same time.

Two final notes on VPNs. First, you should always use some type of VPN when connected to public Wi-Fi. They are terribly unsecure. You might as well run around naked in broad daylight. Yes, you are that exposed.

Finally, a VPN is great for hiding your browsing activity - but it does not take the place of file or email encryption. While the tunnel between your computer and the VPN is encrypted, unencrypted files or emails still go through public/open servers to reach your recipient.

Secure Voice and Video Chat
We all know how easy it is to eavesdrop on cell phone or even land line telephone calls, and to repeat again, using a third-party voice or video service is not secure. But what if there was a way to tap directly into the SIP (Session Initiation Protocol) network used for VoIP (Voice Over IP) and have your conversations and video chat encrypted before they even hit the network?

As with using encrypted IM or files, all parties involved must have the same setup – but since we are talking free stuff here, that is a non-issue. I will skip the technicalities and just get you going. To do the above is a two-step process (both easy). First, you need to register to get a free SIP address.

Second, download and install Jitsi for Windows, Mac and Linux (mentioned previously for secure IM). Jitsi facilitates secure video calls, conferencing, chat, desktop sharing, file transfer, support for your favorite OS, and IM network. Jitsi uses ZRTP to encrypt all communications. To use Jitsi with a SIP address, you will have to go into Options – Accounts and create a new account for the SIP network. To save you some possible confusion, the Jitsi SIP setup asks for "SIP id" – this is the "SIP address" contained in the email you receive when you sign up at GetonSIP.com. The rest should be self-explanatory.

Finally, I would like to add a bit to a couple of previous posts. This SurvivalBlog post explains how to set up the Hosts file for going directly to a web site's IP address in case the DNS system is unavailable.

The question unanswered in that article was: "How do I find the IP address of my favorite sites so I can add them to the Hosts file?" The fastest way is to go to http://centralops.net/co/ , click on the Ping menu. On the new page, enter in the domain name and click go. The page will refresh showing the IP address.

Multiple MAC Addresses
This SurvivalBlog post recommended buying a dedicated laptop to use at public Wi-Fi locations. The post mentions the network card in each computer has a unique MAC address. That MAC address can be captured by servers you visit – but most definitely is logged by the Wi-Fi router every time you connect to one.

If you cannot afford a dedicated laptop for this purpose, the next best bet (and less expensive) would be to buy several USB Wireless adapters (all the same make/model). You can pick these up for around $10 each online. Because all the adapters are the same make/model, they will all work seamlessly with the drivers provided. However, each adapter will have a unique MAC address (and not the one of the onboard Wi-Fi card in your laptop). They are small enough to easily put in a zip-lock baggie and cache near two or more of your favorite public Wi-Fi spots – so you don't have to keep them in your possession.

So you would just grab the wireless adapter, disable the onboard Wi-Fi card, pop in the adapter and it will be the adapter's MAC address logged. When you are done, wipe the adapter and baggie down, and return it to its hiding place. If for some reason your laptop is confiscated, you would have excellent plausible deniability because the onboard MAC address would not be one that was logged.

And, again, when using public connections, a VPN tunnel is highly recommended.


Monday, February 13, 2012


Dear SurvivalBloggers:
There are a number of ways to encrypt or read encrypted email. This one is about the easiest to get installed and running on your Macintosh computer, that I've run across. It uses the native Apple Mail program, and adds an OpenPGP Encryption and Signature option.

All you have to do is install the program from the dmg file, and enter a password.  There's a GUI key interface for importing existing keys into it.

Of course not all emails need encryption, but that OPSEC sensitive email you need to send to loved ones or group members is a perfect example of when to use it.  Once installed, you choose what gets encrypted. 

Application: GPGTools (Developed by the GnuPG group.)
Download: https://github.com/downloads/GPGTools/GPGTools/GPGTools-20111224.dmg
Main Web site: http://www.gpgtools.org

Included in the install program are the following (from their web site):
 Compatible with OS X Lion.
 All applications are 64-bit compatible.
 Integrated GPGMail (OS X 10.5 to 10.7, Universal).
 Integrated GPG Keychain Access (OS X 10.5 to 10.7, Universal).
 Integrated GPGServices (OS X 10.6 to 10.7).
 Integrated GPGToolsPreferences (OS X 10.6 to 10.7).
 Integrated MacGPG 2 (OS X 10.5 to 10.7, Intel).
 Integrated MacGPG 1 (OS X 10.5 to 10.7, Universal).
 Integrated Enigmail (Thunderbird 3 to 8).

There's even a screen-cast of the install, encrypting email, and using the Apple 'Services' feature for text edit encryption,  if you want to watch it before installing: http://www.gpgtools.org/screencast.html though I'll warn you: it goes by so fast you should be ready to hit the pause and rewind buttons when you start it.

Steps [with Apple Mail closed]:

1. Download the GPG dmg file.
2. Have a password in mind.
3. Open the dmg by double clicking the file in your web browser's Downloads window.
4. Double Click the GPGtools.mpkg file and select an install location
5. When asked enter your email address, and name.
6. When asked, enter a password, then re-enter it when asked.

When completed, you can close the GPG Keychain Access application and start your Apple Mail.
When you select a 'new' email, you will see an OpenPGP section under the "from" drop-down list. Also you can get to the encryption/decryption options under "Messages -> OpenPGP" in your menu bar. This will allow you to sign and encrypt  and decrypt your email.

In addition, this bundle of GPGTools works with Apple's Services, allowing for encryption of 'Services' aware applications.
If you open your System Preferences -> Keyboard you can click on Keyboard Shortcuts -> services and click the OpenPGP items under "Files and Folders" along with "Text" allowing you to encrypt any text file you open with textedit.
When you open textedit the next time you will see "Textedit->Services->Open PGP"  in the menu bar.

The toolkit also comes with a command line interface for encrypting just about any type of file you want, but that's a little out of scope here.
For more information on the CLI, using public key servers, and general GPG information, check out this set of How-Tos.

Hope this helps, - Robert X.

All Content on This Web Site Copyright 2005-2012 All Rights Reserved - James Wesley, Rawles - SurvivalBlog.com