Feeds:
Posts
Comments

Posts Tagged ‘privacy’

Submitted by CWZ on Sun, 09/15/2013 – 15:11

Now that we have enough details about how the >NSA eavesdrops on the Internet, including today’s disclosures of the NSA’s deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.

For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn’t part of today’s story — it was in process well before I showed up — but everything I read confirms what the Guardian is reporting.

At this point, I feel I can provide some advice for keeping secure against such an adversary.

The primary way the NSA eavesdrops on Internet communications is in the network. That’s where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

Leveraging its secret agreements with telecommunications companies—all the US and UK ones, and many other “partners” around the world — the NSA gets access to the communications trunks that move Internet traffic. In cases where it doesn’t have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.

That’s an enormous amount of data, and the NSA has equivalently enormous capabilities to quickly sift through it all, looking for interesting traffic. “Interesting” can be defined in many ways: by the source, the destination, the content, the individuals involved, and so on. This data is funneled into the vast NSA system for future analysis.

The NSA collects much more metadata about Internet traffic: who is talking to whom, when, how much, and by what mode of communication. Metadata is a lot easier to store and analyze than content. It can be extremely personal to the individual, and is enormously valuable intelligence.

The Systems Intelligence Directorate is in charge of data collection, and the resources it devotes to this is staggering. I read status report after status report about these programs, discussing capabilities, operational details, planned upgrades, and so on. Each individual problem — recovering electronic signals from fiber, keeping up with the terabyte streams as they go by, filtering out the interesting stuff — has its own group dedicated to solving it. Its reach is global.

The NSA also attacks network devices directly: routers, switches, firewalls, etc. Most of these devices have surveillance capabilities already built in; the trick is to surreptitiously turn them on. This is an especially fruitful avenue of attack; routers are updated less frequently, tend not to have security software installed on them, and are generally ignored as a vulnerability.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO — Tailored Access Operations — group. TAO has a menu of exploits it can serve up against your computer — whether you’re running Windows, Mac OS, Linux, iOS, or something else — and a variety of tricks to get them on to your computer. Your anti-virus software won’t detect them, and you’d have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it’s in. Period.

The NSA deals with any encrypted data it encounters more by subverting the underlying cryptography than by leveraging any secret mathematical breakthroughs. First, there’s a lot of bad cryptography out there. If it finds an Internet connection protected by MS-CHAP, for example, that’s easy to break and recover the key. It exploits poorly chosen user passwords, using the same dictionary attacks hackers use in the unclassified world.

As was revealed today, the NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about. We know this has happened historically: CryptoAG and Lotus Notes are the most public examples, and there is evidence of a back door in Windows. A few people have told me some recent stories about their experiences, and I plan to write about them soon. Basically, the NSA asks companies to subtly change their products in undetectable ways: making the random number generator less random, leaking the key somehow, adding a common exponent to a public-key exchange protocol, and so on. If the back door is discovered, it’s explained away as a mistake. And as we now know, the NSA has enjoyed enormous success from this program.

TAO also hacks into computers to recover long-term keys. So if you’re running a VPN that uses a complex shared secret to protect your data and the NSA decides it cares, it might try to steal that secret. This kind of thing is only done against high-value targets.

How do you communicate securely against such an adversary? Snowden said it in an online Q&A soon after he made his first document public: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

I believe this is true, despite today’s revelations and tantalizing hints of “groundbreaking cryptanalytic capabilities” made by James Clapper, the director of national intelligence in another top-secret document. Those capabilities involve deliberately weakening the cryptography.

Snowden’s follow-on sentence is equally important: “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Endpoint means the software you’re using, the computer you’re using it on, and the local network you’re using it in. If the NSA can modify the encryption algorithm or drop a Trojan on your computer, all the cryptography in the world doesn’t matter at all. If you want to remain secure against the NSA, you need to do your best to ensure that the encryption can operate unimpeded.

With all this in mind, I have five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are. 
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear. 
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good. 
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means. 
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

This essay previously appeared in the Guardian.

Advertisements

Read Full Post »

Screenshot from mega.co.nz

Screenshot from mega.co.nz

Kim Dotcom’s Mega.co.nz is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s shutdown an “honorable act of Privacy Seppuku.”

Mega’s Chief Executive Vikram Kumar, who is heading the development of the company’s own end-to-end encryption technology to protect the privacy of the future email’s users, has reacted to the Lavabit founder’s decision to suspend his service’s operations – an act, which was shortly followed by voluntary closing down of another secure email service, Silent Circle.

“These are acts of ‘Privacy Seppuku’ – honorably and publicly shutting down (“suicide”) rather than being forced to comply with laws and courts intent on violating people’s privacy,” Kumar said in his blog post.

The concept he was referring to was developed by secure service providers such as Cryptocloud, which made a ‘corporate seppuku’ pledge to oppose the mass surveillance and shield the privacy of their users’ data. The name for the move apparently derives from a Japanese ritual suicide, which was originally practiced by samurai to preserve honor.

According to Cryptocloud team’s board post cited by Kumar, “corporate seppuku” is “shutting down a company rather than agreeing to become an extension of the massive, ever-expanding, secretive global surveillance network organized by the US National Security Agency.”

This way, if the company receives a secret order from the NSA “to become a real-time participant in ongoing, blanket, secret surveillance of its customers,” it will not be forced into doing it. The pledge it made to its users will make it terminate itself instead, thus making the data mining impossible.

Such a policy manifests that “there is always a choice” for any company approached by the agents, while at the same time placing the users’ security in the highest priority.

Owner and operator of Lavabit.com Ladar Levison on Thursday wrote that his nine-year-old encrypted email service was shutting down in order to avoid becoming “complicit in crimes against the American people.”

“We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now,” Silent Circle founder Jon Callas then wrote in a blog post.

But as Cryptocloud urged all the companies to make an ultimate privacy-protecting pledge, NSA leaker Edward Snowden said in an email to The Guardian that the internet giants are unlikely to join such action – although it could yield much greater results. He called for Google and Facebook to question their current stance, calling Lavabit’s owner decision “inspiring.”

“Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren’t fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not,” Snowden said.

Mega doing ‘true crypto work for masses’

Meanwhile, Kumar has been involved in an email service project with what he says is exceptional level of encryption.

Mega has been doing an “exciting” but “very hard” and time-consuming job of developing both highly-secure and functional email service, Kumar told ZDNet.

“The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat.

“On this and other fronts, Mega is doing some hugely cutting-edge stuff. There is probably no one in the world who takes the Mega approach of making true crypto work for the masses, our core proposition,” Kumar said.

According to the company’s founder Dotcom, Mega doesn’t hold decryption keys to customer accounts and “never will”, thus making it impossible for it to read the emails. This also means that Mega by design cannot be forced to rat on its users by intelligence agencies.

However, Dotcom earlier told TorrentFreak that a new spy legislation being pushed by the US and its Five Eyes alliance partners – UK, Canada, Australia and New Zealand – may force Mega to relocate its servers to some country exempt from such jurisdictions, such as Iceland.

The New Zealand government is already “aggressively” eyeing legislation that will compel all internet service providers in the country to design a “secret decryption access” for the intelligence agencies, he said.

Original link

Read Full Post »

mainbanner1“The Net interprets censorship as damage and routes around it.”
– John Gilmore

Censorship is dangerous. It oppresses citizens and harms free speech.

We’re living in a nanny state. In modern Britain, the government decides what websites we can and can’t see. It is the same in many other countries. We think this is unacceptable, which is why we started Immunicity.

Once you configure your browser, requests to blocked websites will be seamlessly routed via Immunicity servers to get unblocked. All other requests will go directly to their destination, without being routed through our servers.

Immunicity is completely free to use, it doesn’t require any registration or any software to be installed. You can turn it on and off easily by reversing the setting change.

For more info, visit the Immunicity website

Read Full Post »

“Hemlis means “Secret” in Swedish

We love the internet, social networks and the power it gives for sharing and social connections. When sharing something on Twitter or Instagram the whole world can see it and that is great!

What we don’t love though is that private communication has more or less turned into an open stream for companies and governments to listen into.

Companies like Facebook, Twitter, Apple and Google have been forced to open up their systems and hand out information about their users. At the same time they have been forbidden to tell anyone about it!

We’re building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in.

Secrets are only secrets if they are secret.”

Read more about Heml.is here

Read Full Post »

Image1How does CheckMyTorrentIP work?

CheckMyTorrentIP is a torrent tracker that lets you download a legal torrent file created uniquely for you. Because no one other than you has this torrent and since there are no seeders, the torrent will not download and never complete and will remain active in your queue as long as you wish. You’ll see your torrent IP within your torrent client and you can come back here to see your torrent IP history. I created this site after a friend found it difficult to constantly monitor his setup and kept asking me for help. The site is a free service and there are no gimmicks, just pay it forward.

But I’m using a VPN or Proxy, isn’t my privacy 100% safe guarded?

Maybe, maybe not. This FAQ details many ways your IP address can leak and explain what steps you can take to prevent it. By checking your torrent IP address over a period of time, you can verify if there are any holes in your security practices. If you’re not a techie, have a friend help diagnose your connection.

Why can’t I just use a web browser or other program to check my IP?

See the next question that gives examples where a web browser fails to help you. Also keep in mind that you can’t manually check your IP with a browser 24×7 and your torrent client may be setup to use a different IP address.

How can my IP address be exposed if I’m using a VPN or Proxy?

There are many ways, here are some different scenarios, feel free to send in any others you know about and suggestions.

VPNs – There are many types of VPNs, the two most prevalent types are PPTP and OpenVPN. While each has their advantages and drawbacks, all suffer from the same weakness, at one point or another the connection will drop and this may expose your personal IP address (Note: VPNs enjoy dropping while you’re tucked in bed catching up on ZZZzzzs). To completely prevent exposing your IP address you’ll need to modify your routes or use a firewall program to do this for you. See below in another question for more details on securing a VPN.

Proxies – Again there are many variations but the most popular by far is a socks proxy. The proxy can be a remote host or exist locally via an ssh tunnel. If your proxy is incorrectly configured or unknowingly unset you may expose your IP address. Also always be sure to disable DHT, uTP, udp trakers, udp peers, and UPnP in your client otherwise you will mostly likely leak your IP address even if your proxy is configured correctly. Please see below in another question for more details on securing your proxy and DHT/UPnP.

Firewall – Some users use a software or hardware firewall to route torrent traffic through a secure connection and other traffic (like web) through the local connection. The configuration can be incorrect or become undone.

Relative or Friend – You may have the most secure setup but all it takes is a lovely relative or friend to misunderstand/forget your clear simple instructions and expose your IP address.

Torrent client software bug – There are plenty of torrent clients, and new ones coming out all the time, some are specialized or experimental, others tout better performance. As long as you stick to established mature software, this shouldn’t affect you. But for the bold and daring, make sure to always test the proxy/forwarding/hider feature.

Being an exit node on private P2P – There is a new wave of public/private P2P networks (not Tor) that anonymize your traffic in return for you anonymizing other user’s traffic. There have been and currently exists bugs that incorrectly route your traffic to the point of making you the exit node of your own traffic!

Unknowingly using employer’s VPN – Some computers have multiple VPN configurations installed and you could inadvertently be using the wrong VPN.

By monitoring your torrent IP address, you can definitely improve your setup and curb poor habits.

Check your torrent IP here

Read Full Post »

vpn

Mastercard and Visa Start Banning VPN Providers?

Read Full Post »

From The Guardian

Exclusive: UK security agency GCHQ gaining information from world’s biggest internet firms through US-run Prism programme

Documents show GCHQ has had access to the NSA's Prism programme since at least June 2010

Documents show GCHQ (above) has had access to the NSA’s Prism programme since at least June 2010. Photograph: David Goddard/Getty Images

The UK’s electronic eavesdropping and security agency, GCHQ, has been secretly gathering intelligence from the world’s biggest internet companies through a covertly run operation set up by America’s top spy agency, documents obtained by the Guardian reveal.

The documents show that GCHQ, based in Cheltenham, has had access to the system since at least June 2010, and generated 197 intelligence reports from it last year.

The US-run programme, called Prism, would appear to allow GCHQ to circumvent the formal legal process required to seek personal material such as emails, photos and videos from an internet company based outside the UK.

The use of Prism raises ethical and legal issues about such direct access to potentially millions of internet users, as well as questions about which British ministers knew of the programme.

In a statement to the Guardian, GCHQ, insisted it “takes its obligations under the law very seriously”.

The details of GCHQ’s use of Prism are set out in documents prepared for senior analysts working at America’s National Security Agency, the biggest eavesdropping organisation in the world.

Dated April this year, the papers describe the remarkable scope of a previously undisclosed “snooping” operation which gave the NSA and the FBI easy access to the systems of nine of the world’s biggest internet companies. The group includes Google, Facebook, Microsoft, Apple, Yahoo and Skype.

The documents, which appear in the form of a 41-page PowerPoint presentation, suggest the firms co-operated with the Prism programme. Technology companies denied knowledge of Prism, with Google insisting it “does not have a back door for the government to access private user data”. But the companies acknowledged that they complied with legal orders.

The existence of Prism, though, is not in doubt.

Thanks to changes to US surveillance law introduced under President George W Bush and renewed under Barack Obama in December 2012, Prism was established in December 2007 to provide in-depth surveillance on live communications and stored information about foreigners overseas.

The law allows for the targeting of any customers of participating firms who live outside the US, or those Americans whose communications include people outside the US.

The documents make clear the NSA has been able to obtain unilaterally both stored communications as well as real-time collection of raw data for the last six years, without the knowledge of users, who would assume their correspondence was private.

The NSA describes Prism as “one of the most valuable, unique and productive accesses” of intelligence, and boasts the service has been made available to spy organisations from other countries, including GCHQ.

It says the British agency generated 197 intelligence reports from Prism in the year to May 2012 – marking a 137% increase in the number of reports generated from the year before. Intelligence reports from GCHQ are normally passed to MI5 and MI6.

The documents underline that “special programmes for GCHQ exist for focused Prism processing”, suggesting the agency has been able to receive material from a bespoke part of the programme to suit British interests.

Unless GCHQ has stopped using Prism, the agency has accessed information from the programme for at least three years. It is not mentioned in the latest report from the Interception of Communications Commissioner Office, which scrutinises the way the UK’s three security agencies use the laws covering the interception and retention of data.

Asked to comment on its use of Prism, GCHQ said it “takes its obligations under the law very seriously. Our work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the intelligence and security committee”.

The agency refused to be drawn on how long it had been using Prism, how many intelligence reports it had gleaned from it, or which ministers knew it was being used.

A GCHQ spokesperson added: “We do not comment on intelligence matters.”

The existence and use of Prism reflects concern within the intelligence community about access it has to material held by internet service providers.

Many of the web giants are based in the US and are beyond the jurisdiction of British laws. Very often, the UK agencies have to go through a formal legal process to request information from service providers.

Because the UK has a mutual legal assistance treaty with America, GCHQ can make an application through the US department of justice, which will make the approach on its behalf.

Though the process is used extensively – almost 3,000 requests were made to Google alone last year – it is time consuming. Prism would appear to give GCHQ a chance to bypass the procedure.

In its statement about Prism, Google said it “cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data”.

Several senior tech executives insisted they had no knowledge of Prism or of any similar scheme. They said they would never have been involved in such a programme.

“If they are doing this, they are doing it without our knowledge,” one said. An Apple spokesman said it had “never heard” of Prism.

In a statement confirming the existence of Prism, James Clapper, the director of national intelligence in the US, said: “Information collected under this programme is among the most important and valuable intelligence information we collect, and is used to protect our nation from a wide variety of threats.”

A senior US administration official said: “The programme is subject to oversight by the foreign intelligence surveillance court, the executive branch, and Congress. It involves extensive procedures, specifically approved by the court, to ensure that only non-US persons outside the US are targeted, and that minimise the acquisition, retention and dissemination of incidentally acquired information about US persons.”

Related

NSA Prism program taps in to user data of Apple, Google and others

Revealed: Google and Facebook DID allow NSA access to data and were in talks to set up ‘spying rooms’ despite denials by Zuckerberg and Page over PRISM project

The Tor system: Welcome to the dark internet where you can search in secret

GCHQ taps fibre-optic cables for secret access to world’s communications

How Microsoft handed the NSA access to encrypted messages

Feds tell Web firms to turn over user account passwords

The American Surveillance State Is Here. Can It Be Evaded?

Revealed: NSA program collects ‘nearly everything a user does on the internet’

Read Full Post »

Older Posts »