|
|
|
Sunday, 22 September 2002
Around the room, what interests the participants:
---
What you say and do online can have real life implications. Examples: Genoa, Indymedia Seattle. Web sites keep logs of IP addresses. Be aware of the trails you are leaving on the Internet. The FBI and other agencies are developing ways to aggregate data.
KEY LOGGERS
Key loggers keep track of the keys you press. They bypass encryption. It is possible to use both software and hardware as a keylogger. Magic Lantern, is a software key logger that is delivered like a virus by email. Example of keylogging: the Scarfo case. Mafia boss nabbed by the FBI. He was using encryption, but they installed a hardware key logger on his computer. FBI is convincing virus protection companies not to detect Magic Lantern. Under U.S. Patriot Act - FBI does not have to notify you they have installed a key logger until 90 days after investigation has taken place.
SNIFFERS
Carnivore a black box that intercepts data. It does not run on your computer, runs on ISP's computer or on the same network. Sniffers log network activity between your computer and others. Carnivore can collect email subject lines and the Web sites you visit without a warrant. If they want to read your email, they need a warrant.
EXPLOITS
Backdoor access: Back Orifice, a remote administration tool that gives a remote operator anywhere on the global Internet access to almost anything you can do on your computer -- and some things you can't do -- all without any outward indication of his presence.
------
ANONYMITY:
Disguising who you are.
ENCRYPTION:
Disguising your communication. (Who is sending and receiving message is still known, as is the subject line.)
Visit http://security.tao.ca/, a good source of info for activist and security culture in general.
--
Two kinds of Internet access available: free internet access, anonymous internet access.
ANONYMOUS
No identity check, you know you are not being video taped coming or going, you are not being keylogged. (Some service providers do.)
FREE INTERNET TERMINALS
Not secure!
FREE INTERNET SERVICE PROVIDERS
FREE WIRELESS INTERNET
Bring your own laptop. Really unsecure!
---
You surf the Web by way of the proxy server. The Web server you are visiting only sees the proxy, can't see you. Only the proxy knows your IP address. You are still vulnerable to key logger and sniffer.
---
WHAT CAN BE LOGGED?
An IP address identifies your computer on a network.
---
Yahoo, Hotmail, and other corporate email providers do not care about your privacy. It's very easy for governments and advertisers to get your info. They also have discretion to close down your account. Yahoo has closed down account of "controversial" groups - for example when the Christian right complains about a queer organization.
FREE WEB BASED EMAIL ACCOUNTS FOR ACTIVISTS
FREE WEB BASED ENCRYPTED EMAIL
---
Paul Garrett (Making, Breaking Codes: An Introduction to Cryptology) defines cryptosystem as "a procedure to render messages unintelligible except to the authorized recipient." It can also be used for authentication.
Why do we want this? Keeping secrets is good. SMTP traffic is really easy to read on a network.
Envelope analogy: You wouldn't want to write some messages on a postcard so that they can be read by everyone who handles them in transit. However, if everyone used postcards (analogous to current situation where everybody sends unencrypted email), envelopes would be suspicious. But, they are not necessarily suspicious—and encryption doesn't have to be either.
Continuing the envelope analogy: envelopes do not obscure who you communicate with or the fact that you are communicating; they only obscure the content of the communication. Notably, for email, the subject line is not encrypted. So, it may make sense to always use the same subject line on all your encrypted email. (Like 'hey').
Garrett again, defining several terms we'll use: "The encryption process, performed by the sender, is intended to render the message unintelligible to any eveasdropper or interceptor of the encrypted message. The decryption process is conducted by the legitimate intended receiver, recovering the original message (the plaintext) from the obscured version (the ciphertext). Paraphrasing: it is intended to be significantly harder for anyone evaesdropping or intercepting the ciphertext to recover the plaintext than for the intended recipient to decrypt it. In symmetric cryptosystems, at least, this is accomplished by having the sender and receiver share a secret, called the key. Not knowing the key should be sufficient to prevent an eavesropper from decrypting the cyphertext."
Easy ciphers: Caesar, monoalphabetic substitution. examples if time. Problem: really easy to break. Witness publication of "cryptogram" games in newspapers, Poe's "The Gold Bug".
One-time pad. Totally unbreakable crypto for which everybody in the room can understand all the math. See Mike's notes.
Private key and asymmetric, public key crypto, how it works: see Mike's notes.
What is PGP, GPG?
PGP stands for "pretty good privacy." It is an encryption method that is the de-facto standard for email encryption today, with millions of users worldwide. Because of U.S. export systems, PGPi, and international variant, was developed. GPG is the GNU privacy guard, it is a patent-free, Free Software version of PGP. It is compatible with PGP.
How to make a key pair
---
General questions and answers:
What are "cookies"? And why are they bad for privacy?
See http://www.epic.org/privacy/internet/cookies/
What is Linux?
See http://www.gnu.org/gnu/linux-and-gnu.html
What is Free Software?
See http://www.gnu.org/philosophy/free-sw.html