Being Anon – Staying alive in a mad world – part 7

Encrypting your entire computer

Take away point: All computers should be encrypted so that they need a password to boot up.

From part 6 of this series, you saw some examples of how messy operating systems are at leaving activity traces everywhere. The simplest solution is to encrypt the entire hard drive of your computer with military grade encryption so that you need a pass phrase to start it. If it is stolen or confiscated, absolutely nothing will be recoverable.

This example uses a DELL XPS laptop with Windows Vista.

Start by running the copy of truecrypt that you downloaded and verified in part 4 of this series. Press the create volume button and select “Encrypt system partition or entire system drive”. You should see the following:

Next select “Normal”. Hidden partitions are great but we want to keep things simple at this point.

Choose “encrypt the whole hard drive”

Select “no” to be safe.

Select “single boot”. If you already have multiple operating systems running on your laptop, it is highly unlikely you need this tutorial!

Select the default value, AES. The general consensus seems to be that AES is good and reasonably fast. However, it is always a good idea to do a search on terms like “Truecrypt best algorithm” to see if there is anything new on this issue.

Choose a pass phrase. A long sentence with a few numbers and symbols thrown in is best. Use a unique password — not something that is the same as your twitter account. Many systems are hacked this way. Sometimes for example, you can select “forgot my password” on a web site and it will mail you your password! Assume the passwords you use on many web sites are actually stored unencrypted and that people with power can simply ask for them and get them no questions asked. Once they get a password of yours, they will try it out on every other account or encrypted file you own just to see if you reused it.

Move your mouse around for half a minute to generate random data.

Save the rescue image somewhere where you can burn a CD. You will need to burn this CD and let Truecrypt verify it before you can continue.


On this laptop, there was something installed that wanted to install a disk burning program. I decided to try it out and it worked fine. Normally I would let windows burn the iso image directly or use a third party product like Nero to burn the CD.




If you remove the disk after burning or burn it elsewhere, you will get this message. Truecrypt wants to verify the rescue disk so put it in the computer that you are encrypting.

I didn’t bother with the wipe. If you have previously had sensitive data on your drive and expect powerful enemies then use the wipe. Encryption takes about 4 hours on the DELL laptop and the 3-pass algorithm will make that take more like 16 hours to complete.




Once you have rebooted and the pre-test was successful, then encryption will begin. The first screen is very slow to appear so don’t lose patience and reboot. Once the system is encrypting, you will see the following screen. You can use the computer in the meantime but I chose to just let it run. It may also be wise to disconnect it from the internet in case you get some windows update that wants to run automatically and reboot your computer automatically afterwards.

This process is well automated — the truecrypt wizard is very well done. While there are many really clever options like decoy operating systems and hidden volumes, most of the benefit will be gained by using the simple option of encrypting the entire volume. It has very little effect on the speed of the computer and guarantees that if someone takes your computer it will be useless without the encryption pass phrase. There is no way your adversary is going to crack a strong password. Far more likely they would resort to extortion, installing spy cameras in your house to watch you type, installing a hardware keystroke logger in parallel with your keyboard, or using a method called a “cold boot attack”.

Another point to consider — don’t travel internationally with laptops. You can always encrypt the files you need into a file container and upload it somewhere for later download. A good way to do this is to create a gmail message and attach your file but leave it as a draft.

http://tinyurl.com/6fkwf2u


Being Anon – Staying alive in a mad world – part 6

Activity Traces

Take away point: Almost everything you do leaves a messy trail which is far more extensive than you may have realized.

Anytime you do something on a computer, traces of it are left all over the place. Some of these are intentional, for example when you save your archived emails or office documents, while others are a byproduct of the operating system. Here are some examples.

Thumbnail images

The thumbnail database, Thumbs.db exists in all folders where you have viewed files as thumbnails. This option can be disabled, but is on by default. If you want to experiment, you can search for free thumbnail viewers and check out your system.

This is the contents of a Thumbs.db file using a free viewer called Thumbnail Database Viewer 2.0. Notice that even PDF documents have a miniature of the first page of the document.


If you look in a directory that contains photos or pdf files, you will see a file called thumbs.db. If you don’t, you may have to turn on ‘show hidden files and folders’.


To prevent thumbnails from being saved, select ‘Do not cache thumbnails’. You can find this menu in Windows explorer at tools->folder options->view. You can safely delete the thumbs.db file if you see them.
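
An added example, not part of the original post: a small Python script that walks a folder tree and lists every Thumbs.db, including hidden and differently-cased ones, and flags folders where the cache is left behind but no images remain. The list of previewable extensions and the demo directory tree are assumptions constructed for this example.

```python
import os
import tempfile
from collections import namedtuple

# Thumbs.db is stored as an OLE2 compound file, which always begins with these 8 bytes.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# File types that get thumbnails in this tutorial's examples (photos, PDFs).
# Assumption: extend this set for the file types you actually keep.
PREVIEWABLE = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf"}

CacheHit = namedtuple("CacheHit", "path size is_ole2 orphaned")


def find_thumbnail_caches(root):
    """Return a sorted list of CacheHit for every Thumbs.db under root.

    The name match is case-insensitive and does not depend on Explorer's
    'show hidden files' setting. 'orphaned' is True when the folder holds
    no previewable file any more, so the cache may be the only remaining
    trace of images that were deleted.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        caches = [f for f in files if f.lower() == "thumbs.db"]
        if not caches:
            continue
        has_media = any(os.path.splitext(f)[1].lower() in PREVIEWABLE for f in files)
        for name in caches:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    is_ole2 = fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC
            except OSError:
                continue  # unreadable or locked file: skip it
            hits.append(CacheHit(path, size, is_ole2, not has_media))
    return sorted(hits)


def build_constructed_tree(root):
    """Create a small constructed directory tree for the demo below."""
    layout = {
        "photos/holiday.jpg": b"\xff\xd8constructed",
        "photos/Thumbs.db": OLE2_MAGIC + b"\x00" * 504,
        "old/THUMBS.DB": OLE2_MAGIC + b"\x00" * 1016,  # images deleted, cache left
        "docs/report.pdf": b"%PDF-constructed",
        "docs/thumbs.db": b"not a real cache",          # right name, wrong format
        "misc/notes.txt": b"no thumbnails here",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for hit in find_thumbnail_caches(tmp):
            flags = []
            if not hit.is_ole2:
                flags.append("not an OLE2 file")
            if hit.orphaned:
                flags.append("no images left in folder")
            print("%s  %d bytes  %s" % (hit.path, hit.size, ", ".join(flags) or "ok"))
```

Point find_thumbnail_caches at your own documents folder after changing the Explorer setting to see which caches are still there.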


Page File / Swap file
When windows runs low on memory, it swaps some of it out to disk, so all sorts of data can end up in this file. If you have enabled the show hidden files and folders option in explorer, you will see a file in the C: directory called pagefile.sys.

There is an easy solution. RAM is cheap, so install lots of memory (4G if you can) and turn off the page file altogether. Control Panel -> System -> Advanced -> Performance Options -> Settings -> Change Virtual Memory and select ‘No paging file’.


The Registry
Applications like to write all sorts of things, like the names of recently used files, in the registry. Even if you uninstall the programs, this data is usually left behind. The best tool I have found for getting rid of this is JV16 power tools by Macecraft. This product has a lot of other useful tools which I will cover later. You can download a 60 day trial which has all features enabled.


Deleted Files
You are probably already aware that deleting a file simply moves it to the trash folder. When you empty the trash it is marked as deleted to free up the space. However, it is not overwritten so it is possible in many cases to un-delete your files. JV16 Power Tools un-deletes files quite well as do many other utilities.

The solution to this is to periodically overwrite the free space on your disk and the slack space at the end of files with a utility like PGP Desktop, or Clean Disk Security. Clean Disk Security is a particularly good choice because it is free and clears the MFT table if you are using NTFS partitions. If you don’t clear the MFT, then someone can see all the names of the files you ever deleted. If you aren’t sure what file system you are using, look at the properties of your c: drive in windows explorer. For example:


The basic download of Clean Disk Security will do everything (like wipe free space) but won’t allow you to run more than a few plug-ins at a time. Plugins are scripts that look for specific files like download histories of applications. If you pay for the product, you have unlimited use of the “process plugins” option.


The image below shows what you see using JV16 Power Tools to undelete files. The entries would have had the original file names had Clean Disk Security not filled it up with “CDSNTFS….” entries.


Browser Caches

If you are using Firefox, you can browse your cache by entering about:cache?device=memory as if it were a URL. If you want to ensure that these files are not left on the disk after you quit the browser, you can use the “Private Browsing” feature in the newer versions of Firefox. There are also options under tools->options->privacy to tell Firefox to never remember history.

Every browser, and often different versions of the same browser, stores its cache files somewhere different. You will probably find that if you have had your computer for a while, they are all over the place in various “temporary” directories.

This is only the tip of the iceberg. I will expand this post later and put in links for how to fix each of them, but for now I will just make a list and keep it growing as I remember things.

  • Copies of web pages in various temporary cache directories with different locations depending on the browser and its version
  • Application specific caches where you might find copies of videos you watched
  • File stamp information — some of which you need special utilities to clear
  • Most recently opened files littered all over the system registry, known as MRUs
  • Application log files

One brute force method is to encrypt the entire disk so that a password is needed when you power up the computer. This solves some obvious problems:

  • Laptop theft — the thieves will never get your data (you could be a lawyer with confidential records perhaps)
  • Seizure – if someone takes your computer, they will also need you to give them the pass phrase.
  • The need to keep your computer clean is less important since nobody can browse it without your permission.

An obvious down side if you are traveling with a laptop is that if you are asked to turn it on and they see it has whole disk encryption, you might be detained in some countries. Many corporations encrypt laptops for all employees that travel but they also include a corporate backdoor.

If you want to do this, you have several options. Truecrypt (recommended and free) and PGP Whole Disk Security are two that I have used. The latter is now owned by Symantec and cannot be trusted anymore not to have a back door. I have found PGP whole disk encryption to be extremely reliable.

Volume Encryption:

If you allow your computer to boot without encryption, then the first level of security is the logon screen. Don’t be fooled though, there are bootable UNIX CDs that have utilities to clear the passwords from windows accounts. It is so easy to do it is ridiculous. Assume anyone can reset your account and log in if they steal your computer.

Once windows is loaded, you can use PGP or Truecrypt to create a volume. You can specify high grade encryption and choose a very long and secure pass phrase. The result is a file that you can click on (or mount manually) that will give you a new drive letter. It behaves just as if you had added a USB stick to your computer. Insert the USB and you get a drive letter – mount the encrypted volume file and you get a drive letter.

Once you have the drive letter, you can install applications to that drive or use it to save all your data. If the system is stolen, the volumes are inaccessible. If you configure it to not save the last volume’s file container name, then nobody will know which file you were using. Of course, they can look for large gigabyte files whose contents appear to be random and then assume that these must be encrypted volumes — but they would never know for sure.

At this point, if you haven’t tried Truecrypt, I recommend you download it and start experimenting.

This can all be taken to a higher level. Consider the following:

  • You have whole disk encryption. If forced to, you will divulge the password.
  • You have created a hidden volume
  • You don’t use your computer for anything important at all. It is simply a host for a virtual machine.
  • You have installed a Virtual Machine player. This allows you to start up a new PC running UNIX or Windows — the operating system can be different from your host operating system
  • The Virtual machine’s image lives on the hidden True Crypt container
  • You log onto your PC, open the hidden volume, run the virtual machine, and now you have an entirely new PC, inside of a PC. You can afford to let this one be scattered with things and not worry so much about the consequences. However, cleanliness is always a good idea.
  • Nobody can prove your machine within a machine even exists. They may see a player and there may be an image to play but that may not be the image you are using.

More later, in a few days.


Being Anon – Staying alive in a mad world – part 5

Browsing Anonymously

Take away point: You can browse anonymously and ensure that services like Twitter cannot track where you are tweeting from.

In part 4, we created an encrypted file container. Next we will create another one, this time 120M in capacity, and install tor browser. Go back to part 4 if you need a refresher on using TrueCrypt.

Using windows explorer, mount your file container (I used T: for Tor as my drive letter in this example), navigate to the T: drive, and copy into it the tor bundle file you downloaded and verified in Part 3.

Unlike most install programs, tor bundle is just a collection of files to decompress. It has an extension of .exe so you can just double click it since you have already verified its authenticity. However, clicking on self extracting archives is not a good idea in general – it could be something bad with a misleading name. The safest thing to do is to use a program like 7-zip and right click on the .exe file. You will have a menu option to decompress the file, and it will understand that the .exe file is actually a compressed archive.


You have now achieved the following:

  • You have installed a copy of Firefox that is pre-configured to use Tor. This copy of firefox is completely independent of any other copies of Firefox that you have installed on your computer.
  • You no longer have to be as concerned about someone seeing your bookmarks or cache files because everything is installed in an encrypted file container.

To start up Tor Browser, double click on “Start Tor Browser.exe”. You will see the Vidalia control panel and, once you are connected to the Tor network, Firefox will start automatically.


One of the default pages that will load in Firefox is https://check.torproject.org which will verify that you are accessing it via Tor. If all is well, you will see something like this:


In particular, look at the IP address:

It should NOT be your address. You can double check this by browsing to anonymizer.com and having a look at their front page. In this case it appears that I am in Germany right now, which would be nice if it were true.


Next, turn off JavaScript for additional security. It is possible for JavaScript to reveal your IP address. The downside, of course, is that some web pages don’t work without it.


Now you can sign up for services like Twitter or web mail and even if they record the IP address you used to sign up, it won’t be linked to you.

I was going to suggest using Hushmail but JavaScript is required, and they have a bad reputation for privacy. Also see this thread. Always research any site that requires JavaScript.


Browsing Twitter without Javascript works fine for now, as does logging into an existing account. However, I also tried creating a new Twitter account with Javascript disabled and found that the accept button didn’t work. I will update this post once I find a work around.

In summary, if you need to ensure that your tweets cannot be tracked, you can do the following:

  • Install tor browser in an encrypted container and use it to sign up for an e-mail account that you can associate with your twitter account.
  • Create a twitter account if you can using Tor. If the javascript is a problem, try signing up from an open ISP connection somewhere using Tor on your laptop with Javascript enabled.
  • Use Tor Browser when you want to send tweets.
  • Use https://twitter.com – note the ‘s’ in https://. This prevents eavesdropping between the Tor exit node and twitter.com.
  • Shut down Tor and dismount the file container using the TrueCrypt control panel when you are finished.

Once you get used to Tor, please read the documentation and consider turning on relaying to help the network. By allowing people to use your node as an exit, you are providing a valuable service and only taking a minor risk that some of the traffic exiting your node will lead to harassment. Some websites also block all traffic from known Tor relays so it could cause some inconvenience.


Being Anon – Staying alive in a mad world – part 4

File Containers

Take away point: It is easy to create drive volumes that are completely secret and secure – even if your PC is stolen and analyzed by adversaries and you are forced to give them a password.

We will now download True Crypt, verify its digital signature and install it. We will then create a volume that will be used in a future posting to contain Tor Browser.

First, download True Crypt and the signature file and save them to your GnuPG directory. The signature on this page should download as a file, so you don’t need to paste it into notepad and save as a text file.

Also look around and find the public key and download that to your GnuPG directory as well. The key I found was called TrueCrypt-Foundation-Public-Key.asc and located here, with these details:

ID: 0xF0D6B1E0
Type: DH/DSS
Fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0

The next step is to add the public key to your key ring using this command:
gpg --import TrueCrypt-Foundation-Public-Key.asc

It should look like this:

Now we are ready to verify the file. I got tired of mis-typing ugly file names, so I used the DOS command ren (rename) to shorten them to TrueCrypt7.exe and TrueCrypt7.exe.sig.

The command to verify is this: gpg --verify TrueCrypt7.exe.sig TrueCrypt7.exe
The result will be something like this:

Now that we know the file is good, we can run the installer. Accept the license agreement. There is nothing too special here, the defaults are probably fine for you.

After a possible reboot (if requested), run TrueCrypt from the windows menu and you should get this:

The next step is to create a container. We will make one that can hold 30 megabytes. Click the create volume tool button. Select “create an encrypted file container”. You will see the following:

Next select “Hidden Truecrypt Volume”.

For the volume location, browse to where you want the file to be created and type in a name for the file that will be the contents of the volume. Truecrypt will then create this file in a subsequent step.


We decided earlier to make the volume 30M, but it can be gigabytes if you wish.

Now it gets interesting. Provide a password here that your adversary will use, assuming of course that you give it up. This will not be the password you use for your own work. Make sure it is different enough that you will never accidentally confuse the two.

Press the open outer volume button to get a window where you can drop in some secret file. As you can see, I have a picture that proves Justin Bieber is a girl. Tax returns might be more appropriate, or some pictures of your girlfriend.

Note that we don’t get the full 30M because some space has been taken by the files we added earlier. We set 20M so that there is some space to add some more files later to the decoy.

Now choose a password that you never give away and which is so long that nobody will ever guess it. A sentence is best, with some unusual extra characters thrown in and odd capitalization.

Next, move the mouse around for a while to generate randomness and press format.

Now you are done. Press the exit key and then cancel.

Returning now to the True Crypt window, we select the file, foobar in this case, and mount it by supplying the password. This will give us a drive letter called T.

Some important points to remember.

  • There is only one volume file, foobar in this case.
  • Whether we get the volume with the pic of Justin Bieber with space for 10M or the volume for our work, with 20M, depends only on which password is chosen.
  • The volume with the pic of Bieber is a regular volume. You can keep writing to it but if you overfill it, it will clobber and destroy your secret work volume.
  • There is absolutely no way anyone can tell if there are two volumes in the same file.
  • The choice of drive letter T is arbitrary. You can select any of the drive letters in the window.

Coming up next — our work volume is going to be home to Tor Browser.


Being Anon – Staying alive in a mad world – part 3

Verifying Your Files

Take away point: You should verify your downloaded copies of Tor, Truecrypt and other security programs with PGP to guarantee they haven’t been corrupted or turned into spyware.

When you download a utility program, you will often see something like this:

After you download your file, you are encouraged to see if it has been corrupted or perhaps modified by someone, either of which could compromise your security. To do this you need a checksum utility such as this one. There is nothing special about this utility – I am sure there are hundreds of them to choose from.

Click the browse button and look for your file, and you will see this:

Then, to make things easy, copy the checksum from the web page and paste it into the hash field at the bottom of the dialog and press verify. It will compare them for you and pop up a small box like this:


The checksum utility’s MD5 checksum is 3FCFFFD28F4DCBE2FBB96A9A72BE2287.
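
What the checksum utility does, as an added Python example (not from the original post or from the utility's author): it hashes the file in chunks and compares the result with the value pasted from the web page, picking MD5, SHA-1 or SHA-256 from the length of the pasted string. The function names are made up for this example and the demo file is constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. The value published in this post is 32 hex digits (MD5).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_published(value):
    """Strip whitespace and case differences from a checksum pasted from a web page."""
    cleaned = "".join(value.split()).lower()
    if len(cleaned) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest: %r" % value)
    return cleaned


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (matches, algorithm, actual_digest) for a file and a published checksum.

    A match only shows the file is the one the web page describes. If the page
    itself was altered, the checksum was too, which is what the PGP signature
    check later in this post addresses.
    """
    expected = normalize_published(published)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


if __name__ == "__main__":
    # Constructed demo: a three-byte file standing in for a downloaded installer.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "download.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        # Pasted with stray spaces and upper case, as it might come off a web page.
        print(verify_download(path, " 900150983CD24FB0 D6963F7D28E17F72 "))
        # The checksum quoted in this post belongs to a different file, so no match.
        print(verify_download(path, "3FCFFFD28F4DCBE2FBB96A9A72BE2287"))
```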

Verification using PGP

Some packages (install programs) are signed with the PGP keys of the developers. This example will use tor bundle, which is indispensable for browsing the web anonymously. Start by going to the tor project page and downloading the installer and its signature. In this example we will download the file tor-browser-1.3.15_en-US.exe into the directory where GnuPG was installed (see part 2 of this series).


Click on the signature and cut out the signature block and paste it into notepad. Save the signature block you pasted into notepad to the GnuPG directory. In this example the saved signature was called torbundle.sig.txt


The next thing to look for is the signing key. In the documentation I found the following:
gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659

This command requests the key of Erinn Clark, 0x63FEE659, be retrieved and added to your key chain. You should see the following:


Now you can request that GnuPG verify that the signature is the result of signing the install program with the developer’s key. Unlike a simple checksum, this indicates that not only is the program unmodified / uncorrupted but that the owner of the key vouches for it.

The command here is:
C:\Program Files\GNU\GnuPG>gpg --verify torbundle.sig.txt tor-browser-1.3.15_en-US.exe

You can read more about verifying tor signatures here.
The file is safe. Keep it around, and we will look at installing it in an encrypted container in an upcoming posting.
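
An added example (not from the original post) for the gpg --verify step here and the TrueCrypt one in part 4: instead of reading the "Good signature" text by eye, it reads gpg's machine-readable --status-fd output and accepts the file only if the signing key's full fingerprint is the one you expected. The pinned fingerprint is the TrueCrypt Foundation one quoted in part 4; the function names and the sample status lines are constructed for this example.

```python
import re
import subprocess

# Fingerprint of the TrueCrypt Foundation key as quoted in part 4 on this page.
PINNED_FPR = "C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0"
OTHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed, not a real key

# Status keywords after which the signature must not be relied on.
# Treating an expired key or signature as a failure is this example's choice.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr):
    """Reduce 'abcd ef01 ...' or '0xABCD...' to 40 upper-case hex digits."""
    s = fpr.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = re.sub(r"\s+", "", s).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("need the full 40-digit fingerprint, not a short key ID")
    return s


def check_status(status_text, pinned_fpr):
    """Return (ok, reason) for the text gpg wrote to its status file descriptor."""
    pinned = normalize_fpr(pinned_fpr)
    good = False
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable lines are ignored on purpose
        keyword, args = parts[1], parts[2:]
        if keyword in FAILURES:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            signers.add(args[0].upper())       # fingerprint of the key that signed
            if len(args) >= 10:
                signers.add(args[9].upper())   # primary key fingerprint, if reported
    if not (good and signers):
        return False, "NO_VALID_SIGNATURE"
    if pinned not in signers:
        return False, "UNEXPECTED_KEY"
    return True, "OK"


def gpg_verify(sig_path, file_path, pinned_fpr, gpg="gpg"):
    """Run gpg on a detached signature and apply check_status to its status output."""
    proc = subprocess.run([gpg, "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fpr)


def constructed_status(fpr):
    """Constructed status lines for a good signature made by the key `fpr`."""
    return "\n".join([
        "[GNUPG:] GOODSIG %s Constructed User ID" % fpr[-16:],
        "[GNUPG:] VALIDSIG %s 2011-01-01 1293840000 0 3 0 17 2 00 %s" % (fpr, fpr),
        "[GNUPG:] TRUST_UNDEFINED",
    ])


if __name__ == "__main__":
    pinned = normalize_fpr(PINNED_FPR)
    print(check_status(constructed_status(pinned), PINNED_FPR))      # expected key
    print(check_status(constructed_status(OTHER_FPR), PINNED_FPR))   # valid, wrong key
    print(check_status("[GNUPG:] BADSIG %s Constructed User ID" % pinned[-16:], PINNED_FPR))
```

For the file names used in part 4 the call would be gpg_verify("TrueCrypt7.exe.sig", "TrueCrypt7.exe", PINNED_FPR). For the Tor bundle, pass the full fingerprint of the signing key in place of the short ID 0x63FEE659.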


Being Anon – staying alive in a mad world – part 2

File Encryption – ensuring only your intended recipient can read it

Take away point: PGP can be used to create a message that only the recipient can read. You probably don’t need to do this, but PGP will be used in a later tutorial to verify that the security programs you download have not been tampered with.

Suppose you want to send an important message to a newspaper reporter but it is absolutely imperative that nobody except the reporter can read the contents of the message. You see that the journalist has published a key that looks something like this:


Note that this is an entirely random choice for an example. I know nothing about these people and have no reason to trust or not to trust them. They could be the CIA for all I know.

I will now step through the sequence required to prepare a message with this key, using some rather out of date methods, but I think it will give you a better idea of what is actually happening than an automated solution. There are products that automate this by looking up the e-mail address of your recipient in a key server and encrypting the message on the fly but the downside is that you have no idea what is going on.

The first step is to download and install a version of PGP. In this example, I will use GnuPG. The best program I have found for this is PGP desktop, but unfortunately, after moving through various owners, Symantec being the latest, it can no longer be trusted. Given the ability of the US government to get corporations to do whatever they want with a simple phone call, you have to assume there is a back door in it or there will soon be. Therefore, it is safer to use an older, international version. I had a PGP license for many years but finally let it expire. GnuPG is also useful for verifying downloaded files.

Start by downloading GnuPG. The installation file for windows is called gnupg-w32cli-1.4.11.exe. You can use the default values when you install it.

This is a command line program, so for those that don’t remember MS-DOS (Microsoft Disk Operating System), you can go back in time on a windows XP machine by going to Start->Run and then typing cmd and pressing ok. You will then get a terminal window that looks like the screen on an IBM PC, 20 years ago.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\YourAccountNameHere>

Then you need to change the current directory to the location of the command line executables. The command for this in DOS is cd. If you type dir you will get a list of the files in that directory. If you need to kill a program and get back to the command prompt, pressing the Ctrl key and the C key at the same time will usually do the trick.


The next step is to create a key pair for yourself by typing gpg --gen-key. Here is an example:

The maximum level of encryption, 2048 bits, was selected, the key expires in 1 year and it will be associated with the email address entered. Now we press o for ok followed by enter. You will be prompted for a pass phrase to protect your secret key. Use a long sentence something like this for the pass phrase: What is the use of a bOOk, without $99 pictures or conversations? This is a quote from Alice in Wonderland with some oddities added to it. You can remember such foolishness and it will never be guessed.


You now have a key chain that has two keys in it. One is a secret key that when used with your pass phrase, can decrypt a document that was encrypted with your public key. The other is your public key – a key that you can post on your web site or store on a public key server. This is the key that other people will use when they want to send you a message.

The next step is to run the program notepad (just type notepad and press the Enter key and it will pop up). Cut the key from the web page and paste it into the notepad window. You will end up with something like this:


The save command is in the file menu of the notepad window. The file name you choose isn’t important. Make sure there are no blank spaces at the beginning or end of the key block you pasted into the notepad window, otherwise adding the key will generate an error message.

The next step is to import this key into the key chain so that it will be available to encrypt messages. The command to import is: gpg --import scrap.txt where scrap.txt was the file name used when notepad saved the file containing the public key.

The next step is to encrypt a message or file with the public key that was just imported. In this example, there is a file called message.txt in the current directory that I created earlier by typing it into notepad and saving it as message.txt. You can use the type command in DOS to display the contents of a text file. The file can be anything. As you can see, the message is very important.

Now we are ready to encrypt the message so that only the recipient can see it. The command is gpg --encrypt message.txt

There are a couple of important things to note here. The key is not trusted so there is a warning. This is to be expected because it is not signed, and we simply downloaded it from a web site. You can have trust relationships, but when dealing with anonymous users, having it signed by other anonymous users doesn’t really make much sense. On the other hand, a trusted key from the New York Times would make sense to be signed by reputable authorities. The second point is that it asks for multiple recipients. If you were using a commercial program and it added an additional recipient without your knowledge, there would be a back door. Remember that the message can be decoded by any of the recipients.
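
The extra-recipient risk described above can be checked after the fact. This added Python example (not from the original post) reads the text that gpg --list-packets prints for an encrypted file and reports any recipient key ID you did not intend; the key IDs and the packet listing in it are constructed.

```python
import re

# One line of this form appears per recipient in `gpg --list-packets` output.
PUBKEY_ENC = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-Fa-f]{16})\b")
HIDDEN_KEYID = "0" * 16  # written when the sender hid the recipient's key ID

# Constructed listing: two named recipients and one hidden recipient.
CONSTRUCTED_LISTING = """\
:pubkey enc packet: version 3, algo 16, keyid 1111111111111111
\tdata: [2048 bits]
\tdata: [2047 bits]
:pubkey enc packet: version 3, algo 1, keyid 2222222222222222
\tdata: [2046 bits]
:pubkey enc packet: version 3, algo 16, keyid 0000000000000000
\tdata: [2048 bits]
\tdata: [2045 bits]
:encrypted data packet:
\tlength: 74
"""


def normalize_keyid(keyid):
    """Accept '0x...' or bare hex and return the 16-digit long key ID in upper case."""
    s = keyid.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.upper()
    if not re.fullmatch(r"[0-9A-F]{16}", s):
        raise ValueError("use the 16-digit long key ID: %r" % keyid)
    return s


def recipients(list_packets_text):
    """Key IDs of every public-key encrypted session key packet, in file order."""
    found = []
    for line in list_packets_text.splitlines():
        m = PUBKEY_ENC.match(line.strip())
        if m:
            found.append(m.group(1).upper())
    return found


def audit_recipients(list_packets_text, intended_keyids):
    """Compare the recipients in the file with the ones you meant to encrypt to."""
    intended = {normalize_keyid(k) for k in intended_keyids}
    found = recipients(list_packets_text)
    named = {k for k in found if k != HIDDEN_KEYID}
    return {
        "recipients": found,
        "unexpected": sorted(named - intended),  # can decrypt, but you did not pick them
        "missing": sorted(intended - named),     # picked, but not named in the file
        "hidden": found.count(HIDDEN_KEYID),     # recipients whose key ID was withheld
    }


if __name__ == "__main__":
    report = audit_recipients(CONSTRUCTED_LISTING, ["0x1111111111111111"])
    for field in ("recipients", "unexpected", "missing", "hidden"):
        print(field, report[field])
```

Any entry under "unexpected" or a non-zero "hidden" count means someone other than your chosen recipient may be able to read the file.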

A new file has been created with the extension .gpg added. If you use the type command to print out the contents of message.txt.gpg you will just get binary junk.

The file just created is now junk for anyone other than the intended recipient. Not even you can read it. If you delete the original message.txt then you have lost the message forever. The recipient must have his secret key file and his pass phrase. If you had simply encrypted the file with 7-zip and told him the password, then anyone who intercepted the conversation and file could decrypt it. This way, they have to get physical possession of the file you sent, the key ring with the secret key on the recipient’s computer (and it may be somewhere else like on a smart card) and convince him to divulge the pass phrase.

The next step is to find a way to transfer the message. You could e-mail it to the recipient from a computer in a library, but that adds the risk of someone intercepting it. They wouldn’t know about Elvis, but they would know who you were trying to contact. I will cover this part more in a follow-on post.

Also remember that in DOS, when you delete a file, it isn’t really deleted. The space is freed up, but the information is there. To completely delete a file you need to delete it and then use a utility program to overwrite all the free space on the disk. PGP Desktop has a utility for this, plus there are several good free alternatives.

If you have to do this regularly, then you would want to look at setting up an integrated system that looks up the key server automatically to get keys and transparently takes care of the encryption and decryption. However, you would want to read up on a lot of FAQs, tutorials and warnings and make sure you have configured everything perfectly. The last thing you need is a message that says “recipient’s public key not found, send insecurely anyway?” and to accidentally press Yes.

There are some good references here:

  • GPG/PGP Basics
  • Official GnuPG documentation
  • Oxford University Computing Services – PGP
  • PGP International
  • JA.net PGP page

I will take a look at Hush Mail’s free accounts (Canadian based) in a separate posting.


Being Anon – Staying alive in a mad world – part 1

Update January 7, 2011:
Not even twitter is safe. The US DOJ has subpoenaed twitter for records from Birgitta Jonsdottir, a member of the Icelandic Parliament asking for tweets and her personal information. On May 6, 2010, the Pennsylvania Attorney General, Tom Corbett, sent a subpoena for the identity of people criticizing him.

This kind of harassment requires you to retain a lawyer who will likely want a few thousand dollars for a retainer, especially if your adversary is a state or national government agency. It is becoming evident that we are evolving into a police state and that if you have anything to say that reflects badly on powerful people, you had better be truly anonymous. If you look at the Pennsylvania subpoena you will see that it demands: “This should include, but not limited to: name, address, contact information, creation date, creation Internet Protocol address and any and all log in Internet Protocol addresses.”

You must assume that Facebook, Twitter, Google search records and ISP e-mail addresses will be handed over to authorities without your knowledge. The people and organizations you support today may be next year’s Wikileaks and you will be swept up in a wave of neo McCarthyism, where communism has been replaced with anarchists or some similar term that includes anyone that dares tell the truth or ask questions. When this time comes, you will be glad you don’t have a massive trail of IP addresses and comments that will be used to turn your life upside down or worse.

Introduction

This is a sequence of posts about privacy and keeping yourself safe. Each step by step tutorial is a lesson that you can try on your own computer. I have used Windows XP for the examples because it is the most common operating system used to access this blog.
OS breakdown for blog access

There are 4 posts so far, and I hope to have another 4 complete by the end of January. I will start with simple things like e-mail privacy and then successively cover far more advanced topics. I will attempt to distill what I have learned from a lifetime in information technology and sincerely hope that I can make a difference.

I may write these things in a random order as time permits, but the general sequence is this:

  • how to minimize spam and how to avoid giving out your primary mail address
  • how to communicate by e-mail with various degrees of anonymity
  • using encryption like PGP to ensure only your recipient (and no one else) can read your message.
  • how to verify downloaded files using checksums or PGP signatures.
  • how to encrypt your files and hard drives and the various issues you will encounter
  • Problems with Windows operating systems — you may be rather shocked at how much stuff is left behind and how hard it is to clean up a system. I will show you how to fix or minimize all the problems I am aware of.
  • The use of virtual machines to solve some of these problems.
  • Setting up Tor and I2P and why you want to use them.
  • VPNs (virtual private networks)
  • and perhaps much more as time goes on, especially if you respond with specific concerns.

You can comment on the blogs, and I will update them immediately if you have uncovered an error or have concerns — so assume what you read is the latest.

Disposable e-mail Addresses

Take away point: Never give out the e-mail address associated with your ISP or a paid hosting service since it identifies your residence and/or is linked to your financial information.

I will use spamgourmet as an example since it has been around for a long time and works well.

spamgourmet

Often you need to give out your e-mail address or want to add one to your post but don’t want to get inundated with spam or give away your identity too easily. For example, bill@microsoft.com wants to tell Apple how much he loves his iPod but doesn’t want the publicity storm it will cause.

Here is another example: You want to post a resume at monster.com but don’t trust them. Instead you decide to invent an e-mail address like monster.9.bestemployeeever@spamgourmet.com

When someone replies to your e-mail, the following will happen:
spamgourmet.com (a free service by spam haters) receives the message. You have already created an account at spamgourmet called bestemployeeever but you have never used the e-mail address monster.9.bestemployeeever@spamgourmet.com before.

spamgourmet automatically sets up a counter for your e-mails that begin with the word “monster” because this is the first time it has seen you use “monster”, and sets the maximum count to 9 messages. The .9. told it to allow nine messages. It then looks up your real e-mail address for account bestemployeeever (assume you told them it was bandersnatch@hotmail.com) and forwards the message to you. It will add 1 of 9 to the subject line. Each time someone mails you, the message count will increment. After 9 messages, all additional messages will evaporate into cyberspace.

If you find monster.com trustworthy, you can tell spamgourmet to trust this address so that you don’t have to reset the counter. On the other hand, you will probably receive Nigerian scams and be glad you didn’t trust them. Monster.com is terrible for things like this. It will be obvious where the spam is coming from if the Nigerian scam is sent to monster.9.bestemployeeever@spamgourmet.com.
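The counter behaviour described above, as an added example that is not spamgourmet's own code: a simplified model of how the word, the number and the account name in the address decide whether a message is forwarded or eaten. The subject-tag format and the rule that the limit is fixed on first use are assumptions of this model; the traffic is constructed.

```python
import re

# word.limit.account@domain, e.g. monster.9.bestemployeeever@spamgourmet.com
ADDRESS_RE = re.compile(r"^(?P<word>[^.@]+)\.(?P<limit>\d+)\.(?P<user>[^.@]+)@[^@]+$")


class DisposableForwarder:
    """Simplified model of the forwarding counter described in the post."""

    def __init__(self, accounts):
        self.accounts = accounts   # account name -> real (protected) address
        self.counters = {}         # (account, word) -> [received, limit]
        self.trusted = set()       # (account, word) pairs exempt from the limit

    def trust(self, user, word):
        self.trusted.add((user.lower(), word.lower()))

    def deliver(self, rcpt, subject):
        """Return (real_address, subject) to forward, or None if the mail is eaten."""
        m = ADDRESS_RE.match(rcpt.strip().lower())
        if not m or m["user"] not in self.accounts:
            return None
        key = (m["user"], m["word"])
        # Assumption: the limit is fixed the first time a word is seen, so a
        # sender who edits the number later cannot grant himself more messages.
        counter = self.counters.setdefault(key, [0, int(m["limit"])])
        real = self.accounts[m["user"]]
        if key in self.trusted:
            return real, subject
        if counter[0] >= counter[1]:
            return None
        counter[0] += 1
        return real, f"{subject} ({counter[0]} of {counter[1]})"


def run_sample():
    """Replay constructed traffic against the address used in the post."""
    fw = DisposableForwarder({"bestemployeeever": "bandersnatch@hotmail.com"})
    addr = "monster.9.bestemployeeever@spamgourmet.com"
    results = [fw.deliver(addr, "Job offer") for _ in range(10)]
    # A sender rewriting .9. to .99. does not reopen the exhausted address.
    results.append(fw.deliver("monster.99.bestemployeeever@spamgourmet.com", "Hi"))
    fw.trust("bestemployeeever", "monster")
    results.append(fw.deliver(addr, "Interview"))
    return results
```

Because the word is part of every address handed out, the key of an exhausted counter also names the site that leaked or sold the address.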

If someone wants your real address, they would have to go after spamgourmet legally. Of course, all they would find is another e-mail address and the wild goose chase would begin.

If you reply to a spamgourmet message, it will be automatically relayed through spamgourmet so they will still not know your real e-mail address. You can, of course, reply directly to the recipient, in which case they will have your e-mail account address.

Many web services (Facebook for example) are on to this and ban the domain spamgourmet.com. I will not list them here because someone might decide to update the blacklist — but with a few Google searches you can find other donated domains that are also the spamgourmet service, but obscure enough not to be blacklisted.

Don’t underestimate the amount of spam this service can eat. The statistics get reset from time to time, but even today I get this:

Your message stats: 5,472 forwarded, 96,443 eaten. You have 410 disposable address(es).


9/11 building collapses were from controlled demolition

I am sure your first thought is that this is just crazy and far too monstrous to be true. That was my feeling too — until I saw this detailed presentation given at the University of Manitoba by an organization of engineers and architects. It is slow paced and thorough and very, very disturbing.

I can tell you from my scientific perspective that everything they present makes sense. In particular:

  • The buildings collapsed in a free-fall. This is only possible if the structure underneath them is blasted away first. The collapse is exactly what you would expect in a controlled demolition.
  • You can see the line of charges blasting down the building in advance of collapse in the media footage.
  • Molten iron was found at the base of the structures, still far hotter than any jet fuel fire could have produced and the main structural beams were cut into segments at an angle – consistent with shaped cutting charges.

There is an excellent research paper titled Active Thermitic Material Discovered in Dust from the 9/11 World Trade Center Catastrophe. If you go over to Fire Fighters for 9-11 Truth you will find a lot more damning evidence. After reading the research paper above the first thing that comes to mind is that the explosive residue was military grade or custom prepared for the job. If so, there is no way any official investigation will get to the truth because doing so would cause an uprising.

All this explains other troubling issues — like the unusual health issues experienced by ground zero workers. The enormous dust clouds and explosive residue were likely highly toxic.

There is absolutely NO WAY that there aren’t dozens of people involved with the various 9/11 inquiries who had their doubts and dissenting scientific opinions. Unless all the investigators were completely devoid of mathematical, physics and engineering training there would have been many heated discussions as to the scope of inquiry and extreme disagreement with some of the conclusions. Yet we hear none of it.

Or how about the fact that one of the three buildings, one which collapsed perfectly into itself, wasn’t even hit by a plane? No high rise building falls like this (a neat implosion) unless the demolition is planned by engineers.

There must be many internal memos and hand written notes which if made public, would force a proper investigation. We need whistle blower protection and organizations like wikileaks to facilitate this because mainstream media is part of the problem.

If this turns out to be the crime of the century, there will be hell to pay.

Update: August 2011
Watch this video of Susan Lindauer, a former CIA asset who is supposed to be “incompetent to stand trial” and who spent a year in jail because of the Patriot Act. She appears to be anything but insane, and what she says fits in well with the evidence uncovered by Engineers for 911 Truth.

http://bit.ly/es2DwJ


The most important event of 2010

WikiLeaks. Period.

We are witnessing something epic, something that affects all of us. If you are young, you might want to start with rap news over at thejuicemedia and ask yourself, what would Harry Potter do :-) ? What would Neo from the Matrix do?

Since there is an extreme amount of mis-information and propaganda circulating within mainstream media, I will do my part and attempt to offer an objective overview here.

1) Much of the debate in the mainstream media concerns the morals, sex life and personality of the spokesman and public face of Wikileaks, Julian Assange. There are many serious things here about which books will be written, but it distracts from a far more important issue: The contents of the leaks themselves.

2) Anonymous leaking sites are a global phenomenon, impossible to shut down and are here to stay. Thousands of leakers worldwide and new leaking sites will dwarf the initial contribution made by Wikileaks. Examples include crowdleak and openleaks and Global Leaks and even WikiSpooks.

3) While individuals deserve and need privacy, democratically elected governments absolutely do not. They serve the people who elect them and other than a small collection of top secret military documents like launch codes and current troop movements — the business of government must be public. Corruption requires secrecy to flourish. Classifying media that documents the crimes of a government is morally wrong.

4) There is indeed harm that will come from these leaks. It is unfortunate that a few regular citizens *might* be harmed by the revelations, but the vast majority of those harmed will be politicians, spies, CEO’s of corporations, powerful people at Goldman Sachs, dictators, owners of corporations that profit from corruption and military actions, etc.

There is also a great deal of good that can come from these leaks. Hundreds of thousands of lives can be saved if wars end sooner due to the withdrawal of public support. Imagine if the Iraq war had never happened because the New York Times had exposed the truth about the motives for war, the lack of credible evidence of weapons of mass destruction and asked hard questions in press conferences instead of being a propaganda organ.

The extent of worldwide abuses is staggering — cleaning it up is not going to be easy, but it has to be done.

5) Conspiracy believers feel that the whole world is conspiring against them. It is indeed working against the public, but not because rulers and power brokers around the world work together, but because they share common interests and end up supporting the same repressive things.

6) Corporations are not people. They do whatever they can to make profits for shareholders. They have no morals. In many cases their actions would be considered evil and sociopathic if performed by an individual. Individuals need freedom from regulation while large corporations need strict regulations to minimize the damage they can do. Most importantly, they should not be permitted to fund politicians. Allowing large corporations to purchase lawmakers to pass laws that favor them has been a recipe for monstrous injustices. It also ensures that the wealthy owners of corporations have far more influence than individual voters which makes a mockery of democracy. If politicians actually represented the majority of the electorate, the world would be a very different place.

7) Many of the leaks are indeed trivial. However, many are not.

Expect a backlash. Laws will be proposed to retain internet access logs, force bloggers to register (new Web publishing restrictions for Saudi Arabia), restrict what you can link to, censor search engines, outlaw encryption and much more – these must be resisted if the world is not to become a police state. World Press Freedom Committee’s Interesting times is a good place to monitor this. The apparatus promoting these restrictions is running scared for good reason.

If you want to get up to speed rapidly — here is where I would start:

a) Go to twitter and do a search for #wikileaks. You will find other terms to search for and this will lead to many good links. This is much more productive than using a search engine.

b) Go to salon.com and read Glenn Greenwald. The important thing here is that Glenn is an extremely critical thinker and everything he says is worthy of serious consideration. Read his posts carefully, check out his references, and you will come to a similar conclusion.

c) Have a look at this summary of the important revelations so far from the following sources. This should convince you that there are important things in the leaks. Remember that while much of this was surmised before, there was no proof available to the average citizen. Now we know for certain — and the big question is how can we best stop this evil madness.

Glenn Greenwald’s summary

Also have a look at this summary from CBS:

Most of mainstream media is propaganda and journalism as a paid career is almost dead. This is a shame, but the blog sphere is filling that void. It is rather ironic, but you can get better news from Pravda these days – something that was clearly designed as a propaganda organ – than from Fox News or CNN.

The Real news network is worth checking out.

ProjectCensored.org has many important stories that were shunned by mainstream media.

The Center for Media and Democracy’s PR Watch investigates public relations spin and propaganda.

Ted is a great place to find thought provoking speeches and presentations on countless topics.

The following newspapers are currently redacting/editing US cable leaks:
El Pais (in English) and why they chose to publish the leaks.
The Guardian

Action Plan
a) Be careful. If you are particularly successful at disturbing the status quo, you will become a target. Learn how to use anonymity tools. Start with truecrypt and Tor.

b) Educate yourself and keep an open mind.

c) Find ways to effect change. Here are some possibilities.

- Vote against incumbents unless they are someone special like Ron Paul in Texas or Danny Williams in Canada – rare people that are beyond corruption.

- Promote campaign finance reform to make it illegal for corporations to influence government. Insist there be restrictions on the activities of lobbyists and disallow the revolving door between senior official positions and their counterparts in industry.

- Fight for the rights of whistle blowers. Never shoot the messenger.

- Encourage friends to get their news from alternate sources. Mainstream media is dying and social networking is here to stay.

- Find ways to educate the next generation and counteract the propaganda they are subjected to. For example,

  • ask your university (as an Alumni) to host a wikileaks mirror
  • encourage school students to do a book report/project on a wikileak cable of their choice
  • write up important issues and post them on Facebook, tweet them, write songs about them. Rap news is an example of this.
  • post videos discussing a leak on YouTube
  • if your local newspaper has a comment section for their articles, vote them up or down as appropriate. You need to do this to counteract propagandists that pay teams of people to do this all day.

Banana Republic of the United States

If you had asked me a few years ago about the future of the USA I would have told you the housing bubble will pop and that high energy prices would put an end to globalization; material and finished good transportation costs would negate offshore labor savings; and that we would have a fair bit of economic chaos.

I had no idea, however, of the level of economic corruption, the collusion between the highest levels of government, financial institutions like Goldman Sachs and the private “federal” reserve. This type of behavior is not new — many emerging economies have needed assistance from the International Monetary Fund because their corrupt regimes had destroyed the wealth of their nations. New to me was that the USA has many characteristics of banana republics.

The article The Quiet Coup is a must-read. It was written by Simon Johnson, a professor at MIT’s Sloan School of Management, and chief economist at the International Monetary Fund during 2007 and 2008. One of the most alarming, says a former chief economist of the International Monetary Fund, is that the finance industry has effectively captured our government—a state of affairs that more typically describes emerging markets, and is at the center of many emerging-market crises. If the IMF’s staff could speak freely about the U.S., it would tell us what it tells all countries in this situation: recovery will fail unless we break the financial oligarchy that is blocking essential reform.

Given how the AIG and bank bailouts seem to be covering the losses of select, large financial institutions; that the secretive bailouts are engineered by former Wall Street elites who are very much part of the current and previous administrations – the financial oligarchy is nowhere close to being broken.

And this: “In its depth and suddenness, the U.S. economic and financial crisis is shockingly reminiscent of moments we have recently seen in emerging markets (and only in emerging markets): South Korea (1997), Malaysia (1998), Russia and Argentina (time and again). In each of those cases, global investors, afraid that the country or its financial sector wouldn’t be able to pay off mountainous debt, suddenly stopped lending.”

As if that isn’t depressing enough, the statistical indicators we have relied on to measure economic progress have been mutated by successive administrations so as to become almost meaningless. Consider the CPI or consumer price index. We are often told that inflation is low yet we have seen vast increases in the cost of gas, housing, medical care and education. The official statistics redefine the equations to exclude items or substitute them for other goods with the sole purpose of arriving at the “statistic” that politicians want to hear. The graph below is a realistic look at CPI.

Chart of U.S. Consumer Inflation (CPI)

Anytime a country significantly increases the quantity of paper money in circulation without a corresponding increase in something “real” to back it up — the currency will begin to devalue. In the chart below, M3 is estimated after 2006 because the Federal Reserve decided to discontinue reporting it. Their reasoning is here. M3 is M2 with the addition of large time deposits, institutional money-market funds, short-term repurchase agreements, along with other larger liquid assets. It is clear that “transparency” in federal finance is virtually nonexistent.

Chart of U.S. Money Supply Growth

This brings me to the question — how do you take control back from a corrupt regime that has destroyed a nation’s wealth, has the highest incarceration rate in the world, a vast military complex and indistinguishable political parties?
