HBGary gets bitch slapped by the Anonymous Borg

This is the humorous message from Anonymous that was included in their e-mail dump torrent. It will lighten your day. HBGary is notorious now for the implied threat against Glenn Greenwald and others. In one of their PowerPoint presentations they stated “these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause.”

HBGary doesn’t seem to understand that Anonymous is a constantly changing collection of people, sort of like fans of Britney Spears or Justin Bieber. There is no Bieber fan leader or Britney club sponsor to persecute, and even if you did find one, it wouldn’t make any difference. In many ways, it is more like the Borg in Star Trek. Hundreds of brains connected in real time via a hardware network with terabytes of storage across every time zone, and she never sleeps. It is part human, part machine, and at any time there are many brilliant minds at work generating a consensus. If there are multiple consensuses, it might temporarily fragment and fight on several fronts. You don’t want to be on the wrong side of an enemy like this.

Greetings HBGary (a computer “security” company),

Your recent claims of “infiltrating” Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself. How’s this for attention?

You brought this upon yourself. You’ve tried to bite at the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face. You expected a counter-attack in the form of a verbal brawl (as you so eloquently put it in one of your private emails), but now you’ve received the full fury of Anonymous. We award you no points.

What you seem to have failed to realize is that, just because you have the title and general appearance of a “security” company, you’re nothing compared to Anonymous. You have little to no security knowledge. Your business thrives off charging ridiculous prices for simple things like NMAPs, and you don’t deserve praise or even recognition as security experts. And now you turn to Anonymous for fame and attention? You’re a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company.

Let us teach you a lesson you’ll never forget: you don’t mess with Anonymous. You especially don’t mess with Anonymous simply because you want to jump on a trend for public attention, which Aaron Barr admitted to in the following email:

“But it’s not about them…it’s about our audience having the right impression of our capability and the competency of our research. Anonymous will do whatever they can to discredit that. And they have the mic so to speak because they are on Al Jazeera, ABC, CNN, etc. I am going to keep up the debate because I think it is good business but I will be smart about my public responses.”

You’ve clearly overlooked something very obvious here: we are everyone and we are no one. If you swing a sword of malice into Anonymous’ innards, we will simply engulf it. You cannot break us, you cannot harm us, even though you have clearly tried…

You think you’ve gathered full names and home addresses of the “higher-ups” of Anonymous? You haven’t. You think Anonymous has a founder and various co-founders? False. You believe that you can sell the information you’ve found to the FBI? False. Now, why is this one false? We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve “extracted” is publicly available via our IRC networks. The personal details of Anonymous “members” you think you’ve acquired are, quite simply, nonsense.

So why can’t you sell this information to the FBI like you intended? Because we’re going to give it to them for free. Your gloriously fallacious work can be a wonder for all to scour, as will all of your private emails (more than 44,000 beauties for the public to enjoy). Now as you’re probably aware, Anonymous is quite serious when it comes to things like this, and usually we can elaborate gratuitously on our reasoning behind operations, but we will give you a simple explanation, because you seem like primitive people:

You have blindly charged into the Anonymous hive, a hive from which you’ve tried to steal honey. Did you think the bees would not defend it? Well here we are. You’ve angered the hive, and now you are being stung.

It would appear that security experts are not expertly secured.

We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us – always.


Being Anon – Staying alive in a mad world – part 8

How to break True Crypt

Take away point: Nobody breaks the cipher; they go around it, through the passphrase, the keys sitting in memory, or you. Even that you can make extremely difficult for the most determined adversary.

I’d like to make it clear that programs like PGP Whole Disk Encryption and TrueCrypt will protect your files from analysis by any typical adversary. However, if your adversary is a large police state with an unlimited budget and unencumbered by law, you may be in trouble. This probably isn’t too much of a problem, because if a police state wants to get you, they don’t really need evidence anyway. Look at Julian Assange’s extradition request for “questioning” or Cpl. Bradley Manning’s solitary confinement. Neither has been convicted of any crime. Your only real risk is that your data may compromise your friends. That of course is a good reason for operating anonymously: if you don’t know the identity of your collaborators, then you can’t inadvertently betray them either.

Some of the obvious methods to get at an encrypted hard drive are:

  • Brute force, trying passphrases one after another. Against a long random passphrase this takes longer than the age of the universe unless they get lottery-jackpot lucky; against a short one, or a line from a song, a wordlist attack can finish in hours. TrueCrypt deliberately slows each guess with an iterated key derivation, but that only buys a constant factor, not safety for a weak passphrase.
  • Extortion — give me what I want or your family dies and I’ll feed your pets to my piranha.
  • Breaking into your house and installing spy cameras to watch you type, or a hardware keystroke logger between the keyboard and the computer. A software keylogger delivered as malware does the same job without the visit.
  • Electronic surveillance of the keyboard itself, which is very easy if you use a wireless keyboard: many consumer models transmit keystrokes unencrypted or with trivially weak encryption.

Even considering the above, you have still achieved a lot. Decrypting your computer is now a major undertaking that requires information technology expertise or breaking and entering, and you probably aren’t important enough for “them” to bother.

There is another method, though, that isn’t so difficult: the “cold boot attack”, which recovers the contents of a computer’s memory. DRAM cells are tiny capacitors that must be refreshed constantly, but when power is cut they keep their contents for seconds to minutes rather than vanishing instantly. Cut the power (a clean shutdown gives the operating system and TrueCrypt a chance to wipe the keys first), boot from a USB stick or CD running a minimal program that copies RAM to disk before anything overwrites it, and the encryption keys of every volume that was mounted are somewhere in that copy. Chilling the memory chips first with an inverted can of compressed air or freeze spray slows the decay and buys several minutes, long enough to move the modules to another machine. Finding the keys in a gigabyte of memory is the easy part: AES keeps its expanded key schedule in RAM, and that schedule has a structure you can recognise even when some bits have decayed.

For a really good explanation, read the article Lest We Remember: Cold Boot Attacks on Encryption Keys, by J. Alex Halderman and colleagues at Princeton. “This paper was released February 21, 2008 and published in Proc. 2008 USENIX Security Symposium. For the most recent revision, related source code, and videos of demonstration attacks, visit http://citp.princeton.edu/memory.”
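As an added example (written for this post; it is not code from the paper or from TrueCrypt), here is the key-finding step in working Python. It builds the AES-128 key schedule exactly as FIPS-197 specifies, then slides a 16-byte window across a memory image and keeps every window whose expansion reproduces the 160 bytes that follow it, allowing a few flipped bits for decay. The memory image is constructed (seeded random filler with one intact schedule and one partly decayed copy planted in it) so the script runs offline; the offsets 300 and 1500 and the error tolerances are just choices for the demo, and the real tool from the paper also handles AES-256 and other ciphers.

```python
import random


def _make_sbox():
    """Build the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks the multiplicative group as powers of 3; q is kept equal to 1/p
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                      # RotWord
            t = [SBOX[b] for b in t]               # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) if rcon & 0x80 else rcon << 1
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(b for w in words for b in w)


def _first_round_word(candidate):
    """Only w[4] of the schedule: a cheap pre-filter before a full expansion."""
    t = list(candidate[13:16]) + [candidate[12]]   # RotWord of w[3]
    t = [SBOX[b] for b in t]                       # SubWord
    t[0] ^= 0x01                                   # Rcon[1]
    return bytes(a ^ b for a, b in zip(candidate[0:4], t))


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=0):
    """Return [(offset, key)] for every 16-byte window whose expansion matches the
    160 bytes after it within max_bit_errors flipped bits (DRAM decay). The 16
    key bytes themselves are assumed intact; the paper's tool also corrects those."""
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = image[off:off + 16]
        if _bit_errors(_first_round_word(candidate), image[off + 16:off + 20]) > max_bit_errors:
            continue
        schedule = expand_key_128(candidate)
        if _bit_errors(schedule[16:], image[off + 16:off + 176]) <= max_bit_errors:
            hits.append((off, candidate))
    return hits


def build_sample_image(seed=1):
    """Constructed 2 KB 'memory image': random filler, an intact schedule at
    offset 300 and a copy with six decayed bits at offset 1500."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(2048))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    schedule = expand_key_128(key)
    image[300:300 + 176] = schedule
    decayed = bytearray(schedule)
    for pos in (20, 57, 99, 140, 141, 170):        # all inside the schedule part
        decayed[pos] ^= 1 << (pos % 8)
    image[1500:1500 + 176] = decayed
    return bytes(image), key


if __name__ == "__main__":
    image, key = build_sample_image()
    print("planted key:", key.hex())
    for tolerance in (0, 8):
        hits = [(off, k.hex()) for off, k in find_aes128_keys(image, tolerance)]
        print(f"tolerance {tolerance} bits -> {hits}")
```

With zero tolerance only the intact copy at offset 300 is reported; allowing eight bit errors also recovers the decayed copy at 1500. On a real dump you would run this over the whole image and then hand each hit to TrueCrypt’s on-disk format to see which one decrypts the volume header.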

One way to prevent this might be to put your laptop in a cement vault with a laser tripwire to trigger a shutdown. Chances are your adversary forgot the jack hammer and they will be too late to image the memory.

So what are you to make of this? I look at it this way:

Encrypting your hard disk increases the difficulty of an adversary recovering your data immensely. It is worth doing.

Countermeasures can be taken to minimize this risk (assuming you already have a long, complex passphrase), including:

  • Turn your laptop fully off rather than leaving it on standby or at the locked screen saver when passing through airport security or leaving it unattended. In standby the keys stay in RAM indefinitely; after a shutdown they decay within minutes.
  • Check the PGP signatures of software that you install on mission critical machines to minimize the risk of installing spyware that might log your keystrokes.
  • Provide passphrases when asked, but use hidden volumes so that there is no way to know for sure that you have additional encrypted data.
  • Do not reuse the system encryption passphrase for any of your other encrypted volumes. Volumes that have not been mounted since the last time the computer was powered up have no keys in RAM, so they are safe from a cold boot attack. Make sure TrueCrypt’s option to cache passwords in memory is turned off, or the cached passphrase is sitting in RAM as well.
  • Keep your disk clean: securely erase things you don’t need to keep around.
  • Provide physical security for your machine or simply keep it well hidden. The attacker needs the physical machine, and it has to have been powered on, with the volumes mounted, within the last few minutes for this attack to work.
  • Turn your machine off when you are away and don’t need it running.

Will Glenn Greenwald be the next Julian Assange ?

cross posted on Salon.com (and some grammatical errors corrected) …

I have been fighting on-line scams and frauds for years by exposing them on my website and I used to get irritated that regulatory agencies didn’t even seem to care. For example, it is easy to claim NASA endorsed your product and get away with it. Even journalists that covered these scams had to be careful not to use the words scam or fraud or else their employers wouldn’t let them print the story – because minimizing potential legal risk to a TV station outweighed any public service value. Interestingly, the only scammers to ever go after me with international lawsuits were connected to US senator Joseph Lieberman – something that made more sense later. Nowadays, such concerns seem trivial.

Then, after working as a senior manager for a large consulting firm and watching 2 billion dollars in shareholder equity vanish, I noticed the glowing ratings and target prices right up to the point of bankruptcy and beyond, and marveled at the collusion between ratings agencies and crooked firms. It seemed that they were all part of an old-boys network and that the real losers were personal pension funds that had invested in them based on their investment grade ratings and employees who foolishly had all their retirement funds (401K) in company stock.

Over time, after reading sites like www.shadowstats.com and seeing how misleading government statistical figures are, and following Glenn Greenwald’s columns I began to realize that the level of corruption was an order of magnitude larger than I ever imagined and absolutely everywhere.

If there was a turning point for me, I think it was the fact that not a single nation on Earth had leadership willing to support Wikileaks or even the latest democratic revolution in Egypt. That really shocked me. Not even Canada had any guts. Was the entire leadership of the planet a bunch of evil psychopaths? Is Earth already a police state?

The biggest change I see now is that we have a younger generation that has coalesced because of Twitter, Facebook and social networking. Flash uprisings are possible. Cultures and language are merging. The anonymous nature helps too – there is no leader to assassinate or bribe and it is virtually impossible to stop. Short of temporarily shutting down the internet (which I believe every country must be seriously considering) there is little they can do other than wholesale slaughter of protesters and hoping of course that they win. Propaganda is in trouble too since one brutal post on YouTube is enough to wreck it.

I also suspect that if a few million Americans were to march on Capitol Hill calling for the immediate dismissal of Congress and shut down DC until trials for corruption commenced, the USA would react no differently than any other police state. We just haven’t pushed the regime hard enough yet to see how ugly it would be. Would the US army fire on its own people if ordered to by the regime? I certainly hope not. If you are in the army I would love to know (anonymously of course) what you would do.

This brings me to the reason I am writing this. Many people here, including Glenn Greenwald, may very well be the ones that someday publish that masterpiece, the one that galvanizes millions into action and really upsets powerful people. He or you may very well be the next Julian Assange, Public Enemy. When that happens, many of you will be watched, accounts will be breached and your friends will be harassed. The fact that Glenn is on the radar (look up the HBGary scandal) ought to be pretty worrying.

I have been putting together a tutorial series on security / privacy issues that I think that all the readers here should take a look at. In particular, the last posting showing you how to encrypt your hard drive is important. This way, if anyone takes your laptop, your friends addresses and personal files will be safe. I think it is also worth considering learning how to post some things anonymously so that you can bounce ideas off each other without fear of ending up on the no-fly list or worse. If after reading the series you need additional tutorials, please ask and I’ll do my best to add them quickly.

BTW, salon.com stores your password in a form it can send back to you when you forget it, that is, not as a one-way hash. This is a bad practice. Make sure that your Salon.com password isn’t used for anything else.

Staying Alive in a mad world series – www.nlcpr.com/blog (seven tutorials as of this post)


Being Anon – Staying alive in a mad world – part 7

Encrypting your entire computer

Take away point: All computers should be encrypted so that they need a password to boot up.

From part 6 of this series, you saw some examples of how messy operating systems are at leaving activity traces everywhere. The simplest solution is to encrypt the entire hard drive of your computer with strong encryption so that a passphrase is needed before the operating system even starts. If the machine is stolen or confiscated while powered off, nothing on the disk is recoverable without that passphrase.

This example uses a DELL XPS laptop with Windows Vista.

Start by running your copy of truecrypt that you downloaded and verified in part 4 of this series and press the create volume button and select “Encrypt system partition or entire system drive”. You should see the following:

Next select “Normal”. Hidden partitions are great but we want to keep things simple at this point.

Choose “encrypt the whole hard drive”

Select “no” to be safe.

Select “single boot”. If you already have multiple operating systems running on your laptop, it is highly unlikely you need this tutorial!

Select the default value, AES. The general consensus is that AES is good and reasonably fast. However, it is always a good idea to do a search on terms like “Truecrypt best algorithm” to see if there is anything new on this issue.

Choose a passphrase. A long sentence with a few numbers and symbols thrown in is best. Use a unique passphrase, not the same one as your Twitter account; many systems are broken this way. Some websites will mail you your password when you click “forgot my password”, which tells you they store it in recoverable form. Assume the passwords you use on many websites are stored unencrypted and that people with power can simply ask for them and get them, no questions asked. Once they have one password of yours, they will try it against every other account and encrypted file you own to see if you reused it.

Move your mouse around for half a minute to generate random data.

Save the rescue image somewhere where you can burn a CD. You will need to burn this CD and let Truecrypt verify it before you can continue.


On this laptop, there was something installed that wanted to install a disk burning program. I decided to try it out and it worked fine. Normally I would let windows burn the iso image directly or use a third party product like Nero to burn the CD.




If you remove the disk after burning or burn it elsewhere, you will get this message. Truecrypt wants to verify the rescue disk so put it in the computer that you are encrypting.

I didn’t bother with the wipe. If you have previously had sensitive data on your drive and expect powerful enemies, then use the wipe: plain in-place encryption overwrites each sector’s old plaintext only once, while the wipe modes overwrite it several times to defeat recovery of faint magnetic remnants. Encryption takes about 4 hours on the DELL laptop, and the 3-pass wipe makes that more like 16 hours.




Once you have rebooted and the pre-test has succeeded, encryption will begin. The first screen is very slow to appear, so don’t lose patience and reboot. Once the system is encrypting, you will see the following screen. You can use the computer in the meantime, but I chose to just let it run. It is also wise to disconnect it from the internet in case a Windows update arrives, installs itself and reboots the computer automatically.

This process is well automated and the TrueCrypt wizard is very well done. While there are many clever options like decoy operating systems and hidden volumes, most of the benefit comes from the simple option of encrypting the entire drive. It has very little effect on the speed of the computer and means that if someone takes your powered-off computer it is useless to them without the passphrase. No adversary is going to crack a strong passphrase; far more likely they would resort to extortion, spy cameras in your house to watch you type, a hardware keystroke logger between the keyboard and the machine, or a “cold boot attack” against a machine that is still running or was only just switched off.

Another point to consider: don’t travel internationally with laptops that hold anything sensitive. You can encrypt the files you need into a file container and upload it somewhere for later download. One way to do this is to create a Gmail message, attach the container and leave it as a draft. The provider keeps a copy of the draft, so the container’s passphrase must be strong enough that you are happy to leave the file on someone else’s server.

http://tinyurl.com/6fkwf2u


Being Anon – Staying alive in a mad world – part 6

Activity Traces

Take away point: Almost everything you do leaves a messy trail which is far more extensive than you may have realized.

Anytime you do something on a computer, traces of it are left all over the place. Some of this is intentional, for example you save your archived emails or office documents while others are a byproduct of the operating system. Here are some examples.

Thumbnail images

The thumbnail database, Thumbs.db exists in all folders where you have viewed files as thumbnails. This option can be disabled, but is on by default. If you want to experiment, you can search for free thumbnail viewers and check out your system.

This is the contents of a Thumbs.db file using a free viewer called Thumbnail Database Viewer 2.0. Notice that even PDF documents have a miniature of the first page of the document.


If you look in a directory that contains photos or pdf files, you will see a file called thumbs.db. If you don’t, you may have to turn on ‘show hidden files and folders’.


To prevent thumbnails from being saved, select ‘Do not cache thumbnails’. You can find this menu in Windows explorer at tools->folder options->view. You can safely delete the thumbs.db file if you see them.


Page File / Swap file
When Windows runs low on memory, it swaps some of it out to disk, so this file can contain fragments of anything that was in RAM: documents, passwords, data from open encrypted volumes. If you have enabled the show hidden files and folders option in Explorer, you will see a file in the C: directory called pagefile.sys.

There is an easy solution. RAM is cheap, so install lots of memory (4G if you can) and turn off the page file altogether: Control Panel -> System -> Advanced -> Performance Options -> Settings -> Change Virtual Memory and select ‘No paging file’. If you would rather keep it, the registry value ClearPageFileAtShutdown (a DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management, set to 1) makes Windows overwrite it at every clean shutdown. The hibernation file hiberfil.sys is the same problem in a different coat: it is a complete copy of RAM written to disk whenever you hibernate, so disable hibernation as well (run powercfg -h off from an administrator command prompt). Encrypting the whole disk, discussed below, makes both files unreadable to anyone without the passphrase.

Virtual memory

The Registry
Applications like to write all sorts of things, like the names of recently used files, in the registry. Even if you uninstall the programs, this data is usually left behind. The best tool I have found for getting rid of this is JV16 power tools by Macecraft. This product has a lot of other useful tools which I will cover later. You can download a 60 day trial which has all features enabled.

JV16 power tools

Deleted Files
You are probably already aware that deleting a file simply moves it to the Recycle Bin. When you empty the bin, the file system only marks the space as free; the contents are not overwritten, so in many cases the file can be un-deleted. JV16 Power Tools un-deletes files quite well, as do many other utilities.

The solution to this is to periodically overwrite the free space on your disk, and the slack space at the end of files, with a utility like PGP Desktop or Clean Disk Security. Clean Disk Security is a particularly good choice because it is free and also clears the MFT (master file table) on NTFS partitions. If you don’t clear the MFT, the names of every file you ever deleted stay readable even after the contents are gone. If you aren’t sure what file system you are using, look at the properties of your C: drive in Windows Explorer. For example:

NTFS file system

The basic download of Clean Disk Security will do everything (like wipe free space) but won’t allow you to run more than a few plug-ins at a time. Plugins are scripts that look for specific files like download histories of applications. If you pay for the product, you have unlimited use of the “process plugins” option.

Clean Disk Security

The image below shows what you see using JV16 Power Tools to undelete files. The entries would have had the original file names had Clean Disk Security not filled it up with “CDSNTFS….” entries.

MFT deletion

Browser Caches

If you are using Firefox, you can browse your cache by entering about:cache?device=memory as if it were a URL. If you want to ensure that these files are not left on the disk after you quit the browser, you can use the “Private Browsing” feature in the newer versions of Firefox. There are also options under tools->options->privacy to tell Firefox to never remember history.

Every browser, and often different versions of the same browser, stores its cache files somewhere different. You will probably find that if you have had your computer for awhile, that they are all over the place in various “temporary” directories.

This is only the tip of the iceberg. I will expand this post later and put in links for how to fix each of them, but for now I will just make a list and keep it growing as I remember things.

  • Copies of web pages in various temporary cache directories with different locations depending on the browser and its version
  • Application specific caches where you might find copies of videos you watched
  • File stamp information — some of which you need special utilities to clear
  • Most recently opened files littered all over the system registry, known as MRU’s
  • application log files

One brute force method is to encrypt the entire disk so that a password is needed when you power up the computer. This solves some obvious problems:

  • Laptop theft — the thieves will never get your data (you could be a lawyer with confidential records perhaps)
  • Seizure – if someone takes your computer, they will also need you to give them the pass phrase.
  • The need to keep your computer clean is less important since nobody can browse it without your permission.

An obvious downside when travelling with a laptop is that if you are asked to turn it on and the pre-boot passphrase prompt makes it obvious that you use whole disk encryption, you might be detained in some countries. Many corporations encrypt the laptops of all employees that travel, but they also escrow a recovery key, so the company (and anyone who can compel the company) can get in without the user.

If you want to do this, you have several options. TrueCrypt (recommended and free) and PGP Whole Disk Encryption are two that I have used. The latter is now owned by Symantec and is closed source, so you are taking it on trust that it has no back door. I have found PGP whole disk encryption to be extremely reliable.

Volume Encryption:

If you allow your computer to boot without encryption, then the first level of security is the logon screen. Don’t be fooled though: there are bootable Linux CDs with utilities (chntpw is the classic one) that blank the password of any local Windows account in under a minute. It is so easy to do it is ridiculous. Assume anyone who steals your computer can reset your account and log in.

Once Windows is loaded, you can use PGP or TrueCrypt to create a volume. You can specify high grade encryption and choose a very long and secure passphrase. The result is a file that you can click on (or mount manually) that will give you a new drive letter. It behaves just as if you had added a USB stick to your computer: insert the USB stick and you get a drive letter; mount the encrypted volume file and you get a drive letter.

Once you have the drive letter, you can install applications to that drive or use it to save all your data. If the system is stolen, the volumes are inaccessible. If you configure TrueCrypt not to save the history of mounted volumes, nobody will know which file you were using. Of course, they can look for large files whose contents look like random noise with no recognisable file header and assume that these must be encrypted volumes. A TrueCrypt container has no identifying signature, so they can never be certain, but a multi-gigabyte file of pure noise sitting next to an installed copy of TrueCrypt is not exactly subtle.
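To show what that search looks like from the examiner’s side, here is an added example (written for this post, not code from TrueCrypt or any forensic product) that scores every file in a directory by byte entropy and a chi-square test against a uniform byte distribution, after first ruling out files that carry a known format signature. An encrypted container scores close to the maximum of 8 bits per byte with a chi-square near its expected value, while prose, documents and anything with a header do not. The sample files, their names, and the thresholds are constructed for the demo; the files are written to a temporary directory so the script runs offline.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Signatures of a few common formats. A TrueCrypt container has no signature
# at all: its header is encrypted, so the file is noise from the first byte.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
}


def byte_stats(data):
    """Return (entropy in bits per byte, chi-square against a uniform byte distribution)."""
    n = len(data)
    if n == 0:
        return 0.0, 0.0
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return entropy, chi


def classify(data, min_entropy=7.9, max_chi=400.0):
    """Verdict for one file's contents. The thresholds are tuning assumptions:
    uniform random data scores about 8.0 bits/byte and a chi-square near 255
    (its expectation for 255 degrees of freedom, standard deviation about 23)."""
    entropy, chi = byte_stats(data)
    fmt = next((name for magic, name in MAGIC.items() if data.startswith(magic)), None)
    if fmt is not None:
        verdict = "known format: " + fmt
    elif entropy >= min_entropy and chi <= max_chi:
        verdict = "random-looking (possible encrypted container)"
    else:
        verdict = "structured"
    return {"verdict": verdict, "entropy": round(entropy, 3), "chi_square": round(chi, 1)}


def scan_directory(root, min_size=0, sample_bytes=4 << 20):
    """Classify every regular file under root of at least min_size bytes. Only
    the first sample_bytes of each file are read; that is plenty for a verdict
    and keeps a scan of multi-gigabyte files fast."""
    results = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path) or os.path.getsize(path) < min_size:
            continue
        with open(path, "rb") as f:
            results[name] = classify(f.read(sample_bytes))
    return results


def build_samples(root):
    """Constructed sample files (hypothetical names): prose, a zip with its
    magic bytes, and a stand-in 'container' of seeded pseudo-random bytes
    hiding behind an innocent-looking name."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(65536))
    samples = {
        "notes.txt": b"Meeting moved to Thursday; bring the signed forms. " * 1300,
        "photos.zip": b"PK\x03\x04" + noise[:32768],
        "vacation.mp4": noise,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return samples


def demo():
    """Build the samples in a temp dir, scan them and return name -> verdict."""
    root = tempfile.mkdtemp(prefix="entropy-demo-")
    build_samples(root)
    return {name: r["verdict"] for name, r in scan_directory(root).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The renamed “vacation.mp4” is flagged and the others are not, which is the point: renaming a container does nothing, because the examiner is looking at the bytes, not the name. In practice you would raise min_size to a few megabytes and only look at large files.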

At this point, if you haven’t tried Truecrypt, I recommend you download it and start experimenting.

This can be all taken to higher level. Consider the following:

  • You have whole disk encryption. If forced to, you will divulge the password.
  • You have created a hidden volume
  • You don’t use your computer for anything important at all. It is simply a host for a virtual machine.
  • You have installed a Virtual Machine player. This allows you to start up a new PC running UNIX or Windows — the operating system can be different from your host operating system
  • The Virtual machine’s image lives on the hidden True Crypt container
  • You log onto your PC, open the hidden volume, run the virtual machine, and now you have an entirely new PC inside a PC. You can afford to let this one get scattered with things and not worry so much about the consequences. However, cleanliness is always a good idea.
  • Nobody can prove your machine within a machine even exists. They may see a VM player and there may be an image to play, but that need not be the image you are actually using.

more later in a few days.


Being Anon – Staying alive in a mad world – part 5

Browsing Anonymously

Take away point: You can browse anonymously, so that services like Twitter never see the IP address you are really connecting from.

In part 4, we created an encrypted file container. Next we will create another one, this time 120M in capacity, and install tor browser. Go back to part 4 if you need a refresher on using TrueCrypt.

Using windows explorer, mount your file container (I used T: for Tor as my drive letter in this example), navigate to the T: drive, and copy into it the tor bundle file you downloaded and verified in Part 3.

Unlike most install programs, the Tor bundle is just a self-extracting archive. It has an extension of .exe, and since you have already verified its signature you could just double-click it. However, clicking on self-extracting archives is not a good habit in general: one could be anything with a misleading name. The safest thing is to install 7-Zip, right-click the .exe file and pick the extract option; 7-Zip recognises that the .exe is really a compressed archive and unpacks it without running anything.

Tor files

You have now achieved the following:

  • You have installed a copy of Firefox that is pre-configured to use Tor. This copy of firefox is completely independent of any other copies of Firefox that you have installed on your computer.
  • You no longer have to be as concerned about someone seeing your bookmarks or cache files because everything is installed in an encrypted file container.

To start up Tor Browser, double click on “Start Tor Browser.exe”. You will see the Vidalia control panel, and once you are connected to the Tor network, Firefox will start automatically.

Vidalia control panel

One of the default pages that will load in Firefox is https://check.torproject.org, which verifies that you are reaching it through Tor. If all is well, you will see something like this:

Tor check

In particular, look at the IP address:

It should NOT be your address. You can double check this by browsing to anonymizer.com and having a look at their front page. In this case it appears that I am in Germany right now, which would be nice if it were true.


Next, turn off JavaScript for additional security. Scripts can launch browser plugins such as Flash and Java, which open their own network connections outside Tor and so reveal your real IP address, and scripts also hand a site plenty of material for fingerprinting your browser. The downside, of course, is that some web pages don’t work without it.

Disable javascript

Now you can sign up for services like Twitter or web mail, and even if they record the IP address you used to sign up, it will be a Tor exit node rather than yours. Keep it that way: an account created over Tor stays anonymous only as long as you never log into it from anywhere else.

I was going to suggest using Hushmail but javascript is required, and they have a bad reputation for privacy. Also see this thread. Always research any site that requires Java Script.

Avoid Hushmail

Browsing Twitter without Javascript works fine for now, as does logging into an existing account. However, I also tried creating a new Twitter account with Javascript disabled and found that the accept button didn’t work. I will update this post once I find a work around.

In summary, if you need to ensure that your tweets cannot be traced to you, you can do the following:

  • Install Tor Browser in an encrypted container and use it to sign up for an e-mail account that you can associate with your Twitter account.
  • Create a Twitter account over Tor if you can. If JavaScript is the problem, sign up from an open Wi-Fi hotspot away from home, still over Tor, with JavaScript enabled just for that step.
  • Use Tor Browser, and only Tor Browser, whenever you touch that account. A single login from your home connection links the account to you.
  • Use https://twitter.com, note the ‘s’ in https://. This prevents eavesdropping between the Tor exit node and twitter.com; the exit node can read anything sent over plain http.
  • Shut down Tor and dismount the file container using the TrueCrypt control panel when you are finished.

Once you get used to Tor, please read the documentation and consider running a relay to help the network. A non-exit relay carries very little risk. An exit relay is where other people’s traffic leaves the network from your IP address, so abuse complaints, and occasionally police attention, land on you; only run one if you understand that and are set up to absorb it. Some websites also block all traffic from known Tor relays, so running one on your everyday connection can cause some inconvenience.


Being Anon – Staying alive in a mad world – part 4

File Containers

Take away point: It is easy to create encrypted volumes whose very existence cannot be proven, even if your PC is stolen and analyzed by adversaries and you are forced to give them a password.

We will now download True Crypt, verify its digital signature and install it. We will then create a volume that will be used in a future posting to contain Tor Browser.

First, download True Crypt and the signature file and save them to your GnuPG directory. The signature on this page should download as a file, so you don’t need to paste it into notepad and save as a text file.

Also look around and find the public key and download that to your GnuPG directory as well. Compare its fingerprint with a copy from a second, independent source (a key server or an old mailing-list post, for example) before you trust it; a fingerprint taken from the same page as the download proves nothing. The key I found was called TrueCrypt-Foundation-Public-Key.asc and located here and the details:

ID: 0xF0D6B1E0
Type: DH/DSS
Fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0

The next step is to add the public key to your key ring using this command:
gpg --import TrueCrypt-Foundation-Public-Key.asc

It should look like this:
adding the key

Now we are ready to verify the file. I got tired of mis-typing ugly file names, so I used the DOS command ren (rename) to shorten them to TrueCrypt7.exe and TrueCrypt7.exe.sig .

The command to verify is this: gpg --verify TrueCrypt7.exe.sig TrueCrypt7.exe
The result will be something like this:
[screenshot: verifying the file]

Now that we know the file is good, we can run the installer. Accept the license agreement. There is nothing too special here, the defaults are probably fine for you.

After a possible reboot (if requested), run TrueCrypt from the Windows menu and the TrueCrypt window will appear.

The next step is to create a container. We will make one that can hold 30 megabytes. Click the create volume tool button and select “create an encrypted file container”.

Next select “Hidden TrueCrypt Volume”.

For the volume location, browse to where you want the file to be created and type in a name for the file that will be the contents of the volume. Truecrypt will then create this file in a subsequent step.


We decided earlier to make the volume 30M, but it can be gigabytes if you wish.

Now it gets interesting. The password you provide here is the decoy: the one you will hand over to your adversary if you are forced to give up a password. This will not be the password you use for your own work. Make sure it is different enough that you will never accidentally confuse the two.

Press the open outer volume button to get a window where you can drop in some files that look worth hiding. As you can see, I have a picture that proves Justin Bieber is a girl. Tax returns might be more appropriate, or some pictures of your girlfriend.

Note that we don’t get the full 30M for the hidden volume because some space has been taken by the files we added to the outer volume. We set 20M so that there is still room to add more files to the decoy later.

Now choose a password that you never give away and which is so long that nobody will ever guess it. A sentence is best, with some unusual extra characters thrown in and odd capitalization.

Next, move the mouse around for a while to generate randomness and press format.

Now you are done. Press the exit key and then cancel.

Returning now to the True Crypt window, we select the file, foobar in this case, and mount it by supplying the password. This will give us a drive letter called T.

Some important points to remember.

  • There is only one volume file, foobar in this case.
  • Whether we get the volume with the pic of Justin Bieber, with space for 10M, or the volume for our work, with 20M, depends only on which password is entered.
  • The volume with the pic of Bieber is a regular volume. You can keep writing to it, but if you overfill it, it will clobber and destroy your secret work volume.
  • There is absolutely no way anyone can tell if there are two volumes in the same file.
  • The choice of drive letter T is arbitrary. You can select any of the drive letters in the window.
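As an added illustration (not part of this post and not TrueCrypt's own on-disk format), here is a toy Python model of one file holding an outer and a hidden volume: the container is filled with random bytes, each volume is a keystream-encrypted region that only its own password unlocks, and re-saving too much decoy data into the outer volume destroys the hidden one. The cipher, salt, header layout and sizes (3000/2000 bytes standing in for the post's 30M/20M) are all constructed for the demo.

```python
import hashlib
import os
from typing import Optional

MAGIC = b"TOYVOL"            # marker that shows a password really unlocked a volume
HEADER = len(MAGIC) + 4      # magic followed by a 4-byte data length
SIZE, HIDDEN = 3000, 2000    # constructed sizes standing in for the post's 30M / 20M
OUTER_SAFE = SIZE - HIDDEN   # bytes of the outer volume that may be used without harm


def _key(password: str) -> bytes:
    # PBKDF2 slows down guessing; the salt is a fixed constructed value for this toy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 20_000)


def _keystream(key: bytes, offset: int, length: int) -> bytes:
    # Counter-mode keystream from SHA-256, counted in absolute 32-byte container
    # blocks so that a volume's stream depends on where in the file it lives.
    # Toy cipher only: it is not a substitute for TrueCrypt's real ciphers.
    out = bytearray()
    block, skip = divmod(offset, 32)
    while len(out) < skip + length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[skip:skip + length])


def new_container(size: int) -> bytearray:
    # Random fill: free space is indistinguishable from encrypted data, which is
    # what keeps the existence of the hidden volume deniable.
    return bytearray(os.urandom(size))


def write_volume(container: bytearray, password: str, offset: int,
                 capacity: int, data: bytes) -> None:
    """Encrypt data into the region [offset, offset + capacity) under password."""
    if HEADER + len(data) > capacity:
        raise ValueError("data does not fit in this volume")
    plain = MAGIC + len(data).to_bytes(4, "big") + data
    ks = _keystream(_key(password), offset, len(plain))
    container[offset:offset + len(plain)] = bytes(p ^ k for p, k in zip(plain, ks))


def open_volume(container: bytearray, password: str, offset: int,
                capacity: int) -> Optional[bytes]:
    """Return the volume's data, or None if the password does not unlock this region."""
    ks = _keystream(_key(password), offset, capacity)
    plain = bytes(c ^ k for c, k in zip(container[offset:offset + capacity], ks))
    if plain[:len(MAGIC)] != MAGIC:
        return None
    length = int.from_bytes(plain[len(MAGIC):HEADER], "big")
    return plain[HEADER:HEADER + length]


def demo(extra_decoy_bytes: int) -> dict:
    """Create both volumes, re-save the outer one with more decoy data, see what survives."""
    c = new_container(SIZE)
    outer_pw = "decoy password"                                  # constructed
    hidden_pw = "What is the use of a bOOk, without $99 pictures?"  # constructed
    write_volume(c, outer_pw, 0, SIZE, b"bieber.jpg")                # decoy content
    write_volume(c, hidden_pw, SIZE - HIDDEN, HIDDEN, b"secret work")  # lives at the end
    # Later the decoy volume is written again. The toy stores data sequentially from
    # offset 0, so anything past OUTER_SAFE lands on top of the hidden volume.
    write_volume(c, outer_pw, 0, SIZE, b"x" * extra_decoy_bytes)
    return {
        "outer": open_volume(c, outer_pw, 0, SIZE),
        "hidden": open_volume(c, hidden_pw, SIZE - HIDDEN, HIDDEN),
        "wrong_password": open_volume(c, "guess", SIZE - HIDDEN, HIDDEN),
    }


if __name__ == "__main__":
    print("within safe limit:", demo(500))    # hidden volume still opens
    print("overfilled outer :", demo(1500))   # hidden volume is gone
```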

Coming up next — our work volume is going to be home to Tor Browser.


Being Anon – Staying alive in a mad world – part 3

Verifying Your Files

Take away point: You should verify your downloaded copies of Tor, Truecrypt and other security programs with PGP to guarantee they haven’t been corrupted or turned into spyware.

When you download a utility program, you will often see a checksum published next to the download link.

After you download your file, you are encouraged to see if it has been corrupted or perhaps modified by someone, either of which could compromise your security. To do this you need a checksum utility such as this one. There is nothing special about this utility – I am sure there are hundreds of them to choose from.

Click the browse button and select your file.

Then, to make things easy, copy the checksum from the web page and paste it into the hash field at the bottom of the dialog and press verify. It will compare them for you and pop up a small box with the result.

The checksum utility’s MD5 checksum is 3FCFFFD28F4DCBE2FBB96A9A72BE2287.

Verification using PGP

Some packages (install programs) are signed with the PGP keys of the developers. This example will use the Tor bundle, which is indispensable for browsing the web anonymously. Start by going to the Tor project page and downloading the installer and its signature. In this example we will download the file tor-browser-1.3.15_en-US.exe into the directory where GnuPG was installed (see part 2 of this series).


Click on the signature, cut out the signature block and paste it into notepad. Save the signature block you pasted into notepad to the GnuPG directory. In this example the saved signature was called torbundle.sig.txt.


The next thing to look for is the signing key. In the documentation I found the following:
gpg.exe --keyserver hkp://keys.gnupg.net --recv-keys 0x63FEE659

This command requests that the key of Erinn Clark, 0x63FEE659, be retrieved and added to your key chain.

Now you can ask GnuPG to verify that the signature is the result of signing the install program with the developer's key. Unlike a simple checksum, this indicates not only that the program is unmodified and uncorrupted, but also that the owner of the key vouches for it.

The command here is:
C:\Program Files\GNU\GnuPG>gpg --verify torbundle.sig.txt tor-browser-1.3.15_en-US.exe

You can read more about verifying tor signatures here.
The file is safe. Keep it around, and we will look at installing it in an encrypted container in an upcoming posting.


Being Anon – staying alive in a mad world – part 2

File Encryption – ensuring only your intended recipient can read it

Take away point: PGP can be used to create a message that only the recipient can read. You probably don’t need to do this, but PGP will be used in a later tutorial to verify that the security programs you download have not been tampered with.

Suppose you want to send an important message to a newspaper reporter but it is absolutely imperative that nobody except the reporter can read the contents of the message. You see that the journalist has published a key that looks something like this:


Note that this is an entirely random choice for an example. I know nothing about these people and have no reason to trust or not to trust them. They could be the CIA for all I know.

I will now step through the sequence required to prepare a message with this key, using some rather out of date methods, but I think it will give you a better idea of what is actually happening than an automated solution. There are products that automate this by looking up the e-mail address of your recipient on a key server and encrypting the message on the fly, but the downside is that you have no idea what is going on.

The first step is to download and install a version of PGP. In this example, I will use GnuPG. The best program I have found for this is PGP Desktop, but unfortunately, after moving through various owners, Symantec being the latest, it can no longer be trusted. Given the ability of the US government to get corporations to do whatever they want with a simple phone call, you have to assume there is a back door in it or there will soon be. Therefore, it is safer to use an older, international version. I had a PGP license for many years but finally let it expire. GnuPG is also useful for verifying downloaded files.

Start by downloading GnuPG. The installation file for Windows is called gnupg-w32cli-1.4.11.exe. You can use the default values when you install it.

This is a command line program, so for those that don’t remember MS-DOS (Microsoft Disk Operating System), you can go back in time on a Windows XP machine by going to Start->Run, typing cmd and pressing OK. You will then get a terminal window that looks like the screen on an IBM PC 20 years ago.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\YourAccountNameHere>

Then you need to change the current directory to the location of the command line executables. The command for this in DOS is cd. If you type dir you will get a list of the files in that directory. If you need to kill a program and get back to the command prompt, pressing the Ctrl key and the C key at the same time will usually do the trick.


The next step is to create a key pair for yourself by typing gpg --gen-key.

In my case the maximum level of encryption, 2048 bits, was selected, the key expires in 1 year and it will be associated with the e-mail address entered. Now we press o for OK followed by Enter. You will be prompted for a pass phrase to protect your secret key. Use a long sentence something like this for the pass phrase: What is the use of a bOOk, without $99 pictures or conversations? This is a quote from Alice in Wonderland with some oddities added to it. You can remember such foolishness and it will never be guessed.


You now have a key chain that has two keys in it. One is a secret key that when used with your pass phrase, can decrypt a document that was encrypted with your public key. The other is your public key – a key that you can post on your web site or store on a public key server. This is the key that other people will use when they want to send you a message.

The next step is to run the program notepad (just type notepad and press the Enter key and it will pop up). Cut the key from the web page and paste it into the notepad window.

The save command is in the file menu of the notepad window. The file name you choose isn’t important. Make sure there are no blank spaces at the beginning or end of the key block you pasted into the notepad window, otherwise adding the key will generate an error message.

The next step is to import this key into the key chain so that it will be available to encrypt messages. The command to import is: gpg --import scrap.txt where scrap.txt was the file name used when notepad saved the file containing the public key.

The next step is to encrypt a message or file with the public key that was just imported. In this example, there is a file called message.txt in the current directory that I created earlier by typing it into notepad and saving it as message.txt. You can use the type command in DOS to display the contents of a text file. The file can be anything. As you can see, the message is very important.

Now we are ready to encrypt the message so that only the recipient can see it. The command is gpg --encrypt message.txt

There are a couple of important things to note here. The key is not trusted, so there is a warning. This is to be expected because it is not signed, and we simply downloaded it from a web site. You can have trust relationships, but when dealing with anonymous users, having a key signed by other anonymous users doesn’t really make much sense. On the other hand, it would make sense for a key from the New York Times to be signed by reputable authorities. The second point is that it asks for multiple recipients. If you were using a commercial program and it added an additional recipient without your knowledge, that would be a back door. Remember that the message can be decoded by any of the recipients.

A new file has been created with the extension .gpg added. If you use the type command to print out the contents of message.txt.gpg you will just get binary junk.

The file just created is now junk for anyone other than the intended recipient. Not even you can read it. If you delete the original message.txt then you have lost the message forever. The recipient must have his secret key file and his pass phrase. If you had simply encrypted the file with 7-zip and told him the password, then anyone who intercepted the conversation and the file could decrypt it. This way, they have to get physical possession of the file you sent, the key ring with the secret key on the recipient's computer (and it may be somewhere else, like on a smart card) and convince him to divulge the pass phrase.

The next step is to find a way to transfer the message. You could e-mail it to the recipient from a computer in a library, but that adds the risk of someone intercepting it. They wouldn’t know about Elvis, but they would know who you were trying to contact. I will cover this part more in a follow-on post.

Also remember that in DOS, when you delete a file, it isn’t really deleted. The space is freed up, but the information is there. To completely delete a file you need to delete it and then use a utility program to overwrite all the free space on the disk. PGP Desktop has a utility for this, plus there are several good free alternatives.

If you have to do this regularly, then you would want to look at setting up an integrated system that looks up the key server automatically to get keys and transparently takes care of the encryption and decryption. However, you would want to read up a lot of FAQs, tutorials and warnings and make sure you have configured everything perfectly. The last thing you need is a message that says “recipient's public key not found, send insecurely anyway?” and to accidentally press Yes.

There are some good references here:
GPG/PGP Basics
Official GnuPG documentation
Oxford University Computing Services – PGP
PGP International
JA.net PGP page

I will take a look at Hush Mail’s free accounts (Canadian based) in a separate posting.


Being Anon – Staying alive in a mad world – part 1

Update January 7, 2011:
Not even twitter is safe. The US DOJ has subpoenaed twitter for records from Birgitta Jonsdottir, a member of the Icelandic Parliament asking for tweets and her personal information. On May 6, 2010, the Pennsylvania Attorney General, Tom Corbett, sent a subpoena for the identity of people criticizing him.

This kind of harassment requires that you retain a lawyer who will likely want a few thousand dollars for a retainer, especially if your adversary is a state or national government agency. It is becoming evident that we are evolving into a police state and that if you have anything to say that reflects badly on powerful people, you had better be truly anonymous. If you look at the Pennsylvania subpoena you will see that it demands: “This should include, but not limited to: name, address, contact information, creation date, creation Internet Protocol address and any and all log in Internet Protocol addresses.”

You must assume that Facebook, Twitter, Google search records and your ISP e-mail address will be handed over to authorities without your knowledge. The people and organizations you support today may be next year's Wikileaks, and you will be swept up in a wave of neo-McCarthyism, where communism has been replaced with anarchists or some similar term that includes anyone who dares tell the truth or ask questions. When this time comes, you will be glad you don’t have a massive trail of IP addresses and comments that will be used to turn your life upside down or worse.

Introduction

This is a sequence of posts about privacy and keeping yourself safe. Each step by step tutorial is a lesson that you can try on your own computer. I have used Windows XP for the examples because it is the most common operating system used to access this blog.

There are 4 posts so far, and I hope to have another 4 complete by the end of January. I will start with simple things like e-mail privacy and then successively cover far more advanced topics. I will attempt to distill what I have learned from a lifetime in information technology and sincerely hope that I can make a difference.

I may write these things in a random order as time permits, but the general sequence is this:

  • How to minimize spam and how to avoid giving out your primary mail address.
  • How to communicate by e-mail with various degrees of anonymity.
  • Using encryption like PGP to ensure only your recipient (and no one else) can read your message.
  • How to verify downloaded files using checksums or PGP signatures.
  • How to encrypt your files and hard drives and the various issues you will encounter.
  • Problems with Windows operating systems — you may be rather shocked at how much stuff is left behind and how hard it is to clean up a system. I will show you how to fix or minimize all the problems I am aware of.
  • The use of virtual machines to solve some of these problems.
  • Setting up Tor and I2P and why you want to use them.
  • VPNs (virtual private networks).
  • And perhaps much more as time goes on, especially if you respond with specific concerns.

You can comment on the blogs, and I will update them immediately if you have uncovered an error or have concerns — so assume what you read is the latest.

Disposable e-mail Addresses

Take away point: Never give out the e-mail address associated with your ISP or a paid hosting service, since it identifies your residence and/or is linked to your financial information.

I will use spamgourmet as an example since it has been around for a long time and works well.


Often you need to give out your e-mail address or want to add one to your post but don’t want to get inundated with spam or give away your identity too easily. For example, bill@microsoft.com wants to tell Apple how much he loves his iPod but doesn’t want the publicity storm it will cause.

Here is another example: You want to post a resume at monster.com but don’t trust them. Instead you decide to invent an e-mail address like monster.9.bestemployeeever@spamgourmet.com

When someone replies to your e-mail, the following will happen:
spamgourmet.com (a free service by spam haters) receives the message. You have already created an account at spamgourmet called bestemployeeever, but you have never used the e-mail address monster.9.bestemployeeever@spamgourmet.com before.

spamgourmet automatically sets up a counter for your e-mails that begin with the word “monster” because this is the first time it has seen you use “monster”, and sets the maximum count to 9 messages. The .9. told it to allow nine messages. It then looks up your real e-mail address for account bestemployeeever (assume you told them it was bandersnatch@hotmail.com) and forwards the message to you. It will add 1 of 9 to the subject line. Each time someone mails you, the message count will increment. After 9 messages, all additional messages will evaporate into cyberspace.

If you find monster.com trustworthy, you can tell spamgourmet to trust this address so that you don’t have to reset the counter. On the other hand, you will probably receive Nigerian scams and be glad you didn’t trust them. Monster.com is terrible for things like this. It will be obvious where the spam is coming from if the Nigerian scam is sent to monster.9.bestemployeeever@spamgourmet.com.

If someone wants your real address, they would have to go after spamgourmet legally. Of course, all they would find is another e-mail address and the wild goose chase would begin.

If you reply to a spamgourmet message, it will be automatically relayed through spamgourmet, so they will still not know your real e-mail address. You can, of course, reply directly to the recipient, in which case they will have your e-mail account address.
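As an added example (not part of this post and not spamgourmet's own code), here is a small Python model of the forwarding rules described above: the disposable address is split into word, count and account, the count is fixed the first time a word is seen, messages beyond the count are eaten, a word can later be marked trusted, and the sender never learns the real address. The “(1 of 9)” subject tag and the account values are constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Disposable address shape from the post: <word>.<count>.<account>@spamgourmet.com
ADDRESS_RE = re.compile(
    r"^(?P<word>[a-z0-9-]+)\.(?P<count>\d+)\.(?P<user>[a-z0-9-]+)@spamgourmet\.com$",
    re.IGNORECASE,
)


@dataclass
class Counter:
    limit: int                # fixed when the word is first seen; later digits are ignored
    forwarded: int = 0
    trusted: bool = False     # a trusted word is forwarded without counting


@dataclass
class Account:
    user: str
    real_address: str         # never revealed to the sender
    counters: dict = field(default_factory=dict)
    eaten: int = 0


def parse_disposable(address: str) -> Optional[Tuple[str, int, str]]:
    """Split a disposable address into (word, count, account), or None if malformed."""
    m = ADDRESS_RE.match(address.strip())
    if m is None:
        return None
    return m["word"].lower(), int(m["count"]), m["user"].lower()


def deliver(accounts: dict, to_address: str, subject: str) -> Optional[Tuple[str, str]]:
    """Model the forwarder: return (real_address, tagged_subject), or None if eaten."""
    parsed = parse_disposable(to_address)
    if parsed is None:
        return None                          # not a disposable address at all
    word, count, user = parsed
    account = accounts.get(user)
    if account is None:
        return None                          # unknown account: nowhere to forward
    counter = account.counters.get(word)
    if counter is None:                      # first sight of this word sets the limit
        counter = account.counters[word] = Counter(limit=count)
    if not counter.trusted and counter.forwarded >= counter.limit:
        account.eaten += 1                   # the post: "evaporate into cyberspace"
        return None
    counter.forwarded += 1
    tag = "" if counter.trusted else f" ({counter.forwarded} of {counter.limit})"
    return account.real_address, subject + tag


def trust(accounts: dict, user: str, word: str) -> None:
    """Stop counting for a word whose senders turned out to be trustworthy."""
    accounts[user].counters.setdefault(word, Counter(limit=0)).trusted = True


if __name__ == "__main__":
    # Constructed account matching the post's example.
    accounts = {"bestemployeeever": Account("bestemployeeever", "bandersnatch@hotmail.com")}
    for _ in range(10):
        print(deliver(accounts, "monster.9.bestemployeeever@spamgourmet.com", "Job offer"))
    print("eaten:", accounts["bestemployeeever"].eaten)
```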

Many web services (Facebook for example) are on to this and ban the domain spamgourmet.com. I will not list them here because someone might decide to update the blacklist — but with a few Google searches you can find other donated domains that are also the spamgourmet service, but obscure enough not to be blacklisted.

Don’t underestimate the amount of spam this service can eat. The statistics get reset from time to time, but even today I get this:

Your message stats: 5,472 forwarded, 96,443 eaten. You have 410 disposable address(es).
