Western Rifle Shooters Association

Do not give in to Evil, but proceed ever more boldly against it

Tuesday, January 19, 2010

Robb on Encryption

From John Robb's Global Guerrillas:

Friday, 15 January 2010

NOTE: Public Key (Updated with some tips on private communication)

Here's my public key

Basically, encrypted communications (via simple tools, user interfaces, plug-ins for browsers) and private browsing is easy enough for anyone to use.

Here's a little primer on making your e-mail and browsing relatively secure from government and criminal snooping (by request). You never know, you might need it in the future. I'll do it for the mac (which is what I use)[Windows info in italic brackets]:

1) First thing you need is a PGP encryption kit. Personally, I like a kit called Gnu Privacy Guard. Here it is for the mac.[Here for Windows] Download both the core kit called "Privacy Guard " and the "GPG Keychain" Install them both.

Now to make it easy to use with e-mail.

2) Set up a Google mail account.

3) Download and install the Firefox browser.

4) Download and install FireGPG. It's an add-on to the Firefox browser that allows you to encrypt/decrypt your mail.

How to use it:

5) Use the key manager (click it). Make a new public key by clicking the button on the interface.

6) Start Firefox and enter your gmail account. Send your public key to a friend. Here's how. Right click in the body of the message. Select export. The keychain application pops up. Select the public key you created. The public key appears in a new window. Select copy to clipboard/exit. Paste the key into the body of the message. Send the e-mail. It's a little clunky, but it gets better after that.

7) You can also publish this new key to an open MIT key server (like I did). Just copy and paste it into the window provided and save. You are now searchable by the name and e-mail on the key. Save that link to your bookmarks.

8) If someone sends you a public key that you trust, you can save their key to the keychain. Highlight the string of numbers and select import to do that. When you get an encrypted e-mail from that person in the future, highlight the entire message (including the PGP header) and right click, select decrypt. The message will show up in a new window. Really simple process.

Anonymous browsing is even easier.

Basically, if you want to ensure that nobody can track you easily. You need to do a couple of things.

  • Select "private browsing" from the Firefox menu. This prevents your browser from being a spy.
  • Download Tor. Install it. Start it up (click it).
  • Download the Firefox plug-in for Tor called Torbutton. Customize the toolbar to add the icon for Torbutton to the menu. Click the icon whenever you want to block your IP address from sites you visit.
  • If you have extra cycles/bandwidth, become a relay on that network.

Anyway, hope this helps.

4 Comments:

Anonymous Anonymous said...

Having some relevant background in these matters, I'd just like to offer a few words of caution:

1. PGP-/GPG-style tools are very nice, provided:

- you can reasonably trust they haven't been tampered with prior to your installing them
- you can reasonably trust the security of the systems used to run the crypto packages

with the qualification that trust due to technical naivete is not reasonable trust.

The unfortunate reality is that building and maintaining a reasonably trusted system requires considerable knowledge and discipline. Using anything Windows-related to that end is a categorical non-starter, as the probability of the NSA *not* having back doors into Windows is less than that of Dear Reader *not* being a traitor to his office and oath.

2. Even beefy public-key encryption is vulnerable to truncheon cryptanalysis:

http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

3. If, like a lot of people, you're a casual critic of our blessed "fascism with a smile", go ahead and use GPG as needed since that'll protect you from general Echelon-style surveillance and no one would care to read your righteous indignation anyway.

If, like fewer people, you're a "person of interest" or on your way there, don't trust your computers/comms without obtaining *expert* assurance. Otherwise, if you're on NSA's radar, the safe assumption is that they're "all up in your sh*t" or can achieve that status at their convenience.

Baiting them with disinformation on a compromised channel is an interesting strategy, yes?

4. In sum, it would be great if everyone used crypto such as GPG as much as possible. This would make the bastards work all that much harder for their intercepts, and dilute important messages in a sea of scrambled bits. Please use it!

But continue to assume that the systems and channels are or can be broken, unless you have a *very* compelling reason to the contrary.

-S
III

January 19, 2010 at 6:23 AM  
Anonymous Anonymous said...

Google mail account? Thanks, but no thanks.

January 19, 2010 at 11:54 PM  
Blogger Crustyrusty said...

You can also get "Incognito" which is a Linux distro on a live CD that is already set up for anonymity, usable on any computer. It will also make a bootable USB stick.

Link here: http://www.anonymityanywhere.com/

Crusty
III

January 20, 2010 at 1:12 AM  
Anonymous Anonymous said...

When your OS is a sieve -

this is but the latest in an interminable parade of publicized vulnerabilities: http://blogs.computerworld.com/15416/ditch_ie_over_google_china_hack_bug?source=rss_blogs

- crypto is of limited use. What good is strong encryption if they have 20 ways of walking right in and grabbing the (asymmetric encryption) private key and the password that protects it?

Furthermore, think twice if you should ever receive an email from a friend saying, "They've parked a SWAT van on my lawn; this is it; get the guys and come give me a hand". If the other computer is compromised, this can all be forged and orchestrated, down to the GPG encryption and signature.

Concerned parties should work out special phrases, one-time passwords, or whatever, ahead of time in private.

Don't fully trust your computer, period. But do use GPG, Tor, etc.

Incidentally, I looked up the guy who runs scroogle.org and, while the site looks handy, I got the impression that the guy is ideologically aligned with the likes of SPLC to a significant extent.

I wouldn't use his anonymizer for anything militia-related.

January 20, 2010 at 5:08 AM  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home