Four Simple Technologies for Privacy We Should All Know


This recently PRISM scandal has made me concerned about security and privacy, even more than before. I truly do not think that the government is spying on me as an individual and will (hopefully) never kick down my doors and take me to the Ministry of Luv. I have nothing to hide. But that’s not the point. Its the principle. You have no right, neither moral nor practical, to monitor my communication. In fact, we have explicit rights protecting us!

But in the wake of the PRISM scandal, we now know with certainty that the government is actively monitoring everyone. Therefore, I would like to impart my knowledge of encryption to the public. Here are four simple ways to keep yourself safe from the government.

A) Pretty Good Privacy (PGP) – This is a widely used, tried and tested method of encrypting text and files prior to sending them to the end user. Because all encryption is done prior to the connection, this is one of the better systems out there.

Here’s how it works: You exchange public keys with whoever you want to communicate with. When you want to send the other person a message, you encrypt the data his public key (not your own). The end-user will decrypt the data with his private key (not yours). Conversely, if someone wants to send you a message, he will encrypt the message with your public key and you will then decrypt it with your (not his) private key.

If that’s confusing, think of it like giving people a lock-box that they can put contents in and lock and no one can unlock it but you. That lock-box is your public key. The key to the lock-box is your private key.

So, a few drawbacks to this method:

  • PGP’s major drawback is that without an infrastructure, anyone can create a fake public key in your name and send it around in your name. Then, he can intercept messages to you, decrypt them, modify them if desired, and send them back to you using your actual public key, and no one would be the wiser. Its a bit complicated, but entirely possible.
    • You easily can get around that by creating a “web of trust”, but it involves a bit more work.
    • You can create an infrastructure for PGP if you want. MIT hosts their famous key server, but there are several infrastructural problems with it.
  • Lets be real, its not 100% user-friendly or intuitive. Mailvelope is the best attempt I have seen to make it more user-friendly and I personally use it when not on Linux.
  • It is feasible that the NSA has the CPU and GPU power to brute-force a low-bit key.

If you are concerned about having your keys broken into, you can try using;

$ gpg --batch --gen-key << EOF
> Key-Type: RSA
> Key-Length: 8192
> Key-Usage: Auth
> Name-Email: [Your email here]
> Name-Comment: [Some comment]
> EOF

B) Tor, The Onion Protocol – The Tor protocol is a method of obscuring the originating source of a network connection. Tor accomplishes this by bouncing connections off of servers around the world. Each computer you bounce your connection off of knows the previous source and next destination, but does not know the two connections prior or two after. And given that all data through the network is encrypted, no one is able to meaningfully modify the intended next sources. After a number of hops, a final end-point will initiate the actual connection to the intended destination. That final destination perceives the end-point as the source of the connection, but does not know the original source.

Tor is largely used for anonymous web-surfing, but because it functions as a SOCKS5 proxy, it can be used for just about anything!

Another innovation of Tor is Hidden Services. In the aforementioned configuration, the client knows who the server is, but the server does not know who the client is. A Hidden Service is when a server hides its identity, but the client is still able to connect to it. The mechanisms are too complex to explain here, but you can read them on the Tor website.

You can download Tor here.

C) Bitcoin – Bitcoin is an operational electronic currency that are independent of any government. It offers security, anonymity, and is accepted by thousands of people worldwide.

Anonymity – User accounts, called Bitcoin addresses or simply addresses,  appear as 27-34 arbitrary numbers and letters such as 31uEbMgunupShBVTewXjtqbBv5MndwfXhb. In reality, addresses are the equivalent of public keys that are used by payers to sign transactions. Address are completely independent of names, addresses, numbers or any other identifying information. The user has control over them by having the corresponding private key, which again, does not have any associated identifying information.That’s more anonymous than a Swiss bank account!

Secure – Bitcoin uses the robust public-private key infrastructure to secure encryption between bitcoin sender and receiver. The sender of bitcoin (payer) obtains the receiver’s bitcoin address and digitally signs his bitcoins to the receiver. This makes electronic theft done by utilizing the Bitcoin system next to impossible.

The Bitcoin infrastructure has several components. Therefore, if you’re interested, I suggest you watch the following video. Its a bit dated, but n

D) Disk Encryption – Disk Encryption is when data is encrypted while it is stored on your hard-drive.

If someone were to obtain physical access to your machine, either through theft or government seizure (same thing?), they would be able to access everything on your machine, including services and systems you were currently logged in on such as Gmail or Facebook. Disk Encryption is a method of preventing the bad guys from accessing your machine. There are dozens of types of disk encryption. Before I talk about the exact implementations, I want you to understand the concept.

Disk Encryption means that everything on your computer is encrypted, rather than encrypting individual files one by one. However, files are only encrypted when they reside on the hard-drive. So, if you email out a file, it will not be encrypted during transmission. For that, you will need to use PGP or a related technology.

Windows has two main tools, the first is Microsoft Full Disk Encryption. However, this service is proprietary and will require you to have Windows Professional. A free alternative is TrueCrypt, which functions in a similar manor.

One note about disk encryption tools: It is more than theoretically possible to recover the hard-drive encryption keys from the memory. It requires the attacker to literally freeze the RAM with a cooling agent, soft-reboot the machine, then boot into a custom system that performs a RAM-dump via Firewire — I have personally seen this done, it is not just theory.

Conclusion and Comments

The aforementioned technologies are, to the best of my knowledge, technically secure against even to the most sophisticated attackers. However, there is one major weak link in this chain: the end-user. Many times, users make simple mistakes which allow attackers to circumvent the entire protective scheme.

For example, PGP and Disk Encryption ultimately require a password to protect the encryption, in the event that the attacker is able to gain physical access to the hard-drive or private keys. If your password is weak, such as being under 20 characters, your data is liable for decryption.

In the future, I hope that all of these technologies become more easy to use and user-friendly.

The only exception I can think of is if the computing power of the NSA is strong enough to break any of these mechanisms. That’s entirely possible. And violence trumps even that — put a gun to the head of even the most rabid Zionist and I’ll give anyone want they want to save his life.

That aside…happy encrypting!

Advertisements

I Support Erdogan and You Should Too


I have been part of many protests. Countless. I know the raw anger and emotional energy they channel. I also understand the group-think and ignorance that runs rampant among them.

Currently, Istanbul’s Taksim Square is embroiled in conflict. On one end are protesters, primarily Socialist, secularist and of general Leftist persuasion, and on the other end are the police and soon-to-be military. The protesters ostensibly started as an environmentalist movement, to preserve one of the few green areas in Istanbul. But over time it has been against the authoritarianism and increased religiosity in the country. But after carefully looking at the issue, and having followed Turkish politics for around 2 years now, its clear to me that these protesters have absolutely no legitimacy and are themselves duped into ignorance fuelled by emotionalism and blind rebelliousness.

In this article, I hope to convince you that you why the protesters are wrong and why you should side with President Recep Tayyep Erdoğan.

The Cold Hard Numbers

The Turkish GDP has sky-rocketed, from a mere 232 billion USD in 2001 to 775 billion USD in 2012. The 2002, a single year after Erdoğan took office, the CPI (inflation rate) was around 75%. It has dramatically fallen to 6.51%. The percentage of Turks below the poverty-line has fallen from 20% in 2002 to and held steady at 16.9%. That’s still a very high percentage until you consider the proximity of Turkey to the EuroZone.

A major question is whether the Turkish population has seen this amazing growth and stability or only the rich elite. A key way to measure this is by measuring the life expectancy. This aggregate not only the ballpark of life expectancy, it describes life quality which subsequently describes access to medical services and wealth distribution. The Turkish life expectancy has risen by an aggregate 4 years from 70 years in 2001 to 74 years in 2012.

Erdogan-PeresErdoğan publicly condemning Peres for ongoing Israeli terrorism against Palestinians

Geopolitics

Turkey’s role in major world politics has also seen a dramatic increase.

  • PKK – Erdoğan has been able to work towards legitimate peace with Kurdish rebels. (btw, I was hugged and kissed by group of Kurds during Hajj and love their clothes!)
  • Israel – Turkey weakened its military ties with the terrorist state and publicly condemned Shimon Peres for his oppression of the Palestinian people. One big incident was his outspoken support of the Freedom Gaza Flotilla, which was boarded by Israeli terrorists, resulting in the death of nine peace activists.
  • Syria – Turkey has forged its own independent policy against Assad by supporting the FSA, welcoming Syrian refugees, and the terrorism elements of the Syrian Rebel movements.
  • Broader Muslim World – Turkey is now immensely popular in the broader Muslim World. Turkey is seen as the “central state” of the Turkic people and has expanded its cultural influence. In 2010 following the devastating floods in Pakistan, Emine Erdoğan personally visited Pakistan and helped raise 3.5 million lira for relief efforts. She was awarded the Hilal-e-Pakistan award for her service.

Domestic Relationship with the Secularists

The Muslim-Right in Turkey are not akin to the Christian-Right in the US. It is not the same paradigm of the US religious-right opposing freedom. Its the exact opposite.

Turkey has been a Muslim country since the Seljuk Turks established the Sultanate of Rum (Rome) in 1100AH. But since the Kemalists took power, it has witnessed wide-scale persecution of the religious majority. Women who chose to wear headscarfs or men who wore turbans were forbidden to even enter public facilities, including schools and universities. I personally knew a Sufi Shaykh who was arrested for wearing a Turban in his own house. The Turkish military forced secularism on the government by military coup four times, in 1913, 1971, 1980, and 1997.

A prominent example was in 2001 with Merve Kavakçı, who I’ve twice had the honor of meet. She was democratically elected to parliament, but the radical secularists literally banged on their desks and made distractive noises for 45 minutes in protest of her headscarf until the parliamentary session was terminated. Her party was eventually declared unconstitutional and her citizenship was revoked.

Under Erdoğan, the religious majority has witnessed a return in their rights. They are once again allowed to wear whatever clothes they please and express their faith in public. Cultural repression has ceased and the minority Kurdish population are allowed to return to their heritage. At the same time, this was not done infringed upon the rights of the liberals, who have gone so far as to hold gay pride parades in Taksim Square.

Western Media


The actual Economist’s cover

I live in the West and my primary sources of media are Western. I have seen nothing but sympathetic views towards the protesters and images of police brutality (which, I concede, police are often guilty of committing). Most Westerns are innocently ignorant of Turkey, so they have no frame of reference to interpret the authenticity of what they are hearing.

One oft-repeated fact has been that Turkey has a high number of reporters in prison. However, they fail to provide the full context: that many of the reporters are in prison for making contact with Kurdish rebels groups. I do not disagree that this should not be a crime, but ironically this is a direct result of the secular-nationalist policies of denial of the Kurdish existence!

All major news sources, such as CNN, the Washington Post, New York Times, Slate, Fox News and Russia Today have all spoken of Erdoğan’s increased authoritarianism and religious fundamentalism. Even smaller news sources, such as Cenk Uygar’s The Young Turks, are guilty of the same misinformation. The irony is that, except for a few statements against the hours of alcohol sale (done in the US, mind you), Turkish laws can be characterized as militantly anti-religious!

In short, the media is ignorant speaking to in uninformed public, biased and ultimately unreliable.

Conclusion

Erdoğan and first lady Emine with triplets born at a Syrian Civil War refugee camp

By all commonly agreed upon measures, Turkey has witnessed unprecedented freedom, prosperity, growth, influence, and stability under the leadership of Recep Tayyep Erdoğan. These protesters have no rational basis for their anger. Instead, I would wager that its nothing more than group-think, raw emotion, ignorance.

One thing I would like to add, I sympathize with the protesters in the heavy-handed tactics of the police. I hate abuse in all forms.

I support Erdoğan and you should too.

Securing Email from PRISM


Well, sorta. This solution makes acquiring your stored emails a very difficult endeavour. This objective is to provide defense-in-depth security for email data at rest that is seamless to the causal email user. And while anyone with a gun can ultimately track your data (put a gun to the head of the most rabid Zionist and I would tell you anything you want to know to save even his Nazi life), this should make it prohibitively difficult and expensive to do so.

This method rests on two main components:

  1. Making the location of stored email difficult or prohibitively expensive to identify;
  2. Making stored email impossible to hostiley recover.

First, you obviously need an internet accessible SMTP server. Merely opening port 25 on your home connection would make tracking you down a trivial process. A better option is to purchase a VPS in a foreign country, either through Bitcoin or a pre-paid debit card. It goes without that you should never connect to the VPS directly. Always use a variety of layers of obfuscation. I personally prefer a public Wifi location, with Tor and finally a proxy running in a less-than-friendly foreign country. The domain name you purchase, again anonymously, needs to have the SMTP server pointing to VPS you purchased. This server will function only receive emails. It does not store them whatsoever.

Next you need to store the email in a format that is difficult to trace. My personal method is to setup Linux to use a hard-drive with full-disk encryption. Recovering hard-disk private keys from memory is not easy, but I have personally seen it done. So, we’re going to add in another layer of frustration by using a non-standard processor format such as ARM. Though it is still technically possible to recover keys from memory on an ARM processor, most memory-dumping software solutions are for x86 CPUs. My ideal setup would be to use a Raspberry PI because it runs on less power and is more likely to erase quicker. The size will also make concealment a ton easier.

These two machines need to communicate. My preferred method is over Tor. Configure a Tor hidden service on the second machine. Then, configure the VPS to network spool its mail through Tor to the storage machine. I have heard some clamour that Tor can theoretically be traced, but I have yet to find a technical paper detailing exactly the method. Either way, providing another layer of SSL-based encryption is recommended to at least ensure data integrity and confidentiality.

Now email is received by the anonymous VPS, and anonymously routed to your encrypted hard-drive. In order to request the email of whoever@domain.com, the government would have to know who owns domain.com’s SMTP server, get access to that server, then identify where email is stored, and break the encryption on the hard-drive without the key. I hope you’re not doing anything that would tempt them to spend that much time and energy!

Obvious Drawback

Email-in-transit is just about impossible to truly secure. Whoever owns the pipe owns the data. Yes, I could just use SMTP encryption, and you damn well should, but I cannot verify anyone’s identity except through the use of public certificate authorities. But I also have no illusions that the NSA could easily ask VeriSign to issue them forged certificates and VeriSign would immediately comply. I could always create my own certificates, but most SMTP servers would simply not send to questionable recipients without having to manually installing the certificates. And at that point, you’re not seamless to the user and might as well just use PGP.

So if you’re concerned about data-in-transit, yes PGP is your best bet. I don’t know the benchmarks for trying to brute-force PGP on an array of GPUs, but its entirely possible to use 8192-bit PGP keys. Too bad there are few to no easy to use PGP software packages out there.