The Internet: How to Protect Your Privacy

In lieu of my last post, Well Done America: Privacy Owned, I wanted to provide some information about how to protect yourself. Now, there are few things to note about everything that I’m going to say here. This protection only goes as far as you do, if you leave something open, well…good luck to you. It’s like what Thomas Edison said, “I found 2000 ways not to make a light bulb”, he only needed one. All security is about the weakest link, right? So long as I can find one way in, I’m in.

Also, any method of encryption I mention here can be cracked by the NSA. There are some brilliant minds working there, but in the spirit of being “big brother”, they put restrictions on the level of encryption that is _legally_ allowed. Thus, if you want to use something outside of the encryption algorithms that the NSA knows…happy hunting. Ok, lets get into it shall we?

Websites

When you visit a website you have a few ways of seeing the information. By this I mean there are a few protocols that your web browser understands. The two prominent ones are “HTTP” and “HTTPS”. HTTP is a protocol that pushes content around the internet. HTTPS, also known as HTTP with SSL, is purely an extension of that but it is _encrypted_. Using Public Key cryptography, when you visit a site the whole session is encrypted. This is very powerful and very useful. What happens here is when you go to the website you are sent a public key from the website. This public key allows you to see the contents of the webpage by decrypting the unreadable content. The website encrypts the content before sending using a private key. Such that when it passes the data along to you it appears to be jibberish. The private and public keys are linked together, meaning no other public key can work to decrypt the contents of the site that the private key encrypted. It’s a nifty technology that we’ll talk more about later.
Imagine this scenario: You want a different perspective on the “War on Terror”. You decide to hit up some Google for “Hezbollah” and then for “Jihad”. It is likely that a number of these sites will be offshore (assuming you are in the US) and so your traffic will be under the watchful eye. So, to in an effort to protect what you are viewing you can try to go to sites that only support HTTPS. Meaning if you type “https://” in front of the domain rather than typing “http://” you’ll know whether it is supported. If it is supported you can access the site only through that protocol and are therefore better protected from people snooping into your traffic.

Email

There are numerous times when I hear someone say to me that they sent their phone number or credit card number in an email. When I hear this I cringe, and I’m sure at that point they understand that something is wrong and that it isn’t lunch. One of the things that most people don’t realize or understand is that email is transfered in plain text. Meaning, when I send “Hey, how was your day?” over email, anybody that is between my computer and where it’s headed to can see that communication. It’s a very similar problem to the website problem, just a different originating source. So, again we come to private and public key encryption.

Because the email protocols do not care what format your email is in, they will pass bits along to wherever you ask. Thus, you can encrypt the body of your message such that nobody is the wiser and you now have secure communication. This means that I now cannot sniff your creditcard information out of the tubes and even if I were able to I wouldn’t know because it would look something similar to “$#Svdfg345$%#&*@Ded,mlpo(lo”. Catch my drift?

So, this being so great and all you need to figure out how to implement it. Because the purpose of this post is not to be a tutorial I’ll post some links.

• How to encrypt your email with Thunderbird
• Encryption in Apple Mail
• Encryption in Microsoft Outlook
• Microsoft: Encrypt Email Messages

This all being said, STOP EMAILING CREDIT CARD NUMBERS AROUND!

Personal

There are a number of times when you will want to have files on your system encrypted. Say your real brother wants to take a quick glance at your journal, diary, whatever and spill all your secrets? What can you do? Well, since I’m the oldest in my family, and the brother…not much, my sister never stood a chance. But, with this information she may have.

Truecrypt is a tool that allows you to make a volume on your system that is entriely encrypted. That means, you can essentially create a folder for all of your word documents, saved emails, and so forth. You can encrypt that folder. Then, when your arch nemesis tries to see what lowly secrets you behold, they will be stumped…Think Ben Stiller in Zoolander.

Lifehacker has a good article about the latest iteration of Truecrypt. I recommend this software to anyone. In fact, I use this software with clients because I trust it more than anything else. You basically tell it how large you want your volume to be and then which level of encryption you would like and it’s done. It’s impressive and powerful.

Anonymity

This one is somewhat stretched. The reason I say that is because nobody is ever fully anonymous on the internet. But, in trying to keep with the theme, I’m just providing you with some information. The Tor Project is a project focused purely on internet anonymity. I’ve actually used this tool to access sites that have been blocked from me before and so forth. It’s a great tool and provides a nice level of anonymous browsing.

Tor works like this: you request a website, that request is forwarded to n number of machines. The last machine in that chain makes the actual request to the site you are visiting. The data from that request is then sent back to you. By the way, when I say request I am talking about when you type in “http://google.com” and press enter or click the “go” button in your browser. You are, at that point, making a request for a web page.
Now, this gets a bit hairy when you talk about Web 2.0 interaction based sites and AJAX based sites. The reason is that one request may go through the chain A->B->C->D and the next request may go through B->C->A->E. This means that your session information which was associated with machine D is lost and that you need to open a new session with E.

The next problem that I can think of deals with public and private keys. You don’t ever want to use this tool if you are trying to manage secure information. Think about how these things work. If I send a public key to you so that you can decrypt my information but I did so through 5 other servers, if one of those servers is bad, you have just given it access to a key that can decrypt your message. Websites using HTTPS aren’t good to use here. For instance, assume you are viewing your banking information, every machine has the public key you used to decrypt that information. That means that they can decrypt that information.
It is cumbersome and has some risks associated, but if you are only trying to get some non-secure information and not send any data, it’s a nice tool for anonymous browsing. It lets you get past some of those work based restrictions to Myspace and Facebook! ;D