The Digital Tumbleweed
Thoughts and ramblings of an enthusiast
The Internet: How to Protect Your Privacy
In light of my last post, Well Done America: Privacy Owned, I wanted to provide some information about how to protect yourself. Now, there are a few things to note about everything that I’m going to say here. This protection only goes as far as you do; if you leave something open, well…good luck to you. It’s like what Thomas Edison said, “I found 2000 ways not to make a light bulb”; he only needed one. All security is about the weakest link, right? So long as I can find one way in, I’m in.
Also, any method of encryption I mention here can be cracked by the NSA. There are some brilliant minds working there, but in the spirit of being “big brother”, they put restrictions on the level of encryption that is _legally_ allowed. Thus, if you want to use something outside of the encryption algorithms that the NSA knows…happy hunting.
Ok, let’s get into it, shall we?
Websites
When you visit a website you have a few ways of seeing the information. By this I mean there are a few protocols that your web browser understands. The two prominent ones are “HTTP” and “HTTPS”. HTTP is a protocol that pushes content around the internet. HTTPS, also known as HTTP with SSL, is purely an extension of that but it is _encrypted_. Using public key cryptography, when you visit a site the whole session is encrypted. This is very powerful and very useful. What happens here is that when you go to the website you are sent a public key from the website. This public key allows you to see the contents of the webpage by decrypting the unreadable content. The website encrypts the content before sending using a private key, such that when it passes the data along to you it appears to be gibberish. The private and public keys are linked together, meaning no other public key can work to decrypt the contents of the site that the private key encrypted. It’s a nifty technology that we’ll talk more about later.
Imagine this scenario: You want a different perspective on the “War on Terror”. You decide to hit up some Google for “Hezbollah” and then for “Jihad”. It is likely that a number of these sites will be offshore (assuming you are in the US) and so your traffic will be under the watchful eye. So, in an effort to protect what you are viewing, you can try to go to sites that only support HTTPS. Meaning if you type “https://” in front of the domain rather than typing “http://” you’ll know whether it is supported. If it is supported you can access the site only through that protocol and are therefore better protected from people snooping into your traffic.
Email
There are numerous times when I hear someone say to me that they sent their phone number or credit card number in an email. When I hear this I cringe, and I’m sure at that point they understand that something is wrong and that it isn’t lunch. One of the things that most people don’t realize or understand is that email is transferred in plain text. Meaning, when I send “Hey, how was your day?” over email, anybody that is between my computer and where it’s headed to can see that communication. It’s a very similar problem to the website problem, just a different originating source. So, again we come to private and public key encryption.
Because the email protocols do not care what format your email is in, they will pass bits along to wherever you ask. Thus, you can encrypt the body of your message such that nobody is the wiser and you now have secure communication. This means that I now cannot sniff your credit card information out of the tubes, and even if I were able to I wouldn’t know because it would look something similar to “$#Svdfg345$%#&*@Ded,mlpo(lo”. Catch my drift?
So, this being so great and all, you need to figure out how to implement it. Because the purpose of this post is not to be a tutorial, I’ll post some links.
- How to encrypt your email with Thunderbird
- Encryption in Apple Mail
- Encryption in Microsoft Outlook
- Microsoft: Encrypt Email Messages
This all being said, STOP EMAILING CREDIT CARD NUMBERS AROUND!
Personal
There are a number of times when you will want to have files on your system encrypted. Say your real brother wants to take a quick glance at your journal, diary, whatever and spill all your secrets? What can you do? Well, since I’m the oldest in my family, and the brother…not much, my sister never stood a chance. But, with this information she may have.
Truecrypt is a tool that allows you to make a volume on your system that is entirely encrypted. That means you can essentially create a folder for all of your Word documents, saved emails, and so forth, and encrypt that folder. Then, when your arch nemesis tries to see what lowly secrets you behold, they will be stumped…Think Ben Stiller in Zoolander.
Lifehacker has a good article about the latest iteration of Truecrypt. I recommend this software to anyone. In fact, I use this software with clients because I trust it more than anything else. You basically tell it how large you want your volume to be and then which level of encryption you would like and it’s done. It’s impressive and powerful.
Anonymity
This one is somewhat stretched. The reason I say that is because nobody is ever fully anonymous on the internet. But, in trying to keep with the theme, I’m just providing you with some information. The Tor Project is a project focused purely on internet anonymity. I’ve actually used this tool to access sites that have been blocked from me before and so forth. It’s a great tool and provides a nice level of anonymous browsing.
Tor works like this: you request a website, that request is forwarded to n number of machines. The last machine in that chain makes the actual request to the site you are visiting. The data from that request is then sent back to you. By the way, when I say request I am talking about when you type in “http://google.com” and press enter or click the “go” button in your browser. You are, at that point, making a request for a web page.
Now, this gets a bit hairy when you talk about Web 2.0 interaction based sites and AJAX based sites. The reason is that one request may go through the chain A->B->C->D and the next request may go through B->C->A->E. This means that your session information which was associated with machine D is lost and that you need to open a new session with E.
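The session problem described above, modelled as an added example (not code from this post or from the Tor Project): a hypothetical site that can tie each session to the source IP it saw at login, visited over the two chains from the text. The relay letters map to constructed documentation-range addresses, and the `Site`, `exit_ip` and `browse` names are made up for the illustration.

```python
import secrets

# Constructed relay names mapped to documentation-range IPs (not real Tor relays).
RELAYS = {"A": "192.0.2.10", "B": "192.0.2.20", "C": "192.0.2.30",
          "D": "198.51.100.4", "E": "203.0.113.5"}


class Site:
    """Hypothetical site; with bind_ip=True a session is tied to the login source IP."""

    def __init__(self, bind_ip):
        self.bind_ip = bind_ip
        self.sessions = {}  # cookie -> (user, source IP seen at login)

    def login(self, user, source_ip):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = (user, source_ip)
        return cookie

    def request(self, cookie, source_ip):
        entry = self.sessions.get(cookie)
        if entry is None:
            return "401 no session"
        user, bound_ip = entry
        if self.bind_ip and source_ip != bound_ip:
            # The site cannot tell a new exit relay from a stolen cookie, so it drops the session.
            del self.sessions[cookie]
            return "401 source IP changed"
        return "200 hello " + user


def exit_ip(circuit):
    """The site only ever sees the last machine in the chain (the exit)."""
    return RELAYS[circuit[-1]]


def browse(site, circuits, user="alice"):
    """Log in over the first circuit, then send one request per circuit."""
    cookie = site.login(user, exit_ip(circuits[0]))
    return [("->".join(c), exit_ip(c), site.request(cookie, exit_ip(c)))
            for c in circuits]


if __name__ == "__main__":
    chains = [list("ABCD"), list("BCAE")]  # the two chains from the text
    for label, site in (("IP-bound", Site(True)), ("cookie-only", Site(False))):
        for row in browse(site, chains):
            print(label, row)
```

In this model the session only breaks when the site binds it to the source address; a site that checks the cookie alone keeps the session across both chains.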
The next problem that I can think of deals with public and private keys. You don’t ever want to use this tool if you are trying to manage secure information. Think about how these things work. If I send a public key to you so that you can decrypt my information but I did so through 5 other servers, if one of those servers is bad, you have just given it access to a key that can decrypt your message. Websites using HTTPS aren’t good to use here. For instance, assume you are viewing your banking information, every machine has the public key you used to decrypt that information. That means that they can decrypt that information.
It is cumbersome and has some risks associated, but if you are only trying to get some non-secure information and not send any data, it’s a nice tool for anonymous browsing. It lets you get past some of those work based restrictions to Myspace and Facebook! ;D
Well Done America: Privacy Owned.
Normally I try to stay away from the politics and such. I don’t have much interest in dealing with people who understand very little about technology. In fact, I have very little patience for those who make decisions related to how I use my technology when they understand nothing about it. Today I read a post at Tech Crunch about an amendment to the FISA Act of 1978 that Barack Obama voted for today.
Now, I understand that bills will contain more information than just a specific topic but as Dan Kimerling points out:
Given that each day tens of millions of people have their data go across the networks of some of the larger telcos, the risk that these companies faced by working with the government on extra-judicial wiretaps was extreme. In giving companies that work with the government immunity from these penalties, H.R. 6304, and Barack Obama who voted for it, just took away the only reason stopping AT&T, Verizon, and others from helping the government use extra-judicial wiretaps.
This is a huge problem. How does allowing wiretapping and surveillance of my information help anyone? How is this really in the interest of the general public? I do often wonder what goes through these politicians’ minds when they are voting on some of these topics. Is it purely about votes? Do they genuinely feel that something as heinous as wiretapping is “good for us”?
Not only does this give the telcos free rein on our data, but it protects them from anything in the past! Also, this has given the government more insight into our data. This paranoia has gone too far and on for too long. We as a people need to stand up for what is right. We need to do more than just “believe” or “hope” that things will be O.K. and that our “leaders” will do right by us. We can’t wait for them to make more decisions such as the one Obama and many others did today. Is this the “red scare” all over again? Has it come to that?
Because of this I’ve decided to do some searching around. I realize that I am a bit out of the political loop and so I need to really do some research, but I can’t seem to find anything that would support such a thing. For instance, I saw a video clip over at The Bivouac showing a number of points from the CSPAN report.
What I fail to understand here is that the points made in support of this amendment seem to be things like “fear mongering” and “rhetoric”. How can this sway the judgment of the majority? There has to be something that I am missing here. Can someone clue me into what would make this many people support such bull?
So, as part of my travels across cyber-space I found the text of the amendment. In reading part of this amendment I found a bunch of it appalling. It is to the point where I feel I _have_ to be reading it wrong. For example, how else am I supposed to interpret the following passage:
Now, our proponents will argue that the plaintiffs in the lawsuits against the companies can participate in briefing to the court, and this is true. But they are not allowed any access to any classified information. Talk about fighting with both hands tied behind your back. The administration has restricted information about this illegal wiretapping program so much that roughly 70 Members of this Chamber don’t even have access to the basic facts about what happened. Do you believe that? So let’s not pretend that the plaintiffs will be able to participate in any meaningful way in these proceedings in which Congress has made sure their claims will be dismissed.
The way I read it is that we have people making a decision on the issue when they don’t even have access to the information. Am I wrong? I can’t believe that 70 people don’t even have a classification high enough to see the material being discussed! How can decisions be made this way? Maybe it is my ignorance in the ways of big brother, but can we honestly have a system that supports this kind of behavior? We have to hold our government accountable for their actions. This provides a “get out of jail free card” to those that feel like I could somehow be a terrorist. Hell, I wouldn’t be surprised if after writing this I’m thrown on the list.
So, I guess I will end with this. If I am missing something please inform my ignorant self because this just seems too far fetched. Yet everything I find seems to support the conclusions I’ve come to in this post. Why do away with our freedom? Why remove our privacy? As the amendment text says:
This framework, which has been in place for 30 years, protects companies that comply with legitimate Government requests while also protecting the privacy of Americans’ communications from illegitimate snooping.
We have a responsibility to protect our freedom. If the government seeks to take that away then something should be done. We live in one of the greatest nations because many of our laws protect the citizens. Let’s keep it that way.
For those interested, here is a list of articles I found while researching this topic:
- Crooks and Liars: FISA Bill
- ProgressiveDem: Caving on FISA Bill
- The Washington Monthly
- The Raw Story: House Intelligence Committee
- Cryptome: H.R.6304
- Tech Crunch: Barack Obama Breaks Promise…Supports Telcos
- Barack Obama Pic’s
* UPDATE *
There appears to be a decent amount of traffic related to this topic on these here tubes which is good. This issue shouldn’t be taken lightly. I’ve seen a bit more information and so I thought I’d share the links with you all.
- Huffington Post
- Salon.com: Betrayed by Obama
- Slashdot: Obama Losing Voters
- Digg: FISA Fight, Epic Failure
- Digg: Congress Supports Spying
- Digg: US Senate Annihilates Constitution
- Analysis - Obama’s Arguments on FISA
- Telecom’s Allowed to Spy
- Intelligence Abuses and FISA Amendment Act
- ACLU FISA Form
- Ars Technica: FISA compromise passes
- Ask Pelosi: FISA, telecom immunity and oath of office




