Internet Security Week
Thursday, April 12, 2007
Naxal Revolution
Reactionary governments have shown themselves willing to attack and intimidate people who aren't even radicals and who are just researching social and political movements. They are also willing to repress or monitor people for other reasons. Repression is a real threat in some circumstances, and Naxalrevolution takes this seriously for the sake of the people who visit this site and other sites for different reasons.
Maintaining anonymity and practicing secure behaviour makes it more difficult for agents and officials, often violating civil rights and breaking laws, to identify people interested in revolutionary knowledge.
It also makes things harder for right-wing activists, vigilantes and other groups to ruin the lives of people interested in revolutionary education.
As a part of Internet Security Week, the below posts will guide you on how to adopt some of the best internet security practices and how to secure your means of communication.
For any doubts or clarifications please leave a request in the comments section.
Credits: I would like to thank irtr from whom I first heard about these security practices and riseup for the detailed information and good work that they are doing.
After reading the below posts, Naxalrevolution strongly recommends that you sign up for a new email account at either Hushmail.com or Riseup.net and use it for communicating with your friends and with us.
Please see to it that you adhere to their terms and conditions.
A full list of email providers is given in the below posts.
We will shortly be announcing our new email id.
Source : Riseup.net
There are many ways in which this kind of mapping of people's associations and habits is far worse than traditional eavesdropping. By cataloging our associations, a spying organization has an intimate picture of how our social movements are organized--a more detailed picture than even the social movements themselves are aware of. This is bad. Really bad. The US government, among others, has a long track record of doing whatever it can to subvert, imprison, kill, or squash social movements which it sees as a threat (black power, anti-war, civil rights, anti-slavery, native rights, organized labor, and so on). And now they have all the tools they need to do this with blinding precision.
We believe that communication free of eavesdropping and association mapping is necessary for a democratic society (should one ever happen to take root in the US). We must defend the right to free speech, but it is just as necessary to defend the right to private speech. Unfortunately, private communication is not possible if only a few people practice it: they will stand out and open themselves up to greater scrutiny. Therefore, we believe it is important for everyone to incorporate as many security measures in your email life as you are able.
Email is not secure
You should think of normal email as a postcard: anyone can read it, your letter carrier, your nosy neighbor, your house mates. All email, unless encrypted, is completely insecure. Email is actually much less secure than a postcard, because at least with a postcard you have a chance of recognizing the sender's handwriting. With email, anyone can pretend to be anyone else. There is another way in which email is even less private than a postcard: the government does not have enough labor to read everyone's postcards, but they probably have the capacity and ability to scan most email. Based on current research in datamining, it is likely that the government does not search email for particular words but rather looks for patterns of association and activity. In the three cases below, evidence is well established that the US government conducts widespread and sweeping electronic surveillance.
full-pipe monitoring
According to a former Justice Department attorney, it is common practice for the FBI to practice "full-pipe monitoring". The process involves vacuuming up all traffic of an ISP and then later mining that data for whatever the FBI might find interesting. The story was first reported on January 30, 2007 by Declan McCullagh of CNET News.com.
AT&T
The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in its massive and illegal program to wiretap and data-mine Americans' communications.
Because AT&T is one of the few providers of the internet backbone (a so-called Tier 1 provider), even if you are not an AT&T customer it is likely that AT&T is the carrier for much of your internet traffic. It is very likely that other large internet and email providers have also worked out deals with the government. We only know about this one because of an internal whistleblower.
Carnivore
For legal domestic wiretaps, the U.S. government runs a program called Carnivore (also called DCS1000).
Carnivore is a 'black box' which some ISPs are required to install and which allows law enforcement to do 'legal' wiretaps. However, no one knows how these boxes work, they effectively give the government total control over monitoring anything on the ISP's network, and there is much evidence that the government uses Carnivore to gather more information than is legal.
As of January 2005, the FBI announced they are no longer using Carnivore/DCS1000 and are replacing it with a product developed by a third party. The purpose of the new system is exactly the same.
ECHELON
ECHELON is a spy program operated cooperatively with the governments of the United States, Canada, United Kingdom, Australia, and New Zealand. The goal is to monitor and analyze internet traffic on a wide scale. The EU Parliament has accused the U.S. of using Echelon for industrial espionage.
Call database
On May 10, USAToday broke the story that the NSA has a database designed to track every phone call ever made in the US. Although this applies to phone conversations, the fact that the government believes that this is legal means that they almost certainly think it is legal to track all the email communication within the US as well. And we know from the AT&T case that they have the capability to do so.
You can do something about it!
What a gloomy picture! Happily, there are many things you can do. These security pages will help outline some of the simple and not-so-simple changes you can make to your email behavior.
* Secure Connections: by using secure connections, you protect your login information and your data while it is in transport to riseup.net.
* Secure Providers: when you send mail to and from secure email providers, you can protect the content of your communication and also the pattern of your associations.
* Public Key Encryption: although it is a little more work, public key encryption is the best way to keep the content of your communication private.
See the next page, Security Measures, for tips on these and other steps you can take. Remember: even if you don't personally need privacy, practicing secure communication will ensure that others have the ability to freely organize and agitate.
Simple Measures for Email Security
Source : Riseup.net
Practice secure behavior!
These pages include a lot of fancy talk about encryption. Ultimately, however, all this whiz-bang crypto-alchemy will be totally useless if you have insecure behavior. A few simple practices will go a long way toward securing your communications:
- Logout: make sure that you always log out when using web-mail. This is very important, and very easy to do. This is particularly important when using a public computer.
- Avoid public computers: this can be difficult. If you do use a public computer, consider changing your password often or using the virtual keyboard link (if you use riseup.net for your web-mail).
- Use good password practice: you should change your password periodically and use a password which is at least 6 characters and contains a combination of numbers, letters, and symbols. It is better to use a complicated password and write it down than to use a simple password and keep it only in your memory. Studies show that most people use passwords which are easy to guess or to crack, especially if you have some information about the interests of the person. You should never pick a password which is found in the dictionary (the same goes for "love" as well as "10v3" and other common ways of replacing letters with numbers).
- Be a privacy freak: don't tell other people your password. Also, newer operating systems allow you to create multiple logins which keep user settings separate. You should enable this feature, and logout or "lock" the computer when not in use.
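The password rules above can be turned into a small check. The following is an added example, not part of the Riseup.net text: it applies the stated rules (at least 6 characters; letters, numbers and symbols) and undoes common letter-for-number swaps before the dictionary lookup, which is why "10v3" fails just like "love". The word list and substitution table are constructed for the demonstration.

```python
import string

# Constructed mini word list for the demo; a real check would load a full dictionary.
WORDLIST = {"love", "password", "secret", "dragon", "letmein"}

# Common digit/symbol-for-letter swaps. "1" is ambiguous (l or i) and is handled below.
LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
EDGE_CHARS = string.digits + string.punctuation


def candidate_words(password):
    """Return lowercase forms of the password that a guesser would also try."""
    lowered = password.lower()
    swapped = "".join(LEET.get(c, c) for c in lowered)
    forms = {lowered, swapped.replace("1", "l"), swapped.replace("1", "i")}
    # Strip padding such as "123!" so "love123!" is still recognised as "love".
    return {form.strip(EDGE_CHARS) for form in forms}


def check_password(password, min_length=6):
    """Return a list of problems; an empty list means the rules above are met."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    has_all_classes = (
        any(c in string.ascii_letters for c in password)
        and any(c in string.digits for c in password)
        and any(c in string.punctuation for c in password)
    )
    if not has_all_classes:
        problems.append("needs letters, numbers and symbols")
    if any(word in WORDLIST for word in candidate_words(password)):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("10v3", "love123!", "p@ssw0rd", "k7#Vq9!mZ2"):
        print(pw, check_password(pw))
```
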
Use secure connections!
What are secure connections?
When you check your mail from the riseup.net server, you can use an encrypted connection, which adds a high level of security to all traffic between your computer and riseup.net. Secure connections are enabled for web-mail and for IMAP or POP mail clients. This method is useful for protecting your password and login. If you don't use a secure connection, then your login and password are sent over the internet in a 'cleartext' form which can be easily intercepted. It is obvious why you might not want your password made public, but it may also be important to keep your login private in cases where you do not want your real identity tied to a particular email account.
How do I use secure connections?
In the web browser, if the location starts with https:// then you have a secure connection. Your web browser should also display a little padlock icon either in the location bar or in the bottom corner of the window.
The limits of secure connections
The problem with email is that it takes a long and perilous journey. When you send a message, it first travels from your computer to the riseup.net mail server and then is delivered to the recipient's mail server. Finally, the recipient logs on to check their email and the message is delivered to their computer. Using secure connections only protects your data as it travels from your computer to the riseup.net servers (and vice versa). It does not make your email any more secure as it travels around the internet from mail server to mail server. To do this, see below.
Use secure email providers
What is StartTLS?
There are many governments and corporations which are sniffing general traffic on the internet. Even if you use a secure connection to check and send your email, the communication between mail servers is almost always insecure and out in the open. Fortunately, there is a solution! StartTLS is a fancy name for a very important idea: StartTLS allows mail servers to talk to each other in a secure way. If you and your friends use only email providers which use StartTLS, then all the mail traffic among you will be encrypted while in transport. If both sender and recipient also use secure connections while talking to the mail servers, then your communications are likely secure over their entire lifetime. We will repeat that because it is important: to gain any benefit from StartTLS, both sender and recipient must be using StartTLS enabled email providers. For mailing lists, the list provider and each and every list subscriber must use StartTLS.
Which email providers use StartTLS?
Currently, these tech collectives are known to use StartTLS:
- riseup.net
- resist.ca
- mutualaid.org
- autistici.org/inventati.org
- aktivix.org
- boum.org
- squat.net
- tao.ca
- indymedia.org
- eggplantmedia.com
- so36.net
- universities: berkeley.edu, johnhopkins.edu, hampshire.edu, evergreen.edu, ucsc.edu, reed.edu, oberlin.edu, pdx.edu, usc.edu, bc.edu, uoregon.edu, vassar.edu, temple.edu, ucsf.edu, ucdavis.edu, wisc.edu, rutgers.edu, ucr.edu, umb.edu, simmons.edu.
- organizations: action-mail.org, no-log.org
- companies: speakeasy.net, easystreet.com, runbox.com, hushmail.com, dreamhost.com, frognet.net, frontbridge.com, freenet.de, blarg.net, greennet (gn.apc.org)
What are the advantages of StartTLS?
This combination of secure email providers and secure connections has many advantages:
- It is very easy to use! No special software is needed. No special behavior is needed, other than to make sure you are using secure connections.
- It prevents anyone from creating a map of whom you are communicating with and who is communicating with you (so long as both parties use StartTLS).
- It ensures that your communication is pretty well protected.
- It promotes the alternative mail providers which use StartTLS. The goal is to create a healthy ecology of activist providers--which can only happen if people show these providers strong support. Many of these alternative providers also incorporate many other important security measures such as limited logging and encrypted storage.
What are the limitations of StartTLS?
However, there are some notable limitations:
- Your computer is a weak link: your computer can be stolen, hacked into, have keylogging software or hardware installed.
- It is difficult to verify: for a particular message to be secure, both the origin and destination mail providers must use StartTLS (and both the sender and recipient must use encrypted connections). Unfortunately, it is difficult to confirm that all of this happened. For this, you need public key encryption (see below).
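One partial check a recipient can make is to read the `Received:` headers of a delivered message, since mail servers commonly record there whether a hop used TLS (the `ESMTPS`/`ESMTPSA` keywords from RFC 3848, or a `(using TLS...)` comment). The following is an added example, not part of the Riseup.net text; the message, host names and addresses are constructed, and because these headers are written by the servers themselves and are not authenticated, the result is evidence rather than proof.

```python
import re
from email import message_from_string

# Constructed sample message (hosts and addresses are made up for the demo).
SAMPLE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
\tby mail.example.net (Postfix) with ESMTPS id ABC123
\tfor <bob@example.net>; Thu, 12 Apr 2007 09:10:05 -0700
Received: from relay.example.com (relay.example.com [192.0.2.20])
\tby mx1.example.org (Postfix) with ESMTP id DEF456
\tfor <bob@example.net>; Thu, 12 Apr 2007 09:10:03 -0700
Received: from laptop (unknown [198.51.100.7])
\tby relay.example.com (Postfix) with ESMTPSA id GHI789;
\tThu, 12 Apr 2007 09:10:01 -0700
From: alice@example.com
To: bob@example.net
Subject: test

hello
"""

# RFC 3848 transmission types that indicate the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Free-form comments some servers add, e.g. "(using TLSv1 ...)" or "version=TLS1_2".
TLS_COMMENT = re.compile(r"\(using (?:TLS|SSL)|version=TLS", re.I)


def trace_hops(raw):
    """Return the message's hops in travel order with a TLS flag for each."""
    hops = []
    # Servers prepend their header, so the last Received line is the first hop.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        sender = re.search(r"^from\s+(\S+)", line)
        receiver = re.search(r"\bby\s+(\S+)", line)
        proto = re.search(r"\bwith\s+((?:E?SMTP|LMTP)S?A?)\b", line)
        protocol = proto.group(1).upper() if proto else None
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "protocol": protocol,
            "encrypted": protocol in TLS_PROTOCOLS or bool(TLS_COMMENT.search(line)),
        })
    return hops


def cleartext_hops(raw):
    """Return (from, by) pairs for hops that show no sign of TLS."""
    return [(h["from"], h["by"]) for h in trace_hops(raw) if not h["encrypted"]]
```

In the constructed sample the first and last hops used TLS, but the server-to-server hop in the middle did not, which is exactly the case where only one of the providers supports StartTLS.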
Use public-key encryption
If you wish to keep the contents of your email private, and confirm the identity of people who send you email, you should download and install public-key encryption software. This option is only available if you have your own computer. Public-key encryption uses a combination of a private key and a public key. The private key is known only by you, while the public key is distributed far and wide. To send an encrypted message to someone, you encrypt the message with their public key. Only their private key will be able to decrypt your message and read it.
The universal standard for public-key encryption is Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG). GPG is Free Software, while PGP is a proprietary product (although there are many freeware versions available). Both work interchangeably and are available as convenient add-ons to mail clients for Linux, Mac, and Windows. For information on configuring your mail client to use public key encryption, see our mail client tutorial pages. In particular, see the tutorials for Apple Mail and Thunderbird. Otherwise, you should refer to the documentation which comes with your particular mail client. Although it provides the highest level of security, public-key encryption is still an adventure to use. To make your journey less scary, we suggest you keep these things in mind:
- Be in it for the long haul: using public-key encryption takes a commitment to learning a lot of new skills and jargon. The widespread adoption of GPG is a long way off, so it may seem like a lot of work for not much benefit. However, we need early adopters who can help build a critical mass of GPG users.
- Develop GPG buddies: although most of your traffic might not be encrypted, if you find someone else who uses GPG try to make a practice of communicating using only GPG with that person.
- Look for advocates: people who use GPG usually love to evangelize about it and help others to use it too. Find someone like this who can answer your questions and help you along.
Security resources for activists
The above posts contain a quick overview of email security. For more in-depth information, check out these websites:
- security.resist.ca Helping activists stay safe in our oppressive world.
- APC Security Docs A series of briefings on information security and online safety for civil society organizations.
- Guide to Email Security Using Encryption and Digital Signatures
- Computer Security for the Average Activist A downloadable PDF.
- An introduction to activism on the internet
Related links
- Electronic Privacy Information Center
- Electronic Frontier Foundation
- American Civil Liberties Union
- Center for Democracy and Technology
- Wikipedia
News Articles
Labels: Internet Security
posted by Resistance 4/12/2007 09:10:00 AM,