Encryption Archives

What Wikileaks Should Have Done

As most of you are probably aware, the ultimate whistleblower site, Wikileaks, has once again been in the news quite a bit because it has published thousands of documents, messages and so on that have proven to be a major source of embarrassment to not only the US government but to several other governments around the world.

As a result, not only is its top guy up to his eyeballs in legal trouble of all kinds, the site itself has been under attack in a big way.  There are several governments and mega-corporations pushing hard, doing their best to get the site taken down, even going so far as to remove DNS entries that make it work.

In response there’s a whole bunch of people working to mirror the site in several different places to keep it online.  This is all fine and dandy and will no doubt work to varying degrees depending on jurisdiction but there’s one option that they have apparently decided not to consider.

One of the first places to mirror the data that they have been releasing ought to have been Freenet Classic Opennet (FCon).

Why?

Because the primary reason for the existence of FCon in the first place is to provide a means to publish and obtain information on the Internet without fear of censorship.

You see, FCon isn’t just another run of the mill P2P file sharing system like Kazaa, Limewire, or Bittorrent.  Data inserted into FCon becomes part of an encrypted, distributed data store.  Additionally, because the data store is encrypted, node operators cannot be expected to know the contents of their node’s data store.  Nor do they have any ability to edit or censor that content.

Once something is inserted into the network it continues to be available even after the node that inserted it goes off-line.  For example, there are websites that were inserted into the network as long ago as 2001 that can still be retrieved today even though the original authors have long since left the network.

The reason that I think Wikileaks should make use of FCon is because once the information they wish to publish is inserted, they can ask other FCon users to republish that information on the conventional internet.  Thus the information still comes out while at the same time it’s in a position where it literally cannot be taken down or deleted.

In fact, once something is inserted into the FCon network, even the act of requesting it to see if it’s there will actually cause the network to propagate that data to more nodes, thus increasing the chances that it will still be available years later.

I’m not saying that Wikileaks should use FCon exclusively but it IS something that they should add to their toolbox.  I should also say that the title of this post isn’t necessarily the end of the situation.  Wikileaks still has the option to download Freenet (FCon), set up a node (or six, or a few dozen) and start inserting stuff that they don’t want taken down.


Matterhorn Remailer Back Up

I recently posted about the Matterhorn remailer being down.  This morning I found an announcement in alt.privacy.anon-server that it’s been restored to normal operation.

It does, however, have a new Mixmaster key.  The best way to get the new key is to send an email to remailer AT rip DOT ax DOT lt with the subject line: remailer-key


4th Amendment Protection Eliminated In E-mail

I just read something on Slashdot that should be a great big red flag to anyone that has any interest in email privacy at all.

The 11th Circuit court handed down a decision in Rehberg v. Paulk which severely limits how much fourth amendment protection there is for Email.  The decision was that constitutional protection in stored copies of e-mail held by third parties disappears as soon as any copy of the communication is delivered.

The problem with this is that because of how email works, just because a copy of the message was delivered to you when your email program downloaded it from the server, it doesn’t mean that the copy on the server instantly ceases to exist.  This means that the government or any Law Enforcement Agency can just wait until email is delivered and then snag a copy from the server it was delivered from.

If you’d like an in depth look at why this decision is wrong I suggest you have a look at this article.  The author goes into the legal nuts and bolts of why the 11th circuit court is wrong.

Regardless of whether it’s ever overturned or not, this case serves as a reminder that even with fourth amendment protections, email is NOT very private at all unless you take steps to MAKE it private.

The only real answer to the problem of course is to use encryption.  And before you start going with the “If you haven’t got anything to hide then you have nothing to worry about” crap, think about this.  For the average person (even law abiding people), it’s not a question of having “something to hide” so much as having privacy.  Back in the days when everybody used postal mail, if you didn’t want the contents of your message to be read then you would use a security envelope or perhaps even put it into a package that was much more difficult to open.

The same thing applies to email.  People send emails every day the contents of which they very much do NOT want to be read by anyone but the intended recipient.  Those emails can be literally anything from important business matters about a new secret project to your Aunt Jane’s secret collection of home remedies for acne.  The point is that you want them to be read only by the person that you’re sending them to and that anyone else reading them is an invasion of privacy.

This is where encryption comes in.  For example if you use Thunderbird as your email program it’s a small thing to get a plugin called Enigmail and a copy of GnuPG, take a few minutes to read some instructions about how to set them up and create a keypair, publish the public part of the key and you’re ready to begin encrypting your email.

OK, granted, it’s not much use to encrypt email unless the other party has the same kind of setup but that’s really easy.  All of the programs I just mentioned are free and take only minutes to set up.

I have personally been using encryption for years.  Even when I don’t encrypt emails I use Enigmail & GnuPG to digitally sign all of my emails so that the recipients can (A) verify that it was me that sent it and (B) tell if the message has been altered in any way.

If you want your email to be private the ONLY way to ensure this is to use encryption.  I think that it’s long overdue for encryption to come into mainstream use.  It’s not hard to do and does something that regular, unencrypted, email can’t do: It guarantees that you have an “Expectation of privacy” because you have taken extra steps to make it clear to anyone looking at the message that you don’t want anyone but the intended recipient to read it.


Matterhorn Remailer Down

I just ran across a post on alt.privacy.anon-server from yesterday announcing that the Matterhorn anonymous remailer is down, apparently due to a hard drive failure.  Since the operator is out of the country it’s likely to be months before it’s restored to operation.

What I thought was a completely non-thought out answer to that post was somebody suggesting that they just give instructions to somebody with physical access to the machine it runs on so that they could get it going again.

Obviously this is a bad idea.  Why?  Because a remailer is a security application and the only way that it can STAY that way is if ONLY the operator has the passphrases needed to access the machine and the PGP keys for the remailer program itself.  Having anyone else do anything with it means giving those passphrases to them in order for them to be able to do it.  It’s right up there with sharing your personal PGP/GnuPG key passphrase.  You just don’t do it… ever.

Why can’t people see really obvious things like this?


Why I PGP Sign All My Emails

I’ve been making it a point to PGP sign all of my emails for several years now and I still get the occasional question asking why I bother.  The answer is simple really, I’m using it as a form of identity theft protection.

You see about five or six years ago I and people I know suddenly started getting spam that had my email address in the From line.  I had known for a long time that it was actually a trivial matter to spoof the from line in an email but this is when it really hit home.  Just by faking the origin of the email somebody could, if they wanted to, send literally anything they wanted to my friends & family and there wouldn’t be any real way for me to convince anyone that I didn’t send it.

Granted, family members are most likely to believe me if I tell them I didn’t send that nasty email with my address in its header but most people don’t tend to be as forgiving if they’re not family.

I had been using PGP occasionally to encrypt private messages but I hadn’t used it much otherwise.  This is when I instituted a policy of always signing emails that I send.  That way, if there’s ever a question of “did you send such-and-such?”, I can ask them “Does it have a valid PGP signature created with my personal key?”.  If the answer is no then I didn’t send it.

After deciding on this I let everyone know that if there was ever a question about the validity of an email appearing to be from me, all they have to do is look for and check the signature.

It ensures that nobody can send something claiming to be me because they can’t duplicate my signature without my private key and the passphrase.

And no, you can’t just copy the signature block from one email and paste it into another.  It doesn’t work that way.  Any PGP signature is totally unique to the message it appears in.
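
The point above, shown as an added example that is not part of the original post: a throwaway GnuPG key signs one message, and that same signature block is then checked against a different message and against an altered copy. The key name, address and message texts are constructed for the demo, and it assumes GnuPG 2.1 or later is installed.

```shell
#!/bin/sh
# Added example: a detached OpenPGP signature only verifies against the exact
# bytes it was made over. Key, address and messages are constructed.

# Throwaway keyring and working directory, removed on exit.
GNUPGHOME=$(mktemp -d) && WORK=$(mktemp -d) || exit 1
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Unprotected test key (empty passphrase) so the demo runs unattended.
# A real personal key should always have a passphrase.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Sender <sender@example.invalid>' \
    default default never 2>/dev/null || exit 1

printf 'Meet me at noon.\n'      > "$WORK/a.txt"          # message actually sent
printf 'Wire the money today.\n' > "$WORK/b.txt"          # message the sender never wrote
sed 's/noon/nine/' "$WORK/a.txt" > "$WORK/a_tampered.txt" # one word altered

# Detached, ASCII-armored signature made over a.txt only.
gpg --batch --quiet --armor --detach-sign \
    --output "$WORK/a.sig" "$WORK/a.txt" 2>/dev/null || exit 1

# Print GOODSIG, BADSIG or ERROR for signature file $1 checked against file $2,
# read from gpg's machine-readable status output.
sig_status() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG") { print $2; ok = 1; exit }
             END { if (!ok) print "ERROR" }'
}

echo "original message:          $(sig_status "$WORK/a.sig" "$WORK/a.txt")"
echo "signature pasted onto b:   $(sig_status "$WORK/a.sig" "$WORK/b.txt")"
echo "one word changed:          $(sig_status "$WORK/a.sig" "$WORK/a_tampered.txt")"
```

Only the first check reports GOODSIG; the pasted and altered cases report BADSIG, which is what a recipient's mail client would flag.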

