
Author Topic: Looking for Security Software/Solutions  (Read 4424 times)

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,288
  • Tell me something you don't know...
Looking for Security Software/Solutions
« on: April 22, 2012, 11:17 AM »
I'm looking for some software to provide secure communications under the assumption of state sponsored surveillance. The budget is near zero.

I'm thinking that any web services are completely out of the question (way too many exploits and if you don't own the server, all the worse), and that the only real solution is to use strong passwords in public key encryption of documents to email. If the email is intercepted, then it won't matter much.

Is that about right? Am I missing anything?

Remember, the key assumption is state surveillance.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

worstje

  • Honorary Member
  • Joined in 2009
  • Posts: 588
  • The Gent with the White Hat
Re: Looking for Security Software/Solutions
« Reply #1 on: April 22, 2012, 11:45 AM »
It all depends on the sort of surveillance you expect. Only digital? Or do you expect your analog life to be monitored as well?

In the end, it comes down to trust. A single 'compromised' module makes the entire system void, which essentially means you cannot even trust the OS you use. An example: think of the Debian OpenSSL vulnerability that happened by accident a year or two ago, of which similar tricks could easily be implemented by governments on purpose.

Another mind game to serve as an example is as follows... suppose your system is compromised. But you have the full source code, and you could rebuild it from scratch. The problem is... what will you rebuild it with? Even if your source code is safe, what is to say about the compiler? Maybe it is rigged so everything you compile with it has a backdoor. Or maybe only very specific stuff like security software has a backdoor! Fine, you say, I'll make sure my build environment is safe, and check MD5 or even better a SHA hash that's not been cracked yet. But how can you check it? The md5sum tool or whatever may also be backdoored. Copy it to a system that is theoretically safe? Who knows, your copy command might remove the backdoor...

Long story short: without a clean-room to pick the machine apart in, you cannot be sure your system is secure. Sure, there are projects like TinyCC which are built for transparency to combat this sort of dilemma to a point, but they are not performant and take a lot of expertise to use properly to combat this problem. (And _really_ rebuilding a system from scratch, to vet every single piece of code... can easily take months, or even years.)

Do you trust your OS? Do you trust the people who made it? Do you trust the people who supplied it? Do you trust the people who create your encryption software? How about your communication channels? And this is not 'trust to make a good product', nor is it 'trust to mean well', and it isn't 'trust to make a perfect product' either.

It is a 'trust these people with your life' sort of trust. Because once you talk state-sponsored surveillance, that is obviously how high the stakes have gotten. :)

The safest way would be to layer, layer, and layer more. Do manual encryption based on code books. Throw that through military grade encryption. Don't send it through digital means only, use pre-arranged drop spots. Digital stuff can be monitored for far more easily than drop spots and the sort, which take human sentience and human attention to be on your person or your receiver in order to get caught. Etc. If the state is your enemy, no precaution is a precaution too many.

db90h

  • Coding Snacks Author
  • Charter Member
  • Joined in 2005
  • Posts: 481
  • Software Engineer
Re: Looking for Security Software/Solutions
« Reply #2 on: April 22, 2012, 02:16 PM »
A properly configured VPN should allow entirely unbreakable communication between client(s) and server(s). With a VPN, you create a secure, encrypted, private virtual network that can span the Internet. Mail servers would be internal to the VPN, same with web servers.

The security of the clients and servers themselves then comes into question, which worstje went into a bit of depth on.

Renegade

Re: Looking for Security Software/Solutions
« Reply #3 on: April 22, 2012, 09:16 PM »
I think that I need to assume that any given server can be compromised, so I can't rely on them being secure. The only way to secure a server is to run it yourself and make certain that security is locked down, but without a budget, this is off the table. Besides, it would require highly skilled people to run, which again, without a budget, is off the table.

The surveillance is digital, analog, and physical. So I think the key is to have strong public key encryption, but layering will be difficult because the people that need to use it won't be able to handle too much information or too much complexity. Something that could layer easily would be good. I'm afraid that multiple steps would be too difficult.

Think of third-world farmers/peasants that will be challenged simply to send an email. (GUI would be infinitely better than command line...)

I forgot to mention in the first post that information needs to be sent out to multiple people as well, so some way to bulk encrypt with public key encryption and email will be needed. Has anyone ever heard of anything that can do this?

So far, looking around, Cryptophane seems to be about the best thing to fit the bill:

http://code.google.com/p/cryptophane/

Does anyone have any better suggestions?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: Looking for Security Software/Solutions
« Reply #4 on: April 23, 2012, 06:48 AM »
Simplest is to not draw attention to yourself (e.g. by using a constant encrypted stream). Here's the thing: 90% of the Marijuana grow houses that got busted in the past few years got busted the same way, by the same people. The local power company. Because the power usage was just too oddly high (lots of grow lamps...).

Low tech tends to get ignored by high tech. The only "encryption" that was never broken by the Germans during the war ... was actually a simple open discussion by Cherokee Indians. Low tech is key ... Because high tech tends to draw too much attention.

Renegade

Re: Looking for Security Software/Solutions
« Reply #5 on: April 23, 2012, 07:17 AM »
> Simplest is to not draw attention to yourself (e.g. by using a constant encrypted stream). Here's the thing: 90% of the Marijuana grow houses that got busted in the past few years got busted the same way, by the same people. The local power company. Because the power usage was just too oddly high (lots of grow lamps...).
>
> Low tech tends to get ignored by high tech. The only "encryption" that was never broken by the Germans during the war ... was actually a simple open discussion by Cherokee Indians. Low tech is key ... Because high tech tends to draw too much attention.

That's what I was thinking. Go low-tech as much as possible. For the low-tech stuff, I'm simply not going to ask about any of it as I don't need to know. I've already recommended going low-tech for as much as possible for the same reasons that you've outlined -- and the fact that hi-tech is too easy to spy on now. (This isn't for me -- it's for other people and their particular circumstances.)

However, at some point some hi-tech will be needed, so that's why I'm asking here.

40hz sent me some info on OTP:

http://en.wikipedia....rg/wiki/One-time_pad

It looks like it may prove useful.

Attronarch

  • Supporting Member
  • Joined in 2012
  • Posts: 147
Re: Looking for Security Software/Solutions
« Reply #6 on: April 23, 2012, 07:45 AM »
On the topic of low tech encryption - something like this might be useful.
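
The one-time pad linked in Reply #5 holds up only if the pad bytes are random, at least as long as the message, and never used twice. The Python below is an added example, not part of any post in this thread: it tracks pad consumption so bytes cannot be reused and shows what leaks when they are. The class and function names and the sample messages are constructed for illustration, and `secrets.token_bytes` is an assumed stand-in for however the pad is really generated.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a message needs more pad bytes than remain unused."""


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; callers pass inputs of equal length."""
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """A pad exchanged in advance; sender and receiver consume it in step."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # index of the first pad byte not yet consumed

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            raise PadExhausted(f"need {n} bytes, {self.remaining()} left")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n  # consumed bytes are never handed out again
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor(plaintext, self._take(len(plaintext)))

    decrypt = encrypt  # XOR with the same pad bytes undoes the encryption


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper learns from two ciphertexts made with the SAME pad bytes."""
    return xor(c1, c2)


if __name__ == "__main__":
    pad = secrets.token_bytes(64)  # constructed sample pad (OS CSPRNG, an assumption)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    m1, m2 = b"meet at the well", b"bring the ledger"  # constructed messages
    c1, c2 = sender.encrypt(m1), sender.encrypt(m2)
    assert receiver.decrypt(c1) == m1 and receiver.decrypt(c2) == m2
    # Misuse: restarting the pad for the second message cancels the key out.
    bad_c2 = xor(m2, pad[:len(m2)])
    assert reuse_leak(c1, bad_c2) == xor(m1, m2)
```

The receiver must decrypt messages in the order they were encrypted, since both sides advance through the pad together; a lost or reordered message desynchronizes them.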