Welcome Guest.   Make a donation to an author on the site November 27, 2014, 10:05:43 AM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
View the new Member Awards and Badges page.
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: Looking for Security Software/Solutions  (Read 1352 times)
Renegade
Charter Member
***
Posts: 11,839



Tell me something you don't know...

see users location on a map View Profile WWW Give some DonationCredits to this forum member
« on: April 22, 2012, 11:17:44 AM »

I'm looking for some software to provide secure communications under the assumption of state sponsored surveillance. The budget is near zero.

I'm thinking that any web services are completely out of the question (way too many exploits and if you don't own the server, all the worse), and that the only real solution is to use strong passwords in public key encryption of documents to email. If the email is intercepted, then it won't matter much.

Is that about right? Am I missing anything?

Remember, the key assumption is state surveillance.
Logged

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
worstje
Honorary Member
**
Posts: 555



The Gent with the White Hat

View Profile Give some DonationCredits to this forum member
« Reply #1 on: April 22, 2012, 11:45:27 AM »

It all depends on the sort of surveillance you expect. Only digital? Or do you expect your analog life to be monitored as well?

In the end, it comes down to trust. A single 'compromised' module makes the entire system void, which essentially means you cannot even trust the OS you use. An example: think of the Debian OpenSSL vulnerability that happened by accident a year or two ago. of which similar tricks could easily be implemented by governments on purpose.

Another mind game to serve as an example is as follows... suppose your system is compromised. But you have the full source code, and you could rebuild it from scratch. The problem is.. what will you rebuild it with? Even if your source code is safe, what is to say about the compiler, maybe it is rigged so everything you compile with it has a backdoor. Or maybe only very specific stuff like security software has a backdoor! Fine, you say, I'll make sure my build environment is safe, and check MD5 or even better a SHA hash that's not been cracked yet. But how can you check it? The md5sum tool or whatever may also be backdoore. Copy it to a system that is theoretically safe? Who knows, your copy command might remove the backdoor...

Long story short: without a clean-room to pick the machine apart in, you can not be sure your system is secure. Sure, there's projects like TinyCC which are built for transparency to combat this sort of dilemma to a point, but they are not performant and take a lot of expertise to use properly to combat this problem. (And _really_ rebuilding a system from scratch, to vet every single piece of code... can easily take months, or even years.)

Do you trust your OS? Do you trust the people who made it? Do you trust the people who supplied it? Do you trust the people who create your encryption software? How about your communication channels? And this is not 'trust to make a good product', nor is it 'trust to mean well', and it isn't 'trust to make a perfect product' either.

It is a 'trust these people with your life' sort of trust. Because once you talk state-sponsored surveillance, that is obviously how high the stakes have gotten. smiley

The safest way would be to layer, layer, and layer more. Do manual encryption based on code books. Throw that through military grade encryption. Don't send it through digital means only, use pre-arranged drop spots. Digital stuff can be monitored for far more easily than drop spots and the sort, which take human sentience and human attention to be on your person or your receiver in order to get caught. Etc. If the state is your enemy, no precaution is a precaution too many.
Logged
db90h
Coding Snacks Author
Charter Member
***
Posts: 455


Software Engineer

View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #2 on: April 22, 2012, 02:16:47 PM »

A properly configured VPN should allow entirely unbreakable communication between client(s) and server(s). With a VPN, you create a secure, encrypted, private virtual network that can span the Internet. Mail servers would be internal to the VPN, same with web servers.

The security of the clients and servers themselves them comes into question, which worstje went into a bit of depth on.
Logged
Renegade
Charter Member
***
Posts: 11,839



Tell me something you don't know...

see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #3 on: April 22, 2012, 09:16:02 PM »

I think that I need to assume that any given server can be compromised, so I can't rely on them being secure. The only way to secure a server is to run it yourself and make certain that security is locked down, but without a budget, this is off the table. Besides, it would require highly skilled people to run, which again, without a budget, is off the table.

The surveillance is digital, analog, and physical. So I think the key is to have strong public key encryption, but layering will be difficult because the people that need to use it won't be able to handle too much information or too much complexity. Something that could layer easily would be good. I'm afraid that multiple steps would be too difficult.

Think of third-world farmers/peasants that will be challenged simply to send an email. (GUI would be infinitely better than command line...)

I forgot to mention in the first post that information needs to be sent out to multiple people as well, so some way to bulk encrypt with public key encryption and email will be needed. Has anyone ever heard of anything that can do this?

So far, looking around Cryptophane seems to be about the best thing to fit the bill:

http://code.google.com/p/cryptophane/

Does anyone have any better suggestions?
Logged

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
Stoic Joker
Honorary Member
**
Posts: 5,404



View Profile WWW Give some DonationCredits to this forum member
« Reply #4 on: April 23, 2012, 06:48:07 AM »

Simplest is to not draw attention to yourself (e.g. by using a constant encrypted stream). Here's the thing 90% of the Marijuana grow houses that got busted in the past few years got busted the same way, by the same people. The local power company. Because the power usage was just too oddly high (lots of grow lamps...).

Low tech tends to get ignored by high tech. The only "encryption" that was never broken by the Germans during the war ... was actually a simple open discussion by Cherokee Indians. Low tech is key ... Because high tech tends to draw too much attention.
Logged
Renegade
Charter Member
***
Posts: 11,839



Tell me something you don't know...

see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #5 on: April 23, 2012, 07:17:47 AM »

Simplest is to not draw attention to yourself (e.g. by using a constant encrypted stream). Here's the thing 90% of the Marijuana grow houses that got busted in the past few years got busted the same way, by the same people. The local power company. Because the power usage was just too oddly high (lots of grow lamps...).

Low tech tends to get ignored by high tech. The only "encryption" that was never broken by the Germans during the war ... was actually a simple open discussion by Cherokee Indians. Low tech is key ... Because high tech tends to draw too much attention.

That's what I was thinking. Go low-tech as much as possible. For the low-tech stuff, I'm simply not going to ask about any of it as I don't need to know. I've already recommended going low-tech for as much as possible for the same reasons that you've outlined -- and the fact that hi-tech is too easy to spy on now. (This isn't for me -- it's for other people and their particular circumstances.)

However, at some point some hi-tech will be needed, so that's why I'm asking here.

40hz sent me some info on OTP:

http://en.wikipedia.org/wiki/One-time_pad

It looks like it may prove useful.
Logged

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
Attronarch
Supporting Member
**
Posts: 60


View Profile Give some DonationCredits to this forum member
« Reply #6 on: April 23, 2012, 07:45:23 AM »

On the topic of low tech encryption - something like this might be useful.
Logged
Pages: [1]   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.03s | Server load: 0.02 ]