houseforge recommendation December 2007: Protection

housetier:
About houseforge:
In this series I recommend tools that meet certain criteria: they have to be free of charge, useful or fun, and they have to work at least on both linux and windows.

Suggestions are welcome :)
Oh well, we are halfway into the month of December already and I couldn't decide on something specific yet. So let's weaken our criteria a little and decide to recommend not a specific tool but a specific kind of tool: tools that can help to protect your privacy. However, this will not be a full-fledged privacy protection thing; I will suggest a few things to get started, and to make you think about protecting your privacy.



Here goes...

:Thmbsup:The houseforge recommendation for December 2007! :Thmbsup:
Short

Do everything you can to protect your privacy, starting with your electronic communications! Encrypt your email, encrypt your instant messages and IRC chats. It is possible with the help of:

* PGP
* GnuPG
* mircryption
* FiSH
* OTR
* and others

Longer

Let's look at two popular means of modern electronic communication: email and chat.

email
Because email uses a, let's say, clear-text protocol, anyone between you and the recipient of your email can read it without any problems. With a so-called packet sniffer one can see the complete email, header, subject, and body, as it "goes over the wire". If you send confidential or sensitive information, or even if you don't want everybody to read your email, you need to encrypt it. There are various encryption algorithms of various strengths.

For encrypting email, PGP (Pretty Good Privacy) and its open source equivalent GnuPG (Gnu Privacy Guard) have become popular; partially because their encryption is very strong and because they are compatible: PGP encrypted email can be decrypted with GnuPG and vice versa. This scheme is called public-key cryptography and is explained at Wikipedia.

There are plugins for various email programs, for example enigmail (which uses gnupg) for mozilla thunderbird. What a coincidence, these are both available for many platforms  ;) I can't go into detail about setting these up now, because I want to finish this article :)

IRC
OK, now that you know you should encrypt your email communication and how to do it, we go to instant messages and the like. The matter is equally complicated because of the many clients for each protocol and because there are several (sometimes incompatible) encryption schemes. Let's pick a few and bear the wrath of the users whose clients we neglect now. For IRC xchat and mirc seem popular.

instant messaging
Of course here I recommend pidgin! There is an OTR-plugin available, which works very well. Another choice is Miranda IM, which is particularly attractive because its security and privacy addons include OTR and GnuPG.

For these clients we have mouser's mircryption and FiSH (http://fish.sekure.us/). IIRC, they are even compatible and use a quite strong encryption scheme. Messages are encrypted before sending, and are decrypted before displaying them to the user. So, again, the evil MIM (man in the middle) cannot peep in to find out what you are talking about. From my point of view, installation and use is pretty easy: load the plugin, set a masterkey, exchange a key with your peer, and start cyb3rsex0ring.



Wrapping it up
fitting the criteria
This has been a rather vague recommendation, but I think it fits our houseforge criteria: The tools are (mostly) free and (mostly) cross-platform. GnuPG works on several platforms, so does mozilla thunderbird, and therefore enigmail. XChat is cross-platform too, as are mircryption and fish (both work with mirc AND xchat!).

obstacles
There obviously is no point in encrypting when your peers can't decrypt. This is one obstacle you have to overcome: get them to use encryption too!  :deal:

Previous Recommendations:

* September 2006 KeePass
* November 2007 Pidgin

housetier:
If needed I'll explain various aspects of securing your online life in more details. I just wanted to get this post done now :)

I think it is very important people start protecting their conversations. Not because they might have something to hide, but because they have nothing to show. These days administrations and governments tend to store more and more data about their citizens, but they do not protect these databases. So the citizens have to protect themselves from the ineptitude of their representatives. Some ISPs also change the data streams sent to their customers; mostly html pages, but who knows what they do to email?

One cannot really predict which route their data packages will take across the internet. Likewise it is difficult to determine if said data has been changed between sender and recipient, or if the MIM was eavesdropping. Encrypting your data will not stop the MIM from listening in on your conversations, but it will make eavesdropping useless. Also, the recipient can tell if the data (email) was changed after the sender sent it off.

I want people to be aware of these threats to their privacy.

Please do ask any questions you might have! I will try my best to answer them  :Thmbsup:

iphigenie:
The key point is that you have to encrypt and protect even mundane information - if you only do it when sending something sensitive, it is like a beacon blinking: "look, something worth trying to crack!".

If people encrypted more things it would be more expensive for criminals and governments to just routinely sniff stuff they have no reason to, just in case...

Not to sound paranoid, you never know when something totally mundane like taking a facial cleanser on a plane might become a suspicious activity. Or when discussing innocent topics with friends in a chat room might become a thought crime (e.g. discussing games, I recall some conversations we had back in '99 about assassination maps in counter strike - I wonder whether we could have these discussions in irc or icq chat nowadays without the police beating down our doors within hours)

J-Mac:
Just wanted to note that encryption - not properly implemented - can be very troublesome.

Back in October 2006 I installed the Freenigma extension for Firefox - it encrypts/decrypts web mail.  Or, well at least it does encrypt it - but maybe doesn't allow you to decrypt it - which is more than a little annoying!

When I realized that I really didn't use it much at all I uninstalled Freenigma.

Then almost exactly one year later - in October 2007 - I started receiving various emails in Thunderbird that looked fine upon initial opening, but when I opened them again to read them through - these were all newsletters - the messages were replaced by the standard invitation to sign up for and install Freenigma!  I am then never again able to read those messages.

Freenigma says, "No Way - not our problem".  I contacted the one source of a newsletter and they did not say at first, but eventually admitted that they encrypt their email with Freenigma, but that if you don't use it the mail is supposed to be non-encrypted.... (How's that supposed to work?!?!). Anyway, fortunately for me I do have a good bit of redundancy built-in to my email, so I was able to read the newsletters in a duplicate in another client.  Those were with the premium version of the Windows Secrets Newsletter. Two days ago it started happening with Gizmo's Tech Alert premium newsletters!

Note that Freenigma was only used in Firefox - not Thunderbird. But it apparently is affecting Thunderbird!  Which will probably drive me right back to Pocomail again. But NEVER again will I install an email encryption client. As far as I am concerned - NO form of electronic mail is private, and critical personal or financial info should NEVER be transmitted via email.

Stick with that and you'll have a lot more protection!

My opinion, of course.

Jim

housetier:
Note that the above post is not about encryption, but about a specific tool. Also I would never trust another entity with encrypting my emails, which is what freenigma does. Hushmail does this also, and recently turned over their customers' private keys to "teh fedz"...

Good encryption IS secure! However, the layman cannot tell if something uses good encryption; they will have to trust others. I can tell you that GnuPG and PGP are good. So good in fact, some countries view them as weapons.

IIRC, fish and mircryption use blowfish which is considered pretty secure. One has to understand, that these encryptions CAN be broken. The only security one has is the time it takes to break them. In most cases it's long enough: several decades if not centuries or even eons.

I use firegpg for my webmail needs. It uses an installed version of GnuPG to do all the work; if there is no GnuPG firegpg will not work. If you want to use it on several machines, you have to find a way to securely carry your private key with you and to use gnupg... but I distress.

My point was: You can protect yourself, and yes, it takes a little more effort. And false implementations can actually harm you, in that they give you a false sense of security. But that's what I am here for: to tell you what to look for and to explain :)

To sum things up: Don't entrust your private key to anybody. (Well maybe keep a sealed copy with your notary or bank.)
