Topic: houseforge recommendation December 2007: Protection  (Read 24279 times)

housetier

houseforge recommendation December 2007: Protection
« on: December 13, 2007, 05:35 AM »
About houseforge:
In this series I recommend tools that meet certain criteria: they have to be free of charge, useful or fun, and they have to work at least on both linux and windows.

Suggestions are welcome :)

Oh well, we are halfway into the month of December already and I couldn't decide on something specific yet. So let's weaken our criteria a little and decide to recommend not a specific tool but a specific kind of tool: tools that can help to protect your privacy. However, this will not be a full-fledged privacy protection thing; I will suggest a few things to get started, and to make you think about protecting your privacy.



Here goes...

:Thmbsup:The houseforge recommendation for December 2007! :Thmbsup:

Short

Do everything you can to protect your privacy, starting with your electronic communications! Encrypt your email, encrypt your instant messages and IRC chats. It is possible with the help of:

Longer

Let's look at two popular means of modern electronic communication: email and chat.

email

Because email uses a, let's say, clear text protocol, anyone between you and the recipient of your email can read it without any problems. With a so-called packet sniffer one can see the complete email, header, subject, and body, as it "goes over the wire". If you send confidential or sensitive information, or even if you don't want everybody to read your emails, you need to encrypt them. There are various encryption algorithms of various strengths.

For encrypting email, PGP (Pretty Good Privacy) and its open source equivalent GnuPG (Gnu Privacy Guard) have become popular; partially because their encryption is very strong and because they are compatible: PGP encrypted email can be decrypted with GnuPG and vice versa. This scheme is called public-key cryptography and is explained at Wikipedia.

There are plugins for various email programs, for example enigmail (which uses gnupg) for mozilla thunderbird. What a coincidence, these are both available for many platforms  ;) I can't go into detail about setting these up now, because I want to finish this article :)

IRC

OK, after you know you should encrypt your email communication and how to do it, we go to instant messages and the like. The matter is equally complicated because of the many clients for each protocol and because there are several (sometimes incompatible) encryption schemes. Let's pick a few and bear the wrath of the users whose clients we neglect now. For IRC xchat and mirc seem popular.

instant messaging

Of course here I recommend pidgin! There is an OTR-plugin available, which works very well. Another choice is Miranda IM, which is particularly attractive because its security and privacy addons include OTR and GnuPG.

For these clients we have mouser's mircryption and http://fish.sekure.us/FiSH. IIRC, they are even compatible and use a quite strong encryption scheme. Messages are encrypted before sending, and are decrypted before displaying them to the user. So, again, the evil MIM (man in the middle) cannot peep in to find out what you are talking about. From my point of view, installation and use is pretty easy: load the plugin, set a masterkey, exchange a key with your peer, and start cyb3rsex0ring.



Wrapping it up
fitting the criteria

This has been a rather vague recommendation, but I think it fits our houseforge criteria: The tools are (mostly) free and (mostly) cross-platform. GnuPG works on several platforms, so does mozilla thunderbird, and therefore enigmail. XChat is cross-platform too, as are mircryption and fish (both work with mirc AND xchat!).

obstacles

There obviously is no point in encrypting when your peers can't decrypt. This is one obstacle you have to overcome: get them to use encryption too!  :deal:


Previous Recommendations:
« Last Edit: December 13, 2007, 06:29 AM by housetier »

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #1 on: December 13, 2007, 07:44 AM »
If needed I'll explain various aspects of securing your online life in more detail. I just wanted to get this post done now :)

I think it is very important people start protecting their conversations. Not because they might have something to hide, but because they have nothing to show. These days administrations and governments tend to store more and more data about their citizens, but they do not protect these databases. So the citizens have to protect themselves from the ineptitude of their representatives. Some ISPs also change the data streams sent to their customers; mostly html pages, but who knows what they do to email?

One cannot really predict which route their data packages will take across the internet. Likewise it is difficult to determine if said data has been changed between sender and recipient, or if the MIM was eavesdropping. Encrypting your data will not stop the MIM from listening in on your conversations, but it will make eavesdropping useless. Also, the recipient can tell if the data (email) was changed after the sender sent it off.

I want people to be aware of these threats to their privacy.

Please do ask any questions you might have! I will try my best to answer them  :Thmbsup:

iphigenie

Re: houseforge recommendation December 2007: Protection
« Reply #2 on: December 16, 2007, 05:29 AM »
The key point is that you have to encrypt and protect even mundane information - if you only do it when sending something sensitive, it is like a beacon blinking: "look, something worth trying to crack!".

If people encrypted more things it would be more expensive for criminals and governments to just routinely sniff stuff they have no reason to, just in case...

Not to sound paranoid, you never know when something totally mundane like taking a facial cleanser on a plane might become a suspicious activity. Or when discussing innocent topics with friends in a chat room might become a thought crime (eg: discussing games, i recall some conversations we had back in '99 about assassination maps in counter strike - i wonder whether we could have these discussions in irc or icq chat nowadays without the police beating down our doors within hours)

J-Mac

Re: houseforge recommendation December 2007: Protection
« Reply #3 on: December 16, 2007, 11:22 AM »
Just wanted to note that encryption - not properly implemented - can be very troublesome.

Back in October 2006 I installed the Freenigma extension for Firefox - it encrypts/decrypts web mail.  Or, well at least it does encrypt it - but maybe doesn't allow you to decrypt it - which is more than a little annoying!

When I realized that I really didn't use it much at all I uninstalled Freenigma.

Then almost exactly one year later - in October 2007 - I started receiving various emails in Thunderbird that looked fine upon initial opening, but when I opened them again to read them through - these were all newsletters - the messages were replaced by the standard invitation to sign up for and install Freenigma!  I am then never again able to read those messages.

Freenigma says, "No Way - not our problem".  I contacted the one source of a newsletter and they did not say at first, but eventually admitted that they encrypt their email with Freenigma, but that if you don't use it the mail is supposed to be non-encrypted.... (How's that supposed to work?!?!). Anyway, fortunately for me I do have a good bit of redundancy built-in to my email, so I was able to read the newsletters in a duplicate in another client.  Those were with the premium version of the Windows Secrets Newsletter. Two days ago it started happening with Gizmo's Tech Alert premium newsletters!

Note that Freenigma was only used in Firefox - not Thunderbird. But it apparently is affecting Thunderbird!  Which will probably drive me right back to Pocomail again. But NEVER again will I install an email encryption client. As far as I am concerned - NO form of electronic mail is private, and critical personal or financial info should NEVER be transmitted via email.

Stick with that and you'll have a lot more protection!

My opinion, of course.

Jim

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #4 on: December 16, 2007, 11:59 AM »
Note that the above post is not about encryption, but about a specific tool. Also I would never trust another entity with encrypting my emails, which is what freenigma does. Hushmail does this also, and recently turned over their customers' private keys to "teh fedz"...

Good encryption IS secure! However, the layman cannot tell if something uses good encryption; they will have to trust others. I can tell you that GnuPG and PGP are good. So good in fact, some countries view them as weapons.

IIRC, fish and mircryption use blowfish which is considered pretty secure. One has to understand, that these encryptions CAN be broken. The only security one has is the time it takes to break them. In most cases it's long enough: several decades if not centuries or even eons.

I use firegpg for my webmail needs. It uses an installed version of GnuPG to do all the work; if there is no GnuPG firegpg will not work. If you want to use it on several machines, you have to find a way to securely carry your private key with you and to use gnupg... but I distress.

My point was: You can protect yourself, and yes, it takes a little more effort. And false implementations can actually harm you, in that they give you a false sense of security. But that's what I am here for: to tell you what to look for and to explain :)

To sum things up: Don't entrust your private key to anybody. (Well maybe keep a sealed copy with your notary or bank.)

Armando

Re: houseforge recommendation December 2007: Protection
« Reply #5 on: December 17, 2007, 02:09 AM »
Thanks for all these infos ! Very useful to me.  :up:

urlwolf

Re: houseforge recommendation December 2007: Protection
« Reply #6 on: December 17, 2007, 04:44 AM »
I wonder if Opera M2 will ever implement PGP...

iphigenie

Re: houseforge recommendation December 2007: Protection
« Reply #7 on: December 17, 2007, 05:04 AM »
Good encryption IS secure! However, the layman cannot tell if something uses good encryption; they will have to trust others. I can tell you that GnuPG and PGP are good. So good in fact, some countries view them as weapons.

The problem with all those private/public key schemes is the reliable swapping of keys - if I have met you in person then it is easy for me to be sure that the key I receive is yours etc. but online it is a lot more murky.

You have a lot of people making a business of selling validated keys but I know they usually rely on their resellers to validate keys (and many just sell direct online, no validation), and it gets more and more remote after that - so you can only trust things so far...

Which I suspect is a business opportunity for banks as the intermediaries - my bank knows me and I know my bank, you know your bank and your bank knows you - and our banks can probably communicate securely...

Lashiec

Re: houseforge recommendation December 2007: Protection
« Reply #8 on: December 17, 2007, 07:09 AM »
Hmmm, can we get Microsoft to use encryption in Windows Live Messenger? (That would be the only way to have encrypted communications with ALL my contacts in MSN).

IRC on the other hand... I could use OTR in Miranda for when we are chatting about taking over the world in the DC channel. When do we get encryption in the forum? ;D

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #9 on: December 17, 2007, 07:18 AM »
Which I suspect is a business opportunity for banks as the intermediaries - my bank knows me and I know my bank, you know your bank and your bank knows you - and our banks can probably communicate securely...

Mark Shuttleworth became rich doing just that: ensuring a key belongs to the person he/she claims belongs to. Well he became rich after he sold the company... So there is money to be made. Like notaries used to validate a document, CAs (certificate authorities) now validate electronic "documents".

gjehle

Re: houseforge recommendation December 2007: Protection
« Reply #10 on: December 17, 2007, 07:18 AM »
Messages are encrypted before sending, and are decrypted before displaying them to the user. So, again, the evil MIM (man in the middle) cannot peep in to find out what you are talking about.

i just want to point out some important details

neither mircryption, fish, nor otr are safe from a man in the middle (MITM) attack.
same holds true for pgp, and therefore gnupg.
the wikipedia article mentions OTR as a countermeasure against mitm, this is not true

this is not a problem with the encryption itself, but with the way keys are exchanged / agreed upon.

fish and mircryption use (can use) DH1080 (which is straightforward diffie-hellman key agreement) to exchange secrets.

to work around mitm attacks one has to establish a truly secure channel to exchange secrets, or part of a secret.
for instance, meet in person and exchange keys in a safe/secure environment.

to make it more difficult for eavesdroppers one can use multiple weak security channels to transmit parts of the secret
with the intent of making the exchange happen in so many places at once, that it's too complicated to wiretap all channels.

anyways, nice article housetier!
and to everyone: protect your privacy!

gjehle

Re: houseforge recommendation December 2007: Protection
« Reply #11 on: December 17, 2007, 07:20 AM »
Hmmm, can we get Microsoft to use encryption in Windows Live Messenger? (That would be the only way to have encrypted communications with ALL my contacts in MSN).

use pidgin
i use pidgin for all my IM contacts, specifically: icq, aim, yahoo, msn, jabber
should work also with miranda, or, if you like it non-free: trillian

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #12 on: December 17, 2007, 07:23 AM »
Hmmm, can we get Microsoft to use encryption in Windows Live Messenger?

I dunno what you can do to make Microsoft do anything, but you can use miranda and its plugins for OTR and GnuPG.

Lashiec

Re: houseforge recommendation December 2007: Protection
« Reply #13 on: December 17, 2007, 07:24 AM »
Yes, but what I was talking about is what housetier mentioned: if the other part doesn't use the plugin, you can't encrypt the information you're sending as well. Practically all my friends use WLM, except one who uses aMSN, and another who uses Adium (when he's on the Mac, anyway), and WLM is not exactly the privacy champion, more the opposite <_<

I use Miranda for everything, so no problem there :)

gjehle

Re: houseforge recommendation December 2007: Protection
« Reply #14 on: December 17, 2007, 07:28 AM »
Yes, but what I was talking about is what housetier mentioned: if the other part doesn't use the plugin, you can't encrypt the information you're sending as well. Practically all my friends use WLM, except one who uses aMSN, and another who uses Adium (when he's on the Mac, anyway), and WLM is not exactly the privacy champion, more the opposite <_<

I use Miranda for everything, so no problem there :)

if they value privacy, they will switch to a client that allows more security.

there is also OTR support for adium.

Lashiec

Re: houseforge recommendation December 2007: Protection
« Reply #15 on: December 17, 2007, 07:31 AM »
If I posted the never ending discussions with one of them about my stubbornness in not installing anything labeled "Messenger" by Microsoft... they won't care that much about privacy, anyway.

I'll look into talking with my Adium-user friend for using OTR, thanks for the tip.

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #16 on: December 17, 2007, 07:34 AM »
i just want to point out some important details

Well FINALLY we get down to the beefy details! :)


for instance, meet in person and exchange keys in a safe/secure environment.

For GnuPG/PGP it should be enough to exchange the fingerprint of the key, because said fingerprint (e.g. 0986 736D 468B 5D28 7C6A  811D D609 3240 38BA B1B4) is much shorter than a key.

gjehle

Re: houseforge recommendation December 2007: Protection
« Reply #17 on: December 17, 2007, 07:50 AM »
for instance, meet in person and exchange keys in a safe/secure environment.

For GnuPG/PGP it should be enough to exchange the fingerprint of the key, because said fingerprint (e.g. 0986 736D 468B 5D28 7C6A  811D D609 3240 38BA B1B4) is much shorter than a key.

of course, but only in person or over a secure channel ;-)
if you can mitm key exchange, you can mitm fingerprint exchange :D
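
The point made in the replies above, that a fingerprint only protects a key exchange when it travels over a channel the network cannot alter, as an added example (not code from the thread, nor from GnuPG, FiSH or mircryption). The small demonstration group, the 40-hex-digit SHA-256 fingerprint and every name below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Demonstration group (assumption): prime 2**255 - 19, generator 2.
# Chosen to keep the example short; it is not the DH1080 prime used by
# FiSH/mircryption and not a group to deploy.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive a symmetric key from the plain Diffie-Hellman shared value."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("peer public value out of range")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()


def fingerprint(pub):
    """Short digest of a public value, grouped like the fingerprint quoted above."""
    digest = hashlib.sha256(pub.to_bytes(32, "big")).hexdigest().upper()[:40]
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))


def fingerprint_matches(received_pub, expected_fp):
    """Compare the key that arrived with the fingerprint its owner gave us."""
    return hmac.compare_digest(fingerprint(received_pub), expected_fp)


class Substituter:
    """Models an untrusted network that replaces what it carries with its own key."""

    def __init__(self):
        self.priv, self.pub = keypair()

    def carry_key(self, pub):
        return self.pub

    def carry_fingerprint(self, fp):
        return fingerprint(self.pub)


def run_exchange(network=None, fingerprint_in_person=True):
    """Alice and Bob swap public values; Bob checks Alice's against her fingerprint."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    alice_fp = fingerprint(a_pub)
    key_bob_got = network.carry_key(a_pub) if network else a_pub
    key_alice_got = network.carry_key(b_pub) if network else b_pub
    if network and not fingerprint_in_person:
        # The fingerprint went over the same untrusted network as the key.
        alice_fp = network.carry_fingerprint(alice_fp)
    return {
        "keys_agree": session_key(a_priv, key_alice_got) == session_key(b_priv, key_bob_got),
        "bob_accepts": fingerprint_matches(key_bob_got, alice_fp),
    }


if __name__ == "__main__":
    print("clean network:          ", run_exchange())
    print("fingerprint in person:  ", run_exchange(Substituter()))
    print("fingerprint same channel:", run_exchange(Substituter(), fingerprint_in_person=False))
```

Only the middle case ends with Bob rejecting the substituted key; when the fingerprint shares the key's channel, the check passes even though the two ends hold different session keys.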

Armando

Re: houseforge recommendation December 2007: Protection
« Reply #18 on: December 17, 2007, 10:40 AM »
for instance, meet in person and exchange keys in a safe/secure environment.

Not always convenient...  :(

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #19 on: December 17, 2007, 12:13 PM »
Bad People, Good People

I wish it was more convenient to protect oneself. Even more so I wish it wasn't necessary to do so... But there are bad people, who won't care whether or not you are a nice person. It's against those "bad people" that you have to take inconvenient steps. Although not the whole internet is bad, it isn't completely good either.

Really Convenient?

The conveniences that are offered (hushmail, freenigma) take control from you, which might be even less convenient later.

False Sense of Security

And to say it again: taking the wrong steps can leave you with a false impression of security.

Secure Conferences

And for IRC-like conversations (group chats) consider using SILC. Even if you don't employ all the security measures mentioned above right away, if you started thinking about privacy and protection, it was worth writing so much about protection :) :)

Ask me more!

:tellme: Go ahead please and ask questions or voice your concerns! :tellme: PM me, or send email (here is my public GnuPG key), or ask right here in this thread.


Ralf Maximus

Re: houseforge recommendation December 2007: Protection
« Reply #20 on: December 17, 2007, 10:34 PM »
for instance, meet in person and exchange keys in a safe/secure environment.

"I like you, and you like me, so I think we should take the next step."

"Erm... really.  What's that exactly?"

"We exchange keys."

"Oh!  I know what that is.  We did it once in college.  Everyone sits around on the floor with a big bowl in the middle, and we all place our room keys in there, and people close their eyes and reach in there and randomly pick one out, and--"

"No!  No, I meant... encryption keys.  So we can, you know, encrypt our..."

"Oh.  So you don't want the key to my apartment?"

"Didn't say that."

Lashiec

Re: houseforge recommendation December 2007: Protection
« Reply #21 on: December 19, 2007, 07:12 PM »
A little question about OTR. Though it works really good in MSN (turns out Adium packs OTR by default in the package), I am curious about the privacy scope in the IRC. Can it be used when talking in the public chat of the channel or does it only work when I am having a private IRC conversation, with, say, Ralf Maximus? (shameless plug for Ralf to join us at #donationcoder sometime. That, and being the last poster :P)

Armando

Re: houseforge recommendation December 2007: Protection
« Reply #22 on: December 19, 2007, 09:08 PM »
Bad People, Good People
I wish it was more convenient to protect oneself.  [Etc. etc.]

Good points, of course. Thanks a lot for sharing your knowledge housetier!
I'll have to think about how to protect my privacy a bit better. I encrypt all backups already, so that's one thing. I was also thinking of encrypting my whole laptop drive with truecrypt (many files are already encrypted with various programs, like axcrypt)... But it's stuff like what J-Mac described earlier that frightens me... Anyway, sorry about being a bit off-topic here.

gjehle

Re: houseforge recommendation December 2007: Protection
« Reply #23 on: December 20, 2007, 01:38 AM »
A little question about OTR. Though it works really good in MSN (turns out Adium packs OTR by default in the package), I am curious about the privacy scope in the IRC. Can it be used when talking in the public chat of the channel or does it only work when I am having a private IRC conversation, with, say, Ralf Maximus? (shameless plug for Ralf to join us at #donationcoder sometime. That, and being the last poster :P)

AFAIK OTR only works for 2 parties. I'm not 100% sure, tho.

There is a similar problem with key-agreement using DH1080 for mircryption/fish.
The 'simple' solution is:
- generate a long and random password for the public channel and set it
- perform DH1080 key agreement with each party that wants to talk encrypted in the channel
- exchange the channel password of the so secured private 1on1 chat
- manually set received channel password

i was planning on incorporating code to automatically perform this rather simple task in mircryption/xchat but haven't found the time to do it yet.
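
The four manual steps listed in the post above, automated as an added example (not code from mircryption, FiSH or the poster). The demonstration group, the `Member` class and the XOR-pad-plus-MAC wrapping that stands in for the plugins' Blowfish are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Demonstration group (assumption): prime 2**255 - 19, generator 2.
# It is not the DH1080 prime and not a group to deploy.
P, G = 2**255 - 19, 2


class Member:
    """One IRC user holding a DH key pair and, eventually, the channel key."""

    def __init__(self, nick):
        self.nick = nick
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)
        self.channel_key = None

    def pairwise_key(self, peer_pub):
        """Step 2: key agreement that secures the private 1-on-1 chat."""
        shared = pow(peer_pub, self._priv, P).to_bytes(32, "big")
        return hashlib.sha256(shared).digest()


def _pad(key, label):
    """Derive 32 bytes from the pairwise key for one labelled purpose."""
    return hmac.new(key, label, hashlib.sha256).digest()


def wrap(pairwise, channel_key):
    """Step 3: protect the channel key for the 1-on-1 chat.

    XOR with a pad derived from the pairwise key, followed by a MAC over the
    result. Acceptable here only because each pairwise key wraps one message.
    """
    ct = bytes(a ^ b for a, b in zip(channel_key, _pad(pairwise, b"wrap")))
    return ct + _pad(pairwise, b"tag" + ct)


def unwrap(pairwise, blob):
    """Step 4 (receiver side): authenticate, then recover the channel key."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _pad(pairwise, b"tag" + ct)):
        raise ValueError("channel key message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _pad(pairwise, b"wrap")))


def distribute(owner, members):
    """Run steps 1-4; return the wrapped blobs that crossed the network."""
    owner.channel_key = secrets.token_bytes(32)                    # step 1
    sent = {}
    for m in members:
        blob = wrap(owner.pairwise_key(m.pub), owner.channel_key)  # steps 2-3
        m.channel_key = unwrap(m.pairwise_key(owner.pub), blob)    # step 4
        sent[m.nick] = blob
    return sent


if __name__ == "__main__":
    op = Member("op")
    crew = [Member("alice"), Member("bob")]
    distribute(op, crew)
    print(all(m.channel_key == op.channel_key for m in crew))
```

The pairwise agreement in step 2 is unauthenticated, so the key-substitution concern raised earlier in the thread applies to it as well.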

housetier

Re: houseforge recommendation December 2007: Protection
« Reply #24 on: December 21, 2007, 09:20 AM »
In another recent thread some of our dear users are talking about encrypting, and thus protecting, data on the harddisk. It seems a little bit windows-specific, so I can't recommend all their tools, but I think I should mention them.

It's your data and you should protect it!