Opt out of PRISM

Closely related to self-defense, this Board focuses in other aspects such as Communications, and Financial.

Re: Opt out of PRISM

Postby Lexington Bill » Mon Feb 16, 2015 4:38 am

This is my first post, but a topic I've had some personal experience with.

I run a TOR bridge. Since the level of security available there is, in part, dependent on the number of nodes online at any given moment (making it incrementally harder to do timing attacks with each node added), I strongly encourage anyone using TOR to "pay into" the system by allowing their machine to serve as a node of some sort. There are three types of node: exit node (makes actual contact with the destination server), non-exit node (any point in the chain except exit) and bridge (allows people behind, for example, the "Great Firewall of China" to access the web. Some people simply do not have the bandwidth to spare or have a pay-by-the-byte plan and should use TOR in client mode. Everyone else has an ethical decision to make ... whether to be a leach or to be a partner.

TOR is a proxying service with some unique features which make it relatively secure. That said, do not rely on it, alone, for any communications which, if discovered, could result in serious negative consequences -- use strong encryption at every opportunity.

That said, I would counsel you to think long and hard before using some other proxies. Here's why: http://forum.palemoon.org/viewtopic.php?f=26&t=2806

Set your computer to look to the USB ports for boot code ahead of the hard drive. If there is nothing bootable in the USB drive, it will roll-over to the hard drive.

Then keep a copy of DBAN (Darik's Boot and Nuke) on a USB key near (but not IN!) the computer. If you ever need to make the contents of your hard drive "go away", insert the key and reboot.

Even a partial wipe is better than none at all. If the PTB can't find your physical computer for a few minutes, you are a few miles further away from a successful prosecution. If you have a "bait" computer they can sieze, you might be able to get a 100% wipe that would take the NSA to read.

There is also some software called "Secure Erase" whose development was halted a long time ago. However, if your hard drive is of the type it was designed to work on, it is even faster than DBAN and arguably better. Do a Google search (DAGS) for it.

If using Linux, you can write a one line BASH script that will write, over and over, to every byte on the hard drive, including, of course, both used and unused space, surprisingly quickly. After a half-dozen iterations, even the NSA will have trouble reading that disk.

You can skip Gmail or Yahoo or Hotmail or whatever free service you are probably using right now by setting up your own e-mail server on your desktop or laptop computer and using a service such as DynDNS.com or noip.com to have your email sent to the new under-your-control server. For no-ip, the cost ranges from free to $25 a year. Nosing around in your router settings may reveal that signing up for one or the other is only a few clicks away. Setting up the server software on Linux offers more $free$ options (Postfix is my personal favorite), but Windows users will find that Sendmail works just fine, too.

You might further tighten access to your computer from the outside (without actually unplugging it from the wall) with port knocking. http://portknocking.org/ The idea behind port knocking is to have your computer completely closed to the outside world and then, based on the pattern or contents of attempted accesses to it, run a script to perform specific actions without ever actually acknowledging that the sequence or contents had any meaning to it. For instance, it might open a port allowing remote shell (terminal) access or it might just trigger an event, such as wiping the hard drive, remotely. To an eavesdropper, it appears that your computer ignored the knock ... even as it is firing detonation charges around the compound and arming the thermal imaging automatic machine guns and rocket launchers. 8~]

Linux is based on Unix which was, by design, secure from day one.

The NSA agrees ... it helped write Secure Linux, which, while a bit of a "PITA" to set up, is locked down solid by default. That said, the tools for locking down SELinux are present in pretty much ALL versions (distributions) of Linux, differing only in the default configuration file settings. Many extremely agile minds have reviewed the code for SELinux .. you can be confident that it has NO "backdoors".

It will take a new user 45 minutes to an hour or so to install Linux on a computer from a free-to-download *.iso file and give it your entire hard disk or a few minutes more if you want to leave the original operating system intact ... much of which is spent sipping coffee while waiting for the hard disk to do a low level format.

Or you can install it on a USB key of moderate capacity and use it as a "portable computer" (DAGS "Portable Linux") ... Tails is one distro designed for exactly that sort of use, but there are others.
Lexington Bill
Posts: 2
Joined: Fri Feb 13, 2015 9:36 am

Re: Opt out of PRISM

Postby editor » Tue Feb 09, 2016 9:04 pm

In another thread, a member said something about having "no idea... about the encryption". This seems like a more helpful thread in which to post an answer.

I'm a far shout from being an expert on encryption, but I've been using it for years. Commonly available free and open source (FOSS) programs make it easy to protect your privacy. Here's a little basic information, just to clear things up for readers.

Secret Codes

Secret codes have been around for a long time. Lots of people have used them. One early and very simple code is substitution. You start with the alphabet, and then you shift the letters like this:


Using this code, "Hello World" would look like this: "Urxxa Jcdxq". Easy to figure out, as long as you have the key. By modern cryptography standards, it's also pretty easy to crack even if you don't have the key, but you probably see what I'm getting at.

There are all kinds of ways to make a code like this harder to crack. For example you could randomize the key on the second line, instead of listing them in order. You could include a "blank space" in your alphabet, giving you 27 letters instead of 26. This makes it harder to figure out where the word breaks really are. But there are a few things all codes like this have in common:

  • The same key both encrypts and decrypts the message.
  • Anyone who has the key can easily read the message.
  • To use the code you must put the key securely into another man's hands.
  • You may never know for sure if the key has fallen into enemy hands.

Trapdoor Encryption

There is a type of encryption known as trapdoor encryption, and also known as public key encryption. In a nutshell, here's how it works:

Using a computer program, you generate what is known as a key-pair. This is really just two simple text files containing what appears to be random characters. But they are not random. The two files have something unique in common.

Each file is a key. Using the encryption program, together with either one of these keys, you can encrypt a message so that no one can read it unless they have the other key.

One key file is arbitrarily named Public, and the other is named Private. This makes it easier for you to keep track of them, and not mix them up. Any message encrypted using the Public key can only be decrypted using the Private key. Likewise, any message encrypted using the Private key can only be read using the Public key. It's an exclusively one-way system. There is no way to decrypt a message using the same key it was encrypted with. Also there's no way to figure out the contents of one key, using the other key.

So in actual practice, you may now post your Public key on a public bulletin board, or anywhere you like. No more need to worry about how to put a secret key into anyone else's hands, or worry whether security has been compromised. Keep your Private key private and protected. Now anyone who wants to send you a secret message can easily do so. All they have to do is encrypt the message with your Public key. Since you are the only one who possesses the Private side of that key-pair, you are the only one who can read the message.

Another problem with sending messages from one person to another, is the man in the middle. Let's say Adam sends Barbara a letter with an important question. A few days later Adam receives a response. The response claims to be from Barbara, but can Adam be absolutely sure it was actually Barbara who sent it?

With trapdoor encryption, Adam and Barbara can always be sure. It just takes a second step: Barbara encrypts the message twice. The first time she uses her own Private key, which can only be decrypted with her Public key. This is the equivalent of signing the message with her unique identity. No one else could create a message which could be decrypted with her Public key. Only Barbara. Then she encrypts it with Adam's Public key, for the sake of privacy.

When Adam receives the message, he first decrypts it with his Private key. Then he decrypts it again with Barbara's public key. If he can read the resulting message, then he knows for certain it was sent by Barbara.

The only thing complicated about this is that you may not have used the encryption program before, and so it is in the realm of the unknown. The program is well documented, and easy to use. It's called gnupg (GNU Privacy Guard).

The program works with more than just simple messages. You may use it to encrypt any sort of file, like audio clips, videos, spreadsheets, photographs, you name it. No file is too large or too small.

Modern encryption is much harder to crack than the simple examples I gave above. Of course there's no guarantee your messages can't be cracked, given enough time and effort. But that's the point, it takes a lot of time and effort. This is a good argument for encrypting everything, whether it's important or not. That way a potential enemy has no way of knowing which messages he should expend effort to read. He may eventually get something important, but in the meantime he spends a lot of time and money to get nothing but Aunt Millie's sugar cookie recipe, and a photo of your dog catching a Frisbee.

For example, on my own computer, every personal data file on the entire computer is encrypted. Even the filenames are encrypted. If you're looking for something in particular on my hard drive, even if you have millions of dollars and twenty years to find it, good luck. Doing this was as easy as checking the box on the screen: "Encrypt my Home Folder" while I was installing Kubuntu Linux.
Site Admin
Posts: 531
Joined: Thu Feb 21, 2013 9:24 am


Return to Security

Who is online

Users browsing this forum: No registered users and 1 guest