That Awkward Moment When You Realized Those Crazy Crypto-Anarchists Were Right

As if spying on our telephone conversations wasn’t bad enough, another disturbing fact was revealed about the National Security Agency’s (NSA) vast spying operations. Although we all suspected that the NSA had access to the databases of the largest technology companies in Silicon Valley, we now have proof:

A top-secret surveillance program gives the National Security Agency surreptitious access to customer information held by Microsoft, Yahoo, Apple, Google, Facebook, and other Internet companies, according to a pair of new reports.

The program, code-named PRISM, reportedly allows NSA analysts to peruse exabytes of confidential user data held by Silicon Valley firms by typing in search terms. PRISM reports have been used in 1,477 items in President Obama’s daily briefing last year, according to an internal presentation to the NSA’s Signals Intelligence Directorate obtained by the Washington Post and the Guardian newspapers.

This afternoon’s disclosure of PRISM follows another report yesterday that revealed the existence of another top-secret NSA program that vacuums up records of millions of phone calls made inside the United States.

What does this mean? A lot. Effectively the NSA has access to every e-mail sent to or from Microsoft, Yahoo, and Google’s services. It also means that the NSA has access to everything you’ve posted on Facebook including comments, pictures, and private messages, regardless of your privacy settings. Microsoft, Yahoo, and Google searches are also obtainable by the NSA. In other words, anything you’ve ever sent to or accessed from the servers of the involved technology companies is at the fingertips of the NSA.

Concern about this very thing is what led me to move all of my needed online services to my personal server. My e-mail, calendaring, address book, Virtual Private Network (VPN), and websites are all hosted on a server physically located in my dwelling. Hosting all of your own services can be a pain in the butt at times but it’s the only way to have any reasonable assurance that your confidential information remains confidential. I recommend everybody buy a domain name and move their online services away from major technology companies and onto their own servers. If you’re not sure how to do that then it’s time to learn, and I will gladly help anybody who asks for it.

If you can’t pull yourself away from third-party services then you need to encrypt everything. I’ve written a few tutorials that explain how to encrypt e-mail using OpenPGP. As of this writing the tutorial for OS X is completed, the first part of the Windows tutorial is completed, the first part of the Linux tutorial will be posted later today, and the tutorial explaining how to use Thunderbird and Enigmail to send and receive encrypted e-mails will be posted in the near future. When the Cyber Intelligence Sharing and Protection Act (CISPA) was being debated in Congress I wrote a short guide that explained a few technologies that could be used to avoid the state’s prying eyes; learn how to use them (I will write detailed guides at some point).

To quote a famous phrase, shit just got real.

The War on Privacy Explodes

After Wednesday’s reveal that the National Security Agency (NSA) has been indiscriminately spying on all of Verizon’s customers things have exploded. Yesterday morning the White House came out and justified the NSA’s actions:

A senior administration official said the court order pertains only to data such as a telephone number or the length of a call, and not the subscribers’ identities or the content of the telephone calls.

Such information is “a critical tool in protecting the nation from terrorist threats to the United States,” the official said, speaking on the condition of not being named.

“It allows counter terrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities, particularly people located inside the United States,” the official added.

The revelation raises fresh concerns about President Barack Obama’s handling of privacy and free speech issues. His administration is already under fire for searching Associated Press journalists’ calling records and the emails of a Fox television reporter as part of its inquiries into leaked government information.

That justification, to put it frankly, is weak. A subscriber’s phone number is their identity because each phone number is unique and is almost always associated with only one person. Saying that the NSA is only collecting phone numbers but not identifying information is no different than saying the NSA is collecting Social Security numbers but not identifying information. When you’re collecting data that is associated with a specific person you are collecting identifying information.

Even if we assume the statement is true and the NSA has no idea who possesses what phone number we’re still left wondering how they can tell whether or not somebody is calling a known terrorist if they don’t know what the known terrorist’s phone number is. If they only know the terrorist’s number then they can easily obtain the identities of the terrorist’s contacts by asking Verizon for the identities of the persons who possess the called numbers. In other words the NSA is collecting identifying information no matter how you look at it.

Furthermore, any terrorist possessing even a minute amount of intelligence isn’t going to use a phone number tied to their person. Instead they will use another person’s phone (either by asking to borrow their phone or by using a cloned SIM card) or buy a disposable phone with cash. Either way the identity of the terrorist won’t be associated with the phone number so it will be almost impossible to identify who the terrorist is calling. At most the NSA will be able to identify extremely stupid terrorists, bust them, and give the remaining terrorists a reason to educate themselves and, in so doing, become far more difficult to capture or, in all likelihood, kill (that’s what the current administration enjoys doing most).

The White House is, as usual, feeding us bullshit. But that’s not the end of the bullshit train. In order to keep up the appearance that strong disagreement exists between the Republicans and Democrats you would think a powerful Republican would come forth and criticize the Obama administration for allowing indiscriminate spying on Americans. Instead one of the more influential Republicans came forward and defended the NSA’s actions:

Sen. Lindsey Graham said Thursday that he is “glad” that the National Security Agency is collecting millions of telephone records — including his own — from one of the nation’s largest telecommunications companies in an attempt to combat terrorism.

Mr. Graham said that he is a Verizon customer and has no problem with the company turning over records to the government if it helps it do its job. The South Carolina Republican said that people who have done nothing wrong have nothing to worry about because the NSA is mining the phone records for people with suspected ties to terrorism.

I’m not surprised to hear a state agent saying he’s OK with the state collecting his information. He is on the safe side of the gun pointed at our heads after all. I’m even less surprised to see Dianne Feinstein is in favor of the NSA’s expansive spying operations:

“As far as I know, this is the exact three-month renewal of what has been in place for the past seven years,” Feinstein said. “This renewal is carried out by the [Foreign Intelligence Surveillance Court] under the business records section of the PATRIOT Act. Therefore, it is lawful. It has been briefed to Congress.

Feinstein said she could not answer whether other phone companies have had their records sifted through as Verizon has.

“I know that people are trying to get to us,” she said. “This is the reason why the FBI now has 10,000 people doing intelligence on counterterrorism. This is the reason for the national counterterrorism center that’s been set up in the time we’ve been active. It’s to ferret this out before it happens. It’s called protecting America.”

What makes Feinstein’s comment interesting is her admission that Congress was briefed on the operation. If any members of Congress feign surprise we now know to call them on their bullshit.

Being a nation of laws somebody is obviously going to perform an investigation into this matter, right? Although it sounds like there will be an investigation it doesn’t sound like it will be an investigation into the NSA:

NEW YORK –- The U.S. Department of Justice may try seeking out the source of a bombshell article that revealed National Security Agency surveillance of millions of Americans, according to NBC News Justice correspondent Pete Williams.

[…]

Williams, a well-sourced reporter who just interviewed Attorney General Eric Holder last night about the leak investigations, jumped in with an answer.

“I was told last night: definitely there will be a leak investigation,” he said.

Before the state ascertained the identity of the person who leaked what is now referred to as the Collateral Murder video there was plenty of opportunity to investigate the pilots of the gunship that killed those Iraqi civilians and Reuters reporters. Instead the current administration moved to investigate the source of the leak. The person who leaked the video was Bradley Manning and, once identified, he was arrested, held in solitary confinement, and is now being put on trial for aiding the enemy. If the source that leaked the court order that revealed the NSA’s indiscriminate spying is discovered I’m sure he or she will be arrested, held in solitary confinement, and tried for aiding the enemy as well.

Bitching about this isn’t going to accomplish anything so we must ask what can be learned from this. I think there are several lessons. First, it’s obvious that the current administration is corrupt to the core. While Obama promised the most transparent government in history his administration has been shrouded in secrecy and embroiled in continuous scandals. His administration has also demonstrated that they prioritize hunting down people who leak classified information above hunting down criminals within the government’s employ. Second, we can no longer afford to communicate through unsecured channels. Every piece of data we send to each other must be encrypted and anonymized to prevent the government’s prying eyes from violating our privacy. Third, those crazy conspiracy theorists who have been telling us that the government is spying on our every communication aren’t so crazy. We must now assume that they are correct and that the government is spying on our every communication because, as this most recent leak shows, the government’s spying operations are vast and give absolutely no regard to due process. Fourth, there is another war being waged by the federal government, a war against our privacy. The only way to defend ourselves in this war is to violate the government’s privacy in turn. Our violations of the government’s privacy will be met with arrests, imprisonments, and possibly executions but will also cause its legitimacy to erode.

The government will continue to use technology to suppress us but that very same technology can be used to suppress the government. We must wield technology more effectively than the government in order to keep our privacy.

Revealing the State’s War on Privacy

Bradley Manning collected a great deal of classified government information and released it to Wikileaks. In so doing he effectively stripped some of the state’s privacy and is now standing trial for his actions (although his trial is almost certainly for show, not to determine guilt). As I said, I support Manning’s actions because the state is waging a war against our privacy. As time goes on we’re learning more and more about how extensive this war really is. Yesterday it was revealed that the National Security Agency (NSA), one of the most vicious combatants in this war, has been collecting the phone records of millions of Americans:

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk – regardless of whether they are suspected of any wrongdoing.

We’ve known that the NSA has been spying on our phone calls for some time, but the release of this court order gives us a better idea of how extensive its spying is. Once again I’ll reiterate that a government that doesn’t trust the general population enough to respect their privacy should not be given the privilege of privacy itself. So long as the state continues to violate our privacy it is right to violate its privacy. I will also point out that extensive spying operations such as this are prime examples of why all communications should be encrypted, which is why I started the Encrypt Everything series. Increasing the number of people who use cryptographic tools to prevent prying eyes from seeing their communications will render large scale spying operations, such as those being performed by the state, far less effective.

Judge Rules Decryption Keys are Protected by the Fifth Amendment

Last month a federal magistrate in Wisconsin refused to order a suspect to decrypt his hard drive stating that such an order would violate the suspect’s Fifth Amendment rights. This week a federal judge ruled that such an order was, in fact, a violation of the Fifth Amendment:

A federal judge in Wisconsin today granted an emergency motion filed by Feldman’s attorney for additional time to establish that her client’s Fifth Amendment right to self-incrimination would be violated.

U.S. District Judge Rudolph Randa lifted the threat of contempt of court and jail time, at least temporarily, and asked for additional briefs from Feldman’s attorney and Justice Department prosecutors. A hearing is likely to take place this fall.

What makes this case particularly interesting is that the suspect, Jeffrey Feldman, is accused of possessing child pornography. Possession of child pornography is one of those crimes that instigates such a strong emotional response in people that they demand that due process be tossed out the window and any suspects be immediately burned at the stake. A lot of arguments are being made that ordering a suspect to decrypt his hard drive isn’t a violation of the Fifth Amendment because the crime, in this case, is so heinous. Such an attitude, in my opinion, is extremely short sighted because it sets a precedent that allows the state to justify ordering anybody accused of any crime to decrypt their hard drive or be found in contempt of court (for which the punishment is being locked in a cage until you comply, effectively indefinite detention without due process).

At some point I predict that determining whether or not the Fifth Amendment protects suspects from court orders demanding their decryption keys will reach the Supreme Court. Regardless of whether or not that happens one thing is certain: encrypting your hard drive is the best way to protect yourself against snooping state agents who come into possession of your devices.

Encrypt Everything: Installing Gpg4win for Windows

Last week I wrote a walk through explaining how to use OpenPGP to encrypt your e-mail on OS X. Today I’m going to write a walk through explaining how to install GNU Privacy Guard in Windows. GNU Privacy Guard is a collection of OpenPGP tools. GPGTools, which was covered in last week’s OS X tutorial, is actually built on GNU Privacy Guard. After installing GNU Privacy Guard in Windows you will be able to generate OpenPGP key pairs, import public OpenPGP keys, and encrypt and decrypt messages using OpenPGP. Furthermore, installing GNU Privacy Guard is needed for sending and receiving OpenPGP encrypted e-mails, which will be covered in a future tutorial.

The first thing you need to do is download Gpg4win from here. As of this writing version 2.1.1 is the latest and the version used to create this guide. Previous versions of Gpg4win may not work with this guide.

Now that you have Gpg4win downloaded it’s time to begin installing it. Installing Gpg4win is pretty straightforward. Just click the Next button five times and then the Install button. After clicking the Install button you’ll get a progress bar informing you of what packages are being installed. Once everything is installed click the Next button again. Now you’ll be informed that Gpg4win needs a list of root certificates. Check the box labeled Root certificates defined or skip configuration and click the Next button again followed by the Finish button. Gpg4win is now installed.

Now you will need to generate your key pair. There are two ways you can do this. The first method is using Kleopatra, a graphical interface installed with the Gpg4win package, and the second method is to use the command line tools. I will walk you through using the command line tools because Kleopatra only allows you to generate 3072-bit keys while the command line allows you to generate 4096-bit keys. Don’t worry, using the command line isn’t hard.

To create your key pair open the Command Prompt and issue the following command:

gpg --gen-key

You should get the following output:

gpg (GnuPG) 2.0.20; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

Since you will want the ability to sign and encrypt e-mails using OpenPGP select 1. Now you will be asked to enter a key length:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Type 4096 and hit enter. You will now be asked to enter an expiration date:

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

I tend not to set expiration dates for OpenPGP keys because issuing new keys periodically is an inconvenience for the people I e-mail regularly. Whether you want your key pair to expire or not is entirely up to you so enter whatever you want. If you go with the default (no expiration date) you will be asked to verify that you don’t want the key pair to expire:

Key does not expire at all
Is this correct? (y/N)

Enter y if you don’t want an expiration date and N if you’ve changed your mind. It’s now time to enter your personal information. For this example I will enter my name in the Real name field, openpgptest@christopherburg.com in the Email address field, and leave the Comment field blank:

GnuPG needs to construct a user ID to identify your key.

Real name: Christopher Burg
Email address: openpgptest@christopherburg.com
Comment:

You will now be given one more chance to change things:

You selected this USER-ID:
"Christopher Burg <openpgptest@christopherburg.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Selecting O will result in a dialog box appearing asking you to enter a passphrase. This passphrase will be used to encrypt your private key. Whenever you want to use your private key you’ll need to enter your passphrase first in order to decrypt it:

Enter a strong passphrase[1] and click enter, which will result in you being asked to re-enter the passphrase:

That’s it, you now have an OpenPGP key pair that can be used to sign and encrypt e-mails. I will cover sending encrypted e-mails in a future tutorial because the method I use in Windows, Thunderbird with Enigmail, is the same method I use in Linux. Therefore, to make less work for myself, I will first write a tutorial explaining how to install GNU Privacy Guard in Linux before writing a tutorial on using Thunderbird and Enigmail.


[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Edit: 2013-06-13: 22:26: Corrected the command --key-get to be --gen-key. Thanks Luca for pointing it out.

Encrypt Everything: GPGTools for OS X

Yesterday I gave a high level overview of OpenPGP. Today I want to dive into the practical portion of OpenPGP by explaining how to use GPGTools on OS X to encrypt e-mail communications. The first thing you will want to do is get the latest version of GPGTools from here (versions prior to 2013.05.20 will not work with Apple’s Mail application in 10.8). Installing GPGTools is a straightforward affair, just click Continue, Install, and Close (for this tutorial it is assumed that you performed the default installation; if you customized the installation all bets are off).

After installation has completed GPG Keychain Access will automatically open and, if this is your first time installing it, ask you to generate a new key pair:

For the duration of this tutorial I will be using the e-mail address openpgptest@christopherburg.com (it’s a junk address, don’t bother spamming it). Besides your e-mail address I would recommend changing the Length field to 4096. When it comes to encryption keys you need to go big or go home. Since openpgptest@christopherburg.com is a junk address I set the key to expire but you may want to uncheck the Key expires box if you plan to use your key pair with your e-mail address on a permanent basis (reissuing keys to everybody you e-mail can be a pain in the butt so setting them to expire can be a notable inconvenience). The only other field you need to worry about is the Upload key after generation check box. If checked the key will automatically be uploaded to the keys.gnupg.net key server (whether you want to do this is an entirely personal matter).

Once you’ve entered your key pair information click the Generate key button, which will result in the following dialog appearing:

Feel free to muck about with your computer for a bit to increase randomness. While the application is waiting around on randomness a dialog asking you to enter a passphrase will appear:

The entered passphrase will be used to encrypt your private key. Even if somebody manages to steal a copy of your private key file it will remain useless to them unless they also have your passphrase or can brute force it. To prevent the latter it is recommended that you enter a long, complex passphrase that won’t be easily guessed or likely found in a dictionary file (which is a table of words and common phrases used to brute force passphrases quickly).[1] Remember this passphrase because you will need it to decrypt your private key in order to use it to decrypt e-mails. After clicking the OK button you will be asked to re-enter the passphrase:

It should be pretty obvious but you need to enter the passphrase again and click the OK button. If you left the Upload key after generation checkbox checked you will see this dialog box:

Once the file is uploaded you will see your key pair added to the GPG keychain and it will be displayed in GPG Keychain Access:

You are now able to decrypt messages encrypted with your public key; however, you don’t have any public keys for other users. Encrypted e-mail isn’t much fun when you don’t have anybody to talk to so you’ll want to import the public keys of the people you converse with via e-mail. For this tutorial I will be adding the public key for blog [at] christopherburg [dot] com to my GPG keychain. To do this click the Import button in the GPG Keychain Access toolbar. A dialog box will appear asking you to select an .asc file to import into your GPG keychain:

.asc files are simple text files with a different extension. As I explained in yesterday’s installment of Encrypt Everything, OpenPGP public keys are blocks of text. To create an .asc file from a copied public key you simply need to paste the text into a new text file and save it with a name ending in .asc. After you click the Open button you will be notified that the public key was imported:

The public key will now appear in your GPG keychain in the GPG Keychain Access application:

Now you can encrypt e-mails with the blog [at] christopherburg [dot] com public key. E-mails encrypted with that public key can only be decrypted by the holder of the corresponding private key (which, in the case of blog [at] christopherburg [dot] com, is me).

Now you are ready to communicate over e-mail securely. Let’s send an encrypted e-mail to blog [at] christopherburg [dot] com. Open up the Mail application and start a new e-mail. When composing your e-mail you will notice two buttons sitting below the subject field on the right-hand side:

Clicking the left button will encrypt the e-mail and clicking the right button will sign the e-mail. Signing your e-mail allows the recipient to verify you sent it (so long as they have your public key). I always sign my e-mails so authenticity can be ensured by the recipient. For this test we will click both buttons so the e-mail will be encrypted and signed:

You’ve probably noticed the new button in the upper right-hand corner of the form. This button allows you to select whether you want to encrypt and/or sign the e-mail using OpenPGP or S/MIME. By default it’s set to OpenPGP, which is what we want. Upon clicking either the encrypt or sign button the OpenPGP button will turn green. When you click the send button you will be asked to enter the passphrase for your private key:

Unless you check the Save in keychain checkbox this dialog will appear every time you send a signed e-mail (since you use the recipient’s public key to encrypt the e-mail you won’t have to enter your private key passphrase when you encrypt but don’t sign an e-mail). I recommend not checking the Save in keychain checkbox because doing so will store the passphrase for your private key in OS X’s login keychain, which means anybody who obtains your login password will be able to decrypt your private key, which will allow them to decrypt encrypted e-mails sent to you.

That’s it, you’ve just sent your first OpenPGP encrypted e-mail. Any e-mails sent to your account that have been encrypted with your public key will be automatically decrypted and their contents displayed in Mail. That wasn’t too bad, was it?


[1] For example, the passphrase “passphrase” is very poor. It’s not only short, but it’s also easily guessed and commonly found in dictionary files. The passphrase “This is a random phrase that says nothing but probably isn’t easily guessed nor commonly found in most dictionary files.” is notably better since it’s not easily guessable or a commonly used phrase (although, now that it’s publicly published to the Internet, it’s worthless so don’t use it). Mixing in numbers and special characters will improve the passphrase even more.

Encrypt Everything: OpenPGP

I firmly believe that all communications should be encrypted. Even if you have nothing to hide you can contribute to the greater good by encrypting your communications. How so? Simple, encrypted communications appear as garbage data to prying eyes that lack the keys necessary to decrypt them. The more encrypted communications flying across the wires the more garbage data prying eyes have to dig through. If all communications were encrypted spies in organizations such as the National Security Agency (NSA) would be entirely ineffective.

Tools that enable users to encrypt e-mails have been around for ages but, sadly, few people take advantage of them. In the hopes of alleviating this problem I am going to provide guides to help people get this stuff encrypted. For the first entry in my Encrypt Everything series I’m going to discuss a tool that will allow you to communicate securely over e-mail, OpenPGP.

OpenPGP can be briefly summarized as a software package that allows users to generate public/private key pairs that can be used to securely communicate with other OpenPGP users.

The first question most people are likely to ask is, what the heck is a public/private key pair? Don’t worry, it’s not complicated. Public/private key pairs are used for asymmetric cryptography. Asymmetric cryptography is a fancy way of noting an encryption method that uses two keys, one public and one private. Data encrypted with the private key can only be decrypted with the public key and data encrypted with the public key can only be decrypted with the private key. After generating a public/private key pair you provide your public key to those who want to communicate securely with you. In turn they will provide you with their public key. When they want to send you a secure communication they will encrypt the message with your public key. That message can only be decrypted with your private key, which, as the name implies, is held by only yourself. When you want to reply to the secure communication you encrypt your response with their public key, which can only be decrypted by their private key.

OpenPGP allows you to generate a public/private key pair, encrypt messages with either your private key or another person’s public key, and decrypt messages sent by people who have provided their public key.

An OpenPGP key looks something like this (which is the public key to blog [at] christopherburg [dot] com):


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
[…]
-----END PGP PUBLIC KEY BLOCK-----

OpenPGP users can use that gobbledygook to encrypt messages that can only be decrypted by me. Generally people also post their public keys to key servers such as the one provided by the Massachusetts Institute of Technology (MIT) or Canonical, the creators of Ubuntu Linux. If you go to either of those key servers and enter my e-mail address into the search box you will be provided with my published public key.

Many OpenPGP applications can be configured to automatically check key servers for public keys. Later in this series, when I cover specific implementations of OpenPGP, I will explain how an e-mail client can automatically search OpenPGP key servers for public keys associated with e-mail addresses that have sent OpenPGP encrypted e-mails. Suffice it to say publishing your public key to a key server makes life easier for other OpenPGP users but there is no requirement to do so (OpenPGP is a decentralized system).

OpenPGP public keys can also be signed by other OpenPGP users. When you sign a public key you are verifying that the person who holds the corresponding private key is who he claims to be. This establishes what is referred to as a web of trust. What is a web of trust? A web of trust is a decentralized alternative to the chain of trust system most of us use every day.

When you access this site through its secure connection you receive a public key that has been signed by StartCom. StartCom is a certificate authority, which is an organization that signs Secure Sockets Layer (SSL) certificates (certificates used to provide secure connections to websites). StartCom’s public signing key is included in most major web browsers and operating systems so whenever you access a site secured by a certificate signed by StartCom your browser will trust it. By signing the certificate StartCom is verifying that your website is who it claims to be (in my case, blog.christopherburg.com). This system is highly centralized since it relies on a handful of certificate authorities.

Returning to the original question, what is a web of trust, the answer is that a web of trust is a system where individuals sign public keys instead of centralized authorities. If I sign your public key anybody who trusts my public key will see that I trust your public key. A person who trusts my judgement of character will then be more inclined to trust that your public key corresponds to a private key in your possession. This system becomes more effective as more people sign your public key, which is why key signing parties exist (yes, us geeks know how to party). When somebody sees your public key has been signed by several people they personally trust they can be reasonably sure that it is your key.
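To make the difference between the two models concrete, here is a small added example (my own illustration, not code from the post or from GnuPG) that computes which keys a user would consider valid under web-of-trust rules, next to the all-or-nothing check a browser performs on a certificate chain. The thresholds are assumed to follow GnuPG's documented defaults (one fully trusted introducer, or three marginally trusted ones, and a maximum certification depth of 5); the key names, owner-trust assignments and signatures are constructed sample data.

```python
# Added example (not from the post): toy model of web-of-trust key validity
# versus a certificate-authority chain of trust.
# Assumption: thresholds mirror GnuPG's defaults (--completes-needed 1,
# --marginals-needed 3, --max-cert-depth 5). All names below are made up.

# Owner trust: how much I trust a key holder to vouch for *other* keys.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

COMPLETES_NEEDED = 1   # one fully trusted introducer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # longest certification chain I will follow


def web_of_trust_validity(signatures, owner_trust):
    """Return the set of keys I consider valid (i.e. belonging to the named holder).

    signatures:  {key: {keys that have signed it}}
    owner_trust: {key: trust level}; my own key is ULTIMATE.
    A key becomes valid when enough *valid* keys whose holders I trust as
    introducers have signed it. Each round extends chains by one hop, so the
    number of rounds bounds the certification depth.
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):
        added = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            completes = marginals = 0
            for signer in signers:
                if signer not in valid:      # an unvalidated key cannot introduce anyone
                    continue
                level = owner_trust.get(signer, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    completes += 1
                elif level == MARGINAL:
                    marginals += 1
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                added.add(key)
        if not added:
            break
        valid |= added
    return valid


def chain_of_trust_valid(chain, trusted_roots):
    """The centralized alternative: a certificate chain, leaf first.

    chain: list of (subject, issuer) pairs, e.g. [(site, intermediate), (intermediate, root)]
    Valid only if each issuer is the next link's subject and the final issuer is a
    root the browser ships. There is no partial or accumulated trust: one root decides.
    """
    if not chain:
        return False
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    return chain[-1][1] in trusted_roots


# Constructed sample data.
OWNER_TRUST = {
    "me": ULTIMATE,
    "alice": FULL,          # I trust Alice's key-signing judgement completely
    "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
    "mallory": FULL,        # trusted as an introducer, but nobody I trust has signed her key
}

SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"bob", "carol", "dave"},   # three marginal introducers: valid
    "frank": {"bob", "carol"},          # only two marginals: not valid
    "grace": {"alice"},                 # one full introducer: valid
    "heidi": {"erin"},                  # Erin is valid, but I gave her no owner trust
    "ivan": {"mallory"},                # Mallory's own key was never validated
}

if __name__ == "__main__":
    print(sorted(web_of_trust_validity(SIGNATURES, OWNER_TRUST)))
    # Constructed chain: site -> intermediate CA -> root CA the browser ships.
    chain = [("blog.example", "ca-intermediate"), ("ca-intermediate", "ca-root")]
    print(chain_of_trust_valid(chain, {"ca-root"}))
```

Run it and the web-of-trust result is `alice, bob, carol, dave, erin, grace, me`: Erin is accepted because three people I marginally trust all vouched for her, Frank is not because two is short of the threshold, and Ivan is not because Mallory's key, however much I trust her judgement, was never validated itself. The chain-of-trust check has none of these gradations; the browser either reaches a shipped root or it does not, which is exactly the centralization the post describes.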

Now you have a general overview of OpenPGP. In the next installment of my Encrypt Everything series I am going to explain how to use GPGTools to encrypt your e-mails with OpenPGP on OS X (Why am I starting with OS X? Because that’s the operating system I generally use for e-mail. Don’t worry, I will cover other tools as the series progresses).

The Importance of Anonymity

If you have nothing to hide you have nothing to worry about… until you do. Remaining anonymous, especially in the lawyer-loving police state that is America, is crucial if you’re taking direct action to challenge the state. Last Friday the federal government began its arrests of people involved with the Liberty Reserve:

On Tuesday, federal prosecutors unsealed the indictment of seven men alleged to be involved with Liberty Reserve, one of the world’s most notorious digital currencies. (Liberty Reserve was the preferred payment choice of a booter site used to attack Ars in March of 2013.)

Federal authorities seized LibertyReserve.com and four other related domain names, effectively shutting down the site. The site’s founder, Arthur Budovsky Belanchuk (who apparently renounced his US citizenship in 2011 to become a Costa Rican citizen), was arrested last Friday in Costa Rica.

In a 27-page indictment (PDF), the defendants are charged with money laundering and conspiracy to operate an unlicensed money transmitting business. They are ordered to surrender “all property, real and personal” including: “at least $6 billion” and tens of millions of dollars more allegedly contained within bank accounts across Costa Rica, Cyprus, Russia, Hong Kong, Morocco, China, Spain, Latvia, and Australia.

The federal government has a long history of attacking anybody who attempts to challenge the Federal Reserve’s monopoly on currency. The Washington Post asks if Bitcoin may be the next target of the state’s aggression. Bitcoin, however, will be much harder to strike against. Why? Because the creator of Bitcoin, Satoshi Nakamoto, isn’t a real person. Satoshi Nakamoto was a pseudonym for the real developer(s). Since the person or persons responsible for Bitcoin can’t be identified the state has nobody to lash out against.

Many people believe they have nothing to hide. I’m sure Mr. Belanchuk believed he had nothing to worry about when he founded Liberty Reserve. There is no statute of limitations when one has affronted the state. While your actions may not be illegal today there is no guarantee that the state won’t move against you tomorrow. Yet the state is not omnipotent; it can only strike against those it can identify. So long as you remain anonymous, as the real person(s) behind the screen name Satoshi Nakamoto did, you are safe from the state’s wrath.

YaCy

I’m a big fan of decentralized technologies. In my quest to decouple myself from the major corporations that seem inclined to wage war on the Internet I’ve been looking high and low for a search engine not run by Google or Microsoft. My quest has finally provided some fruit in the form of YaCy.

YaCy is a peer-to-peer search engine that can be run on Windows, Linux, or OS X (technically, since it’s written in Java, it should also run on other platforms). Instead of relying on centralized entities to crawl and index the Internet YaCy relies on each peer. I’ve set up a test server running YaCy to see how well it works and so far it shows promise. Granted, the search data isn’t nearly as complete as Google or Microsoft’s data at this point but that will almost certainly improve over time. YaCy doesn’t do as good of a job at ranking search results based on how useful they are (at least in the eyes of whatever search algorithm is being used) but that is likely to improve in time as well.

With those criticisms aside, and considering the limited amount of time I’ve had to play with it, YaCy does have one major advantage over Google or Bing: there is no central authority. States rely on central authorities to coerce into removing data when they want to enforce their archaic censorship laws. If no central authority exists it becomes much harder to enact censorship, which is where my primary interest in YaCy derives.

I’m planning to make the search interface publicly accessible in the near future so you guys can test it out. While I won’t promise a replacement for Google or Bing I will promise an interesting technology that’s worth experimenting with.

You Can’t Stop the Signal

It finally happened, the state finally made its move to suppress 3D printable firearms:

On Thursday, Defense Distributed founder Cody Wilson received a letter from the State Department Office of Defense Trade Controls Compliance demanding that he take down the online blueprints for the 3D-printable “Liberator” handgun that his group released Monday, along with nine other 3D-printable firearms components hosted on the group’s website Defcad.org, while it reviews the files for compliance with export control laws for weapons known as the International Traffic in Arms Regulations, or ITAR. By uploading the weapons files to the Internet and allowing them to be downloaded abroad, the letter implies Wilson’s high-tech gun group may have violated those export controls.

“Until the Department provides Defense Distributed with final [commodity jurisdiction] determinations, Defense Distributed should treat the above technical data as ITAR-controlled,” reads the letter, referring to a list of ten CAD files hosted on Defcad that include the 3D-printable gun, silencers, sights and other pieces. “This means that all data should be removed from public access immediately. Defense Distributed should review the remainder of the data made public on its website to determine whether any other data may be similarly controlled and proceed according to ITAR requirements.”

I think we all knew this was coming. To tell the truth I hoped it would come. This was the overt act of censorship that was needed to kick the Streisand effect into action and, in so doing, ensure that the 3D printer models created and hosted by Defense Distributed will never die. As it stands the number of seeds for the Defense Distributed files has jumped to several hundred. I’ve even found a Tor hidden service that is hosting the files (you need to use the Tor Browser Bundle to access that link). As I’ve heard several people say, you can’t stop the signal.

As I stated in my post explaining methods to render the Cyber Intelligence Sharing and Protection Act (CISPA) irrelevant, the need for anonymity and strong encryption is greater today than ever. The state is trying to spy on our communications and censor material posted online. While some may wish to beg the state to allow information to flow freely we know they aren’t going to comply. Because of their desire to control information we must bypass their ability to detect and censor information they find objectionable.

When the state makes attempts like this to censor information it allows us to test our ability to preserve said information. As it stands more people have downloaded the 3D printer models provided by Defense Distributed than would have if the state hadn’t made an effort to censor the models. In fact I’ve had several friends who were uninterested in 3D printed guns ask if I knew where to get the files. Now that the files have been declared verboten everybody wants a copy. The state really shot itself in the foot with this one.