The Ever Changing Terrorist Narrative

Following along with the war on terror is difficult because the state’s official story constantly changes. One moment we’re led to believe that the terrorists are a very sophisticated group that utilizes many high-tech communication methods in order to avoid surveillance. The next moment we’re led to believe that the terrorists are idiotic cavemen who barely have enough intelligence to comprehend the invention of the wheel. Before Snowden leaked information regarding the National Security Agency’s (NSA) PRISM program we were told that the terrorists were sophisticated, now that he has leaked that information we’re being told that the terrorists were simpletons:

The U.S. intelligence community says terrorists are trying to change the way they communicate because of what they learned from Edward Snowden’s admitted leaks of classified information about government surveillance programs.

“We can confirm we are seeing indications that several terrorist groups are in fact attempting to change their communications behaviors based specifically on what they are reading about our surveillance programs in the media,” a U.S. intelligence official told CNN.

This is bullshit. Last year a report noted that most terrorist forums existed on what is often referred to as the deep web:

In a January 2012 report titled “Jihadism on the Web: A Breeding Ground for Jihad in the Modern Age,” the Dutch General Intelligence and Security Service drew a convincing picture of an Islamist Web underground centered around “core forums.” These websites are part of the Deep Web, or Undernet, the multitude of online resources not indexed by commonly used search engines.

The only terrorists using communication channels that can be watched by the NSA are the dumb ones, the ones who pose no legitimate threat. Most terrorists aren’t retarded, they know how to use a search engine to find information on securing communications. By claiming that terrorists are now moving to communication systems that can’t be watched by the NSA the United States government is also claiming that the terrorists are stupid. If the terrorists are that stupid then the government has been lying to us when it claimed that terrorists were sophisticated and therefore a legitimate threat to Americans.

Don’t fall for the bullshit, if the terrorists are intelligent enough to pose a threat then they’ve been using unwatchable forms of communications for decades. The state simply wants to run Snowden’s name through the mud in order to erode popular support for the man’s actions.

CryptoParty Postmortem

I don’t have anything else for you today because last night’s CryptoParty went longer than I expected. The turnout exceeded my expectations by a notable amount so I think we managed to get a good number of people set up with OpenPGP. As it turns out, explaining OpenPGP in two hours isn’t feasible so there is still some fine tuning required on our behalf but I think we did far better than last time. If anybody reading this has previous CryptoParty experience feel free to comment below or send me an e-mail covering what you’ve learned.

Encrypt Everything: Installing Thunderbird and Enigmail

After a longer than expected break I’m returning to the Encrypt Everything series. Previously I discussed OpenPGP and explained how to generate keypairs in OS X, Windows, and Linux. In this installment I will explain how to install the Thunderbird e-mail client and its Enigmail plugin, which enables sending and receiving OpenPGP signed and encrypted e-mails. Be sure you’ve followed the previous guide for your operating system as installing GNU Privacy Guard and generating a keypair is a prerequisite. This guide will apply to OS X, Windows, and Linux.

Step one is to download a copy of Thunderbird. This can be done by going to Mozilla’s Thunderbird website, which should automatically detect what operating system you’re running and provide you with the appropriate binary. If you, like me, run NoScript then separate links for each operating system will be displayed.

OS X

If you haven’t installed GPGTools yet do so.

After GPGTools has been installed download the latest version of Thunderbird from Mozilla’s website. The file you download will be a .dmg. Double-clicking on the file will mount it and you’ll be greeted with the following window:

To install Thunderbird simply drag the Thunderbird icon over the Applications folder shortcut and release the mouse button. That’s it, Thunderbird is installed.

Windows

If you haven’t installed Gpg4win yet do so.

Once you’ve installed Gpg4win download the latest version of Thunderbird from Mozilla’s website. The downloaded file is a standard Windows installer. Double-click on it to start the installation process:

Once the installer has opened click the Next button twice followed by the Install button. Once Thunderbird is installed click the Finish button and you’re done.

Linux

GNU Privacy Guard is installed by default on many Linux distributions but you still need to generate a keypair. If you haven’t generated your keypair yet do so.

As with my previous Linux guide this guide was created using Xubuntu 13.04, which includes Thunderbird as the default e-mail client. Likewise, according to Ubuntu’s website, Thunderbird has been the default e-mail client since version 11.10. According to this guide Thunderbird is also included by default on Fedora Core.

Therefore, if you’re using any of the distributions this guide is applicable to, you already have Thunderbird installed. Wasn’t that easy?

Installing Enigmail

Now that you have Thunderbird installed you will need to install the Enigmail plugin. Doing so is simple thanks to Thunderbird’s built-in ability to find and install plugins. The following steps apply to OS X, Windows, and Linux. Screenshots will be taken on an OS X virtual machine because it is my default operating system.

First, if you are running OS X or Linux, go to the Tools menu and click Add-ons:

If you are running Windows click the menu button on the right-hand side of Thunderbird (next to the search box) and click Add-ons:

This will open the Add-ons Manager tab:

See the box in the upper right-hand corner of the tab labeled “Search all add-ons”? Enter “enigmail” into it and hit the enter key. You will get a list of available plugins:

The Enigmail plugin will likely be the first result:

Click the Install button to begin the installation process. You will see a progress indicator:

Once Enigmail has been downloaded and installed you will be asked to restart Thunderbird:

That’s it, you’re set up and ready to begin sending OpenPGP signed and encrypted e-mails. As you can guess sending actual e-mails will be the topic of the next Encrypt Everything installment.

Make the NSA Pay, Encrypt and Anonymize Your Communications Today

As it turns out there is yet another reason to encrypt and anonymize your communications, it will directly cost the National Security Agency (NSA):

Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they’re collected inadvertently, according to a secret government document published Thursday.

The document, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, is the latest bombshell leak to be dropped by UK-based newspaper The Guardian. It and a second, top-secret document detail the circumstances in which data collected on US persons under foreign intelligence authority must be destroyed or can be retained. The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on US citizens and residents.

While the documents make clear that data collection and interception must cease immediately once it’s determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—“will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person’s communications give rise to a reasonable belief that such person is a United States person,” the secret document stated.

The more encrypted and anonymized data sent across the Internet the more hard drives the NSA has to buy. Do your duty to cost the NSA money, encrypt and anonymize your data today.

Oh, and it goes without saying but, the NSA is certainly lying when it claims it ceases surveillance upon determining a target is within the United States. This is the same agency that claimed it wasn’t spying on American citizens while it was spying on American citizens.

The NSA’s Complete Lack of Oversight

Since Edward Snowden leaked information regarding the National Security Agency’s (NSA) PRISM program the state has been assuring us that a great deal of oversight exists between the NSA’s agents and private communications. As it turns out, that isn’t the case:

Top secret documents submitted to the court that oversees surveillance by US intelligence agencies show the judges have signed off on broad orders which allow the NSA to make use of information “inadvertently” collected from domestic US communications without a warrant.

That is a major point to note. If the NSA “inadvertently” collects data on people living in the United States, the very same people the NSA claims it’s not spying on, it can use that data without so much as a warrant. I ask you, what motivation does the NSA have not to collect domestic communications? If there’s no punishment for doing so then there is no motivation against doing it. What makes this even worse is that this policy comes from the top:

The Guardian is publishing in full two documents submitted to the secret Foreign Intelligence Surveillance Court (known as the Fisa court), signed by Attorney General Eric Holder and stamped 29 July 2009. They detail the procedures the NSA is required to follow to target “non-US persons” under its foreign intelligence powers and what the agency does to minimize data collected on US citizens and residents in the course of that surveillance.

The documents show that even under authorities governing the collection of foreign intelligence from foreign targets, US communications can still be collected, retained and used.

Is anybody surprised that Eric Holder has authorized the NSA to collect data on people living in the United States? After all the skeletons that have been pouring out of his closet I doubt anybody is even slightly shocked by this revelation. Just how far does this authority go? Pretty damned far:

However, alongside those provisions, the Fisa court-approved policies allow the NSA to:

• Keep data that could potentially contain details of US persons for up to five years;

• Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;

• Preserve “foreign intelligence information” contained within attorney-client communications;

• Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

In other words, there is no real oversight or any form of protection against the NSA spying on people residing in the United States. Most of us have suspected this for a long time but until now we’ve been unable to surface proof.

The Granddaddy of Police States

I know Americans like to think of themselves as number one. However, when it comes to establishing and running a police state, the United States is still learning from the true granddaddy of the police state, Great Britain. As it turns out the British government was spying on foreign officials who came to London for the 2009 G20 conference:

Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic.

The revelation comes as Britain prepares to host another summit on Monday – for the G8 nations, all of whom attended the 2009 meetings which were the object of the systematic spying. It is likely to lead to some tension among visiting delegates who will want the prime minister to explain whether they were targets in 2009 and whether the exercise is to be repeated this week.

America may have PRISM but Britain had Closed-Circuit Television Cameras (CCTV) on almost every street corner before the National Security Agency’s (NSA) massive surveillance network was a twinkle in a snoopy bureaucrat’s eye. Unfortunately, as the unveiling of PRISM demonstrated, the United States is quickly catching up to its ally across the pond.

NSA Gets Early Access to Information Regarding Zero-Day Exploits on Microsoft Windows

A lot of information regarding the National Security Agency (NSA) has come to light in the last few weeks but none of the information we’ve seen so far has been as disturbing as this:

The National Security Agency (NSA) has used sensitive data on network threats and other classified information as a carrot to gain unprecedented access to information from thousands of companies in technology, telecommunications, financial, and manufacturing companies, according to a report by Michael Riley of Bloomberg. And that data includes information on “zero-day” security threats from Microsoft and other software companies, according to anonymous sources familiar with the data-swapping program.

In the security industry this is what we would call bad news. Having early access to otherwise unknown zero-day exploits would give the NSA a window of opportunity to attack systems before the owners knew a problem existed. Effectively, the NSA could do anything from taking down a network controlled by Microsoft systems to installing back doors into networks controlled by Microsoft systems. Beyond receiving information regarding zero-day exploits the NSA may have even more influence over Microsoft.

This information, combined with the information that Microsoft was the first company to sign onto the PRISM system, makes me wonder how much influence the NSA has over that company. Could the NSA convince Microsoft to hold back patches that fix exploits that the NSA is currently using to attack systems?

I’m also curious how many other companies are giving this type of preferential treatment to the NSA. Is Apple giving the NSA information regarding exploits? Are the lead developers of Linux? Things could become very interesting in the next couple of weeks.

Apple’s Worldwide Developers Conference 2013

Yesterday Apple held its Worldwide Developers Conference (WWDC) and announced a slew of new software and hardware. Most notable were the introductions of a new Mac Pro and iOS 7. Of course Apple also unveiled a new version of their desktop operating system, OS X. OS X 10.9 no longer follows the traditional naming convention of large cats, instead 10.9 is called Mavericks. Frankly, I think it’s a stupid name but the name really is irrelevant. What is relevant are the features.

The first feature Apple announced in 10.9 is proper multi-monitor support. Yes, Apple has finally joined the 1990s. No longer are users relegated to a menu bar and dock only on one screen and users can now have a full-screen application running on each monitor! All I can say is that it’s about fucking time.

OS X will also include Apple Maps. What does this mean for consumers? It means they can get the same shitty directions on OS X as they get on iOS and even transfer those shitty directions from their Mac to their iPhone or iPad.

iBooks will also be included in OS X. Mac users can now not read the books they didn’t buy in the iBooks Store because they were too busy buying them from the Amazon Kindle Store. As you can tell I’m absolutely ecstatic about this announcement.

That’s basically it. Apple did talk about new Safari features but nobody uses Safari so nobody cares what features are included in it.

Switching over to more exciting things Apple also announced new MacBook Airs. The new Airs are based on Intel’s new Haswell processor, which means the battery life is mind blowing. Apple claims the 11-inch Air will get 9 hours of battery life and the 13-inch will get 12 hours. Even if those claims are exaggerated and the 11-inch only gets 7 hours and the 13-inch only gets 10 hours those numbers are fucking impressive.

Hell hath also frozen over because Apple has finally announced a new Mac Pro. The new Mac Pro is an impressive piece of hardware. It’s no longer a large box. Instead the computer is shaped like a cylinder with a crap load of ports on the back of the device. It also includes new Xeon processors that are 256-bit, which I didn’t even know existed. The rest of the specs are equally impressive. In the end the new Mac Pro was probably the best thing that was announced. Sadly it’ll probably cost $5,000 because of the obviously alien technology included in the case.

I also mentioned the new version of iOS was announced. The biggest difference between iOS 6 and iOS 7 is the graphical interface. Apple gave iOS a complete overhaul. The shitty skeuomorphic applications are finally gone; replaced with flat icons in pastel colors. I’m not sure if I’m wild about the color scheme since it looks like the Easter Bunny vomited all over the screen but I’ll take a new design that looks a little nutty over the old design that I was getting bored of.

iOS 7 also includes a new feature called Control Center. Control Center is a small dashboard that allows users to quickly disable wireless interfaces, adjust the phone’s volume, adjust the screen brightness, and several other features Android users have been enjoying for ages. I’m glad Apple has finally joined the party, it would have been better if they arrived on time.

There’s also some unspecified multitasking features. I hope this means applications can have some limited access to network resources while sitting in the background but I’m guessing the implementation won’t be as good as I’m hoping. I’ll have to play with this feature before I make any ruling. On the upside Apple has finally copied WebOS’s app switcher, which was basically the best app switcher implemented in smartphone history.

The other iOS features were pretty minor in my opinion. It was good to see Apple didn’t announce any new iPhones or iPads. Why is this good? Because it means iOS 7 won’t be gimped on my iPhone 5. I hate downloading a shiny new operating system only to find out various features are disabled.

Overall this is the first product announcement Apple has done in a while that impressed me. Granted the only thing that really impressed me was the new Mac Pro but impressed I was. I may not be as impressed when I see the price tag but that’s another story.

Encrypt Everything: Using GPG on Linux

Now that I’ve explained how to use GNU Privacy Guard on OS X and Windows it’s time to cover Linux. Writing a tutorial on Linux is slightly more difficult because different distributions have different ways of doing things, which means I have to limit this tutorial’s scope. This tutorial is aimed at users running mainstream distributions based on Red Hat and Debian. I wrote this tutorial using Xubuntu 13.04 and looked up Fedora Core specific instructions. This tutorial is known to work on Xubuntu, all but entirely guaranteed to work on Ubuntu, and most likely applicable to Fedora Core. The good news is GNU Privacy Guard is in the standard installation of Debian and Fedora-based distributions meaning you don’t have to install it manually if you’re running Debian, Ubuntu, Xubuntu, Kubuntu, Fedora Core, or Red Hat. I will explain how to install Seahorse, a graphical GNU Privacy Guard front end for Gnome and Xfce.

The first thing you need to do is install Seahorse. On Debian-based systems, such as Ubuntu, you will need to open a terminal and enter the following command:

sudo apt-get install seahorse

On Red Hat-based systems, such as Fedora Core, you will need to open a terminal and enter the following command:

su -c "yum install seahorse"

Seahorse should now be installed. It may or may not be automatically added to your application menu, depending on the distribution you’re running. However, the application can be launched from all systems by entering the following command in a terminal:

seahorse

You will be greeted with Seahorse’s main screen:

Generating a new OpenPGP key pair is easy. First, click on the green plus button. You will be asked what type of key you want to create:

Select PGP Key and click the Continue button. You will now be presented with a dialog where you can enter the key pair information:

Although it’s not necessary I do recommend clicking the little triangle next to Advanced key options so you can manually enter a key pair length. By default it’s set to 2048 and I recommend you max it out to 4096 but you’re not required to. Whether you want to manually enter a key pair length or not you should fill in your identifying information. For this example I entered my name into the Full Name field and openpgptest@christopherburg.com into the Email Address field. Once you’ve entered your desired information click the Create button.

You will now be asked to enter a passphrase:

Enter a strong passphrase[1] as it will be used to encrypt your private key, which will prevent it from being used should it fall into unwanted hands. Remember, whoever possesses the private key can use it to sign or encrypt data. If a malicious user was able to obtain and decrypt your private key they could impersonate you. After you’ve entered your passphrase into both fields click the OK button. Now comes the fun part, waiting for your key pair to be generated:

For some reason generating a key pair in Linux took much longer than generating a key pair in either OS X or Windows. It took my system approximately 20 minutes to generate the key pair. During this time Seahorse is waiting to collect enough random data, which will occur faster if you use other applications. After doing some research online I found several methods that are supposed to decrease the amount of time needed to collect enough random data. The most common recommendation I came across was an application called Entropy Gathering Daemon. I didn’t have time to download, install, and test it so I will leave you to experiment with it if you want.

After the key pair has been generated it will appear in your list of keys:

That’s it, you now have an OpenPGP key pair to encrypt and sign e-mails. Now you need to know how to import the public keys used by those you correspond with. Importing a key is easy. First, you need to obtain a copy of the public key you want to import. For this example I will use the public key for blog [at] christopherburg [dot] com. If you obtained a copy of the public key in text format paste it into a text file with a name that ends in .asc. Now go to the File menu and click Import:

In the Import Key dialog box select the .asc file containing the public key. For this example I named the file blog.christopherburg.com.asc:

A dialog box will present information from the key being imported:

If you want to see all the details click the little triangle next to Details. Once you’re satisfied that the details are correct click the Import button. You will be returned to Seahorse’s main screen but the key won’t be listed. In order to see imported keys you need to go to the View menu and select Show any:

Now you will see all the keys Seahorse knows about:

As you can see the public key for blog [at] christopherburg [dot] com is listed but isn’t trusted. If you double-click on the key you can open a dialog box that will list the key’s details:

If you click on the Trust tab you can check the box labeled I trust signatures from ‘Christopher Burg ‘ on other keys:

Now the key will show up in your list of trusted keys. If you so desire you can sign the public key with your private key. Signing a public key is a way of alerting other people that you have verified that the person with the corresponding private key is who he says he is.
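The import dialog asks you to be satisfied that the key's details are correct; the detail that matters is the fingerprint, compared against one obtained from the key's owner through another channel. The same check on the command line, as an added example that is not part of the original tutorial: it assumes GnuPG 2.2 or later (for `--show-keys`), the function names are illustrative, and the sample listing and its fingerprints are constructed.

```shell
#!/bin/sh
# Added example: check a downloaded public key file before `gpg --import`.
# Assumes GnuPG 2.2+ (for --show-keys); function names are illustrative.

# Strip whitespace and uppercase, so "0123 4567 ..." compares equal to the
# 40-character form gpg prints in colon mode.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Number of primary keys ("pub" records) in a colon listing read from stdin.
pub_count() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# Fingerprint of the primary key: field 10 of the first "fpr" record that
# follows a "pub" record. Subkeys ("sub") carry their own "fpr" records.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Key length in bits: field 3 of the "pub" record.
pub_bits() {
    awk -F: '$1 == "pub" { print $3; exit }'
}

# check_listing EXPECTED_FPR MIN_BITS   (colon listing on stdin)
# Returns 0 = ok, 1 = fingerprint mismatch, 2 = not exactly one key in the
# file, 3 = key shorter than MIN_BITS.
check_listing() {
    cl_listing=$(cat)
    cl_count=$(printf '%s\n' "$cl_listing" | pub_count)
    [ "$cl_count" -eq 1 ] || return 2
    cl_got=$(printf '%s\n' "$cl_listing" | primary_fpr)
    [ -n "$cl_got" ] && [ "$(normalize_fpr "$1")" = "$cl_got" ] || return 1
    cl_bits=$(printf '%s\n' "$cl_listing" | pub_bits)
    [ "$cl_bits" -ge "$2" ] || return 3
    return 0
}

# verify_and_import KEYFILE EXPECTED_FPR
# --show-keys only prints what is in the file; the keyring is not touched
# until the checks pass. 2048 is the Seahorse default key length noted above.
verify_and_import() {
    gpg --show-keys --with-colons "$1" | check_listing "$2" 2048 || return $?
    gpg --import "$1"
}

# Constructed sample of `gpg --show-keys --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1370000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1370000000::::Example User <user@example.invalid>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1370000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Stand-alone use: sh verify-import.sh KEYFILE "EXPECTED FINGERPRINT"
if [ "$#" -eq 2 ]; then
    verify_and_import "$1" "$2" || exit $?
fi
```

A file holding more than one primary key is rejected outright, because `gpg --import` would import every key in the file while only one fingerprint was checked.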

That’s how you set up OpenPGP key pairs in Seahorse. Now that we’ve covered methods to generate OpenPGP keys on OS X, Windows, and Linux we can move on to using Thunderbird and Enigmail to send encrypted and/or signed e-mails and decrypt and/or verify signatures on e-mails, which will be covered in the next tutorial.

That Awkward Moment When You Realized Those Crazy Crypto-Anarchists Were Right

As if spying on our telephone conversations wasn’t bad enough another disturbing fact was revealed about the National Security Agency’s (NSA) vast spying operations. Although we all suspected that the NSA had access to the databases of the largest technology companies in Silicon Valley we now have proof:

A top-secret surveillance program gives the National Security Agency surreptitious access to customer information held by Microsoft, Yahoo, Apple, Google, Facebook, and other Internet companies, according to a pair of new reports.

The program, code-named PRISM, reportedly allows NSA analysts to peruse exabytes of confidential user data held by Silicon Valley firms by typing in search terms. PRISM reports have been used in 1,477 items in President Obama’s daily briefing last year, according to an internal presentation to the NSA’s Signals Intelligence Directorate obtained by the Washington Post and the Guardian newspapers.

This afternoon’s disclosure of PRISM follows another report yesterday that revealed the existence of another top-secret NSA program that vacuums up records of millions of phone calls made inside the United States.

What does this mean? A lot. Effectively the NSA has access to every e-mail sent to or from Microsoft, Yahoo, and Google’s services. It also means that the NSA has access to everything you’ve posted on Facebook including comments, pictures, and private messages regardless of your privacy settings. Microsoft, Yahoo, and Google searches are also obtainable by the NSA. In other words, anything you’ve ever sent to or accessed from the servers of the involved technology companies is at the fingertips of the NSA.

Concern about this very thing is what led me to move all of my needed online services to my personal server. My e-mail, calendaring, address booking, Virtual Private Network (VPN), and websites are all hosted on a server physically located in my dwelling. Hosting all of your own services can be a pain in the butt at times but it’s the only way to have any reasonable assurance that your confidential information remains confidential. I recommend everybody buy a domain name and move their online services away from major technology companies and onto their own services. If you’re not sure how to do that then it’s time to learn and I will gladly help anybody who asks for it.

If you can’t pull yourself away from third-party services then you need to encrypt everything. I’ve written a few tutorials that explain how to encrypt e-mail using OpenPGP. As of this writing the tutorial for OS X is completed, the first part of the Windows tutorial is completed, the first part of the Linux tutorial will be posted later today, and the tutorial explaining how to use Thunderbird and Enigmail to send and receive encrypted e-mails will be posted in the near future. When the Cyber Intelligence Sharing and Protection Act (CISPA) was being debated in Congress I wrote a short guide that explained a few technologies that could be used to avoid the state’s prying eyes, learn how to use them (I will write detailed guides at some point).

To quote a famous phrase, shit just got real.