December 23rd, 2009

omg

The Privacy Mandate

Here lately, things in the good ol' US of A have not being going to so well. Really they haven't been going well for a long time, but they pace of not going well has definitely sped up in the last 5 years. With the recent loss of due process and approval of torture (by SCOTUS none-the-less), the USA PATRIOT Acts, and other privacy and freedom depriving laws, even the law abiding citizen has to now watch his back else s/he be declared an enemy combatant.

So what can the average, every day, freedom-loving, privacy-advocating, red-blooded American (or any other nationality) do? There are several things that can make at least your online experience that much safer and more secure. Here are a few of the ones I've implemented.

The first is simple enough, but might be a bit insulting. Buy a clue, people! How far down the road do we have to go before the clue-bat of liberty smacks you hard enough for you to realize that what is going on in Washington, DC (and even in Copenhagen and at other treaty summits we are party to) effects you and I in a very real, every day sort of way?! Don't think you or your parents will get taken away? Think again. Even Roman citizens in Christ's time had access to due process under Roman law. Once you have the clue you need and decide to get serious about security, safety and your privacy, here are a few tools that — when implemented intelligently — will give you some modicum of privacy, verification of who you are talking to, and security in knowing that what you sent cannot be read by someone you don't intend it to.

Of course there are ways to circumvent and compromise every tool I'm going to mention here, but in combination it should be enough to provide some of the basics. Once you get more serious about security and anonymity, you'll know where to look for more advanced tools.

The Tools of the Trade


Search Engines


Believe it or not, despite any privacy policy a company may have, most search engine companies keep a complete log of what you are looking for, when you looked for it, and what links you followed away from them. They then sell that data to ad companies like Doubleclick.net (a Google property to boot) so as to allow them to better follow you and tailor ads to you. While I'm all for using ads to generate business and make some money, they can do so without my personally identifiable information. So the first tool requires the biggest change of all and will help you make the other changes much easier. Startpage is a search engine of a different breed. They do not log your IP address nor pass it along to anyone else. They have ads based on search results alone if you're concerned about that and seem to take care of their own advertising. They also, via the link above, provide bank-grade encrypted connection to their servers so that no one in the middle can see what you are doing. They are more along the lines of a search provider then a search engine.

What they do, in essence, is take your search term and submit it to 11 different popular engines (Google being noticeably absent), then return those results to you without you having to go to the other sites. They provide private, anonymous searching for free. They provide a search plugin for Firefox and IE (so if you choose to continue to use IE, for whatever reason, you can enjoy private searching with it too).

Web Surfing


Web surfing is probably the least private thing anyone does. Tracking cookies, referrer logs, and the like. Browsing the Internets is generally insecure and completely public. Anyone can sniff your connection. Anyone can intervene themselves into your session and capture, track, log and even divert your session. In general they can recreate every byte of data being sent out, modify it, and resend it somewhere else. They can see your passwords, your login names, and if you're using a shopping site that doesn't have a valid SSL certificate, credit card information. Phising sites use social engineering to capture all of these without directly engaging in any sort of hacking. All they have to do is successfully recreate the site whose users they want to scam, mask their URL into something believable, and have you provide all the information to them voluntarily.

So is there anyway to truly protect your data? Yes. Pay attention to the URLs you are visiting, if your browser is telling you that a site's security certificate is suspect, invalid or expired, be wary. It could just be lazy (or cheap) admins, or it could be something more malicious.

So what tool(s) are there for surfing more safer? Aside from the using your brain more bit, there is anonymous relay proxies. It is a bit slower then what you're generally used to, but the security provided is of immense benefit to those who value their privacy. Granted, it does have some limitations, but there are work-arounds to that if you're willing to give up anonymity in the process. I won't go into how this works, the linked site provides a better explanation then I ever could.

There are other proxy tools available, but this is the one I've found that even works. Eventually I'm sure I can find better solutions, but until then I'm happy with Tor.

Instant Messaging


Instant messaging, that ubiquitous tool that has been with us for a very long time now. They've become more highly evolved (voice and video chats, once thought the domain of of the telcos and their dreams of a video-phone (which they do have), are a prime example of the evolution of IM) since their initial inception as simple senders of quick text messages. Some clients can even send SMS messages.

Most people, though, don't give a second thought to IM security though they might use it for business purposes, or even governmental uses. So what can we do for IM to make it more secure? First there is the same proxy servers we used for web browsing that we can use to connect our clients through (Pidgin, among others, supports connections to proxy servers). Then there are plugins such as Off-the-Record messaging, which allow for encrypted chats. Of course that's only as good for how much you can verify the person sitting on the other end. The more means you have of contacting them and verifying the person you are IMing is the same person you think it is, the better off you'll be using OTR. This will lead into our final section, as well.

Email Security


Think your SSL or TLS connection is secure? Don't even kid yourself about your connection to port 110. That's pure plain text. Anyone who can intercept your connection will be able to read your login and password on that port. It's more difficult with SSL and TLS. The best way of preventing that is, again, with an anonymous relay proxy server. We can use the same one we're using for browsing and IM. Different pathways for different connections. It's just that good. There is also encrypted or digitally signed email. Like with OTR, though, it's only as good as far as you can truly verify the person you're talking to is who they say they are.

General Encryption and Digital Signing


SSL works by the web site providing you, via the browser, a certificate claiming that the website is who it says it is and that your information is safe as long as you are connected to them. Again, though, there is that matter of trust. Do you trust the issuing/signing authority? Do you trust the website you are connecting to to begin with? Be wary of the trojan horse. Since there really isn't anything more you can do once you've anonymized your surfing, IM and email clients connections to the Internet, and even https (the protocol used for SSL connections), what else is there?

Encryption and self-signing of documents via tools like GNU Privacy Guard (a free, open-source implementation of PGP) is a start. For email clients like Thunderbird, there is Enigmail (you will need GPG installed to use Enigmail). It allows you to sign and/or encrypt your email messages so only the intended recipients can open them.

Paranoid yet? You should be.

Even with all these precautions there is still the chance a session can be tracked back to you, there is still the chance that your encryption can be compromised and broken, there is still the chance that any number of malicious things can still happen with your data. Nothing we create is perfect. These are steps, though, that when properly implemented and routinely use will highly increase your security, anonymity, and privacy while you are online.

[tags]technology, browsers, security, web[/tags]

Originally published at Ameliorations 1.0.