Archive

Monthly Archives: August 2013

VPN is an old concept in the world of computing: it lets you set up a more or less secure communication channel between two points across a public network. It helps you hide your internet traffic, may help circumvent censorship, and supports anonymization.

If you choose a VPN provider, you need to consider the following points:

  1. Your VPN provider shouldn’t keep any logs – especially no logs that would allow matching an IP address and a timestamp to a VPN user.
  2. Your VPN provider should be neither a US company nor run US-based servers. A strict no-data-sharing policy and an email deletion policy should also be in place.
  3. Your VPN provider should not run a system in which the technical possibility to take down content is implemented (to whatever extent).
  4. Your VPN provider should have an anonymous payment system (like Bitcoin) in place.

Out of the “infamous” Cryptoparty Handbook (in fact it’s very useful, and most of the people bitching about it are those who don’t bother helping the community for free) there are the following points to consider:

  • Information that is required from you to register an account – the less that is needed the better. A truly privacy concerned VPN provider would only ask you for email address (make a temporary one!), username and password. More isn’t required unless the provider creates a user database which you probably don’t want to be a part of.
  • Payment method to be used to pay for your subscription. Cash-transfer is probably the most privacy-prone method, since it does not link your bank account and your VPN network ID. Paypal can also be an acceptable option assuming that you can register and use a temporary account for every payment. Payment via a bank transfer or by a credit card can severely undermine your anonymity on and beyond the VPN.
  • Avoid VPN providers that require you to install their own proprietary client software. There is a perfect open source solution for any platform, and having to run a “special” client is a clear sign of a phony service.
  • Avoid using PPTP based VPNs, as several security vulnerabilities exist in that protocol. In fact, if two providers are otherwise equal, choose the one not offering PPTP if feasible.
  • Look for a VPN provider that’s using OpenVPN – an open source, multi-platform VPN solution.
  • Exit gateways in countries of your interest. Having a choice of several countries allows you to change your geo-political context and appear to come from a different part of the world. You need to be aware of legislation details and privacy laws in that particular country.
  • Anonymity policy regarding your traffic – a safe VPN provider will have a non-disclosure policy. Personal information, such as username and times of connection, should not be logged either.
  • Allowed protocols to use within the VPN and protocols that are routed to the Internet. You probably want most of the protocols to be available.
  • Price vs. quality of the service and its reliability.
  • Any known issues in regard to anonymity of the users the VPN provider might have had in the past. Look online, read forums and ask around. Don’t be tempted by unknown, new, cheap or dodgy offers.

In case you want to see, download and study the Cryptoparty Handbook (Version 2013-08-21), it is here.

There’s also a very useful article at TorrentFreak about “VPN Services That Take Your Anonymity Seriously, 2013 Edition” here.

I tested and used most of the available VPN providers myself. In the end I always prefer small, European-based service providers, run by someone I have met in person.

It’s all about trust, isn’t it? 😀

We have known for years that Tor is funded by the US Government. (The 2012 financial statement is here.)

Some say that’s because the US government needs a secure method to communicate with its agents. They’re everywhere around the world and they need secure communication. This tool can help organize things of strategic interest for the US economy as well. This group (including the developers, of course) says: It’s all open source and good and safe and secure. Trust us!

But there’s another group of people who think differently. They say: just follow the money and you’ll see that it’s paid for by the US Government. They created a honey trap for all the dissenters, to categorize, bundle and monitor them. Maybe they use it for secure communication with their agents as well, but we’re pretty sure that there’s a backdoor and they spy on all of us. They’re running a lot of exit nodes and… you know what I mean.

What’s the truth? Can we trust Tor?
First you need to know that every security package ever delivered is deceptive.
You can trust neither the organizations nor the people working on them. You can’t trust the software created or the service provided. You’ll never understand the whole picture when it comes to the “security industry”. This branch of the Military Industrial Complex grows far above average. It’s a perfect cash machine that sells immunity – the irrational feeling of being safe whatever happens. Countries (like the USA) are happy to spend billions of dollars for this illusory feeling. And then… a (more or less talented) kid hacks into SCADA or grabs some personal data from a poorly coded website, and another bunch of millions of dollars is spent on security. The industry is like the casino – it cannot lose.

Secondly, you need to understand that the area of operation of a spy agency is – well, spying. This is not limited to foreign countries, diplomats and military secrets. It’s an all-embracing approach to gathering data about each and every one of us worldwide. The only limits are set by strict policies and oversight by lawmakers. Governments need the gathered data to rule, the police need it to preserve the system, the economy needs it to find an advantage in competition… and so on.

Keeping the above in mind, and being (hypothetically) a US master spy, I would spend whatever amount of money to develop and run something like Tor. But I would also want to be very sure that there’s a “secure” backdoor implemented that enables my organization (and only my organization) to see all the information flowing through that net in plain text. Maybe later I would share the information or this backdoor with other agencies in return for access to information gathered by them.

Wait – there’s a flaw.
If there’s no such thing as security (in the real world), there’s also no such thing as a “secure backdoor”. So when we search the code we’ll find that backdoor and get access to that information. Cool.
Sorry, but that sounds much easier than it is. You need to be Jacob or one of maybe one hundred coding gurus to understand the program and the crypto stuff in it.

So what – is Tor secure, or not?
To be honest: I’ve no idea.

The best approach is to expect to be monitored. You may use a fresh, cash-paid computer, install GNU/Linux, VMs, VPNs, use Tor, GnuPG, Jabber, encrypt all your files and communication, do everything ‘internet’ only via free open public WiFi, get paranoid – and you know – feeling followed doesn’t mean you’re not actually followed… Stop!
You may follow my path by using different VPNs and Tor as well, but please: Do Not Trust!
Anyhow, you may join in, read the code and try to understand what’s going on. But be warned: that’s hard work, and it separates you from the blabbering nitwits. 🙂

29.08.2013, JD

Werner Koch wk at gnupg.org wrote on Mon Aug 19 14:38:16 CEST 2013:

Hello!

We are pleased to announce the availability of a new stable GnuPG-2
release:  Version 2.0.21.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage.  It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography.  It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.14) in
that it splits up functionality into several modules.  However, both
versions may be installed alongside without any conflict.  In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching.  The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time.  We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License
(GPLv3+).  GnuPG-2 works best on GNU/Linux and *BSD systems but is
also available for other Unices, Microsoft Windows and Mac OS X.

What's New in 2.0.21
====================

 * gpg-agent: By default the users are now asked via the Pinentry
   whether they trust an X.509 root key.  To prohibit interactive
   marking of such keys, the new option --no-allow-mark-trusted may
   be used.

 * gpg-agent: The command KEYINFO has options to add info from
   sshcontrol.

 * The included ssh agent does now support ECDSA keys.

 * The new option --enable-putty-support allows gpg-agent to act on
   Windows as a Pageant replacement with full smartcard support.

 * Support installation as portable application under Windows.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 2.0.21 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ .  The list of mirrors
can be found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG
is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files
in the gnupg/ directory:

  gnupg-2.0.21.tar.bz2 (4200k)
  gnupg-2.0.21.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.20-2.0.21.diff.bz2 (39k)

      A patch file to upgrade a 2.0.20 GnuPG source tree.  This patch
      does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature.  For example to check the
   signature of the file gnupg-2.0.21.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.21.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key.  Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key.  Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --keyserver keys.gnupg.net --recv-key 4F25E3B6

   The distribution key 4F25E3B6 is signed by the well known key
   1E42B367.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum.  Assuming you downloaded the file
   gnupg-2.0.21.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.21.tar.bz2

   and check that the output matches the first line from the
   following list:

5ba8cce72eb4fd1a3ac1a282d25d7c7b90d3bf26  gnupg-2.0.21.tar.bz2
cd94a6267088eeff4735641b1fc832a1e6770ba3  gnupg-2.0.20-2.0.21.diff.bz2

Documentation
=============

The file gnupg.info has the complete user manual of the system.
Separate man pages are included as well; however they have not all the
details available in the manual.  It is also possible to read the
complete manual online in HTML format at

  http://www.gnupg.org/documentation/manuals/gnupg/

or in Portable Document Format at

  http://www.gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how
to set up the whole thing.  You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing list for advice on
how to solve problems.  Many of the new features have been around for
several years and thus enough public knowledge is already available.

Almost all mail clients support GnuPG-2.  Mutt users may want to use
the configure option "--enable-gpgme" during build time and put a "set
use_crypt_gpgme" in ~/.muttrc to enable S/MIME support along with the
reworked OpenPGP support.

Support
=======

Please consult the archive of the gnupg-users mailing list before
reporting a bug <http://gnupg.org/documentation/mailing-lists.html>.
We suggest sending bug reports for a new release to this list rather
than filing a bug at <http://bugs.gnupg.org>.  We also have a dedicated
service directory at:

  http://www.gnupg.org/service.html

The driving force behind the development of GnuPG is the company of
its principal author, Werner Koch.  Maintenance and improvement of
GnuPG and related software takes up most of their resources.  To allow
him to continue this work he kindly asks to either purchase a support
contract, engage g10 Code for custom enhancements, or to donate money:

  http://g10code.com/gnupg-donation.html

Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, or answering questions on the mailing
lists.

Happy Hacking,

  The GnuPG Team
-- 
Thoughts are free.  Exceptions are regulated by a federal law.
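As an added example (my own script, not code from the announcement or the GnuPG project), a POSIX shell script that performs the two checks the release notes describe: signature verification with an already-installed gpg, pinned to the full fingerprint of the release key, and the SHA-1 comparison against the published checksum list. EXPECTED_FPR is a placeholder to be filled in from a source you trust.

```shell
#!/bin/sh
# Added example: verify a downloaded GnuPG tarball the two ways the release
# announcement describes.  Not part of the announcement or of GnuPG itself.

# Placeholder: put the FULL fingerprint of the release signing key here
# (short id 4F25E3B6 in the announcement), confirmed through another channel.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_TRUSTED_FINGERPRINT}"

# Verify the detached signature <file>.sig over <file> with the EXISTING gpg.
# Succeeds only if gpg reports a VALIDSIG made by EXPECTED_FPR, so a good
# signature from some other key is rejected too.  Returns 3 if gpg is absent.
verify_sig() {
    file=$1
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --status-fd 1 --verify "$file.sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# Compare sha1sum(<file>) with the entry for that file name in <list>, a text
# file in the "<hash>  <name>" format printed in the announcement.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the file.
check_sha1() {
    file=$1; list=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Full check: the signature is authoritative; fall back to the SHA-1 list only
# when no gpg is available at all, as the announcement suggests.
verify_tarball() {
    file=$1; list=$2
    verify_sig "$file" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "good signature from the trusted key on $file"
    elif [ "$rc" -eq 3 ] && check_sha1 "$file" "$list"; then
        echo "no gpg available; SHA-1 of $file matches the published list"
    else
        echo "REJECTED: $file failed verification" >&2
        return 1
    fi
}
```

The SHA-1 path only guards against a corrupted download: whoever can replace the tarball on a mirror can usually replace the checksum list too, which is why the announcement prefers the signature check.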

Every day we learn more about the spying of US three-letter agencies on ordinary citizens worldwide. Through the tight collaboration with their respective foreign equivalents we can easily acknowledge that the methods used and the actions taken are killing what these organizations pretend to protect. Breaking down the policies, it comes to imbecilities like “Excuse me, but we have to take away your freedom to secure your freedom” or “We need to avoid too much free speech to make your right to free speech possible”. You need to be mentally deficient to believe that.

I’m not looking forward to living in a system that’s somewhere between authoritarian and fascist and tells me what to think, what to believe and when to speak. Enforcing censorship, gagging orders and harassment of whistleblowers and journalists who uncover the failures and the corruption of governments inevitably lead to an environment that can’t be called democratic anymore.

Do we want to ride roughshod over the rule of law? Let’s start to take back our countries from these out-of-control spy agencies and their outsourced private profit centers. Rigorous oversight, strict orders, impeachments and defunding will do the trick. Maybe rethink your position and the extent of annoyance you’re facing before wiping.

27.08.2013, JD

Have you heard all the noise about the NSA, how and why they violated our rights and our privacy?

It’s time for the European Union and the governments of the EU member states to stop their grovelling behavior and order Europe’s secret agencies, like GCHQ in Britain or the BND in Germany, to no longer go along with the US Government’s efforts.

Besides the concerns about the privacy of every European citizen (that includes all the elected government officials and lawmakers) there’s also the dimension of economic espionage. European companies lose billions of Euros every year to the US spying machine.

Please let me know if you need more information or reasons to change your position. You may reach me here.

26.08.2013, JD
