
Professional Troublemaker ®

 Jonathan Corbett, Civil Rights Attorney

Category: No Surveillance State Month

No Surveillance State Month, Part 12: Try for SSL

Today’s tip is an easy one. When you’re browsing the Web, if the address of the page you’re viewing starts with “http://”, you’re viewing a non-encrypted Web page, which means that it’s possible someone can intercept what you’re doing (a neighbor listening in on your WiFi, the NSA, etc.). On the other hand, if the address starts with “https://”, it is encrypted using “SSL” and likely safe. The “s” means secure!

Chances are, you’re viewing this blog with the unsecure URL (since we’re not really transmitting anything secret here, that’s ok!), but you can easily go up to the address bar of your Web browser, add in the “s”, and press Enter to see this page over a secure connection. Not every Web site supports SSL, but many do, so before you enter a password or other personal information, try adding the “s” and seeing if you can change your unsecure connection into a secure one.

[Update: Commenter featherwinglove reminds us that there is a plug-in for Firefox & Chrome users to do the above automatically for you. See: https://www.eff.org/https-everywhere]


This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

No Surveillance State Month, Part 11: Tor — Peer-to-Peer Encrypted Traffic

Yesterday I announced my new software project called 1985 (Web Site | fundraiser), which uses peer-to-peer encryption and relaying to prevent your call — and the “metadata” about your call — from being intercepted. While we work to bring this to cell phones and voice traffic, this already exists for Internet browsing, and it’s called Tor.

Here’s how Tor works: you connect to a network of Tor users and get a list of peers that will help you. You select 3 peers at random, take your message (data), and encrypt it so that only the third peer can read it. Then you take that encrypted message and encrypt it so that only the second peer can read it. Then you take that encrypted message and encrypt it so that only the first peer can read it. Now in order to read the message, all three peers are required, in order, to unwrap each of the three layers of encryption. The message is then sent to the first peer, who unwraps a layer and forwards to the second peer, who unwraps a layer and forwards to the third peer, who unwraps a layer and forwards to the destination (Facebook, Gmail, whoever).

The second and third peer have no idea who you are since they got the message from the previous peer, not from you. The first and second peer have no idea what your message is, since there will still be encryption layers on it. The ultimate destination of the message is also included beneath the three layers, so they also have no idea to whom your message is addressed. What this means is that no peer has all the information, and in order to piece it together, all three peers would have to collude.

Take a look at the Tor Web site and Wiki page for details on how you can use it. It requires a little bit of technical skill to use in a way that affords you strong security, but not too much technical skill just to get going. The best part is that the more people who participate in Tor, the more anonymous it is because the peers are selected from a larger random pool.
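Here is the layered wrapping and unwrapping described above in working code. It is an added example written for this page, not Tor’s own code or anything from the Tor project: it assumes the client already shares a secret key with each of the three relays (real Tor agrees these during its circuit handshake), uses AES-GCM for each layer, and uses constructed relay names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Relay is one Tor-style peer: its name plus the 256-bit key the client shares with it
// (assumption: the key was agreed beforehand, as Tor's circuit handshake does).
type Relay struct {
	Name string
	Key  []byte
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap adds one layer: AES-GCM over "nextHop\n" || inner under one relay's key.
func Wrap(key []byte, nextHop string, inner []byte) []byte {
	nonce := randBytes(12) // standard AES-GCM nonce size; prepended to the ciphertext
	return gcmFor(key).Seal(nonce, nonce, append([]byte(nextHop+"\n"), inner...), nil)
}

// Peel strips the layer addressed to this relay; it learns only the next hop.
func (r Relay) Peel(sealed []byte) (nextHop string, inner []byte, err error) {
	g := gcmFor(r.Key)
	if len(sealed) < g.NonceSize() {
		return "", nil, errors.New("message too short")
	}
	layer, err := g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
	if err != nil {
		return "", nil, err // wrong relay key or tampering: the GCM tag check fails
	}
	next, rest, ok := bytes.Cut(layer, []byte("\n"))
	if !ok {
		return "", nil, errors.New("malformed layer")
	}
	return string(next), rest, nil
}

// BuildOnion wraps the innermost layer first, exactly as the post describes.
func BuildOnion(r1, r2, r3 Relay, dest string, msg []byte) []byte {
	l3 := Wrap(r3.Key, dest, msg)    // only r3 can read: destination and message
	l2 := Wrap(r2.Key, r3.Name, l3)  // only r2 can read: "forward to r3"
	return Wrap(r1.Key, r2.Name, l2) // only r1 can read: "forward to r2"
}
```

Peeling the onion with each relay’s key in turn shows the property the post relies on: the first relay sees only “forward to relay 2”, the middle relay sees neither sender nor destination, and only the exit relay sees the destination and the message.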


No Surveillance State Month, Part 10: Low Tech Password Security

The Guardian interviewed Edward, and it’s a fascinating read/watch at any rate, but relevant to our 10th tip is this quote: “He puts a large red hood over his head and laptop when entering his passwords to prevent any hidden cameras from detecting them.”

This little fact occurred to me one day while logging into my computer in an airport. If I’m typing in my passwords while sitting in front of a surveillance camera, I’ve essentially given away my passwords to anyone with access to the camera. A quick way to mitigate this vulnerability to all but the most well-placed cameras is to simply tilt down the screen of your laptop such that it covers your fingers on the keyboard while typing your password.

Here’s another one for the less paranoid: key loggers. Any time you’re using a computer other than your own (and sometimes, even your own) there’s a risk that software is installed to record all keystrokes. Computers at Internet cafes are especially vulnerable to this. Try not to use public computers for entering passwords that can access financial accounts, which is what most hackers will target.

Stay tuned for the big announcement in half an hour… 🙂


No Surveillance State Month, Part 9: Don’t Trust Bad Certificates

Have you ever been browsing the Internet and seen a screen like this:

[Image: browser “bad certificate” warning screen]

…or this:

[Image: a second browser “bad certificate” warning screen]

This is your browser telling you that it can’t be sure of who’s on the other end of your data transaction. SSL (the encryption technology used whenever you type in a URL that starts with https://) ensures that your data is transmitted securely between two endpoints. But what if the endpoint that you think is, say, Facebook, is really just someone pretending to be Facebook? We call this a “man-in-the-middle attack,” and it’s the most significant threat to the security of your data in transit across the Internet.

Certificates are what make sure that the endpoint is who you think it is. A certificate is a key set that is assigned to (e.g.) a Web server by a certificate authority (CA) — a company that is trusted to assign certificates only to the authorized owner of a domain name. Your computer comes pre-programmed (by your OS vendor or Web browser vendor) with a list of valid CAs, and using digital signatures, your computer can verify that the certificate a Web server presents to you was signed by a valid CA.

If all this is confusing, no worries: the tl;dr version of this is: If you see a screen like the one above, your computer wasn’t able to confirm that the endpoint is valid because it didn’t present a valid certificate. You should understand that if you tell your computer to proceed anyway, your information may be going to a hacker (whether or not that hacker has a badge). If the site you’re trying to access is a bank, your e-mail account, or pretty much anywhere else that asks for a password, financial information, or anything else you might want private, don’t proceed and contact the owner of the Web site.


No Surveillance State Month, Part 8: Encrypted Text Messages

Text messages are an awesome way of communicating with friends and family. They’re short, to the point, and you don’t end up stuck on the line for 30 minutes hearing about someone’s bad break-up.

But, they’re prime targets for government interception. First, they’re small, so they’re easy to store en masse. While a minute of phone conversation might take up a few hundred thousand kilobytes, a text message with metadata would take up around 0.2 kilobytes. Second, text messages are easily searchable. While computers have difficulty turning voice into searchable text, text messages are already text, making it easy for the government to search for anything from “Allahu Ackbar” to “I think that the Patriot Act is un-American.” And, like phone calls, text messages are great ways to build databases of who your “associates” (read: friends and family) are, as well as your location information calculated by the cell towers.

There are a ton of services that offer to send your text messages using encryption, generally for free. Here are a few that I found (and for which I have no association and get no commission):

  • WhatsApp (free, all major devices)
  • Black SMS (free, iPhone only)
  • Seecrypt (as discussed yesterday, also good for calls — $3/month)

If you know of other good services please post in the comments and I’ll update the thread.


No Surveillance State Month, Part 7: Encrypted Phone Calls

News broke yesterday that the NSA secretly collects call data from all major U.S. providers. We all, perhaps, expected this, but The Guardian released proof, in the form of a leaked FISA court order, that en masse collection of the source and destination of every call, the IMEI of cell phones involved in the call, location information, etc. is logged by the government, without requiring you to be on some kind of list. So much for no searches without cause, eh?

Skype used to be a great alternative as it encrypted the data being transmitted, but at this point, it is nearly certain that Skype (now owned by Microsoft) has included back doors in the software to allow for government interception. Now we must turn to other providers who allow for encryption to be used from end to end (when making Internet-to-Internet calls, at least).

Here are a few that I found (and for which I have no association and get no commission):

  • SilentPhone ($49/month — ouch)
  • VSee (Internet-to-Internet only, free)
  • Seecrypt (calls to people with mobile app only, $3/month)

If you know of other good services (especially ones that let you call landlines) please post in the comments and I’ll update the thread.


No Surveillance State Month, Part 6: TrueCrypt & Full Disk Encryption

We’ve done a few posts so far about how to secure your data in transit over the Internet (still more to come on that… promise!). But, none of that protects your data from a thief who steals your laptop, whether or not that thief has a badge. The U.S. has taken the position, for example, that at the border, Customs can search through your hard drives based on nothing more than a hunch. “Must protect the children! Child pornography,” they say. “Must protect the economy! Industrial espionage,” they say. “TERRORISTS,” they shriek. But, behind all this hyperbole, they offer no explanation as to why any child pornographer, intellectual property thief, or terrorist with an I.Q. above room temperature would literally walk their digital contraband across the border rather than send it via the Internet from the convenience of their cave in Pakistan (or wherever “the enemy” hides these days).

I first wrote about TrueCrypt only 4 days after founding this blog. TrueCrypt is the gold standard, publicly-vetted (but not open-source) full disk encryption software package. Full disk encryption means that the entirety of your computer is unreadable without a password. This is our — we, the people’s — best defense against government prying into our personal documents, family photos, communications with friends, and really, our everything in this day and age. If done properly, full disk encryption cannot be broken even by the government (and again, if the government were able to unscramble it, they would never admit to it or waste such a valuable secret to spy on random citizens).

Please have a look at TrueCrypt’s Web site, read through their documents (they’re not very long), and protect your computer by utilizing it.


No Surveillance State Month, Part 5: Anonymous Electronic Payments

Sometimes, electronic transactions are the only practical method of payment. Making a purchase at Amazon.com or holding open a bar tab will be frustrated if you have no plastic. You can still complete these transactions without creating a log that can be tied back to you thanks to prepaid debit cards that you can purchase virtually anywhere these days.

At my local Walgreens, you can grab $200 cards for $205.95, which works out to a 3% fee or the cost of about 2 ATM transactions. You can also find these guys at banks, money services companies (Western Union), and department stores (Kmart, Walmart). Terms vary, and you can find better or worse deals than Walgreens has to offer. In addition to holding on to some of your privacy, you also reap the benefit that a fraudster can’t clean out your bank account if that Internet retailer you just shopped at gets hacked, and there won’t be any surprise recurring fees from any merchants — by the time recurring fees would hit your card, it’s empty. A beautiful thing.

Prepaid cards can also be turned into Bitcoin, an untraceable (if done right) Internet currency that is starting to gain significant acceptance at Web-based merchants. Bitcoin works by using a peer-to-peer transaction database and strong encryption that allows only the present “owner” of the money to send it to someone else. The “owner” of the money is identified only by a string of random numbers (think like a debit card number, except there’s no name on the card). How to use Bitcoin is beyond the scope of what I can fit into a brief blog post, but the Wiki article is a great place to start if you’re interested.


No Surveillance State Month, Part 4: Ditch the Plastic

I love putting things on credit and debit cards. It’s more convenient than dealing with change and ATM trips, and it organizes my business expenses for tax purposes at the end of the year.

But, when I go through my statements at year-end to find tax deductible expenses, I find that I can basically pinpoint exactly where I was for pretty much every day of the year based on my purchases. In addition to the location information, credit card companies have detailed information on your spending patterns.

Will your credit card company sell your spending pattern data? Who knows, but when, during my deposition last year for my lawsuit against stop-and-frisk, the attorney for the city asked me to list my credit cards, it became abundantly clear that all of this data is just waiting to be abused. (The idea that someone suing the city for abuse should have to bend over and expose his private information in order to have a shot at justice is offensive and wrong, but I digress…)

So, I shall endeavor to use cash whenever possible (tomorrow’s post will allow you to keep your privacy for those times when cash is not an option). To keep track of business expenses, I’ll be using my smartphone to take a picture of receipts rather than holding onto crumpled up, faded pieces of paper. And I’ll save my local small businesses the ~3% they pay to run credit cards rather than see that money go to the banks. Win win win.

