Help Secure Everyone’s Email by Encrypting
Previously I wrote about the protection I am adding to my mail by using PGP or GPG. You can find the article by clicking here. My involvement with the EFF and AVNation have also included comments about privacy: AVNation Privacy & EFF Mail Links.
Something I realized while thinking about this subject is that if one sends very few encrypted e-mails, the ones that are encrypted will stand out in the mail being sent. Now you might wonder what I am doing that requires encrypting. The previous blog post explains why I am encrypting my mail.
I have an additional reason now, confuse the government and anyone else monitoring traffic. This idea is discussed in Cory Doctorow’s book Little Brother http://craphound.com/littlebrother.The section below is used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. This quote below came from line 1826 in the HTML version available on Mr. Doctorow’s website.
“So how come you weren’t on Xnet last night?”
I was grateful for the distraction. I explained it all to him, the Bayesian stuff and my fear that we couldn’t go on using Xnet the way we had been without getting nabbed. He listened thoughtfully.
“I see what you’re saying. The problem is that if there’s too much crypto in someone’s Internet connection, they’ll stand out as unusual. But if you don’t encrypt, you’ll make it easy for the bad guys to wiretap you.”
“Yeah,” I said. “I’ve been trying to figure it out all day. Maybe we could slow the connection down, spread it out over more peoples’ accounts –“
“Won’t work,” he said. “To get it slow enough to vanish into the noise, you’d have to basically shut down the network, which isn’t an option.”
“You’re right,” I said. “But what else can we do?”
“What if we changed the definition of normal?”
And that was why Jolu got hired to work at Pigspleen when he was 12. Give him a problem with two bad solutions and he’d figure out a third totally different solution based on throwing away all your assumptions. I nodded vigorously. “Go on, tell me.”
“What if the average San Francisco Internet user had a lot more crypto in his average day on the Internet? If we could change the split so it’s more like fifty-fifty cleartext to ciphertext, then the users that supply the Xnet would just look like normal.”
“But how do we do that? People just don’t care enough about their privacy to surf the net through an encrypted link. They don’t see why it matters if eavesdroppers know what they’re googling for.”
“Yeah, but web-pages are small amounts of traffic. If we got people to routinely download a few giant encrypted files every day, that would create as much ciphertext as thousands of web-pages.”
This action is a relatively small action and is rather simple to do. However, the fact that it will change the traffic view could be helpful for others. It will prevent other PGP/GPG encrypted traffic from being such an outlier as to be noticed. As EFF posted on Data Privacy Day, privacy is a team sport. There are additional directions for how to do this task at https://ssd.eff.org/, hover over the tutorials section. If you want to test if it worked, My public key identifier is C93A52C6. You can download my public key from https://www.bradfordbenn.com/BradfordBenn-C93A52C6.asc
I also will freely admit, I am not sure if it will make a difference, but it could not hurt.
January 31, 2017
No, you can’t look in my computer…
Some of you may already be aware that the Electronic Frontier Foundation (EFF) is one of the groups I support. Privacy, security, and freedom for the individual is one of my touchstones. I have written about these topics previously, both here and at AVNation.tv. (Yes, there will be overlap between this post and the one over there. My opinion hasn’t changed.)
There are proposed rule changes within the Federal Rules of Criminal Procedure that the EFF has made me aware of. I do not claim to be an expert on all the legalities and intricacies, however from the comments that the EFF have provided I immediately felt it was important to comment on. The proposed amendment to procedural Rule 41 would allow a judge to issue a warrant allowing law enforcement to remotely enter (hack) a computer when “the district where the media or information is located has been concealed through technological means,” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.”
The first portion of this means that if one uses a means to hide their location, for any reason, a search warrant would be allowed. At AVNation I spoke about how this applies to business environments where Virtual Private Networks (VPN) are used to provide a secure connection between remote users and the office. A byproduct of that process is that one’s location is incorrect quite often, sometimes on purpose. When I travel to China I use VPN for personal use. I purposely set my VPN to connect me to a point of presence located in the US. This decision allows me to access my e-mail as well as other sites, such as news sites like New York Times or Los Angeles Times. I can continue on about the Great Firewall of China, but these couple of links should help provide background https://en.wikipedia.org/wiki/Great_Firewall or https://www.eff.org/search/site/china%20firewall.)
I also use a VPN connection, as well as other tools, when I am using a public hotspot. In fact I am using one right now as I sit in Starbucks using their WiFi. This approach prevents eavesdroppers to my communication. I will say that Google and Starbucks do a good job keeping things safe, however not everyplace is as secure. I want to keep my data encrypted as long as I can. Yes, there is Hyper Text Transfer Protocol Secure (HTTPS) that is secure and I use it as much as possible, but not every site supports it or for all traffic.
I can continue on as to why I use VPN, the important thing to take away is that there are legitimate legal reasons to use VPN. The fact that I use it should not change the way my data/privacy is viewed by the courts. To overly simplify it would be like saying, you locked the door to your car so you have given us a reason to issue a search warrant.
The second portion of the new procedure is also damaging in that it allows for innocent computers to be searched if they have been remotely hacked. If a computer is an unwitting member of a botnet that would meet a qualification for a search warrant. The infected or innocent computer could be searched even if the owner is not involved or suspected of wrong doing. Basically if someone has already broken into your computer, the government can break into it again as your computer might be doing bad things.
To me there is a third reason that this issue is important – this process is being done under the guise of procedural rules. There is no debate, no review by elected officials, just a procedural change to allow more access. Yes, Congress has to vote to approve the rules, but there was very little notice of the process. Luckily groups such as EFF and others are around to alert people to the changes. There is the comment of, “Well if you aren’t doing anything wrong, you have nothing to worry about.” I agree and understand that sentiment, but I also believe that once the first domino has fallen the erosion of privacy will continue. To quote James Madison, “There are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.” This procedural step is a gradual and silent move to most people.
Also if there is nothing to worry about, please send me your laptop or phone without clearing the history first. I will be more than happy to inspect it for you.
Much of this information was gathered from the webpage https://www.eff.org/deeplinks/2016/06/help-us-stop-updates-rule-41.
The lock pick image is public domain from Wikimedia. More information about it at https://commons.wikimedia.org/wiki/File%3ALockpicking_Pickset.jpg.