[CoLoCo] Computer Security and Online Privacy Workshop Notes
Ringo Kamens
2600denver at gmail.com
Mon Jun 30 04:58:25 BST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I would like to thank everybody who took the time to come down to the
Computer Security and Online Privacy Workshop for activists and
whistleblowers this weekend. I/We might
be throwing another one in a month or so, so if you're interested or
know people who might be, send me an email
(2600denver{at}gmail{dot}com). I have compiled some reminders for
those who came; others might find this interesting.
Programs We Discussed:
Truecrypt http://www.truecrypt.org
Notes on Truecrypt:
*Even after you close/eject/dismount your encrypted folder, the
password might still be stored in memory so don't forget to open lots
of programs such as movies/documents to help overwrite the memory
*Use the algorithm Twofish-Serpent for your encryption as it is the most
secure
*Anything you put in your truecrypt folder is encrypted on-the-fly
*Don't just unplug a computer running truecrypt, always click
"dismount" and shut down properly. If you mess up your encrypted
folder, too bad for you
*Beginner's guide available at http://www.truecrypt.org/docs/
*Hidden partitions are cool, you should look into them
Tor bundled with Firefox, Privoxy, Vidalia, and TorButton
getfirefox.com (install this one first)
torproject.org
We also installed noscript to stop anonymity-breaking scripts, and you
can find noscript at https://addons.mozilla.org/en-US/firefox/ (search
for it)
Notes on the Tor bundle:
*Install Firefox first, then the Tor Bundle, then NoScript
*If you use Firefox 3.0 and Tor, don't use "live bookmarks"/rss
*Use the button at the bottom right of Firefox to enable/disable tor
and your anonymous connection
*Before enabling tor in firefox, go to Tools> Clear Private Data in
order to clear data that could connect your "tor identity" to your
real one
*If tor is being too slow, restart it
*If you're using Internet Explorer... STOP!
Eraser (eraser.sourceforge.net)
Notes on Eraser:
*Only use the open source version
*You can also use http://sourceforge.net/projects/tfs/
For Mac/Linux/Unix, use the command (in the terminal/console)
srm /directory/directory/filename
*If you need to quickly and securely wipe a hard drive/floppy in an
emergency, you can run a magnet over it a bunch of times.
*As for flash drives, I have heard microwaves work but that might be
rumour. Just crush it and set it on fire and go apeshit on it for best
results.
PGP/OpenPGP/GNUPG
Windows version at http://www.gpg4win.org/
OS X Version http://macgpg.sourceforge.net/ (install GNU Privacy
Guard, then KeyChain Access, File Tool, Dropthing, and preferences)
Linux version gnupg.org
Plugin for OSX Apple Mail
http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html
Notes on encryption in general:
*Don't use in public areas or places that might be subject to camera
surveillance
*Send your public key to anybody you wish, that's what they use to
encrypt things to you
*Store your private key in a safe place (not your computer) and make
sure you don't leave it lying around. Have a plan in place to destroy
it if needed.
*The more "bits" a key has, the stronger it is
*Never use passwords that are in the dictionary, include numbers and
weird characters, make your password long but memorable. Ideas for
passwords include phrases in a favourite book of yours
*You are not required by US Law to reveal your private key or password
(fifth amendment). You may be held in contempt if a court order
requires you to do so, but such an order would be unconstitutional
*Encryption (in truecrypt and public key systems) is nearly impossible
to crack. Only adversaries such as the NSA have such abilities.
*Ask your friends to encrypt+sign emails to you
*It is not rude or intrusive to ask others working in groups with you
or giving/receiving information to/from you about their security
precautions. Insist that others use encryption, it's your safety
*Don't use your private key or view encrypted things on public
computers at the library, your friend's house, etc.
Other Notes:
*If you want to remain anonymous using public wireless, you'll need to
change your MAC address.
Mac Address Changers (make the first two digits zero to make it more
believable)
Windows
http://www.download.com/SMAC-MAC-Address-Changer/3000-2085_4-10536535.html?tag=lst-1&cdlPid=10796334
OS X http://www.coolosxapps.net/2007/11/08/macdaddy-spoof-your-mac-address/
On Linux, type sudo ifconfig to see your interfaces. Your wireless
card is probably eth1 or ath*. Then do sudo ifconfig
interface_name_here hw ether yournewmac here
*If the information on your computer could have life-changing
implications for you, consult an expert. Hackers are your friends, and
you might find some help from the guys at hackthissite.org or
hackbloc.org, mention that you're an activist.
*The Exit the Matrix guide is a good security primer
http://exitthematrix.dod.net/matrixmirror/index.html
*Consider anything you place on a computer or send over email to be
available to anybody who wants to read it
*Every time you open something on a computer there is probably a copy
of it stored somewhere and there is always some reference to it on the
computer, it is good to periodically wipe everything
*Microsoft has a rich history of cooperating with the government, as
do other "closed source" software makers
*Open source software is generally more secure and reliable. Never use
closed source software for security-intensive tasks
*You're better off not using Windows. For a free (as in freedom and as
in money) alternative, check out Linux. One popular distribution is
Ubuntu (see ubuntu.com)
*When you delete something from your computer or format your hard
drive, the data can be easily recovered using free software. Use a
secure eraser. Always.
*If you are looking for an open-source email program with support for
encryption, try Thunderbird with encryption plugins.
(getthunderbird.com)
(https://addons.mozilla.org/en-US/thunderbird/search?q=openpgp&cat=all).
It works with Gmail, etc. if you enable POP in your gmail settings
*Watch out for keyloggers. They may be connected in-between your
keyboard and computer or installed as software. Use Anti-Virus
software to combat the software type
*Some document formats can reveal sensitive information about you such
as your name. Examples are DOC, JPG, JPEG, PDF, XLS, etc. Make sure
you properly delete such data with the appropriate program or send the
information in "plain text", i.e. copy it into notepad.
Here is my public key so you can send encrypted messages to me. I have
signed this message so you can verify that I, Ringo Kamens, sent this
email. If you do not have PGP encryption, please see above for
information on how to use it.
Strength, Solidarity, and Security,
Comrade Ringo Kamens
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIaFnhmBTzXUpNYqQRAhM9AJ0cX5zmYFgYhGdrcAVjiVztVHXu4gCgxgwZ
56q4I6kNpvzSJRUSUFKRG0A=
=OD7b
-----END PGP SIGNATURE-----