[CoLoCo] Computer Security and Online Privacy Workshop Notes

Mon Jun 30 20:27:03 BST 2008

cool. sounds very useful. The part about hidden partitions sound
particularly neat.

the part about about gmail and keyloggers is a good tip too.

here is a link to a cool, but scary open source clock hack.
http://www.bunniestudios.com/blog/?p=234

On Sun, Jun 29, 2008 at 9:58 PM, Ringo Kamens <2600denver at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I would like to thank everybody who took the time to come down to the
> Computer Security and Online Privacy Workshop for activists and
> whistleblowers this weekend. I/We might
> be throwing another one in a month or so, so if you're interested or
> know people who might be, send me an email
> (2600denver{at}gmail{dot}com). I have compiled some reminders for
> whose who came, others might find this interesting.
>
> Programs We Discussed:
>
> Truecrypt http://www.truecrypt.org
> Notes on Truecrypt:
> *Even after you close/eject/dismount your encrypted folder, the
> password might still be stored in memory so don't forget to open lots
> of programs such as movies/documents to help overwrite the memory
> *Use the algorith Twofish-Serpent for your encryption as it is the most
> secure
> *Anything your put in your truecrypt folder is encrypted on-the-fly
> *Don't just unplug a computer running truecrypt, always click
> "dismount" and shut down properly. If you mess up your encrypted
> folder, too bad for you
> *Beginner's guide available at http://www.truecrypt.org/docs/
> *Hidden partitions are cool, you should look into them
>
> Tor bundled with Firefox, Privoxy, Vidalia, and TorButton
> getfirefox.com (install this one first)
> torproject.org
> We also installed noscript to stop anonymity-breaking scripts, and you
> can find noscript at https://addons.mozilla.org/en-US/firefox/ (search
> for it)
> Notes on the Tor bundle:
> *Install Firefox first, then the Tor Bundle, then NoScript
> *If you use Firefox 3.0 and Tor, don't use "live bookmarks"/rss
> *Use the button at the bottom right of Firefox to enable/disable tor
> and your anonymous connection
> *Before enabling tor in firefox, go to Tools> Clear Private Data in
> order to clear data that could connect your "tor identity" to your
> real one
> *If tor is being too slow, restart it
> *If you're using Internet Explorer... STOP!
>
> Eraser (eraser.sourceforge.net)
> Notes on Eraser:
> *Only use the open source version
> *You can also use http://sourceforge.net/projects/tfs/
> For Max/Linux/Unix, use the command (in the terminal/console)
> srm /directory/directory/filename
> *If you need to quickly and securely wipe a hard drive/floppy in an
> emergency, you can run a magnet over it a bunch of times.
> *As for flash drives, I have heard microwaves work but that might be
> rumour. Just crush it and set it on fire and go apeshit on it for best
> results.
>
> PGP/OpenPGP/GNUPG
> Windows version at http://www.gpg4win.org/
> OS X Version http://macgpg.sourceforge.net/ (install GNU Privacy
> Guard, then KeyChain Access, File Tool, Dropthing, and preferences)
> Linux version gnupg.org
> Plugin for OSX Apple Mail
> http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html
> Notes on encryption in general:
> *Don't use in public areas or places that might be subject to camera
> surveillance
> *Send your public key to anybody you wish, that's what they use to
> encrypt things to you
> *Store your private key in a safe place (not your computer) and make
> sure you don't leave it laying around. Have a plan in place to destroy
> it if needed.
> *The more "bits" a key has, the stronger it is
> *Never use passwords that are in the dictionary, include numbers and
> weird characters, make your password long but rememberable. Ideas for
> passwords include phrases in a favourite book of yours
> *You are not required by US Law to reveal your private key or password
> (fifth amendment). You may be held in contempt if a court order
> requires you to do so, but such an order would be unconstitutional
> *Encryption (in truecrypt and public key systems) is nearly impossible
> to crack. Only adversaries such as the NSA have such abilities.
> *Ask your friends to encrypt+sign emails to you
> *It is not rude or intrusive to ask others working in groups with you
> or giving/receiving information to/from you about their security
> precautions. Insist that others use encryption, it's your safety
> *Don't use your private key or view encrypted things on public
> computers at the library, your friends house, etc.
>
> Other Notes:
> *If you want to remain anonymous using public wireless, you'll need to
> change your MAC address.
> Mac Address Changers (make the first two digits zero to make it more
> believable)
> Windows
>
> http://www.download.com/SMAC-MAC-Address-Changer/3000-2085_4-10536535.html?tag=lst-1&cdlPid=10796334
> OS X
> http://www.coolosxapps.net/2007/11/08/macdaddy-spoof-your-mac-address/
> On Linux, type sudo ifconfig to see your interfaces. Your wireless
> card is probably eth1 or ath*. Then do sudo ifconfig
> interface_name_here hw ether yournewmac here
> *If the information on your computer could have life-changing
> implications for you, consult an expert. Hackers are your friends, and
> you might find some help from the guys at hackthissite.org or
> hackbloc.org, mention that you're an activist.
> *The Exit The matrix guide is a good security primer
> http://exitthematrix.dod.net/matrixmirror/index.html
> *Consider anything you place on a computer or send over email to be
> available to anybody who wants to read it
> *Every time you open something on a computer there is probably a copy
> of it stored somewhere and there is always some reference to it on the
> computer, it is good to periodically wipe everything
> *Microsoft has a rich history of cooperating with the government, as
> do other "closed source" software makers
> *Open source software is generally more secure and reliable. Never use
> closed source software for security-intensive tasks
> *You're better off not using Windows. For a free (as in freedom and as
> in money) alternative, check out Linux. One popular distrobution is
> Ubuntu (see ubuntu.com)
> *When you delete something from your computer or format your hard
> drive, the data can be easily recovered using free software. Use a
> secure eraser. Always.
> *If you are looking for an open-source email program with support for
> encryption, try Thunderbird with encryption plugins.
> (getthunderbird.com)
> (https://addons.mozilla.org/en-US/thunderbird/search?q=openpgp&cat=all).
> It works with Gmail, etc. if you enable POP in your gmail settings
> *Watch out for keyloggers. They may be connected in-between your
> keyboard and computer or installed as software. Use Anti-Virus
> software to combat the software type
> *Some document formats can reveal sensitive information about you such
> as your name. Examples are DOC, JPG, JPEG, PDF, XLS, etc. Make sure
> you properly delete such data with the appropriate program or send the
> information in "plain text" ie copy it into notepad.
>
> Here is my public key so you can send encrypted messages to me. I have
> signed this message so you can verify that I, Ringo Kamens, sent this
> email. If you do not have PGP encryption, please see above for
> information on how to use it.
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> mQGiBEhm26gRBACQTaB4jWQgIjuw5MkwWlXlzvTtQmyDNU6IzYqiEeYSaGvRd09b
> WxBxnYfATmwfcwBlt7/6YnmVaxvQPJAZh9E5CvUVFBsV/ORH0GXAGSbDWEveq2sQ
> T+P/f6mQWcEALnAoMFaIhA1DOHsa/od05wLPFdX1Of/KPCvgr7BRyxJMXwCg1kmW
> OWLUtp2rjrjToFrbcSc36y0D/1ngQcaXziXfgDDi3f8AhXWqYepQ4VLUaHB0hpn5
> lyfU0Bz2Stc7IN/iRzH0SHvwTrYiMkCgoHz2HY+3M/JaDk5010k2FSSiXeFzTeS/
> ROTb109jVOAsjemrwILLWF+n1DwtG0foj8uO1mWDe73ExD5znBM9YCth5LIUIVvS
> MqgqA/9NlJw06hBqxkIPHc8HoWAaBcDxY5Egim9ab1Pr+H9e7+CHO1/VW3Hmf1FJ
> fHswaZXUOXUinAczepQyANkdlhiJw08In1yXdLJbI8PeLOiR/WXQ7Thr4pTslK3l
> hqYzW5GeLwM+J16FPvbBuaz/qkX1vgEUPtgoLdHNAHYlopceyrRPUmluZ28gS2Ft
> ZW5zIChUaGlzIGlzIG9ubHkgZm9yIG1haWwgdG8gdGhlIGVtYWlsIGxpc3RlZCkg
> PDI2MDBkZW52ZXJAZ21haWwuY29tPohgBBMRAgAgBQJIZtuoAhsjBgsJCAcDAgQV
> AggDBBYCAwECHgECF4AACgkQmBTzXUpNYqQkSwCeITuCZMOFq1IZJ8s5ppv6g+im
> hDoAoJT4FFDWMm6U9H9Ce3KPq28B4yM9uQQNBEhm3DsQEACTylTxyW2Q9vZDfa6k
> RBfD9EY+RlUT4reSKBddFJzXbULvlez1VOYQ8DgClZf8k39E2AoC70/VfVRQ4Dw1
> o4lnznVv0b8rXL+sVTodcWsQ2SvilVD7RbE1pdFO66vOlE0A5PenBUR860S7LRbt
> VFFe33w0RgJTI0fY3qxI3z+A/A4d7hBDKtIFicuW8/Wf9licD08bRSUeP2/RmyE1
> s2bb7AgI8hyB8QAkTCJqf3jokwHtVecdnfILo7r45GU+xbOz5PcQh/bEJkgE7kGC
> oAC/elwaULw7l1Mgnc2B+0XfjRojO+qokD/AQKg1nUy/vpbnYnqLJuETSEwCoT66
> n0MtyGju9kYFGtqfdZTyIP9VMqRoanPuA+EdnR6U5SazvfVk4kRn3lVbsk2QhVms
> 0y056xyMp0WaP6+T0OZ5uSPowu4EUWRl5ZQJ/arHTUSnZvxepG5Tru4rfn+nnXeB
> 17a1CNRUOI5fJCRtBa7xMQbBfVYbsdq5Q/76q5bA2XEWgCDw8ohlZpSUY/Ngh6VV
> 7KizNFjQc6jSDfDhn/0zvSn7OMHvxY3jCbnD+R59bgpO1hGnBAE3r/H5TaA1kcYQ
> mLLWHfvkTZkliocT9LYz8sn/ily26CghmK5VzbYkf+UczQAJDSLLumufFUno5y5D
> 3zGold4C7kiwsJg+cGVLDJFsRwADBw/9Hs1JdZ1y9niY/E40sRzXT38jmQXv64KQ
> Jsbyf7/zZ86O/ftZkyP6eI0MnYcbdZB36rlCB57BiiL85CLWp8GKQxTH3KUWy5q1
> nExye+/Pvs1fx1spdcJpTthz++OaIJz1giISMVI3woSaQoZXmXkjMQzJZC6QowCD
> O3lj34kYeJWpjtU8vk5qPoZkuKj3HcjVHt003ByC+wBEj6ZCM5OsecuY9pHsz9tN
> A1hT3tivqrAkuxO05fmaaUQZglrQw1xFgBYpvRedaedUS3TRoLSiJ6aR9oNV2olL
> BsUi9GDyVatMqsngu6PYgsQTDkpPd9wYIO0riqmBRl+g5gsJiS1JlC9OBTQ6S2Cl
> 89hHRF4ST/0KvLxZjw7FjPK9z+ReS5EHo3SYCVkJ3vUGjfmiO1RpKP9UvE2lBfTn
> 4jUFQwC9/yFYEK28uDpsBU5dR0/E2PFCuyiRCtBomRLFMb16GDpW2QnlFM/DfWOt
> HkH9urPA/D2l5nDaGDzmhk0aW6qwZj4uWPX8NlXlHxTfr6i3bLHnqPn+6mNGbkwf
> IyVkLuBhLvH1wA4P+381wLOtpJpZCY4zwROnGCZsi3yXN2Ec3Rc8cOlcEw3j/Km2
> uR3gH9fs9DiG5Y2UoZ7QuluvKwXve69tcSEO8Tk2QAbfz9/H0Q8hlVsQAnqzmof4
> ZWaoRGNUjMCISQQYEQIACQUCSGbcOwIbDAAKCRCYFPNdSk1ipJY9AJ9FOk56yLQK
> vlrVo82DRG5C0droOACfZXD/7USncwGA1Db3C3VQuxPDpEg=
> =eX5j
> - -----END PGP PUBLIC KEY BLOCK-----
>
>
> Strength, Solidarity, and Security,
> Comrade Ringo Kamens
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIaFnhmBTzXUpNYqQRAhM9AJ0cX5zmYFgYhGdrcAVjiVztVHXu4gCgxgwZ
> 56q4I6kNpvzSJRUSUFKRG0A=
> =OD7b
> -----END PGP SIGNATURE-----
>
> --
> Ubuntu-us-co mailing list
> Ubuntu-us-co at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-co
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/ubuntu-us-co/attachments/20080630/0587fbdb/attachment-0001.htm 