Web Security

The Digital Hub offers classes on password and social network security.

We live in an age where we post our lives online, shop online and communicate online.
There are precautions you should take and we will talk about these issues and how best to be anonymous (or at least to know when you are not).

Recently a whistleblower revealed that the US government is looking at and listening to all communications from Google, Facebook, Skype, eBay, etc.
We live in an age of very little privacy; do not make it easier!

Here is an article by technology writer Stilgherrian explaining how being totally ‘private’ is like swimming against the tide.

How to keep the NSA out of your email
STILGHERRIAN
Technology writer

The Internet is awash today with handy click-magnet lists of software and tips to stop the National Security Agency spying on your online activities and phone calls after it was revealed the US spy agency had access to a vast amount of its citizens’ private data. This is not one of these lists. I will give you a list, sure, but then I will explain why it can only be the very, very beginning of your path to becoming the James Bond of your laughable fantasies.

Anyway, here is the list. Other handy hints can be found in Slate on Friday, The Washington Post, The Guardian and others.

  1. Examine the privacy and security settings of every piece of software that you use. Methodically, turn off everything that is not vital.
  2. Encrypt your email. On the public Internet, your communication passes through computers over which you have no control, and from which you can be monitored trivially. Use the commercial PGP software or the free GPG. It is not a click-to-install, but there are tutorials for Windows and for Mac. Obviously every person you email needs to use this as well.
  3. Install privacy-protecting web browser and chat plug-ins, as detailed in the articles I have linked to.
  4. Use Tor to hide your Internet Protocol (IP) address. It bounces your data traffic all over the Internet, making it harder to track (but not impossible).
  5. Encrypt everything. Turn on the encryption tools on your computer and smartphone, so that the data cannot be recovered if they are stolen. Encrypt your backups as well. Do not upload anything to an online service without encrypting it first.
  6. Attend a CryptoParty and learn how to use all those tools.
  7. Check out Silent Circle, which offers encrypted end-to-end communication. Its servers are in Canada, where the US government cannot hit them with a warrant. (Disclosure: I’ve been drinking with Silent Circle’s Chief Technology Officer).
  8. Always work on a software “virtual computer” that runs on your actual computer. Even if you have the best anti-malware (anti-virus and the rest) protection, a unique piece of malware that will pass straight through your defences costs just $250 on the black market. Delete your potentially infected virtual computer at the end of every session online and start again with a fresh one.
  9. Remove your phone battery when you are not using it, so your location cannot be tracked.
  10. And so on.

The key problem with all of that? Imagining that security can be fixed by sprinkling some “magic security dust” technology, as infosec megastar Bruce Schneier puts it (he literally wrote a textbook on this, Applied Cryptography).

No matter how well you encrypt the “data in transit,” every communication has two endpoints. Those endpoints are the way in. In his subsequent book “Secrets and Lies,” Schneier quotes another security megastar, Gene Spafford, on the pointlessness of this focus on data in transit:

“Using encryption on the Internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

No matter how well you use tools like Tor, there will still be a record of your location somewhere. As American Civil Liberties Union chief technologist Chris Soghoian told the WaPo, “The laws of physics will not let you hide your location from the phone company,” and while Tor may help stop tracking via your web browsing, what about all the other software you use and what about the people at the other end of your communication?

Even if you cannot be tracked constantly, the NSA does not need much to identify you by cross-matching your movements with other records. Research has shown that fewer than a dozen time-and-location data points will do the job. Similarly, everyone has a unique pattern of communication with friends, family and colleagues.

So here’s a better list:

  1. Learn about security. Not from the popular press, but from experts. Start with Schneier’s books “Secrets and Lies” and “Beyond Fear” and then follow some of the security blogs written by actual security experts.
  2. Learn about who you are up against. Start with the books by James Bamford, including “The Puzzle Palace”, “Body of Secrets” and “The Shadow Factory” and work it out from there.
  3. Plan your defensive strategy. Publishing material anonymously but where it is exposed is a different scenario from setting up hidden communications among a small group.
  4. Switch to an open source operating system such as Linux. With Microsoft, Apple and Google’s operating systems, you are relying on software that someone else has compiled. You have no idea what is really inside. With open source software, you can look at the program source code and compile it yourself so you know it does not contain any spyware or back doors.
  5. Use only open source application programs. Reassure yourself that the software is safe to use.
  6. Learn programming and systems administration. Otherwise you will not be able to read the program source code, and surely you cannot trust someone else to maintain your technology.
  7. Use “burner” phones and computers, just like on The Wire. Phones have unique IDs, as does most of the software on computers. Using the same device will quickly build a unique pattern.
  8. Never buy anything on the Internet. The global banking system logs everything, and they are already looking for patterns that indicate crime and terrorist activities.
  9. Never publish anything online. Everyone has a unique writing style. If you are posting political rants anonymously, they can still be matched with what you have published under your own name. Consider hiring a ghost writer. Then kill the ghost writer.
  10. Never speak on the telephone. Everyone has a unique voiceprint too. Centrelink has been doing this stuff for years.
  11. Actually, never do anything anywhere. Who knows what data traces you will leave behind and how easily that might be analysed by the spooks?
  12. Make sure that everyone and every company you ever communicate with does all of this as well. Who knows what they log? Better kill them all too, and burn their offices.
  13. Invent a time machine and use it because you have already failed to follow this list and your digital fingerprints are smeared all over the internet. They are coming for you right now.

So you thought you could go up against the NSA — an organisation with an annual budget of maybe $8 billion, a 60-year heritage of developing secret high-tech snooping gear and vast supercomputers. They have tens of thousands of the best and brightest employees, including the world’s largest collection of actual mathematicians — armed with nothing more than a list of tips from the Huffington Post and an adrenalin rush? Well done.