Open source software developers released the exploit of an attack method used by unknown hackers. This one is similar to the FBI’s exploit, about which the judge blocked information. The FBI isn’t going to be the only party who would know about their exploit. So, is it better kept in the hands of people who can use it for whatever purpose? Or, are we all better off having these security flaws published so that software developers can fix them to keep users secure, and users can know when they may be at risk? Which decision keeps more people safe? Who really has your back?
Tor is used around the globe by human rights activists, journalists, political dissidents, persecuted minority groups and many others at great personal risk for things many of us often take for granted. It’s used daily in order to access or share information on the web without being arrested or worse. Some (a few? one?) people want to turn it all off.
There’s been a good amount of drama with the project in recent months, which you can search out for yourself instead of me trying to summarize things here. Suffice to say, no matter what you find published, you won’t know the whole story. No one outside the people involved actually does. No matter what you’re thinking about it right now, it’s most likely based on assumed knowledge. Stop it.
It actually hasn’t stopped a scruffy group of (oh, how to put it with decorum) butthurt trolls from deciding what’s true and what isn’t based on fanboy loyalty, as it turns out. They’ve tried to launch a “Torstrike” (with a hashtag, and a logo and everything!) to try and get Tor node hosters to turn off their machines for a day. That is, unless a series of mostly highly improbable and nigh unachievable demands are met. Great, punish at-risk internet users around the globe because you want to throw a take-our-toys-home temper tantrum. Apparently that’s set for 1 September.
A number of people are using this as an opportunity to set up Tor relay nodes and turn it into a strike for better Tor speeds for all. I would think that’s actually what any self-proclaimed defender of the internetwebs would want in spite of what their personal axes to grind with this or that individual may be.
Tor is open source software. You can use it in the form of the Tor Browser, for example, to achieve a more anonymous web cruising experience.
Setting up a Tor relay is actually remarkably simple. It’s installing the Tor software, uncommenting some code, fidgeting some digits and restarting things until it all goes right. I’d warn against going for an Exit node unless you know what you’re getting into, and are prepared for it. But a relay can run on your own machine, or another one in the house. If you can get your company or large organisation to support it, then you can scale up. If you don’t want one in the house, setting it up somewhere like Digital Ocean is quick, and may run you $10 a month. After it’s been running a few hours, you can see how your relay compares to the rest here.
Guides on starting a relay abound, but I tend to think this one gets it most clear and succinct. Mine was up and working within 1 glass of wine and 4 tracks into the Spotify “Film Noir & Crime Jazz” playlist. The above linked walk-through works for Ubuntu 14.04, and I think it would be essentially the same for a Mac. If you want to try it on a Windows machine… well, I just don’t know what to do with you. Let me know how you get on.
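As an added example (not from the original post, the linked guide, or the Tor Project): a shell check that reports whether a torrc describes a client, a non-exit relay or an exit relay, which is the distinction the warning above is about. The sample torrc is constructed, and its nickname and contact address are placeholders.

```shell
#!/bin/sh
# Added example: classify a torrc by whether it would run an exit relay.
torrc_exit_status() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }                     # skip blank or valueless lines
        {
            key = tolower($1)               # option names are case-insensitive
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
            sub(/[ \t]+$/, "", val)
            val = tolower(val)
            if (key == "orport" && val != "0") relay = 1
            else if (key == "exitrelay") exitrelay = val   # assumed: last value wins
            else if (key == "exitpolicy" && first == "") {
                split(val, parts, ",")      # rules match in order; keep the first
                first = parts[1]
                gsub(/[ \t]+/, " ", first)
                sub(/ $/, "", first)
            }
        }
        END {
            if (!relay)                          print "client-only"
            else if (exitrelay == "0")           print "non-exit"
            else if (first == "reject *:*")      print "non-exit"
            else if (exitrelay == "1" || first != "") print "exit"
            else                                 print "version-default"
        }
    ' "$1"
}

# Constructed sample torrc for a middle relay; nickname and contact are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Listen for relay traffic
ORPort 9001
Nickname ExampleRelay
ContactInfo relay-admin@example.org
RelayBandwidthRate 1 MB
RelayBandwidthBurst 2 MB
# Refuse all exit traffic
ExitPolicy reject *:*
EOF
torrc_exit_status "$sample"
rm -f "$sample"
```

A result of `version-default` means the file turns on relaying but says nothing explicit about exiting, so the behaviour depends on the installed Tor's default; adding the `ExitPolicy reject *:*` line removes the ambiguity.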
Technology has automated a number of tasks required of a secret police state. Consider how things used to be: The likes of Joseph McCarthy and J. Edgar Hoover had to employ teams of people to infiltrate groups, run blackmail and sting operations, threaten and pay off a load of people to maintain paper records of folks who may or may not have been communists, most of them in the latter category.
Modern methods aren’t any more precise, but you can employ far fewer people to create much bigger lists in a shorter amount of time and scare the shit out of many more people much faster. Miracles of the new age.
Will Potter says green is the new red. He may be right, but I think the onion is actually the new hammer and sickle.
More interesting is how XKeyscore is being used against Tor. This has been a fascinating week of revelations about America’s global data hoovering efforts, at least if you know German. XKeyscore is all over the news in Germany, where its source code has been leaked and analysed. It automates how people can be listed as potential threats simply based on which websites they visit. You could be up for automatic targeted surveillance if…
You’ve visited websites sitting on MIT’s server at 126.96.36.199, which hosts email anonymising software MixMinion alongside some innocuous gaming programs.
Hoover or McCarthy could have only dreamed of such a toy. There’s bound to be more information on who gets listed in the source code that seems to have been released by an NSA whistleblower who may not be Edward Snowden. “One of the biggest questions these new revelations raise is why?” asks Kyle Rankin on the Linux Journal blog. I thought it may have come down to beards. A lot of Linux users and Jihadists are known for them. Maybe it’s confusing.
Kyle points out: “the Boing Boing article speculates that it might be to separate out people on the Internet who know how to be private from those who don’t so it can capture communications from everyone with privacy know-how.” This is about activists. Who’s hosting, creating and teaching how these things work… and to whom? This reason seems to be backed up by testimony in Germany by two former NSA staffers.
It shouldn’t be surprising. A couple of weeks ago, we learned how the NSA remains able to access and retain American citizen private communications without a warrant. Earlier this week the NSA’s practices were endorsed by President Obama’s own appointed “privacy board” which reported finding “no trace of any such illegitimate activity associated with the program, or any attempt to intentionally circumvent legal limits.” Of course they didn’t.
XKeyscore itself has been known about for almost a year now. This new information only offers a bit more insight into some of the interests it targets. Your interests, for example, if you’ve actually read this far. May as well keep going at this point.
America is far from alone in creating innovative ways to list people. In the UK, the government wants internet service providers to block content unless users specifically ask to see it. Described as a porn filter, people wanting to opt out would also have to tell their ISP they want to access information on various topics, not all of them related to watching people shag in innovative ways. You’d also need to let your ISP know you want access to sites featuring web blocking circumvention tools, esoteric material, web forums, extremist material, and so forth. The ISP puts you on lists for each category. The government decides whether something is esoteric, extremist, pornographic, or the rest. How convenient.
Meanwhile, a group of seven international ISPs popular amongst human rights, environmental and civil liberty activists are taking GCHQ to court over attacks against their networks. There’s good reason to think they should have success in the lawsuit, though I’d be skeptical that it results in a shift of GCHQ practices.
This all fits nicely with my Bailing Hay thesis. Governments are in panic mode. We can see this elsewhere in Europe as well. The Index on Censorship and Osservatorio Balcani e Caucaso are using Ushahidi to crowdsource a map of attacks on free expression and investigative journalism across Europe. It includes threats, intimidation, violence, censorship, detention against journalists and bloggers alike. It’s getting to be a pretty full map.
It’s not only media types who are facing more intimidation in countries that would rather be better known for civil liberties and democratic principles. Increasingly across Europe, unlawful monitoring and methods of coercion are being aimed at environmental activists and human rights advocates. Not exactly ISIS, but then the U.S. can’t seem to track them at all and they’re on Twitter.
Article 19’s report, “A Dangerous Shade of Green: Threats to Environmental Human Rights Defenders and Journalists in Europe,” documents how, in most nations across Europe, laws ostensibly created to fight terrorism are re-interpreted to go after Greenpeace and other entirely non-violent activists, trying to portray them as terrorist threats. Safety isn’t the main concern. Stopping disruption is. That’s not easy, really, because back in the U.S. you have a government that wants to simultaneously stir things up and shut things down.
The meme trending on Twitter is #TORrorist. Someone’s already made a T-shirt, so you know it’s got legs. We’ve got a bizarre situation in which the NSA is attacking users of an open source project originally sponsored by (though no longer related to) the U.S. Naval Research Laboratory that is still receiving funding from the State Department. Talk about your mixed messages. What’s important, though, is that it works. Properly set up and used, Tor can make it much more difficult to track your online doings.
I’m sitting on a computer that’s not mine, using an operating system that’s not installed on it to write this blog post. When I finish it, I’ll log out, and when the computer’s actual owner fires up his machine, there will be no record that I’ve ever used it (outside of this blog post, of course).
It was internet privacy X-mas this week. Tails 1.0 was released to… not so much fanfare outside of certain circles. There are some great strides in security between this version and the previous. It’s also taken a big leap forward in usability since I last looked in. And it seems more people are finding a reason to use it. According to the Tails site, “In the last 18 months, the approximate number of Tails users has been multiplied by 4.” I don’t know what that means in total numbers, but I’d bet the NSA and GCHQ have provided it a great marketing boost.
Like all good open source projects, it’s got a name that won’t make sense to most people. Tails stands for “The Amnesic Incognito Live System.” Only two of those words may translate into something you’d relate to what it may be doing for you, and The isn’t one of them.
Amnesic: The system (a very light-weight Linux distribution) lives on a DVD disk, USB stick or SD card, which you use to boot up a machine. It’s set up to leave no trace behind on the computer itself.
Incognito: Tails routes all its internet traffic through Tor by default, and includes solid encryption kit, OTR messaging, and other bits and bobs to assist people wanting to maintain healthy portions of either privacy or anonymity.
Tails (in a much earlier version) was used by Edward Snowden, Glenn Greenwald and Laura Poitras to communicate and plan around their NSA exposé. It helped them thwart the NSA then, and it was much buggier and limited at the time. Calling something “1.0” can give you a great sense of accomplishment, but in real terms, it doesn’t mean that terribly much. New versions are generally released using numbers higher than the previous. You can be snazzy like WordPress and name them after jazz musicians, because all the numbers mean is that this one comes after that one.
Typically, anything post zero-point-anything should mean that it’s finishing its Beta phase. For something aimed at providing the level of security Tails promises, you could argue that there will never be a post-beta. New threats and exploits emerge all the time. But in Tails’ case, 1.0 means something to me.
In 2012 Lifehacker promoted it as a way to “Browse Like Bond.” I could see that the project was on to something then, but it wasn’t quite up to 007 standards back then. Most every machine I tried it on didn’t load from a USB stick. Using it on a DVD helped with a few, but even then you ran a good chance of seeing more machines without a drive than with one. But the promise was there.
Two years on, it’s turned a sharp corner. Thus far, I’ve tried this new release out using a USB stick on various machines running Windows and Ubuntu and have even started it on Macs that use different systems named after various cats. All worked. On a couple, I found it preferable to the system that’s otherwise there.
The Tails OS doesn’t store anything. Every time you boot it, it’s like it’s not been used before. For my purposes, two USBs do the job. One has the Tails system on it, and the other contains an encrypted partition with the data I want to use in Tails (documents, browser bookmarks, email settings, KeePass entries, etc.).
Let’s remove hacktivism, whistle blowing, invasive government spying and so forth from the equation for just a moment. This is great travel gear. All your data is encrypted; you don’t need to worry about lugging around or losing your laptop; you’re going to be more resistant (though not impervious) to attacks by scammers, and you don’t have to worry about leaving some trace of your login details behind. You can pack your computer in less space than your shaving kit.
Back to serious things that you can use the internet for: As someone with a job that’s at least partly concerned with digital security for journalists, Tails is a system any investigative reporter should at least have on stand by. Activists serious about winning should also be using it whenever they sit down at a machine.
The operating system isn’t sexy, but it’s also not Vista. It’s a minimal no-nonsense thing that I actually prefer to a lot of overly designed desktops that seem to be made by people who think icons should bevel or menus should have pretend shadows behind them. And it’s not as bad as other attempts at anonymous OS desktops of the past. Someone walking behind you wouldn’t raise an eyebrow at this…
It’s not just got the privacy stuff, but also a lot of open source productivity tools, so you can create and edit documents in LibreOffice (which also work in Microsoft Office), photo edit with GIMP (though, not sure you’d want to) and it comes with audio editor Audacity, which is quite neat. It’s also got a number of other little productivity apps that will help you get work done from the shadows.
V1.0 shows an amazing result in security and usability from where it was five years ago. It was already a pain to the NSA, but with this release it’s much less of a pain to the end user in installing and using it. The most secure computer you’ll own can now be almost anyone else’s computer.
From around the webs:
“Tails works by booting your computer off of an external disk — usually a USB drive, an SD card or a CD — but getting Tails onto the right storage drive is harder than it sounds. Ideally, you’d keep it on a CD: once it’s burned into the plastic, the code can’t be changed, making it completely immune to malware.” — The Verge
“Version 1.0 status is apt because the release quashes numerous nasty flaws. Detailed here, the fixes include client-side blacklists for Tor directory authority keys vulnerable to the headline-grabbing Heartbleed bug that mean Tails 1.0 clients will be protected even if attackers compromised a majority of authority signing and identity keys.” — The Register
This is an incredible breakthrough (and dig the new logo as well). The weakest link in the system is that humans will be using it. There still exists a browser option in Tails, which it calls “the unsafe browser” that allows you to search the web without protection. You can also create a version on the USB stick that allows you to save data to it and add new software that may or may not work with Tor or your other incognito and amnesia kit. With great power comes great responsibility not to injure yourself, I guess.
These are my Tails tips:
Don’t expect technology to save you. At all.
Keep any personal data you use with Tails encrypted somewhere secure or there’s absolutely no point.
If you start a session using an anonymous identity, don’t switch over and check your Facebook or personal Gmail or any other Real You whatnot. Your Tails session activity and times can still be correlated, and tied in numerous other ways.
Practice data minimalism: You need online accounts to use some things in Tails (Email, Jabber, etc.). Enter no more than is required and don’t be consistent in what information you use on any service.
Decide if you’re focusing on privacy or anonymity before starting. What are you trying to protect? Who potentially from?
Tails is a platform that makes the internet a very specific thing. It encourages productivity. Looking at it through Tails, you focus on less anything-goes-social-twaddle, and more on targeted communications. Though, if more of the internet was like that it would probably be more interesting.