“I spoke with a number of journalism schools, to see how the growing issue of cyber-security was being handled, and found a range of approaches. I turned to my alma mater, Columbia’s Graduate School of Journalism, and spoke with Emily Bell, the director of Columbia’s Tow Center for Digital Journalism, a dual master’s program in journalism and computer science, which is in its first year. She says that issues of cyber security bother her “immensely,” but at this point, most students aren’t receiving detailed instruction about it. The only cyber-security course being taught takes place within the computer science program, which is only offered to the students enrolled in the Tow Center’s double major. Bell says discussions are underway for how to introduce this more broadly to the curriculum.”

This is great, but not all journalism students want to (or have the means to) go on to graduate school, much less at Columbia, much much less as a double major. Everyone I’ve spoken to who’s taken undergraduate journalism or general communications classes said that data security wasn’t brought up in the classroom.

Now I’ll be honest, as an undergrad, I’m a bit lazy with my data. I’m not reporting on anything particularly hard-hitting or of national interest, so I’m not too worried that anything journalistic on my computer or iPhone is incriminating. Most of what I know about journalistic data security is from my own research and a seminar I attended at the national Society of Professional Journalism conference hosted at Boston College this past April. In only about an hour, the presenters explained TOR, encrypted messaging, email protection, and general data security measures journalists should know about like using burner phones. There’s no reason these skills shouldn’t be applied in every undergraduate journalism class. Since I’m not done with my degree program I’ll give my school the benefit of the doubt for now, but most students I talk to don’t even know what TOR is, and that’s extremely problematic for the future of this field.

A few years after Santo’s piece, NYU journalism professor Adam Penenberg had this gem of an excuse why not:

“… the NYU program didn’t require all students to learn comsec [communication security] for the same reason that they didn’t require all students to learn ‘how to line up ‘fixers’ in a war-ravaged nation or go undercover with a hidden camera. Only a fraction of students will ever need those skills.'”

Only a fraction of journalism students need to learn how to protect their information? It should be a no-brainer that any type of data, particularly email or phone correspondence, which journalists use most often, can potentially fall into the wrong hands and become incriminating. Not all students are techies, but modern journalism requires at least a base knowledge of technology, considering most of it is now on the internet. The days of meeting Deep Throat at a parking garage are long gone; although face-to-face conversation is still the most secure method of gaining information, this is not always possible as your sources may be halfway across the globe.

Susan McGregor, Columbia journalism professor offered the best rebuttal:

“As for the question, Does everyone have to learn this stuff? McGregor says, absolutely. Journalists have a collective responsibility; it’s as important as closing and locking the door behind you when you walk into your apartment building. ‘You may not be covering the NSA, but a colleague of yours might,’ says McGregor. ‘Unless you’re working really on your own, you have a responsibility to protect the person who is vulnerable or may be targeted within your organization by being responsible yourself. If you are not being responsible, you are exposing the people you work with, potentially.'”

Undergraduate journalism classes usually have a section on media law; my school has a whole required class on it. While of course it’s important to know how to deal with a lawsuit, wouldn’t it make sense to learn how to prevent one in the first place? There is concern over making students paranoid, but isn’t a healthy amount of paranoia necessary in the current security state?

McGregor is right – if you wouldn’t leave your apartment door unlocked, you wouldn’t leave all of your data out in the open fields of the web.

Lo stato vuole informazioni sicure sui suoi soggetti. Fin dal primo censimento in Egitto 5.000 anni fa, gli stati hanno sempre cercato di ottenere informazioni personali sui propri cittadini, soprattutto le tirannie, dove informatori e polizia segreta raccolgono informazioni su ogni attività potenzialmente sovversiva. Nell’era di internet e dello spionaggio governativo, le agenzie di spionaggio raccolgono informazioni su di noi – per lo più offerta ingenuamente da noi stessi tramite i social media – a livelli che avrebbero reso verde d’invidia l’NKVD di Stalin. Quando finirà tutto ciò non lo sa nessuno; intanto, meno informazioni utili si possono raccogliere e meno efficace è il controllo dello stato su di noi. Per quanto riguarda gli attivisti nel primo mondo, forme di comunicazione private o anonime potrebbe la soluzione ideale per evitare l’arresto preventivo. In posti come la Siria, poi, diventa una questione di vita o di morte.

All’inizio speravo che compagnie come Google sarebbero venute in soccorso implementando potenti sistemi di criptografia; purtroppo sembra sempre più improbabile che imprese in mano agli azionisti e intrecciate con il governo possano offrire servizi sicuri efficacemente. Se è vero che queste compagnie, che fanno grossi profitti e spendono grosse somme in attività lobbistiche, sono le meglio posizionate nella lotta contro lo spionaggio di stato, è anche vero che sono quelle che hanno più da perdere se non tirano dritto.

Lavabit di Ladar Levison era un servizio di email quasi sicuro. Ad agosto Levison lo ha chiuso citando interferenze e minacce da parte del governo. Secondo speculazioni terze, Levison aveva ricevuto una lettera della Nsa che chiedeva di ottenere dati sui clienti, probabilmente Edward Snowden. Recentemente si è scoperto che un giudice aveva emesso un ordine rivolto ad ottenere la chiave d’accesso SSL dei servizi offerti da Lavabit. Questa chiave permette una connessione criptata sicura tra utente e server. Il suo possesso dà la possibilità al governo di accedere in tempo reale alle informazioni mandate al sito dagli utenti. Questo a sua volta avrebbe reso possibile il rastrellamento delle credenziali e l’accesso alle email criptate dei 400.000 utenti di Lavabit.

Con suo grande merito, Ladar Levison decise di chiudere Lavabit, negando l’accesso all’archivio in cui sono custoditi i messaggi dei suoi clienti. Il suo rifiuto di principio è un’eccezione. Levison non aveva azionisti a cui rendere conto; solo se stesso e i suoi clienti. Non possiamo aspettarci che grosse imprese come Google, che finge di stare dalla nostra parte mentre in realtà cerca di favorire l’intrusione del governo, decidano di sfidare realmente lo stato. Altri, come la Microsoft, sembrano entusiasti di collaborare con l’NSA e altre agenzie a tre lettere.

Cosa significa per noi? Siamo condannati ad abbassare la testa? No! Dobbiamo prendere la cosa nelle nostre mani. Ci sono molti sistemi di criptografia gratis, open source e a standard aperto. Da quel che sappiamo, l’NSA è riuscita a penetrare i sistemi criptografati solo tramite la coercizione e la sovversione, non decodificando il codice. Molto probabilmente, possiamo ancora fidarci della matematica.

Quando un progetto è open source, il suo codice è disponibile allo scrutinio generale. Possiamo esaminarlo, possiamo sapere esattamente come fa quello che fa. La maggior parte di noi non ha le conoscenze tecniche per esaminare il codice di un programma prima di compilarlo, ma ci sono esperti e accademici fidati che possono farlo e lo fanno per noi. Così possiamo conoscere i potenziali punti deboli del software di criptografia e capire i limiti delle sua capacità. Quando comunichiamo usando PGP, ad esempio, usiamo uno standard aperto. Non abbiamo bisogno di affidare i nostri messaggi ad una compagnia che magari è stata costretta dal governo a compromettere la nostra riservatezza. Con PGP la chiave d’accesso è nelle tue mani; nessun altro può essere costretto a rivelarla. Il progetto Tor, più complesso, non è altrettanto ben definito. Per via della sua natura distribuita, le possibilità di abuso aumentano, ma il progetto è open source e questi possibili abusi sono documentati, e dunque possiamo studiarne i limiti.

La conclusione è che siamo tutti dentro. Se decidiamo di servirci dei servizi offerti dalle grosse compagnie, dobbiamo tenere conto del fatto che potrebbero comprometterci da un momento all’altro: non con la forza bruta ma con la coercizione. Con il software proprietario non c’è modo di valutare e prendere per buone le dichiarazioni dello sviluppatore. E quando usiamo un software open source dobbiamo renderci conto delle sue limitazioni e usarlo di conseguenza.

La sicurezza su internet è responsabilità nostra.

Traduzione di Enrico Sanna.

Approximately 23 bitcoins were taken, with a value of about 14,500 USD. No small sum. This theft occurred despite reasonable safety measures undertaken by Fr33 Aid on the Blockchain.info site. Including the use of two factor authentication. This kind of event is not new. Frequently we are given stories of bitcoins being stolen from people’s wallets. This has happened at coinbase, it happened to MtGox to the tune of $500 million dollars, which ultimately brought down the exchange, and it also happened to Fr33 Aid’s account at Blockchain.info.

The common theme in all of these is that the wallets were stored in online accounts. Storing ones bitcoins in an online wallet on a third party server is one of a few options that users of the cryptocurrency have. In keeping with my argument that Internet security is our responsibility I will argue that a locally stored wallet should be the option used by those who wish to keep their bitcoins safe.

While there are no shortages of horror stories to be found from people who have lost bitcoins from local storage due to malware or data loss, this can be mitigated and potentially eliminated by following best practices. The issue with online third party storage is that we are required to trust that they are undertaking best practices, in cases such as MtGox, where poor practices were followed, many found out too late.

Probably the most secure way to protect your bitcoins from online theft is to have it air gapped, ie on a device that is not connected to the internet. An example could be to place your wallet on a thumb drive, and put it in a safe place. If you are using a Linux OS, taking the extra step of encrypting the thumb drive is trivial while formatting the drive. While safe, this is probably best if you are only collecting bitcoins, or if you want to use it to store the majority of your bitcoins while using a secondary wallet for frequent transactions, because while you are still able to be on the receiving end of transactions, you must physically find the thumb drive, and break the air gap before using it. There is also the issue of losing the physical media – which thumb drives appear especially prone.

A practical middle ground that I endorse is a multi-factor solution that uses a few simple tools to keep your wallet secure from theft and from coin loss. It’s not particularly revolutionary, and these basic principles are outlined on bitcoin.org. Here is a simple specific example of how to undertake these steps.

This example will be using Bitcoin Core (formerly Bitcoin-QT) as the wallet program. Though not feature rich, it is simple and secure. When downloading your wallet, always make sure to download from a trusted source. A random website serving you Bitcoin Core may have malware designed to steal your coins with it. Barring a breach of the Bitcoin foundation’s servers, you can be reasonably sure that you are getting the software you asked for from their site. If you are using an older version of Bitcoin-QT, it is good practice to keep your software up to date and install the latest version of Bitcoin Core.

When using Bitcoin Core, the first step to securing your wallet is to use the encryption feature in the wallet. This can be accessed from Settings > Encrypt wallet.

Choose a strong passphrase that you will not forget. If you forget this passphrase, you have effectively lost your bitcoins. This feature encrypts your private keys and prevents bitcoins being sent from your address without an authorisation with the passphrase. This means if someone gains physical access to your machine, or an air gapped physical storage, they will be able to see the contents of your wallet, including your address, but they will not be able to steal your coins without breaking the encryption – which is not trivial.

Such a simple feature protects against coin theft, though coin loss presents a far greater risk than theft. So we move on to backing up our wallet. Online storage is far more convenient than physical storage, and less prone to loss. Often these storage solutions are not secure, so when backing up a wallet, an extra level of security is not to be disregarded.

In order to backup your wallet using Bitcoin Core, from the menu go to File > backup wallet.

Choose a save location and save. This creates a copy of your ‘wallet.dat’ which contains your private keys. An extremely secure solution to back this up is to use PGP to encrypt and email the file to yourself. This has a number of advantages, as it obscures the fact that you are even sending a wallet backup, meaning it will be less likely to be targeted by a malicious entity. You can use a keyword in the subject line of the email to make it searchable later, It will automatically time-stamp the email. This is important because right now because you will need to create a new backup if you create a new address within your wallet. If you have mulitple email accounts using PGP, you can automatically have a copy saved in each account.

If you have not yet, but are interested in setting up PGP with your email, you can follow this guide here.

If you do not wish to set up PGP, another solution is to take your wallet.dat and encrypt it with WinRar/Rar. To encrypt a file using Rar, on most machines will involve right clicking on the file and selecting “add to archive”. From here select the Advanced tab, and then Set Password.

As always, a strong passphrase is crucial. Checking the Obscure file names box will increase security by concealing the existence of the wallet backup from any potential attacker. From here you can take this encrypted compressed file and place it in some online storage such as dropbox, or email it to yourself for safe keeping.

Technologically there is nothing stopping cryptocurrencies from changing the world, bypassing the need for conventional banking systems and flouting government regulation of commerce. We just need some great minds to implement this, and we need people to have the confidence to adopt it.

Following these steps is just one way to conveniently access your wallet while at the same time keeping your Bitcoins safe from theft or loss. The future of crytocurrency is predicated on trust and confidence in the system. Over time, better integrated solutions are likely to be developed for wallet security. In the meantime keeping ourselves safe from loss and theft not only benefits us personally, but also creates better confidence in the concept of cryptocurrencies, and ensures a more robust future for these technologies.

Translations for this article:

• Portuguese, Como garantir a segurança do seu bitcoin.

PGP relies on what is called “Public Key Cryptography” to cipher and decipher messages. In times gone by, to send cryptographic messages to a recipient, an agreed upon key or method would need to be shared beforehand. This may have required meeting with the recipient in person to establish the “key” without fear of interception. If an encrypted letter was likely to be intercepted, it is just as likely that a letter detailing a secret decryption algorithm would be intercepted. This situation is clearly impractical in the current state of mass communication across the world with people you cannot easily meet in person.

Public Key Cryptography, or Asymmetric Key Cryptography, is a solution to this problem. First both parties wishing to engage in an encrypted conversation must generated key pairs. Each participant will generate a public and a private key using their PGP software (this only needs to be done once per person). The public key is the cipher. This is the key used to encrypt a message. The private key, which is mathematically related to the public key, is used to decipher the message. In reality, a symmetric session key is generated to encrypt each message. The session key itself is then encrypted with the public key and sent within the message.

How this works, practically,

• Person A shares their public key with Person B.
• Person B uses this key to encrypt a message and send it back to Person A.
• Person A then uses their own private key to decrypt the message.
• Person B‘s public key can be included in the return message or published publicly.

The efficacy of modern cryptography relies on the fact that certain mathematical problems are extremely difficult to solve. Such problems used are Prime factorisation and elliptic curve relationship; knowing this is not necessarily required to effectively use modern cryptography, but it is worth mentioning for those who may be interested.

A good analogy to this would be Person A sending Person B a lock-box with just a padlock, but no physical key. Person B then places a message inside the lock-box and locks it. From that point onward, Person A is the only one able to unlock the box with the key they have in their possession. Using this method, it is safe for anyone to have access one’s public key because all that it allows someone to do is encrypt messages to for that person. Only by compromising someone’s private key or failing to authenticate who you are communicating with will this secrecy and security be readily broken.

Now that there is a basic understanding of how PGP works, we will go through an easy method to implement it in email communications. Keep in mind that PGP will protect the privacy of communications, but not anonymity. An effective eavesdropper will still be able to know that you, Person A, has communicated with Person B. They will only be unaware of what is being communicated.

One of the easiest methods of setting up and using PGP is a browser plugin called Mailvelope. This is what I will be covering in the rest of the article. I suggest this because it does not require the installation of software to the PC, as it runs on the browser platform. This along with the fact that PC Email clients are in declining use is why I think Mailvelope is a worthy option. I will also link my public key and email at the end of the article, if you wish to practice sending and receiving encrypted email.

Mailvelope is currently only available for Chrome. It can be downloaded as an extension here: http://mailvelope.com/

Once you have Mailvelope added to your browser, a padlock icon will appear in the top right next to the Chrome settings button.

Left click on it and select “Options.” From here we need to generate a public/private key pair. This option will be in the left hand menu button.

Input your details in the fields provided. Make sure the passphrase you use is both long and something you can remember. If you forget this passphrase, you will no longer be able to encrypt or decrypt messages using that particular key pair. In the “Advanced>>” section, choose a keysize longer than 1024 bit for future’s sake. Once you have filled in the forms, click “Submit.”

Once you have completed this, go to the “Display Keys” option in the menu. From here you can “Export” your public key. You can choose to send it to another PGP user via email or you can export it as a block of text and shared via other means. Do not give out your private key – ever. Your public key is totally public and can be safely shared far and wide or published anywhere without worry – as promiscuously as you like. All the public key allows someone to do is send a message to you.

In order to send encrypted messages to others, you must import their public key. You can do this by importing an “.asc file” with the public key or copying their public key block. When obtaining someone’s public key, make sure you have, to the best of your ability, ascertained that who you are speaking to is really who you are speaking to.

Now that you have your keys set up and have imported someone else’s public key, you need to know how to send an email.

Open up your email client. Mailvelope comes configured to support Gmail, Outlook.com, Yahoo Mail and GMX. For this Demonstration I will use Gmail:

Go to compose an email. You will immediately notice a new “pencil and paper button” inside the compose box. First enter the recipient and subject, then, once you get to the body of the email, click this “pencil and paper button.”

Compose the email in the box that opened up – this prevents clear text email from being automatically saved as draft by your email provider and potentially compromising the secrecy of your message.

Once you have written your message, click on the “padlock button,” choose the recipient’s public key from the drop-down menu, click “Add” and “Ok.” You then press the “Transfer button” to move the encrypted text back to the compose box. Note that because PGP encrypts your message with a generated session key, then encrypts the session key with the recipient’s public key, it is possible to encrypt a message for multiple recipients.

An encrypted block of text will look like this:

—–BEGIN PGP MESSAGE—–
Version: OpenPGP.js v.1.20130820
Comment: http://openpgpjs.org
wcBMAxLijeXaycuCAQgAl8n4g5ilhHXKoAqawIxn/bT3i8cZ4HP6JxtCZWWM
rzjX75QFffr3U6OSByqpU+DRBmhd2zG0akzkImUqrkVmQbbZv4vqEpQMMwzh
heX+MuZeUCXKAWTCGfcIMbeXKjpuqbuL0F8NkHeAkqFJ8hcMY8aYX3VtaRbQ
oVdL5aPzMbS5kPxjtr1OY93dwy1jV7JvrYgpyuk4wpynfS1AfKpn2lDyCQGH
sTxu6yqrJUDnnYrs0TkgLvkPXueggA8+yw7zDd3iQ5P2VeMWHH7EAUa+gFj7
x/M3DtHsGvfdssiPP35PZrglHCsJGCTZScO+Re1M2IxZtnZNHfDU0V9lhX4i
Q9JQAQlHtm8etEXlyvovsXDfIE2SdKgcj1bgx359V+zZsvPNyOtqfYEuyszM
7i65cEqz9GdLGFusSYSFpespUCHC71zFmaHEGcmUpglLIvvX2W4=
=g9Kk
—–END PGP MESSAGE—–

You can now send your message knowing that if intercepted, it will be unreadable.

When you receive an encrypted email, Mailvelope will detect this and overlay a “padlock and envelope symbol” over it. Clicking on this “padlock and envelope symbol” will prompt you to enter your passkey. Entering this will display the message in clear text for you to read.

Now you should be fully capable of using PGP to encrypt and decrypt emails to and from your contacts.

If you wish to test Mailvelope out and don’t yet know anyone else with PGP set up, I have set up an email account to receive encrypted messages. The Email is: williamsheppard101@gmail.com

My public key can be found on the MIT server: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x12E28DE5DAC9CB82

I will respond to all encrypted emails I receive. Ensure you include your public key in the email.

Below are a number of other tools that are worth noting, if Mailvelope does not suit your specific habits or setup.

EnigMail for Thunderbird mail client
https://www.enigmail.net/home/index.php
A very clean and versatile addon for those who still use local mail clients, once it is set up it is arguably easier to use than mailvelope.

PGP4win
http://www.PGP4win.org/download.html
Comes with a number of utilities, including the certificate manager Kleopatra, which allows you to import and export encrypted messages, allowing you to copy send encrypted messages over other platforms.

GNU Privacy Guard
http://www.gnupg.org/download/index.en.html
For Linux users, GPG can be downloaded from the distro’s repository, or a source package can be downloaded from the website.

GPG Tools
https://gpgtools.org/
A PGP suite for Mac users.

Translations for this article:

• Portuguese, Como usar criptografia PGP para comunicação privada.

O estado requer que a informação acerca de seus súditos seja útil para os resultados desejados. Desde o primeiro censo no Egito, há mais de 5.000 anos, os estados buscaram informação pessoal acerca de seus cidadãos, especialmente em estados tirânicos, onde informantes e polícia secreta coletam informação acerca de qualquer e toda atividade potencialmente subversiva. Na era da Internet e do estado espreitador, agências de espionagem coletam informações acerca de nós que fariam a NKVD de Stalin morrer de inveja — muito dela ingenuamente entregue via mídia social. Quando o estado espreitador será extinto depende do palpite de cada um mas, enquanto isso, quanto menos úteis forem os dados coletados a nosso respeito, menos eficaz será o controle do estado sobre nós. Para ativistas, o uso de comunicação privada ou anônima em países do primeiro mundo poderá ser a chave para evitar prisão preventiva. Em lugares como Síria, torna-se questão de vida e morte.

Inicialmente eu tive a esperança de que empresas como a Google acorreriam em socorro, por meio da implementação de poderosos sistemas de criptografia; infelizmente parece cada vez mais improvável que corporações comprometidas com acionistas e envolvidas com o governo possam criar, eficazmente, serviços da espécie. Embora essas grandes empresas, com seus alentados lucros e seus orçamentos para lobby, estejam provavelmente na melhor posição para revidar ao estado espreitador, são também as que mais têm a perder se não cooperarem ou fingirem cooperar.

A Lavabit, de Ladar Levison, era serviço de email semisseguro. Em agosto, Levison fechou a Lavabit citando ameaças e interferência do governo. Observadores especularam que Levison havia recebido uma Carta de Segurança Nacional exigindo dados de cliente, provavelmente do denunciante da Agência de Segurança Nacional – NSA Edward Snowden. Recentemente deslacrado documento de tribunal mostra ter sido expedido mandado para obtenção da chave do protocolo de segurança SSL do serviço Lavabit. Tal chave permite conexão segura criptografada entre usuário e servidor. Ter acesso a essa chave daria ao governo acesso em tempo real a informações enviadas ao site pelos usuários. Isso, por sua vez, permitiria ao governo coletar credenciais de login e ter acesso a emails criptografados dos 400.000 clientes da Lavabit.

Muito louvavelmente, Ladar Levison resolveu fechar a Lavabit — negando acesso às comunicações privadamente armazenadas dos clientes da empresa. Esse tipo de postura baseada em princípios éticos não é a regra. Levison não tinha acionistas aos quais prestar contas. Ele respondia a si próprio e a seus clientes. Não podemos esperar que grandes corporações tecnológicas como a Google, que projeta imagem pública de estar do nosso lado e em verdade tenta dar divulgação ao intrometimento do governo, efetivamente enfrente o governo quando compelidas por lei. Outras empresas, como a Microsoft, parecem entusiasmadas com colaborar com a NSA e outros órgãos governamentais de espionagem.

Ora bem, o que significa tudo isso para nós? Está tudo contra nós? Não! Temos que tomar o problema em nossas próprias mãos. Há uma multidão de projetos livres e de fonte aberta e padrões abertos para criptografia. Do que entendemos, a NSA tem quebrado criptografia por meio de coerção e subversão, não por meio de tentativas de atacar cruamente os números e decifrar os códigos. Muito provavelmente, ainda podemos confiar na matemática.

Quando um projeto é de fonte aberta, seu código fica aberto para escrutínio. Ele pode ser examinado pormenorizadamente e podemos saber exatamente como faz o que faz. Embora a maioria de nós não tenha conhecimento técnico para examinar o código de programa específico para esquadrinhá-lo antes de compilá-lo, pesquisadores e acadêmicos fidedignos podem fazê-lo e esquadrinhá-los para nós. Portanto, podemos estar cientes de vulnerabilidades em potencial do software de criptografia e saber os limites de suas aptidões. Quando nos comunicamos usando PGP, por exemplo, estamos usando padrão aberto. Não precisamos confiar nossa comunicação a uma empresa que poderá ter sido coagida pelo governo a comprometer nossa privacidade. Com PGP, estamos de posse de nossachave privada e ninguém outro poderá ser forçado a entregá-la. O projeto Tor, por causa de sua complexidade, não é tão claro. Por causa de sua natureza distribuída, há mais oportunidades de vulnerabilidade, mas o projeto é de fonte aberta e suas fraquezas em termos de exploração que dele tire proveito estão documentadas e, portanto, temos como entender seus limites.

As conclusões a que temos de chegar são no sentido de que estamos nisso juntos. Se resolvermos usar serviço de empresa que afirme ser tal serviço seguro, teremos de estar cientes de que o serviço poderá ser comprometido a qualquer momento — não por meio de força bruta, mas mediante força coercitiva. Com software de criptografia de fonte fechada não há como avaliar ou confiar nas afirmações do desenvolvedor. Quando usamos software de criptografia de fonte aberta, podemos tornar-nos conhecedores de suas limitações e usá-lo acordemente.

Segurança na Internet é responsabilidade nossa.

Artigo original afixado por William Sheppard em 26 de outubro de 2013.

Traduzido do inglês por Murilo Otávio Rodrigues Paes Leme.

The state requires information on its subjects to be effective. From the first census in Egypt more than 5000 years ago, states have sought personal information on their citizens, especially in tyrannical states, where informants and secret police gather information on any and all potentially subversive activities. In the age of the Internet and the surveillance state, spy agencies collect information on us that would make Stalin’s NKVD green with envy — much of it naively handed over via social media. When the surveillance state will be dismantled is anyone’s guess, but, in the meantime, the less useful data that can be collected on us the less effective the state’s control of us. For activists, use of private or anonymous communication in first world countries could be key to avoiding pre-emptive arrest, In places like Syria, it becomes a matter of life and death.

Initially, I had hoped companies like Google would come to the rescue by implementing powerful encryption systems; unfortunately it seems less and less likely that corporations beholden to shareholders and intertwined with government can effectively and securely create these services. While these big companies with their large profits and lobbying budgets are probably in the best position to fight back against the surveillance state, they  also have the most to lose if they don’t play along.

Ladar Levison’s Lavabit was a semi-secure email service. In August, Levison shut down Lavabit citing government threats and interference. Observers speculated that Levison had received a National Security Letter demanding customer data, likely that of NSA whistleblower Edward Snowden. Recently unsealed court document show that a warrant was issued for the private SSL key for the Lavabit service. This key allows a secure encrypted connection between user and server. Having access to this key would give the government real time access to information being sent by users to the site. This in turn would allow them to scoop up log-in credentials and access the encrypted emails of any of Lavabit’s 400,000 customers.

Much to his credit, Ladar Levison decided to shut down Lavabit — denying access to the privately stored communications of its customers. This sort of principled stance is unexpected. Levison didn’t have shareholders to answer to. He answered to himself and his customers. We cannot expect large tech corporations like Google, who put forth the public image of being on our side and actually attempt to publicize government intrusion, to actually defy the government when compelled by law. Other players, such as Microsoft, appear to be enthusiastic in their collaboration with the NSA and other 3 letter agencies.

So what does this all mean for us? Is it all doom and gloom? No! We have to take this into our own hands. There are a multitude of free and open source projects and open standards for encryption. From what we understand, the NSA has broken encryption through coercion and subversion, not by raw attempts at bashing away at the numbers and cracking the codes. Most likely, we can still trust the mathematics.

When a project is open source its code is open to scrutiny. It can be vetted and we can know exactly how it does what it does. While the majority of us do not have the technical know-how to look through the code of a specific program to vet it before compiling it,  trusted researchers and academics can and do vet these for us. Thus we can be aware of potential vulnerabilities of encryption software and know the limits of its capabilities. When we communicate with PGP, for example, we are using an open standard. We do not need to trust our communications to a company that may have been coerced by government to compromise our privacy. With PGP, you are  in possession of your private key and no one else can be made to hand it over. The Tor project, due to its complexity, is not so clear cut. Because of its distributed nature, there are more opportunities for exploitation, but the project is open source and these potential exploits are documented so we are able to understand its limits.

The conclusions we must draw is that we are in this together. If we decide to use corporate service that claim to be secure, we must be aware that they could be compromised at any time — not through brute force, but coercive force. With closed source encryption software, there is no way to evaluate or trust the developer’s claims. When we use open source encryption software we must make ourselves aware of its limitations and use it accordingly.

Internet security is our responsibility.

Translations for this article:

• Portuguese, Segurança Na Internet É Responsabilidade Nossa.
• Italian, La Sicurezza su Internet È Responsabilità Nostra.

With the ever expanding surveillance systems being employed in the United States and around the world, the ability to use the internet anonymously is becoming increasingly important, especially for activists, or anyone who is not okay with your Search Engine provider, ISP (Internet Service Provider) and your government knowing everything about your internet use. Here, I will go into brief detail about the technical aspects of Tor, give reasons why you should use Tor and finally guide you through the installation of the Tor browser and how to contribute to the network by setting up a relay.

What is Tor?

Tor, formally an acronym for “The Onion Router“, is a distributed proxy network designed to provide anonymity on the web. Much like a VPN (Virtual Private Networks). Tor encrypts your traffic and bounces it through a number of relays before arriving at it’s destination. Preventing third parties from being able to see what you are sending through the network, and where your traffic initially came from. Tor can also be used for servers, to anonymize the physical location of websites, and those who visit them.

How does it work?

There are a number of very in depth resources that explain in a lot of detail how the network works, this is not that. This is a brief guide to introduce you to the concept of onion routing, and if you wish to learn further, there will be a number of links included.

When you attempt to contact a website using the Tor Browser, the Tor client randomly selects 3 nodes from the network. The client then encrypts a message to be sent to the final recipient (e.g a website you want to visit). The encrypted message is sent to the first node, the first node then peels off an initial layer of encryption, revealing where to send the message to the second node, this process is repeated until it reaches the third and final node, also known as the “exit relay”, where the message is unencrypted and sent to the final recipient. The effect of this is to obscure your IP address from the destination server by providing multiple barriers between you and the server. Keep in mind however, personal information that you choose to give to a website, such as in a sign up form, is treated like any other data by the website, it can be looked at by an administrator, or subpoenaed by Law Enforcement, Tor works most effectively if you keep your information private as well as anonymous.

Why should you use it?

Increasingly, governments around the world have become preoccupied with what is known as Total Information Awareness, the ability to track every piece of digital information that we create: financial transactions, instant messages, email, web history, etc. This information can be used to intimidate, harass, or even jail dissidents, journalists and those who may pose some form of nuisance to the government. Many nations have strong controls on what people can search for and view on the internet. Tor allows for the bypassing of these filters, and has been especially useful in Iran, a nation which enjoys extremely high usage of the Tor network.

In the short term, there is little we can do to stop this encroaching surveillance state. But we are able to protect ourselves and others by obscuring as much data as possible. Tor is one such solution. The more people who use Tor, among other things, to browse the web, when they feel it necessary, the less useful our data will be to the government. The more of us who run relays for the Tor network, the faster the system will function for those who need to use it.

Setup

In recent times, attention has been paid to making the use of Tor extremely easy for the less technically proficient, with minimal setup required. The Tor browser bundle can be downloaded from here:

• https://www.torproject.org/download/download-easy.html.en

This will install the components needed to use the Tor network, including a modified version of Firefox specifically configured for Tor and Vidalia, a graphical front-end that will allow you to configure your Tor settings, including setting up a relay to contribute to the network.

If you do not feel the need to use the Tor browser on your system, but wish to set up a Tor relay, the package can be downloaded by following this link, choosing your operating system, then choosing the Tor Relay Bundle. This will be especially useful on desktop computers, or dedicated computers that run constantly. While a temporary relay does not harm the network, a permanent one is much more useful. When you run a relay from your system, you will be making the Tor network larger and faster. By adding a node, you make the network more distributed, providing for more robust anonymity. You are also spreading the traffic load, increasing the speed of the network.

The Tor Relay bundle can be downloaded from here:

• https://www.torproject.org/download/download.html.en – Choose your operating system, then “Tor Relay Bundle”.

Setting up the browser is simple, just download the file, extract it to the folder of your choice, then click the “Start Tor Browser” in the folder. Vidalia should start to run, and once it is connected to the network, the browser will open and will notify you if you are successfully running Tor.

If you wish to run a relay along with the browser, go to “set up relay” in Vidalia and check “relay traffic inside the Tor network (non exit relay)”, set how much bandwidth you wish to donate and you are good to go.

If you have installed the relay bundle, the relaying option should be set up automatically, and Vidalia will attempt to run whenever you boot your computer. You may wish to run as an exit relay, but do so at your own risk. If you run as an exit relay, your IP will be what the destination websites see when someone uses your relay, the traffic runs unencrypted from your connection to the destination, and if someone is using Tor for less than savory purposes; spamming, Wikipedia vandalism, child pornography, etc. You run the risk of having your IP banned from many websites due to actions of others, have your computer seized or even be arrested by law enforcement. If you wish to run an exit node, please follow this guide from the Tor Project to mitigate the risks involved. I must emphasize however, these are not issues if you run a relay inside the network, as all traffic you send and receive will be encrypted.

I hope this guide has been useful and convinced those not already using Tor to give it a try. If you do set up a relay, please let us know in the comments section.

There are further resources available for a more in depth look at:

• https://www.torproject.org/docs/faq.html.en
• https://www.torproject.org/dist/manual/short-user-manual_en.xhtml
• https://trac.torproject.org/projects/tor/wiki

As an anarchist, I’m a big fan of competing currencies, especially competing freed-market currencies not issued by, or subject to direct manipulation by, states. The reasons for that should be obvious: If government can’t supervise and control the flow of money, it gets a lot harder for it to steal (“tax”) part of that money and spend it on killing and enslaving people. So Bitcoin made quite an impression on me, and I’m still sold on it.

One issue I’ve come around on is the absence of commodity backing. In the past, I’ve been of the opinion that to be sound a currency should actually represent a pile of some scarce, homogeneous material (e.g. gold) that’s valuable for other purposes in addition to constituting a convenient medium of exchange.

The problem with commodity currencies, though, is that those piles of material have to be physically stored. They’re vulnerable to roving gangs of thieves, including but not limited to government “law enforcement” agencies. More than one commodities-based currency has been shut down, or at least yanked into government regulatory schemes, by the scruff of its neck.

Bitcoin is just bits of data; it’s created by the process of crunching the numbers involved in exchanging it. That drives commodities-based currency aficionados nuts: No pile of gold in a vault. But it also represents a kind of security: No number of jack-booted thugs can break into the vault and take the stuff backing the currency, because there IS no stuff backing the currency. And because the generation and exchange of Bitcoin is distributed and peer-to-peer, governments would pretty much have to shut down the Internet to put a stop to Bitcoin commerce.

Said commerce, however, is not completely immune to government intrusion.

Internet services that facilitate the storage and use of Bitcoin may be vulnerable (and indeed some are trying to “go legit,” or else shutting down in the face of government threats).

Contrary to popular belief, Bitcoin is not inherently anonymous. In fact, every last Bitcoin transaction is transparent and publicly viewable. You can use Bitcoin anonymously, but it takes a little work: Don’t keep your wallet at one of those vulnerable services, generate new addresses for each transaction, anonymize your IP address or work from public Wi-Fi connections, etc. And help is on the way: The good guys are working on ways to make Bitcoin commerce more private and secure.

So, why the “boom and bust?” The main reason is that Bitcoin’s user base is still fairly small: “Buy low, sell high” traders constitute a large portion of that base and thus have a big effect on price when they decide to take profits, or panic, or sit on their stacks. There are “forex” markets in all currencies, of course and the relative values of those currencies fluctuate, but not as much, because for every day trader bouncing back and forth between dollars and euros and yen, there are hundreds or thousands of people using dollars, euros and yen as money to buy cars, concert tickets and bags of potato chips with. As Bitcoin’s user base grows, and as the proportion of people using it as a medium of exchange grows versus those treating it as an “investment” to grab low and dump high, its valuation will probably stabilize quite a bit.

Is Bitcoin the end of political government? No, but it’s part of the beginning of the end of political government. Hang on. It’s going to be a heck of a ride.