Sunday, January 30, 2011

The Government Has Shut Down the Internet – Part Three

Sure, You're Paranoid, But Are You Paranoid Enough?

Before we start, and in keeping with the subtitle, there's something I neglected to mention.  When you get your amateur radio license, you are given a call sign by the FCC, which you are required to identify your transmissions with.  The amateur community is a very open community, and often use their calls on everyday postings and all sorts of places.  Your call, though, is in a national database, and with websites like QRZ.com and several others, if someone has your call, they have your address and even a satellite photo of your house, with no additional research required.  This isn't entirely new: the concept of getting an address for anybody's call dates to the earliest days of ham radio when “callbooks” were published.  These were alphabetical listings of every ham in the US (or the world) with a mailing address.  Usually their home address.  Nowadays, instead of phonebook-like compilations, callbooks are published on CD ROM and sold at every hamfest.  Many hams, especially newbies, use this to send each other confirmation cards when they talk to each other on the radio. 

Likewise, hams are well known for sitting on the air in discussions with people and telling each other they're going away for a while or other personal details.  While the guy on the other end is probably not an issue, anyone with a radio can listen in on what you're saying.  I'm not sure that it has happened, but it would be simple enough for criminals to get a scanner, hear a local say he's going on vacation, look up the call, get the address and come rob the place while the ham is away. 

With that out of the way, let's get to today's big topic, privacy. 

Would you leave your bank account number lying around?  How about your credit card numbers?  Would you send an email to someone with all of these numbers?  How do you protect that information online or on a radio network when you can't very well put a thick envelope around it? 

Welcome to the world of encryption.  People tend to talk about “secret codes”, the stuff of spy movies and books, but encoding something is not the same as encrypting it.  The root word in encryption is crypt, or hidden.  When you encode things, you simply change their language; when you encrypt something, you attempt to hide its meaning.  For example, any language is a coding of symbols, and in typing this, I'm encoding my thoughts into a computer code (ASCII) that can be read on your terminal.  The difference is subtle, but it matters - especially in legal context.  Some systems prohibit encryption, or “non-standard” codes.  I could transmit the phrase, “the wheat is ready for harvest” in plain English to someone who knows that I mean, “I've planted the evidence” and it is encoded, not encrypted.  If, instead, I told them, “516EE75994BA0DC137BE1074E46CB27D069C39A4” and it means the same thing, it has been encrypted. 

The most popular and effective encryption system available to the public is PGP, or “Pretty Good Privacy”, a program developed in the early 1990s by Phil Zimmerman, and that has started an informal open source product line.  The program (as is all modern cryptography) is based on mathematical operations on the text to be encrypted.  Consider that string of numbers and letters in the last sentence in the previous paragraph.  Every two characters can represent a letter in the computer's text.  I don't want to get into a long description here, I want this to be more “how to use it” than what it is, but these systems use two keys: a public key and a private key.  When I send a message to someone I need their public key and my private key.  To decode it, they need my public key and their private key.  With those two numbers, they can get the plain text back. 

PGP is available as a Windows program, a DOS program, MacOS, and others at  http://www.pgpi.org/products/pgp/versions/freeware/   The problem with PGP is that it has become a brand name and in order to maintain their proprietary name, there are problems with the older versions (free versions) reading files encrypted by the newer versions.  My recommendation is to use the open source program, the Gnu Privacy Guard, Gnu-PG or GPG,  which generates encrypted files compatible with PGP.  If you insist on using PGP by name, the MS-DOS version on that PGPI.org web page, version 2.6.3i, seems to be the best version to use.  Even that website is recommending the Gnu-PG program for all other Windows or DOS versions.  If you have problems with that site for any reason, Gnu PG is at http://www.gnupg.org/download/  or http://www.gpg4win.org/

If you are truly, truly paranoid, you will want to get the source code, inspect it yourself – to make sure no one has left a “back door” into the code – and compile it yourself.  If you're less suspicious, or couldn't tell by reading the source code if had been broken, you'll either use code from a trusted friend or other “open” source or buy it from a trusted source.  You see, there are always limits to how secure you can be, and always limits to whom you trust. 

The idea behind the name “Pretty Good Privacy” is that there are many ways to ensure privacy with all sorts of layers of protection.  This is just one.  It has been estimated that if every computer in the world was employed to decrypt a PGP message encrypted with a long key, it would take longer than the age of the universe.  There is talk that the quantum computing just now coming on line will render this obsolete, and quantum encryption will replace it.  We tend to think in terms of how hard it is to break the encryption.  Remember that it's easier to break the person who encrypts it.

From the inimitable XKCD.


So how do you use it?  The details of exactly how you install and run the program will vary with the system you have and the program you choose. 
Quick Start: http://www.cs.rutgers.edu/~watrous/pgp.html
User's Guide: http://www.cs.rutgers.edu/pgp/pgpdoc1/pgpdoc1.html
For Ubuntu Linux users: http://ubuntuforums.org/showthread.php?t=680292

To see what it's like, I downloaded the zipped file from http://www.gnupg.org/download called “GnuPG 1.4.11 compiled for Microsoft Windows” (down the page, under "binaries").  This is a windows installer for program that works from the command line.  If you install this with the defaults, it goes into a location in your main drive’s Program Files folder, generally c:\Program Files\GNU\GNUPG  If the term “command line” is something you’ve never seen, it's  MS-DOS in 2011.  There are Windows-only versions, at GPG4Win.  Which ever way you go, your circle of friends needs to run the same program, but I’ll assume you want to use the free, widely compatible Gnu-PG.  In XP, go to the start menu, choose run, then type in “command.com” (no quotes).  You’ll get a window that opens with a command line prompt, something like C:\DOCUME~1\NAME> where “Name” is your user name on your computer.  From there, you'll navigate to the \GNU\GnuPG directory to run the program. 

An alternative that I haven't tried is the GPG4Win package http://www.gpg4win.org/  that seems to be more Windows-based and a donation-based funding.  As I am running Linux almost exclusively these days, I haven't tried to duplicate my efforts with GPG in Windows.

There are excellent online help sources that realize this is a whole new world to a lot of people.  They explain what you’re doing and why, and then show how to do it.  See http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html for a good step by step tutorial for how to actually do the various tasks.  It is a little awkward at first, but not bad once you’re used to it.  Essentially, you will run the program to generate a pair of keys, one that is secret, meant to be on your computer only (with a back up somewhere safe) and one that is shared publicly.  You give your public key to your friends and people you want to communicate with.  If you’d like it to be available to anyone who might want to talk with you, there are open repositories for your public keys, and since they are plain text, your public key can even be provided with the email you’ve encrypted.  To send a message or file to someone, you need each others’ public keys.  It is encrypted with your private key and they decrypt it with your public key. 

The most common use is probably for email.  There are plug-ins for mail programs that automate the task.  Thunderbird, the free email program from Mozilla, the group that gives away Firefox, has a program called EnigMail available for it that will automate the process with simple choices from a pull down menu.  If your mail program doesn’t have a secure plug-in, the most direct way is to write the email in your mail program, then cut and paste it into a text file with Windows notepad or other plain text editor.  Next, encrypt the plain text file, then cut and paste the encrypted text (usually in another file) back into your email program.  When you receive an encrypted email the process is pretty much the same.  Copy the text out of the email into a text file.  Decrypt it, which will write the output to another text file.  Then just read the plain text. 

Here's an example.  I took a paragraph from above and using my (double secret) home email address sent it to the graybeard address on the right sidebar.  The message I sent started out like this:
The idea behind the name "Pretty Good Privacy" is that there are many
ways to ensure privacy with all sorts of layers of protection.  This is
just one.  It has been estimated that if every computer in the world was
put to use to decrypt a PGP message, it would take longer than the age
of the universe.  There is talk that quantum computing, just now coming
on line will render this obsolete, and its encryption will replace it.
After encryption with my home private key and graybeard public key, it looked like characters chosen at random:
-----BEGIN PGP MESSAGE-----
Charset: ISO-8859-1
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla  http://enigmail.mozdev.org/

hQEMAy2GgGPnGxJkAQgAj6Ot4HjETZFTsGtYCzt4RZDeZa31nKkYnG0n1Fuhz7ywJmbB5+YOck+mVBr9Ua25nQIFwu45vHhvi+S3Hv21npNAs6WzCKXXNQ/NGxSQEbwwNfsVk1RQ3DCOjo5DtmrSvxWagV7e+d1fDPkV9u+qq+j1RqYIbwMv0kMn6ZywK2XDzc+P9ri7VWgLI8gVVg7YLxKhSF9JDcoioz80fJrFbUOtVni59JS2YsWnC0APt0WnLclgX+gnAWOfWFL6JcbQWxGpHeAMrD2C2l8gsMZxdFb8dDv0QN6oajCJMeVPWm7ondzFDp7qAVWdJ6T6RqCnwsAs4IjE6/w69DZ7COhYvIUBDAPwYWQt4FFuxgEH/1kFZps+NJmiiMvPW9olaEZEjhR2EKy15gSKH2DO99cOcGueXPQ2B1DLEtzENRjJ2miuu4yKwBjCXrX4+Cnimb+DZVX9poPlh17bL+lSpOpnvpkiKgRnxAClTWRIkSWEH+D4Wty/OpwE2NMN+btqtpUSneFhlGOmy+mJ2alWeW7MO/hAGm7OpRaYSg5fIjymRAuxSSjhi3TvUf3BmcLEY/fqOYwzlGCE7NHGHvdwoRMDozFfPjbIML2mOoG2klWyZ38ztmeH8WOWM4Ty0pvpYfq2DwHZfhyktsWfFx4A7Edh7IOCD8pXzsetFfSwPABuJuj1u2wF0zIWAE0AGm6SMX92w7ig0qx2rOLllDdqdawtWcwD87nyzAVokWAaWNDC/5aAGxqw5ggKVJkPJ3g91WNKEAqzRyy8PfapkRjboUafMkIHcq3lFYQC7Et0icIoY6AfyGSC79rNPsZx5mTDmCLsnbHd/6nK8UTYluyplrurfkh+wMh2JJ0IaOzup12R5F3nYbgeu0oUWpB/zhVEQtH67U+82b/SdPW9b8aQSieattuh/Ndhecu0md8PW1iLGW6h8NTeAs7v8ZzkFXD/o2sWgE5iAccFtclM/by1aTjul16zcVtJcI/CoBWO4OUlkldAT3Ora6Y7UfDM0oxIGncbWPjkPJ3OURim8f2a2dNsALWkH1+j
F7X6wHZ486DD/3wdLWAdEFg=

=fRa
-----END PGP MESSAGE-----
 
When I got the email at gmail, I copied the encrypted text into a plain text file, saved it, then ran GPG from the command line in Linux.  It asked for my passphrase, then the name of a file to send the result to.  The result was the starting text. 

If you are sending messages to friends over a packet radio network, there are file transfer protocols that allow you to send files.  Encrypt the plain ascii text file before you send it.  If you need to get text files to someone by dropping USB sticks somewhere, encrypt them.  Anytime you would want to put something in an envelope is the time to encrypt. 

This is, and can only be, an introduction.  Don't be intimidated about starting down this road, it's harder to explain than to do.  In my mind, it's easier to do this than many tactical tasks.  In the end, you'll have a secure means of communicating that is more secure than the https secure protocols used for banking on the web, and something to fall back on if the main methods of communication go down. 

3 comments:

  1. That XKCD is awesome. Marcus Ranum says he keeps all his private keys short so he can scream them out faster ...

    ReplyDelete
  2. Ah, so you insist on appealing to my geeky side, eh? Seriously, this is an awesome series. I'm going to have to print them out for use as reference material in the future. My father-in-law is a ham and I've considered getting into it myself as it does appeal to my EE background (and I even made an A in Electromagnetic Fields years ago so I kinda understand it a little).

    Of course, I've been consuming myself with reloading stuff lately so until I get that hobby firmly in hand the radio stuff will have to wait. Now the encryption is worth looking into. I've imported quite a few public keys in my linux meddling but I'd never taken much time to figure out exactly what they were. I guess its time to find out. ;)

    Thanks!

    ReplyDelete
  3. Heh heh... just seeing if I can recruit more to the dark side.

    Glad you liked the series. It ended up being more work than I thought it would be. Took most of my time this weekend. Since I was mostly sitting around on a heating pad for a sore back, no big deal. And if a security guru like Borepatch doesn't have anything negative to say, I'll have to claim it as a Win...

    I've gotta say, I've been interested in radio since I was a little kid, and even though I design radios for a living, it's still magical to sit in your house and talk with people on the other side of the world with the output power of a desk lamp and a piece of wire hanging off a tree for an antenna.

    ReplyDelete