Safe communication PowerPoint presentation
Uploaded by leonardoleno
Safe communication for activists
How to prepare an action safely without leaking information
Overview
Focus of today : prepare actions without information leaks
Concentrate on cell phones and email
1. Most common information leaks : overview
2. Telephone guidelines : keep it practical
3. Email : how to encrypt your email and how it works
Drawbacks of advancing technology
Data storage hardware has become much cheaper during the last decade
How much do you pay for a 500 GB hard disk ? How much did you pay for 5 MB in the eighties ?
Data mining hardware is much cheaper
Data mining software is getting more advanced
Monitoring ”less important” action groups becomes less costly
Investing hours in preparing an action and then arriving at the moment of action to find everything blocked is an experience most of us would like to avoid
Audio tapping without equipment installed inside
SOURCE : BBC Website
Standby troubles
Outsiders can mess with your phone
Cell phone companies are reluctant to give information on :
  Standby modes (alarm clock)
  Privacy : what they pass on to intelligence agencies
  Encryption : is non open source and known methods are cracked easily
  Special features : standby modes (software and hardware implementation)
SOURCE : BBC Website
Evil cell phones
Your communication is easily captured
Your location is easily determined up to 20 – 100 m
”Switched-off” phones are technologically capable of sending information
Your social networks become more visible (you are calling some people from certain locations)
Cell phones with the batteries removed or acoustically isolated phones behave nicely
Conversation tapping
It is not necessary to put a receiving antenna in the neighborhood of your cell phone
Calls are routed through centrals
No battery : no energy : no waves : no leaks !
”Switched off” does not always mean switched off
Sort of standby state : a trigger signal can reactivate your phone : you won't notice it when it is happening
Ardito case : judge's memorandum opinion stating tapping is allowed even when phones are switched off
Siemens patent : reactivating cell phones in case of emergencies
The Ardito case
<<The government applied for a "roving bug," that is, the interception of Ardito's conversations at locations that were "not practical" to specify, as authorized by 18 U.S.C. § 2518(11)(a). Judge Jones granted the application, authorizing continued interception at the four restaurants and the installation of a listening device in Ardito's cellular telephone. The device functioned whether the phone was powered on or off, intercepting conversations within its range wherever it happened to be.>>
United States District Court, S.D. New York.
UNITED STATES of America, v. John TOMERO, et al., Defendants.
No. S2 06 Crim. 0008 (LAK).
Nov. 27, 2006.
MEMORANDUM OPINION
LEWIS A. KAPLAN, District Judge.
The Siemens patent
<< ... This activates an emergency call routine. The emergency routine comprises the following steps, which are partially optional: 2. In case the mobile is switched off it may activate the mobile. In case or as soon as the mobile is switched on, a module for broadcasting over the emergency network, that may operate on frequencies distinct from those of the cellular communication network, is activated. This activation can be done optionally also regardless of the possibility to establish a connection to a cellular communication network. ...>>
http://www.wipo.int/pctdb/en/wo.jsp?IA=EP2002012292&DISPLAY=DESC
Software ”roving bugs”
<< Nextel and Samsung handsets and the Motorola Razr are especially vulnerable to software downloads that activate their microphones, said James Atkinson, a counter-surveillance consultant who has worked closely with government agencies. "They can be remotely accessed and made to transmit room audio all the time," he said. "You can do that without having physical access to the phone." >>
http://news.zdnet.com/2100-1035_22-150467.html
Network mapping with cell phones
Prepaid calling doesn't help when they want to relate who you are calling
Unless everyone in a group changes cell phones and SIM cards, relating the calls of the group is easy. What is needed is :
A person monitoring locations / calls / SIM / telephone numbers
A person looking in the database of previous monitoring reports and using software to link information
It needs time and resources to do so
Your cell phone reveals your location
Triangulation : three base stations record your distance to the stations → geometry → your position is known up to 20 – 100 m
Distance measurement is part of standard working procedure of cell phone technology!
If quite some cell phone users are crowded near a suspect location → maybe it is interesting to have a look there
Simultaneously switching off your cell phones might be giving away important information too
DIY-ers : beware of pitfalls
Faraday cages : a completely sealed metallic box must be sealed really well →
  Minor wave leaks are sufficient for cell phones to do their job anyway
  Metal cookie boxes are leaky as can be
Loud sounds next to cell phone : if sound is ”structured”, then removing your ”noise” is done in a second :
  Loud music : doesn't work (even chaotic death metal)
  Loud machines : don't work
Cell phone guidelines
Don't use a cell phone unless you really have to
Think of the eighties !!
Prepare your action some time earlier, which gives you time to drop by and enjoy real company
When having a meeting :
  Remove battery or store cell phones in an adjacent room from where you normally cannot overhear the meeting (then no sound can be picked up by the microphone and only noise can be sent)
When going to your action location :
  Remove battery of cell phones and leave phones switched off until the very start of the action
Email issues
Intercepting email conversation is really easy
The only robust way to prevent leaking information by email, is good encryption
Before sending your email, you convert it in something undecipherable
One or more keys :
  Encrypt your email : make it unreadable
  Enable you to decipher encrypted emails
Encryption
Transforming your email into unreadable cryptic writings : you need a secret code
1. Message : ”action”
2. Code : one letter further up the alphabet
3. Encrypted message : ”bdujpo”
4. Decryption : one letter back down the alphabet
5. Decrypted message : ”action”
THE ENCODING PROCESS IS REVERSIBLE
IF SOMEONE KNOWS THE CODE SHE / HE CAN DECRYPT
Symmetric encryption
Sarah has to walk to Tom and give him the encryption key
Not practical : sometimes the key is sent over the internet, which is not safe in most cases
If someone intercepts the key, your conversations are compromised
[Diagram : SARA, TOM, THE EVIL INTERNET]
Sara sends an email to Tom with asymmetric encryption
Sarah encrypts her email with Tom's public key, which everyone can download from the internet and she sends the encrypted mail over the internet
The encrypted email can only be deciphered by Tom by using his private key. His private key doesn't leave his personal computer and is protected by a password
[Diagram : SARA, TOM, THE EVIL INTERNET, PUBLIC KEY, PRIVATE KEY]
Now wait a minute !
If everyone knows the public key, how come nobody can decipher Sarah's message? After all, it was the public key Sarah used to encrypt the message.
Public encryption must be irreversible !!
Tearing paper into small pieces, burn 'em, throw ashes in the sea
One-way trapdoor (turn back the time) function
All mathematicians on earth are smarter than intelligence agencies ?
Are you really sure it is impossible to derive Tom's private key when you know what his public key is ?
You can only do this by solving a VERY difficult mathematical problem
Factorization problem of a product of very large primes
All mathematicians on earth are smarter than intelligence agencies ?
A bit of mathematics (two slides only – don't run away ... yet)
2 . 2 . 2 = 2^3 = 8
(2 . 2 . 2) . (2 . 2 . 2) = (2^3)^2 = 2^(3 . 2)
5 = 19 mod 7 because if you try to divide 19 by 7, there is 5 left over (19 = 2 . 7 + 5 )
A prime is a natural number (1 , 2 , ...) greater than 1 whose only divisors are itself and 1
1. Choose two large distinct prime numbers p and q
2. Compute n = p q
3. Compute f = (p – 1)(q – 1) : Euler's totient function
4. Choose e such that
   1 < e < f
   f and e share no other factors than 1 (”they are coprime”)
5. Determine d such that : d . e = 1 (mod f)
Public key : (n, e)
Private key : (n, d)
Encrypting the message
Convert a text message into a number M
Sara encrypts her message M : she sends the undecipherable text c = M^e (mod n)
Tom recovers the message by calculating : M = c^d (mod n)
Why does this work ?
Since e . d = 1 + k . f (by step 5)
M^(e . d) = M^(1 + k . f) = M . (M^k)^f = M (mod n)
Last step follows from Euler's theorem (see step 3)
You really need d (part of private key) in order to decipher the message
You can only derive d if you can find the original primes p and q
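Added example (not part of the original presentation) : the five key generation steps and the encrypt / decrypt formulas above, run in Python with small constructed primes (p = 61, q = 53, e = 17). The function names are made up for this illustration; recover_private_key shows that d stays secret only as long as n cannot be factored.

```python
# Added example: textbook RSA following the slides' steps 1-5.
# Toy primes only; real keys use primes of about 1024 bits or more and add random padding.
from math import gcd

def make_keys(p, q, e):
    """Steps 1-5: return (public, private) = ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                      # step 2
    f = (p - 1) * (q - 1)          # step 3: Euler's totient of n
    if not (1 < e < f) or gcd(e, f) != 1:
        raise ValueError("e must satisfy 1 < e < f and be coprime with f")
    d = pow(e, -1, f)              # step 5: d . e = 1 (mod f), needs Python 3.8+
    return (n, e), (n, d)

def encrypt(M, public):
    n, e = public
    if not 0 <= M < n:
        raise ValueError("message number M must be smaller than n")
    return pow(M, e, n)            # c = M^e (mod n)

def decrypt(c, private):
    n, d = private
    return pow(c, d, n)            # M = c^d (mod n)

def recover_private_key(public):
    """What an eavesdropper has to do: factor n into p and q, then redo step 5.
    Trial division is instant for a toy n and hopeless for a 2048-bit n."""
    n, e = public
    p = next(k for k in range(2, int(n ** 0.5) + 1) if n % k == 0)
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))

if __name__ == "__main__":
    public, private = make_keys(p=61, q=53, e=17)   # constructed toy values
    c = encrypt(65, public)                          # 65 stands for the message number M
    print("public:", public, "private:", private)
    print("ciphertext:", c, "decrypted:", decrypt(c, private))
    print("key recovered by factoring n:", recover_private_key(public))
```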
PGP : pretty good privacy
PGP encrypts every new message with a new symmetric key (session key)
The symmetric key is encrypted with asymmetric encryption (public and private keys)
Some precautions are taken to make it impossible to guess the keys from monitoring multiple emails (adding random nonsense)
Open source software (OpenPGP) gets updated regularly and takes mathematical pitfalls into account
Getting PGP to work on your computer
www.openpgp.org : the developer's website but maybe too much information and too techie
http://enigmail.mozdev.org : Enigmail is a pgp plugin for Mozilla Thunderbird email program
Click on ”Quick start guide”
  STEP 1 : Install GnuPG on your platform (Mac/Linux/Windows)
  STEP 2 : Install Enigmail
The first time you use pgp, the program itself guides you through the setup
Take your time to get used to pgp !
Pgp functionality in Thunderbird
Thunderbird after installing the plugin
PGP/MIME makes encrypting attachments easy
You have to know whether the recipient uses MIME too
Pgp Preferences
Account settings
Some considerations
Use a separate email address with a good email client to use pgp
You check ”always encrypt messages” : avoid sending unencrypted mails by accident
Look for your friend's key on a keyserver
  OpenPGP → Keymanagement → keyserver → search for keys
Make your own key available for your friends :
  OpenPGP → Keymanagement → right click your key → upload public keys to keyserver
PGP : concluding remarks
A lot of PGP workshops are being given, but still not a lot of people are using it
If you are a good computer DIY-er :
  Take your time to install PGP
  Allow yourself some practice time
  Read this presentation for tips and tricks
If, in your opinion, computers are annoying machines that never do what they should do, then :
  Ask someone who is already using pgp
  If it is installed, and you played around with it a bit, it becomes second nature
  If you are a group of people, have a techie come over and install it on your computers
Use safe passwords
All passwords of less than 6 characters are unsafe, use at least 8, 10 is even better
Brute force attacks (trying every possible password – with some good starting guesses) are more successful than ten years ago
Easy to remember passwords are easy to crack
Difficult to crack passwords are difficult to remember
Use a lot of characters (8 - 10), and use a large set of characters (AaBb94-+:!)
Example : three letter password : 26 . 26 . 26 = 17576 vs. 256 . 256 . 256 =16777216
Solution → ”code” your password
Easy to remember and difficult to crack passwords
1. Invent a code (here is an example, but invent your own)
   a → 6
   i → 1
   o → Q
   t → +
   l → /
2. Invent a ”special rule”
   The third symbol is always ”:” and at the end I add : ”{-}”
Appelboom → 6p:e/bQQm{-}
Lappersfort → /6:persfQr+{-}
Queerilla → Qu:er1//6{-}