Tag Archives: encryption

Privacy Rights (part 1)

1 Reply

I don’t know if I’m really allowed to mention it, but it turned out that my recently-deceased brother worked for MI6 …which puts him in the same company as James Bond, though I was reliably informed he was never a field agent himself. He simply ran agents from a London-based desk… which nevertheless puts the sort of stuff I do in perspective! It was a little surprising to discover just how private he’d kept that part of his life: you think you’d know, especially about your own brother; but he was very careful to ensure we didn’t.

I mention this now because this fact has combined with a few recent and not-so-recent news stories to give me considerable concerns over security matters when it comes to personal computing.

I give you, for example, the Australian Government’s proposal to mandate compulsory filtering of all internet connections, preventing anyone from accessing material which has been “refused classification”. Whilst child pornography quite rightly warrants an “RC” assessment, the plan was also to have prevented anyone from accessing information about voluntary euthanasia, anything someone had complained was racist, or anything to do with the (perfectly legitimate) politicians of the Sex Party. Or any information that promoted any crime -and what constitutes a crime can vary more or less at the government’s pleasure, of course. So this was dangerous legislation with an in-built tendency to be the thin end of a steeply-sloping wedge. Fortunately, the Australian Government has now backed away from this proposal and opted for a much more norrowly child-porn-focussed blacklist produced by Interpol. I still have concerns as to how exactly Interpol -which counts Syria, Zimbabwe and Cuba as members- decide what to go on the blacklist, but at least it’s not subject to one government’s whims or moral panics.

However, the Australian Government is now proposing that ISPs retain data about their customer’s online activities for 2 years. The scope of what data is to be retained is (naturally!) vague: “information about the identity of the sending and receiving parties and related subscriber details, account identifying information collected by the telecommunications carrier or internet service provider to establish the account, and information such as the time and date of the communication, its duration, location and type of communication”… but that sounds pretty broad to me. The idea has yet to be turned into law and maybe never will be, but that’s now twice the Australian Government has proposed to monitor or limit what it is people do online: there’s an authoritarian habit developing there that I don’t like the look of.

Of course, it’s not just Australia. The US Congress were narrowly persuaded that the SOPA and PIPA legislation were unpopular because they seemed to infringe things like freedom of speech, so that bullet was dodged (at least for now). But there will soon be the Centre for Copyright Information: an organisation intended to point ISPs in the direction of file sharers and copyright infringers with a view to, eventually, slowing their Internet connections to a crawl. I wouldn’t mind, in principle, enforcing copyright in a graduated way… but their technology is flakey and has been used to detect a printer committing copyright infringement! As the last bit of this report has it, “Although content providers are increasingly relying on systematic monitoring of P2P networks as a basis for deterring copyright infringement, some currently used methods of identifying infringing users are not conclusive.Through extensive measurement of tens of thousands of BitTorrent swarms and analysis of hundreds of DMCA complaints, we have shown that a malicious user can implicate arbitrary network endpoints in copyright infringement, and additional false positives may arise due to buggy software or timing effects” (emphasis mine).

So we have false positives and arbitrary “endpoints” (i.e., users) being falsely implicated in copyright violation, for which they may be punished without judicial review. Mounting a defence against a false accusation of copyright violation will, it so happens, cost you $35 a pop (see paragraph 11 of the CCI’s FAQ), and if you don’t go to that trouble, the presumption will be that you acknowledge your guilt in the matter. I don’t remember when they altered the US constitution to reverse the burden of proof like that, but maybe I wasn’t paying attention.

There are plenty of other examples of this sort of thing from elsewhere around the globe, too: governments restricting what citizens are allowed to see; police agencies wanting ever-broader scope to seize and retain information about citizen communications; big business wanting to ever-more forcefully assert their intellectual property rights by monitoring what people get up to and reversing the presumption of innocence. I guess we have 9/11 and its cousins to thank, at least in part. Plus a “think of the children” mentality.

Of course, about this time, it’s usual for someone to pipe up with the old saw, “If you’ve done nothing wrong, you’ve nothing to hide”, but I think that’s baloney. My mother pulled the front room curtains of an evening for privacy, not concealment of crime; and privacy is a right that even the UN Declaration of Human Rights (Article 12) acknowledges:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Besides, none of us are saints… but we don’t warrant burning at the stake for minor transgressions. I myself have downloaded music via bittorrent (I might add that in every case, I have then gone on to purchase the relevant boxed set), but I don’t think I should be busted as a copyright thief for what amounts to temporary sampling of a bit of music to see if I’m interested in buying it.

In any case, the presumption now is that the use of bittorrent is, per se, evidence of guilt of something! And as one who downloads and shares Linux distro ISOs via bittorrent, that’s definitely not something I’m happy about.

For these reasons and others like them, therefore, I’ve decided it’s time to unwrap the tinfoil and to take the sort of precautions I thought only JFK conspiracy fans or Diana-murdered-by-Prince-Phillip nuts would be interested in: assertion of data and communications privacy at all times. I honestly think it’s time we all stopped hoping governments and industry would be largely benign about our reasonable and respectable data habits: they are increasingly not being so. I genuinely believe data and communications privacy is a right that we now have to exert purposefully and deliberately: the time for thinking it’s all a bit geeky and unnecessary is already past.

Accordingly, I am going to write a few articles in the next week or two explaining how to assert privacy rights by means of encryption, VPN tunnelling and so on. For some, I guess it will be old-hat …but it’s certainly something I’ve just woken up to, and I don’t think I’m alone in my naivety about the intentions of government and big business.

Keepass on Linux

6 Replies

I mentioned several posts ago that my old Yahoo account had been hacked and that, as a result, I was madly changing passwords on everything I’d ever touched. I’m happy to report that this seems to have done the trick: no more dodgy sign-ins from the likes of Peru or Slovenia, for example, and no more spam (as far as I can tell) being sent from my old yahoo email account.

I also mentioned earlier that I was now keeping all my passwords in the completely zero-cost password manager called Keepass. Not only do I store the passwords there, I also get Keepass to generate the passwords in the first place… properly randomised, upper- and lower-case, plus numerals, plus special characters: you get the idea! In fact, I now don’t know what my passwords are to anything! If I need to log in to something, I simply run Keepass, copy the encrypted password into the clipboard (from which it is auto-cleaned after 30 seconds) and paste it into the password field. I know my Gmail password is 64 characters long, therefore, but I don’t know anything else about it and, so long as I can run Keepass, I don’t need to.

It’s a little fiddly, perhaps. But it’s definitely a more secure way to do things.

Provided I can run Windows, that is, because Keepass is a Windows-only application. (Yeah, a security product running on Windows… quit the laughing already!)

I only realised this flaw in my methodology when I got stuck on one of my old PCs which happened to have Fedora 15 x86_64 installed on it and found I couldn’t log in to anything!

Happily, there is a (fiddly) workaround: there’s an equivalent product, called KeepassX, which will run on Linux, provided you compile it from source. Doing that is just a little trickier than I’d like, so here’s the Fedora 15 64-bit recipe for doing that, should it be needed in future:

  1. Download the KeepassX software. Save it to a convenient place: I use my Desktop folder.
  2. Right-click the downloaded .tar.gz file and select ‘extract here’. You should end up with a directory called keepassx-0.4.3
  3. As root, issue this command to install a necessary prerequisite: yum install libXtst-devel
  4. As root, cd to the new keepassx-0.4.3 subdirectory and run the command: yum install mingw32-qt-qmake
  5. Still as root, run the command: /usr/lib64/qt4/bin/qmake
  6. Still as root, run the command: make
  7. Still as root, run the command make install

You should now be able to type the command keepassx in a terminal session as yourself and have the software run correctly.

The only other issue you’ll have is that if you’ve used the latest version of Keepass on Windows (version 2.something or other) to create your password ‘vault’, you won’t be able to open it in the Linux version (which is compatible only with version 1.x) because of file format changes between versions. Happily, if you go back to the Windows version and select File -> Export, you’ll be able to output a copy of your vault in 1.x format, which KeepassX will then be able to read without drama.

Which only leaves the small matter of saving the password vault (and its 1.x equivalent) on an encrypted USB thumb drive. On Windows, I use Truecrypt to encrypt the entire device (and to subsequently mount and unmount it) -and, happily, it’s available for Linux as well. Installation is an absolute doddle:

  1. Download the Linux version of the Standard Truecrypt software (I prefer not to go console-only!)
  2. Right-click the download and select ‘extract here’
  3. As root, in a terminal session, invoke the extracted file (which is a shell script) by issuing the command:
    /home/hjr/Desktop/truecrypt-7.0a-setup-x64.
    Substitute your own path and file name in that lot, obviously.
  4. Select option 1 (to install Truecrypt), agree to the license… job done.

You now just type the command truecrypt in a terminal session as yourself to run the software, which behaves exactly as it does under Windows. The only slight twist is that when you mount your thumb drive, Truecrypt will first prompt you for the encrypted device’s master password, which is fine. But it will then prompt you for your Linux user account’s password -which may well not have the necessary privileges to mount devices. If that’s the case, it will complain that it ‘Failed to obtain administrator privileges: hjr is not in the sudoers file’.

Which, finally, prompts the inevitable question: how do I add myself to the sudoers file, then?! Easy: as root, issue this command:

echo ‘hjr ALL=(ALL) ALL’ >> /etc/sudoers.

(Use your own username, obviously, unless you too happen to log on to your OSes as ‘hjr’!) As soon as you’ve done that, re-run Truecrypt as yourself and you should be able to mount and dismount the encrypted thumb drive at will.