Security and Whistleblowing with Signal and Moxie Marlinspike

Signal

New Orleans   Not long ago in the Edinburgh office of ACORN, I got a crash course in some simple things about basic email and text protection from spying and other weirdness thanks to one of our leader/organizers, Jon Black, who has done a deep dive on some of this stuff, so now that everyone is looking over our shoulders, maybe it’s time to share some tips.

I had fooled Black and masked my basic techno-peasantness because I knew about the legendary Moxie Marlinspike who is seen by many as the world’s expert on encryption. Of course I only really knew about Marlinspike because I had read a number of articles by him, thought the name was fantastic, and liked the fact that he was not your standard issue Silicon Valley greed grubber. Jon has actually read all of the terms and conditions so he was able to explain to me exactly why Moxie’s Signal was better than WhatsApp, which Marlinspike also developed and is now owned by Facebook. There was an important difference involving setting specific controls on WhatsApp for the user to be notified if someone was creeping up on their account, which are automatic for Signal. At least I think that’s what he told me.

But, anyway, Signal is actually owned and run by Marlinspike, so that should just be enough. Importantly, when WikiLeaks dropped the dime on the CIA at first I shouted out for Jon that they had managed to break through the encryption at Signal, but that was wrong. I heard the Moxie-man on the radio and he made it very clear, and it’s been confirmed elsewhere since, that they cracked the smartphones, not the apps. Of course one thing is still important to remember. To really encrypt your phone calls, video calls, and texts on Signal, the other party also needs to be on Signal. It’s an easy switch, and I’d recommend it as a “why not be safe rather than sorry” move.

Another recommendation for moving in this direction were some tips I saw recently in the magazine, “Wired,” for being a leaker or whistleblower and hoping to protect your anonymity. When it came to doing so with a phone they made the following suggestions, which many would have known form any close viewing of the great HBO series, “The Wire:”

“Buy a burner – a cheap, prepaid Android phone – with cash from a nonchain store in an area you’ve never been to before. Don’t carry your regular phone and the burner at the same time, and never turn on the burner at home or work. Create a Gmail and Google Play account from the burner, then install the encrypted calling and texting app Signal. When you’re done, destroy the burner and ditch its corpse far from home.”

They never say the words GPS, cell tower triangulation, or Stringer Bell, but almost all of these cautions underscore the fact that when you’re rolling with your phone – especially if it’s switched on – anyone and everyone can track you anywhere and anytime. Regardless, I would call those instructions a huge product endorsement for Signal as top of the line, best in class now especially for the price. Heck, it’s free, so you get more security for nothing. What’s to lose?

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Is This Really the End of Email?

password-creator-for-androidNew Orleans   In the wake of massive and disruptive hacking of emails in the corporate and political world, there was a piece in the paper the other day essentially announcing the end of email. The author was making a case that it was time to return to direct and telephonic communication on any matters pretty much more important than a grocery list. We might wonder about all of that even if it is abundantly clear that soon email systems should come with a caution or a cigarette pack warning that pops up before you hit the “send” button. In fact, is there already an app for that? If so, we should all get it!

We think of email as ubiquitous now with a gazillion messages sent daily, but is it? There’s every indication that texting, Facebook messaging, Snapchat, and even Instagram are more common communications tools for many of the under-30’s in the developed world than email. No small part of that may be the ability to utilize a more informal language and briefer protocols than even common in emails. On the other side of the divide, there are the old dogs, and there are some of them still barking in union halls, corporate corridors, and even political offices who have their assistants print out their emails and often handle their replies.

Some of these dogs know how to bury their bones or at least keep others from uncovering them. Senator Lindsey Graham from South Carolina was quoted during the first of the Democratic National Committee released by WikiLeaks that he had never used email yet, and had no plans to ever use email in the future. I’ve often told the story of Mayor Marc Morial of New Orleans, now the longtime head of the National Urban League, based in New York City, telling me he looked forward to leaving office so he could see what a Blackberry was like and use email. Politics is almost the ultimate transactional business, so at the best some were huge fans of the Animals and were always humming, “Please Don’t Let Me Be Misunderstood,” and at the worst, well, as Hillary Clinton’s email program has demonstrated, let’s just not go there. On the other hand we had John Podesta a former White House Chief of Staff and ultimate political professional using a Gmail address, when he must have known even if never hacked, Google never destroys emails leaving a permanent record just out there waiting.

Can we keep email and use encryption? I’d like to think so, but then there’s the federal lawsuit trying to break Moxie Marlinspike’s best-in-class system. Can messaging encryption like WhatsApp be better? Maybe, but then I read a long article in The New Yorker about the coup in Turkey and how the Gulenists were in deep trouble once the Turkish intelligence got into their homemade app called ByLock that had 200,000 users forcing them to “go underground” with something else called Eagle. We’ve all read about the FBI having to pay big bucks to “unlock” an IPhone. You have to wonder whether or not there’s anything that cannot be hacked?

Should we worry about this at all? Most of us not only have nothing to hide, but pretty low key, boring correspondence and lives for that matter in the eyes of the outside world, even if vital to ourselves, our work, and families. Nonetheless, we’re somebody, too! Do we just sigh and accept the tradeoff between privacy and convenience? Do we exchange paranoia for openness?

Where is this all going? My companera and I watched an episode of a widely touted, and supposedly “most relevant” show on television the other night on Netflix. The episode featured an implant behind the ear and a small thumb drive size device everyone carried around constantly that filmed and recorded every part of everyone’s lives, allowing someone to search back in old experiences from their past, unless they had deleted it. Is that where we’re going? If so, I guess we should enjoy email while we have it, and start calling these days, the good old days!

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Secrets? Who Has Secrets Anymore?

yahoohackLittle Rock   If you ever want to keep a secret, don’t ever write it down anywhere. Don’t walk, but run away the internet! That’s increasingly the single biggest clue to protecting your privacy.

The evidence mounts daily as the tidal surges of data seep out of every conceivable internet portal and stream into hands both nefarious and purposeful. Let’s look at some cases in point.

  • WikiLeaks has to be in the conversation, but someone has to explain Julian Assange to me these days. Is he about transparency or anarchy? Is he serving a greater cause or an agent of the KGB? The fact that we’re scratching our heads, means there is a big warning sign attached to anything with a WikiLeaks label these days.
  • Yahoo had all of the critical data lifted from a half-million customers in the latest and largest hackfest, including social security numbers and the whole enchilada. The biggest concern in the papers was whether it would lower Yahoo’s sale price to the telecoms.
  • The FBI arrested someone in August who had lifted the source code for hacking into foreign government websites (and just maybe we should discuss that sometime, too!), but now they aren’t clear if he was a Snowden wannabe or a hoarder who couldn’t keep himself from taking stuff home. Booz Allen has made billions subcontracting to NSA and other agencies for this kind of spy craft, but seems to be running a Swiss cheese factory.
  • Yahoo seems to have answered a secret subpoena from the government and created a scanner for its email to try and isolate messages for an alleged terrorist the G-men were tracking.

The list is endless: Apple, one bank after another, credit companies, department stores, hotels, and on and on. Pretty much if you operate in the modern economy, your data is eventually going to end up everywhere, partly because it cost money for companies to protect it, and they would rather apologize for the breech and say, “it’s happening to everyone,” rather than provide the security they are implicitly promising whenever you turn over your information.

No worries, you could go with encryption right?

Not if you follow what is happening to Open Whisper, reputedly the best encryption site out there developed by Mr. Encryption, Moxie Marlinspike, an eccentric, genius hacker and programmer. The government has secretly subpoenaed his company for information. We know this because the ACLU has won some court proceedings trying to protect Marlinspike and his operation. Nonetheless the government is still after Open Whisper because they are trying to collect information that the company expressly says that it does NOT collect.

We’re living in a catch-22 world now. We can’t live with the internet, but we can’t live without it. At this point we need to come to grips with the fact that unless we’re hand signaling to someone out in the wilderness somewhere, no secret is safe, and of course even while our lips might be moving and our hands waving, an eye in the sky probably has our GPS coordinates handy and some footage available.

Our lives are an open book. Get used to it!

***

Please enjoy Suzanne Vega’s We of Me. Thanks to KABF.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Hacking is Everywhere, What are You Saying on Your Email?

silhouettenoire-blocked22            Douala, Cameroon     Crossing the world to places where you feel lucky to have internet, rather than thinking it’s as common as air, I follow this hacking thing perhaps more than the average bear.

In Germany between Hamburg and Berlin, a funny thing happened to me that in my naiveté, I ignored blithely until returning to the United States. It was a situation I wrote off, jokingly, in mi companera’s words as Mercury-in-Retrograde, when mechanical things and even simple communications go awry. I would send an email in Hamburg tightening down a meeting or a pickup, and somehow it would never be received. My blog wouldn’t show up for posting in New Orleans. Finally hitting New Orleans I consulted our server mastermind, thinking, duh, it might be me, not them. Sure enough he and his team found that 87 of my emails had been blocked from so-called “blacklisted” sites. I’m still sorting it out, and working to tell people that in some cases their homes are even blacklisted, not just random buildings, coffeehouses, and hostels. They recommend that I go through a VPN network like people do in China and Russia, so that I’m linking virtually to an eye-spy server in the US with a random address and then bouncing on from there. Maybe their right. Maybe it’s the way we all need to go?

With emails being randomly hacked throughout the US now, first with tech companies and Hollywood, and now politics and most recently former General and Secretary of State Colin Powell, I read that a network anchor had stayed home to delete his entire Gmail account so that he wouldn’t be taking a chance. Others in public life are also scouring their emails. Senator Lindsey Graham told a reporter, no problem, he had never sent an email yet, so he wasn’t worried. What world does he live in, and can we move it farther from the rest of us?

The simple lesson might be, don’t say anything in private that you wouldn’t want to have made public, but who among us could ever live in that glass house forever. Even if we tried, that doesn’t protect us from misinterpretation or, you know, Mercury-in-Retrograde.

Veterans of the burn from previous hackers say that in fact you learn to be more careful. Law firms have created abbreviations that essentially say, talk to me in person, and don’t put it in an email.

None of this is a step towards more transparency and in fact it seems to be a step away from the quick and fluid communication that is part of the gift of email.

So what’s the solution? Go all German and flip IP addresses and blacklists like cards in a deck in the name of privacy, but that may mean even emails that you might want to read are being blocked from you or slow-death in a spam file. Meanwhile weeks may go by before some poor sucker, like me, realizes he’s talking to the internet, and not the people he’s trying to reach.

I’m with the “no substitute for good judgement” crew, because we have to communicate to move forward, but what a mess!

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Were We Conned by Apple in the Privacy versus Security Dispute?

iphoneLittle Rock    Apple and its products are ubiquitous. No matter how much I might dislike the company and its historically elite and overpriced values, begrudgingly I have to admit that the IPod and even the IPads are hard to beat, which means hard not to own. With Steve Jobs gone and a new sheriff now running the world’s most valuable company, it seemed like maybe things might change. Tim Cook, the new dominant voice for the company as its CEO now, stood tall around same sex marriage for example, and seemed willing to look the government in the eye on a facedown over whether it would protect IPhone users’ privacy or work with the FBI to hack its own phone. He even did so in a tactical situation he could not have relished since the phone was owned by one of the San Bernardino terrorists. Right or wrong, it seemed like the company might be getting a values injection, and that had to be a good thing, so even when the government claimed it was just another Apple marketing ploy to help their global image, I was inclined to root for Apple as a surprising underdog in the fight.

Now I’m not sure. Now it’s looking a little bit more like Apple may be the wolf in sheep’s clothing.

The grand lawsuit between the government and Apple may be collapsing because some hacker group, and believe me, there are hundreds of them, uncharacteristically approached the FBI saying essentially, “We can crack open the IPhone for you, chief.” Over the next week the FBI now has to see if they are all boots and no cattle, or can really get into the phone.

Something didn’t feel right when the story broke. It must be some kind of violation of a cardinal hacker rule of outlaw ethics to go to the government with a fix? What was up?

It turns out that Apple is one of the only big tech companies that refuses to deal with hackers when they find a bug in its software. Microsoft, Facebook, Uber and almost all of the other big companies routinely encourage, which means pay, hackers for finding a bug in their software so that they can improve the security and patch it up. Apple it seems does not. Instead it claims to have the world’s best security and encryption system, but that’s all marketing because while also claiming they don’t want to get into a financial “arms race” of paying more and more to hackers, instead they have implicitly created a black market where hackers who break their codes can be paid even more by the bad guys who exploit the bugs, while Apple markets security without really providing it.

This case between the government and Apple falls apart if the hackers are able to open the IPhone as they claim, because the more than 100-year old law that allows the government to compel the company to comply is a last ditch thing available only if there are no other alternatives. The hacker community has stepped up and provided the potential alternative, which would make the case moot on a number of fronts. If it works, the FBI, meaning the government, will now be able to have its own backdoor to all IPhone users’ data, because they are under no obligation, once they have paid the hacker company, to tell Apple how to lock them out.

It seems that arrogance and unaccountability may still be a fundamental part of the Apple corporate culture and DNA. New boss is just the same as the old boss. The more things seem to change, the more they may be staying the same when it’s all about the dollar, even when the company has more dollars than any other company in the world that doesn’t mean it will loosen its grip, even if it means protecting their devoted cult of customers.

***

Eric Clapton Can’t Let You Do It. Thanks to KABF.

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Dragnet Nation Finds Personal Privacy Unobtainable with Some Tips

dragnetLittle Rock  One of my crew of personal librarians at the Alvar Street Library recommended that I read, Dragnet Nation:  A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance by former Wall Street Journal reporter, Julia Angwin.  Since usually they comment after I return something, rather steering me towards something, I thought I should honor them and their efforts by checking it out and giving it a good, hard look.  It’s a good book, but after reading Angwin’s overview and exhaustive personal experience in trying to reduce her digital footprint, deal with her own “threat model,” protect her family, and regain some semblance of privacy, here’s my own takeaway:  it’s virtually impossible!  Literally.

            And, not for lack of trying, because Angwin went above and beyond from buying services to disguise her phone number, creating false identities, buying $200 “burner” phones, and hiring companies to supposedly d-list her from computer cookie based ad tracking services. She took all of the easy steps as well, trying to navigate all of the security controls on Google and Facebook, without feeling she was making much progress.  She even abandoned Google except for “mom business” to a new search engine, DuckDuck Go, which saves nothing, and with great effort switched email services to the anarchist collective, Riseup, which swears it will fight any effort at government seizure. 

            I was eager to learn all of that, as well as to discover from her that Google has a Data Liberation Project that allows a Googler to find all of the records of their past searches, contacts, emails, and seemingly just about everything else where fingers hit the keys under their auspices. Fascinating and scary, huh?  When she mentioned that she discovered pictures she had forgotten on Google’s Picasa, I tried it but at least so far have not been able to access anything there, though I know that we all used Picasa at some point, so WTF? 

And, those were the easier and cheaper parts of her journey.  Being a journalist with an eye out of her next job in a declining industry, Angwin believes in saddling up with a smile to every paywall she sees and paying for the best, so she does things like buy a Faraday case to hide her burner phones for a pretty penny, and contracts wildly with companies to try and get her off the grid, along with paying a researcher and using her own time to do countless thankless tasks.  All of which irretrievably separates her already from all of the rest of us, meaning that as the book progressed, we quickly went from fellow travelers to bystanders watching her journey as voyeurs knowing that it was all a bridge too far from our energy and pocketbooks. 

I learned valuable tidbits though, and I’m thankful for them, even if I’m not sure how to get there from here or am honest enough to say, I won’t even try.   Things like the fact that it’s possible to reorder Google search so that it will first find things that you wrote when they hit your name rather than things written about you.  Of course she got someone to show her how to do that, and I wish she had shared that with the rest of us, because I would love to get the haters off my front pages so that they are part of the search caboose, rather than the engine.  The tip about using mnemonics as passwords was fascinating, such as converting phrases like “It’s 12 noon now I am hungry” into <I’s12Iamh> to thwart hackers and spammers.  I’d never heard the term, “wardriving” used by tech companies driving on streets to find wireless hotspots.  Scary, huh?  I loved the story about Charlie Ward from the Conway, Arkansas Ward Bus Company family having founded Demographics to help his buddy, Senator Dale Bumpers, with direct mailing in his political quests, which has now evolved into Axciom with a fancy building in downtown Little Rock, and truly one of the scariest companies in the world in this area.  I had to agree with Angwin that the “irrational compulsion to keep doors open” that undoes so much of our efforts to achieve privacy is universally shared.

But, mainly I learned something that she may or may not have intended to teach which is that at the present time given the state of corporate control, lack of regulation, and the inability of policy makers to even imagine the fact that the internet has no boundaries and trumps all borders, we simply can’t expect privacy or that we can escape the dragnet.  Angwin created an alias to escape named Ida Tarbell after the famous muckraker, and constantly worries that the fake Ida would become a part of her “family” network and defeat its purpose.  She failed to mention the fact that Osama Bin Ladin met his fate the same way using a courier to handle all communication, until eventually they found the courier and tracked him to Osama.

Meanwhile in making the best of a terrible situation here are two safeguards that I pulled from the book.

One is that if you’re worried, do as much of your business as possible in real time conversations on land line telephones.  The government still needs specific search warrants to get a seat in the old school where the law understands the tech.

The other is achieving “privacy by obscurity” by accepting all friends, all Linked-In invitations, and essentially “burying good data (real friends) under bad data (people not known).” 

Yeah, it’s counter intuitive, but it works and what the heck, if you can’t beat ‘em, you might as well join ‘em, and embrace people and the public sphere, since there’s no way of escaping anyway.

Facebooktwittergoogle_plusredditpinterestlinkedinmail