Living Freedom by Claire Wolfe. Musings about personal freedom and finding it within ourselves.


Claire Wolfe

Encrypted instant messaging

Wednesday, January 9th, 2013

Do you IM?

Do you use Windows?

Okay, then, this is for you. Thanks to those brilliant boys at Freedom Feens, you’ve now got an EZ tutorial for encrypting your instant messages with OTR (Off-the-Record) Pidgin.

The tutorial is long. But that’s because its steps are so comprehensive. They’ve been vetted and foolproofed.

I dislike instant messaging. Life (and the ‘Net) have enough other disruptions without that. I know I’m in the minority, though. And Michael W. Dean, who wrote the tutorial, points out its privacy advantages over email when done right. Then he shows Windows users exactly how to do it right. Full-service privacy protection!

24 Responses to “Encrypted instant messaging”

  1. Water Lily Says:

    I can’t do IM. It’s bad enough we have phones & email. Whatever happened to solitude, lol? ;-)

    But thanks for the info, I’ll pass it along to my IM friends.

  2. Ken Hagler Says:

    For Mac users, the open-source app Adium supports OTR. For iOS, there’s IM+ (although OTR costs extra there).

  3. Claire Says:

    “I can’t do IM. It’s bad enough we have phones & email. Whatever happened to solitude, lol? ;-)”

    Yup. I’m totally with you, Water Lily. Even when I was a kid in my 20s with the high-pressure job and the demanding clients, the one thing I absolutely refused to do was carry around any sort of instant-communication device. And one time in those days when my office phone rang one time too many, I picked it up and pitched it at a wall. Thank heaven for voice mail (which wasn’t available then). I carry a cellphone now for personal safety and convenience, but I answer it only when I damn well please.

    This whole culture of being available and interruptible 24 hours a day is madness.

  4. David Says:

    Grr. This is a nice attempt and all, but ultimately futile…if anybody has targeted you. Just as in other areas, “doing something” even if it’s ineffective is often actively harmful.

    The thing is, there are lots of exploits that will (not “may”) give an attacker access to your system. Any one of them, once, can render all of the above meaningless. This is likely to matter -only- if you’ve already been specifically targeted for some other reason. Personally, though, I’m reluctant to argue the case that this sort of targeting will become more difficult or less common over time.

    If you really want your communication to be secure even if somebody’s looking…don’t use a computer. I used to write security/encryption software (gave it up for writing fiction–so far), and I design systems, and if I really wanted to send something “securely” I’d probably spend several hours and at least a couple of hundred dollars each time I communicated online. And I still might screw up.

    If that’s too harsh an answer, look into something like “Tails” that uses Tor for (ideally) all internet traffic. It’s an entire operating system, and not hard to use. But you still have to be very careful.

    If you want to use Tails in a reasonably secure manner, do it from a bootable non-writable DVD (because your copy of Tails may be modified if it’s out of your sight). Or borrow a trick I ran across: install grub2 on a USB stick and run Tails directly from the ISO image. Periodically verify that your ISO has remained unaltered by checking its hash (ideally against both local and remote hash storage, because the hash too can be modified).

    And NEVER trust anything that needs to be set up “only once” to be secure. Seriously. Don’t do that. In fact this might be a good reason to use Tails all by itself–if you’re using it as I suggest (rather than an installed version) it won’t keep any of your settings. Which is a really, really good idea.

    The above will help you with the software issues relating to security. On the hardware front…has anyone had physical access to your computer? Do you use a wireless keyboard? A wired keyboard? The same one, twice, and you left it behind for hours? Sheesh.

    And then there are the social engineering issues, and other problems arising from the nature of human beings. If you’re trying to have secure two-way security, the people involved multiply the potential attacks–and the likelihood of penetration–just by existing. So do their physical, software and network security decisions.

    Guys, it’s a lost cause. The use of encryption alone may invite an attacker. Do whatever you want to do, but don’t think your info or communications are safe once somebody decides to look at you. They’re not.

    Claire, I know you’re trying to help. But in this case I don’t think you are.
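
The periodic check described in comment 4 (compare the image's hash against both a local and a remote record), as an added example that is not part of the original post or comments. The file names and return codes are assumptions, and the remote record is assumed to have been fetched to a file over a separate channel beforehand.

```shell
#!/bin/sh
# Added example: integrity check of a disk image against two independently
# stored SHA-256 records (one kept locally, one retrieved from remote storage).
# Usage (hypothetical file names): sh verify.sh image.iso local.sha256 remote.sha256

# Print the lowercase hex digest stored in a record file.
# Accepts a bare digest or sha256sum's "digest  filename" format.
read_record() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# verify_image IMAGE LOCAL_RECORD REMOTE_RECORD
# Return codes:
#   0  image matches both records
#   1  records agree with each other, image does not match (image changed)
#   2  records disagree (at least one stored hash was changed)
#   3  unreadable file or malformed record
verify_image() {
    image=$1; local_rec=$2; remote_rec=$3
    for f in "$image" "$local_rec" "$remote_rec"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 3; }
    done
    want_local=$(read_record "$local_rec")
    want_remote=$(read_record "$remote_rec")
    # A SHA-256 digest is exactly 64 hex characters; reject anything else
    # so an empty or truncated record can never count as a match.
    for h in "$want_local" "$want_remote"; do
        case $h in
            *[!0-9a-f]*) echo "malformed record" >&2; return 3 ;;
        esac
        [ "${#h}" -eq 64 ] || { echo "malformed record" >&2; return 3; }
    done
    have=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$want_local" != "$want_remote" ]; then
        # One record was altered; report which one still matches the image.
        [ "$have" = "$want_local" ] && echo "image matches local record only" >&2
        [ "$have" = "$want_remote" ] && echo "image matches remote record only" >&2
        echo "records disagree: do not trust the image" >&2
        return 2
    fi
    if [ "$have" != "$want_local" ]; then
        echo "image hash $have differs from recorded $want_local" >&2
        return 1
    fi
    echo "OK $have"
    return 0
}

# Run the check when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    verify_image "$@"
fi
```

Return code 2 is the case the comment warns about: an image and one hash record changed together still fail, because the second record lives somewhere else.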

  5. David Says:

    Y’know, in spite of the above I do think encrypting stuff is a good idea. It’s a public service, really–the more people do it, the less it stands out. But “encrypted” and “secure” are only vaguely related concepts.

    Along those lines I think the Tor guys are taking entirely the wrong approach with their decision to discourage BitTorrent users from using the Tor network. If BitTorrent guys were also relays for other Tor users, it’d protect lots of people…and would make Tor work a lot better/faster too.

    Anyway. Be careful out there….

  6. David Says:

    One more thing: if you get past all the issues above, the fact that you’re using Tor (or NoScript, or anything else you’re doing that’s unusual) actually makes you much -easier- to identify to anyone who has access to your ISP’s data than if you were using plain-jane Windows.

    Encryption, security and anonymity? Uh…possible, but really, really hard to achieve.

  7. Claire Says:

    Yes, from the beginning I’ve always said that encryption and other privacy measures are not mainly about secrecy (which requires a LOT of effort), but are about 1) a personal declaration of self-ownership and 2) making life more difficult for casual snoops.

    IF you’re targeted … much more difficult and problematic. That goes without saying. But the vast majority of encryption users aren’t being targeted and government security apparatuses (apparati?) don’t have the resources to target everybody.

    I’ll say it again for the bazillionth time: encrypt even your cookie recipes if you can find willing partners for encryption. Then if you do get targeted, you’re going to have some very disappointed snoopazoids.

  8. David Says:

    I don’t mean to be a butthead, even though my 3-year-old often says that’s what I am. I just don’t want anybody to think casual use of encryption equates in any straightforward way to security or safety. In fact I think it makes the targeting more likely than if you were to use simpler means…like email drops and steganography (because straightforward encryption is too easy to identify as such). Though those too are imperfect, they’re at least harder to distinguish from normal traffic.

    A side effect of advances in computing is that it becomes less and less resource-intensive over time to target individuals. People have shown they will tolerate more and more incursions into their privacy over time, too.

    Let’s just skip to the end: it’s not ever going to be trivially easy to communicate safely or securely via a device that mainly exists in order to manipulate, store, and move information. Especially not one that can be traced to you with a minimum of effort. Unless you’re a few different sorts of expert, it’s not likely you’ll even know what is or isn’t dangerous…and experts too are mostly wrong about most things.

    Just…encrypt what you can, yes, but otherwise behave as if you’re posting everything on Facebook.

  9. Pat Says:

    “Just…encrypt what you can, yes, but otherwise behave as if you’re posting everything on Facebook.”

    Which leaves us… where? Nowhere?

    How about TrueCrypt-ing a USB drive? I’m impressed with TrueCrypt, from what I’ve read, but am left wondering how effective it is, also.

  10. David Says:

    I like TrueCrypt, and its plausible deniability stuff is very nice. I use the program myself.

    But here’s Bruce Schneier on the topic:

    What I got from that was that encrypted drives are way cool, but you shouldn’t leave them mounted. Which, if you’re encrypting your system partition (makes sense to me) means you ought to turn your computer off if you are going to leave the room. And don’t allow hibernation, either.

    But hardware devices still might get your passphrase, and if you use the same one elsewhere that just opens up more vulnerabilities. Plus, malware may get the data you’ve hidden on the drive. Because once your encrypted volume is mounted, it’s just as accessible to software running on your machine as if it weren’t encrypted to begin with.

    And did you verify your TrueCrypt download to be sure it was what you wanted? I don’t know of any fake versions of TrueCrypt out there, but it’s always possible there are some. (Frankly I didn’t bother with this myself.)

    Doing a perfect job of this security-stuff is hard, and I really think the best answer is: don’t try, unless you really have to. And then take whatever precautions you need to.

    Here’s my personal guideline: if it’s not important enough to buy a laptop for cash (or at least a throwaway wireless device with a MAC address I’ll never use again) and to use an operating system I don’t have on anything else, and to drive around to find unencrypted wi-fi that can’t be traced to me, and to do whatever other tricks spring to mind…I just assume my traffic can be traced to me. After which, if anybody actually cares, future traffic/info can be read. So…I always behave as if my traffic/info is already being read.

  11. David Says:

    Oh- on the encrypted USB front, I don’t think I was very clear. You really need to encrypt all your drives if you can. Between that and turning everything off when you leave the room, you’re probably good on the drive-security front.

    But there’s still malware, network security & physical security. A breach anywhere is likely to be the same as a breach anywhere.

    If–and only if–somebody is actually trying to get your data, and -also- cares enough to do what it takes to get it. Which, as Claire points out, is currently unlikely.

  12. David Says:

    Anywhere is the same as everywhere. I need a nap.

  13. David Says:

    Just for fun, it actually gets worse:

  14. Pat Says:

    David said, “Anywhere is the same as everywhere.”


    I never leave any USB drive on the computer. In addition, I have a smaller flash drive which I use to download stuff, then transfer (if I plan to keep it) to a computer that stays offline. And always put both [passworded] computers to Sleep or Shut Down when away from them.

    I guess it’s inevitable that someone would find a way around TrueCrypt (and other software) sooner or later. I did download TrueCrypt’s instructions, but haven’t put it on yet.

    Thanks for all your input.

  15. David Says:

    Np. Just bear in mind that (1) plugging an encrypted drive into a compromised computer–and mounting it–is functionally the same as plugging an unencrypted drive into that computer, and (2) it’s probably possible to collect whatever you type on your keyboard or view on your monitor from -outside- your house, if somebody buys the necessary hardware (that’s the Tempest link). So in addition to everything else, truly sensitive material–including passphrases–shouldn’t be typed at home or in a regular hangout. Or in a place with security cameras. If you think you’re being watched by competent people with a nice budget.

    Depending, again, on what you’re doing. If you’re just robbing a bank, it’s probably no big deal. Giving info to WikiLeaks? You might want to be very careful, and not do it the same way twice. Cookie recipes? Depends on the cookie quality. {8′>

    On the bright side, nearly anything (security/anonymity-wise) will likely work if you’re only doing it once. It’s the patterns that get you.

  16. Claire Says:

    “Just for fun, it actually gets worse:”

    Whoa, let’s not get completely carried away! There’s nothing new in Tempest; I was writing about a client’s Tempest-shielded cabinets clear back in the mid-1980s. It’s certainly nothing new to get alarmed about. It’s something old — and whether to be alarmed about it depends on a lot of factors.

    You seem to be looking at worst-case scenarios — how bad it can get if the nation’s security apparatus is after you with everything it’s got. That’s not the case and is unlikely to be the case with most computer users, even most “political” ones.

    I totally agree that we should not take a few EZ steps and think we’re protected from everyone and everything. But you’re making it sound as if “Resistance is futile!” and making a hard subject look so much harder that you risk driving people away from privacy protection entirely.

  17. David Says:

    Hmm. You may be right, as far as how people will take my ranting goes. I hope they’ll just understand that the degree of paranoia required depends entirely on what they’re doing.

    But “privacy protection” that doesn’t work if somebody wants to look isn’t exactly protection. It’s a degree of obfuscation that is helpful precisely to the extent that it goes unnoticed–which is why I want everybody to encrypt everything. My concern is that not letting people know of the vulnerabilities might incline them to take risks without knowing they’re doing it.

    I’m not trying to focus on worst-case stuff…at least I don’t think I am. But I do think knowing the limits of computer security (basically: doesn’t exist if you’ve been targeted individually) is potentially helpful. I don’t know if it matters to your readers…I don’t know what they’re up to. I don’t want to know, either. But I suspect their hearts are in the right place, so I’m–very provisionally–on their side by default.

  18. David Says:

    Not to imply that you don’t care, Claire! I know you do.

    Man, I should just shut up. It’s just…this is my field, or one of them, and I think people should understand how sharp/damaging power tools can be before they pick them up. And then use them as they see fit.

  19. David Says:

    Also, it doesn’t take a nation. A tech-savvy individual can do most of the stuff I mentioned, if the idea of breaking laws is an insufficient deterrent. Chances are, that’ll just get easier over time.

  20. Claire Says:

    “I think people should understand how sharp/damaging power tools can be before they pick them up.”

    I agree with that. And I bow to your expertise in this area.

    But some of what you’re saying is equivalent to “Don’t bother enclosing anything in an envelope because ‘they’ can open it or at least waylay it at the PO and record the information on the outside of it if they’re targeting you!”

    OF COURSE sophisticated tools and determined efforts can break our privacy, whether on computer or in real life. Of course we should know about the perils. But there are levels of need and levels of security. Everybody needs door locks but not everybody needs a hardened bunker. Ditto, everybody should practice some privacy awareness but not everybody is going to have the NSA, the CIA, the FBI, and Interpol trying to break their privacy protections!

  21. David Says:

    Actually at my (very isolated) cabin I don’t have a door lock anymore–when we were away, it got burglarized, and the guy who did it broke the door. So now it’s easier to get in. Plus, what if somebody needed to get out of the snow? Security decisions are always tradeoffs.


    The article you linked to, though, said things like: “it’s kind of neat to be able to install something in under an hour that the biggest governments in the world cannot crack”


  22. ILTim Says:

    Interesting comments David. I did a little research a while back, and again at the prompting of a Claire post, and came to a lot of the same conclusions. The abilities of counter-security are jaw-gaping supernatural.

    Essentially, everything on a smartphone or average computer is public. Your word documents may as well be written in sharpie on your nearest public library wall, and email or other communications are worse yet.

    Not that it matters much, after all so what if your cat photos WERE scattered on the floor of a shopping mall?

    But I decided to create a half dozen or so TrueCrypt volumes and mount them only momentarily when I needed something. Different containers for different purposes. Now I know that when truecrypt is closed I have very little to be concerned with, and I can move these containers around easily and without much concern for what kind of system they reside on. I have to be more selective about the systems I mount them on obviously, but storage and transport of a closed container leaves a fairly small hard attack vector. Good enough for me.

    And also, using something like Dropbox to sync copies of a closed encrypted container or three creates a nice level of redundancy/resiliency/backup for your typical cookie recipe library.

    “If you’re just robbing a bank, it’s probably no big deal.” Haha, good perspective.

  23. jed Says:

    I don’t mind IM at all. You just have to train yourself to ignore it when you don’t feel like conversing. No rule that says it has to be synchronous. My problem with IM is that when I bring up using Jabber, people wonder why I don’t just use Yahoo chat, AIM, or whatever.

    In re. encryption, sure, there are various ways to break it that don’t involve brute-forcing it. Keyboard sniffing is probably the most likely — if you’re already a person under suspicion. But the best response, IMHO, to ever-increasing cracking capabilities is to just increase the volume of stuff that has to be cracked, and realize that it’s just one thing to do.

    The other point (yes, I’m just echoing Claire) is that it’s something of a declaration that yes, privacy is important. It’s similar to what Boston T. Party said about carrying a gun — flex your freedom muscles!

  24. Hanza Says:

    I have a friend who is a retired police detective (department redacted), who was their specialist in ‘black bag’ jobs.

    If a surveillance warrant was issued he was the guy that picked locks, bypassed alarm systems, and installed keyloggers, and other associated goodies.

Copyright © 1998 - Present by Backwoods Home Magazine. All Rights Reserved.