Privacy opgeven?

(Een leerzame discussie over privacy)

maan dolfijntje


Italian Cops Attempt Infiltration of Indymedia Chat Server
by San Francisco Indymedia July 21 2001, Sat, 11:37pm

A summary of the Italian cops attempted infiltration of the IMC IRC server.

During actions in Genoa against the G8, Italian authorities have repeatedly attempted to infiltrate an internet chat server used by the Indymedia network.

IRC is an open internet standard which allows people to set up and communicate via "chat forums." Users can login with a nickname and talk back and forth in real time. Independent Media Center, an international network of indymedia journalists, has used IRC as an organizing tool for over a year, according to Espe, a member of the indymedia tech collective.

Italian police have repeatedly tried to access this chat server, presumably to listen in on plans and coverage being provided by Independent Media Center. Indymedia, which is operating a media center in Genoa, has provided in-depth coverage of international and local protests in over 40 cities across the world.

Italian police have logged onto the server under the nickname "crudelia". Indymedia tech collective members have remained vigilant, though. "We know their IP addresses and hostnames," says another anonymous tech collective member. "When we see them come on, we kick them off. Unfortunately, we are really busy during major actions and cannot spend all of our time monitoring police spies."

Italian activists have grown to anticipate this police maneuver. IRC is often used throughout Italy as an organizing tool. The activists report that police often come onto their server, pretending to be fascists or extreme leftists advocating violence. Italian activists have assembled their own form of counter-intelligence, keeping track of hostnames and other clues which can help them identify cyber-cops.

Indymedia tech collective members warn that IRC is never secure. "People can simply idle in chatrooms and log all the traffic within it," says Espe. However, snoops do not have to login or let anyone know they are there to listen in. "Conversations can be sniffed and logged," Espe continues, meaning that anyone can monitor IRC traffic secretly.

Tonight, Italian police brutally attacked the independent media center in Italy, severely injuring more than 20 people and stealing mini-discs and video.


---

cyber cops
by John July 22 2001, Sun, 9:18am

I would suggest that we continue using unencrypted communications. The things that need to be encrypted are bomb plans, assasinations plans, murder plans, theft plans, etc, etc. But if we did those things what would make us different from the very police that snoop on IRC, or brake into the IMC at midnight? My opinion is that if we start encrypting and hiding things, then the state will only assume that we are planning violence.

Besides, 128-bit encryption has been broken in just a couple of hours, and cracking passwords wouldn't be too tough for people that know what they're doing. Windows passwords can be bypassed with little or no effort, and Unix passwords (most of 'em anyway) can be gotten after 24 hours of running a password cracker.

---

Privacy is Sacred
by Aphrodite Platoon July 22 2001, Sun, 9:19am

As far as the (often heard) arguments of John's "Cyber Cop" are concerned: defending privacy is at the basis of democracy. Where will we end if you give this up? Will you accept an electronic device being implanted to prevent people from walking in different directions? Will you give up voting anonymously? Did you consider what happens if there are large databases on every person out there? What happens if the powerful keep their secrets but the less powerful have no means to prevent their plans from leaking out prematurely? What if you can not trust the integrity of the communication with your doctor, lawyer, accountant, therapist, priest? And what if I send you a sealed envelope containing a letter with my inner most emotions, would you answer on a postcard containing a copy off my letter?
I certainly won't accept that and you can not make me look bad for defending my right on anonymity either. I have the right to go out and get me my food and wine without being under surveillance and without having to legitimize myself in every shop or means of transportation. And if I want to speak my mind in public without risking repression you can not deny me this without offending democracy (freedom of speech, freedom of gathering) itself.
Digitalization from data made it possible to create and store enormous files on everyone. The only answer in regaining these most fundamental privacy rights can be found in serious digital privacy protection. And you cannot expect me to trust national governments to defend my privacy against these international and very powerful, often not even democratically controlled, organizations either. They are intentionally gathering data on all of us as well... .
So I repeat: Protect your Privacy. Without it there cannot be democracy or any other kind of civilization.

---

Reply to "Cybercops" post
by Who knows - who cares? July 22 2001, Sun, 11:27am

You make good and valid points, but there is one reason to think more about the issue.

The oppressors only have x amount of resources and the amount of them that are spent on wild goose chases means there are fewer to use in oppression of legitimate dissent.

So I would advocate an occassional encrypted e-mail about the migratory path of the Canadian Goose or the life of the Wild Hare for comic relief.

Laughter is the only thing that can get you through oppressive times so you might as well have some at the oppressor's expense.

---

Privacy is Sacred (4)
by Aphrodite_Platoon July 22 2001, Sun, 3:04pm

Good point this "exhausting resources". Spying on people is probably as old as human history itself, and with enough brute force every encryption or anonymity can be broken, but it would demand the resources and commitment from a pretty big security agency to do so with the protection from the Canadian Goose or the Wild Hare (love this analogy!). They would have to reduce spying on normal citizens and limit their efforts to fighting "heavy crime", "national security risks" and each other. But the right protection goes further than an occasional highly secured e-mail and includes almost every digital move I make on the web. It's not a matter of "teasing the enemy" but one of defending against the biggest threat for civilization. In my opinion this privacy matter goes even beyond left- or rightwing politics as it's threatening for every citizen and monk equally.

---

NOTHING is SECURE
by The way it works July 22 2001, Sun, 8:58pm

There are no fullproof ways of encryption.

It shouldn't matter, because we need to keep communication channels open so more people are informed not less. There is nothing that we are doing that is wrong.


---

Encryption
by TheRodent July 23 2001, Mon, 4:10am

Although there are no fullproof ways of protecting your privacy, there are better and worse approaches. Most modern encyption algorythms are very strong. DES and RC5 have been cracked, but 3DES, Two-Fish, Blowfist, and AES are considered strong, and should last at least for a few years.

Make a habit of encrypting all communication. If you only encrypt part of your communication, it allows traffic analysis.

The biggest reason for encryption failure is loss of physical control of a local computer. Without physical security, there is no security. If your paranoid enough, create a bootable CDRom with a fully functioning version of your OS with favorite Encryption software. Spooks can't inject a keyboard sniffer on write-only media (without a lot of work). Worried about van eck phreaking, build a faraday cage, or work on a laptop. Neither are perfect solutions, but LCD screens are far less susceptible. It's like a game of chess, for every attack, there is a countermeasure.

You can take security as far as you want. For the most part, we're just intersted in delaying message interception for a period of time... hours, days, months, or years. You take the precautions depending on how long you need it to stay private. Although many Gov't organizations, such as the NSA are extremely good at extracting information, they have limited resources. They have to triage information. If an organization of 10000 users are all using encryption, even a weak encryption can be safe. At that point, they have to rely on more traditional forms of spycraft such as traffic analysis, infiltration, and the like.

Privacy is a basic human right. Encryption helps provides that privacy. It's not a matter of whether we're "right" or "wrong", it's simply none of the gov't/corp's business to know what I'm saying to my Lover, or my associates.

---

false security from SSL
by utunga July 24 2001, Tue, 7:41am

hi all,

trust no one

ssl irc is well worth it when talking to people you know and can verify identity for, but bear in mind.

even with people you think you know, irc provides *documentary evidence* which may, one day, be used against you.

and there is no point whatsoever to use SSL irc or SILC for public IRC channels - sure, communications might be 'secure' from outside communications, but one of the people in the channel might be a cop.

the secret service regularly take on real life activist identities to infiltrate organisations like ours. they will have done this again.

the only protection against this infiltration is small autonomous cells of activity, and to say who cares what they know we will do it anyway. remember, it doesn't much help them to know there will be 100,000 protesters in the street, theres still 100,000 people there.

Finally... ssl encryption is grand, but *expect* that ECHELON (which is very real and very serious) and CARNIVORE and other signals intercept based monitoring systems lead into computers that have *very highly powered and clever* decryption/cracking methodologies. even the largest bit encryption is vulnerable to exploits, and expect that the NSA will know them all..

---

echelon and co
by bastien July 24 2001, Tue, 11:16am

yope, echelon is bad. but they've got a nice little software (carnivore) used to monitore all traffick in a website. even the swiss has an echelon system (satos3/onyx), great-britain, new-zealand, germanz, australia, perhaps more.

if ya wanna talk about this mail me but with pgp please.
(you don't want that big bro reads your mail, no?)
-mooe-

---

I don't get it...
by Loree Thomas July 24 2001, Tue, 3:26pm

Police spies? Why would anyone worry about spies unless they were engaged in illegal activities?

Peaceful protesters coordinating their efforts via IRC have no reason to fear spies.

Media personel reporting events have even less to worry about from spies.

None of this makes sense to me.

Loree

---

Privacy is Sacred (6)
by Aphrodite Platoon July 24 2001, Tue, 8:04pm

Regarding SSL: as far as I know this is purely based on (strong) encryption and defends the integrity from your data during the transport between modem and Provider. Directly implemented this doesn't offer you anonymity (doesn't really defend against the "Big Brother nightmare") because the data still contain the computer address from the "sender". Besides that, SSL has two weak points. The data can be read by the provider you use and SSL produces logs that are being kept by the provider so this provider has to be trustworthy and can be subpoenaed to present these log files.

Regarding the use of anonymous IRC: the Canadian Goose made it possible, but I haven't figured out how to get it up and running yet so feel free to offer me advise (I'm not that technical or clever).

I do agree with several previous speakers that it's important to keep in mind that even the most efficient Privacy Protection is one-way traffic only. You still have to be careful about what you say and who you're talking to. As always.

And to offer an answer to Loree and others who are wondering if it's really a jungle out there, I'd like to quote the EFF ( www.eff.com )

"(...) Last but certainly not least, there are other privacy threats besides abusive marketers, nosy bosses, spammers and scammers. Some of the threats include industrial espionage, government surveillance, identity theft, disgruntled former associates, and system crackers. (...)"

---

Encryption only delays, does not protect
by The Urban Monk July 24 2001, Tue, 11:43pm

Most private encryption softwares (even the Swiss ones) have given the first bits of their decryption keys to the NSA. In consequence, encrypting will prevent realtime monitoring of your activities but it will still be picked up by Echelon-like systems and can be traced back as needed after the events. See www.cryptome.org

---

 

 


woedend

INTERNET PRIVACY TODAY -- WHAT ARE THE ISSUES

(Op ware voorvallen gebaseerde probleemsituaties t.g.v. verloren privacy)


* Bob's father has just been diagnosed with cancer. In an effort to learn more about it, Bob visits cancer websites and posts several inquiries to a discussion group. A month later, Bob's insurance company informs him that he is no longer eligible for a certain rate given his "condition".

* Mary is in the final stages of the interview process for a big job. Her employer decides to search the newsgroup archives using her name, and discovers that several years ago, she was keen on spreading her controversial political opinions. Mary is quietly passed over in favor of a less outspoken candidate.

* Kayla gets a phone call from her credit card company: Did she purchase top-of-the-line stereo equipment and a Mercedes on the same day? The police eventually catch up to the thief, who gained access to her card number by exploiting a flaw in the shopping cart software at a popular online flower shop.

* Rennie loves to chat online with other 12-year-olds. She knows she's not supposed to give out her address or phone number online, so she doesn't think anything of telling her chat friends that she's home by herself everyday from 4 to 6. Luckily, her Internet Service Provider refused to give out her parents' billing address to the man who called posing as her father.

* Jean and Mario are visiting the capital of a developing country, and are shocked at the police brutality they witness during a demonstration. They post accounts of what they saw to a human rights website, and are promptly arrested.

WHO CAN YOU TRUST?


Many companies are taking advantage of consumer concern for online privacy by providing so-called "identity and relationship management" services. They ask you (or even demand from you) to fill out forms with ALL your personal information, and then hand out pieces of it to partner merchant sites. Only you have no control over what happens to your personal info once it's been transferred to the merchant. This is the opposite of privacy!


luchtig dolfijntje

Pseudo-anonimiteit

Er zijn veel bedrijven die beweren dat ze "Anoniem surfen" mogelijk maken. In vrijwel alle gevallen is dit misleidend.

Om te beginnen zijn proxies die het zgn. "anoniem surfen" aanbieden slechts zelden anoniem. Proxies functioneren als "bemiddelaar" die het IP-adres van de gebruiker vervangen door het adres van de tussenpersoon. Wanneer ik naar zo'n bemiddelaar surf via allerlei providers/routers dan is mijn IP-adres steeds zichtbaar. Slechts de halve route, het stuk van tussenpersoon tot bestemming, is mijn ip-adres onzichtbaar.

Indien er gebruik gemaakt wordt van een SSL verbinding wordt dit nog erger want dan vindt er uitdrukkelijk authenticatie plaats van mijn IP-adres. In juridische zin betekent dit dat de "plausible deniability" geringer wordt. (meer "sicherheit" = minder "privacy".)

Wanneer er gebruik gemaakt wordt van tunneling (SSH) krijg je een andere situatie. De enige bekende privacyservice die dit momenteel biedt is de betaalversie van Anonymizer.com. Wanneer ik hier client zou zijn dan wordt de route tussen mijn computer en de proxie efficient versleuteld zodat mijn IP-adres ook in het eerste deel van de route niet voor anderen leesbaar is. Slechts het bestaan van een (tunnel)verband tussen mijn internetaansluiting en de privacyserviceaanbieder zou dan zichtbaar gemaakt kunnen worden door een grote organisatie. 

Generaliserend kun je dus stellen dat slechts privacyservices die ssh-tunneling gebruiken ook echte anonimiteit kunnen bieden. De rest is allemaal volksverlakkerij of vriendelijker geformuleerd: biedt slechts een verdediging tegen nieuwsgierige buren, script kiddies en kleine ondernemingen die info hamsteren. (ZeroKnowledgeSystems biedt sinds enige weken na 9-11 geen anonimiserende privacyservice via ssh meer aan.)

Resteert nog het probleem dat je info op de proxie zichtbaar te maken valt. Kort gezegd: In de VS geldt tegenwoordig het oorlogsrecht. Dit brengt met zich mee dat iedere op het N. Amerikaanse continent gevestigde ISP nu logboeken bijhoudt van wie/wat doet op het internet en die op verzoek aan instanties ter beschikking moet stellen. Je moet er dus van uit gaan dat het gebruiken van de betaalservice van Anonymizer.com (en andere Amerikaanse privacy services) geen enkele verdediging biedt tegen die geheime dienst. In de EU is er een wet ingevoerd die alle ISP verplicht om logboeken bij te houden van wie/wat doet op het internet en die gegevens jarenlang te bewaren, en het schijnt zelfs mogelijk te zijn om code te installeren op computers die niet op het internet aangesloten zijn. (De Israeli's schijnen er niet alleen in geslaagd te zijn Yasser Arafat via het elektriciteitsnet af te luisteren/lokaliseren maar ook om de software van Iraanse kerncentrales te wijzigen.)

terug pijltjeterug pijltjes

terug pijltje

vooruit pijltje