|By quote: (Quote) on Saturday, January 05, 2002 - 03:24 pm:|
re-printed from forestfloor.
by Uma Guma
Posted: Jan. 04 2002,7:51
I've been meaning to start a thread related to online and general computer security and privacy for a while as a resource for those who are inclined to give a damn about such issues.
Way back when I posted a version of Dr. Who's Security and Encryption FAQ @ DD. Below is a more recent version of the same. This is more than most folks care to know...but it is fairly comprehensive, accurate, and a handy resource for information that is organized into sections on achieving various levels of protection...depending on ones needs. There is more than one way to skin a cat...but these techniques are sound, well explained and or organized.
I'll start another thread for other related information to allow this jumbo post to stand alone.
Formating this was a chore...hope it comes out right.
(Note: this FAQ is ~ a year old now...some of the referenced links are no longer available.)
Security and Encryption FAQ Revision 15
by Doctor Who
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Article 12 Universal Declaration of Human Rights
Disclaimer and justification for this FAQ.
Many countries operate a legal system designed to suppress individual freedom. Such countries often do not obey basic human rights. The law in these countries may be based on guilty until proven innocent. My intention in offering this FAQ, is to legally challenge these threats to our freedom. It is not my intention to promote any illegal act, but to offer people the option of freedom of choice. How they use that freedom is entirely down to the individual.
Revisions in this version of the FAQ include BestCrypt version 6. BestCrypt has been included because the latest version 6 has a particularly useful undocumented feature that offers a form of plausible deniability that is all but undefeatable, so far as I know. More about this later in the FAQ.
The FAQ has 2 main Sections.
Part 1 concentrates on passive security. It is intended to be useful to both posters and lurkers.
Part 2 is to maximize your privacy whilst online, particularly for Email and Usenet posting.
I have assumed three security levels:
Level 1. For those who wish to protect their files from unauthorized access. These users are not too concerned at being found with encrypted data on their computer.
Level 2. This is for those who not only wish to hide their private data, but to hide the fact that they have such data. This might be an essential requirement for anyone who lives in an inquisitorial police state where human rights are dubious, or where there is no equivalent to the United States 5th Amendment.
Level 3. This is for those who not only need all that is offered by level 2, but additionally wish to protect their computer from unauthorized access. Protecting themselves from hackers whilst online and snoopers who may try and compromize either their software or add substitute software that could reveal their secret passphrases.
Part 1 explains the 3 security levels and offers help in achieving them.
1. How does encryption work?
In its simplest sense, the plaintext is combined with a mathematical algorithm (a set of rules for processing data) such that the original text cannot be deduced from the output file, hence the data is now in encrypted form. To enable the process to be secure, a key (called the passphrase) is combined with this algorithm. Obviously the process must be reversible, but only with the aid of the correct key. Without the key, the process should be extremely difficult. The mathematics of the encryption should be openly available for peer review. At first sight this may appear to compromize the encryption, but this is far from the case. Peer review ensures that there are no "back doors" or crypto weaknesses within the program. Although the algorithm is understood, it is the combination of its use with the passphrase that ensures secrecy. Thus the passphrase is critical to the security of the data.
2. I want my Hard Drive and my Email to be secure, how can I achieve this?
You need Pretty Good Privacy (PGP) for your Email and either Scramdisk or BestCrypt for your private files on your computer.
PGP is here: http://members.tripod.com/cyberkt/
Scramdisk is here: http://www.scramdisk.clara.net/
BestCrypt is here: http://www.jetico.com/
Both PGP and Scramdisk version 3.01R3c are free. The newer version of Scramdisk, version 3.02A is not free. BestCrypt is commercial ware. The source code has been published for PGP and for Scramdisk version 3.01R3c. The source code for version 3.02A has not yet been published. The souure code for the encryption side of BestCrypt has been published, but not the proprietary Windows interface. Scramdisk version3.02A, BestCrypt and PGP support Win95/98/2000 and NT.
3. What is the difference between these Programs?
PGP uses a system of encryption called public key cryptography. Two different keys are used. One key is secret and the other is made public. Anybody sending you mail simply encrypts their message to you with your public key. They can get this key either directly from you or from a public key server. It is analogous to ssomeone sending you a box and a self locking padlock for you to send them secret papers. Only they have the key to open the box.
The public key is obviously not secret - in fact it should be spread far and wide so that anybody can find it if they wish to send you encrypted Email. The easiest way to ensure this, is by submitting it to a public key server.
The only way to decrypt this incoming message is with your secret key. It is impossible to decrypt using the same key as was used to encrypt the message, your public key. Thus it is called asymmetrical encryption. It is a one way system of encryption, requiring the corresponding (secret) key to decrypt. PGP is simplicity itself to install and use. I recommend you use one of the Cyber-Knights versions.
For your normal hard drive encryption, you will need a symmetrical type of encryption program. The same key is used for both encryption and decryption. Scramdisk and BestCrypt are especially good because they are "On-The-Fly" (OTF) programs. This means that the program will only decrypt on an as needed basis into RAM memory. More about this later in the FAQ.
One question often asked by newbies is whether the passphrase is stored somewhere within the encrypted file. No. The passphrase is passed through a hash, such as SHA1. This is a one-way encryption. This output hash is what is stored within the encrypted container. The program will
look for this hash and compare it with the hash it produces from the passphrase that you type in to mount the container. If they are identical, the container will be decipherable and will be mounted.
4. I have Windows 95/98, am I safe?
Windows is definitely not a security orientated program. One simple method of improving your computer security is to disable the Windows swapfile. To ensure reliable operation and dependant on what programs you run, you may need several hundred megabytes of RAM. If you are serious
about your privacy, I would recommend investing in as much RAM as you can afford and turn off the swapfile. I suggest a minimum of 128 Megs and preferably double or even quadruple that.
5. Apart from the Swapfile, what else can Windows reveal to a snooper?
User.dat can reveal all sorts of interesting things about your computer habits. Take a peek by opening in Notepad or Wordpad. Press CTRL-F (i.e. the Control key and the F key together). Type in the box, X:\ (or whatever drive letter you use to store any critical data). Press "Find" and continue throughout the file. Alternatively, you could input .jpg, or .avi, etc - you get the idea. You cannot edit this file in Notepad or Wordpad. The only way to edit user.dat is by using regedit.exe. My experience suggests you will not be able to easily remove embarrassing entries.
If you find information that you would rather not be there, you will either need to restore from an earlier backup of these files, or simply bite on the bullet and re-format your hard drive. This is extreme, but may be the only alternative. At least you then start with a clean slate.
Remember the format command: Format c: /s (it is vitally important that you include the /s to install the system files). Obviously back up your data, Email address book, etc., etc., before proceeding.
Dependant on how paranoid you are, after formatting you may choose to first install "Zapempty" or another Dos based free space wipe utility and run it a few times before you start installing Windows, etc. Formatting your drive does not clean out any old data. It is still there and can be
recovered with specialist software.
Zapempty is here: http://www.sky.net/~voyageur/wipeutil.htm
If you have not previously used encryption and/or you have contentious material lying around in plaintext form in all sorts of supposedly hidden places on your system, my strong recommendation is to re-format your hard drive and then run Zapempty before you install Windows and all your program. Assuming you have a clean system to start with, you can then proceed with creating all your encrypted drives and sub-folders within those drives and finally installing all the programs you intend using.
Later in the FAQ I will show you a system which keeps your registry files (system.dat and user.dat) sanitized.
6. Are there other OTF programs, apart from Scramdisk and BestCrypt?
Yes, there are several. But to keep this FAQ manageable I mention only those I can recommend from personal experience.
For level 1 security, it is difficult to fault Scramdisk. If you require level 2 security then I would recommend BestCrypt. More about this later in the FAQ.
7. Which Algorithm is best, particularly as Scramdisk offers 8?
Scramdisk offers a choice of eight different encryption algorithms. I recommend Blowfiish. BestCrypt offers Twofish or GOST. GOST is an older Soviet Union program and rather slow. Twofish is one of several programs being evaluated for the Advanced Encryption Standard. So far it has withstood over 1,000 hours of intense crypto-analysis scrutiny without even approaching its limits.
To ensure maximum security, you must take care over your choice of passphrase. This is the most likely weakness with most people. Always make search for the right phrase twice as long. Both Scramdisk and BestCrypt ultimately limit the strength of the algorithm to 160 bits. This is because the hash program they use, SHA1, outputs a maximum of 160 bits. You will find that the passphrase input page for Scramdisk shows 4 lines for inputting your passphrase. Each line can hold a maximum of 40 characters. Thus a maximum of a 160 character passphrase is possible. A character is equal to slightly more than 1 bit. Most people will use a somewhat shorter passphrase, but I would recommend that you at the least spread your passphrase across the four lines, even if you do not fill each line.
Because any passphrase cracker cannot find the correct key until it has exhausted a key search as wide as the last character you enter. A strong hint that you should make sure the last character of your passphrase is well along the bottom line! For higher security you should spread it
around on all four lines, that is why they are there.
Be sure that if any serious snooper wants to view your secret data, they will find a way without wasting their time attempting a brute force attack upon your Scramdisk container. In some countries rubber hose cryptography may be the rule. Anybody living in such a country needs level 2 security at the very least. In some "civilized" countries there are more sinister methods, such as tempest or the use of a trojan which require level 3 security (see later in FAQ).
9. I have heard that there are programs that HIDE and Encrypt, are these any good?
Snake oil! They are not even worth considering for level 1 security. Keep to the recommended programs if you are seriously in need of privacy.
10. What about simple file by file encryption?
You could use the Windows version of PGP. It comes with PGP Tools, which will allow you to encrypt any file on your computer. Only encrypt these single files on the assumption of a level 1 security.
11. Do I need to wipe as opposed to simply deleting files within the Scramdisk or BestCrypt drives?
If the encrypted container is sufficiently secure for your normal files, it must obviously be secure for deleted files. Therefore, it is unnecessary to wipe files within the encrypted drive.
12. Do I need to wipe an unwanted encrypted container?
Depends. I used to say, yes. But if you are truly confident of the strength of your passphrase, then just delete it. However, if you created the container with a weak passphrase and it contains critical data, definitely wipe it. Wiping will ensure that the encrypted keyfile material at the head of the file is over-written. It is only strictly necessary to wipe the first 10K of the file to ensure this.
13. Can I use Disk compression to increase the apparent size of the drive?
Not with Scramdisk. BestCrypt allows this and will compress and encrypt on the fly.
14. Can I encrypt a floppy with Scramdisk and BestCrypt?
Yes, both allow floppies to be encrypted. In fact they also support encryption on Jaz and CD-RW drives. You can even run Scramdisk off a floppie in what is called "Traveller" mode. In this mode there are no Scramdisk related VxD or INI files on your hard drive to worry about. But you do have the problem of where to hide your Scramdisk floppy.
15. Does using Encryption slow things up?
There is a small speed penalty because your computer has to encrypt to write to disk and decrypt to read from it. In practice on a modern machine, using the Blowfish (or Twofish with BestCrypt) cipher, the encryption is totally transparent in normal use.
16. Do I need a PGP passphrase if I store my keyrings within my encrypted drive?
It is good security practice to use a passphrase, but for level 3 security it is essential because level 3 security is intended to ensure your secret data are safe if attempts are made to hack into your computer whilst online or if your computer is compromized in your absence.
17. I use Mac, OS2, Linux, (fill in your choice), what about me?
Scramdisk is now available for Win95/98 and NT/Win2000. I believe a Linux version has been promised... BestCrypt supports Win95/98/ME/NT/2000 and Linux.
Meanwhile you could look here if you're a Mac user:
18. How can I ensure I do not leave traces of unwanted plaintext files on my system?
Try Evidence Eliminator. Apart from its unfortunate name, it is remarkably efficient at finding lost temp files and info. But I am concerned at its registry cleaning. I found it unconvincing with old entries.
Get it here: www.evidence-eliminator.com (30 day trial period on offer).
In addition to using Evidence Eliminator, I suggest you also clean up your registry after each session. To do this you should first run Evidence Eliminator to remove backups of the registry. Create a folder called C:\registry. Now copy System.dat and User.dat to C:\registry. Highlight both files, right mouse click and select "properties". Uncheck "hidden", click "apply" and "OK".
Using Notepad, write the following batch file, call it W.bat. After every session you should close Windows and restart in Dos mode and run it in Dos to be effective. If used in combination with Evidence Eliminator, it should ensure a clean hard drive.
attrib -r -s -h user.dat
copy c:\registry\user.dat c:\Windows
attrib +r +s +h user.dat
attrib -r -s -h system.dat
copy c:\registry\system.dat c:\Windows
attrib +r +s +h system.dat
Read the accompanying documentation for these utilities before using them.
Scorch and scour are available here:
Note: Scour can take for ages if you have lots of files and a large drive. A possibly more practical solution is to use Scour once to ensure both your file ends and your free space on your drive are clean and then substitute "Zapempty" for future wipes.
After finishing a session, and running the above batch, always shut down completely. This means a cold re-boot for the next session. This ensures that your RAM memory is wiped clean, otherwise with a warm boot it may write back user.dat with the data you had sanitized. A simple check is to watch whether your system tests its RAM memory. If it does, it has been flushed.
Remember, pressing Ctrl-Alt-Del will not flush the RAM memory.
The above may seem rather irksome. It is. Blame Bill Gates, not me! If you are really seriously in need of privacy, I strongly recommend you bother to do this housekeeping.
It is still theoretically possible to recover such over-written data, but it must necessarily involve a lot of bother and expense. Only likely to be used in very serious circumstances. Even then, whatever is recovered will only hint at what may be hidden elsewhere.
19. What programs do I put in my newly created Encrypted Drive?
You need to take care over which programs to choose. Some news readers and image Viewers and Emailers can write critical information to your Registry.
For what it's worth, here are my choices for these critical programs:
(A) Freedom from Zero Knowledge available here: http://www.freedom.net/
Freedom is an excellent way to ensure your online activities are screened from prying eyes. It works seamlessly with the following programs to ensure your Email, News posting and Web browsing are secure and totally anonymous. Version 2.0 has just been released. This is slightly more secure than the original version.
Freedom is not compatible with some services, e.g. AOL. See their web page for full details of incompatible services.
(B) Agent (or FreeAgent) for the newsreader, and basic Emailing.
Agent is here: http://www.forteinc.com
© For your Email I have 3 different recommendations:
i. Agent, as mentioned above
ii. Quicksilver, available here: http://quicksilver.skuz.net/
111. JBN2, here: Http://members.tripod.com/~l4795/jbn/index.html
Agent is simple and very easy to use. It can only be used for plaintext Emails on its own, but will work seamlessly with Freedom to decrypt incoming Emails. It also works with both Freedom and a remote host server for posting anonymously.
Quicksilver is recommended for secure Email and Usenet posting. It does not yet support Nym creation, but is otherwise an excellent program to send mail and post anonymously to Usenet. Most importantly, Quicksilver is very easy to learn to use. It uses the Mixmaster remailers for posting. These are considered far more secure than the earlier Cypherpunk remailers.
Like Agent, Quicksilver is fully compatible with Freedom Email and can download and transparently allow decryption of Freedom incoming Emails.
JBN2 is an excellent stand alone program for Nym creation and decryption of Email and news postings sent via the anonymous remailer network. It does not appear to work with Freedom to decrypt incoming Freedom encrypted Email.
This is not a big disadvantage as Agent is easily configured to receive both News and Email if necessary.
All three of these programs will also work with PGP. Agent will require you to copy and paste, but the other two have built-in support and work seamlessly with PGP.
(D) For browsing I like Netscape Gold the best. This is an early version of the Netscape browser, but all the better for that. You can direct it to locate its Bookmarks file on the encrypted drive. Later versions of both Netscape and Microsoft Explorer want to create user profiles and worse can write data in unwanted and exposed folders. They are also very dependant on Java and ActiveX. These are bad news as far as security is concerned.
Therefore, be sure to disable Java with Netscape.
I most strongly urge you NOT to use MS Internet Explorer. It will insist on keeping things within Windows in many hidden folders. This is especially the case for MS Mail and MS News and Outlook. Of course, you can always use MSIE as a normal browser on your desktop for non-critical
browsing and Email, should you wish.
(E) Use ACDSee as your viewer. If you use the cache facility, make certain that you set it up within your encrypted drive. This allows easy previewing of thumbprints and click and zoom to examine image quality.
ACDSee is here: http://go.acdnet.com
Two alternatives are:
Thumbs Plus, at http://www.cerious.com and
VuePro, at: http://www.hamrick.com
Each of these 3 programs has some advantage over the others. Choose whichever best suits your needs.
(F) Many files are compressed. The most popular is Zip. I recommend obtaining a copy of WinZip from here: http://www.winzip.com. Or, do a search for PKzip which is freeware, I believe.
(G) Any person who browses the Net should ensure they have a good virus detector. There are many to choose from, some are freeware, others are shareware or commercial ware. I use Norton's only because it allows me to update the virus list online. Useful and so easy.
(H) Get a firewall. I recommend Zonealarm Pro which costs around 40 US Dollars.
Note: The freebie version 2 of ZoneAlarm appears to be only partially compatible with Freedom. The one big drawback to this freebie version is that it leaves port 113 Ident open when its protection is necessarily crippled to allow it to cohabit with Freedom. Bad, very bad. I strongly recommend you buy Zonealarm Pro. This will work seamlessly with Freedom on its maximum security settings and ensures that all ports are in stealth mode.
If you already have the freebie version installed, after installing ZoneAlarm Pro, click on the taskbar and open the new version. Go to Security and ensure it is set to High. Now go to Programs to view the list of previously acceptable programs you had allowed to access the Net. Right click on each program and remove it from the list. This will ensure that when each program is next started you can again allow acces, but with full firewall protection. This is especially necessary with Freedom or it will not run.
Get both versions here: www.zonelabs.com/zonealarmnews.htm
20. How can I ensure my temporary files do not give away info?
My earnest advice is to invest in more RAM memory and turn off the swapfile. If this is not possible then at least take the bother to wipe it after every session. Do not attempt to do this from within Windows. It is impossible to reliably clean out the swapfile when Windows is still running. I have
experimented with various wipe utilities, including the one with PGP. The best I have found is Scorch. To use this utility, you will need to make the swapfile permanent. I like Scorch because it generates random garbage when over-writing; it does not simply use strings of 111's or 000's.
21. How do I make the swapfile permanent?
In Windows, go to My Computer -> Control panel -> System -> Performance -> Virtual memory. Click "Let me specify my own virtual memory settings". Enter identical settings in both boxes. I suggest 150 Mbytes. Click OK. Windows will tell you what you've done and complain and ask you if you are sure you wish to continue, click YES. Windows will then want to re-boot. Allow it to do so. After re-booting you can see the file in Windows Explorer as Win386.SWP.
22. Is there really much difference security-wise between using RAM memory instead of a permanent swapfile?
Definitely. No matter how many times you wipe the swapfile, it is still possible to recover the over-written data, if enough effort is put into it. Whereas, using the RAM memory ensures that nothing is written to disk at all. This totally circumvents this problem because once the computer is switched off all data in RAM memory is lost forever.
It also has the merit of safe crash close if you are raided.
All of the above is sufficient for a level 1 security.
Level 2. This is for those who not only wish to hide their private data, but wish to hide the fact that they have such data. This might be an essential requirement for anyone who lives in an inquisitorial police state where human rights are dubious, or where there is no equivalent to the United States 5th Amendment.
23. What more must I do to achieve level 2 Security?
For level 2, it is essential that you can show plausible deniability for all files that might contain encrypted data. The purpose is to be able to justify every file on your system. This section will help you to achieve this higher level of security.
24. Which encryption program do you recommend and why?
BestCrypt version 6. The latest version 6 has an undocumneted feature which allows a hidden (or secret) encrypted container to be created within the existing one. First, a normal encrypted container (or file if you wish) is created with BestCrypt in the usual way. Some private but legal data is put into the container to justify its existence. Thenceforth it is never again opened except to prove its contents are legal. In fact, no further data should ever be written to the container or the second hidden container will be destroyed.
25. How is this hidden container created?
Firstly, create a BestCrypt container in the normal way, the maximum size is 4 Gigabytes. Then drop into a Dos box - do not restart your computer in MsDos, it must be a Dos window. Then change directory to wherever the BestCrypt executable is stored. Default is Program Files\Jetico\BestCrypt.
To go there from your C: drive in a Dos box type:
You will then see:
The BestCrypt screen opens. Click on the drive letter where the BestCrypt container resides that you intend using to create the hidden container. Now right click on the encrypted file. From the drop down list click on Properties. You will be asked to enter your existing passphrase for that
container. A box opens titled "Change Container Properties". Beneath "Change Algorithm and Password" there will be a box titled "Create hidden part"
Click on the button and then click on OK. You will then be taken to a new screen where you will be asked to confirm you understand what you are doing. Click on yes and next, then the next screen invites you to choose the size of the hidden container and to enter a new (must be entirely different) passphrase for your new secret container. You can make the hidden container as large as you wish, up to 100 per cent of the available space.
The reason for this option is that because the offset of the hidden part is not hard coded, then it cannot be calculated from the container's size. The position of the hidden container's hash is dependant on its size and thus its position could be anywhere. Thus it may give additional security against dictionary attacks on the password of the hidden part. A small but significant effort to further protect your data from snoops.
For maximum security, the internal hidden container should be a small fraction of the total container size, say 5 to 10 percent. However, it is impossible for an attacker to reliably predict this size, (or even if it truly exists) so it is not possible for them to know where the password hash is located.
Note: If you click on properties without entering the debug program, you will not see the option to create a hidden container. Better yet, if after creating the hidden container and filling it with secret data, you go back and enter debug mode again, the option to create a hidden container is still there. It is not greyed out which might alert a snoop that such a container already exists. This is a crucial advantage of the whole concept of plausible deniability. Forensic examination of the BestCrypt file will not reveal anything to suggest that a hidden encrypted container exists.
There is no data or information available to view or check on if the normal container is opened.
This is because the keyfile hash of the passphrase is not marked out, it appears as just more random hash filling empty space within the container.
The only possible way for anyone to prove that a hidden container exists is by guessing the correct passphrase. There is absolutely no other way to prove its existence. Neat.
Everything is identical to normal usage. You can enter either passphrase. The normal one will mount the BestCrypt container, but not show any of the data within the hidden container. The hidden passphrase will only mount the hidden container and again will not show the normal data. Under duress, it is therefore easy to show the ostensible contents of your BestCrypt file.
The more data you load into the normal container, the smaller will be the available space left for the hidden container, obviously.
A message appears after inputting the hidden container passphrase that you have mounted the hidden container. It is imperative to check this. If you absentmindedly mount the normal container and write data to it, you will never again be able to mount your hidden container and you will lose all of its data! Of course this is an easy way to destroy the hidden container with all its data if the need ever arises.
26. Can I create a hidden encrypted container on a floppy?
Yes, and on a Jaz or a CD-RW disk. The procedure is identical. I initially had a problem of formatting the hidden container on both the floppy and the Jaz. But after a hard re-boot all went smoothly. I have no idea what the problem was.
27. This all sounds too good to be true, are there any snags?
None so far as I can tell. Obviously, it assumes that the use of encryption is legal in your country.
28. What if encryption is illegal in my country?
In that case, I suggest using the steganographic feature of Scramdisk. But ensure you create your own WAV file, by making your own recording. Once the steganographically encrypted file is created within the WAV file, make sure to wipe the original recording to prevent forensic analysis showing their low level data are not identical. Of course, you will need to install Scramdisk in traveller mode. This means running it off a floppy. But you will still need to hide the floppy effectively in the case of a search. I am sorry I cannot help you here. It must be down to your own initiative.
29. Are there any other precautions I should take?
Make copies of all your PGP keys, a text file of all your passwords and program registration codes, copies of INI files for critical programs, secret Bank Account numbers and anything else that is so critical your life would be inconvenienced if it were lost. These individual files should all be stored in a folder called "Safe" on your encrypted drive.
Create a hidden container on a floppy or a CD-RW. Copy "Safe" onto the hidden container on the floppy or CD. You could do this on your hard drive and burn the BestCrypt file onto a CD-R. Cheaper, but once only usage.
I used to say give this floppy to a trusted friend. But now with BestCrypt this is unncessary.
The above is sufficient for Level 2 security.
30. I need Level 3 Security, how do I achieve this?
This is for those who wish to protect their computer from unauthorized access. Protecting themselves from hackers whilst online and snoopers who may try and compromize either their software or add substitute software that could reveal their secret passphrases.
31. What are these threats?
They are known as Tempest and Trojan attacks.
32. What is a Tempest attack?
Tempest is an acronym for Transient ElectroMagnetic Pulse Emanation Surveillance. This is the science of monitoring at a distance electronic signals carried on wires or displayed on a monitor. Although of only slight significance to the average user, it is of enormous significance to serious cryptography snoopers. To minimize a tempest attack you should screen all the cables between your computer and your accessories, particularly your monitor. A non CRT monitor screen such as those used by laptops offers a
considerable reduction in radiated emissions and is strongly recommended.
I have heard that in the United Kingdom where people have to pay a licence to watch TV, the powers that be cannot detect the radiation from the new gas plasma TV's when they do their street by street patrols. This suggests that they might be excellent from a privacy point of view.
33. What can Scramdisk offer to help minimize a Tempest attack?
Use its Red Screen mode. Also, once a container is mounted, click on the middle icon to clear all cached passphrases. This is my only serious criticism of Scramdisk - it does not by default immediately clear the cache.
34. Tell me about Scramdisk's "Red Screen" mode?
This is a very useful feature of Scramdisk version 3.01R3c. The newer version 3.02A which supports NT/Win2000, does not support the Red Screen option.
The "Red Screen" mode inputs the passphrase at a very low level which helps defeat a tempest or trojan attack to capture your on screen passphrase. This is only available if you have a standard Qwerty keyboard. Europeans or Asiatics with non-standard keyboards cannot use this facility because the character layout at low level is not the same as displayed by the keyboard.
A possible solution with only partially non-standard keyboards might be to try it using only figures and letters. An easy method to test this is to create a test Scramdisk volume using the normal passphrase screen, then attempt to open it in Red Screen mode. Most of the differences between European keyboards are in the shifted characters above the figures. In which case a compromize might be reached if you use a figures and letters only passphrase. If this works, I would choose a figures and letters only
passphrase of at least 40 characters in length. Of course the longer the better.
35. What is a Trojan?
A trojan (from the Greek Trojan Horse), is a hidden program that monitors your key-strokes and then either copies them to a secret folder for later recovery or ftp's them to a server when you next go online. This may be done without your knowledge. Such a trojan may be secretly placed on your computer or picked up on your travels on the Net. It might be sent by someone hacking into your computer whilst you are online.
36. How do I protect myself from a Trojan?
You must have a truly effective firewall. It is not sufficient for a firewall to simply monitor downloaded data, but to also monitor all attempts by programs within your computer that may try and send data out. The only firewall that I know of that ensures total protection against such programs is Zonealarm. This firewall very cleverly makes an encrypted hash of each program to ensure that a re-named or modified version of a previously acceptable program cannot squeeze through and "phone home". For maximum secuity you will need Zonealarm Pro to work with Freedom. If you decide not to bother with Freedom, then the freebie version is sufficient, so far as I can tell.
ZoneAlarm is here: www.zonelabs.com/zonealarmnews.htm
To understand how important this firewall is, visit Steve Gibson's site.
Steve's site: http://grc.com/
Go to the "Test my Shields" and "Probe my Ports" pages.
You can test ZoneAlarm and Freedom for yourself.
37. How will I know when a trojan has modified an acceptable program?
Zonealarm will pop up a screen asking if this program is allowed to access the Net. If it is one of your regular programs, be very wary and always initially say NO until you can check why this program is not now acceptable to Zonealarm. If it is a strange program, then obviously say, NO and investigate.
38. What can BestCrypt offer to help minimize a Trojan attack?
Go to Options -> Key Generators -> ShA1 and click on Keyboard filters. This filter helps prevent a keyboard logger from copying your key strokes as you input your passphrases.
39. How important is the passphrase?
Critically important. It is almost certainly the weakest link in the encryption chain with most home/amateur users. I provide links at the end of the FAQ, some of these should either help directly or give further links about how to create an effective passphrase.
For the newbies: never choose a single word, no matter how unusual you think it is. A passphrase must be that, a phrase, a series of words, characters and punctuation intermixed.
40. How can I prevent someone using my computer when I am away?
Unless you have a removable C: drive which you can lock away in a secure place, a wall safe or whatever, your only hope is by securely locking up your computer so that access is extremely difficult. This may involve some sort of strap and lock. There is no simple and easy answer. But one way that can help thwart someone actually depositing a trojan on your machine is by PGP signing ZoneAlarm.
41. How do I do this?
The easiest way is by using the Windows version of PGP to check the validity of Zonealarm.exe and Zoneband.dll and if you have Zonealarm Pro, Zapro.exe.
You do this by digitally signing each of these files.
PGP offers you by default the option of a detached signature, use that option. It surely goes without saying that you do not use any of your secret Nym keys for signing these files. You should have generated a key pair for general use, which is for just this sort of purpose. This key is to level 1 security only, so use a different passphrase to the one you use for your secret BestCrypt container. It could be the same as your open BestCrypt container, of course. There is no reason to choose a simple one, the more complex it is, the more plausible and value you appear to place in the security of your open BestCrypt container. Anyway, it must be complex if it is to protect your sig files.
After signing these files, you will see a new file appear with the identical file name but with the tag ".sig" attached. If you click on this new file, it will display the signature validity of the file it is checking. If the signed file has been tampered with in any way, it will display "bad signature".
Copy both of the above files, including their detached digital sigs into C:\registry.
After copying across highlight all these files, right mouse click and select "properties". Uncheck "hidden", click "apply" and "OK". These are your backups for future use, it will do no harm to keep copies of all these files together with their detached sigs within your (secret) encrypted drive.
Next, make shortcuts of both detached sigs that applies to the original files (not the backup copies) and place these shortcuts in the Windows\Start Menu\Programs\Start Up folder.
When you next start Windows it will then automatically display boxes showing the result of testing these sigs against the original files. You now have a reasonable chance of catching out any snooper who has actually physically tampered with your machine in your absence.
For this system to be truly effective, you must trust PGP and investigate any warning of a bad signature.
42. Can you suggest any other precautions I should take to preserve my privacy?
Always proceed on the assumption that you are about to be raided! This means you should take the bother to run W.bat at the end of each session. Always bother to check the firewall signatures on boot. If any are bad, check your backups and immediately copy across. Then close down and
If, however, the signature(s) are still bad, it suggests that Zonealarm has been compromized. I would uninstall and then re-install from a clean backup. Re-boot and see if this clears the problem. If there is still a bad sig, I would restore the whole of your hard drive C: from a secure backup. It is essential that you maintain a backup of this drive off site.
In some countries this may literally be a life or death situation. If you are not prepared to trust PGP to do its job properly, it is totally pointless going to all this bother.
Part 2 of 2.
This second part concentrates on security whilst online.
There are countless reasons why someone may need the reassurance of anonymity. The most obvious is as a protection against an over-bearing Government. Many people reside in countries where human rights are dubious and they need anonymity to raise public awareness and publish these abuses to the world at large. This part 2 is for those people and for the many others who can help by creating smoke.
43. I subscribe to various news groups and receive Email that I want to keep private, am I safe?
Whilst you are online anyone could be monitoring your account. If you live in the British Isles be aware that all ISP's are required to keep logs of your online activities, including which Web sites you visit. Shortly this will be reinforced by MI5 who will be monitoring all Net activity 24 hours per day! The information will be archived eventually for up to seven years!
The British Labour Government claim this Act is misunderstood and that it will only be used against serious criminals.
Do you trust them? If you do, then you probably believe in fairies too.
44. Can anything be done to prevent my ISP (or the authorities) doing this?
There are several things you can do. First of all subscribe anonymously to an independent News Provider. Avoid using the default news provided by your ISP. Apart from usually only containing a small fraction of all the newsgroups and articles that are posted daily, your ISP is probably logging
all the groups you subscribe to.
You also need to protect yourself from snoopers whilst online. To do this you need to encrypt your data-stream between your desktop and a remote host.
This host should preferably be sited in a different State or country to your own.
You also need to ensure this remote host server cannot log your true IP address.
45. I live in the United States why do I need to bother?
You don't need to. But your privacy and security is enhanced if you do, particularly if you wish to ensure best possible privacy of posting to Usenet. Also, it is quite likely that many routes around the globe, even across the States may be routed through London. The Web is literally just that, a web. Thus American Email, news postings, etc are just as liable to be read by MI5 and who knows what they will do with this information. As many businesses exchange Email with total ignorance about security, I guess the Brits are going to go ape over all that juicy business data they will
46. Ok, you've convinced me, how do I go about this?
You must use two programs. The first is to ensure you have an encrypted link from your desktop to the distant (remote) server and the second wraps a further layer of encryption around your data and additionally screens you and your IP address from the remote server.
The two programs are SecureCRT and Freedom from Zeroknowledge.
SecureCRT is available here: www.vandyke.com/
It costs 99.00 USD. There is a 30 day trial.
In case you are confused by the choice of software on their page, you need SecureCRT 3.1.1
SecureCRT uses several encryption algorithms within the SSH format. I recommend Twofish or Blowfish. These are considerably faster than 3DES.
Freedom from Zero Knowledge is here: http://www.freedom.net/
Freedom will cost around 50 US Dollars per year. You can purchase anonymously (recommended).
47. How do these two programs function?
Freedom offers you up to 5 Nyms. Each is entirely separate from the others, even Zero Knowledge do not know to whom each belongs. Whilst a Nym is selected, all data leaving your desktop is encrypted to the Freedom server. This server need not be in your own country.
This is stage one. Stage two uses SecureCRT. This is the program that allows you to have an encrypted connection to a remote host.
Either program can operate independently of the other. Together, they ensure your data is double encrypted to military grade. On its own, Freedom supports private and anonymous Email and private and anonymous posting to Usenet. It does not support private nor anonymous downloading from Usenet.
But if you combine Freedom usage with SecureCRT, you will then also enjoy private and anonymous downloading as well because Freedom detects you have a telnet connection (which is true) and then protects you accordingly. So a further justification for using both together.
It is not essential to buy these two programs anonymously. But a good idea if you can.
To use them, just start Freedom and then start SecureCRT. Freedom will detect SecureCRT and will then automatically act as if there is a telnet connection for all net traffic.
48. Where do I find a remote host server that supports SSH Encryption?
Regrettably the two that I know of, Cyberpass and Minder, are both closing down.
I have found that by registering a domain name and then having it hosted on a remote server, I have been able to use SecureCRT to log in using SSH. I can even set up port forwarding for Email and Usenet. I regret I cannot disclose my domain name or the server where it is being hosted. But a simple Email inquiry about encrypted logins to a range of companies offering domain name hosting should illicit a positive response from several. It took me 5 minutes.
Subscibe anonymously, if at all possible.
49. So how do these two programs work?
You simply start Freedom and choose a Nym. Then start SecureCRT and log into the remote host.
Freedom uses a chain of servers which each allow encrypted connections between them. The first server need not be your ISP. You set the security level which can use 1, 2 or 3 hops. The more hops the greater the security but the slower the connection. These can be independently set for each Nym. They can be changed at any time after the Nym is created should you choose. Unless your threat model is very high, a single hop should suffice for normal usage when used with SecureCRT.
Importantly, each Nym requires a new key to be generated. Once created the key is constant for that Nym. Thus by changing to another Nym during a session (after closing down SecureCRT), a new key will be used to encrypt the data. This ensures disassociation between the Nyms. This offers greater security and encourages you to change Nyms often if you are online for a long period. Even more importantly, each time you select a Nym a fresh Active Route is created. This is vitally important because it allows many combinations, literally hundreds of routes to the remote host.
Full details of the protocols are freely published on the Freedom.net site. Also, the source code is available for downloading and inspection.
I urge anyone contemplating using Freedom to first familiarize themselves with these FAQ's.
SecureCRT is a dedicated encryption program using high grade encryption from your desktop to a remote host server that supports the SSH format. As already emphasized, but I repeat it yet again, it is necessary to subscribe anonymously to this remote host server to derive maximum benefit from its use.
Because the whole purpose of using Freedom is to screen yourself from this server. If they already know who you are, Freedom is totally redundant.
51. Doesn't the use of Freedom and SSH mean several layers of encryption?
Yes. Freedom call it telescopic encryption. The data from your desktop computer is first encrypted by SSH using Blowfish or 3DES (your choice), then it is wrapped with other layers of encryption to the first Freedom server. If you wish, you can choose your route with Freedom version 2. Better reliability is achieved if you allow Freedom to choose its own route. But superior security is achieved by choosing your own route using three hops.
52. Why is this important if it is multi-encrypted?
Because if the exit Freedom server is within the UK, it will be a possible target with just one layer of encryption. It would be possible for the snoops to determine the next hop was into the remote host. This would make that host a possible target. Whereas if it leaves the UK multi-encrypted it is a much more involved process to crack. It would be impossible to know its next hop as all data between Freedom servers are encrypted. Of course this equally applies to whichever country from which it exits the Freedom Network, but only the UK has openly declared it will soon be deploying black boxes to monitor and record all data passing through its ISP's servers. Worse the 3 letter agencies of the UK and Uncle Sam exchange juicy bits of info about each others citizens. So beware!
53. Where does the data go after passing through the remote host?
It then goes out onto the Web totally anonymously, or to the News Provider. All your postings and downloads will always be totally private. If you wish you can run Quicksilver through this system and add Mixmaster chained remailers to route through after the data exits the remote host. You can add as many remailers as you choose, up to 20 maximum. Be aware that the reliability will fall away as more are added. As the message is further encrypted to each remailer in the chain, this represents an exceptionally
robust method of achieving anonymous posting.
54. Is the data encrypted after it leaves the remote server?
Not unless you are using a remailer client such as Quicksilver. Otherwise it is in plaintext. This does not really matter because by the time the data exits the remote server it is entirely disassociated with you. Nobody can do a trace without enormous resources and time. If you are careful and limit your time online to say, a 1 hour limit, breaking off and re-connecting using a different Nym via an entirely different circuit, any hacking attempts will be frustrated and made enormously more difficult.
Incidentally, Freedom use 1 hour session keys whilst you are online. At the end of each hour they are discarded and new ones negotiated. This is done transparently to the user. So even if the data were recorded, unless they get the key within an hour, it is irrecoverable except by a brute force
attack. Likewise, you cannot legally be forced to hand over what you do not possess.
55. How do I get onto Usenet?
As already stated, do not use your own freebie news service offered by your ISP. You must subscribe anonymously to a dedicated and independent News provider such as Newscene or Newsfeeds. Regrettably, the best news provider, Altopia does not support anonymous sign ups.
56. Freedom say they do not support encrypted downloading from a dedicated news provider, they also claim it is not necessary. Do you agree?
No, I do not. Freedom are justifying what is a necessity with their present version of their program. However, this only applies if you try and log onto the news provider directly using Freedom alone. If you subscribe anonymously to a remote serve, you gain not only the benefit of being totally screened from the remote server, but also all your News Provider's uploads and downloads are also totally private. This is because as far as Freedom is concerned, you are making a telnet connection to the Web and all telnet activity is always encrypted and anonymous.
57. Are there any precautions I should take before choosing a News Provider?
Before subscribing to any news provider, even anonymously, make absolutely sure that it does not reveal your NNTP posting host in the headers. Even with the anonymity provided by a remote host plus Freedom, you still need the extra layer of anonymity provided by the news provider stripping away your anonymous posting host header. This frustrates any attempts to back track to your chosen remote server. Some News Providers claim to never keep logs. I never believe them. It is in their commercial interest to know which groups are the most popular to ensure the optimum balance of disk space and retention times. It is possible that they destroy these logs after, say, 7 days. But never assume this. The main criteria of choice for your potential News Provider must be its stripping away your NNTP posting host IP address from the headers.
58. Couldn't I use the remote host as my local ISP?
No, definitely not.
59. Why not?
Because otherwise you can be traced instantly by the phone company. It totally defeats the whole purpose of using Freedom to be anonymous.
60. What is the difference between a dialup and a shell account?
The dialup is what it says. It is your normal account with your Internet Service Provider (ISP). With a shell account you connect to your ISP then use the Net to make a telnet connection to a remote server. All your Net activities, Email, Usenet, Web browsing are then done through this remote
It is the multi layering of the encryption, plus the total anonymity of using Freedom together with the remote host to an anonymous account at the News Provider that almost guarantees your safe anonymity.
61. Why do you say "almost"?
According to Freedom it would take the combined efforts of a Government security agency to hack into Freedom. They claim it would be extremely time consuming, but nevertheless, it could be done.
That is with using Freedom alone. Factor in the extra layer of SSH encryption together with anonymous signups to the remote server and the News Provider and it means an awful lot of bother just to catch someone. That is why I recommend all to use this technique as it will be of real benefit to those unfortunates in countries with tyrant Governments. Makes their job very much more difficult, if not downright impossible. If you additionally use a remailer client configured to route the message via the Mixmaster remailers, it would be horrendously difficult and truly doubtful if it would be economic to even attempt to hack back to you.
62. Should I run these encrypted programs from within my encrypted drive?
For level 1 security you could run it from your C: drive. But for better security you will need to run it from your encrypted container. This means both SSH and Freedom should be installed on and run from your encrypted drive. This is essential for level 3 security because it insures against anyone accessing your computer in your absence and substituting a cracked version of your programs or keys. If hacked, anybody could be monitoring your traffic.
The addition of Freedom also helps to protect you if the remote server key has been hacked. It would require an awful lot of effort to trace you.
63. Are there any problems using what is in effect quintriplicate encryption (SSH, up to 3 layers of Freedom plus Scramdisk) together?
On a modern fast computer, these multiple layers of encryption are totally innocuous. If you have added copious extra RAM, as recommended to obviate using the Swapfile, you will find your computer runs much faster which will most likely compensate for the encryption overhead. However, the data transit speed is considerably slowed up due to the many nodes in transit.
I have had odd problems which seem to be caused by the chosen route taken through the Freedom network. Occasionally I get a "host unknown" error as I attempt to log in to the remote host server. If I change my Nym with Freedom and re-try, so far it has always worked on the second attempt.
64. How do I configure Freedom?
It is very easy, but do read the fine manual before you generate a Nym. Anyway, always assume your first Nym is compromised.
Because you may generate it within minutes of installing the program and you may later regret some of the config settings after you learn more about it. Each Nym is isolated from the others, so it gives you the chance to learn a little about the program before using it seriously.
66. How do I configure SecureCRT to work with a remote host?
Read the FAQ at http://anonymizer.com/ssh
You simply log into the remote server with your password and minimize the SecureCRT screen once connected. That's it!
To use Agent or Netscape you need to specify "localhost" in the settings of these programs.
Warning! Do not give your remote host Email address to Freedom as a contact when buying Freedom. Far, far better to give your true Email.
Because there is no worry that someone at Freedom knows you have bought the program. But it is imperative that they do NOT know any of your Nyms on route. This particularly applies to your remote host username. Many people lose sight of the fact, that it is vital to distance yourself from your Nyms. This means you never use any of your Freedom generated Nyms openly on Usenet. Their greatest benefit is to screen you; by openly publishing them you have immediately given away half your anonymity that you have so carefully built up.
Of course, you may choose to deliberately use one Nym for light anonymity, just as I have for anyone wishing to contact me about this FAQ.
Your Nyms are hidden whilst you surf the Net or whenever you are using Telnet, such as when you are logged into a remote server. Only when you send Email or post to Usenet do you need to be concerned at your exposing them. Of course this is why you have bought them, but I would not use them openly, if only to avoid spam.
I am talking here about extreme anonymity. This does not apply to the casual poster. But if your liberty depends upon your anonymity, then be very careful about how you use them.
68. What happens if I forget to start Freedom?
Your ISP address may (possibly) be logged by the remote server. If it does happen, simply close down the connection and restart using Freedom. But wait a few minutes to avoid anyone monitoring the remote from sussing that the two log-ins were from the same person.
Always check the "TLNT" green light is lit on the Freedom box before posting. This ensures that your traffic is being routed via the remote host server and not directly out from your ISP.
Also, most important, Freedom will only function as intended if a Nym has been selected.
No Nym, no anonymity. Period.
69. Is there an alternative way, something simpler?
Yes. You can post via a proxy such as Yahoo or Hotmail. But I treat these as soft anonymous. Don't use them for anything critical.
70. How about Email with Freedom and SecureCRT?
You can set up Agent to be your Email and Newsreader client. I would recommend using it to download from Usenet and to receive your Email from Freedom.
Freedom has a basic spam filter, I recommend you use it
However, using Agent to send Email and to post directly to Usenet is not nearly as hard anonymous as Quicksilver. Fine for most activities, but if you need absolute security it would be wiser to use Quicksilver. Quicksilver is intended to be used for Email or posting using the Mixmaster anonymous remailer network. This ensures the strongest possible anonymity.
Far stronger than the older Cypherpunk remailers.
71. How do I configure Agent as a news reader using the telnet connection through a remote server?
Firstly, you should change your assigned password for the remote server. Type "passwd" (without the quotes) at the command line in SecureCRT after logging in. Follow the on screen instructions.
In Agent, open Options -> User and System Profile -> User
Under "News Server Login", ensure Login with a Username and Password is checked. Type in your username exactly as given to you by the news provider. Enter your password. Check "Remember Password between sessions". Both are case sensitive. Uncheck "Login with Secure Password
Now go to Options -> User and System Profile -> System. Put "localhost" without the quotes into the News server box. Check Server creates Messages out of order.
This ensures that all Usenet downloads are via your remote server.
72. How do I ensure Freedom decrypts incoming Email automatically with Agent?
Assuming you have a regular Email client for your non-anonymous mail, such as Outlook Express, I would recommend you configure Agent for your Freedom Email. Zero Knowledge now have their own POP server for Email, which can be accessed directly using Freedom version 2.
In Agent go to Options -> User and System Profile -> System. Click on "Send Email messages with SMTP", enter mail.freedom.net in the Email server box.
Ensure that "Send Email messages with MAPI" is unchecked.
This ensures your sendmail is routed via the Freedom network.
Now, Options -> Inbound Email -> Check "Receieve Email with POP", Enter "mail.freedom.net" in the POP server box.
Check "login with a username and password",
Check "Use APOP if supported by the server"
Enter "freedom" for both the username and the password.
Check "Remember password between sessions".
Uncheck "Login with secure password authentication"
Uncheck "receive Email with SMTP"
This ensures your incoming Email is from the Freedom server.
To set up Quicksilver for Freedom Email do the following:
Click on tools -> POP accounts -> new ->
Type freedom into login ID and mail.freedom.net into the POP3 host box and freedom as the password. Click OK and OK again to close the pane.
73. I prefer to use Eudora/Anawave Gravity/Xnews, etc as my Email client, how do I set them up?
Sorry, I don't know. You will have to experiment for yourself. Although I have used several other Email clients/newsreaders, I like and use only Agent for receiving News and Email and Quicksilver for all postings of News and Email.
74. Why particularly Agent?
Because Agent allows me to personalize each news group with a different Nym and/or signature. This might be possible with other news readers, but I have gotten used to Agent.
75. How is this done?
Set your default settings by opening Options -> System and User Profile -> User. Enter whatever Email address you wish, it might be a spoof if you wish. Its only critical value is it must have the "@" sign in it. In factthat is all you need enter if you choose. The remaining lines can be left blank if you wish.
Open Options -> Posting Preferences -> Signatures. You should create whatever sigs you may wish to use. Create as many as you wish. You can have one per news group if you like. Take your time to browse through the other options and set up your preferences.
These are your default settings.
Choose a News Group. Open Group -> Properties -> Post, click on "override default settings" Now choose a signature from the list of those you have previously created. Next browse through the list of options from "Bcc" through "From" to "Summary". Each of these can (your choice) be selected in turn. As each title is highlighted, click on "Override default value" for that title.
Now enter whatever you wish in the space below it. Now uncheck the "override default value" and whatever you have typed will appear next to the highlighted title.
This information will apply to just the news group you have chosen. You will need to repeat this for each group for which you wish to set a different value.
These options mean every single group can, if you wish, have unique "Sender" and "Reply-to" and unique signatures.
76. Can I post graphics anonymously to Usenet with this system?
Absolutely. Just make certain that you use Freedom with an active Nym and then your remote server with SecureCRT. Freedom will always ensure that all outgoing traffic is via the remote server (provided you have set up Agent to use "localhost" as described above).
Agent will always use your News Provider as the posting host. This is why I recommended you subscribe anonymously to this news provider. Nothing can then be traced back.
Quicksilver will always use one of the mail2news gateways. These are intended to be hard anonymous and when used together with these other recommendations should ensure extreme anonymity. But the remailer network does not readily accept large files, such as graphics. This need not be a significant problem as you can use Agent, provided all the other measures have been strictly adhered to.
77. Why, particularly Quicksilver, what about Private Idaho or Jack B. Nymble?
I found Private Idaho far too buggy and not as intuitive as Quicksilver. JBN2 is very sophisticated, but appears to need more maintenance to keep it working. Quicksilver on the other hand, appears to be so easy to configure and is far more intuitive to use.
78. Which Email address should I use?
Your choice. Use Freedom or you could use you remote host as an Email address. Personally, I would not do that. I would prefer to give out one of my Freedom Nym's.
Because if you regret your choice, you can abandon that Freedom Nym. It is far more difficult and bothersome to change your remote host username.
For even stronger security create a Nym at one of the Nym servers, such as nym.alias.net, or at anon.efga.org and point your reply block to a news group such as newslt.anonymous.messages.
80. How do I do that?
You will need a remailer client such as JBN2. This is a very sophisticated program and will take some time to learn to use correctly. But once learnt, it offers you the opportunity to create as many Nym's as you wish.
81. Are there any other suggestions?
Immediately you finish a posting session, break the connection. Close SecureCRT and change your Freedom Nym. This ensures new session keys are generated. Log in again over the new link. It is not quite so necessary to close Freedom, but I would certainly change your Freedom Nym before commencing posting again. This ensures a different route is created to the remote host. Anybody attempting to hack in along the way is foiled.
Never stay online whilst posting for longer than 1 hour maximum with any particular Nym.
Always post at different times, do not create a regular pattern of postings at specific times and days of the week.
82. Surely all this is totally over the top for the majority of users?
It is certainly over the top for 99 per cent of users for 99 per cent of the time. If, however, you are the one in a hundredth and you do not much like the idea of being at risk for 1 per cent of the time, then no, it is not over the top at all. Using these tactics helps create smoke which in turn helps protect those who really do need all the protection and security they can get.
Remember this FAQ is intended to help many different people. Some may be living in deprived conditions, in countries where human rights abuses are a daily fact of life.
I must emphasize again, the more that take up these suggestions the easier it is for those people to hide themselves amongst the smoke.
83. Can I use IRC in this way?
Freedom boasts that you can be anonymous on IRC. But I am very dubious of this. Take your chances, but do not blame me if it all ends in tears.
84. Can I be anonymous as far as other Web sites are concerned?
Yes. Freedom alone is sufficient for this.
85. What about spammers who offer "totally anonymous Web-surfing", etc?
I don't want to harm anyone's commercial enterprise, but ask yourself, do you really believe anybody with a vested interest in their business cares two hoots about your safety?
These people always charge you money, usually requesting a Credit Card, which means they can identify you. If you are going to pay out your hard earned cash at least use it to buy true anonymity.
86. Lastly, what do you say to the charge that this FAQ may be useful to criminals?
As someone once said, the sun shines on the righteous and the wrong-doer with impartiality.
We might as well ban cars, kitchen knives, guns, etc., because of their potential to aid criminals. We must balance the benefits against the bruises.
There will always be those who seek to control others lives, using whatever scare tactic they can. Ask yourself, could there be a hidden agenda behind their concerns?
Who benefits the most if Governments are allowed to reduce our freedom of choice? The Government or us?
1. always, always, lurk before leaking.
2. always use encryption, whatever else you do.
3. always start Freedom with an active Nym, before logging into your remote host.
4. always post via your encrypted and anonymous remote host to your anonymouly subscribed News Provider.
5. never ask of anyone nor give anyone online, your true Email address.
6. never DL any file with .exe, .com or .bat extension from a dubious source. If you do, don't run it.
7. for your own protection, never offer to trade any illegal material, nor ever respond to those seeking it, even anonymously.
This ends the FAQ. What follows are some links which might prove helpful.
Programs specifically recommended in the FAQ:
Freedom from Zero Knowledge: http://www.freedom.net/
SecureCRT is available here: www.vandyke.com/
PGP and PGPDisk: http://members.tripod.com/cyberkt/
or here: http://www.pgpi.com/download/
Evidence Eliminator: www.evidence-eliminator.com
Scorch and Scour: http://www.bonaventura.free-online.co.uk/
Jack B. Nymble: http://www.skuz.net/potatoware/jbn/index.html
Also here: http://members.tripod.com/~l4795/jbn/index.html
Quicksilver, available here: http://quicksilver.skuz.net/
Thumbs Plus: http://www.cerious.com
VuePro, at: http://www.hamrick.com
Mixmaster download site: http://www.thur.de/ulf/mix/
nym.alias.net, home page: http://www.cs.berkeley.edu/~raph/n.a.n.html
Anon.efga.org, home page: http://anon.efga.org/
Anon.xg.nu, home page: http://anon.xg.nu/
In case you need convincing: http://www.gn.apc.org/duncan/stoa_cover.htm
A directory of Stateside free servers: http://www.nzlist.org/user/freeisp/
Partition Magic: http://www.powerquest.com/
Some anonymity sites:
Other additional useful sites:
Test your shields: http://grc.com/
Beginner's Guide to PGP:
PGP for beginners: http://axion.physics.ubc.ca/pgp-begin.html#index
PGP FAQ: http://www.uk.pgp.net/pgpnet/pgp-faq/
Also worth a visit: http://home.earthlink.net/~rjswan/pgp/
FAQ for PGP Dummies: http://www.skuz.net/pgp4dummies/
The PGP FAQ: http://www.cryptography.org/getpgp.txt
With links to free download sites
The SSH home page: http://www.cs.hut.fi/ssh/#other
Web based Anon E-mail https://www.replay.com/remailer/anon.html
More about remailers: http://replay.com/remailer/replay.html
Simple Anonymity: http://members.tripod.com/~bbop/SimpleAnonymity.html
Reference Guide: http://members.tripod.com/~l4795/reli/UserMan.htm
Remailer Link: http://members.tripod.com/~l4795/links.html
Privacy Links: http://anon.efga.org:8080/Privacy
Anonymous Posting: http://www.skuz.net/Thanatop/contents.htm
Anonymity Info: http://www.dnai.com/~wussery/pgp.html
Nym Instructions: http://www.publius.net/n.a.n.help.html
Nym Creation: http://www.stack.nl/~galactus/remailers/nym.html
General info: http://www.stack.nl/~galactus/remailers/index-pgp.html
(Good for links)
General help: http://www.io.com/~ritter/GLOSSARY.HTM
Edited by Uma Guma on Jan. 04 2002,11:00
|By quote: (Quote) on Saturday, January 05, 2002 - 03:30 pm:|
Surfing the web thru proxies is a technique that allows you to maximize your online privacy. Here are some sites for further information:
Here is a link to the Stealther site:
This is a proxy program which you use together with your web browser to ensure your anonymity when you surf the Internet and download files. It allows you to hide your real identity from the websites you visit, block cookies and modify any information about your computer that is sent out by your web browser.
Absolute anonymous Internet surfing
No trace-back possible
Automatically updated proxy-database
Possibility to check proxies for availability
LAN-Gateway with Content Control
New identity on every website you open
Protects you from data-spying
->> Absolutely protected privacy <<-
I've been useing this app for a couple of weeks and it's definantly got potential. Their is a free version and a "paid" version. The registered version **cough Altalavista cough** is particularly interesting...it offers the "Super-Stealth Mode" which, best I can tell, not only offers random chaining of anonymous proxies but operates thru SSL (therefore there's not much chance anyone will know what your doing...your ISP included).
The developers are a German company. The doc's are a bit sketchy within the app...more information available on the website (if your interested in this app I recomend you read over all the links at the site first).
I searched for independant product reviews and the only one I could find was from this German site:
Here is what it says about this app:
The app is a bit quirky and is in need of further refinement...but there are tweaks within the app that allows some user optimization and quite a bit of customization...if you understand what it/you are doing.
Here are some sites that allow you to load your own proxy lists within the app (note: these need to be formated correctly...this is explained on the site and can easily be done from within notepad and then loaded into the app and then checked to see which ones are working from your location) :
Here are some sites that will check the integrity of your proxy connection:
There's a checker on the Stealther site also.
Once you understand what's going on, this app is easy to use and tweak. I wouldn't want to use the proxy mode for all my surfing for various reasons...no need, slow connections, etc...but it has a setting for direct conections bypassing the proxy chaining...so this isn't a problem...and you can always shut it off and reconfigure your browser connection to no longer use it.
This app isn't for those who don't understand what's going on in relation to the app and to proxies in general. But there really isn't much to figuring out what it's all about. All things considered I like it and look forward to further software developement. There are other similar apps out there but this one has unique functions and is easier to use than many of the others.
This can be demonstrated by checking your proxy's integrity with Java enabeled here:
The way around this is to either shut off these features in your browser (not a good option imo since these allow for many usefull features on websites and limit your surfing abilities on some sites) or to block the use of these when you REEEALLY want to be sure you are surfing anonymously.