[AktiviX-discuss] Practical Security Advice for Campaigns and Activists
Max Gastone
banangling at yahoo.com
Mon Mar 21 15:14:56 UTC 2005
>
>> I can't recall if it is in the ActivistSecurity booklet
>> or not, but it was recommended as an alternative to
>> disk encryption to keep everything in one folder and
>> essentially tarball it, and then encrypt the tarball
>> with PGP. Worked a treat for me the last time I got
>> raided.
>
> Another approach might be to use the crypto loopback
> driver to automate this. This is not ppc specific AFAICT.
> http://www.ppcnerds.org/displayarticle186.html
Not simple enough for the average user. If the front end is not
properly designed then you end up with users making mistakes and thus
having a false sense of security.
>>> 2. Tor (http://tor.eff.org/) seems to be the best
>>> way of anonymising web browsing these days.
>
> gaurdster.com is a bit easier to use, you just go
> to the site and give it the url you want to browse.
> No setup but it does have adverts.
> No idea how secure it really is.
Proxies and similar tools are redundant if there is an intercept on
your phone line to watch what is going in and out. The only way
around this is to have SSL proxies. However, these suffer from three
flaws:
1. Slow everything, so many people end up turning them off.
2. In most cases you have to pay to have SSL browsing - sorry, it
would be as easy and cheap to go to an internet cafe, and I will not
be giving my credit card details out and marking out which proxy I am
using, and hence giving up some of the anonymity which is surely part of
the point of using a proxy in the first place.
3. How do we know the proxies are doing what they say they are and
not logging stuff or otherwise acting as a honeypot? What an ideal
way to gather details of dodgy stuff going on - anyone remember
Safe-Web, sponsored with CIA money... What we need are more activist
community anonymizers, remailers, etc.
Proxies are useful in some situations, but I think they are often
over-estimated as a tool. Something worth noting though is that many
of the bigger ISPs have their own proxies which you can use.
Tor looks quite interesting and sounds like it is adapting some of
the interesting parts of Publius and P2P, but unless it too is
encrypted right from the client end then it too will not protect
against a direct line tap.
>> Also, it marks you out to some degree, like in the
>> days when it was said that using PGP marked you out as
>> some sort of subversive.
>
> Also if you are just signing your emails with PGP and not
> encrypting them you are making it worse for yourself.
> This makes you much more obvious.
Not as much as it would have once done. This is far more common - for
example you see it on a lot of the lists dedicated to computer
security issues in general.
Personally, as an activist, I don't like the idea of signing anything
on general principle.
However, as I would always avoid saying anything dubious in an
unencrypted email, verifying the accuracy of what I say is not that
important, but I do like having that extra option of deniability built
in that signing would take away.
More important than who is encrypting or signing emails to whom is
the fact of who is talking to each other, analogous to when FIT teams
photograph people on demos. Email allows them to build up networks
which can be analysed for clearer pictures on the dynamics of the
various protest movements.
BTW, for people interested in secure communication, WhisperIM is
currently in development to provide an open source secure method of
encrypted communication across IM which can be used in internet
cafes, etc. It is trying to do for IM what PGP does for email. For
more details see whisperim.dev.java.net
Max