Nowhere to Hide

Originally posted at:

Last week we delved into the topic of Internet and data security. In my post, I've Got Nothing to Hide we were introduced to "John", a data-security, networking and cryptography expert.

Then, Chris interviewed the CEO of Lockbox, a startup we helped fund, with a post entitled Why I Love PRISM. Lockbox is bringing secure, encrypted cloud storage to the masses.

Today our focus is nowhere to hide, which is probably how most people are feeling right about now. We'll be talking about things like Tor, honeypots, Silk Road, ECC and Darknet.

For the average Joe, knowing anything about the above might be a bit unnecessary, and definitely scary. But, if we are to truly understand what's going on in the war against our privacy and rights to freedom, it's worth at least a cursory review.

We came back to "John" with some questions on how we can protect ourselves online, in the hopes of getting back just a little of our privacy.

Just to be VERY CLEAR. We don't endorse criminal activity. That's soon to be a government monopoly anyway - criminal activity that is. We understand that the definition of "criminal" is somewhat open to interpretation, but let's not split hairs. If your motives or intent for trying to remain under the radar are criminal then you deserve to get caught, no argument from us.

Now that we've gotten that out, let's move on.


Mark: John, with the skin of the onion being peeled back more and more on a daily basis, terms like "honeypot", Tor, Darknet, etc. are being tossed about. Most people have NO idea what any of that refers to. Can you "edumicate" us a bit?

John: (Laughs) Sure, I can give you some basics. It's very important to understand there is a war being fought behind the scenes between those that would protect your rights and those that would violate them. On one side are government agencies the world over, but notably the NSA, heavily engaged in attacking freedom-oriented anonymity projects and working hard to compromise or otherwise shut down businesses that help defend peoples' inherent right to privacy.

Recently for example, the NSA and/or the FBI attacked Tor, the anonymity network software, under the guise of defending against child pornography utilizing a Javascript vulnerability found in some versions of the TorBrowser.

Tor is used by journalists, political dissidents, etc. It's also used by "bad guys" including drug dealers (Silk Road is an onion site), child pornographers, the Mafia, etc. But the point here is that there wasn't a sting on a child porn ring. There was an attack on software used by many people the world over - some in desperate need of the anonymity it provides as they fight corruption throughout the world.

They left a calling card, too, in a very traceable IP address that was collecting the IP addresses of Tor users visiting select sites. It wasn't as if they were after some select group of bad guys - they were targeting everyone trying to protect their identity. It was a message - a warning for people that Big Brother can see you. Fortunately, the technical issue has since been resolved. Nevertheless, the government is overtly engaged in scare tactics against anyone that tries to maintain some privacy.

Privacy is a human right, and ultimately this simply makes the government the obvious villian. This is arguably the biggest attack on the privacy community ever and it was clearly to send a message of fear to people that prefer their privacy and anonymity. It's a crime.

Mark: That's a bit for most people to digest.

John: It is, but it's really important to understand what's happening. I'm sure most everyone reading this has by now heard that Lavabit has shut down. That is the mail service that Snowden used to communicate with his journalism contact. The NSA obviously wants to know what was in those emails. This has prompted SilentCircle, Phil Zimmerman's outfit, to shut down its email service preventively.

In my opinion, the next obvious targets are the online markets like Silk Road and Atlantis which trade in items that the government has deemed inappropriate, primarily drugs. These markets use Bitcoins as their medium of exchange, so the government is now heavily involved in trying to regulate bitcoins.

It's clear that governments think they own people and have a right to dictate how much privacy a person may have, what money they can use, how they can use it, and what they buy with it. Your life is not your own, it's theirs to dictate - or so they want you to believe.

There are raids in Germany on Silk Road suppliers now, and it appears the "war" is in full swing. I suspect it's going to get ugly. And most people have NO idea that a handful of cryptoanarchists are trying to save everyone's ass against the nefarious grasp of the NSA and its crony foreign LEO partners.

Mark: So what do you think is really prompting this? We touched on it before, but I think it bears repeating.

John: Sure. The war against privacy is to make sure that you don't keep anything hidden when the global government funding crises hit a head. They are going to need ALL the money they can get their hands on, and make no mistake, you will be "bailed in". That goes for Americans as well as Europeans. What happened in Cyprus was a test run.

Mark: I agree 100%. People have to wake up. Your financial survival, your ability to put food in your children's mouths and a roof over their head is ultimately what is at stake. If everyone just sits back and ignores this government criminality we are all going to pay the price. When is enough, enough?

What people don't realize is that if governments continue to run amock, spending, regulating, "spying", they WILL destroy the global economy. Forget the dramatic scenarios of locking everyone up, that's sensationalist stuff. The real deal here is economic destruction as a result of this "war" against - everything.

Back on topic. Security is your area of expertise. There has been a lot of noise around the breach in confidentiality with respect to ISP's and telecoms. NSA backdoors, etc. When you start looking into securing this area you'll discover something called a VPN. Can you tell us what a VPN is, what it does, and more importanly what it won't do for us? And, are there alternatives or ways to make using VPNs even more secure?

John: A VPN is a virtual private network. On a network like your home or office network, your machine is connected to a network of machines through wires or wireless connections, typically through a router which manages all of the communication among the machines in the network. A VPN is the same concept - only in the "virtual" realm. With a VPN, you connect to another network over the internet, but instead of your connection to that network being direct, it's through encrypted software tunnels. The encryption is necessary because on the internet, there are litererally hundreds of millions of machines that may have access to the data you're transmitting if there wasn't any encryption.

There are many different benefits to a VPN. First, all websites and email that are sent act as if they're coming from the virtual network you're connected to. So if you are connecting to a VPN in Germany, for example, anyone tracking your location thinks you're coming from Germany instead of the reality that you're mailing for Hoboken, New Jersey. Also, all of your data is encrypted between you and the VPN server. This means your ISP (internet service provider) cannot intercept the data you're sending. If you're not using a VPN and you're Googl'ing information on buying a new Ferrari, your ISP sees what you're looking at, Google sees what you're looking at, and now we know that the NSA sees what you're looking at.

That data is collected, stored forever, and frequently sold. Businesses buy this data so they can market goods to you. The IRS is checking to see if you can afford a Ferrari, and marketing companies are using this data to mark up the price of goods you're searching for over the guy that's looking for a 1986 Honda. In essence, your data is being stolen from you and used against you - whether you're doing something wrong or not - and that's wrong.

A good VPN protects against this by separating the data from being identified with you. There are several great commercial services out there, and there are
semi-VPN services like Tor and I2P that eliminate the weakness of a particular company running the service being accosted like Lavabit was recently.

When shopping for a VPN service, look for companies that separate their billing and operational characteristics. You'd ideally like to create a separation between your credit card purchase and your customer account with the company. Alternatively, use VPN services that accept bitcoins to preserve your anonymity. Look for VPN services that operate one or more of their servers outside of the country you're in - you want not just technical protection, but some measure of jurisdictional protection. Make sure the VPN service uses OpenVPN or PPTP because these are industry standards. Security by obscurity is a recipe for
disaster. Their Term of Service should indicate they don't store or log traffic records or IP addresses. Remember, you're paying for protection - make sure you're getting it.

Mark: Are they easy to use? Are they really that secure?

John: VPNs are as secure as is feasible today. There is no way to guarantee their security indefinitely - at some point, current technology will be broken.  It's inevitable. The NSA has spent billions of taxpayer funds on facilities like the one in Utah to store things forever so that if and when the encryption is broken, they can read back data. You never know what the law will be years in the future, and we have seen that the idea of ex post facto laws, laws that cannot be retroactive, is dead. So even if you're not breaking laws today, who knows what could be held against you in the next decade or so.

We see recently that the IRS has been used as a weapon against individuals. The risk of something like this being abused is not just high - history says it's
inevitable. If it doesn't stop, and there are only signs that the war against privacy is escalating, then the future is bleak, indeed.

Quantum computers, more efficient mathematical algorithms, and other technical improvements mean that today's encryption will be obsolete at some point. So remember, whatever you send out there today exists FOREVER. Even if it's unreadable now doesn't mean it will be unreadable in a decade.

When encrypting email with something like GPG, use maximum bit sizes like 4096 bits. Make sure you're connecting to all websites and email servers with encryption like SSL/TLS.  Use VPNs religiously - it only takes one mistake to be traceable because records exist eternally. Encrypt, encrypt, encrypt - be diligent.  It's not a game.

Mark: Thanks John.

John: You're welcome.


We haven't been forcing this security stuff down your throat the last two weeks for nothing. There's been a lot of great information released, from many different sources, that can help you understand and protect yourself, but it's still a hard slog.

We aren't suggesting herein, although it might seem that way, that the ONLY threats to your security come from government snoops. There are other nefarious individuals at work out there who profit greatly from stealing your private information.

There are a lot of very practical reasons to be concerned about your privacy and security, and you'd be surprised where the threats come from! This recent article will give you an idea just how many of the items you use every day and take for granted are eavesdropping on you. Even your coffee machine sends data to the manufacturer! We can't make this shit up folks!

In our next post we'll get more specific on how to change your current habits, and suggest some specific ways to stay safe and secure online.

- Mark

"If you want total security, go to prison. There you're fed, clothed, given medical care and so on. The only thing lacking... is freedom." - Dwight D. Eisenhower