Bypass Data Retention

It looks as if Labor has caved and will pass the proposed data retention bill. You are now under suspicion. You are now under surveillance. You are no longer a citizen, you are a suspect, so it is time to start acting like one. Learn the tools which enable you bypass data retention, to communicate privately with your colleagues, friends and loved ones.

The most troublesome metadata collected by the proposed scheme is not your internet traffic, which has some exclusions; it is your phone, sms and location records. Switch to calling and messaging your contacts using the data connection of a smart phone, computer or tablet. Some of the best tools for this are:

  • RedPhone, for encrypted calls on Android.
  • TextSecure, for encrypted messages on Android.
  • Signal, for encrypted messages on iOS (compatible with TextSecure).

Don’t take my word for it, listen to the NSA. They describe the difficulty of decrypting the communications of these apps as “catastrophic” (I highly recommend watching the video that is based on). These tools also offer good protection in terms of metadata.

Some other tools also listed in as “catastrophic” by the NSA include:

  • xmpp with off the record messaging, for encrypted instant messaging on windows / linux / OSX / Android.
  • Tor for anonymised web browsing on windows / linux / OSX.
  • GnuPG for encrypted emails (not very user friendly).

The purpose of mass surveillance is not to catch criminals, evidence shows that is ineffective. The true purpose of mass surveillance is to ensure conformity. Don’t conform. Don’t give people your phone number, give them your xmpp address. When your friends call, ask them to install the RedPhone app and call you back. Head to the protest on Monday.

The dot com bubble and the bitcoin boom

In the 90s the internet boom happened. It was two things: a revolution in the way we create, organise and share information, and a speculative investment mania dubbed the dot com bubble. One of those things survived and grew, the other popped.

Right now the bitcoin boom is happening. It is two things: a revolution in the way we transfer and store money, and a speculative investment mania yet to be dubbed. Predicting the long term value of a bitcoin is a mug’s game. If/when the bubble pops it won’t be the end though, just like with the dot com bubble.

The more interesting part of bitcoin is the part that will endure no matter what happens to the price. Bitcoin is a decentralised system of transferring money. No central authority is in control, no one can arbitrarily decide that an organisation is illegal and cut off payments. This is both a good and a bad thing depending on the organisation and your personal politics; for example I think that bypassing the financial blockade on wikileaks is great, but that bypassing local gambling regulations and making money off of problem gamblers is bad. Either way it’s certainly interesting, because it’s very hard to stop it. Regulation and illegality could make using bitcoin inconvenient, but it’d probably still be more convenient than using cash for the same purposes. Bitcoins are like cash you can send overseas as quickly and easily as an email.

Bitcoin also cuts out the financial middle-men to a degree. There are no banks, paypal, or visa networks to take their cut. There are some small fees to keep the network going (currently less than 10c per transaction) which get paid to the distributed network of people verifying all these transactions to make sure no one double spends their bitcoin balance. There are payment processors like bitpay which take their cut in return for making it easy for merchants to accept bitcoin, but using them is entirely optional.

In addition to just cheaper transactions, there are some applications where I would find bitcoin more useful than traditional currency/payment processors. Sending money to relatives overseas? Want to buy stuff from overseas to avoid the ridiculous regional pricing, but don’t have a US based credit card? The other day I paid for a couple of coffees at a nearby cafe with bitcoin, and was surprised at how quick and easy it was. Visa paywave still beats it, but it’s comparable to counting coins or pin/sign credit card transactions and given that bitcoin point of sale systems are still in their infancy this will no doubt improve. I’d be sceptical when people say that bitcoin is going take over a good proportion of the payment processing / money sending market, but I think it will at least get a tiny slice of something. Until an even better alternative is invented of course.

Finally the USA style libertarians jumping on the bitcoin bandwagon will tell you that all governments will eventually print so much fiat money that it will be devalued, or just go the way of Cyprus and freeze everyone’s bank accounts. By contrast they say that bitcoin is deflationary (there can only ever be 21 million of them “printed”) and they can’t be seized as long as you keep the password to yourself. Sure bitcoin is deflationary in the sense that supply is limited, but that doesn’t mean the value can never drop; the other side of that equation, demand, is completely untethered. And while no one can seize your bitcoins, the downside of no centrally trusted bank / government is that you might lose your bitcoins to hackers, hard drive failure, forgetfulness, death or the dust bin and you’ll never get them back.

Full disk encryption chaining with dm-crypt, cryptsetup and luks

In a fit of either curiosity or tinfoil induced paranoia, you decide to set up full disk encryption on your machine. But it’s really annoying because you have multiple physical disks, and you can’t be arsed entering passwords for each one separately at boot up. So what do you do? You stick a keyfile on the first encrypted disk, and decrypt the others with that instead of a password. That way they are “chained” together – the password decrypts the first disk, which unlocks the file to decrypt the secondary disks.

Here’s how you do it (works on debian wheezy):

  1. Encrypt all disks normally using luks/cryptsetup/disk utility
  2. Set them all up to be mounted at boot by fiddling with crypttab and fstab (arch wiki should have you covered)
  3. reboot and go through the tedium of entering multiple passwords
  4. generate yourself a new keyfile for the secondary drives: # dd if=/dev/urandom of=mykeyfile bs=512 count=8
  5. stick that keyfile somewhere safe on the primary encrypted disk (with admin read only access)
  6. add the keyfile to a luks keyslot on the secondary drives: # cryptsetup luksAddKey /dev/[volume] /path/to/mykeyfile
  7. fiddle with crypttab to make it use the keyfile on boot: [volume]_crypt UUID=deadbeef-dead-beef-dead-beefdeafbeef /path/to/mykeyfile luks
  8. reboot and test it

Be sure not to store the keyfile somewhere stupid where it will be unencrypted, like in /boot for instance. Bonus points for being patient and using a better source of randomness than /dev/urandom. The usual disclaimers apply, I don’t really know what I’m talking about, so don’t use this method to secure your nuclear launch codes, blame me if someone steals your data, or blame me if you can’t decrypt the drive and lose all your data.

Computer security for the lazy

I’ve been writing a guide to all things computer security and privacy. Given the news recently, I might as well promote it. I’m not an expert and the guide hasn’t been reviewed by anyone else to make sure I’m not giving you bad advice, but it’s at least worth a read to start understanding some of the issues.

Here’s the full guide, just the intro is pasted below. Please give me criticism and contributions on the github page.

Computer security for the lazy

This is a draft still being written, so you might want to wait until it’s completed and reviewed by a third party to make sure I’m not giving any bad advice. It’s a guide for the lazy. If you are living under an opressive government (like Syria or Iran), or if you are a whistleblower, activist, or a journalist wanting to protect your sources, you can’t afford to be slack.

For the rest of us lazy bastards, here’s the shit you need to worry about (in order of importance):

  • losing your files
  • losing your accounts
  • losing your privacy

Losing your files

All your photos of family and friends. All your financial records. All your university homework. All that porn you’ve been stashing. The biggest computer security threat you’ll ever have to worry about is losing them. Every hard drive is a ticking time bomb, just waiting to fail. You could accidentally leave your laptop in the back of a taxi and never see it again. Recently there has been a spate of attacks where criminals will gain remote access to your computer, encrypt everything on it, and then demand ransom payment to decrypt it. However it happens the results are the same – you’ve lost your shit.

Thankfully preventing these problems is easy; I’ll show you how to back your shit up.

Losing your accounts

Your email. Your internet banking. Your Facebook, Twitter and World of Warcraft character. These are all “accounts” and you can lose them. If you choose a shitty password someone can just guess or “brute force” it. If you’re tricked into installing malicious software it can log every keystroke you press, recording your passwords. If you are directed to a spoofed version of a trusted website and you try to log in, you’ve just given the bad guys your password. If you use the same password everywhere you’re truly fucked.

Unfortunately there isn’t a single easy solution to these threats. Having a well calibrated “bullshit” detector is essential. Using a password manager and keeping your computer up to date with security patches will also help. Don’t get hacked, keep reading and I’ll show you how.

Losing your privacy

Take any private photos of you and your partner? Do you write a pseudonymous blog like “Belle de Jour” or at the other end of the sexual activity spectrum, “Nice Jewish Girl”? Don’t want someone going through the soppy love poems emailed to your partner? Want to complain about work to a friend over chat / IM without getting fired?

Remember that laptop you left in the back of a taxi? Someone could go through all the files on it. Browsing on an insecure wifi network could give you away to anyone within range. Depending on which country you live in, your ISP could be obliged to log your browsing history, where criminals will undoubtedly hack in and get access to it at some point.

The threat to privacy is a bit more esoteric than losing your files or accounts, because it isn’t obvious when it happens. When you lose your hard drive, you know about it. When someone steals money out of your bank account, you know about it. When Facebook gathers information about the websites you visit and sells it to other companies, you’re left in the dark.

To stop this, I’m going to teach you how to keep that shit private.

Newspaper ownership in Australia

Today I spent some time hacking together an ownership graph of Australian newspapers. Spoiler: it’s all owned by News Limited and Fairfax, but click on the pretty picture below and you can see exactly how stuffed it is in an ugly interactive physics based format where you can click and drag stuff around.

Preview of newspaper ownership in australia

Arrows indicate ownership of course, with X–>Y meaning that X owns Y. You can see the code if you want. I might make it less ugly in the future but for now, it is what it is.