(navigation image)
Home American Libraries | Canadian Libraries | Universal Library | Community Texts | Project Gutenberg | Children's Library | Biodiversity Heritage Library | Additional Collections
Search: Advanced Search
Anonymous User (login or join us)
Upload
See other formats

Full text of "basic-internet-security"

Basic Internet Security 



Published : 2011-05-01 
License : GPLv2+ 



Table of Contents 



Introduction 

1 Introduction 2 

2 Why use a manual on Internet security? 7 

3 Understanding basic Internet security ll 

General Safety 

4 Secure your computer 15 

5 Internet Cafes 19 

6 Software on USB or CD 21 

Protecting your passwords 

7 Keeping passwords safe 27 

8 Installing KeePass 30 

9 Encrypting Passwords with a Password Manager 37 

Safe Browsing 

10 Introduction to safe browsing 53 

11 Installing Firefox on Ubuntu 55 

12 Installing on Mac OS X 57 

13 Installing Firefox on Windows 62 

14 Protecting your internet passwords 68 

15 Extending Firefox 69 

16 Proxy Settings and FoxyProxy 85 

17 What is Tor? 92 

Basic E-mail Security 

18 Introduction to e-mail safety 103 

19 Using Thunderbird 106 

20 Setting up Thunderbird to use secure connections 115 

21 Some Additional Security Settings 121 

Email Encryption 

22 Introducing mail encryption (PGP) 130 

23 Installing PGP on Windows 132 

24 Installing PGP on OSX 139 



25 Installing PGP on Ubuntu 148 

26 Creating your PGP keys 150 

27 Daily PGP usage 159 

28 Webmail and PGP 182 

Securing personal data 

29 Introduction to securing personal data 191 

30 Installing TrueCrypt 192 

31 Using TrueCrypt 201 

32 Setting up a hidden volume 216 

33 Securely destroying data 226 

Securing remote connections 

34 Introduction securing remote connection: VPN 240 

35 Getting and testing a VPN account 244 

36 VPN on Ubuntu 248 

37 VPN on MacOSX 265 

38 VPN on Windows 275 

Mobile security 8c VOIP 

39 Introduction to Mobile Phone Security 289 

40 Secure Text messaging 291 

41 Secure voice communication 305 

42 VPN on Android phones 307 

43 Email security on Android 324 

Background information 

44 FAQ 326 

45 How the Net Works 332 

46 Glossary 341 



INTRODUCTION 



Introduction 




The digital world is changing at a tremendous speed. New 
communication technologies open up new possibilities, 
but by using them you can also expose yourself, and 
others, to risks. Many people have trouble assessing these 
risks especially with regard to the subject of safe digital 
communication. This is particularly true for people working 
in regimes with high levels of censorship. However, also in 
countries considered to be relatively free and uncensored, 
your data can be used or misused by others - governments, 
companies, or other persons (sometimes even 
unintended). 

How to protect yourself, your sources or your friends? What are safe routes 
to take? How do you secure after your personal data? This manual aims to 
address these issues to help you choose your own 'level' of safety. 

f Governments and other parties are very interested in your communication 




f* DATA J|t QATA ~ 



How to trust technology? 

When verbally passing a message you usually need to know 
your contact persons to know if you can trust them, but 
you also have to know your technology a little to know if 
you can trust it. Technologies can leak or distort your 
message just as humans can. Technologies are invested in 
types of trust relations: some devices are safer than others, 
some can be modified, and some are better avoided. 



o 



This book tries to address these different layers by giving hands-on 
explanations on how to make your digital communication and data more 
secure and by providing the reader with a basic understanding of the 
concepts of digital communication and data security. It derives from the 
following principles: 

1. No method is entirely secure; 

2. You need to have a basic understanding on how and why technology 
works to make it work for you; 



3. You need technology for safer communication: either some basic tools, 
or more sophisticated equipment, depending on where you're at and 
where you go. 



Keeping up to date 

Publications about the digital world become outdated fast 
and a viable solution today could be serious threat 
tomorrow. Therefore we created this book as open source, 
so it can be easily updated and will be free for others to 
update, extend and redistribute. The focus in this book is 
also on free and open source tools. 



ED 



There is a wide range of books dealing with different aspects of secure 
communication in a digital age. We have combined our knowledge with 
existing publications and our contributions can be re-used and revised as well. 
This is the advantage of having a growing pool of excellent reusable content at 
FLOSS Manuals - its becoming easier in this field to make books quickly by 
combining existing materials using this resource. 



Different users, different tools 

The handbook aims to provide everyone an understanding 
about how they can protect themselves and the persons 
they communicate with. It also aims to provide insights 
into the limits of protective measures, so people can make 
an informed trade-off. 



•4 



The manual was a direct response to a workshop given by Greenhost 
(http://www.greenhost.nl) to the people from Free Press Unlimited 
(http://www.freepressunlimited.org). The workshop made clear that 
journalists face many problems with regard to security. This manual therefore 
addresses the concerns and needs expressed in that workshop. However, the 
manual provides information on different layers of protection and therefore is 
valuable for other audiences as well. Using the manual does require some 
basic knowledge on how to operate a computer with a keyboard, mouse or 
any other pointing device. 

In the chapter on 'Why to use this manual' you can read more about the 
reasons for taking more security measures and how the manual addresses 
these issues. 



How was this book made? 

This book was written in a Book Sprint. FLOSS Manuals has developed this 
methodology for the rapid development of books in amazingly short periods 
(2-5 days). FLOSS Manuals is an entirely open and voluntary organisation of 
some 3000 members. FM has manuals on free software available in over 30 
languages and all for free. You can read more about free software at the 
website. 



http://www.flossmanuals.net 

The idea for the book came from ISP Greenhost from Amsterdam. Besides 
providing sustainable hosting solutions they strongly adhere to a free, open 
and safe web. They bring this in practice by not logging user information, 
providing secure options for communication and helping users to make their 
computers and usage of the internet safer. For this book they gave a 
workshop at the NCO Free Press Unlimited from Hilversum, The 
Netherlands. Free Press Unlimited promotes Press Freedom all over the 
world, educates journalists and helps them securing their communication. A 
big part of this book is based on the workshop and the concerns of the 
journalists present. For more information check their websites. 

https://greenhost.nl 

http://www.freepressunlimited.org 

Many thanks to Buro 2.0 for providing the space for this Book Sprint. Buro 2.0 
is a co-working space for open source developers and experts. They were 
extremely generous to offer their Berlin venue to us for 5 days and made us 
feel very welcome and well looked after. Check them out their website. 

http://buero20.org/. 

The Book Sprint was 4 days long and the full list of onsite participants 
included: 



Adam Hyde (facilitator), Jan Gerber, Dan Hassan, Erik Stein, Sacha van Geffen, 
Mart van Santen, Lonneke van der Velden, Emile den Tex and Douwe Schmidt 



Why use a manual on Internet 
security? 

In the eighties when the Internet was in its infancy, its main usage came from 
university students and professors in an atmosphere of implicit trust. This 
means that security was not the first thing in mind when the basic uses and 
functions of the Internet were first developed. 

Nowadays the Internet is everywhere both in public and in private life. It has 
become a vital means for professional and personal - often confidential - 
communication. This has required security enhancements to be added to the 
various communication methods used on the internet after it became widely 
used. A lot of these enhancements are not implemented by default or require 
additional configuration. 

In addition, most people do not have the appropriate knowledge or skills to 
secure their internet usage enough or they might simply feel it they don't 
need it. Also vendors and providers are to blame for not pushing more secure 
technology and methods by default. But maybe you worry about your login 
codes being accessed when using wireless networks on a trip, or you want to 
securely lock your laptop when leaving it in a hotel. Possibly you need to 
encrypt your e-mails, because you have contacts in countries with a high level 
of internet censorship. 

This manual tries to fill that gap by providing some basic knowledge, and also 
more sophisticated techniques for those who need them, to make sure that 
your data is not easily accessed by others. As a matter of fact, internet 
security is not that difficult. 

What is security? 

Absolute security does not exist, security is always related to who your 
adversaries might be. Security is therefore about informing yourself and 
assessing the possible risks you, and others you communicate with, are 
facing. Make sure you reserve some time to choose the right tools, install 
everything properly, and test if it works. Compare it with driving a car: it takes 
a little bit of practice, and some judgement on others' behaviour, but as soon 
you are in control it can safely get you where you want. 



To make a choice between the types of tools you need, it helps to make a 
distinction between two basic types of 'threats': undirected threats and 
directed threats. 



Most of the threats we are facing are automated undirected threats and 
luckily these are also the easiest to defend against. Unfortunately, we are 
sometimes also subjected to directed threats, for which we need some extra 
safety measures. We will shortly go into these issues and refer to the 
appropriate chapters so you can start your way. 



Undirected and directed threats 

Undirected threats are threats that are not directed at you personally, but 
might still affect you. Examples include phishing emails and computer virus 
infections. These methods are always automated and are just looking to get 
new victims, that can be everyone. Some schemes can evolve into a directed 
threat (for example when responding to e-mails telling you you won the 
"Spanish online lottery"). Also unprotected websites, or networks, can be 
dangerous if you fill in your login codes or credit card information. 



These threats can be compared to walking around in an unknown city, ending 
up in the wrong neighborhood and getting mugged. This book aims to be your 
city guide helping to prevent you to be at the wrong place at the wrong time. 
To protect yourself from this type of threats we recommend you to read at 
least the sections on General Computer Security, Secure E-mailing and Secure 
Browsing. Next to that it is key to keep your wits about you, keep your eyes 
and ears open and don't loose your common sense. 

Directed threats are the most dangerous ones. A long known wisdom amongst 
security specialists is the notion that "Only amateurs attack machines, 
professionals attack people." Directed threats are aimed at you personally or 
your organization and might involve a lot of different techniques. Attackers 
will use a mix of social engineering, sophisticated tools, luck and hard work. 
Directed attacks are a lot more expensive to undertake than undirected ones, 
as mostly they require more skills and work hours. 

One source for directed attacks can be people you know, for example co- 
workers, your boss, your spouse or friends. They might do so out of curiosity 
or for worse purposes. Small measurements might be enough to counter 
these attacks, like using a password on your computer and locking your 
screen when leaving your computer unattended. 

Also thieves that gained access to your bank account, for example through 
phishing or spying on unprotected networks, are considered a serious threat 
to the internet user. 

Another source of directed threats are (repressive) societies. Governments 
have a range of motivations for monitoring or restricting different kinds of 
people's online activity. 



Who might need this manual? 

Of course, there are several reasons why you might need some guidance for 
internet security. Who are possible users that can have personal or 
professional reasons to take extra safety measures. 



journalists probably face directed threats. Organized crime, corruption, and 
government brutality are dangerous subjects to cover. You may need to 
protect yourself and your sources of information. 

Bloggers can encounter similar problems. You may want to write about 
everyday life, but issues are silenced or unpopular because of ethnicity or 
gender. You might prefer anonymity or need it to connect with a support 
group. 

Diplomats are also under heavy surveillance, as we know from the Wikileaks 
affair. You'd rather communicate in a safe way with your colleagues because 
the the content of your e-mails could have damaging effects. 

Activists may want to improve your government or are seeking a new one. You 
may want to expose environmental issues, labor abuses, fraud, or corruption 
at your place of work. Your government and employers are not going to be 
happy about this no matter the time of year, but they may put more effort 
into monitoring you if they suspect that there will be protests in the streets 
soon. 

Internet users-. You might want to increase your security while browsing or 
mailing so you are better defended against undirected attack, or you might be 
just fed up with companies storing all your data for financial purposes, or 
suggesting you all sorts of things about yourself and your friends. 



How to use this manual? 

If you think you need to secure your internet use, we'd be happy to give you a 
hand with this manual and helping counter-attacking some of the problems 
you face. The chapters encompass general introductions that indicate which 
are the more basic steps to be taken for internet security, and what are the 
more complex operations to be handled. Even if those techniques of 
assurance may sound more demanding, they are explained step by step with 
illustrations and turn out to be not so difficult to implement. 



In the end you are the only one who can best asses the risks you are taking 
and to which threats you are exposing yourself and your peers. If you are in 
need of more in depth information aimed at human rights defenders, there is 
an excellent one called "Security in-a-box"created by the Tactical Technology 
Collective and Frontline. It is freely available online and as a download at 
https://security.ngoinabox.org. Additionally, if you live in a country that 
actively restricts access to parts of the Internet you might find the Floss 
Manual on bypassing censorship to be of interest to you, it is located at 
http://en.flossmanuals.net/bypassing-censorship. Know that manuals in 
general can't guarantee total security and that it is by no means a 
replacement for a professional risk assessment and an organization wide 
security (and travel) policy. 

This manual is also to be used in an interactive way. In order to work, it needs 
to be kept reflected upon and updated. Do get in touch if we missed 
something, if you want to contribute, or if you just want to get in touch! 



10 



Understanding basic Internet security 

To understand basic internet security we should have a basic understanding 
of how the Internet is organised and which path our information travels. With 
this knowledge we can easier assess which measures we can take to protect 
ourselves. 



The mail game 

To have a notion of how the Internet works you can 
compare it with the normal world wide mail network. If 
you want to communicate with a friend you can send her a 
letter and post it to the nearest mailbox; it then travels 
through an extensive network to (hopefully) reach the 
person the information is intended for. Internet is just like 
that, however, the message is sent in an open envelope and 
every postman on the way can read the message, alter its 
content and/or the destination without you knowing. 




Unencrypted mail looks like this: 




To counter this, people have long used secret languages to communicate 
safely. In this chapter we will explain two methods of encryption. The first 
method explains an end-to-end encryption, encrypting the whole way from 
sender to receiver. The second method partly encrypts the route. 



End-to-end encryption 

If you encrypt your message and only the recipient can read it, it will be 
meaningless to all the postmen in between, and if they alter it you will notice 
it directly. In order to make such an encryption work, you still have to be sure 
to trust the recipient and be sure that you are really exchanging information 
with her and not with someone pretending to be her. This method is called 
end-to-end encryption and is the safest way of communication. You also have 
to be sure that no one is watching over your shoulder while you write your 
message. Some of the end-to-end encryption methods that we cover in this 
book are HTTPS for browsing and PGP for e-mailing. 



11 




Encrypted mail looks like this: 
• • • 

▲•▲ ▲'▲ AA 

ill 




Unfortunately for end-to-end encryption to work, both you and your friend 
(source, co-worker) need to have the tools to use it and have to agree on the 
secret language used. On the internet this means the website you are visiting 
or the people you are e-mailing. This not always the case, still, we can 
considerably increase our online safety by encrypting a part of the route. 



Partly encrypted mail through a proxy 

To get back to the mail analogy you might be on a field trip in a repressive 
country and want to send a message to your friend at home. You don't trust 
the post offices and the postmen in this country. So before you left, you asked 
your local post office to act as an intermediary (the proxy) and agreed to use 
a secret language. Now you can just write a message to your friend in the 
secret language of your post office. You will send this to your post office and 
they will take care of the delivery of the message to your friend. In this 
scenario you have to trust your local post office, all the postmen after that, 
and of course your friend. 




Partly encrypted mail using a proxy looks like this: 

w" Pro«yW "5§P 



m rf^3 




Visiting websites is communicating 

Because in this example an analogy was drawn with mail messages, you 
probably thought of e-mails when reading this. While this is true, the example 
also counts for all other internet communications. Visiting a website is just 
like sending the message to your friend "please mail me your copy of the book 
1984", after which she sends it to you. 

Let's follow the example of visiting a website from your home computer: 
1. You type in http://freepressunlimited.org/. 



12 



2. The request goes through a series of routers, each one forwarding a 
copy of the request to a router closer to the destination, until it reaches 
a router that finds the specific computer needed. 

3. This computer sends information back to you, allowing your browser to 
display the page. 

The message that is transmitted from the website to you travels through 
other devices (computers or routers). The amount of devices your message 
comes in contact with along its way is often between 5 and 30. 

f What would the internet look like if you draw it in a really small picture? ^ 

m lj^s a b a □ — 



• prf (C|» j ^ U( ^.-g- 



= tha request 

< - the answer 



<3 <-■ <m i 



By default, information travels on the internet in an insecure way. This means 
that your message can be eavesdropped or tampered with on every device. If 
you are connecting wirelessly, people can also just "tune in" to the 
information send through the air. 

To keep information from being compromised you have to be careful to make 
sure of the following: 

• Can you trust the entry point (your internet connection) to the internet? 
If this is an insecure wireless connection anyone can eavesdrop on it, if 
it is a physical (cable connection) it can be eavesdropped by the 
operator. 

• Can you trust the exit point (the site you will be visiting) of your 
information? 

• Are you really communicating to the right destination? Or did your 
request end up on a server trying to appear like the server you were 
looking for, but really isn't. 

At the end of the book there is a more in depth and technical explanation on 
how the net works. You can read that if you like to know more about it. 



13 



GENERAL SAFETY 



14 



Secure your computer 



There are steps that everyone with a computer should take to keep it secure. 
This may involve protecting information about your network of activists, your 
credit card number or your human-biology collection; but some of the tools 
you need are the same. Your computer holds valuable information and this 
need to be protected. 

Beware of programs or people that promise perfect security: online safety is a 
combination of good software and human behavior. Knowing what should be 
kept offline, who to trust, and other security questions cannot be answered 
by technology alone. Look for programs that list risks on their Web sites or 
have been peer reviewed. 



Keep your OS updated 

Keep your operating system up-to-date: the developers of operating systems 
provide updates that you should install from time to time. These may be 
automatic or you may have to request them by entering a command or 
adjusting your system settings. Some of these updates make your computer 
more efficient and easier to use, and others fix security holes. Attackers learn 
about these security holes rapidly, sometimes even before they're fixed, so 
fixing them promptly is crucial. Luckily most operating systems do a quite 
good job in keeping the system updated and safe, if at least you allow them to 
do so. 



Installing new updates on a new computer is very important. A new computer 
you buy in the shop, can be there for some months already. This means the 
computer is often behind with the security updates. So when buying a new 
computer, please take some time to update your Operating System. 



User account and password 

Every computer needs an account to login. This account is needed to access 
your data and use the functions of your computer. Please be sure to setup a 
password for every account. 



Use good passwords: no password selection system can guard against being 
threatened with violence, but you can improve your security by making it 
harder to guess. Use combinations of letters, punctuation, and numbers. 
Combine lower and upper case letters. Do not use birth dates, telephone 
numbers, or words that can be guessed by going through public information 
about you. More information about this can be found in the chapter on 
passwords. 



15 



Modern operating systems separate normal tasks from administrative tasks 
like installing software. This division is very important, as administrative tasks 
need extra privileges and have total access to your hardware and software. Be 
sure to create a normal user account for day to day usage and never use the 
administrative account for this. 

Last but not least: Never store your password on a post-it on you computer 
or underneath your keyboard. 



Physical protection 

A lot of people do not realize the information on your computer can be very 
valuable for others. If you are working in an unknown/uncontrolled 
environment or area, always keep a good look on your belongings and never 
leave them unattended. Take some time to think over what the risks are if the 
data on your computers fall in the wrong hands. Ask yourself, "which 
information is actually stored on my computer and what can other people do 
with this information?". Please realize, a password on your computer will 
maybe protect against quick access, but it doesn't protect your data once the 
whole system is lost. With physical access to a computer it's very simple to 
access the data on your harddisk (with the use of an other computer) without 
knowing even the first character of your password. If the information on your 
laptop is very valuable, have special attention to the section about securing 
personal data. The above is also true when you lend your equipment to 
someone else. Although you might completely trust the person you lend to, 
you don't have control on how secure they may handle your equipment. 

Smoking a cigarette 

It is very well possible you are working in a cafe or other (semi) public place 
on your laptop. Maybe you have opened some password protected websites 
(webmail) and maybe even have opened some encrypted files or emails. Once 
you go out for a quick break and a cigarette, please be sure at least your 
screen is locked. All mainstream operating systems can be used to lock your 
screen automatically if you close your lid or after a few minutes of inactivity. 
Be sure to enable these options, failing to do so will certainly at least 
sometimes result in good opportunity for attackers to access your private 
data. U nfortunately this habit is still not very common with users but very 
important. 



16 



* 



Use anti-virus software 

If you're still using Microsoft Windows, use anti-virus 

software and keep it updated. Malware is software written 

in order to steal information or to use your computer for 

other purposes. Viruses and malware can gain access to 

your system, make changes and hide themselves. They 

could be sent to you in an e-mail, be on a Web page you 

visit, or be part of a file that does not appear to be 

suspicious. Anti-virus software providers constantly 

research emerging threats and add them to lists of things that your computer 

will block. In order to allow the software to recognize new threats, you must 

install updates as they are released. 



Be aware of scareware. Scareware is software which advertises itself as anti- 
virus software, but is in fact a virus or spyware itself. If you install (free or 
commercial) anti-virus software, please be sure it's not scareware. A quick 
search of the name of the vendor/product in combination of the term 
"scareware" on Google will be enough to find out if you've just downloaded 
scareware. Scareware can be often found in "advertisements" on dodgy 
websites with warnings about "found viruses" 



External data (USB-sticks, E-mail attachments) 

Transferring virusses with USB-sticks or with E-mail 
attachments is very easy and often done by the virus itself 
rather then the owner/sender, especially under Microsoft 
Windows. Be careful when inserting USB-sticks or lent out 
your stick to others. It's just recently Microsoft changed 
it's policy regarding automatically opening USB-sticks. This 
should make Windows a little safer, but still watch out 
suspicious programs on USB-sticks. Never open any file 

you do not trust, regardless to if it was distributed via E-mail, USB or other 

methods. 

Only use trusted and Open Source Software 

Be sure you can trust the vendor of the applications you use. A lot of 
companies are offering applications on the internet. Between these 
companies there are several with other intentions then they will tell you. 




17 



Use Free and Open Source Software (FOSS). Open source software is made 
available both as a working product and as a work in progress to users and 
software engineers. This offers several security advantages over closed 
source, for-profit software that may only be available in your country through 
illegal channels due to export restrictions or expense. You may not be able to 
download official updates for pirated software and often pirated versions 
already includes viruses. With Open Source software there is no need to 
search through several suspicious sites for a copy free of spyware and 
security glitches. Any legitimate copy will be free and is available from the 
creators. If security flaws emerge, they can be spotted by volunteers or 
interested users. A community of software engineers will then work on a 
solution, often very quickly. 

Another problem that has occurred in some countries with regards to illegally 
installed closed source software is that equipment of NGOs or journalists 
were confiscated by the government based on copyright regulations as a 
measure to gain access to the information that was on the devices. 



Be updated 

Keep yourself updated on the latest security threats: the 
effort put into harming you may change. Methods to 
protect yourself that works today may stop working or 
even become a threat themselves tomorrow. Even if you 
don't need it now, know where to find information and use 
different sources of information. 



m 



And if you do find some essential piece of information we didn't cover in this 
book, please update the book at booki.flossmanual.net or tell us so we can 
update the book. 



18 



Internet Cafes 



The fact that you access the Internet in a public space does 
not make it anonymous or safe for you. It is quite often the 
very opposite. Some of the main threats are: 




The owner of the computer, or even a person who used the computer 

before you, could easily program the computer to spy on everything you 

do, including recording all of your passwords. The computer can also be 

programmed to circumvent or nullify the protections of any privacy and 

security software you use on it. 

In some countries, such as Burma, Cuba and Italy, Internet cafe clients 

are required to show their ID or passport before using the service. This 

ID information can be stored and filed together with the clients' Web 

browsing history. 

Any data you leave on the computeryou have used may be logged 

(browsing history, cookies, downloaded files, etc). 

Software or hardware keyloggers installed in the client's computer may 

record every keystroke during your session, including your passwords, 

even before this information is sent over the Internet. In Vietnam, an 

apparently innocuous virtual keyboard for typing Vietnamese characters 

was being used by the government to monitor user activity at Internet 

cafes and other public access spots. 

Your screen activity may be recorded by special software that takes 

screenshots at frequent intervals, monitored through CCTV cameras, or 

simply observed by a person (e.g. the Internet cafe manager) looking 

overyour shoulder. 

In some countries, such as Burma, Internet cafe owners have to display 
posters about banned Web content and are responsible for the 
enforcement censorship law inside their business. 
Computers are often configured so that users are prevented from 
installing any software, including circumvention tools, or connecting 
any kind of devices to the USB port (such as USB flash drives). In Cuba, 
authorities have begun deploying a controlling software for Internet 
cafes named AvilaLink that prevents users from installing or executing 
specific software or running applications from a USB flash drive. 
Users may be prevented from using any other browser but Internet 
Explorer, to prevent the use of privacy or security Add-ons or settings 
for browsers such as Mozilla Firefox or Google Chrome. 



19 



Best practices 

Depending on the environment in which you use your 
shared computer, you can try the following: 



* 



Identify the surveillance measures implemented based on the list 
mentioned above (CCTV, human surveillance, keyloggers, etc.) and 
behave accordingly. 

Run portable software from a USB flash drive if possible. 

Keep your data on your own USB flash drive and do not copy it to the 

shared computer. 

Encrypt any data you are sending. 

Use an operating system on which you have control through the use of 

a Live CD. 

Change Internet cafes often if you fear recurring surveillance, or stick to 

one where you trust it is safe to connect. 

Take your own laptop to the Internet cafe and use it instead of the 

public computers. 



20 




Software on USB or CD 

It is possible to install applications on a CD-ROM or USB- 

drive. This will enable you to bring your favourite settings, 

extensions and bookmarks with you anywhere you go. It 

will also limit the amount of data and traces you leave on 

the computer you are using. This could prove to be 

exceptionally useful when you have to use untrusted 

computers or internet cafs. The latter is almost always a 

Windows environment. We will describe a handy tool in 

this chapter called 'Portable Apps'. With this tool you can easily prepare a 

USB-drive with Windows application. 

The most easy and by far most secure way to do this is at home, or in your 
office or any other save environment, with a high speed internet connection 
as it requires you to download a special package of software including all the 
programs you might need. You want to make sure that the computer you use 
to do this is protected by a firewall and has no viruses (so use your own 
computer of from somebody you trust). 

If you need only Firefox, which can be used on any platform, install Firefox on 
a CD or USB. If you need other programs to mail, chat, use ftp etc. you can 
install a whole bunch of programs with the help from the installer available 
from the website Portable Apps. The installer and the resulting removable drive 
with application will only work on the Windows platform. 

Another option is to install an entire OS on a flash drive, external hard-drive or 
iPod and start the computer from that. 



Portable Apps for Windows 

For Windows users there exist a handy tool called Portable Apps. For this 
method we are going to use a package from Portable Apps. This website 
allows you to download packages with software that you can install on a 
USB-drive or any other removable medium like an iPod or SD Card. 

Things you will need for this method: 

• A save, clean and secure Windows computer; 

• A portable drive of at least 256Mb but preferably bigger then 1GB; 

• An internet connection. (You will need to download files between 2Mb 
to 137Mb). 

Direct your browser to http://portableapps.com/download and look at the 
different columns to see what is included in which download. For this manual 
we are using the 'Suite Light' of 52mb download. At the time of writing the 
version number is 1.6.1. 



21 



1. Download your desired suite by clicking the download button. You will be 
redirected to the download page and asked if you want to 'save' or 'run' the 
program. Choose to save it to your desktop (or any other place you might find 
convenient). 



\e\ £3 



\^J Download PortableApp^.corn Suite and ,,, + 
| ^J http://portableapps.coin/download 



ft ' \<S SI- GccgU 



^Jt*J[D: 



The PortableApps.com Platform is 1.00% Free. Free to use. Free to share. And f u My open source. 
Please make a donation to help support our development and hosting. 



tjSJSLEISSi 



Get everything you need at 
once or add only what you 
want. Pick what's right for you : 

Version 
Download Size 
Free Space Needed 
Recommended Device 
Supported Language 



Platform Only Suite Light Suite Standard 



Download I Download II Download 



1.6.1 

2MB download 

2MB installed 

All devices 

Multilingual 



1.6.1 

52MB download 

150MB installed 

256MB+ devices 

English 



1.6.1 

137MB download 

400MB installed 

1GB+ devices 

English 



PortableApps.com Platform 



P PQrtflbleADD5.com Menu 
* PortableApps.com Backup 

L Custom Folders, Icons & Auto run 



Bundled Apps 



'■■ft; Mozilla Firefox. Portable Edition 

(web browser) 



2. Insert you USB-Drive into your computer and locate the PortableApps file 
on your computer and double click to open it. 



22 



Organize T ||j] Open Share with T Burn New folder 



K ' a ® 



1^" Favorites 
■ Desktop 
£ Downloads 
:.- RecentPlaces 

jjj Libraries 
3 Documents 
gf Music 
t^ Pictures 
H Videos 

;*■ Computer 

*^ Network 



Libraries 
System Folder 



Computer 
System Folder 






Administrator 
System Folder 



Network 
System Folder 



31 Control Panel 
|J&d System Folder 

J^^ Mozilla Firefox 
tBjfj Shortcut 
\*JKf 1.06 KB 



^ Recycle Bin 

V*« System Folder 



Parallels Shared Folders 
jjhfl Shortcut 
(?jj ' 1.35 KB 



Po rta b leAp p s, c o rn_Su ite_Li ght_Set 
up_l,6.1_English 
PortableApps.com Suite 



r -j& PortableApps.corn_Suite_Light_Setup_1.6.,.. Date modified: 4/28/2011 9:07 PM 
^^pj Application Size: 50.7 MB 



4. It will ask you if you want to run the software. Choose 'Run 1 . 



FI3 



Open File - Security Warning 



Do- you wart to run this file? 



Name 

Publisher 

Type 

From 



... leApp s. co m_Suite_Light_Setup_l. 6. L_English.exe 
Rare Ideas, LLC 
Application 
C:\Users ,, 'Administrator\Desktop\PortableApps.c... 




Run 



Cancel 



F71 Always ask before opening this file 



While files from the Internet can be useful, this file type can 
potentially harm your computer. Only run software from publishers 
you trust. What's the risk? 



5. It will now open the installer allowing you to install the programs on your 
removable drive. 



23 



^ PortableApps.com Suite | PcirtableApps.cam Installer 




PortableApps.com Suite 1.6.1 



This wizard will guide you through the installation of 
PortableApps.com SuitE. 

If you are upgrading an existing installation of 
P0rt3bleApp3.com Suite r please dose it before proceeding, 

Click Nest to continue. 




Next> ""] } [ Cancel 



6. It is best practice to install the software on a clean formatted drive at the 
first level, (i.e. not in a folder.) In our case that is directly on the E: partition. 



-^ Browse For Folder 



Select the folder to install PortableApps.com Suite in: 



n 



X Desktop 
t> j=i Libraries 
t> jft Administrator 
A ;V Computer 
■> t^ Floppy Disk Drive (A:] 

Local Disk (CM 
[> ii% DVD Drive [D:) Windows 7 Ultimate - ~il Bit (Aut 
_ GREEN HO ST (E:) 
t>Sp Network 



Make New Folder 



OK Cancel 



24 



7. The installation will take some time and afterwards you can set some 
options and then start using the drive. 

Make sure to test on at least one computer if it works and if you understand 
how to operate it before taking it with you. You can modify the programs on 
the drive, by changing preferences or adding extensions, like you would with 
any other program. 

Especially for Firefox and Thunderbird this means that any extensions you 
might want to use can be and should be installed up-front on the USB drive. 



Caveats 

Deploying this technique doesn't guard you from many 
other threats such as key-loggers, malicious programs that 
intercept your keystrokes. See the chapter on Internet cafs 
for an explanation of the dangers of accessing your private 
information from a public environment. 



A 



25 



PROTECTING YOUR PASSWORDS 



26 




• 



Keeping passwords safe 

Passwords are for the computer world basically what keys 
are in the physical world. If you loose a password you will 
not be able to get in, and if others copy or steal it they can 
use it to enter. As a minimum measure a good password 
should not be easy to guess by people and not easy to 
crack by computers, while still easy enough for you to 
remember. 



Password length and complexity 

To protect your passwords from being guessed, length and complexity are the 
key factors. Passwords like the name of your pet or a birth date are very 
unsafe; also any word that appears in a dictionary is easily guessed by a 
computer. You should also never use a password containing only numbers. 
You should use a password containing a combination of lower case letters, 
capitals, numbers and special characters and it should have a minimum 
length of 8 characters for basic security. 

Minimizing damage 

If your password is leaked or guessed, it is very important to minimize the 
damage as much as possible. To this end there are two measures you can 
take. Firstly, be sure to keep different passwords for different sites, otherwise 
if your password for one site is compromised it is very easy for the attacker to 
gain access to your other accounts. You can for example do this by choosing a 
few basic passwords to which you add a unique suffix per site. Secondly, 
change your password from time to time, at least for things you consider to 
be sensitive. In that way, if an attacker has got access to your account 
without you noticing, you effectively block him out. 

Physical protection 

Especially if you are traveling and using internet cafes, or 
■■■■^^B other untrusted computers, you have to be aware that 
[■■■■■1 there are other ways for people to obtain your passwords. 
I ?ii^J I Firstly there is "over the shoulder" surveillance, where 
^^H ^^J someone, or a camera, watches your actions and might see 
the password you are typing (or where you are browsing). 
A second typical threat is the presence of key loggers. Key 
loggers are software or hardware devices that record 
keystrokes, they can be hidden inside a computer or keyboard and hence 
totally invisible to you. Be very careful what you do in those places and which 
sites you visit there. If you really have to use such a place be sure to change 
your passwords as soon as possible. For more tips on Internet Cafes read the 
chapter on them. 

27 



Easy-to-remember and secure passwords 

One way to create strong and easy-to-remember 
passwords is to start with a sentence you can easily 
remember, like: 



Q 



"this book really helps for securing my digital life!" 

Take for instance the first letter of every word: "tbrhfsmdl" and now add 
some more substitutions, the "f" can be the 4 (for "for") and we can add some 
capitals and special characters. The end result might be something like 
"TbRh4$mdU" Which is secure and easy to remember. Just try to think of a 
system that works for you to remember the passwords. Alternatively you 
might want to use one strong password that is easy to remember and keep all 
your other secure (less easy to remember) passwords by using a tool that 
keeps them securely on your computer or phone. 

Using an application to keep your passwords 

Even easy-to-remember passwords might be difficult to manage. One solution 
is to use a dedicated application to manage most of your passwords. The 
application we will discuss is Keepass which is a free and open password 
manager that is considered to be secure (given that you chose a sane and 
secure "master password" for the keepass application). 



For website passwords a more convenient solution that is probably safe 
enough for most of your passwords is to use the built-in password manager 
of the Firefox browser. Be sure to set a master password as is explained in the 
chapter on safe browsing, otherwise this is very insecure! Other browsers 
might also come with built-in password managers, but remember that if you 
don't have to unlock them with a master password they are mostly unsafe 
and easily retrievable by attackers having access to your computer. 



Protect your Website Passwords 

Browsers offer to save the login information and passwords for websites you 
use. If you choose to save the passwords, you should make sure that the 
passwords are stored in a safe way. See the chapter about Keeping your 
internet passwords safe in Firefox. 



28 



Caveats 



A 



If an application on your computer, like a chat or mail program, stores 

the password it uses, and you are not asked for it after reopening the 

program, it often means that it can be easily retrieved from your 

computer by someone having access (physical or otherwise) to it. 

If your login information is sent over an insecure connection or channel, 

it might fall into the wrong hands, (see the chapters on secure browsing 

for more information) 

Over the shoulder surveillance or key logging might compromise your 

passwords. 



29 



Installing KeePass 



We will cover installing KeePass on Ubuntu and Windows. 



Mac OSX comes with an excellent built-in password 
manager called Keychain that is just as save. Downsides 
are that it isn't Open Source and doesn't work on other 
systems. If you'd need to take your passwords from one 
Operating System to another it is better to stick with 
Keepass after all. How to use Keychain is covered in the 
next chapter. 




Installing KeePassX on Ubuntu 

To install on Ubuntu we will use the Ubuntu Software Center from 
Applications->Ubuntu Software Center. 



File Edit View Help 
D Installed Software 



Hi— IWMM 



Ubuntu Software Center 



atured Applications > 



Departments 



Graphics 



32731 items available 



te © 



Office Science t 

Eneineerir 



Type KeePass in the search field at the top right and the application KeePassX 
should automatically appear in the listing. 



30 



1 matching it^n 



Highlight the item (it may already be highlighted by default) and then press 
'Install'. You will be asked to Authorise the installation process: 



Authentication is required to 
install software packages 

An application is attempting to perform an action that 
requires privileges. Authentication is required to perform this 
action. 



Password: 



+ Details 



Cancel 



Authenticate 



Enter your password and press 'Authenticate' the installation process will 
then begin. 



31 



File Edit View Help 

D Installed Software 
f*f In Progress (1) 




1 matching it^ir 



Ubuntu does not offer very good feedback to show the software is installed. 
If the green progress indicator on the left has gone and the progress bar on 
the right has gone then you can assumed the software is installed. To check 
you can open the program from the menu Applications->Accessories- 
>KeyPassX 




G In Progress (1) 



1 matching it^rr 



32 



Installing KeePass on Windows 

First visit the KeePass download webpage 

(http://keepass.info/download.html) and choose the appropriate installer. For 
this chapter we are using the current installer (KeePass-2.i5-Setup.exe which 
can also be directly downloaded from here 
http://downloads.sourceforge.net/keepass/KeePass-2.i5-Setup.exe). 



Download this to your computer then double click on the installer. You will 
firt be asked to select a language, we will choose English: 



'' 


SefecrSerup Language ) 


< 


■ 


Select the language to use during the 
installation: 




\WEWKKKKKKKKKKKKKKKKtMz\ 










OK | Cancel 


1 




■ 



Press 'OK' and you will be shown the following screen: 



It is recommended that you close all other applications before 
continuing, 




Next > 



Cancel 



Just press 'Next >' and go to the next screen : 



33 



. - ffeePas; Password Safe 



License Agreement 

Please read the following important information before continuing. 




Please read the following License Agreement. You must accept the terms of this 
agreement before continuing with the installation, 



|<eePass: Copyright (c) 2003-2011 Dominik Peichl <dominik.reichl@t-online.de>. ^J 

The software is distributed under the terms of the GNU General Public 
License version 2 or later. 

GNU GENERAL PUBLIC LICENSE 
Version 2, June 1991 



Copyright (C) 1989, 1991 Free Software Foundation, Inc. 

51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 
Everyone is permitted to copy and distribute verbatim copies 

<" I accept the agreement 

(• I do not accept the agreement 



zl 



<Back 



L 



] 



Cancel 



In the screen shown above we must select 'I accept the agreement' 
otherwise we will not be able to install the software. Choose this option and 
then press 'Next >'. In the next screen you will be asked to determine the 
installation location. You can leave this with the defaults unless you have 
good reason to change them. 



Select Destination Location 

Where should KeePass Password Safe be installed? 






B 


1 Setup will install KeePass Password Safe into the following folder, 
To continue, click Next. If you would like to select a different folder, click Browse. 






At least 2.8 MB of free disk space is required, 












<Back 


| Next > 


1 


Cancel 











34 



Click on 'Next >' and continue. 



Setup - ffeePo;; Password Sa/e 



Select Components 

Which components should be installed? 




Select the components you want to install; clear the components you do not want to 
install. Click Next when you are ready to continue. 



3 '"ore KeePass Application Files 


2.1 MB 1 


Help Manual 


0.6 MB 


Native Support Library (KeePass 1.x) 


1 . 1 MB 


XSL Stylesheets for KDB4 XML Files 


0.1 MB 


M Optimize KeePass Performance 


1.0 MB 


M Optimize KeePass On-Demand Start-Up Performance 


0.1 MB 



Current selection requires at least 5,4 MB of disk space, 



< Back Next > 



Cancel 



The above image shows the KeePass components you can choose from. Just 
leave the defaults as they are and press 'Next >'. You will come to a new 
screen: 



35 



, - KeePass Password Safe 



Ready to Install 



5etup is now ready to begin installing KeePass Password 5afe on your computer. 



£■ 



Click Install to continue with the installation, or click Back if you want to review or 
change any settings, 



Destination location: 




^ 


C:\Prograrn Files\KeePass Password Safe 2 






Setup type: 






Full installation 






Selected components: 






Core KeePass Application Files 






Help Manual 






Native Support Library (KeePass 1.x) 


' 


XSL Stylesheets for KDB4 XML Files 




Optimize KeePass Performance 




Optimize KeePass On-Dernand Start-Up Performance 


J 



< Back | Install | Cancel 



This doesn't do anything but give you a summary of your options. Press 
'Install' and the installation process will begin. 



Setup - KeePass Password Safe 

Installing 

Please wait while Setup installs KeePass Password Safe on your computer, 




Finishing installation. 



Cancel 



36 



Encrypting Passwords with a 
Password Manager 

To encrypt password we use KeePass on Windows and KeePassX Ubuntu, and 
Keychain on OSX. The basic principle is the same; you have a file on your 
computer which is encrypted with one single very secure password. This is 
sometimes referred to as a 'Master Password', 'Admin-Password', 'Root- 
Password' etc. but they are all the ultimate key to all your other keys and 
secure data. For this reason you can't and shouldn't think to light about 
creating this password. 

If a password manager is part of your OS (like it is with OSX) it unlocks 
automatically for you after you login to your account and so opening secure 
information like passwords. For this, and other, reasons you should disable 
'Automatically Login'. When you start-up your computer you should always 
have to login and, even better, set your computer to automatically logout or 
lock the screen after a set amount of time. 



Encrypting Passwords with KeePassX on Ubuntu 

First open KeePassX from the Applications->Accessories -> KeePassX menu. 



File Entries Groups View Extras Help 

a bj a it f 4 <3£ 



Groups 


Title ^lUsername URL Password Comments 











Ready 



The first time you use KeePassX you need to set up a new database to store 
your passwords. Click on File->New Database 



37 



Entries Groups View Extras Help 



Open Database- 
Bookmarks 



Ctrl+O 



y Title v | Username | URL 



Close Database 


Ctrl+W 


Save Database 
Save Database As... 


Ctrl +5 


Database Settings... 
Change Master Key... 


Import from.. . 

Export to... 


> 
> 



Lock Workspace 
Quit 



Ctrl+L 
Ctrl+Q 



I tJ I 



Password Comments 



Ready 



You will be asked to set a master key (password). 



New Database 



^ Set Master Key 



Enter a Password and/or choose a key file. 
Key 



H Password: 
Key File: 



Browse... 



Generate Key File.. 



Cancel 



OK 



Choose a strong password for this field - refer to the chapter about 
passwords if you would like some tips on how to do this. Enter the password 
and press 'OK'. You then are asked to enter the password again. Do so and 
press 'OK'. If the passwords are the same you will see a new KeePassX 
'database' ready foryou to use. 



38 



File Entries Groups View Extras Help 



a u h : es <4. <$ i ji t\ i a i 



Groups 


Title v | Username URL Password Comments 


^Internet 




& eMail 







Ready 



Now you have a place to store all your passwords and protect them by the 
'master' password you just set. You will see two default categories 'Internet' 
and 'Email' - you can store passwords just under these two categories, you 
can delete categories, add sub-groups, or create new categories. For now we 
just want to stay with these two and add a password for our email to the 
email group. Right click on the email category and choose 'Add New Entry...': 



File Entries Groups View Extras Help 
QBJ B 



<* <3 , jl Ej I Q I 



Groups 


Title v Username URL Password Comments 


@ Internee 














Add New Subgroup... 
Edit Group... 
Delete Group 
Sort groups 






Add New Entry... Ctrl+Y 


Search in this Group... 





















Ready 



39 



r 


f Unfit/ 


d Entry) 






r x~| 


^ New Entry 


















Icon: (gi| 


Group: 


CieMail 




V 










Title: 




























Username: 




























URL: 




























Password: 




























Repeat: 












Gen. | 














Quality: 


1 










Bit 
















Comment: 












B Never 


m 


§| 


Expires: 


1/1/00 12:00 AM 




: loju 










Attachment: 


































Tool 5 v 


C an eel 


OK 











So now fill this form out with the details so you can correctly identify which 
email account the passwords are associated with. You need to fill out the 
fields 'Title' and the password fields. All else is optional. 



40 



r 




my 


zmail 






[x 1 


^ New Entry 










GroLp: 

Title: 

Username: 

URL: 

Password: 

Repeat: 
Quality: 

Comment: 

Expires: 
Attachment: 






Icon: |^j 


CieMail 


V 






my email 












adam 
























******* 




























I Ge O- 1 




















56 Bit 


















H Never 


SI" 


in 


1/1/00 12:00 AM 


: LoJW 


























Tools v 


Cancel 


OK 















KeePassX gives some indication if the passwords you are using are 'strong' or 
'weak'. ..you should try and make passwords stronger and for advice on this 
read the chapter about creating good passwords. Press 'OK' when you are 
done and you will see something like this: 



41 



File Entries Groups View Extras Help 



Quai^of^iiCIQI 



Groups 



@J Internet 




Password 



my email 



Group: 
Usemame: 
Password: 
Attachment: 

i "* i ■ 



Creation: 05/01/2011 
Access: 05/01/2011 

Modification: 05/01/2011 
Expiration: Meyer [-] 



I] 



Ready 



To recover the passwords (see them) you must double click on the enter and 
you will see the same window you used for recording the information. If you 
click on the 'eye' icon to the right of the passwords they will be converted 
from stars (***) to the plain text so you can read it. 

Now you you can use KeePassX to store your passwords. However before 
getting too excited you must do one last thing. When you close KeePassX 
(choose File->Quit) it asks you if you would like to save the changes you have 
made. 



© 



Save modified file? 



The current file was modified. 
Do you wart to save the changes? 



Can eel 



No 



Yes 



Press 'Yes'. If it is the first time you used KeePassX (oryou have just created a 
new database) you must choose a place to store your passwords. Otherwise 
it will save the updated information in the file you have previously created. 

When you want to access the passwords you must then open KeePassX and 
you will be asked for the master key. After typing this in you can add all your 
passwords to the database and see all your entries. It is not a good idea to 
open KeePassX and have it open permanently as then anyone could see your 
passwords if they can access your computer. Instead get into the practice of 
just opening it when you need it and then closing it again. 



42 



Encrypting Passwords with KeePass on Windows 

Afteryou installed KeePass on Windows you can find it in the application 
menu. Launch the application and the following window should appear. 



I@|-^3»| 



(a) KeePass Password Safe 



File Edit View Tools Help 



User Name Password URL 



of selected 



| Ready. 



You start by making a database, the file which will contain your key. From the 
menu select File > New. You have to chose the name and the location of the 
file in the dialog window below. In this example we call our database 
'my_password_database'. 



43 




) Create New Password Database 



Zoeken in Private 



3« 



Qrgani&eren T Nieuwe map 



^ Recente locaties 

*^i Bibliotheken 
Ifcl Afb eel ding en 
|3 Documenten 
|j Mijn docurnen 
AE.uE.WebSto 
Bluetooth Exi 
EBI 

Private 
Openbare doci 
■J* Muziek 



Documenten 

Private 



Gewijzigd op 
Geen zoekresultaten. 



Rangschikken op: Map T 
Type 



- <\m 



B esta n d sn a a m : my_p a 5swo rd_d ata b a se 



Opslaan als: KeePass KDBX Files (*.kdbx) 



^ Mappen verbergen 



Opslaan Annuleren 



The next screen will ask you for the master password. Enter the password and 
click on 'OK'. You will not need to select anything else. 



44 



(fl] Create Composite Master Key 






Create Composite Master Key 

C: ,| .Users ,| .dentc>ir\DocuiTients ,| ,PrivateliTiy_password_database.kdbx 



Specify the composite master key, which will be used to encrypt the database. 

A composite master key consists of one or more of the following key sources. All sources you specify will 
be required to open the database. If you lose one source, you will not be able to open the database. 



[7] Master password: 

Repeat password: 
Estimated quality: 



[""*] 



54 Bits 



:.H*|y..!fi!e../. R.rov.iderJ 



Create.. 



[jj? Browse... 

Create a new key file or browse your disks for an existing one. If you have installed a key provider 
plugin, it is also listed in this combo box. 

Windows user account 

This source uses data of the current Windows user. This data does not change when the Windows 
account password changes. 

ff the Windows account is lost, it will not be enough to create a new account with the same user 
name and password. A complete backup of the user account is required. Creating and restoring 
such a backup is not a simple task . If you don t know how to do this , don t enable this option . 



Help 



OK 



Cancel 



The next window allows you to add special configuration settings foryour 
new database. We do not need to edit anything. Just click on 'OK'. 



45 



(.ft] Create New Password Database - Step 2 



abase Settings 

Here you can configure various database settings. 



General Security | Protection | Compression | Recycle Bin | Advanced | 



Database name: Enter a name for the database or leave it empty. 

Database description: 

Enter a short description of the database or leave it empty. 



Default user name for new entries: 
Custom database color: 



Help 



OK 



Cancel 



Now the main window appears again and we see some default password 
categories on the left side. Lets add a new password in the category 'Internet'. 

First click on the word 'Internet', then click on the add entry icon ' * under 
the menu bar. 



46 



(ft.) my_password_database.kdbK* - KeePass Password Safe 



^ 



if. 



File Edit View Tools Help 



&■ my_password_database 

O General 
3 Windows 
Q Network 
^ Internet 
& eMail 
4>t) Hornebanking 



Title User Name Password 

$? Sample En... User Name 



URL Notes 

http ://www. ... N otes 



of 1 selected 



| Ready. 



A widow will appear like below. Use the fields to give a description of this 
particular password, and of course, enter the password itself. When done, 
click on 'OK 1 . 



47 



(3) Add Entn 



t^ 



Add Entry 

Create a new password entr> 



Entry Advanced | Properties | Auto-Type | History | 



Title: 



MyGmail password 



Icon: 




□ Expir. 



1- 5-2011 13:54:41 



■- [o] 



lii$ Tools 



c 



OK 



] 



Cancel 



Encrypting Passwords with Keychain on Mac OSX 

Mac OSX comes pre-installed with the build in password manager 'Keychain'. 
Because of it's tight integration with the OS most of the time you will hardly 
know it exists. But every now and then you will have a pop-up window in 
almost any application asking 'do you want to store this password in your 
keychain?'. This happens when you add new email accounts to your mail 
client, login to a protected wireless network, enter your details in your chat 
client etc. etc. etc. 



Basically what happens is that Mac OSX offers you to store all that login data 
and different passwords in an encrypted file which it unlocks as soon as you 
login to your account. You can then check your mail, logon to your WiFi and 
use your chat client without having to enter your login data all the time over 
and over again. This is a fully automated process, but if you want to see what 
is stored where and alter passwords, or lookup a password you will have to 
open the Keychain program. 

You can find the Keychain program in the Utilities folder which lives in the 
Applications folder. 



48 



Utilities 




Keychain Access 



When you open it you will see that your 'Login' keychain is unlocked and see 
all the items contained in it on the right bottom side of the window. 

(note: the window here is empty because it seemed to be deceiving the 
purpose of this manual to make a screenshot of my personal keychain items 
and share it here with you) 



ft n o 

| Click to lock the login keychain. 



Keychain Access 




Keychains 


tf login 


S System 


Q System Roots 


Category 


,1 All Items 



/„ Passwords 

Secure Notes 
□ My Certificates 
t Keys 
'j Certificates 



H0S 



49 



You can double click any of the items in the Keychain to view it's details and 
tick 'Show password:' to see the password associated with the item. 



a ^ o 



Greenhost Clients 



I Attributes Access Control 



A 



Name: Creenhost Clients 



Kind: AirPort network password 



Account: Creenhost Clients 



Where: DEE954S7-B706-4ZC5-9E3r-uD9F"2Q6C33EA 
Comments: 



® 5how password: 



a 

f Save Changes ) 



You will note that it will ask you for your master or login password to view 
the item. 




Type an administrator's name and password 
to allow Keychain Access to make changes. 



Name: John 
Password: 



IK Details 

® 



( Cancel ) ( OK ) 



You can access modify any of the items and also use the Keychain to securely 
save any bits and pieces of text using the notes. To do this click on notes and 
than choose 'New secure Note item' from the file menu. 



50 



That's it 



51 



SAFE BROWSING 



52 




Introduction to safe browsing 

Web browsing is one of the key activities we engage in while using the 
internet. Our browsing histories, the things we search for, the sites we visit 
and the things we might post might be of interest to others, it is valuable to 
them either for commercial or political reasons. The following chapter deals 
with securing the way you browse the internet and makes you more familiar 
with threats you are facing so you can recognize them and act appropriately. 

The first thing to consider is which web browser to use. 
Windows comes pre-installed with Internet Explorer while 
Apple computers come shipped with Safari. In this book 
' we will exclusively look at the excellent and freely available 
Firefox browser. 



Firefox runs on all the major operating systems Windows, MacOS and Linux 
and it has been translated into more than 75 languages. When concerned 
about securing your browsing activities there it is the only viable option when 
choosing a browser. Therefore this section only deals with Firefox and its add- 
ons. Know that you can also install Firefox on a CD or USB, so you can take it 
with you where ever you go, so you know you have it installed from a trusted 
source (see also the chapter on portable software). 

Why browsing is unsafe 

The Hypertext Transfer Protocol (HTTP) is the networking protocol used by 
browsers that allows communication between you and a site you are visiting. 
Because communication is transmitted in plain text it is unsafe, especially 
when using wireless networks. It is like transmitting a message with personal 
information on a postcard. Data, such as user names and passwords, sent to 
and received by Web sites, are easy to read by third parties. 

To solve this problem the Hypertext Transfer Protocol Secure (HTTPS) was 
invented to provide encrypted communication and secure identification of a 
network web server. Most major Web sites, including Google, Wikipedia, and 
popular social networking platforms such as Facebook and Twitter, can also 
be reached via a secure connection, but not necessarily by default. Note that 
most sites do not provide encryption. 



53 



What is the difference between HTTP and HTTPS? Meet Sacha and John: 



Sacha uses HTTP 
to browse the web 
His data isn't 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his computer 
and the web. 



A'A 




John uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

but appears as 

garble to any 

eavesdropper 

between his 

computer and 

the web. 



In this section will discuss several safety measures: how to install Firefox, 
how to extend Firefox with add-ons to ensure safer browsing, and how to 
finder safer routes through TOR, proxy settings and FoxyProxy. 



54 



Installing Firefoxon Ubuntu 



Firefox is already installed on Ubuntu as part of the normal installation. If you 
want to install a different (most commonly newer) version of Firefox on your 
Ubuntu system (or other GNU/Linux systems) that is also possible and is 
explained below. 

Accessing it is easy. If you are using an installation of Ubuntu with no changes 
to the default Desktop, select Applications > Internet > Firefox Web Browser. 



"£J Applications Places 


System 


HJL Accessories ► 
\M Games ► 
^^ Graphics ► 




5 Internet ► 


B3 Ekiga Softphone 


V Office ► 
H Sound & Video ► 


^| Evolution Mail 
i&, Firefox Web Browser 




[jvi Add/Remove,., 


-' Gaim Internet Messenger 

E" gFTP 

■ft Terminal Server Client 



Firefox starts and a welcome window opens: 



flaliaw jr stay ?-/..! - flualila PHaJu.! 

Elle Edit yiew History Bookmarks I00I5 Help 

J 1 I Lj fileMisr/sharWubuntu-artworiiftvome ' - | ► | ■] 
• Getting starter} b.4 Latest BBC Headlines 



3 



43 ubuntu 




Welcome to Ubuntu 7.04, Feisty 
Fawn! 

The Ubuntu project is built on the ideas enshrined in the 
Ubuntu philosophy : that software should be available free 
of charge, that software tools should be usable by people 



55 



If you want to upgrade the version of Firefox included with Ubuntu to the 
latest version, such as a beta version or a new stable version, replacing your 
existing version, a detailed guide is available on the Ubuntu wiki at 
https://help.ubuntu.com/community/FirefoxNewVersion 



56 



Installing on Mac OS X 



1. To download Firefox, visit http://www.mozilla.com/ and click on the big 
green button labeled "Firefox Free Download.", and the download starts. 
If it does not start automattically, click the link on the page. 



03- ©O® « 



Mozilla | Firefox web browser & Thunderbird email cli 




57 



2. When prompted, click OK. 



IQj 



Opening Firefox 4.0.1, drng 



You have chosen to open 
■ Firefox 4.0.1.dmg 

which is a: DMC file 

from: http://www.mirrorservice.org 

What should Firefox do with this file? 



O Open with f Choose., .J 
© Save File 

Q Do this automatically for files like this from now on. 



( Cancel ^ ( OK ) 



Once the download is complete a window similar to this appears: 

i Firefox 



eoo 




3. Click and hold the Firefox icon, then drag it on top of the Applications 
icon. When it is on top of the Applications icon, release the mouse 
button. This starts copying the program files to the Applications 
directory on your computer. 

4. When the installation step is finished, close the two small Firefox 
windows. 

5. Eject the Firefox disk image. If this does not work by normal means, 
select the disk image icon and then, in the Finder menu, select File > 
Eject Firefox. 



58 



6. Now, open the Applications directory and drag the Firefox icon to the 
dock: 




7. Click either icon (in the Dock or the Applications folder) to start Firefox. 
The Import Wizard dialog box appears: 



_«. 



Import Wizard 



_ 



Import Settings and Data 



$ 



Import Preferences, Bookmarks, Historf, Passwords and other data 
from: 



Safari 



Cancel \ 



Co Back ^Continue j 



To import your bookmarks, passwords and other data from Safari, click 
Continue. If you don't want to import anything, just select Cancel. 



59 



9. Click Continue. Now you see the Welcome to Firefox page. 



Welcome to Firefox 4 



4 I | ® htt[.:.'.'V,7V, mci U cor ■cn-l.S/'-retox.M.O.lf'cvhs 



n?l ( if- Googfc 



3BE 



«i mozilla 
i Firefox 



Made by a global non-profit dedicated to shaping the 
future of the Web for the public good. Learn more » 



Stepi: 
MEET FIREFOX 4 

o 



Step 2: 

KNOW YOUR BROWSER 

© 









KEEP IN TOUCH 



*Jt Join the party » 



Go Mobile. Play Spark! » 



To learn basic information about Firefox, click Getting 

Started. 

For assistance, click Visit Support. 

To customize your new installation using the addons 

wizard, click Customize Now! 

In the upper right of the Welcome page is a button 

labeled Know your rights. Click this button to display 

the following screen, which tells you about your rights 

under the Mozilla Public License and provides links to 

Mozilla's privacy policies and service terms, as well as 

trademark information. 



About Your Rights 

Mozilla ftrcfnx is Free and open source inFtwart, built by a 



if of thouiandi from all over the world. There ire a few things. you % 



■ Firefox <i made 4vill*We ro vow \t«at< the wnrs ;■! the 'A-.^ .-, Public Ucor^e -. Thij meim *ou may u&e. copy and d ^tribute Firefox io when. 
You vt alio wflcom* to modihr (hia mum cods of F\rtfvt a you warnr w mm your nttds. th: Moziiin Public Hcan^t aUc fl>ieei you tfif 

fight to dlftnbure your modified vci.ic*if . 
• Moz N* <HXi not gram y om any rlghn to the Moz II* and Firefox tradf-marKs or log<f5 AjJd'Tipial information on TradernaiKi mj^ w f(j,,nd 

» Privacy policies, lor MozHla's fKaducri n*ay be found here . 



10. Close the Welcome to Firefox page (click the x in the tab at the top of 
the page). Now you see the Firefox Start page. 

Congratulations, you are now ready to use Firefox! 
60 




<: 



Dayeu k^* atM-o*a? Shan* wmi 1 favorite* and ifawafna^oiTafi w*h Collecticr*. 



If you have permission problems when trying to copy Firefox from the disk 
image to your Applications folder, first try deleting your old Firefox copy, then 
proceeding. 

If you're installing a beta and that you want to keep your former Firefox copy, 
first rename your old Firefox copy to something like "Firefox old" and then 
copy the beta to your Applications folder. 



61 



Installing Firefox on Windows 




Firefox requires a computer with a minimum of a 233 MHz processor, running 
Windows 2000 or later. To check system requirements for Firefox, go to: 
http://www.mozilla.com/firefox/system-requirements.html 



62 



Download and Install Firefox 

1. Visit the Firefox Download Page at http://www.mozilla.com/firefox/ in 
any browser (such as Microsoft Internet Explorer). The download page 
automatically detects the operating system and language on your 
computer and recommends the best edition(s) of Firefox foryou. If you 
want to download Firefox for a different language or for a different 
operating system than the one detected, click "Other Systems and 
Languages" to see a list of all the others available. 



$ 



mozilla 

Firefox 



DESKTOP 



MOBIL 



Made to make the 
Web a better place. 

a new super even more 

look speed awesomeness 




M Systems & Languages Privacy Policy 
Get Firefox on your phone! 



2. Click the download button and the setup file will begin to download to 
your computer. Once the download completes, it is recommended that 
you exit all your running programs before running the installation. 



63 



3. Double-click the file to start the Firefox install wizard. 

o If you are running Windows Vista, you may get a User 

Account Control prompt. In this case, allow the setup 

to run by clicking Continue. 
o If you are running Windows 7, you will be asked 

whether to allow Firefox to make changes to your 

computer. Click on Yes. 

A welcome screen appears. 

4. Click Next to continue. The Setup Type screen appears. A "Standard" 
setup is selected by default (using the custom option is only 
recommended for experienced users). 



^) Mozill.a Firefox Setup 



Setup Type 

Choose setup options 



£' 



Choose the type of setup you prefer r then dick Nest. 

(<8>> Standard 

Firefox will be installed with the most common options, 

Q Custom 

You may choose individual options to be installed, Recommended for experienced 



<Back 




Next > 



Cancel 



64 



5. Firefox installs itself as your default browser. If you do not want Firefox 
to be your default browser, clear the check box Use Firefox as my 
default web browser. 



ii Mozilta Firefox Setup 








[ i=i | |»£3™| 




Sunmary 9L Jh 

Ready to start installing Firefox 


Firefox will be installed to the following location: 


CiV^rogram FilesV^ozilla Firefox 


[71 Use Firefox as nny default web browser 
Click Install to continue. 


c 










<Badt 


11 


Install 


Cancel 











6. Click Next. 



65 



Firefox asks whether to import the settings, like bookmarks, from other 
browsers. Select the browseryou are currently using, then click on 
Next. 



Import Wizard I I 


Import Settings and Data j^t^ 1 

w 


Import Options, Bookmarks, History, Passwords and other data from: 


a ! Microsoft Internet Explorer! 
© Don't import anything 
















< Back 


Next> 




Cancel 















66 



Firefox will confirm you have imported the setting and continue the 
installation. Click on Continue. Once Firefox has been installed, click 
Finish to close the setup wizard. 



Jj Mozilla Firefox Setup 




Completing the Mozilla Firefox 
Setup Wizard 

Mozilla Firefox has been installed on your computer, 
Click Finish to dose this wizard, 

[71 Launch Firefox now 



<Back 



^^^ | 



Cancel 



If the Launch Firefox now check box is checked, Firefox will start afteryou 
click Finish. 



Windows Vista Users: 

If at any time throughout the installation process you are prompted with a 
User Account Control (UAC) window, press Continue, Allow, or Accept. 



Troubleshooting 

If you have problems starting Firefox, see 
http://support. mozilla. com/kb/Firefox+will+not+start 



67 



Protecting your internet passwords 

Firefox can rememberyour internet passwords. This can be a very convenient 
option to use with all those different sites requiring passwords nowadays. 
However, if you use this function you have to set a master password, 
otherwise this feature is a real security threat. To enable a master password 
open your Firefox preferences and select the security icon. Check the "use a 
master password" box. 



eo 


n 








Security 




General 


Tabs 


■a - 

Conte nt 


Applications 


m 

Privacy 


Security 


Advanced 



M Warn me when sites try to install add-ons ' Exceptions...^ 

M Block reported attack sites 
W Block reported web forgeries 

Passwords 

Remember passwords for sites 'Exceptions... ' 



M Use a master password [Change Master Password...^ 

(Saved Passwords... 

Warning Messages 

Choose which warning messages you want to see while browsing the web ^Settings.. .^ 



After launching Firefox is will ask you once for the master password, after that 
the internet password keyring will be unlocked. If the internet password 
keyring is unlocked, you can inspect all saved passwords in the Preferences -> 
Security -> "Saved Passwords ..." dialog. If you browse to a known website 
with a login form, the password is entered automatically. 



A 



Please note that at the time of this writing the 
implementation of Firefox' internet password keyring is not 
complete, as it is not locked automatically after a certain 
time of inactivity or before closing your laptop lid. If you 
want Firefox to lock your internet password keyring 
automatically after a certain time of you not using your 
computer, you might install the "Master Password 
Timeout" Plugin. 



68 




Extending Firefox 

When you first download and install Firefox, it can handle 
basic browser tasks immediately. You can also add extra 
capabilities or change the way Firefox behaves by installing 
add-ons, small additions that extend Firefox's power. 



Firefox extensions can pimp your browser, but they can also collect and 
transmit information about you. Before you install any add-on, keep in mind 
to choose add-ons from trusted sources. Otherwise, an add-on might share 
information about you without your knowing, keep a record on the sites you 
have visited, or even harm your computer. 

There are several kinds of add-ons: 

• Extensions add functionality to Firefox 

• Themes change the appearance of Firefox. 

• Plugins help Firefox handle things it normally can't process (i.e. Flash 
movies, Java applications). 

For the topics covered in this book we are only going to need extensions. We 
will look at some add-ons that are particularly relevant for dealing with 
Internet security. The variety of available extensions is enormous. You can add 
dictionaries for different languages, track the weather in other countries, get 
suggestions for Web sites that are similar to the one you are currently 
viewing, and much more. Firefox keeps a list of current extensions on its site 
(https://addons.mozilla.org/firefox), or you can browse them by category at 
https://addons.mozilla.org/firefox/browse. 



A 



Caution: We recommend that you never install an add-on 
for Firefox unless it is available from the Firefox add-on 
pages. You should also never install Firefox unless you get 
the installation files from a trusted source. It is important 
to note that using Firefox on someone else's computer or 
in an Internet caf increases your potential vulnerability. 
Know that you can take Firefox on a CD or USB-stick 
(check our chapter on that issue). 



While no tool can protect you completely against all threats to your online 
privacy and security, the Firefox extensions described in this chapter can 
significantly reduce your exposure to the most common ones, and increase 
your chances of remaining anonymous. 



69 



HTTPS Everywhere 

HTTP is considered unsafe, because communication is transmitted in plain 
text. Many sites on the Web offer some support for encryption over HTTPS, 
but make it difficult to use. For instance, they may connect you to HTTP by 
default, even when HTTPS is available, or they may fill encrypted pages with 
links that go back to the unencrypted site. The HTTPS Everywhere extension 
fixes these problems by rewriting all requests to these sites to HTTPS. 
Although the extension is called "HTTPS Everywhere", it only activates HTTPS 
on a particular list of sites and can only use HTTPS on sites that have chosen 
to support it. It cannot make your connection to a site secure if that site does 
not offer HTTPS as an option. 



What is the difference between HTTP and HTTPS? Meet Sacha and John- 



Sacha uses HTTP 
to browse the web 
His data isn't 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his computer 
and the web. 



A'A 




John uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

but appears as 

garble to any 

eavesdropper 

between his 

computer and 

the web 



Please note that some of those sites still include a lot of content, such as 
images or icons, from third party domains that is not available over HTTPS. As 
always, if the browser's lock icon is broken or carries an exclamation mark, 
you may remain vulnerable to some adversaries that use active attacks or 
traffic analysis. However, the effort required to monitor your browsing 
should still be usefully increased. 

Some Web sites (such as Gmail) provide HTTPS support automatically, but 
using HTTPS Everywhere will also protect you from SSL-stripping attacks, in 
which an attacker hides the HTTPS version of the site from your computer if 
you initially try to access the HTTP version. 

Additional information can be found at: https://www.eff.org/https- 
everywhere. 



70 



Installation 

First, download the HTTPS Everywhere extension from the official Web site: 
https://www.eff.org/https-everywhere. 



Select the newest release. In the example below, version 0.9.4 of HTTPS 
Everywhere was used. (A newer version may be available now.) 



CeDQIDS 



I ^ HTTPS Everywhere | Electronic Frontier ... || + | 

1 «lt L^©£i ±J httpsi/./www, eff.org/http s- everywhere 



implemei 



^ 



- C a- Google vP I # E' 



HTTPS E 
services 
https:// p 

In an ide 
from req 



Firefox prevented this site (www.eff.org] from 
asking you to install software on your 
computer. 



Allow 



J 



loScript, and to support cm 
TPS without breaking anyth 



Unfortunately, there's no \t 
you get from requesting hi 
the only way to switch every page to https is to fetch the page insecurely fi rst. There is a Chrc 
Enforcer which attempts to take that approach, but it does not appear to be implemented sec 
seemed to always use http before https. which means that your surfing habits and authentica 
(this may be a limitation of the Chrome Extensions framework}. 

License 



HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To 1 
development page . 



Attachment 
https-everwhere-0.9.2.xpi 



Size 
55.S2 KB 



https-evervwhere-0.9.9 


development 


3.xpi 


1 88 9 KB 


https-everwhere-0.9.4 


xpi 




56 1 8 KB 


Chanaeloa.txt 






5 66 KB 





Click on "Allow". You will then have to restart Firefox by clicking on the 
"Restart Now" button. HTTPS Everywhere is now installed. 



71 



HTTPSI 
services 
https:// p | 

In an ide; 



I * HTTPS Everywhere | Electronic Frontier ... |L^J 



^f^S 




impleme 



HTTPS-Everywhere will Deinstalled after you 
restart Firefox, 



Restart Now t 



JoScript, and to support cor 
TPS without breaking anyth 



Unfortunately, there's no \t 



from requesting h"ps -■;■;■;■:;■; domain lonvpaje is the same as what you get from requesting hi 
the only way to switch every page to https is to fetch the page insecurely fi rst. There is a Chrc 
Enforcer which attempts to take that approach, but it does not appear to be implemented sec 



seemed to always use http before https. which means that your surfing habits and authentica 
(this may be a limitation of the Chrome Extensions framework}. 

License 



HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To i 
development page . 



Attachment 
https-evervwhere-0.9.2.xpi 



https-evervwhere-0. 9. 9. development. 3. xpi 



https-evervwhere-0.g.4.xpi 



Chanaelog.txt 



Size 

55.82 KB 
188 9 KB 
56.18 KB 

5.66 KB 



' 



Configuration 

To access the HTTPS Everywhere settings panel in Firefox 4 (Linux), click on 
the Firefox menu at the top left on your screen and then select Add-ons 
Manager. (Note that in different versions of Firefox and different operating 
systems, the Add-ons Manager may be located in different places in the 
interface.) 



72 



I -(( Add-ons Manager 



1 + 1 



SE^ 



♦ ♦ 



#^ 



Searth ait add-ons 



HTTPS-Everywhere 0.9.4 

En crypt the Web! ... More Options Disable Remove 



/ 



Click on the Options button. 



HTTPS Everywhere Preferences 






*2j 










Which HUMS redirection rule^ should apply' 








Amazon (buggy) El Amazon £3 


El brtiy 


E| CDT 


□ Cisco (testing) 


Dropbox DuckDuckGo 


m EFF 


El Evernote 


H Facebook 


Facebookt (may break apps) V. Gentoo 


El GitHub 


El GMX 


El Google APIs 


El Google Search GoogleServices 


El Hotmail /Live 


Identic a 


El Ixquick 


H Mail.com El Meebo 


Microsoft 


Mozilla 


E NLOverheid 


[7| Noisebridge £1 NYTirnes 


El PayPal 


El Scroogle 


[71 Torproject 


E| Twitter El Washington Post 


Wikipedia 


WordPress.com 


E Zoho 


You can learn how to write your own rulesets (to add support! 


orotherweb sites) h_ 


ere , 




| Disable All | 


1 « || 


EnableAII | | Cancel 









A list of all supported Web sites where HTTPS redirection rules should be 
applied will be displayed. If you have problems with a specific redirection 
rule, you can uncheck it here. In that case, HTTPS Everywhere will no longer 
modify your connections to that specific site. 



73 



Usage 

Once enabled and configured, HTTPS Everywhere is very easy and transparent 
to use. Type an insecure HTTP URL (for example, http://www.google.com). 




Sf^S 



Mozilla Firefox Start Page j + | 

http ://www, g o o g I e, c o rn/ 



e1 [a-G°ogfe^] l#llB-| 




Google 



Search AdvancEd ^ arch 

PrefErEnces 



If 5 easy to customize your Firefox exactly the way 
you want it. Choosefrom thousands of add-ons. 



^y* Restore Previous Session 



About Mozilla 



Press Enter. You will be automatically redirected to the secure HTTPS 
encrypted Web site (in this example: https://encrypted.google.com). No other 
action is needed. 



74 













SS^ 


1 *% Google 






~ 


<-,* liffEH 


^ajHnps://encrypted,google,corn./^* i \ 7 ' T CM £*■ 


r Gaagts 


P] * D- 










' a ssl 

e 

>eta 




r-: Jd 


GooqI 

Ot 

Go to classic Google. 






| 


Advanced sea 
Language tcclE 


Advertising Prograr 






Google 






Google Search 


I'm Feeling Lucky 




Deutschland 


Learn more about searching on Google 

is Business Solutions About Google 
©2011 -Privacy 


with SSL. 
Goto 




* 











If networks block HTTPS 

Your network operator may decide to block the secure versions of Web sites 
in order to increase its ability to spy on what you do. In such cases, HTTPS 
Everywhere could prevent you from using these sites because it forces your 
browser to use only the secure version of these sites, never the insecure 
version. (For example, we heard about an airport Wi-Fi network where all 
HTTP connections were permitted, but not HTTPS connections. Perhaps the 
Wi-Fi operators were interested in watching what users did. At that airport, 
users with HTTPS Everywhere were not able to use certain Web sites unless 
they temporarily disabled HTTPS Everywhere.) 



In this scenario, you might choose to use HTTPS Everywhere together with a 
circumvention technology such as Tor or a VPN in order to bypass the 
network's blocking of secure access to Web sites. 



75 



Adding support for additional sites in HTTPS Everywhere 

You can add your own rules to the HTTPS Everywhere add-on for your favorite 
Web sites. You can find out how to do that at: https://www.eff.org/https- 
everywhere/rulesets. The benefit of adding rules is that they teach HTTPS 
Everywhere how to ensure that your access to these sites is secure. But 
remember: HTTPS Everywhere does not allow you to access sites securely 
unless the site operators have already chosen to make their sites available 
through HTTPS. If a site does not support HTTPS, there is no benefit to adding 
a ruleset for it. 



If you are managing a Web site and have made an HTTPS version of the site 
available, a good practice would be to submit your Web site to the official 
HTTPS Everywhere release. 



Adblock Plus 

Adblock Plus (http://www.adblockplus.org) is mainly known for blocking 
advertisements on websites. But it also can be used to block other content 
that may try to track you. To keep current with the latest threats, Adblock 
Plus relies on blacklists maintained by volunteers. 

Extra Geek info: How does Adblock Plus block addresses? 

^^^^ The hard work here is actually done by Gecko, the engine 

^k |^ on top of which Firefox, Thunderbird and other 
■ H applications are built. It allows something called "content 

V V policies". A content policy is simply a JavaScript (or C++) 
^^^^ object that gets called whenever the browser needs to load 

something. It can then look at the address that should be 
loaded and some other data and decide whether it should 
be allowed. There is a number of built-in content policies 
(when you define which sites shouldn't be allowed to load images in Firefox 
or SeaMonkey, you are actually configuring one of these built-in content 
policies) and any extension can register one. So all that Adblock Plus has to do 
is to register its content policy, other than that there is only application logic 
to decide which addresses to block and user interface code to allow 
configuration of filters. 

Getting started with Adblock Plus 

Once you have Firefox installed: 

l. Download the latest version of Adblock Plus from the Add-On database 
of Firefox 

76 



2. Confirm that your want Adblock Plus by clicking "Install Now". 

3. After Adblock Plus has been installed, Firefox will ask to restart. 



Choosing a filter subscription 

Adblock Plus by itself doesn't do anything. It can see each element that a Web 
site attempts to load, but it doesn't know which ones should be blocked. This 
is what Adblock's filters are for. After restarting Firefox, you will be asked to 
choose a filter subscription (free). 




| G chrome://adblockplus/cpntent/ui/subscriptionSe '''; T ' C |£1 T Google P I -ft C" 



Adblock Pluswill be most effective if you add a filter subscription. Filter subscriptions are provided by other 
Adblock Plus users free of charge. The most suitable subscription for your language is already selected. 

Please choose a filter subscription from the list: 



irminiirmnM 



'. ■ : -cme page 



Add a different subscription 



Add subscription 



O' 



Which filter subscription should you choose? Adblock Plus offers a few in its 
dropdown menu and you may wish to learn about the strengths of each. A 
good filter to start protecting your privacy is EasyList (also available at 
http://easylist.adblockplus.org/en). 

As tempting as it may seem, don't add as many subscriptions as you can get, 
since some may overlap, resulting in unexpected outcomes. EasyList (mainly 
targeted at English-language sites) works well with other EasyList extensions 
(such as region-specific lists like RuAdList or thematic lists like EasyPrivacy). 
But it collides with Fanboy's List (another list with main focus on English- 
language sites). 

You can always change your filter subscriptions at any time within 
preferences. Once you've made your changes, click OK. 



77 



Creating personalized filters 

AdBlock Plus also lets you create your own filters, if you are so inclined. To 
add a filter, start with Adblock Plus preferences and click on "Add Filter" at the 
bottom left corner of the window. Personalized filters may not replace the 
benefits of well-maintained blacklists like EasyList, but they're very useful for 
blocking specific content that isn't covered in the public lists. For example, if 
you wanted to prevent interaction with Facebook from other Web sites, you 
could add the following filter: 



| | facebook. *$domain=~f acebook.com | ~127. 0.0. 1 

The first part (||facebook.*) will initially block everything coming from 
Facebooks domain. The second part ($domain=~facebook.com|~l27.0.0.l) is 
an exception that tells the filter to allow Facebook requests only when you 
are in Facebook or if the Facebook requests come from 127. 0.0.1 (your own 
computer) in order to keep certain features of Facebook working. 

A guide on how to create your own Adblock Plus filters can be found at 
http://adblockplus.org/en/filters. 



Enabling and disabling AdBlock Plus for specific elements or 
Web sites 

You can see the elements identified by AdBlock Plus by clicking on the ABP 
icon in your browser (usually next to the search bar) and selecting "Open ^m, 
blockable items". A window at the bottom of your browser will let you ^i** 
enable or disable each element on a case-by-case basis. Alternatively, 
you can disable AdBlock Plus for a specific domain or page by clicking on the 
ABP icon and ticking the option "Disable on [domain name]" or "Disable on 
this page only". 



NoScript 

The NoScript extension takes browser protection further by globally blocking 
all JavaScript, Java and other executable content that could load from a Web 
site and run on your computer. To tell NoScript to ignore specific sites, you 
need to add them to a whitelist. This may sound tedious, but NoScript does a 
good job in protecting Internet users from several threats such as cross-site 
scripting (when attackers place malicious code from one site in another site) 
and clickjacking (when clicking on an innocuous object on a page reveals 
confidential information or allows the attacker to take control of your 
computer). To get NoScript, visit http://addons.mozilla.org or 
http://noscript.net/getit. 



78 



The same method by which NoScript protects you can alter the appearance 
and functionality of good Web pages, too. Luckily, you can adjust how 
NoScript treats individual pages or Web sites manually - it is up to you to find 
the right balance between convenience and security. 



79 



Getting started with NoScript 

1. Co to the NoScript download section at http://noscript.net/getit. Click 
on the green "INSTALL" button. 

2. Confirm that you want NoScript by clicking "Install Now". 



, -fC Add-ons Manager 



l + l 



r^r^i^i 






3$ ' |noscript 



Name Last Updated Best match T 

(fS\ NoScript 2.0.9.8 


> 


^ff* Downloading 





6j? 





iMacros for Fire... 7.1.1.2 *"*»"»* **»-*». » 

Automate FirefoK, Record and replay repetition. More Install 

Shareaholic - Share ... 2.2.0 Fr day December "■ mo 

Shareaholic: i^. the easiestway to share interes... More Install 

BeefTaCOtTargete... 1.3.3 Monday, February 07 20U 
Sets permanent opt-out cookies to stop beha... More Install 

Integrated Gmail 2.6.11 Wednesday, January 26 mi 

Hhviail 4. rinnnle T^lonHar 4. Hnnnlo R«Her 4. Mnrp Install 



80 



3. Restart your browser when asked. 



|@Mozilla Firefcm Start Page 



LL @j 



I*,* 



uf( Add-ons Manager 



Last Updated 






Search: My Add-ons MMIBIBJBBH 

j NoScriptwill be installed after vou restart 
•/ r . , Restart now Undo 

^ NoScript 2.0.9.8 WM« a ta lt Fa.™ aV 23.2im 

Extra protection for your Firefox: No Script allows JavaScript, Jav... More 

iMacros for Fire... 7.1.1.2 wrf « sda * w™-/«. ™ 

Automate Firefox. Record and replay repetiti... More Install 



G 



Shareaholic - Share ... 2.2.0 M**» M j«,tt,aHi 

Shareaholic is the easiest way to share interes... More Install 

Beef Taco CTargete... 1.3.3 Monday, February ".an 

Sets permanent opt-out cookies to stop beh... More Install 

Intearated Gmail 2.6.11 w e dn«d ay . Ja nu a ry26,20ii , 



NoScript notifications and adding Web sites to your whitelist 

Once restarted, your browser will have a NoScript icon at the bottom right 
corner, where the status bar is, indicating what level of permission the 
current Web site has to execute content on your PC. 



® Full protection: scripts are blocked for the current site and its 

subframes. Even if some of the script sources imported by the page are 

in your whitelist, code won't run (the hosting documents are not 

enabled). 

©Very restricted: the main site is still forbidden, but some pieces (such 

as frames) are allowed. In this case, some code may be running, but the 

page is unlikely to work correctly because its main script source is still 

blocked. 

S Limited permissions: scripts are allowed for the main document, but 

other active elements, or script sources imported by the page, are not 

allowed. This happens when there are multiple frames on a page or 

script elements that link to code hosted on other platforms. 

~d Mostly trusted: all the script sources for the page are allowed, but 

some embedded content (such as frames) are blocked. 

9 Selective protection: scripts are allowed for some U RLs. All the others 

are marked as untrusted. 



81 



• §J All scripts are allowed for the current site. 

• SJ Scripts are allowed globally, however content marked as untrusted 
will not be loaded. 

To add a site that you trust to your whitelist, click on the NoScript icon and 
select: 

• "Allow [domain name]" to allow all scripts that are hosted under a 
specific domain name, or 

• "Allow all this page" to allow complete script execution - including third 
party scripts that may be hosted elsewhere, but are imported by the 
main Web site. 

(You can also use the "Temporarily allow" options to allow content loading 
only for the current browsing session. This is useful for people who intend to 
visit a site just once, and who want to keep their whitelist at a manageable 
size.) 




Facebook helps you connect and share with 
the people in your life. 



A 



.^±,.-±:r- 

- A '".. 



^r:^ ! 



About NoScript,,, 

Options.., 

Allow Scripts Globally (clangercj; 

Allow all this page 

Temporarily allow all this page 

Untrusted 

Allowfbcdn.net 

Temporarily allow fbcdr.net 

Allow facebaok.com 

Temporarily allow face 



Alternatively, you can add domain names directly to the whitelist by clicking 
on the NoScript button, selecting Options and then clicking on the Whitelist 
tab. 



82 



NoScript Options 



General | Whitelist | Embeddings Appearance Notifications Advanced 



You can specify which web sites are allowed to execute scripts, Type the address or the 
domain (e.g. " http ://www. : ite. c o m " cr ": ite.com") of the :iteycu want to allow and then 
click Allow. 

Address of web site: 



addons.mozilla.org 

flashgot.net 

google.com 

googleapis.com 

googlesyndication.com 

gstatic.com 

hotmail.com 

informaction.com 

js.wlxrs.com 

live.com 

maone.net 

mozilla.net 

men rnm 



Remove Selected Site! 



Revo ke Tern p o ra ry P erm i :: i c n: 



Import 



Export 



Import 



Export 



Marking content as untrusted 

If you want to permanently prevent scripts from loading on a particular Web 
site, you can mark it as untrusted: just click the NoScript icon, open the 
"Untrusted" menu and select "Mark [domain name] as Untrusted". NoScript 
will rememberyour choice, even if the "Allow Scripts Globally" option is 
enabled. 



Other extensions that can improve your security 

Below is a short list of extensions that are not covered in this book but are 
helpful to further protect you. 



$3ijL Flagfox - puts a flag in the location bar telling you where the server you 
(rTJare visiting is most probably located, https://addons.mozilla.org/en- 
U S/fn refox/addon/flagfox/ 

j BetterPrivacy - manages "cookies" used to track you while visiting 
websites. Cookies are small bits of information stored in your browser. 
Some of them are used to track the sites you are visiting by advertisers. 
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ 



83 



,-.<- GoogleSharing- If you are worried that google knows your search 

history, this extension will help you prevent that. 
https://addons.mozilla.org/en-us/firefox/addon/googlesharing/ 



84 




Proxy Settings and Foxy Proxy 

A proxy server allows you to reach a Web site or other 
Internet location even when direct access is blocked in 
your country or by your ISP. There are many different kinds 
of proxies, including: 



• Web proxies, which only require that you know the proxy Web site's 
address. A Web proxy URL may look like http://www.example.com/cgi- 
bin/nph-proxy.cgi 

• HTTP proxies, which require that you modify your Browser settings. 
HTTP proxies only work for Web content. You may get the information 
about a HTTP proxy in the format "proxy.example.com:3l28" or 
"192.168.0.1:8080". 

• SOCKS proxies, which also require that you modify your Browser 
settings. SOCKS proxies work for many different Internet applications, 
including e-mail and instant messaging tools. The SOCKS proxy 
information looks just like HTTP proxy information. 

You can use a Web proxy directly without any configuration by typing in the 
URL The HTTP and SOCKS proxies, however, have to be configured in your 
Web browser. 



Default Firefox proxy configuration 

In Firefox 4 you can change the settings for using a proxy you'll have to open 
the Options or Preferences window of Firefox. You can find this in the menu, 
by clicking on the upper left corner of the Window and selecting Options > 
Options. See below. 



85 



T i ; i Mn...nft-^pf nritv/pdit/ x 



fC Add-ons Manager 



NewTab ► 


I Bookmarks 


K 





^ Start Private Browsing 


History ► 
Downloads 


net- security/edit/ 




Edit tS ► 


ting and FoxyPro* 


Find,.. 


4t Add-ons 


Save and mntiniifi < 


Save Page As.,, 


Options 


K 


Options 


Send Link.., 


Help ► 


Menu Bar 


igs Print,,. ► 




•/ Navigation Toolbar '. 


Web Developer ► 




Bookmarks Toolbar 
Add-on Bar Ctrf-n/ 


Full Screen 


Set Up Sync, 




V Tabs on Top 


M bit 




Toolbar Layout... 



Go to the Advanced section and open the Network tab. 



Options 

D a 



fv A 



General Tabs Content Applications Privacy Security Advanced Sync 



General Network Update | Encryption | 



Connection 

Configure how Firefox connects to thelnternet 



Offline Storage 






Your cache is currently using 7.6 MB of disk space 


Gear Now 




^ Override automatic cache management 
Limit cacheto 1024, MB of space 






F71 Tell me when a website asks to store data for offline use 


Exceptions.,, 




The following websites have stored data for offline use: 












Remove,,. 











OK 



Cancel 



Help 



86 



Select Settings, click on "Manual proxy configuration" and enter the 
information of the proxy server you want to use. Please remember that HTTP 
proxies and SOCKS proxies work differently and have to be entered in the 
corresponding fields. If there is a colon (:) in your proxy information, that is 
the separator between the proxy address and the port number. Your screen 
should look like this: 



Connection Setting 

Configure Proxies to Access the Internet 
O No proxy 

Auto -detect proxy settings for this network 
;") Use system proxy settings 
■'&! M anua ' proxy configuration: 



HTTP Proxy: 


rny-proxy.server.provider.org Port: 
Use this proxy server for all protocols 


8080 C 


SSL Proxy: 


Port: 


°B 


FTP Proxy: 


Port: 


°n 


SOCKS Host: 


Port: 
:;. SOCKS v4 (»;. SOCKS y5 


»B 



No Proxy for: localhost, 127.0.0.1 

Example: .mozilla.org, .net.nz, 192.168,1.0/24 
Automatic proxy configuration URL: 



Reload 



OK 



Cancel 



Help 



Afteryou click OK, your configuration will be saved and your Web browser 
will automatically connect through that proxy on all future connections. If 
you get an error message such as, "The proxy server is refusing connections" 
or "Unable to find the proxy server", there is a problem with your proxy 
configuration. In that case, repeat the steps above and select "No proxy" in 
the last screen to deactivate the proxy. 



Foxy Proxy 

FoxyProxy is a freeware add-on for the Firefox Web browser which makes it 
easy to manage many different proxy servers and change between them. For 
details about FoxyProxy, visit http://getfoxyproxy.org/. 



87 



Installation 

In Firefox 4 open the Add-ons window. In the pop-up window, type the name 
of the add-on you want to install (in this case "FoxyProxy") in the search box 
on the top right and click Enter. In the search results, you will see two 
different versions of FoxyProxy: Standard and Basic. For a full comparison of 
the two free editions, visit http://getfoxyproxy.Org/downloads.html#editions, 
but the Basic edition is sufficient for basic circumvention needs. After 
deciding which edition you want, click Install. 



1 gjgteg | 




SS^ 


J ® Mozilla Firefox Start Page 


] fC Add-ons Manager >■ | + i 




!*!♦] 








1 © * | |foxyprtmy P 




Name Last Updated Best match T 




* 

j 

m 


Sea re 




W Available Add-ons M 


FoxyProxy Standard 2.22.5 Thursday, January 20, 2011 
FojiyPror/ is an advanced proi:y manaqementto,,, More Install 


# 




tf 


FoxyProxy Rrisir 1.8.S 




Downloading 








cJ 


iMacros for Firefox 7.1.1.2 Wedne ^ February 09, 2011 

Automate Firefox, Record and replay repetitious ,,, More Install 














X 





After installation, Firefox should restart and open the Help site of FoxyProxy. 
You want to enable the FoxyProxy quick-start button on Firefox. Head to the 
Firefox menu in the upperleft corner and select Options > Add-on bar. If the 
option is enabled you should see a marker left to the text Add-on bar'. Look at 
the example below. 



Mew Tab 
1* Start Private Bro 

Edit 

Find... 

Save Page As... 
Send Link... 



Full Screen 

Set Up Sync. 



i.flnrrm...rf+-':pfiiritv/Mit/ | -ft Add-ons Manager I :-'" : Foi^Proxy 

Bookmark?. 

izi 1 1 a , o rg/en - U S/thu n d erb i rd/a d d o n/foxy proxy- ba si t/ 



•ft Add-o 



IIC 



Optior 

Help 





Options 




Menu Bar 


</ 


Navigation Toolbar 




BookmarksToolbar 


V 


Add-on Bar Ctrl+/ 


■/ 


Tabs on Top 




Toolbar Layout.., 




| Add to collection 
] Share this Add-on 



Fo&yProxy Basic is a simple on/off proxy switcher. 

Continue to Download > 



The developer of this add-on asks that you help support its cont 
development by making a small contribution. 







Suggested Comribut 
1ft 


Updated 




January 19, 2011 




Website 




http://getfoxyproxy.org 




Works with 


Ti.rdcsrd 3.0a1pre - 3.3a3p" 




Rating 




15 reviews 




„ 









Configuration 

For FoxyProxy to do its job, it needs to know what proxy settings to use. Open 
the configuration window by clicking the icon ®at the bottom right of the 
Firefox window. The configuration window looks like this: 



89 



-" FoxyProxy Basic 
File Help 



Mode: Completely disable Foxy Proxy 



| #■ Proxies | ^ Global Settings 



Enabled 



Color 



Proxy Name 
I Default 



Proxy Notes 



^ M ove Up 
' Move Down 



*jjj Add New Proxy 



'Edit Selection 



§i Copy Selection 



1 Delete Selection 



*0 Please Donate Jj) Get FoxyProxy Plus _ Buy Proxy Service 



Click on 'Add New Proxy 1 . In the following window, enter the proxy details in a 
similar way to the default Firefox proxy configuration: 



ft 



FoxyProxy Basic - Proxy Settings 



. General | H Proxy Details | 

Direct internet connection (no proxy] 



'• 



Manual Proxy Configuration 

Help! Where are settings for HTTP. SSL FTP. Gopher and SOCKS? 



Host or IP Address rny-proxy.server.provider.org 
□ SOCKS proxy? ■"■ SOCKSv4/4a fl SOCKS v5 

Automatic proxy configuration URL http(s)q// ftpc// fiiey 1 / relative// 

I IB 

□ Reload the PAC every 60 minutes 

Notifications 

[7] Notify me about proxy auto-configuration fije loads 

[J Notify me about proxy auto-configuration file errors 



lest | @ 



90 



Select "Manual Proxy Configuration", enter the host or IP address and the 
port of your proxy in the appropriate fields. Check "SOCKS proxy?" if 
applicable, then click OK. You can add more proxies by repeating the steps 
above. 



Usage 

You can switch among your proxies (or choose not to use a proxy) by right- 
clicking on the fox icon on the bottom right of your Firefox window: 




Use proxy "114,127,246.36" for all URLs 



• j Use proxy "Default" for all URLs 
Completely disable FoxyProxy 

Options 

Use Advanced Menus 



To select a proxy server, simply left-click on the proxy you want to use. 



91 



What is Tor? 




Tor is a system intended to enable online anonymity, 
composed of client software and a network of servers 
which can hide information about users' locations and 
other factors which might identify them. Imagine a 
message being wrapped in several layers of protection: 
every server needs to take off one layer, thereby 
immediately deleting the sender information of the 
previous server. 

Use of this system makes it more difficult to trace internet traffic to the user, 
including visits to Web sites, online posts, instant messages, and other 
communication forms. It is intended to protect users' personal freedom, 
privacy, and ability to conduct confidential business, by keeping their internet 
activities from being monitored. The software is open-source and the network 
is free of charge to use. 

Like all current low latency anonymity networks, Tor cannot and does not 
attempt to protect against monitoring of traffic at the boundaries of the Tor 
network, i.e., the traffic entering and exiting the network. While Tor does 
provide protection against traffic analysis, it cannot prevent traffic 
confirmation (also called end-to-end correlation) 

A Caution: As Tor does not, and by design cannot, encrypt 
the traffic between an exit node and the target server, any 
exit node is in a position to capture any traffic passing 
through it which does not use end-to-end encryption such 
as TLS. (If your postman is corrupt he might still open the 
envelope and read the content). While this may or may not 
inherently violate the anonymity of the source, if users 
mistake Tor's anonymity for end-to-end encryption they 
may be subject to additional risk of data interception by third parties. So: the 
location of the user remains hidden; however, in some cases content is 
vulnerable for analysis through which also information about the user may be 
gained. 



Using Tor Browser Bundle 

The Tor Browser Bundle lets you use Tor on Windows, OSX and/or Linux 
without requiring you to configure a Web browser. Even better, it's also a 
portable application that can be run from a USB flash drive, allowing you to 
carry it to any PC without installing it on each computer's hard drive. 



92 



Downloading Tor Browser Bundle 

You can download the Tor Browser Bundle from the torproject.org Web site 
(https://www.torproject.org), either as a single file (13MB) or a split version 
that is multiple files of 1.4 MB each which may proof easier to download on 
slow connections. 



If the torproject.org Web site is filtered from where you are, type "tor 
mirrors" in your favorite Web search engine: The results probably include 
some alternative addresses to download the Tor Browser Bundle. 



A 



Caution: When you download Tor Bundle (plain or 
split versions), you should check the signatures of the 
files, especially if you are downloading the files from 
a mirror site. This step ensures that the files have not 
been tampered with. To learn more about signature 
files and how to check them, 

read https://wiki.torproject.org/noreply/TheOnionRou 
ter/VerifyingSignatures 



(You can also download the GnuPG software that you will need to 
check the signature here: 
http://www.gnupg.0rg/download/index.en.html#auto-ref-2) 

The instructions below refer to installing Tor Browser on Microsoft Windows. 
If you are using a different operating system, refer to the torproject.org 
website for download links and instructions. 



93 



Installing from a single file 

l. In your Web browser, enter the download URL for Tor Browser: 
https://www.torproject.org/torbrowser/ 



« 

File 


Edit 


Vie* 


History Bookmarks Tools Help 


sis 


London: Fri 03:13 » 


Am &t 


srdam: 


<Sa 


t 1 ;. 


- 


6 * t@ 












[(4j http&:/^wrw 


torproject.org^torbrowser/ 

















Tor Browser Bundle for Windows with Firefox 
(version 1.1.4, 13 MB) 

• English (en-USl ( signature ) 

• swj* 8 far) (signature) 

• Dsutsch (de) ( signature ) 

• Espanol fes-ES) ( signature ) 

• lf jjliffa-IR) ( signature ) 

• Francais (1r) ( signature ) 

• Nederlands (nl) ( signature ) 

• Portuques (pt-PTl ( signature ) 

• Pyccmii (ru) ( signature ) 

• JPrj-ft;^ (zh-CN) ( signature ) 



2. Click the link foryour language to download the installation file. 

3. On windows double-click the .EXE file you just downloaded. A "7-Zip 
self-extracting archive" window appears. 




94 



4. Choose a folder into which you want to extract the files and click 
"Extract". 

Note: You can choose to extract the files directly onto a USB 
key or memory stick if you want to use Tor Browser on 
different computers (for instance on public computers in 
Internet cafs). 

5. When the extraction is completed, open the folder and check that the 
contents match the image below: 




6. To clean up, delete the .EXE file you originally downloaded. 



95 



Installing from split files 

1. In your Web browser, enter the URL for the split version of the Tor 
Browser Bundle (https://www.torproject.org/torbrowser/split.html), 
then click the link for your language to get to a page that looks like the 
one for English below: 



t 








Index of /torbrcrw 


File Edit View History 


Bookmarks Xools Help sHJ London: Fri 03: 


19 « Amsterdam: Fri 04:1 


^ - 6 IS 








LwJ http&://www.torproject.or^torbrow&er/di&t/tor-brow&er-l. 1.4 e 








Index of /torbrowser/dist/tor-bro 


Name 




Last modifis 


;d 


Size Description 


4** Parent Di recto rv 










LJ siqnatures/ 




D-oct-2aaB 


13:49 




ll^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 
L^J tor-browser-l. 1.4 


en -US 


split.part01.exe 13-Oct-2008 


13:49 


1.4M 


en -US 


split. part02. rar 13-Oct-2008 


13:49 


1.4M 


en -US 


split. pa rt03. rar 13 -Oct -2008 


13:50 


1.4M 


en -US 


split. part04. rar 13-Oct-2008 


13:50 


1.4M 


en -US 


split. pa rt05. rar 13 -Oct- 2008 


13:49 


1.4M 


en -US 


split. part06. rar 13-Oct-2008 


13:50 


1.4M 


en -US 


split. pa rt07. rar 13 -Oct- 2008 


13:49 


1.4M 


en -US 


split. part08. rar 13-Oct-2008 


13:50 


1.4M 


en -US 


split. part09. rar 13-Oct-2008 


13:50 


1.4M 


en -US 


split. partlO. rar 13-Oct-2008 


13:49 


1.4M 



2. Click each file to download it (one ending in ".exe" and nine others 
ending in ".rar"), one after the other, and save them all in one folder on 
your hard- or USB-drive. 



96 



3. Double-click the first part (the file whose name ends in ".exe"). This runs 
a program to gather all the parts together. 



Sit WinRAR sidf-extracthg archhfe 



Jn]*l 




• Press Install button to start extraction. 

• Use Browse button to select the destination folder 
Irom the folders tree. II. tail be also enleied manually. 

• If the destination folder does not exist, it will be 
created automatically before extraction. 



~H 



d 



rjestinatiori folder 



I C:\Users\Public\Downloads 
Installation progress 



^] 



_ 



4. Choose a folder where you want to install the files, and click "Install". 
The program displays messages about its progress while it's running, 
and then quits. 

5. When the extraction is completed, open the folder and check that the 
contents match the image below: 




6. To clean up, delete all the files you originally downloaded. 

Using Tor Browser 

Before you start: 



97 



• Close Firefox. If Firefox is installed on your computer, make sure it is 
not currently running. 

• Close Tor. If Tor is already installed on your computer, make sure it is 
not currently running. 

Launch Tor Browser: 

• In the "Tor Browser" folder, double-click "Start Tor Browser". The Tor 
control panel ("Vidalia") opens and Tor starts to connect to the Tor 
network. 




When a connection is established, Firefox automatically connects to the 
TorCheck page and then confirms if you are connected to the Tor network. 
This may take some time, depending on the quality of your Internet 
connection. 



98 



■ Tort M-ff'illd. Fireta 



(Tills: 






4 AtojtTif a TurMdHinH (|T«<Ji«tf«t:*i*tr.. 



^ 




Congratulations, You are using Tor 



Please refer to the Tot website for BLtrthfcj irttoiWLAltofl abovrt using Tot safely. 



Ihi.3 3nal ] vcxlpb L3 poicicd bv ~ r i --*t ~ - 
Ttl My III* W ilWtttifH In *Ti* Tflr Tm.iv F« >t r, isc rm^tttt 

rk.i r 3 tivLi d?» n-5* Lr-g- out Lnfpinifriui ib-iib vlii^qep. 



IQQDDSyilil 



chetktofltf cfject ,crg £ Tw Enabled 



If you are connected to the Tor network, a green onion icon appears in the 
System Tray on the lower-right-hand corner of your screen: 




Browsing the Web using Tor Browser 

Try viewing a few Web sites, and see whether they display. The sites are likely 
to load more slowly than usual because your connection is being routed 
through several relays. 

If this does not work 

If the onion in the Vidalia Control Panel never turns green or if Firefox opened, 
but displayed a page saying "Sorry. You are not using Tor", as in the image 
below, then you are not using Tor. 



99 



nine Tor? MuMk Firrioi 



Ffc Edl V«w riitaiv Bo»nr»ti Tout 



o 



^ - ^ - © ._ 1 K.p.::;,h^.tn w rv - ... ■ 

4 AtvutTir J IdtWJkv** tjTaOiMk«tK!rot«... 



Sorry. You are not using Tor. 



If you art attemptirig tG use a Tor cUtm; please refer to the Tor web she and sp-ecific-ally 
the irvtriirti-fltiri rbi ^ril^u-ine y-Ti-i ""■■■• rli^rr 



hu IP aAfeaia W ri.» *a be: 7S . IS . S* . *i 

aln bi Ln.T-iiii.ptid. iii. c:h* T->[ E'-i. fc ■:::■- L i:r 



rh.lr iiini Jo- 



■■g -" ." Lnfaiiijcda 



iscBnnsBBii 



dwA.twr^olect.ofB A To*l>eabled 



If you see this message, close Firefox and Tor Browser and then repeat the 
steps above. You can perform this check to ensure that you are using tor, at 
any time by clicking the bookmark button labelled "TorCheck at Xenobite..." in 
the Firefox toolbar. 

If Firefox browser does not launch, another instance of the browser may be 
interfering with Tor Browser. To fix this: 

1. Open the Windows Task Manager. How you do this depends on how 
your computer is set up. On most systems, you can right-click in the 
Task Bar and then click "Task Manager". 

2. Click the "Processes" tab. 

3. Look for a process in the list named "firefox.exe". 

4. If you find one, select the entry and click "End Process". 

5. Repeat the steps above to launch Tor Browser. 

If Tor Browser still doesn't work after two or three tries, Tor may be partly 
blocked by your ISP and you should try using the bridge feature of Tor. 



100 



Alternatives 

There are two other projects that bundle Tor and a 
browser: 



ED 



• XeroBank, a bundle of Tor with Firefox 
(http://xerobank.com/xB_Browser.php) 

• OperaTor, a bundle of Tor with Opera 
(http://archetwist.com/en/opera/operator) 



101 



BASIC E-MAIL SECURITY 



102 



Introduction to e-mail safety 



E-mail is one of the oldest forms of communication on the 
Internet. We often use it to communicate very personal or 
otherwise sensitive information. It is very important to 
understand why e-mail in its common usage is not safe. In 
the following chapters we will describe the different 
methods necessary to secure your e-mail against known 
threats. We will also provide you with basic knowledge to 
assess the risks involved in sending and receiving e-mail. 

This section will start by describing the security considerations when using e- 

mail. 




No sender verification: you cannot trust the 'from' address 

Most people do not realize how trivial it is for any person 

on the Internet to forge an e-mail by simply changing the 

identity profile of there own e-mail program. This makes it 

possibly for anyone to send you an e-mail from some 

known e-mail address, pretending to be someone else. This 

can be compared with normal mail; you can write anything 

on the envelope as the return address, and it will still get 

delivered to the recipient (given that the destination 

address is correct). We will describe a method for signing e-mail messages, 

which prevents the possibility of forgery. Signing of e-mail messages will be 

explained in the chapter about PGP (Pretty Good Privacy). 




E-mail communications can be tapped, just like telephones 

An e-mail message travels across many Internet servers before it reaches its 
final recipient. Every one of these servers can look into the content of your 
messages, including subject, text and attachments. Even if these servers are 
run by trusted infrastructure providers, they may been compromised by 
hackers or by a rogue employee, or a government agency may seize its 
equipment and retrieve your personal communication. 




Unencrypted mail looks like this: 

9 9 9 
A* ▲<▲ ▲* 




44 



103 




There are two levels of security to pretend against such e-mail interception. 
The first one is making sure the connection to your e-mail server is secured by 
an encryption mechanism. The second is by encrypting the message itself, to 
prevent anyone other than the recipient to understand the content. 
Connection security is covered extensively in this book in this section and in 
the sections about VPN, e-mail encryption is also covered in detail in the 
chapters about the usage of PGP. 



Mail hoaxes, viruses and spam 

More than 80% of all the traffic coming through a typical e- 
mail server on the Internet contains either spam messages, 
viruses or attachments which intend to harm your 
computer. Protection against such hostile e-mails requires 
keeping your software up-to-date and an attitude of 
distrust toward any e-mail which cannot be properly 
authenticated. In the final chapter of this section, we will 
describe some ways to protect against hostile e-mail. 

Fraudulent mails requesting 'personal information' 

Your internet service provider, your phone company, your bank or any 
institution will never ask you to supply them with your usemame or 
password. They will also never send you an email or even telephone you to 
provide confidential information regarding your account or setup. And they 
will never require you to visit some website in order to 'fix' something with 
your computer. Whenever you receive such a request, you can be certain that 
this is a malicious attempt by a third-party to retrieve your account 
information. Such attempts are called 'Phishing attacks' in internet slang, and 
are very common. Remember, above mentioned companies are hostingyour 
data, they should not require any such information from you. 

Unverified mails from organizations or individuals offering you 
a 'service' 

Phishing attacks can come from a wide angle of sources. You may receive 
mails from an organization or an individual who offers to assist you with 
some problem or provide you with some service. For instance: McAffee, the 
anti-virus program you happen to use, will send you an email regarding an 
important update to their software. They have attached a handy .exe file to 
automatically fix your software. Because the sender of the message cannot be 
verified, such mail should be immediately discarded, as it will be sure to 
contain a virus or hostile program. It will even be possibly that such requests 
can come from a close friend, whose email address has inadvertently fallen in 
the hands of a hostile party. 



104 




Mails with attachments 

Only open attachments when you have verified the 
sender's address. Please note this applies to attachments 
of any type, not just executables. Viruses can be contained 
in virtually every type of content: videos, images, audio, 
office documents. Running an anti-virus program or a 
spam filter will provide some protection against these 
hostile mails, as they will be able to warn you whenever 
you download an infected file or a trojan. 



Compromised by malware 

Even if you have verified all your email and have only opened those 
attachments you have deemed safe, there may still be a possibility your 
computer has been injected by a virus. Your friend may have inadvertently 
send you a document containing such a virus. Detection of malware may be 
difficult. Signs of active malware could be: a sudden slowdown of your 
computer or internet connection, strange pop-up messages appearing while 
using your computer, your internet service provider complaining about some 
abuse of your account (claimingyou have sent spam mail for example). 



105 



Using Thunderbird 




Throughout this section we will be using Thunderbird as 
the application of choice for sending and receiving mails. 
Just like her bigger brother Firefox, Thunderbird has many 
advantages over it's counterparts like Apple Mail and 
Outlook and is the only option when concerned about 
communicating securely through email. 



Thunderbird is a so called 'mail user agent' (MUA). This is different from 
webmail services like gmail. You will have to install Thunderbird onto your 
computer. It has a nice interface and you will be able to manage multiple 
mailboxes, manage folders, search through mails easily. 

Using Thunderbird has a lot of advantages above using webmail. These will be 
discussed in the following chapter. To put it bluntly: it allows for much greater 
privacy and security than webmail services. We recommend you start using 
Thunderbird so here's comprehensive information on how to install it on 
Windows, OSX, and Ubuntu. 



Installing Thunderbird on Windows 

Installing Thunderbird involves two steps: first, downloading the software 
and then running the installation program. Here is how to do that: 



106 



1. Use your web browser to visit the Thunderbird download page at 
http://www.mozillamessaging.com/en-US/thunderbird/. This page 
detects your computer's operating system and language, and it 
recommends the best version of Thunderbird foryou to use. 



mozilla messaging 



Thunderbird 3.1 

Now with tabs, better search, and email archiving. 
It's easy to upgrade to Thunderbird 3,1 



Thunderbird 3.1 

Free Download O 



Thunderbird 



Ortlf 5|Ht4T>« * L>r-eu»p*I ..-;■ 




If you want to use Thunderbird in a different language or with a 
different operating system, click the Other Systems and Languages link on 
the right side of the page and select the version that you need. 

2. Click the download button to save the installation program to your 
computer. 



Opening Thunderbird Setup 3.1.1.eKe 




i '■ i 


You have chosen to open 






* ' Thunderbird Setup 3.Ll.exe 






which is a: Binary File 






from: http://download-cdnetworkE.rnozilla.net 






Would you like to save this-file? 1 






Save File 

' 


11 


Cancel j 



Click the Save button to save the Thunderbird Setup file to your 
computer. 

3. Close all applications running on your computer. 



107 



Find the setup file on your computer (it's usually in the Downloads 
folder or on your desktop) and then double-click it to start the 
installation. The first thing that the installer does is display the 
Welcome to the Mozilla Thunderbird Setup Wizard screen. 



'^ Mozilla Thunderbird 


Setup 


[-1 M3H 




M A 


i 


Welcome to the Mozilla Thunderbird 


a e 


7 


Setup Wizard 


^o r -^^ 




This wizard will guide you through the installation of Mozilla 


\J^\ 




Thunderbird. 


\ 




It is recommended that you dose all other applications 
before starting Setup, This will make it possible to update 


^ ^^ 




relevant system files without having to reboot your 
computer. 

Click Next to continue, 






| Next> | | Cancel 





Click the Next button to start the installation. If you want to cancel it, 
click the Cancel button. 



108 



The next thing that you see is the Setup Type screen. For most users the 
Standard setup option is good enough for their needs. The Custom 
setup option is recommended for experienced users only. Note that 
Thunderbird installs itself as your default mail application. If you do not 
want this, clear the checkbox labeled Use Thunderbird as my default 
mail application. 



ii Mozilla Thunderbird Setup 






[ 1=1 | !■ ££^| 




Setup Type W^k 
Choose setup options 


Choose the type of setup you prefer 


then dick Next, 

A'ith the most common options. 

utions to be installed. Recommended for experienced 

1 application 


a ^isndard 

Thunderbird will be installed 

O Custom 

You may choose individual o 
users, 

[7] Use Thunderbird as my default ma 










<Back 


Next> 


Cancel 









Click the Next button to continue the installation. 



109 



6. After Thunderbird has been installed, click the Finish button to close the 
setup wizard. 



^p Mozilla Thundenbird Setup 




Completing the Mozilla Thunderbird 
Setup Wizard 

Mozilla Thunderbird has been installed on your computer. 
Click Finish to dose this wizard. 



jL^^::"- v oz = -".nce-D.;d nov:l 



< Back Finish Cancel 



] c 



If the Launch Mozilla Thunderbird now checkbox is selected, 
Thunderbird starts after it has been installed. 



Installing Thunderbird on Ubuntu 

There are two procedures for installing Thunderbird on Ubuntu: one for 
version 10.04 or later, and one for earlier versions of Ubuntu. We take a look at 
both below: 



Thunderbird will not run without the following libraries or packages installed 
on your computer: 

• GTK+ 2.10 or higher 

• CLib 2.12 or higher 

• Pango 1.14 or higher 

• X.Org 1.0 or higher 

Mozilla recommends that a Linux system also has the following libraries or 
packages installed: 

• NetworkManager 0.7 or higher 

• DBus 1.0 or higher 

• HAL 0.5.8 or higher 



110 



• GNOME 2.16 or higher 

Installing Thunderbird on Ubuntu 10.04 or newer 

If you're using Ubuntu 10.04 or newer, the easiest way to install Thunderbird 
is through the Ubuntu Software Center. 

1. Click Ubuntu Software Center under the Applications menu. 



File Edit View Help 

°5 Provided by Ubuntu 
(S) Canonical Partners 
■ I Partner archive 
!_ , The Opera web bro... 
■ Installed Software 



< Get Software 



Ubuntu Software Center 



Departments 



Accessories Education 



Internet Office 



32475 items available 



Graphics 



Science & Sound & Video Themes & 

Engineering Tweaks 



2. Type "Thunderbird" in the search box and press the Enter on your 
keyboard. The Ubuntu Software Center finds Thunderbird in its list of 
available software. 

3. Click the Install button. If Thunderbird needs any additional libraries, 
the Ubuntu Software Center alerts you and installs them along with 
Thunderbird. 

You can find the shortcut to start Thunderbird in the Internet option under 
the Applications menu: 



ill 



*V Accessories ► 




j| Graphics ► 




™ Office ► 

S . Sound & Video ► 
4y| System Tools ► 
§ Ubuntu Software Center 


^ Chromium Web Browser 
Q Ekiga Softphone 
•"• Empathy IM Client 

g Firefox Web Browser 
T£f Google Chrome 
€} Gwibber Social Client 




o 




^ Skype 



Installing Thunderbird on Mac OS X 

To install Thunderbird on your Mac, follow these steps: 



1. Use your web browser to visit the Thunderbird download page at 
http://www.mozillamessaging.com/en-US/thunderbird/. This page 
detects your computer's operating system and language, and it 
recommends the best version of Thunderbird foryou to use. 



mozilla messaging 



Thunderbird 3.1 

Now with tabs, better search, and email archiving, 

It's easy to upgrade to Thunderbird 3-i 



g$meSfHtatm*u 




112 



2. Download the Thunderbird disk image. When the download is complete, 
the disk image may automatically open and mount a new volume called 
Thunderbird. 

If the volume did not mount automatically, open the Download folder 
and double-click the disk image to mount it. A Finder window appears: 



r.i.n ..!i i.inil 







3. 



4. 



Drag the Thunderbird icon into your Applications folder. You've installed 

Thunderbird! 

Optionally, drag the Thunderbird icon from the Applications folder into 

the Dock. Choosing the Thunderbird icon from the Dock lets you quickly 

open Thunderbird from there. 




Thunderbird 




Note: When you run Thunderbird for the first time, newer versions of Mac OS 
X (10.5 or later) will warn you that the application Thunderbird. app was 
downloaded from the Internet. 

If you downloaded Thunderbird from the Mozilla site, click the Open button. 



113 




"ThLinderbird.app" is an application which 
was downloaded from the Internet. Are 
you sure you want to open it? 

rirefox.app downloaded tills file today at 9:20 AM. 
(?) ( Cancel ") ( Open ) 



Starting Thunderbird for the first time 

After you have setup Thunderbird for the first time you will be guided through 
the creation of a mail account. These settings are dependent on where your 
email is hosted. It is important to make sure you have at least an encrypted 
connection to your own mail server. We will describe how to set this up in 
the next chapter. 



114 



Setting up Thunderbird to use secure 
connections 

There is a right way to configure your connection to your 

provider's mail servers, and a wrong (unsecured) way. You 

should always make a connection to your servers using SSL 

(Secure Socket Layer) and TLS (Transport Layer Security). It 

prevents your immediate environment from intercepting 

and obtaining your password and prevents eavesdroppers 

from reading your mails, although it does not secure the 

information channel all the way to the recipient (this is 

where PGP comes in). Email security is useless without first establishing a 

secure connection to mail servers. This chapter describes how to set up your 

mail accounts the right way. 

Configuration requirements 

To configure your mail accounts you will need to have some information from 
your email hosting provider. The following information is required: 




• name of the outgoing (SMTP) mail server. 

• name of the incoming (IMAP) mail server. 

• username foryour mail 

• password foryour mail 

You should have received this information from your hosting provider. You 
can usually find the names of the servers on the support pages on the website 
of your hosting provider. In our example we will be using the gmail server 
names. You can use Thunderbird to access your existing gmail account, and 
this is a good idea. To do so, you must change a configuration setting in your 
account. You can skip the next paragraph, if you are not using a gmail 
account. 



Preparing a gmail account for use with Thunderbird 

Please logon to your gmail webmail account, using your browser. Go to the 
personal settings page. Then go to the tab 'Forwarding and POP/IMAP'. Click 
on the 'Enable IMAP' and then 'Save Changes'. 



115 



General Labels 

Forwarding: 



IMAP Access: 



Filters Forwarding and POPJIMAP Chat Web Clips Labs Priority Inbox Offlirn 



Add a forwarding address 
Tip: You can also forward only si 



B Pi W 



il by oreatinq a filter! 



1. Status: POP is enaOled for all mall that has arrived since 3/1*09 
O Enable POP for all mail (even mail (Mars already Been downloadec 
Q Enable POP for mall that arrives from now on 
8 Disable POP 



2. When message; 



e accessed with POP keep Google Mail's copy in '^ e ' 
k, Eudora, Netscape Mail) 



Configuring Thunderbird to use SSL/TLS 

When you start up Thunderbird for the first time, you will enter a step-by- 
step configuration procedure for setting up your first account. On the first 
screen, you will be asked for a real name (can be anything, also a pseudonym), 
your email-address and your password. Enter the information and click on 
continue. 



^GetMail • Lifwrite [§ Address Book 



search all messages... «ctrl+K> 



Email 

rT 1 Read messages 

[_£ Write a new message 











Nev 


Your name: Johnny Cash 


Your name, as shown to others 






5*1 


Email address: 'johrny@gmail.com 


J 








B" Remember password 




Fee 


Cancel 


| Continue 



Q Manage subscriptions 

Accounts 

•^ View settings For this account 



116 



On the next screen, Thunderbird will attempt to auto-detect the server 
names. This may or may not work and may take some time. In either case you 
will be presented with a window where you can modify the settings. In the 
example below, Thunderbird has detected the settings automatically. You can 
see the protocol at the right side of the server names. This should be either 
SSL/TLS or STARTTLS. Otherwise your connection is insecure and you should 
attempt manual setup. 



^GetMail • ufwrite [^AddressBook 



search all messages... *ctrl+K> 



* Local Folders 

All Folders 
•® Local Folders 



Thunderbird Mail - Local Folders 
Accounts 

^ View settings for this account 



s 


Your name: My Name Your name, as shown to others 
Email address: test@xs4all.nl 




Adv 


Password: ■— 






1 ' Remember password 


5tart over 


H 


The following settings were found from: Mozilla ISP database 

User-name: test 
t§ incoming pops.xs4all.nl POP 995 SSL/TLS 




<*> 


Edit 






Outgoing 5ITltps.X54all.Pjl SMTP 465 SSL/TLS 






Manual Setup... , Cancel \ 


Create Accountj 







When you are convinced the settings are correct, click on 'Create account'. 
You may not have been so lucky with the auto-detection. Click on 'Manual 
setup' to configure the server names yourself. 



Manual setup 

When you are configuring accounts under Thunderbird, you will see a menu 
like in the image below. Here we are only interested in the incoming and 
outgoing mail server names, and the protocol we use to connect with them. 
As you can see in the examples below, we enter the Gmail server names and 
we force them to use SSL, a secure method to connect to the servers. 



117 



'johnry@gmail.com 

Server Settings 

Copies & Folders 

Composition & Addressing 

Junk Settings 

Synchronization & Storage 

Return Receipts 

Security 
'Local Folders 

Junk Settings 

Disk Space 
Outgoing Server (SMTP) 



Account Actions 



Server Settings 





Server Name: [mail.gmail.com 




User Name: johnnyl@gmail.com 





993 C Default: 993 



S ecurity Se ttings 



Connection security: 



SSL/TLS 



Authentication method: | Normal password 

Server Settings 
BT Check For new messages at startup 

■ Check For new messages every I 
When I delete a message: 

® Move it to this Folder: | Trash 

O Just mark it as deleted 

O Remove it immediately 
O Clean up ("Expunge") Inbox on Exit 
G Empty Trash on Exit 

Local directory: 



10 „ minutes 



Advanced.. 



/home/dentoir/.thunderbird/2039whs9.deFault/lmapMail/mail.gree | Browse.. 



fcjiCancel 



Under 'Server Settings', we will find only the incoming (IMAP) server and its 
settings for that specific account. 



118 



T emile@greenhost.nl 

Server Settings 

Copies & Folders 

Composition & Addressing 

Junk Settings 

Synchronization & Storage 

Return Receipts 

Security 
T l_ocal Folders 

Junk Settings 

Disk Space 
Outgoing Server (SMTP) 



Account Actions 



Server Settings 



Server Type: IMAP Mail Server 


Server Name: mail.gmail.com 


UserName: johnnycash 



993 1 Default: 993 



Security Settings 

I Connection security: 



SSL/TLS 



Authentication method: I Normal password 



Server Settings 

& Check for new messages at startup 

& Check for new messages every | 

When I delete a message: 

9 Move it to this folder: | Trash 
O Just mark it as deleted 
O Remove it immediately 

D Clean up ("Expunge") Inbox on Exit 

□ Empty Trashon Exit 



10 * minutes 



Advanced.. 



Local directory: 
/home/dentoir/.thunderbird/2039whs9.deFaiilt/lmapMail/mail.gree | growse.. 



I ©Cancel 



^OK 



After 'Server Name: 1 we should put the name of our IMAP server, in this case 
mail.gmail.com 

As you can see we have selected 'SSL/TLS' under the connection security setting. 
This enforces encryption. Do not be scared by the authentication method 
'Normal password' The password will be automatically encrypted due to our 
secured connections to the server. 

Finally lets configure the outgoing server for our mail and we should be done. 
Click on 'Outgoing Server (SMTP)' in the left panel. 



119 



^ Get Mail • Li 



johnnyifflgmaiLi 
All Folders 
► John nytQig mail 
►S Local Folders 



T johnny(aig ma il.com 

Server Settings 

Copies & Folders 

Composition & Addressing 

Junk Settings 

Synchronization S Storage 

Return Receipts 

Security 
T Local Folders 

Junk Settings 

Disk Space 
Outgoing server (SMTP) 



^^^Z^^^Z 



3* 



Although you can specify more than one outgoing server (SMTP), this is o 
recommended for advanced users. Setting up multiple SMTP servers can 
errors when sending messages. 

gmail server - smtp.gmail.com (Default) 



Settings 
Description: 
Server Name: Msmtp. gmail.com 



gmail server 



Security arid Authentication 
Connection security: , SSL/TLS 



Authentication method: | Normal password 
User Name: 



johnny@gmail.com 

| ©Cancel | ^OK ] 



1 **d- j 



Account Actions 



©Cancel 



V'OK ) 



Again, we have selected SSL/TLS under 'Connection security'. The port will 
default to 465 and this should generally not have to be changed. 



Finishing the setup, different encryption methods 

OThe best way to test your Thunderbird setup is by trying to 
send and receive mails. Some email hosting providers may 
not support the SSL/TLS protocol, which is the preferred 
choice. You will get an error message saying the 
authentication protocol is not supported by the server. You 
may then switch to using STARTTLS instead. In the above 
two screens, select 'STARTTLS' under 'Connection security'. 
If this method also fails it's time to contact your email 
hosting provider and ask them if they provide another way to securely 
connect to their servers. If they do not allow you to securely connect to their 
servers, then you should complain and seriously consider switching to a 
different provider. 

Returning to the configuration screens 

At any time you can reconfigure your email accounts be going to the 
Thunderbird menu bar on the upper screen and clicking on Edit, and then 
Account Settings. 



120 



Some Additional Security Settings 

Thunderbird provides additional security measures to 
protect you from junk mail, identity theft, viruses (with the 
help of your anti-virus software, of course), intellectual 
property theft, and malicious web sites. 




We will look at the following Thunderbird security features. First a little 
background on why you need to consider some of these measures: 

• Adaptive junk mail controls 

Adaptive junk mail controls allow you to train Thunderbird to identify 
junk email (SPAM) and remove it from your inbox. You can also mark 
messages as junk mail manually if your email provider's system misses 
the junk mail and lets it go through. 

• Integration with anti-virus software 

If your anti-virus software supports Thunderbird, you can use that 
software to quarantine messages that contain viruses or other 
malicious content. If you're wondering what anti-virus software works 
with Thunderbird, you can find a list here: 
http://kb.mozillazine.org/Antivirus_software. 

• Master password 

Foryour convenience, you can have Thunderbird remember each of 
your individual passwords of your e-mail accounts. You can specify a 
master password that you enter each time you start Thunderbird. This 
will enable Thunderbird to open all your email accounts with your saved 
passwords. 

• Restrictions on cookies 

Some blogs and websites attempt to send cookies (a piece of text that 
stores information from Web sites on your computer) with their RSS 
feeds. These cookies are often used by content providers to provide 
targeted advertising. Thunderbird rejects cookies by default, but you 
can configure Thunderbird to accept some or all cookies. 

In the Security Preferences section of Thunderbird's Options/Preferences 
dialog box you can set up the preferences for these features. 

• In Windows and Mac OS X, go to the 'Tools' menu and click 'Options'. 

• On Ubuntu or other versions of Linux, go to the 'Edit' menu and click 
'Preferences'. 



121 



Junk mail settings 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Junk' tab. 



Options 



Display 



Composition 



Security Attachments Advanced 



Junk E-mail Scams Anti-Virus Passwords Web Content 



Set your default junk mail settings. Account-specific junk mail settings can be configured in 
Account Settings. 

I I When I mark messages, a&junk:: 

faj Move them to the account's "Junk" folder 
Delete them 

M?! 1 ! 1 me::?"jE: ;i stemmed to beJunk as. read 
l~| Enablejunkfilter logging 



Re^et Training Data 



Do the following: 

o To tell Thunderbird that it should handle messages marked as junk, 

select the check box labelled 'When 1 mark message as junk', 
o To have Thunderbird move these messages to a junk folder, select 

the 'Move them to account's 'Junk' folder' radio button, 
o To have Thunderbird delete junk mail upon receiving it, select the 
'Delete them'radio button. 
Thunderbird will mark junk message as read if you select the check box 
labeled 'Mark messages determined to be Junk as read'. 
If you want to keep a log of junk mail received, select the 'Enable junk 
filter logging' check box. 
Click the 'OK' button to close the 'Options/Preferences' dialog box. 



122 



Scam detection and warning system 

l. In the Preferences/Options dialog box, click 'Security' and then click 
the 'E-mail Scams' tab. 



Options I^ShI 


fe a t* 

General Display Composition Security Attachments Advanced 










Junk E-mail Scams j Anti-Virus Passwords /Jet] Content 




Thunderbird can analyze messages for suspected email scams by looting for common techniques 
used to deceive you. 




\J_ le mer lie-r e^-ae Vi r^<; n-j iw suspected err rtiU. -m 












OK | Cancel 













2. To have Thunderbird warn you about possible email scams, select the 
check box labelled 'Tell me if the message I'm read is a suspected email 
scam'. To turn off this feature, deselect this check box. 

3. Click the 'OK' button to close the 'Options/Preferences' dialog box. 



123 



Anti-virus integration 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Anti-Virus' tab. 



Options l_^ 1 


D fe M A 9 

General Display Composition Security Attachments Advanced 








Junlc E-mail Scams Anti-Virus Passwords Web Content 


Thundertiird can make it easy for anti-vim: software to analyze incoming mail messages for viruses 
before they are stored locally, 

□ Allow anti-virus clients to quarantine individual incoming messages 




1 




DK | Cancel | 







2. To turn on anti-virus integration, select the check box labeled 'Allow 
anti-virus clients to quarantine individual incoming messages'. To turn 
off this feature, deselect this check box. 

3. Click the 'OK' button to close the 'Options/Preferences' dialog box. 



124 



Set a master password 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Passwords' tab. 



Tn 



Options 



General Display Composition Security Attachments Advanced 



Junlc|E-mail Scams Anti-Virus Passwords 


Web Content] 




Thunderbird can remember passwords fa 

A Master Password protects all your passv 
: : Use a master password 


allofyouracco 


unts. 


1 Saved Passwords.,, ! 
ust enter it once per session. 


1 Change Master Password.,, 





2. Select the check box labeled 'Use a master password'. 

3. Enteryour password into the 'Enter new password' and 'Re-enter 
password' fields. 



I _l 



Change Master Password 



A Master Password is used to protect sensitive information like site 
passwords. If you create a Master Password you will be asked to enter it 
once per session when Thunderbird retrieves saved information protected 
by the password. 



Current password; I (not set] 
Enter new password: I 
Re-enter password: 



Password quality meter 



I 



Please make su re you rem em ber the Master Password you have set. If 
you forget your Master Password, you will be unable to access any of 
the in formation protected by it. 



OK 



Cancel 



4. Click the 'OK' button to close the Change Master Password dialog box. 



125 



If you want to see the passwords that you have saved in Thunderbird, 
click the 'Saved Passwords' button. This will open the 'Saved Passwords' 
dialog box. 



r 
Q Saved Passwords 
r- 



LmJ_aJl 



Search: fi 

Passwords for the following sites are stored on your computer: 



Site * Username 

imap://imap. gmx.com [imap://ima.., flo5s.readerl©gmx.c... 
imap://imap. googlernail.com (ima... flos5.reader2©gmail... 
smtp://m ail.gmx.com (smtp://mail.... floss.readerl©gmx.c... 
smtp://smtp.gQogleiTiail.cotTi (srnt... floss.reader2©grmail... 



Remove Remove All 



Show Passwords 



6. To see the passwords, click the 'Show Passwords' button. 



Search: P 

Passwords for the following sites are stored on your computer: 



imap://imap. gmx.com... floss.readerl^g... thunderbirdl 

imap://imap.googlem... floss.reader2©g... thunderbirdl 

smtp://mail. gmx.com ... floss.readerl^g... thunderbirdl 

smtp://smtp.googlem... flc^.rea[ler2'3g... thunderbirdl 



Remove Remove All 



I Hide Password: . 



7. Click the 'Close' button to close 'Saved Passwords' dialog box. 

8. Click the 'OK' button to close the 'Options/Preferences' dialog box. 



126 



Adaptive junk mail controls 

You need to first open Account Settings window. Note that settings 
configured in the Account Settings window apply only to the account that 
you select in the Folders pane. You must configure local folders separately. 

1. In the Folders pane right-click on an account name and select 'Settings' 

Ujjj^ Get Mail - \jrf Write jjllj Address Bo 
1 i'^) ftoss.reader-@nct.com.org 



GD 



■>JJAI1J JUJ>!BB«BM 
- inbi Get Messages 
E Tr^ Open 

► g Local i Open in New Tab 
Search... 



New Fol der.. , 

Settings.,. 



Thui 



Em a: 




2. In Windows or Mac go to the 'Tools' menu and select 'Account Settings'. 
In Linux, go to the 'Edit menu' and select 'Account Settings'. 



127 



1. To set adaptive junk mail controls for a specific account, pick an 
account and click 'Junk Settings'. 



-f 


oss.reader2@grn 
Server Settings 

Copies Si Folde 










c 


Junk Settings 


1 

ta Storage 




lyncnromzation 




Return Receipts 






Security 




di 


oss,readerl©grn 
Server Settings 
Copies & Folde 






Composition & Addressing 




Junk Settings 






Synchronization 


& Storage 




Return Receipts 






Security 




J Local Folders 






Junk Settings 






Disk Space 




C 


utgoing Server (SMTP) 


Account Actions 



If enabled, you must first train Thunderbird to identifyjunk mail by using the 
Junktoolbar button to marl messages ?s sink or not, ■ cu need to identify 
both junk and nonjunk messages 

y; Enable adaptivejunk mail controlsforthis account 

Do not mark mail as junk if the sender is in 




: : Trust junk mail headers set by: | SpamAssa 
[J Move newjunk messages to 

@ "Junk" folder on: floss.reader2©gmail.c 



; 



-: : o;:is: 



□ Automatically deletejunk mail olderthan 14 days 



| Cancel | 



2. To turn on the controls, select the check box labeled 'Enable adaptive 
junk mail controls for this account'. To turn them off, deselect this 
check box. 

3. If you want the controls to ignore mail from senders in your Address 
Book, select the check boxes next to any of the listed address books. 

4. To use a mail filter such as SpamAssassin or SpamPal, select the check 
box labelled 'Trust junk mail headers sent by:' and pick a filter from the 
menu. 

5. Select the check box labeled 'Move new junk messages to' if you want 
to move junk mail to a specified folder. Then select the destination 
folder to be either at your email provider or a local folder on your 
computer. 

6. Select the 'Automatically delete junk mail other 14 days' check box to 
have Thunderbird regularly remove junk mail. To change the time period 
for this process, enter a different number (in days) in the text box. 

7. Click 'OK' to save your changes. 



128 



EMAIL ENCRYPTION 



129 



Introducing mail encryption (PGP) 

This chapter will introduce you to some basic concepts 
behind mail encryption. It is important to read to get some 
feeling of how mail encryption actually works and what its 
caveats and limitations are. PGP (Pretty Good Privacy) is 
the protocol we shall use for e-mail encryption. This 
protocol allows us to digitally sign and encrypt mail 
messages. It works on an end-to-end basis: messages will 
be encrypted on your own computer and will only be 
decrypted by the recipient of the message. There is no possibility fo 
in-the-middle' to decipher the contents of your encrypted message 
excludes the subject lines and the 'from' and 'to' addresses, which 
unfortunately are not encrypted in this protocol. 

After having introduced these basic concepts, the next chapters will give you 
a hands-on guide to install the necessary tools on your operating system and 
get encryption up and running. We will focus on using Enigmail which is an 
extension forThunderbird that helps you manage PGP encryption foryour 
email. The installation process for Engimail / PG P is different for Mac OSX, 
Windows and Ubuntu so please see the appropriate chapters in this section 
for instructions. 




r a man- 
This 



How does GPG work? Meet Sacha and John . J^ j^ 



Sacha writes 
a message 



( 







and encrypts with 
John's public key 



He sends the 
message encrypted 
on tottie evil world 
wide web ,,- ~-v 



-i it 



a 



John decrypts the 
^rnessagewilh his 
^5^ private ie/ 



' Hello 



John reads 
the message 



) 



Uk 



Using a key-pair to encrypt your mail 

A crucial concept in mail encryption is the usage of so-called key-pairs. A key- 
pair is just two separate files sitting on your harddisk or USB stick. Whenever 
you want to encrypt mails for a certain mail-account, you will need to have 
these files available to yourself in some form. If they are sitting at home on 
your computer, you will not be able to decrypt mail at the office. Putting 
them on a USB stick should provide a solution to this problem. 



130 




A key-pair consists of the two different keys: a public key 
and a secret key. 



The public key: you can give this key to other people, so they can send you 
encrypted mails. This file does not have to be kept secret. 

The secret key: this basically is your secret file to decrypt emails people send 
to you. It should never be given to someone else. 



Sending encrypted mails to other people: you need their 
public key 

I have five colleagues at work and I want to send encrypted mails to them. I 
need to have public keys for each of their addresses. They can sent me these 
keys using ordinary mail, or they can give them to me in person, or put them 
on a USB stick, or they can have their keys on a website. It doesn't matter, as 
long as I can trust those keys really belong to the person I want to correspond 
with. My software puts the keys on my "keyring', so my mail application 
knows how to send them encrypted mails. 

Receiving encrypted mails from other people: they need my 
public key 

For my five (or thirty) colleagues to be able to send me encrypted mails, the 
process goes the other way around. I need to distribute my public key to each 
of them. 

Conclusion: encryption requires public key distribution! 

All the people in a network of friends or colleagues wanting to send each 
other encrypted emails, need to distribute their public keys to each other, 
while keeping their secret keys a closely guarded secret. The software 
described in this chapter will help you do this key management. 



131 



Installing PGP on Windows 

To complicate matters a little - PGP is the protocol used for encrypting e-mail 
by various softwares. To get PGP to work with Thunderbird we need to install 
GPG - a free software implementation of PGP and Enigmail - an extension of 
Thunderbird that allows you to use GPG... Confused?! Don't worry about it, all 
you have to know is how to encrypt your email with PGP and you need to 
install both GPG and Enigmail. Here is how to do it... 



Installing PGP (GPG) on Microsoft Windows 

The GNU Privacy Guard (GnuPG) is software which is required to send PGP 
encrypted or signed emails. It is necessary to install this software before 
being able to do any encryption. 



1. Head to the official website of the GnuPG project. Go to 
http://www.gnupg.org/ 

2. On the left side of the website, you will find a 'Download' link. Click on it. 

3. You will see a lot of text. Scroll down to the section 'Binaries'. You will find 
there a version of GnuPG which it says is 'compiled for MS-Windows'. This 
version will be in the 1.4. something range. Just click on the FTP link next to the 
line that says 'GnuPG 1.4 compiled for Microsoft Windows.' The screen below 
should resemble this section of the website. 

Binaries 

Packages for Detaian GNuVLinux are available at the Debian site . 

RPM packages of this software should be available from rpmfind network. 

Packages for other POSIX-like opera: n g systems might be ava abe at Unix Security . 

Packages for Mac OS X shOLi d be *:a abe a: 

Sources and precompiled binaries for RISC OS are available at Stefan Bellon's home page who ported GnuPG to this platform. 

There Is also aversion compiled for MS-Windows. Note that this is a command line version and comes with a graphical installer tool. 

GnuPG 1.4.11 compiled for Microsoft Windows. B FTP 

Signature and SHA-1 checksum for previous file. FTP 

631b5129f 918b" d.3C'24-£d.sJtcc27 30-3 SSlsesaO gnupg-w32cli-l . 4. ll.exe 



Gnu-G d str b..: ons are signed, tt is wise and more secure to check out for their integrity . 

If you intend to build GnuPG for the Win32 platform using MinGW, we suggest reading the instructions titled" Building GnuPG for Win32 
using MinGW " written by Carlo Luciano Bianco. The binary we distribute has been buiht using Debian's mingw32 cross compiler 
package . 



This will download you an .exe file. Depending on your browser, you may have 
to double-click on this downloaded file (which will be called something like 
gnupg-w32cli-L4.ll.exe) before something happens. Windows will ask you if 
you are sure you want to install this program. Answeryes. 

132 



4. The following installation window should pop-up. 

(^ GNU Privacy Guard Setup 




Welcome to the GNU Privacy Guard 
Setup Wizard 

GnuPG is GNU's tool for secure communication and data 
storage, It can be used to encrypt data and to create digital 
signatures, Itindudes an advanced key management facility 
and is compliant with the proposed OpenPGP Internet 
standard as described in RFC4880, 

Click Next to continue, 



This is GnuPG version 1.4. 11 
built on 20 10-10-18 10:04 UTC 
file version 1.4.11,29110 



Cancel 



Please click on the 'Next' button. 

5. The license agreement will be shown as below. Please click on the 'Next' 
button again. 



133 



^g^ GNU Privacy Guard Setup 



License Acpeement 

This software is licensed under the terms of the GNU General Public License (GPL) 
which guarantees your freedom to share and change Free Software. 



Press Page Down to see the rest of the agreement, 



□ 



I 

GNU GENERAL PUBLIC LICENSE 
Version 3, Z9 June 2007 

Copyright [C) 200 7 Free Software Foundation r Inc. < http:y7faf.orqJ 1 > 
Everyone is permitted to copy and distribute verbatim copies 
of this license document, but changing it is not allowed , 

Preamble 

The GNU General Public License is a ffee r copyleft license for ▼ 

In short: Vou are allowed to run this software for any purpose, You may distribute it as long 
as you give the recipients the same rights you have received. 



Nullsoft Install System v2, 06 ■ 



<Back 



Next > 



Cancel 



6. The installer will ask you which components you want to install. Just keep 
them all selected and click on the 'Next' button again. 



vj'i GNU Privacy Guard Setup 



Choose Componerts 

Choose which features of GNU Privacy Guard you want to install. 



Check the components you want to install and uncheck the components you don't want to 
install. Click Next to continue. 



Select components to install: 



Space required: 4.0MB 



Nullsoft Install System v2, 06- 




Description 
Position your mouse 
over a component to 
see its description, 



:Back 



Next > 



Cancel 



7. Choose an interface language. English should be fine. Click 'Next' again. 



134 



{'/} GNU Privacy Guard Setup 



Install Options 

GnuPG Language Selection 



en - English 



Nullsoft Install System v2. 06 - 



<Back 



Next > 



Cancel 



8. The installer will ask you where to put the application on your computer. 
The default setting should be fine in most cases. Click on 'Next' when you 
agree. 

S GNU Privacy Guard Setup 






Choose Install Location 

Choose the folder in which to install GNU Privacy Guard, 



Setup will install GNU Privacy Guard in the following folder. To install in a different folder, dick 
Browse and select another folder, Click. Next to continue. 



Destination Folder 



«U l i..!. .*'..l.,| i UWWffilll5M 



Space required: 4.9MB 
Space available: 81. 5GB 

Nullsoft Install System v2. 06 - 



Browse., 



<Back 



Cancel 



135 



9. The installer will askyou how the GnuPG application should be called in the 
start menu. The default name should be fine. Click on 'Next' again. 



{/} GNU Privacy Guard Setup 



M 



Choose fftart Menu Folder 

Choose a Start Menu folder for the GNU Privacy Guard shortcuts. 



Select the Start Menu folder in which you would like to create the program's shortcuts. Vou 
can also enter a name to create a new folder, 



Accessories 

Administrative Tools 

ASUS 

Boingo 

E-Cam 

Game Park 

Games 

Intel® Matrix Storage Manager 

Maintenance 

Microsoft Silverlight 

Mozilla Thunderbird 



~ ] Do not create shortcuts 
Nullsoft Install System V2.06 — 



<Badt 



Install 



Cancel 



10. These are all the questions you need to answer. Click 'Install' and the 
installation process will begin. After installation is finished you can click 'Next' 
in the last windows to finish up. You now have GnuPG installed. 



Installing with the Enigmail extension 

After you have successfully installed the PGP software as we described above 
you are now ready to install the Enigmail add-on. 



Enigmail is a Thunderbird add-on that lets you protect the privacy of your 
email conversations. Enigmail is simply an interface that lets you use PGP 
encryption from within Thunderbird. 

Enigmail is based on public-key cryptography. In this method, each individual 
must generate her/his own personal key pair. The first key is known as the 
private key. It is protected by a password or passphrase, guarded and never 
shared with anyone. 

The second key is known as the public key. This key can be shared with any of 
your correspondents. Once you have a correspondent's public key you can 
begin sending encrypted e-mails to this person. Only she will be able to 
decrypt and read your emails, because she is the only person who has access 
to the matching private key. 



136 



Similarly, if you send a copy of your own public key to your e-mail contacts 
and keep the matching private key secret, only you will be able to read 
encrypted messages from those contacts. 

Enigmail also lets you attach digital signatures to your messages. The 
recipient of your message who has a genuine copy of your public key will be 
able to verify that the e-mail comes from you, and that its content was not 
tampered with on the way. Similarly, if you have a correspondent's public key, 
you can verify the digital signatures on her messages. 



Installation steps 

To begin installing Enigmail, perform the following steps: 



Step l. OpenThunderbird, then Select Tools > Add-ons to activate the Add-ons 
window; the Add-ons window will appear with the default Get Add-ons pane 
enabled. 

Step 2. Enter enigmail in the search bar, like below, and click on the search 
icon. 



Add-ons 







i * 



GetAdd-ons Extensions Themes Plugins 



enigmail 



Browse All Add -ens 



ENIG Enigmail 
Mail . 







■i J , ;-.-^-^ J --—- , 


. _. ... 



OpenPGP message encryption and 
authentication forThunderbird and SeaMonkey 

Learn More 



-ft Extension 



Add to Thunderbird,, 



n 

1 



Leopard Mail Default-Aqua UllClCi 

Thistherne isthe skin which can changeyourThunderbird like LeopardMail. 



Install.., 



Step 3- Simply click on the 'Add to Thunderbird' button to start the 
installation. 

Step 4. Thunderbird will ask you if you are certain you want to install this add- 
on. We trust this application so we should click on the 'Install now' button. 



137 



Software Installation 



l - * - l 



Install add-ons only from authors whom you trust. 

Malicious software can darnageyour computer orviolateyour privacy. 



You have asked to install the following item: 



=NiS Enigmail (Author not verified) 
A1L https://addons, mozilla.org/thunderbird/downloads/file/92940/enigmail-ll.2-tb-win 



Install (4) Cancel 



Step 5. After some time the installation should be completed and the 
following window should appear. Please click on the 'Restart Thunderbird' 
button. 



Add-ons 



@ 



i * ;6 fi A 

GetAdd-ons Extensions Themes Plugins Installation 



'!0.» Restart Thunderbird to complete your changes, 



Restart Thunderbird x 



enigmail 



Browse All Add-ons 



Install.. 



ENIG 


E nig mail 


'J'JtTrf 


± 






OpenPGP message encryption and 
authentication forThunderbird and SeaMonkey. 

Learn More 


E7- 


» jj.j; 




ft Extension Install Complete 














_£fc_ 


Leo par 


d Mail-Default At 


iua ****& 


•r 



138 



Installing PGP on OSX 

The GNU Privacy Guard (GnuPG) is software which enables 
you to send PGP encrypted or signed emails. It is necessary 
to install this software before being able to do any 
encryption. This chapter covers the installation steps 
required to install GnuPG on Mac OSX. 

Getting started 

For this chapter we assume you have the latest version of: 

• OSX installed (10.6.7) 

• Thunderbird (3-1.10) 





Note on OSX Mail: It is possible to use PGP with the build-in mail 
program of OSX. But we do not recommend this because this option 
relies on a hack of the program which is neither open or supported by 
its developer and breaks with every update of the mail program. So 
unless you really have no other option we advice you to switch to 
Mozilla Thunderbird as your default mail program if you want to use 
PGP. 



Downloading and installing the Software 

For OSX there is a bundle available which will install everythingyou need in 
one installation. You can get it by directing your browser to 
http://www.gpgtools.org/ and clicking on the big blue disk with "Download 
GPGTools Installer" written under it. It will redirect you to another page on 
http://www.gpgtools.org/installer/index.html where you can actually 
download the software. 



(nb. We are using the latest version Firefox for this manual, so the screens might 
look a little bit different if you are using a different browser) 



139 



eee 

( A )*_\ 10 http://www.gpgtool5.org/ 



Official Homepage | CPGTools (OpenPCP Tools for Apple OS X) 



^T 



1 ^ Official Homepage 



I GPGToc[& (.. 



: 




About 

GPCToo'ls is an open source initiative to bring OpenPCP to Apple OS X in t hie form of an easy installer 

package. This allows you to sign, verify, encrypt, and decrypt files and e-mails. Read the introduction 
to get a detailed idea of how PGP works. 

The project section provides more information about the included applications and related projects. 
And if you have any further questions that are not listed in the FAQ or if you want to get the latest 
news, please do not hesitate to open the contact section. Finally, if you like you can make a donation. 




fa rami &n." 



2. Download the software by choosing 'Save File' and clicking 'OK' in the 
dialogue. 



140 



.a. 



Opening GPGTools-20110322.dmg 



You have chosen to open 
GPGTools-20UD322.dmg 
which is a: dmg File 
from: http://cloud.github.com 

What should Firefox do with this file? 



^ Open with ( Choose.. .J 
(5 Save File 

!_! Do this automatically for files like this from now on. 



(_ Cancel ) ff 




OK 



3. Navigate to the folder where you normally store your downloads (Mostly 
the desktop or the downloads folder surprisingly) en double click the '.DMC 
file to open the virtual disk containing the installer. 

n Q n [5] Downloads CD 




CPCTools-20:i0322.dmg 



4. Open the installer by double-clicking on the icon. 



141 




U n install 



5. The program will check your computer to see if it can run on the computer. 

(Note, if you're Mac is bought before 2006 it will not have an Intel 
processor required to run this software and the installation will fail. 
Sadly it is beyond the scope op this manual to also take into account 
computers over five year old) 



„ Install CPCTools 



6 Introduct 

■ Destinatic 

• Installation 

• InstaliatiG 

• Summary 





This package will run a program to 
determine if the software can be installed. 

To keep your computer secure, you should only run 
programs or install software from a trusted source. If 
you're not sure about this software's source, click 
Cancel to stop the program and ttie ini 




: v Cancel j (( Continue : 



fix only) 



This will allow you to use DpenPGPon DSX, 

Note: please close Mail.app first and have a look at http^/gpgtools.org for 
further information. 



( Go Back J : v Continue ) 



142 



You will be guided by the program through the next steps like accepting the 
license agreement. But stop pressing all the OK's and Agrees as soon as you 
come to the 'Installation Type' screen: 

«. Install CPCTools 
Standard Install on "Macintosh HD" 



u Introduction 

Destination Select 

u Installation Type 

■ Installation 

■ Summary 




M 



This will take 48,7 ME of space on your computer. 

Click Instill to perform a standard installation of 

this software on the disk ''Macintosh HD". 




( Go Back ) ( Install ) 



6. Clicking 'Customize' will open this screen where you several options of 
programs and software to install. You can click on each one of them to get a 
little bit of information on what is is, what it does and why you might need it. 



143 



», Install CPCTnols 



Custom Install on "Macintosh HD" 



u Introduction 
Destination Select 
<J Installation Type 
• Installation 
O Summary 




Package Name 
& MacGPGZ 

GGPGMail -4 

|3 GPGKeychainAccess 
|3 GPGServkes 

GPGPreferences 

1 Enigmall ^ 



Space Required: 36,4 MB 



Install 


24,1 MB 


Skip 


12,3 MB 


Install 


5,1 MB 


Install 


7 MB 


Install 


203 KB 


Skip 


1,4 MB 



Remaining: 42,93 CB 



( Go Back ) ( Install ) 



As said in the intra; we advice against using Apple Mail in combination with 
PGP. Therefore you won't be needing 'GPGMail', as this enables PGP on Apple 
Mail, and you can uncheck it. 

'Enigmail' on the other hand is very important as it is the component that will 
enable Thunderbird to use PGP. In the screen shot here it is greyed out as the 
installer wasn't able to identify my installation of Thunderbird. Since this 
seems to be a bug. You can also install Enigmail from within Thunderbird as is 
explained in another chapter. 

If the option is not greyed out in your installation, you should tick it. 

Afteryou checked all the components you want to install click 'Install' to 
proceed. The installer will ask you for your password and after you enter that 
the installation will run and complete; Hooray! 



144 



o 



». Install CPGTnols 



The installation was completed successfully. 



u Introduction 
u Destination Select 
u Installation Type 
u Installation 
u Summary 




© 



The installation was successful. 



The software was installed, 



{ Go Back ^ ( Close N 



Installing up Engimail 

Step l. OpenThunderbird, then Select Tools > Add-ons to activate the Add-ons 
window; the Add-ons window will appear with the default Get Add-ons pane 
enabled. 



In the Add-On window, you can search for 'Enigmail' and install the extension 
by clicking Add to Thunderbird ...' 

2. After you open the Add-On window, you can search for 'Enigmail' and install 
the extension by clicking Add to Thunderbird ...' 



145 




Add-ons 



Get Add-ons 




En ig mail 



1 




- 


-^ 


_ _ _ _ 


S I 


: 




_-._ 


~ J^ Ji 






■'_ ■ 


--■-■_ 






^fT=™_=r- 


it-~ 


* 










" 



















Bro-wse All Add-ons 



***** 

en PGP message encryption and authentication 

for Thunder bird and SeaMonkey. 



Leopard Mail-Default-Aqua 

This theme is the skin wnich can change your Tin underbird like LeopardMail. 







i Leopard Mail 

It is a Theme of the Mac Leopard-style which did iLeopard in a model. 



0® Display Mail User Agent 

'tM^M Displays icon for user agent of received mails. 






Leopard Mail-Defau It-Graphite 

This theme is the skin which can change yourThunderbird |j|( e LeopardMail. 



See r.l ■■es.it; :3i 



( Gear Results '; 



( Install... ) 



3. Click on 'Install Now' to download and install the extension. 



146 



Be aware that you will have to restart Thunderbird to use the functionality 
of this extension! 

Now that you have successfully downloaded and installed Enigmail and PGP 
you can go on to the Chapter that deals with setting up the software for use. 



147 



Installing PGP on Ubuntu 

We will use the Ubuntu Software Centre for installing PGP (Enigmail and 
accessories). First open the Ubuntu Software Center through Applications -> 
Ubuntu Software Center: 



File Edit View Help 
D Installed Software 



Hi— MUM 



< : Get Software 



Ubuntu Software Center 



atured Applications > 



Departments 



Graphics 



32731 items available 



«• M © 



Office Science t 

Eneineerir 



Type into the search field 'Enigmail' and search results should be returned 
automatically: 



< > 



CetS 



oftware 



Search Results 



C^ enigmail| 



£,. Enigmail extension for Thunderbird 
*"" CPC support for Thunderbird 



More Info 

French language package for Enigmail (transitional package) 
enigm ail-local e-fr 

Finnish language package for Enigmail (transitional package) 
enigm ail-local e-fi 

Norwegian Bokmal language package for Enigmail (transitional package) 
enigmail-locale-nb 

Swedish language package for Enigmail (transitional package) 
enigmail-locale-^ 



Install 



Highlight the Enigmail item (it should be highlighted by default) and click 
'Install' and you will be asked to authenticate the installation process. 



148 



Authentication is required to 
install software packages 

An application is attempting to perform an action that 
requires privileges. Authentication is required to perform this 
action. 



Password: 



+ Details 



Cancel 



Authenticate 



Enteryour password and click 'Authenticate 1 . The installation process will 
begin. 



File Edit View Help 

D Installed Software 
^ In Progress (1) 




a. 



French language package for Enigmail (transitional package) 
enigmail-locale-fr 

Finnish language package for Enigmail (transitional package) 
enjgmajl-hcak-fi 

Norwegian Bokmal language package for Enigmail (transitional package) 
eniemail-bcak-nb 

Swedish language package for Enigmail (transitional package) 

Slovenian language package for Enigmail (transitional package) 

Czech language package for Enigmail (transitional package) 

Polish language package for Enigmail (transitional package) 
enigmail-locak-pl 

Portuguese (BR) language package for Enigmail (transitional package) 
enigmail-locak-pt-br 

Hungarian language package for Enigmail (transitional package) 

20 matching items 






When the process is completed you get very little feedback from Ubuntu. The 
progress bar at the top left disappears. The 'In Progress' text on the right also 
disappears. Enigmail should now be installed. 



149 



Creating your PGP keys 

You are now ready to start encryption your mails with PGP. You can do this by 
using Enigmail within Thunderbird. Enigmail comes with a nice wizard to help 
you with the initial setup and the important aspect of creating a 
public/private key pair (see the chapter introducing PGP for an explanation). 
You can start the wizard at any time within Thunderbird by selecting 
OpenPGP > Setup Wizard from the menu on top. 

Step 1. This is what the wizard looks like. Please read the text on every 
window carefully. It provides useful information and helps you setup PGP to 
your personal preferences. In the first screen, click on Next to start the 
configuration. 



OpenPGP Setup Wizard 



Welcome to the OpenPGP Setup Wizard 



This wizard helps you to start using OpenPGP right away. Over the next Few 
screens we'll ask you some questions to get everything setup. 

To keep everything simple, we make some assumptions about 
configuration. These assumptions try to provide a high level of security for 
the average user without creating confusion. Of course, you can change all 
of these settings after you finish the wizard. You can find out more about 
the OpenPGP features in the Help menu or on the Enigmail website. 

If you have any trouble using this wizard, please let us know by emailing us. 

This wizard is automatically invoked when you first install Enigmail. You can 
also launch it manually from the OpenPGP menu. 

Thank you for choosing Enigmail OpenPGP! 



Would you like to use the wizard now? 



t| Yes, I would like the wizard to get me started 



O No, thanks. I prefer to configure things manually 



©Cancel 



^Next 



Step 2. The wizard asks you whetheryou want to sign all your outgoing mail 
messages. If you do not chose to sign all your messages, you will have to 
specify per recipient if you want to sign your e-mail. Signing all your messages 
is a good choice. Click on the 'Next' button afteryou have made a decision. 



150 



) OpenPGP Setup Wizard 



Signing 

Digitally Sign Your Outgoing Emails 



OpenPGP allows you to digitally sign your emails. This is like the electronic 
version of signing a letter, and it allows people to be sure that an email is 
really From you. It's good security practice to sign all outgoing email. 

To verify your signed email, people need an OpenPGP-aware mail program. 
If they don't have an OpenPGP-aware mail program they will be able to 
read your email, but the signature will be displayed as an attachment or as 
text around the email message. This might annoy some people. You need to 
choose if you want to sign all outgoing email, or if you want to avoid 
sending signed email to some people. 

Do you want to sign all your outgoing email by deFault? 

>| Yes, I want to sign all oF my email ] 

O No, I want to create per-recipient rules For emails that need to be signed 



©Cancel 



■CBack 



Step 3. On the following screen, the wizard asks you whether you want to 
encrypt all your outgoing mail messages. Unlike signing of mails, encryption 
requires the recipient to have PGP software installed. Therefore you should 
answer 'no' to this question, to make sure you can still send normal mails. 
Only answer 'yes' here if you never want to prevent Thunderbird from sending 
unencrypted mails. Afteryou have made your decision, click on the 'Next' 
button. 



151 



OpenPGP Setup Wizard 



Encryption 

Encrypt Your Outgoing Emails 



OpenPGP allows you to encrypt your email messages and any attachments. 
Encryption is like putting a letter in an envelope. It makes things private. 
It's notjust for "secret" messages, but For everything thatyou would not 
send on a postcard. 

On a technical level, encryption works like a padlock that only the recipient 
has the key for. Unlike signing, to use encryption all the recipients oF an 
email need to use OpenPGP. People need to give you their public key 
before you can send them encrypted email (the public key is the pad lock 
we were talking about). 

Unless most of your communication partners have public keys, you should 
not enable encryption by default. 

Shall your outgoing email be encrypted by default? 
G Yes, I have public keys for most of my contacts 



No, I will create per-recipient rules for those that sent me their public 
key 



©Cancel 



■^ Back 



Step 4: On the following screen the wizard asks if he can change some of your 
mail formatting settings to better work with PG P. It is a good choice to 
answer 'Yes' here. The only serious thing is that it will prevent you from doing 
is sending HTML mail messages. Click on the 'Next' button afteryou have 
made your decision. 



152 



) OpenPGP Setup Wizard 



Preferences 

Change Your Email Settings To Make OpenPGP Work More Reliably 



This wizard can change your email settings to make sure there are no 
problems with signing and encrypting email on your machine. These setting 
changes are mostly technical stuff you will not notice, though one 
important thing is that email will be composed in plain text by default. 

Do you want to change a few default settings to make OpenPGP work 
better on your machine? 

© Yes 



Details ... 



O No, thanks 



©Cancel 



■CBack 



2>Next 



Step 5: Now it is time to start creating the keys. In the following screen you 
can select one of your mail accounts, or the default one is selected foryou if 
you have only one mail account. In the 'Passphrase' text box you have to give 
a password. This is a new password which is used to protect your private key. 
It is very important both to remember this password, because you cannot 
read your own encrypted emails any more when you lose it, and to make it a 
strong password. It should be at least 8 characters long, not contain any 
dictionary words and it should preferably be a unique password. Using the 
same password for multiple purposes severely increases the chance of it 
being intercepted at some point. After you have selected your account and 
created a passphrase, click on the 'Next' button. 



153 



OpenPGP Setup Wizard 



Create Key 

Create A Key To Sign And Encrypt Email 



You need to have a 'key pair' to sign and encrypt email, or to read emails 
that are encrypted. A key pair has two keys, one public and one private. 

You need to give your public key to everyone in your contact list who will 
want to verify your signature, or to encrypt email to you. Meanwhile, you 
need to keep your private key secret. You must not give it away, or leave it 
unprotected. It can read all the email people encrypt and send to you. It can 
also encrypt email in your name. Because it's secret, it's protected by a 
passphrase. 

Account /User ID: 

Johnny Cash <maildemo@greenhost.nl> -maildemo@greenhost.nl 

Passphrase 



Please confirm your passphrase by typing it again 



©Cancel 



■C Back 



Next 



Step 6: In the following screen the wizard basically wraps up what actions it 
will take to enable PGP encryption foryour account. If you are satisfied with 
the options you chose in the previous windows, click on the 'Next' button. 



154 



) OpenPGP Setup Wizard 



Summary 

Confirm that the wizard shall row commit these charges 



You are almost complete! IFyou click on the 'Next' button, the wizard will 
perform the Following actions: 

-Create a new 2048-bit OpenPGP key, valid for S years 
-Activate OpenPGP For your email account 

- Sign all emails by deFault 

- Do not encrypt emails by deFault 

-Adjust all recommended application settings 



©Cancel 



■CBack 



Step 7: Your keys are being created by the wizard. Have some patience. The 
progress bar should slowly fill up to the right. The wizard will tell you when 
the keys have been successfully created, then you can click on the 'Next' 
button again. 



155 



OpenPCP Setup Wizard 



Key Creation 

Your key is now being generated 



Key Generation Console 
NOTE: Key generation may take up to several minutes to complete. 
Do not exit the application while key generation is in progress. Actively 
browsing or performing disk-intensive operations during key generation 
will replenish the 'randomness pool' and speed-up the process. You will 
be alerted when key generation is completed. 



EI 



IB 



©Cancel 



■C Back 



Next 



Step 8: You now have your own PGP key-pair. The wizard will ask you if you 
also want to create a special file, called a 'Revocation certificate'. This file 
allows you to inform others that your key-pair should no longer be considered 
valid. Think of it as a 'kill switch' foryour PGP identity. You can use this 
certificate in case you have generated a new set of keys, or in case your old 
key-pair has been compromised. It is a good idea to create the file and keep it 
somewhere in a safe place. Click on the 'Generate Certificate' button if you 
want to create the file, otherwise 'Skip'. 



OpenPGP Confirm 



© 



Key generation completed! Identity <maildemo(a>greenhost.ni> will be used for signing. 

We highly recommend to create a revocation certificate foryour key. This certificate can be used 
to invalidate your key, e.g. in caseyour secret key gets lost or compromised. Do you want to 
create such a revocation certificate now? 



©Skip | ^/Generate Certificate! 



Step 9: Assuming you have decided to generate a revocation certificate, the 
wizard will askyou where the file should be saved. The dialog may appear a 
bit different on your particular operating system. It is a good idea to rename 
the file to something sensible like my_revocation_certificate. Click on 'Save' 
when you you have decided on a location. 



156 



©@ Create & Save Revocation Certificate 








Name: 


maildemo@greenhost.nl (0xSB8S5D26) rev.asc 










Save in Folder: 


jsdentoir ; 




► Browse for other Folders 






Cancel Save 











Step 10: Assuming you have decided to generate a revocation certificate, the 
wizard informs you it has been successfully stored. 



Open PGP Alert 



The revocation certificate has been successfully created. You can use it to invalidate your public 
key, e.g. in caseyou would loseyour secret key. 

Please transfer it to a medium which can be stored away safely such as a CD or Floppy Disk. If 
somebody gains access to this certificate they can use it to render your key unusable. 



^?OK 



Step 11: The wizard will inform you it has completed its setup. 



157 



OpenPGP Setup Wizard 



Thank you 



OpenPGP is now ready to use. 
Thank you for using Enigmail. 





' ©Cancel 


ack 


Finish 



Congratulations, you now have a fully PGP-configured mail client. In the next 
chapter we will explain how to manage your keys, sign messages and do 
encryption. Thunderbird can help you do a lot of these things automatically. 



158 



Daily PGP usage 



In the previous chapters we have have explained how to set up a secure mail 
environment using Thunderbird, PGP and Enigmail. We assume you have 
installed the software and have successfully followed the wizard instructions 
to generate an encryption key-pair as described in the previous chapter. This 
chapter will describe how to use your secured Thunderbird in daily life to 
protect your e-mail communication. In particular we will focus on: 

1. Encrypting Attachments 

2. Entering your pass-phrase 

3. Receiving Encrypted Email 

4. Sending and receiving public keys 

5. Receiving public keys and adding them to your key ring 

6. Signing e-mails to an individual 

7. Sending encrypted e-mails to an individual 

8. Automating encryption to certain recipients 

9. Verifying incoming e-mails 

10. Revoking your PGP key pair 

11. What to do when you have lost your secret key, or forgot your 
passphrase 

12. What to do when your secret key has been stolen, or compromised 

13. Backing up your keys 

First we shall explain two dialog windows that will inevitably appear after you 
start using Thunderbird to encrypt your emails. 



Encrypting attachments 

The dialog window below will pop-up whenever you are sending an encrypted 
email with attachments for the first time. Thunderbird asks a technical 
question on how to encrypt attachments to your mail. The second (default) 
option is the best choice, because it combines security with the highest 
compatibility. You should also select the 'Use the selected method for all 
future attachments' option. Then click 'OK' and your mail should be sent with 
no further delay. 



159 



Open PGP Prompt 



£3 



This message contains attachments, How would you like encryption them? 
Q Just encrypVsign the message text, but not the attachments 
(Of) EncrypVsign each attachment separately and send the message using inline PGP 
j Encrypfr'sign the message as a whole and send it using PGP/MIME 

NOTE: PGP/MIME is only supported by a limited number of mail clients! On Windows only 
Mozilla/Thunderbird, Sylpheed, Pegasus and Mulberry are known to support this standard; on 
Linuw'UNIXand Mac OSX most popular mail clients support it, If you are unsure, select the 
second option. 

[71 Use the selected method for all future attachments 



OK 



Cancel 



Enteringyour pass-phrase 

For security reasons, the pass-phrase to your secret key is stored temporarily 
in memory. Every now and then the dialog window below will pop-up. 
Thunderbird asks you for the pass-phrase to your secret key. This should be 
different from your normal email password. It was the pass-phrase you have 
entered when creating your key-pair in the previous chapter. Enter the pass- 
phrase in the text-box and click on 'OK' 



Open PGP Prompt 



h^d 



C\ Please type in your QpenPGP passphrase oryour SrnartCard PIN 


1 


Rememb 


erforS idle min 


jtes 






OK 




Cancel 















Receiving encrypted mails 

The decryption of emails is handled automatically by Enigmail, the only action 
that may be needed on your behalf is to enter the pass-phrase to your secret 
key. However, in order to have any kind of encrypted correspondence with 
somebody, you will first need to exchange public keys. 



160 



Sending and receiving public keys 

There are multiple ways to distribute your public key to friends or colleagues. 
By far the simplest way is to attach the key to a mail. In order for your friend 
to be able to trust that the message actually came from you, you should 
inform them in person (if possible) and also require them to reply to your 
mail. This should at least prevent easy forgeries. You have to decide for 
yourself what level of validation is necessary. This is also true when receiving 
emails from third-parties containing public keys. Contact your correspondent 
through some means of communication other than e-mail. You can use a 
telephone, text messages, Voice over Internet Protocol (VoIP) or any other 
method, but you must be absolutely certain that you are really talking to the 
right person. As a result, telephone conversations and face-to-face meetings 
work best, if they are convenient and if they can be arranged safely. 

Sending your public key is easy. 



1. In Thunderbird, click on the 



VI 



Write 



icon. 



2. Compose a mail to your friend or colleague and tell them you are sending 
them your PGP public key. If your friend does not know what that means, you 
may have to explain them and point them to this documentation. 

3. Before actually sending the mail, click to OpenPGP > Attach My Public Key 

option on the menu bar of the mail compose window. Next to this option a 

marked sign ^ will appear. See the example below. 



161 



Write: SpnHmfj ynu mu puhlir tpv 1 n M^^H 


File Edit View Options 
{■jSend a ]j Spell - ( 


OpenPGP] loots Help 




■/ Sign Message Ctrl+Shift+S 
Encrypt Message Ctrl+Shift+E 
UsePGP/MIMEfor This Message 
Undo Encryption 


- H Save - 


From: Johnny Cash ^mai 


ni 






To: | H fri 






V Attach My Public Key 


Help 








Subject: Sending you my public key 




Hi there, 

As we discussed, i hereby am sending you my PGP public key. Please 
confirm that you have received this message. 

Cheers, 

Johnny 


k- J &$> 



4. Send your mail by clicking on the 



Send 



button. 



Receiving public keys and adding them to your keyring 

Lets say we receive a public key from a friend by mail. The key will show up in 
Thunderbird as an attached file. Scroll down the message and below you will 
find tabs with one or two file names. The extension of this public key file will 
be .asc, different from the extension of an attached PG P signature, which 
ends with .asc.sig 



Look at the example email in the next image, which is a received, signed PGP 
message containing an attached public key. We notice a yellow bar with a 
warning message: 'OpenPGP: Unverified signature, click on 'Details' button 
for more information'.Thunderbird warns us that the sender is not known yet, 
which is correct. This will change once we have accepted the public key. 

What are all those strange characters doing in the mail message? Because 
Thunderbird does not recognize the signature as valid, it prints out the entire 
raw signature, just as it has received it. This is how digitally signed PGP 
messages will appear to those recipients who do not have your public key. 



162 



The most important thing in this example is to find the attached PGP public 
key. We mentioned it is a file that ends with an .asc. In this example it's the 
first attachment on the left, which is in the red circle. Double-clicking on this 
attachment would make Thunderbird recognize the key. 



1 = I a . 



(5 Inbo>:-iv1osilla Thunderbird 
File Edit View Go Message OpenPGP Tools Help 
^GetMai - /Write ||J Address Boot Tag- ^Decrypt 



P 



-.ilnbo, 

Drafts 

TjT Trash 
■ Local Folders 



11 OpenPGP Unverified signature; click on 'Details' button for rr 



■^ Quick Fife, 

* i; @ Subjet 



Johnny Cash 



. Date 
17:14 



I l»3>i reply ' I "iff forward 



from You 
ubje-:t PGPmailt 



In this example I have sent myself a new key! Look at the attachment at 
the lower end o-F this window. It is the left one you will want. 
Double-click on it! 

BEGIN PGP SIGNATURE 

Version: GnuPG ul.4.11 (MingW32) 

Cci?ifer-: Using GnuPG with Hoiilla - i~tj:. . ^•l?- , ;L_ .■•■ , o;dey .org/ 

iQEcBAEBA§AGBQ]NutXCAAQ3EI2tfFdCaCCvwBYIAIznV2T3LYG01aL7feautEph 
aqfXhVfspGh6BIe3IjAzE4-VxtFzZ5LFFB9y3PzYSvweSKfRRlmclNqNoxQeGHl'JDW 



L^ 



A. 



In the example image above, we should double-click on the attached .asc file 
to import the PGP public key. 

After we have clicked on the attachment, the following pop-up will appear. 

OpenPGP Confirm 



C\ The attachment '0x426"820AF.asc' you are opening appears to be an OpenPGP key file. 

Click 'Import' to import the keys contained or 'View' to view the file contents in a browser window 



Import 



View 



Thunderbird has recognized the PGP public key file. Click on 'Import' to add 
this key to your keyring. The following pop-up should appear. Thunderbird 
says the operation was successful. Click on 'OK' and you are done. You now 
have the ability to send this friend encrypted messages. 



163 



Open PGP Alert 



fc_8^ 



The key(s] were successfully imported 

gpg: key 42 6820 AF: "Johnny Cash <rnailderno@greenhost.nl>" not changed 
gpg: Total number processed: 1 
gpg: unchanged: 1 



OK 



We are back in the main Thunderbird screen and we refresh the view on this 
particular example message, by clicking on some other message and back for 
example. Now the body of the message looks different (see below). This time 
Thunderbird does recognize the signature, because we have added the public 
key of the sender. 



(3 InboK - Mozilla Thunderbird 



File ii- vie.-. 5c Message i;:e E : 5? Tools Help 



^ Get Mail - |=yfwrrt 



Tag- ^Decrypt 



J^L 



1 m.ailde1no@igree11ho5t.nl 

-Alnbox 

lj Drafts 

■ Sent 

TST Trash 

■ Local Folders 



fc * & Subject 

® PGP mail test 



Johnny Ca:h 



from Vouii 

PGP mail test 



| Uffl reply | - | tp. forward | | ijy archive | | q junk | | X delete 



In this example I ha' 
the lower end of thi: 
Double-click or it! 



LJ Dri26aZ)AF.a- 



There is still one that remains. While Thunderbird now recognizes the 
signature, we should explicitly trust that the public key really belongs to the 
sender in real life. We realise this when we take a closer look at the green bar 
(see below). While the signature is good, it is still UNTRUSTED. 



g - p-p UNTRUSTED Good signaturefrom Johnny Cash <maildemo©greenhost.n 
Key ID; Ox426820AF/ Signed on: 29-4-2011 17:14 



We will now decide to trust this particular public key and the signatures 
made by it. We can do this immediately by clicking on 'Details'. A small menu 
will appear (see below). From this menu we should click on the option 'Sign 
Sender's Key ...'. 



164 



Key ID: 0x4268 20AF 

ficm Vou- 
;uh\^a PGP mail test 

to Vou 


griatu re from Johnny Cas 
Signed on: 29-4-2011 17: 




no@>gtee 






■^ re p'y 


fc 






Det.ils ■ 


QpenPGPSecmitylr 
Copy Qpen.P&P Sec 
View OpenPGP Phot 


3 ID 


,„ 


Sign Sender's Key... 
Set Owner Trust ofS 


»* 




In this example I hav 
the lower end of this 
Double-click on it! 


sent myself a ne 
window. It is the 


left 


ne yo 


t the attachm 
will want. 


r^ a^ 
















jj 0x426820AF.asc 


l_l Oa426820AF,asc,ag 





















After we have selected 'Sign Sender's Key ...' we will get another selection 
window (see below). We are requested to state how carefully we have 
checked this key. The explanation of levels of trust and trust networks in PG P 
falls outside the scope of this document. We will not use this information, 
therefore we will just select the option 'I will not answer'. Also select the 
option 'Local signature (cannot be exported)'. Click on the 'OK' button to 
finishing signing this key. This finishes accepting the public key. 



OpenPGP - Sign Key l ^ ' 




Key to be signed: Johnny Cash <rnailderno@greenhost.nl> - 0x426820AF 
Fingerprint: 6DE6 7493 0697 00BF3ED2 90C0 3DAD 7C57 4263 20AF 






Key for signing: Ernile < ernile@greenhost.nl> - 0x03181112 t 






How carefully have you verified that the key you are about to sign actually belongsto the person(s] named above? 






(»);I will not answer 




O I have not checked at all 

■ ■ I have done casual checking 

O I have donevery careful checking 




-J Local signature (cannot be exported] 






OK | Cancel 











Using public key servers 

Another method of distributing public keys is by putting them on a public key 
server. This allows anyone to check whetheryour email address has PGP 
support, and then download your public key. 

To put your own key on a keyserver, take the following steps. 

1. Head to the key manager by using the Thunderbird menu and click on 
OpenPGP > Key Management 



165 




Jgi, m.ailderTKi#g reenhost.nl 
J^Jnb™ 

Draft: 

Trash 

j eitiile@greerlit>5t,rl 

(Aj Inbox (675) 

Drafts 

a- 



2. The key management window will be displayed and looks like this: 



u P 



i QpenPGP Key Management 



File Edit View Keyserver Generate 
Search for: 



\7\ Display All Keys, by Default 






Key ID 
BFD1247E 



3. You need to have selected the 'Display All Keys by Default' option to get a 
list of all your keys. Lookup your own email address in the list and right click 
on the address. A selection window will appear with some options. Select the 
option 'Upload Public Keys to Keyserver'. 



166 



C^ QpenPGP Key Management 






■ i-=.|.@ i„£s-r 


File Edit View Keyserver Generate 


Keys by Default 




Search for: 


Display A 






Name 




Key ID m 


• 


Copy Public Keys to Clipboard 
Export Keys to File 






Send Public Keys by Email 


Upload Public Keys to Keyserver 




Refresh Public Keys From Keyserver 








Sign Key 








Set OwnerTrust 








Disable Key 








Revoke Key 








Delete Key 








Manage User IDs 








Change Pa^sphra^e 

Generate & Save Revocation Certificate 











4. You will see a small dialog window like below. The default server to 
distribute your keys to is good. Press 'OK" and distribute your public key to 
the world. 



Select Keyserver 



t_»J 



Send public key 0i96DF66FD - Emile 
<ernile©greenhost.nl> to keyserver: 



Keyserver | 



OK 



Cancel 



To look up whether some email address has a public key available on a server, 
take the following steps. 

1. Head to the key manager by using the Thunderbird menu and click on 
OpenPGP > Key Management 

2. In the key manager window menu bar, select Keyserver > Search for Keys 



167 



Q QpenPGP Key Management 



i (h) |- is T 



File Edit View 

Search for: 



Name 

> Emile -cemilei 



Keyserver| Generate 



Refresh Selected Public Keys 
Search for Keys 



Upload Public Keys 
Refresh All Public Keys 



\7\ Display All Keys by Default 



Key ID .JZ 

96DF66FD 



3. In this example we will look-up up the key for the creator of PGP software, 
Philip Zimmermann. After we have entered the email address, we click on 
'OK 1 . 



Select Keyserver 


1 1 


Search for key 
Keyserver 






|ff^3!ffi1H?T 




pool.sks-lceyserverc.net » 
















OK 




Cancel 















4, The next window displays the result of our search. We have found the 
public key. It is automatically selected. Just click on 'OK' to import the key. 



168 



Download OpenPGP Keys 



L^_J 



Found Keys - Select to Import 



Account/ User ID 



5. Importing the key will take some time. On completion you should see a 
pop-up window like below. 



OpenPGP Alert 



fc_SJ 



gpg 
gpg 
gpg 
gpg 
gpg 
gpg 

gpg: 



requesting key B2 D7795 E f ro m hkp server p 1 , sks- keyservers, n et 
key B2D77g5E: public key "Philip R. Zimmerman n <prz@mit.edu>" imported 
3 marginal(s) needed, 1 cornplete(s) needed, PGP trust model 
depth: valid: 1 signed: trust: 0-, Oq, On, Om, Of, lu 
nexttrustdb check due at 2016-04-29 
Total number processed: 1 
imported: 1 



6. The final step is to locally sign this key, to indicate that we trust it. When 
you are back in the key manager, make sure you have selected the 'Display All 
Keys by Default' option. You should now see the newly imported key in the 
list. Right-click on the address and select the option 'Sign Key' from the list. 



169 



Cj 1 OpenPGP Key Management 



(h) I- IS T 



File Edit View Keyserver Generate 
Search for: 



\7\ Display All Keys by Default 



Name 

I? Emile «i ile@greenhost.nl> 



BBB 1 



Key ID m 

96DF66FD 



Copy Public Key: tc Clipboard 
Export Keys to File 
Send Public Keys by Email 
Upload Public Keys to Keyserver 
Refresh Public Keys From Keyserver 

Sign Key 

Set Owner Trust 

Disable Key 

Revoke Key 

Delete Key 

Manage User IDs 

Change Passphrase 

Generate Si Save Revocation Certificate 



7. Select the options 'I will not answer' and 'Local signature (cannot be 
exported)', then click on 'OK'. You are now finished and can send Philip 
Zimmermann encrypted mail. 



T^T 



OpenPGP - Sign Key 



Key to be signed: Philip R. Zimmermann <prz©rnit.edu> - 0xB2D7795E 
Fingerprint: 055F C73F1121 9349 2C4F37AF C746 3639 B2D7 795E 



Key for signing: Ernile <ernile©greenhost.nl> -0j36DF66FD 



How carefully have you verified that the key you are about to sign actually belongsto the person(s] named above? 
(*) I will not answer 



Q I have not checked at all 

■ ■ I have done casual checking 

Q I have donevery careful checking 



F71 ; Local signature (cannot be exported] 



Signing emails to an individual 

Digitally signing email messages is a way to prove to recipients that you are 
the actual sender of a mail message. Those recipients who have received your 
public key will be able to verify that your message is authentic. 



1. Offeryour friend your public key, using the method described earlier in this 
chapter. 



170 



2. In Thunderbird, click on the 



Write 



3. Before actually sending the mail, enable the OpenPGP > Sign Message 
option via the menu bar of the mail compose window, if it is not enable 
already. Once you have enabled this option, by clicking on it, a marked sign 

* will appear. Clicking again should disable encryption again. See the 
example below. 



Write: What ; up? 
File Edit View Ogtn 

[BjSend | a !^ Spell - [ ■> Sign M= 

Encrypt Me? 



■ [ OpenPGP ] look Help 



age 



CtrkShift+5 
Ctrl+Shift+E 



UE.ePGP/MIMEforThi E Me- 
Undo Encryption 
Attach My Public Key 
Help 



- [^Save - 



Subject: What's up? 



I have signed this message with PGP to proof that it is really me. 
Emile 



\i>p 



Click on the 



Send 



button and your signed mail will be sent. 



Sending encrypted mails to an individual 

1. You should have received the public key from the friend or colleague you 
want to email and you should have accepted their public key, using the 
method describe earlier in this chapter. 



2. In Thunderbird, click on the 



Write 



icon. 



171 



3. Compose a mail to the friend or colleague, from who you have previously 
received their public key. Remember the subject line of the message will not 
be encrypted, only the message body itself, and any attachments. 

4. Before actually sending the mail, enable the OpenPGP > Encrypt Message 
option via the menu bar of the mail compose window, if it is not enabled 
already. Once you have enabled this option, by clicking on it, a marked sign 

* will appear. Clicking again should disable encryption again. See the 
example below. 



"'1 (3 \- 



I: contains private content 



File Edit View Option* [ OpenPGP ] Tools Help 



From: Johnny Cash < 



V Sign Menage Ctrl+Shift+S 

■/ Encrypt Message Ctrl+Shift+E 

Use PGP/MIMEfor This Message 

Undo Encryption 

Attach My Public Key 

Help 



- jTJSave - 



Subject: BfiR mail: contains private content 



Hello Johnny, 



glad to finally have private correspondence with you. 
This mail will be encrypted with PGP. 



5. 



Click on the 



Send 



button and your encrypted mail will be sent. 



Automating encryption to certain recipients 

You will often want to make sure all your messages to a certain colleague or 
friend are signed and encrypted. This is good practice, because you may 
forget to enable the encryption manually. You can do this by editing the per- 
recipient rules. To do this we access the OpenPGP per-recipient rule editor. 



Select OpenPGP > Preferences from the Thunderbird menu bar. 
172 



I InboK - maildemo@gneenhost.nl - Mozilta Thundenbird 



File Edit View Go Menage 
* Get Mail - /Write | 



,-.T--| Inbox - maildercio@greenh< 



All Folders 



4 I 



Jgljmaildemo-@greerhost.nl 

Drafts 
Hi Sent 
Tjs> Trash 
4 gi, em ile@g reenhost.nl 
(Aj Inbox (875) 
,__, Drafts 
iHi Sent 
TT77T> a =h 



OperiPGPj lools Help 



Save Decrypted Message 



Preferences 

Key Management 

Help 

Setup Wizard 

About OpenPQP 



ifcate - Inbox - 



rypt 



^ 



fcate 
ficate 



The preferences window will appear like below. We need to click on 'Display 
Expert Settings'. 



OpenPGP Preferences 



13JI 



Basic 



Basic Settings 

Files and Directories 

GnuPG was found in C:\Prograrn Files\GNU\GnuPGVgpg.exe 

Oi Override with! I 

Passphrase settings 

Remember passphrase for 5@ minutes of idletime 

^\ Never ask for any passphrase 



Browse,, 



Display Expert Settings 



Reset 



OK 



Cancel 



New menu tabs will appear in the window. Go to the tab 'Key Selection' and 
then click on the button labeled 'Edit Rules ...' 



173 



Open PGP Preferences 



Basic | Sending Key Selection Advanced | Keyserver | Debugging] 



How should we choose the keys? 

\ By pre-set rules only 
i$ By rules and email addresses 

~ ■ By email addresses 
Manually 

") No manual key selection 



Edit Rules,,. 



OK 



Cancel 



We are now shown the per-recipient rules editor (see below). This editor can 
be used to specify the way how messages to certain recipients are sent. We 
will now add a rule saying we want to encrypt and sign all mail messages to 
maildemo@greenhost.nl 

First click on the 'Add' button. 



oo 



OpenPGP - Per-Recipient Rules Editor 



View rules with email addresses containing: | 
Email OpenPGP Key(s] 



Sign 



Encrypt PGP/MIME B 



Modify 



Move Up 



Move Down 



Help 



Now the window to add a new rule will be shown. 

The first thing we should enter is the email address of the recipient. In the 
example below we have entered maildemo@greenhost.nl 



174 



Open PGP - Recipient Settings 



Set OpenPGP Rules for mailderno@greenhost.nl 



(Separate several email 
addresses with spaces) 



Apply rule if recipient Is exactly ▼ one of the above addresses 



Action 

Continue with next ruleforthe matching address 
Do not check further rules for the matching address 
(») Usethefollowing OpenPGP keys: 



(none - no encryption] 









Signing 


Yes, if selected in Message Composition 


- 








Encryption 


Yes, if selected in Message Composition 


- 








PGP/MIME 


Yes, if selected in Message Composition 


- 



(Note: in case of conflicts, 'Never' overrules 'Always') 



OK 



Select Key[s].., 



Cancel 



Help 



Now we will set the encryption defaults by using the drop-downs below. For 
Signing select 'Always'. For Encryption also select 'Always'. 



175 



Open PGP - Recipient Settings 



Set OpenPGP Rules for mailderno@greenhoEt.nl 



(Separate several email 
addresses with spaces) 



Apply rule if recipient Is exactly ▼ one of the above addresses 



Action 

Continue with next ruleforthe matching address 
~) Do not check further rules for the matching address 
(*) Usethefollowing OpenPGP keys: 








(none - no encryption] 




Select Key[s)... 

















OK 



Defaults for . 






Signing 


Always ▼ 










Encryption 






iAIways i t 










PGP/MIME 


Yes, if selected in Message Composition ■»■ 




(Note: in cas 


t of conflicts, 'Never' overrules 'Always') 





Cancel 



Help 



Finally we have to select our secret key, with which to encrypt our messages. 
Do not forget this important step. Click on the button labeled 'Select Key(s)...'. 
The key selection window shows up. In this example below, we only have one 
secret key. We select this key by clicking on the small box next to the address. 
Then we click 'OK' and all relevant windows and we are finished. 



176 



CcsnPGP Key Selection 



l^U 



Select OpenPGP Key(5.) to u^efor inaildeino©greenho*.t.nl 



Account/ User ID 



Expiry Key ID 



Refresh Key List Download missing keys 



Verifying incoming emails 

Decrypting email messages sent to you will be fully automatic and 
transparent. But it is obviously important to see whether or not a message to 
you has in fact been encrypted or signed. This information is available by 
looking at the special bar above the message body. 



A valid signature will be recognized by a green bar above the mail message 
like the example image below. 

\(ri Good siqnaturefrom .-: — ~ = :- ■: "r :ie ■-:--:: ::':;: - > „_, -, 

Key ID: Qx426820AF/ Signed on: 29-4-201117:14 

The last example message was signed but not encrypted. If the message had 
been encrypted, it would show like this: 

g n nrp Deciypted message; Good signaturefrom Emile^emile@greenhost.nl> n . 

KeyID:0jD31D3159/Signedon;30-4-201116;01 ' ""'" 

When a message which has been encrypted, but not signed, it could have 
been a forgery by someone. The status bar will become gray like in the image 
below and tells you that while the message was sent securely (encrypted), the 
sender could have been someone else than the person behind the email 
address you will see in the 'From' header. The signature is neccessaty to verify 
the real sender of the message. Ofcourse it is perfectly possible that you have 
published your public key on the Internet and you allow people to send you 
emails anonymously. But is it also possible that someone is trying to 
impersonate one of your friends. 



177 



OpenPGP Decrypted message 



Similarly if you receive a signed email from somebody you know, and you have 
this persons public key, but still the status bar becomes yellow and displays a 
warning message, it is likely that someone is attempting to send you forged 
emails! 



OpEnPGP Unverified signature; click on 'Details' button for more information 



Sometimes secret keys get stolen or lost. The owner of the key will inform his 
friends and send them a so-called revocation certificate (more explanation of 
this in the next paragraph). Revocation means that we no longer trust the old 
key. The thief may afterwards still try his luck and send you a falsely signed 
mail message. The status bar will now look like this: 



n pfp REVOKED KEY Good signaturefrom Emile^emile^greenhost.nl* 
KeyID:0xD3181112/Signed on: 30-4-2011 16:29 



Strangely enough Thunderbird in this situation will still display a green status 
bar! It is important to look at the contents of the status bar in order to 
understand the encryption aspects of a message. PGP allows for strong 
security and privacy, but only if you are familiar with its use and concepts. 
Pay attention to warnings in the status bar. 



Revoking your PGP key-pair 

Your secret key has been stolen by somebody. Your harddisk crashed and you 
have lost all your data. If your key is lost, you can no longer decrypt 
messages. If your key has been stolen, somebody else can decrypt your 
communication. You need to make a new set of keys. The process of creating 
keys, using the OpenPGP wizard in Thunderbird, has been described in this 
manual. But first you want to tell the world that your old public key is now 
worthless, or even dangerous to use. 

What to do when you have lost your secret key, or forgot 
your passphrase 

During the creation of your key-pair, the OpenPGP wizard offered you the 
possibility to create a so-called revocation certificate. This is a special file you 
send to others in the advent you have to disable your key. If you have a copy 
of this file, sending the revocation key is simply sending the file as an 
attachment to all your friends. You can no longer send signed mails 
(obviously, because you have lost your secret key). That doesn't matter. Send 
it as a normal mail. The revocation certificate file could only have been 
created by the owner of the secret key and proofs he or she wants to revoke 
it. That's why it should normally be kept hidden from others. 



178 



If you do not have the revocation certificate, there exists no other option 
than foryou to contact your friends personally and convince them your key is 
lost and that they should no longer trust it. 



What to do when your secret key has been stolen, or 
compromised 

If you have reason to believe your secret key has been compromised, or 
worse your secret key and passphrase, it is very important to contact others 
that they should stop sending you encrypted messages. With your secret key, 
other persons will be able to break the encryption of your e-mail messages if 
they also have your passphrase. This is also true for those messages you have 
send in the past. Cracking the passphrase is not trivial, but it may be possible 
if the party has lots of resources, like a state or a big organization for example, 
or if your passphrase is too weak. In any case you should assume the worst 
and assume your passphrase may have been compromised. Send a revocation 
certificate file to all your friends or contact them personally and inform them 
of the situation. 



Even after you have revoked your old key pair, the stolen key may still be used 
to decrypt your previous correspondence. You should consider other ways to 
protect that old correspondence, for instance by re-encrypting it with a new 
key. The latter operation will not be discussed in this manual. The chapter on 
'Securing personal data' may be of some help. If you are uncertain you should 
seek assistance from experts or lookup more information on the web. 



Receiving a revocation certificate 

If one of your friends sends you a revocation certificate, he asks you to 
distrust his public key from now on. You should always accept such a request 
and 'import' the certificate to disable his key. The process of accepting a 
revocation certificate is exactly the same as accepting a public key, as has 
already been described in the chapter. Thunderbird will askyou if you want to 
import the 'OpenPGP key file'. Once you have done so, a confirmation pop-up 
should be displayed like below. 



OpenPGP Alert I u I 



The key(s) were successfully imported 



gpg 

9P3 
9P3 
9P9 
9P9 

9FJ 



keyBFD1247E: "Emile <etnile©greenhost.nl>" revocation certificate imported 
Total number processed: 1 

new key revocations: 1 
3 marginal(s) needed, 1 complete(s) needed, PGP trust model 
depth: valid: 1 signed: trust: 0-, Oq, On, Om, Of, lu 
nexttrustdb check due at 2016-04-28 



179 



Preparing for the worst: backup your keys 

Your keys are usually stored on your harddisk as normal files. They may get 
lost if your computer gets damaged. It is strongly advised to keep a backup of 
your keys in a safe place, like a vault. Making a a backup of your secret key 
has another security advantage as well. Wheneveryou fearyour laptop or 
computer is in immediate danger of being confiscated, you can safely delete 
your key-pair. Your email will be rendered unreadable immediately. At a later 
stage, you can retrieve your keys from the vault and re-import them in 
Thunderbird. 



To make a backup of your key-pair, first head to the key manager by using the 
Thunderbird menu and click on 
OpenPGP > Key Management. 

You need to have selected the 'Display All Keys by Default' option to get a list 
of all your keys. Lookup your own email address in the list and right click on 
the address. A selection window will appear with some options. Select the 
option 'Export Keys to File'. 



. B i- a - r 



C^ OpenPGP Key Managerr 



File Edit View Keyserver Generate 
Search for: 



\7\ Display All Keys by Default 



Ccpy Public Keys to Clipboard 

Export Keys to File 

Send Public Keys by Email 

Upload Public Keys to Keyserver 

Refresh Public Keys From Keyserver 

Sign Key 

Set OwnerTrust 

Disable Key 

Revoke Key 

Delete Key 

Manage User IDs 

Change Passphrase 

Generate & Save Revocation Certificate 



Key ID m 



Now we will save the key-pair to a file. Thunderbird asks us if we want to 
include the secret key as well. We do want to include the secret key, therefore 
we select 'Export Secret Keys'. 



OpenPGP Alert 



l_MJ 



Do you want to include the secret key in the saved OpenPGP key file? 



p Export Public Keys- Only 



Export Secret Keys 



180 



Finally Thunderbird asks us for the location of the key file. You can store the 
file anywhere you like, network disk, USB-stick. Just remember to hide it 
away from other people. 



Further reading 

More documentation on using PGP with Thunderbird can be found on the 
website of the Enigmail plugin. The Enigmail handbook is the guide you will 
want to use. 

http://enigmail.mozdev.org/documentation/handbook.php.html 



181 



Webmail and PGP 



The current browsers on the market unfortunately do not come bundled with 
PGP support. When you are using PGP to send e-mail, your encrypted e-mail 
messages cannot automatically be decyphered by your browser. You will see 
garbled text instead of messages. Nevertheless there exists a Firefox plugin 
called FireGPG which does add PGP support to the browser. 

In this chapter we will describe how to use FireGPG to be able to combine the 
use of PGP with webmail. We will use a gmail account as an example. FireGPG 
has extra uses as well. In fact, using FireGPG you can encrypt just about any 
plain text communication one the web (like forum post, blog messages etc.) 
with PGP. 



Caveats with using webmail 

In general it is best to use a mail program like Thunderbird in stead of using 
Webmail. Accessing your webmail from an untrusted environment like an 
Internet cafe is discouraged, because you cannot guarantee your password or 
traffic will not be intercepted. Using PGP in that situation may even make 
matters worse. Your secret key and passphrase, which you carry around on an 
USB-stick, may be read by a malicious program on the computer. In short, 
only use FireGPG to access your webmail in an environment you trust. 

Installing FireGPG 

NOTE: The latest official version of FireGPG supports only Firefox 3.6. During 
the creation of this manual we also worked on making an updated version of 
the plugin for Firefox 4.0. It should hopefully become available on the website 
of the developer soon. If you are keen on using FireGPG now, you will have to 
stick to Firefox 3.6 



Please also note that using gmail with FireGPG is problematic at best. There 
used to be special support for gmail in FireGPG, but it is no longer up-to-date. 

These are the steps necessary to install FireGPG. 

1. Go to the website http://getfiregpg.org 

2. On the upper side of the website, click on Install > Install FireGPG. 

3. Download the extension by clicking on 



Download 
FireGPG 



182 



4. Firefox will ask you whether you want to allow to install the extension. 
Click on Allow. 

5. Firefox will ask you whether you want to begin installing the extension. 
Click on Install now. 

5. The installation window should appear like below. Click on Next to begin. 



FireGPG Assistant - Welcome 

FireGPG Assistant ^ 

Welcome! This- assistant will help you to configure FireGPG. If you're a new user it's recommended to follow it to get a working configuration, 
What ever you choose to do r you will be able to usethecpticn Mnclc^ to change any cpti en later. 



Here is some information about icons and color used: 

9 This suggest asoluti on or something you should do 

© This is something good 

W Thisisa problem 
This is for advanced users. If you den't understand it. don't worry and don't change it, 
This means help is available. Mouse over the icon for the tooltip. 



Skip 



6. You should have GnuPG installed, as has been described in the chapters 
about Installing PGP. In the next window of the FireGPG installer, it tells us it 
has found GnuGPG. Click on Next. 



183 



: '-eo- j -s: ;t3n! - Gi-,„ : G 



GruPG 



I -•• I 



FireGPG u&es- GnuPG to handle any pgp operation. This- means- GnuPG must be installed for FireGPG to work, 
Q GnuPG seemsto be accessible and working, 

5? Do you want to set a custom homedir for GnuPG ? 

Seta home dir 



Stop 



7. In the next window FireGPG asks you whetheryou want to enable special 
gmail functions. Alas, those functions are broken. Click on 'Enable gmail 
support' to disable the option. Click Next. 



FireGPG Assistant - Gmail 



Cmail support 



FireGPG can be integrated with gmail: additional buttons to encrypt and/or sign mails are added and you will be 
able to decrypt and verify signatures of any email that contains them. 



Enable gmail support 



Stop 



184 



8. In the next window FireGPG asks you foryour default secret key to decrypt 
messages with. If you have more than one e-mail address with PGP, you can 
select the preferred one. If you select 'Ask for private key 1 FireGPG will ask 
you for the key every time you sign a message. In the example below we have 
selected the single secret PGP key we will use. Afteryou have made a 
decision, click Next. 



Private key 



The PGP system works with a private key and a public key. You sign merges with ycur private key and an other user verifies your signature with 
your public key, If they want to send to you a message, they use ycur public key, and you, and only you, can decrypt it with your private key, 



© You have at least one private key in you r keyrin 

V Seta default key 



Jame Id Created Expire S 

Ask for private key 

■ d..mu...nu .wm xmt^^^^^^^^^^^^^^^^^^^^^^ 



9. FireG PC asks you for installation components. The default components are 
fine. Click on Next. 



185 



FireGPG Assistant - Options 



Options 



Here you tan set global options for some FireGPG features; 

l7l Enablelnlinedetection 
O Disable GPG-Agenl 

|7] Enable FireGPG API 
F1 Enable gpgAuth 



Stop 



10. The installation should now be finished. Click on Close. 

FireGPG Assistanl - Done ! I & I 



Done! & 

Assistant is now done, Now you should be able to use FireGPG. 

W Read the documentation 
You will find seme link: en this page 

O Translate FireGPG 

Horrible mistake in your language for FireGPG? Here is the website! 

O Help FireGPG 

How to contribute to FireGPG 
Report a bug or ask for a new feature 



186 



Working with FireGPG 

FireGPG works by selecting blocks of plain text in text boxes and doing 
actions on the them, like decryption, encryption, signing, etc. You can actually 
also use FireGPG to do basic key management like importing a public key. 



The keyring FireG PG works with is the same one that you use with 
Thunderbird, so your PGP actions will be compatible and synchronized. 



Example of decrypting an e-mail or text 

A PG P encrypted message directed to yourself should automatically be 
detected by FireGPG. You can recognize a decrypted message by the following 
icon. 



PGP ENCRYPTED MESSAGE 



Display original | Decrypt | Switch 
direction 



Click on 'Decrypt' to display the message. 

Example of encrypting an e-mail or text 

When you have the public key of the recipient on your keyring, select the 
piece of text you want to encrypt by mouse, then right-click on it. You will a 
sub-menu called FirePGP. Select FirePGP > Encrypt. See the example below. 



187 



green host 



§ E-Mail fll) Address Book gj] Settings (?) Help @ LubouI 



«if r.ffls 



Attachments 


Sender mailclemoiragreenliost.nl * 






Recipient 1 | on nel(ev@<j mail, con 


Add Cc | Add Bcc | Add Reply-To 


Subject EQB na '' - 13 1 1 a : £■ denvpt the bodv 




SUB 


3H 




+ 


| Sendnow Cancel ^Hcheck spelling -| Editortypel Plain text * | 




■i^^Qj^l 



A window will appear. Select the recipient from the list of available public 
keys. Then press 'Ok.' 



188 



default title 



Select the public keys: 



Name 



ID 



Created Expires 



Lon <lonnekev@gmaii.com> CD069DCEFB7F094A 2011-5-1 



Filter 



Cancel 



OK 



You will now see the encrypted message in the mail window. A PGP encrypted 
message is nothing but a bunch of characters delimited by special lines with 
dashes. Selecting the entire body of the PGP message, including the lines with 
BEGIN and END, and then going to the FireGPG menu, will allow you to 
manually decrypt, or do other actions. 



189 



SECURING PERSONAL DATA 



190 



Introduction to securing personal 
data 

You may find it necessary or perhaps re-assuring to encrypt some data on 
your computer. Hard drives are not very well protected by the Operating 
Systems password mechanism - it is pretty easy to remove a hard disk from a 
laptop and access it from another computer, similar to how you would access 
any hard disk you use for back-up or storage. So if you want to avoid this 
possibility you should encrypt the data on your hard disk or, better still, 
encrypt your entire hard disk. 

You can also take this protection another level and encrypt the data and store 
it on another device like a USB stick or small hard disk. This means the data 
can also be very easily physically hidden and its also very portable. If you 
want to be really really sneaky you can also create hidden encrypted volumes 
which means if someone accesses your hard disk they must know quite a bit 
about computers to know how to find it - of course if you have the software 
installed to do this kind of thing that might not look so friendly to someone 
prepared to go to these measures. 

'Encrypting your data' like this means locking away your data in a very secure 
'container'. If you do not know the passwords then that data will look like a 
mess of letters, numbers and other characters. If you know the password you 
can easily open and access the files. 

We will look mainly at TrueCrypt - a free/open source solution to this issue. 
TrueCrypt is a very nice software that can be used on MaxOSX, Linux or 
Windows for establishing and maintaining an on-the-fly-encrypted container 
('volume'). On-the-fly encryption means that your data is encrypted when you 
save it and then also de-crypted when you open (access) it without you 
needing to do anything. You can continue to use your computer like you 
normally would - you can drag and drop files to an encrypting data etc. When 
you turn off the computer the data is encrypted automatically - the same 
thing happens if your computer's power supply is interrupted or if the disk is 
removed from your computer. The only way to access the data is to start your 
computer in the normal fashion and entering the necessary passwords. It's 
actually pretty easy to use and in a sensible world all data would be stored in 
this fashion. The only issue you really need to consider is that the data is not 
encrypted automatically if you put your machine 'to sleep'. If you want this 
type of security you need to get used to waiting a while and do a real 
shutdown of your computer and a real start-up each time you you use it. This 
is not the way people are usually working with laptops but this little extra 
attention and pause for a few moments is a small price to pay for good data 
security. 



191 



Installing TrueCrypt 



TrueCrypt can be installed on Windows, Linux, or MacOSX. The installation 
files are available here: http://www.truecrypt.org/downloads 

The following gives complete detail on how to install TrueCrypt on your 
computer for each of these Operating Systems, starting with Ubuntu. 



Installing on Ubuntu 

TrueCrypt is not available in the standard Ubuntu repositories. This means 
you cannot use the Ubuntu Software Center or apt-get (a command line 
method for installing software on Ubuntu) to install it. Instead you must first 
visit the TrueCrypt downloads page (http://www.truecrypt.org/downloads). 

You will see a drop-down menu under the heading Linux. 



[Select a package) 



Download .tar.gz containing an executable setup file PGP Signature 



From the '(Select a package)' drop down menu you can choose from four 
options: 




Standard - 32-bit (x85) 
Standard - 64-bit (k64) 
Console-only - 32-bit (x86) 
Console-only - 64-bit [x64] 



This is a little technical - the console version is the one you choose if you are 
either very technical and don't like Graphical User Interfaces oryou wish to 
run this on a machine that you have only a terminal (command line or 'shell') 
access to (like a remote server for example). 

Assuming you are running this in your laptop its best to choose the easy 
'standard' option - this will give you a nice user interface to use. From these 
two options you need to choose the one most suitable for the architecture of 
your machine. Don't know what this means? Well, it basically comes down to 
the type of hardware (processor) running on your computer, the options are 
32-bit or 64-bit. Unfortunately Ubuntu does not make it easy foryou to find 
this information if you don't already know it. You need to open a 'terminal' 
from the Applications->Accessories menu and type the following, followed by 
the [enter] key 



192 



The output will be something like 'Linux bigsy 2.6.32-30-generic #59-Ubuntu 
SMPTue Mar 121:30:46 UTC 20llx86_64 GNU/ Linux'. In this instance you can 
see the architecture is 64-bit ('x86_64'). In this example 1 would choose the 
'Standard - 64-bit (x64)' option. If you see 'i686' somewhere in the output of 
the uname command then you would choose the other standard option to 
download. 

Once selected press the 'download' button and save the file to somewhere on 
your computer. 

So the installation process is still not over. The file you downloaded is a 
compressed file (to make downloading it is faster) and you need to first de- 
compress the file before you install it. Fortunately Ubuntu makes this easy - 
simply browse to the file on your computer and right click on it and choose 
'Extract Here'. 















S§ Open with Archive Manager 




truecrypt-7. 
xS4.tar 


<0> Open with Archive Mounter 
Open with Other Application... 








Cut 
Copy 


Make Link 

Rename... 

Copy to > 

Move to > 


Move to Trash 


En crypt- 
Sign 
Send To... 


Eroperties 









You will see a new file appear next to the compressed file: 



193 



truecrypt-7.0a-linux- truecrypt-7.Qa-setup- 
x64.tar.gz x64 



Nearly done! Now right click on the new file and choose 'open' : 



truecrypt- 




Open with OpenOffice.org Word Processor 
Open with Other Application... 



Cut 
Copy 



Make Link 
Rename... 
Copy to 
Move to 



Move to Trash 

Compress... 
Encrypt... 
Sign 
Send To... 



.Properties 



If all is well you will see a window open like this: 



O 



© 



Do you want to run M truecrypt-7.0a-setup- 
x64", or display its contents? 

"truecrypt-7.Ga-setup-x64" is an executable text file. 



Run in Terminal JJi splay 



Cancel 



Run 



E 



Choose 'run' and you see the following: 



194 



o 



xmessage 



Q0S1 



TrueCrypt 7,0a Setup 



TrueCrypt is a software systen for establishing and naintaining an 
on-the-fly-encrypted volune (data storage device) + On-the-fly encryption 
neans that data are autonatically encrypted or decrypted right before they 
are loaded or saved, uithout any user intervention. Ho data stored on an 
encrypted volune can be read (decrypted) without using the correct 
passuord/keyfile(s> or correct encryption keys. Entire file systen is 
encrypted (e.g..., file nanes, folder nanes, contents of every file, 
free space, neta data, etc). 

Please select one of the belou options: 



(EKitJ (Ewtract .tar Package FileJ ftnstall TrueCryptj 



Now we are getting somewhere. ..press 'Install TrueCrypt'. You will be 
displayed a user agreement. At the bottom press 'I accept and agree to be 
bound by the license terms' (sounds serious). You will then be shown another 
info screen tellingyou you can uninstall TrueCrypt. Press 'OK' then you will be 
asked foryour password to install software on your computer. Enteryour 
password and then you will finally see a screen like this: 



TrueCrypt Setup 


QSS 


Installing package... 

usr/b i n/truecr-ypt 

usr/b i n/truecrypt-un i nsta 1 1 . sh 

usr/share/app 1 icat i ons/truecrypt . desktop 

usr/share/p i xmaps/truecrypt . xpm 

usr/share/truecrypt/doc/L i cense . txt 

usr/share/truecrypt/doc/TrueCrypt User Guide.pdf 




Press Enter to exit... 

D 









Believe it or now your are done. ..TrueCrypt is installed and you can access it 
from the Applications->accessories menu. ..close the setup window. Now 
proceed to the chapter on Using TrueCrypt. 



195 



Installing on OSX 

1. To install TrueCrypt on OSX first visit the download page 
(http://www.truecrypt.org/downloads) and press the download button under 
the OSX section. 



Mac OS X 

( Download) .dmg package (PGP Signature^ ) 



2. Download this to your computer find the .dmg file and open it to acces the 
installation package. 

^ O f) i=i TrueCrypt 7.0a CD 




TrueCrypt 7_0a.mpkg 



r 



3. Open the installation package, and click away through the dialogues. 



196 



*. Iri5ta.ll TrueCrypt 7.0a 



Select a Destination 



u Introduction ^^L 
u Destination Select 

■ Installation 
• Installation 

■ Summ 



Select the disk where you want to install the TrueCrypt 
7.0a software. 



Macintosh HD 

36.2 5 CBfree 
499,76 GB total 




Installing this software requires 12,7 MB of space. 



You have chosen to install this software on the disk 
"Macintosh HD". 



( Co Back j (( Continue 




4. Choose the standard installation, (you can choose to do a customized 
installation and deselect FUSE, but why would you? You need it!) 



OP 



„, Install TrueCrypt 7.0a 



Standard Install on "Macintosh HD" 



(J Introduction 

t> Destination Select 

8 Installation Type 

■ Installation ^ 



I Summ 




n»|iui| ,n, l' 



This will take 12,7 MB of space on your computer. 

Click Install to perform a standard installation of 

this software on the disk "Macintosh HD". 



f Change Install Location... ) 



f Customize ^ 



{ Co Back ^: C Install 



6. After the installation finishes you can find the program in your Applications 
folder 



197 



Q n £j\ Applications ' 




. 



TrueCrypt 



Installing on Windows 

To install TrueCrypt on Windows first visit the download page 
(http://www.truecrypt.org/downloads) and press the download button under 
the Windows section. 



Windows 7/V!sha/XP/2000 


| Download TrueCrypt Setup 7_0a_eKe {3.3 MB) 


| PGP Signature | 





Download this to your computer and then double click on the file. You wil 
see a license agreement. 



True Cryp t Se tup 7. Oa 



License 

You must accept these license terms before you can use, extract, or install TrueCrypt, 



IMPORTANT: By checking the checkbox below and clicking Accept, you accept these license terms and 
agree to be bound by and to comply with them. Click the 'arrow down' icon to see the rest of the license. 



TrueCrypt License Version 5.0 ^| 

Software de&iouted under tins itense s dis&tfiuted on an "AS IS" BASIS WITHOUT WARRANTIES OF ANY 
KIND. THE AUTHORS AND DISTRIBUTORS OF THE SOFTWARE DISCLAIM ANY LIABILITY. ANYONE WHO 
USES, COPIES, MODIFIES, OR {REDISTRIBUTES ANY PART OF THE SOFTWARE IS, BYSUCH ACTI0N{S), 
ACCEPTING AND AGREEING TO BE BOUND BY ALL TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO 
NOT ACCEPT THEM, DO NOT USE, COPY, MODIFY, NOR {RE) DISTRIBUTE THE SOFTWARE, NOR ANY 
PART{5) THEREOF. 

I . Definitions I 

l . Tii & Pi oduer means fie work {^eluding, but not Irmrted to. sou rte code, graphics, texts, and 

accompanying files) made available under and governed by flis version of ais bcense {"License"), as may Lie _▼] 

~ I accept and agree to be bound by the license terms 

TrueCrypt Installer 



Help 



<Back 



Accept 



Cancel 



198 



Click on 'I accept and agree to be bound by the license terms' and then click 
'Accept 1 . 



Wizard Mode 

Select one of the modes, If you are not sure which to select., use the default mode. 



ff Install 



Select this option if you want to install TrueCrypt on this system. 



f Extract 



If you select this option, all files will be extracted from this package but nothing will be 
installed on the system, Do not select it if you intend to encrypt the system partition or 
system drive. Selecting this option can be useful, for example, if you want to run 
TrueCrypt in so-called portable mode. TrueCrypt does not have to be installed on the 
operating system under which it is run, After all files are extracted, you can directly run 
the extracted file 'TrueCrypt, exe' (then TrueCrypt will run in portable mode), 



TrueCrypt Installer ■ 



Help 



<Back I: Next > 



Cancel 



Leave the above screen with the defaults and press 'Next >' and you will be 
taken to the Setup Options window: 



""*** 



Setup Options 

Here you can set various options to control the installation process. 



i 



Please select or type the location where you want to install the TrueCrypt program files. If the 
specified folder does not exist, it will be automatically created, 



I C:\Program Files\TrueCrypt\ 



W Install for all users 

W Add TrueCrypt to Start menu 

W Add TrueCrypt icon to desktop 

W Associate the .tc file extension with TrueCrypt 

\ Create System Restore point 



TrueCrypt Installer ■ 



Help 



<Back 



Install 



Cancel 



199 



You can leave this with the defaults. If you want to set up TrueCrypt just for 
yourself then consider not selecting the 'Install for all users'. However if you 
are installing this on your own machine and no one else uses the computer 
then this is not necessary. You may also wish to consider installing TrueCrypt 
in a folder other than the default. In which case click 'Browse' and choose 
another location. When you are done click 'Install' and the process will 
proceed: 



, rue Crypt Setup 7.0a 



Installing 

Please wait while TrueCrypt is being installed, 



a 



-3 



Installing C:\Program Files\TrueCrypt\TrueCrypt User Guide.pdf 

Installing C:\Program Files\TrueCrypt\License.txt 

Installing C:\Program Files\TrueCrypt\TrueCrypt.exe 

Installing C:\Program Files\TrueCrypt\TrueCrypt Format.exe 

Installing C:\Program Files\TrueCrypt\truei:rypt.sys 

Installing C:\Program Files\TrueCrypt\truei:rypt-x64.5ys 

Installing C:\windows\system32\Drivers\truecrypt.5ys 

Installing C:\Program Files\TrueCrypt\TrueCrypt 5etup.exe 

Adding registry entry 5oFtware\Clas5es\TrueCryptVolurne 

Adding registry entry SoFtware^lasses^rueQyptVolume^efaultlcon 

Adding registry entry 5oFtware\Classes\TrueQyptVolume\Shell\open\corrimand 

Adding registry entry 5oFtware\Classes\.h: 

Adding registry entry 5oFtware\MicrosoFt\Windows\CurrentVersion\Uninstall\TrueCrypt 

Installing TrueCrypt device driver 

Starting TrueCrypt device driver 



TrueCrypt Installer ■ 



Help 



<Back 



I 



] 



d 



Cancel 



When the installation is complete you will get a verification popup that it was 
successful. Close this window and click 'Finish' and all is done. Now proceed 
to the chapter on Using TrueCrypt. 



200 



Using TrueCrypt 



The following are step-by-step instructions on how to create, mount, and use 
a TrueCrypt volume. 



Creating a TrueCrypt Container 
Step 1: 



Install TrueCrypt. Then launch TrueCrypt by 

• double-clicking the file TrueCrypt.exe in Windows 

• opening Applications->Accessories->TrueCrypt in Ubuntu 

• on MacOSX open it by clicking Go > Applications. Find TrueCrypt in the 
Applications folder and double click on it. 



Step 2: 

When the main TrueCrypt window appears. Click Create Volume. 



201 



Volumes Favorites Tools Settings Help 



Slot Volume 


Size Mount Directory 


Type 




4*2 






«*3 






U 


<<* 4 








- 5 








4*6 








4->7 








<*S 








4>9 








s* ID 








4*11 








4*12 






- 



Create Volume 
Volui 




H Never save history 



Select File- 



Volume Tools... Select Device... 



Mount Auto-Mount Devices DismountAII 



Exit 



Step 3: 

You should see the TrueCrypt Volume Creation Wizard window appear on 
screen. 



202 



TrusCrypt Volume Creation Wizard C=Dlj*D 


^^| 




TrueCrypt Volume Creation Wizard 

O Create an encrypted file container 

Creates a virtual encrypted disk within a file. 
Recommended for inexperienced users. 

More information 

Create a volume within a partition/drive 

Formats and encrypts a non-system partition, entire 
external or secondary drive, entire USB stick, etc. 












Help Next > Cancel 









Where do you want to create the TrueCrypt volume? You need to choose now. 
This can be in a file, which is also called a container, in a partition or drive. 
The following steps will take you through the first option creating a TrueCrypt 
volume within a file. 



You can just click Next, as the option is selected by default, 



Step 4: 

Next you need to choose whether to create a standard or hidden TrueCrypt 
volume. We will walk you through the former option and create a standard 
TrueCrypt volume. 



203 



Q® 




TrueCrypt Volume Creation Wizard 

Volume Type 

O Standard TrueCrypt volume 



Select this option if you want to create a normal 
TrueCrypt volume. 

Hidden TrueCrypt volume 

It may happen that you are forced by somebody to reveal 
the password to an encrypted volume. There are many 
situations where you cannot refuse to reveal the 
password (for example, due to extortion). Using a 
so-called hidden volume allows you to solve such 
situations without revealing the password to your 
volume. 

More information about hidden volumes 



Help 



< £rev Next > 



Cancel 



You can just click Next, as the option is selected by default. 



Step 5: 

Now you have to specify where to have the TrueCrypt volume (file container) 
created. Note that a TrueCrypt container behaves like any normal file. It can 
be moved or deleted as any normal file. 




TrueCrypt Volume Creation Wizard 

Volume Location 



Q® 



H Never save history 

A TrueCrypt volume can reside in a file (called TrueCrypt 
container), which can reside on a hard disk, on a USB flash 
drive, etc. A TrueCrypt container is just like any normal file 
(it can be, for example, moved or deleted as any normal 
file). Click 'Select File 1 to choose a filename for the 
container and to select the location where you wish the 
container to be created. 

WARNING: If you select an existing file, TrueCrypt will NOT 
encrypt it; the file will be deleted and replaced with the 
newly created TrueCrypt container. You will be able to 
encrypt existing files (later on) by moving them to the 
TrueCrypt container that you are about to create now. 



Help 



<.Prev 



204 



Click Select File. 

The standard file selector will now appear on screen (the TrueCrypt Volume 
Creation Wizard remains open in the background). You need to browse to the 
folder that the file should be created in and then type into the 'name' field the 
name for the file you wish to create. 



~m 



o 



Name: 



Specify a New/ TrueCrypt Volume 



myencryptedfile 



Save in folder: 



jtrue 



- .Browse for other folders 



< [§i adam 



true 



Create Folder 



Places 



Qj Search 

© Recently Used 



IS adam 
SSl Desktop 
2 File System 
258CB Filesyste... 
,/jgOGB Filesyste... 



Name 



v Modified 



Add 




.Remove 



All Files 



Cancel 



Save 



We will create our TrueCrypt volume in the folder 'adam/true' and the 
filename of the volume (container) will be 'myencryptedfile'. You may, of 
course, choose any other filename and location you like (for example, on a 
USB stick). Note that the file 'myencryptedfile' does not exist yet -TrueCrypt 
will create it. Press 'Save' when you are ready. The file selector window 
should close. 

IMPORTANT: Note that TrueCrypt will not encrypt any existing files. If an 
existing file is selected in this step, it will be overwritten and replaced by the 
newly created volume (the contents of the existing file will be lost). You will 
be able to encrypt existing files later on by moving them to the TrueCrypt 
volume that we are creating now. 



205 



Step 6: 

In the Volume Creation Wizard window (which was previously running in the 
background), click Next. 



Step 7: 

Here you can choose an encryption algorithm and a hash algorithm for the 
volume. 



TrueCrypt Volume Creation Wizard 



SB 




Encryption Options 

Encryption Algorithm 






FlPS-approved cipher (Rijndael, published in 1998) that 
may be used by U.S. government departments and 
agencies to protect classified information up to the Top 
Secret level. 256-bit key, 128-bit block, 14 rounds (AES-256). 
Mode of operation is XTS. 



More information on AES 



Hash Algorithm 



Benchmark 



RIPEMD-1S0 



Information on hash algorithms 



Help 



< £rev 



N.ext > 



Cancel 



The TrueCrypt manual suggests that if you are not sure what to select here, 
you can use the default settings and click Next (for more information about 
each setting have a look at the TrueCrypt documentation website). 



Step 8: 

Now choose the size of your container. You should be fine with 1 megabyte 
but for this example we will enter '20' into the available field. 



206 




TrueCrypt Volume Creation Wizard 

Vohune Size 



QE 



Free space available: 445 MB 

Please specify the size cf the container to create. Note that 
the minimum possible size of a volume is 292 KB. 



Help 



< £rev N.e>it > 



Cancel 



You may, of course, specify a different size. After you type the desired size in 
the input field, click Next. 



Step 9: 

This step is really important, choosing a password. 



The information displayed in the Wizard window about what is considered a 
good password, should be read carefully. 

Choose a strong password, type it in the first input field. Then re-type it in the 
input field below the first one. 



207 




TmeCrypt Volume Creation Wizard 

Volume Password 



SB 1 



Password: 



Confirm password: 



.Display password 
Use keyfiles 



Keyfile 



It is very important that you choose a good password. You 
should avoid choosing one that contains only a single word 
that can be found in a dictionary (or a combination of 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password is 
a random combination of upper and lower case letters, 
numbers, and special characters, such as @ A = $ * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length is 64 characters. 



Help 



< £rev 



Next > 



Cancel 



When you are done click Next. 



Step 10: 



Now you must choose the format of your partition (this step may not be 
available for you under windows or OSX). If using Ubuntuyou can choose a 
Linux file type or FAT (Windows) for simplicity leave it at the default. 



TrusCrypt Volume Creation Wizard 



Q® 




Format Options 

Filesystem Options 
Filesystem type: FAT 



Volume Format Options 
_ Quick format 



In order to enable your operating system to mount your 
new volume, it has to be formatted with a filesystem. Please 
select a filesystem type. 

If your volume is going to be hosted on a device or 
partition, you can use 'Quick format' to skip encryption of 
free space of the volume. 



Help 



< £rev 



208 



Then press Next. 



Step 11: 

Next TrueCrypt tries to generate random information to help encrypt your 
container. For 30 seconds move your mouse as randomly as possible within 
the Volume Creation Wizard window. Move the mouse as much as possible 
for up to a minute. This significantly increases security by increasing the 
cryptographic strength of the encryption keys, security). Move your mouse 
around until you are bored. 



TrueCrypt Volume Creation Wizard 



BE 




Volume Format 



Random Pool: H"lDAD = 775C = DF7DD46gD4igD . 
Header Key: 
Master Key: 



B Sr 







Abort 




Done Speed Left 





IM PORTANT: Move your mouse as randomly as possible 
within this window. The longer you move it, the better. This 
significantly increases the cryptographic strength of the 
encryption keys. Then click Format to create the volume. 



Help 



< Erev 



Format 



Cancel 



Then Click Format. 

TrueCrypt will now create a file in the folderyou selected with the name you 
chose. This file will be a TrueCrypt container, containing the encrypted 
TrueCrypt volume. This may take some time depending on the size of the 
volume. When it finishes this should appear: 



209 



QE' 




TrueCrypt Volume Creation Wizard 

Volume Format 



Random Pool: 3BED7BA4A"BA1D31£FF2FBFA3B . . H Sf- 
Header Key: 3BS65A9B17D35BE5B6flDB::cB51 . . 
Master Key: 9Efi41E::fififi313D84D547D39408 . . 



TrueCrypt [x] 

The TrueCrypt volume has been successfully created. 



ly as possible 

it, the better. This 



significantly increases the cryptographic strength of the 
encryption keys. Then click Format to create the volume. 



Help c.P_rev Format Cancel 



Click OK to close the dialog box. 



Step 11: 



Well done! You've just successfully created a TrueCrypt volume (file 
container). 



In the TrueCrypt Volume Creation Wizard window, click Exit. 

Mounting the Encrypted Volume 
Step 1: 

Open up TrueCrypt again. 



Step 2: 

Make sure one of the 'Slots' is chosen (it doesn't matter which - you can leave 
at the default first item in the list). Click Select File. 



210 



"HEEl 



TrueCfypt 
Volumes Favorites Tools Settings Help 



Slot Volume Size Mount Directory Type 



4*2 
■» 1 

<«• ID 

4*11 

4*12 






Create Volume 



Volume 



s 



Select File... 



H Never save history vdume ^j^ sdect D£vice]]] 






Mount Auto-Mount Devices DismountAII Exit 



The standard file selector window should appear. 



Step 3: 

In the file selector, browse to the container file (which we created earlier) and 
select it. 



211 



o 



Select a TrueCrypt Volume 



~m 



< jjfiadam 



true 




© Recently Used 



IS ad ,1111 
tl3 Desktop 
O File System 
Lj5S GB Filesyste... 
90 GB Filesyste... 



z} 



Add 




.Remove 



All Files 



Cancel 



Open 



Click Open (in the file selector window). 
The file selector window should disappear. 

Step 4: 

In the main TrueCrypt window, click Mount. 



212 



o 



Select a TrueCrypt Volume 



~m 



£ < idada 



true 



.Places 

C^ Search 

© Recently Used 



Name 



v Modified 



\ myencryptedfile 



IS ad am 
U Desktop 
O File System 
OsSGB Filesyste... 
290GB Filesyste... 



Add 



Remove 



All Files 



Cancel Open 



Password prompt dialog window should appear. 

Step 5: 

Type the password in the password input field. 





Password: 


Enter password for "fnomefadamfrrue/myencryptedfil 


\xj 








OK 














Cache passwords and keyfiles in memory 


Cancel 




.Display password 










O Use keyfiles 


Keyfiles... 




Options > 















Step 6: 

Click OK in the password prompt window. 



213 



TrueCrypt will now attempt to mount the volume. If the password is correct, 
the volume will be mounted. 



TrueCrypt 
Volumes Favorites Tools Settings Help 



SB 



Slot Volume 


Size Mount Directory 


Type 


** 1 


/home/ad am/true/myencryptedfile 


19.8 MB 


/media/ truecryptl 


Normal 


n 


>. 1 










*mJ 










u 


*»4 












*»5 












<#E 












**7 












-8 












- 9 












SclO 












<w» 11 












«* 12 










v 



Create Volume 



Volume Properties.. 



Wipe Cache 



Volume 



I 





| /home/ad am/true/myencryptedfile 


- 


Select File... 








B Never save history 


Volume Tools- 


Select Device... 











Dismount 


Auto-Mount Devices 


Dismount All 


Exit 

















If the password is incorrect (for example, if you typed it incorrectly), 
TrueCrypt will notify you and you will need to repeat the previous step (type 
the password again and click OK). 



Step 7: 

We have just successfully mounted the container as a virtual disk 1. The 
container will appear on your Desktop oryou will see it in your file browser. 




214 



What does this mean? 

The disk that you have just created is completely encrypted and behaves like 
a real disk. Saving (moving, copying, etc) files to this disk will allow you to 
encrypt files on the fly. 



You'll be able to open a file which is stored on a TrueCrypt volume, which will 
automatically be decrypted to RAM while it is being read, and you won't need 
to enteryour password each time. You'll only need to enter this when your 
mounting the volume. 



Remember to dismount! 

To do this right click on the drive and select unmount. This will automatically 
happen when you turn off your computer but will not happen if you just put 
the computer on sleep. 



215 



Setting up a hidden volume 

A TrueCrypt hidden volume exists within the free space of a typical TrueCrypt 
volume. Given then the 'outervolume' is accessed it is (almost) impossible to 
determine if there is a hidden volume within it. This is because TrueCrypt 
always fills the empty space of an encrypted volume with random data. So a 
hidden volume looks the same as an empty TrueCrypt volume. 

To create and use a hidden volume you need two passwords - one each for 
the outer and inner (hidden) volumes. When you mount (open) the volume 
you can use either password and that will determine which of the two is 
opened. If you want to open just the hidden volume you use one password, 
and if you want to access just the non-hidden encrypted volume you use the 
other password. 

To create a hidden volume open TrueCrypt and press the 'Create Volume' 
button: 



Volumes Favorites Tools Settings Help 



Slot Volume 


Size Mount Directory 


Type 




4*2 






4*3 








**4 








4* 5 








4* 6 








4*7 








<*S 








4* 9 








4*10 








4*11 








4* 12 






■v 




Volume 



H Never save history 



Volume Tools... 



Select File- 



Select Device.. 



Mount Auto-Mount Devices DismountAII Exit 



216 



The options for half of this process are almost the same as for setting up a 
standard TrueCrypt volume and then the process continues for setting up the 
hidden volume but lets go through the entire process step by step anyway. In 
the screen shown below you just want to stay with the default setting 'Create 
an encrypted file container': 



TrueCrypt Volume Creation Wizard 



QE 







TrueCrypt Volume Creation Wizard 

O Create an encrypted file container 

Creates a virtual encrypted disk wi thin a file. 

Recommended for inexperienced users. 

More information 

Create a volume within a partition/drive 

Formats and encrypts a non-system partition, entire 
external or secondary drive, entire USB stick, etc. 







Help 



: £rev 



N.ext > 



Cancel 



Press 'Next >' and continue to the next screen. 




nsasaam 

Volume Type 

Standard TrueCrypt volume 

Select this option if you want to create a normal 
TrueCrypt volume. 

O Hidden TrueCrypt volume 

It may happen that you are forced by somebody to reveal 
the password to an encrypted volume. There are many 
situations where you cannot refuse to reveal the 
password (for example, due to extortion). Using a 
so-called hidden volume allows you to solve such 
situations without revealing the password to your 
volume. 

More information about hidden volumes 



Help 



* £rev 



N.ext> 



Cancel 



217 



In the above screen you want to be sure that you choose the second option 
'Hidden TrueCrypt Volume'. Select this and click on 'Next >' you will then be 
asked to choose the location and name of the TrueCrypt outer volume. 



BE' 




TrusCrypt Volume Creation Wizard 

Volume Location 



B Never save history 

A TrueCrypt volume can reside in a file (called TrueCrypt 
container), which can reside on a hard disk, on a USB flash 
drive, etc. A TrueCrypt container is just like any normal file 
(it can be, for example, moved or deleted as any normal 
file). Click 'Select File' to choose a filename for the 
container and to select the location where you wish the 
container to be created. 

WARNING: If you select an existing file, TrueCrypt will NOT 
encrypt it; the file will be deleted and replaced with the 
newly created TrueCrypt container. You will be able to 
encrypt existing files (later on) by moving them to the 
TrueCrypt container that you are about to create now. 



Help 



<£rev 



N.ext> 



Cancel 



Click 'Select File...' and browse to a location for a new TrueCrypt volume. We 
will use the name 'myencryptedfile' in this example. Its the same name as we 
used in the last example so be aware that if you have just followed those 
instructions you must now create a new volume with a new name. 



218 



o 

Name: 

Save in folder: 



Specify a New/ TrueCrypt Volume 



~m 



myencrypted.fi I e 



j true 



- .Browse for other folders 



< II IB adam 



true 



Create Folder 



.Places 


Qj Search 


© Recently Used 


j£jj adam 


U Desktop 


2 File System 


_58GB Filesyste... 


O90GB Filesyste... 



Name 



v Modified 



Add 




.Remove 



All Flies 



Cancel 



Save 



Browse to the directory where you want to put the outer volume and enter 
the name of the volume in the field named 'Name' as in the example above. 
When you are satisfied all is well click on 'Save'. The file browser will close 
and you return to the Wizard. Click 'Next >'. Here you are presented with 
some very technical choices. Don't worry about them. Leave them at the 
defaults and click 'Next >'. The next screen asks you to determine the size of 
the outer volume. Note that when you do this the maximum inner 'hidden' 
volume size is determined by TrueCrypt. This maximum size will of course be 
smaller that the size you are setting on this screen. If you are not sure what 
the ratio of outer volume size to inner (hidden) volume size is then go through 
the process now as a 'dummy' run - you can always trash the encrypted 
volume and start again (no harm done). 

So choose the size of the outervolume, 1 will choose 20MB as shown below: 



219 




TrueCrypt Volume Creation Wizard 

Volume Size 



sa 



Free space available: 445 MB 

Please specify the size of the container to create. Note that 
the minimum possible size of a volume is 292 KB. 



Help 



< £rev 



N.e>it > 



Cancel 



You cannot set the outer volume size to be larger than the amount of free 
space you have available on your disk. TrueCrypt tells you the maximum 
possible size in bold letters so create a volume size sailer than that. Then click 
'Next >' and you will be taken to a screen asking you to set a password for the 
outer (not the hidden, this comes later) volume. 




TrueCrypt Volume Creation Wizard 

Volume Password 



sa 



Password: 



Confirm password: 



.Display password 
Use keyfiles 



Keyfile 



It is very important that you choose a good password. You 
should avoid choosing one that contains only a single word 
that can be found in a dictionary (or a combination of 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password is 
a random combination of upper and lower case letters, 
numbers, and special characters, such as @ A = $ * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length is 64 characters. 



Help 



< £rev 



Next > 



Cancel 



220 



Enter a password that is strong (see the chapter on creating good passwords) 
and press 'Next >'. Next TrueCrypt wants you to help it create the random 
data it will fill the volume up with. So wave your mouse around, browse the 
web, and do whatever you want for as long as you can. When you feel 
TrueCrypt should be happy then press 'Format'. You will see a progress bar zip 
by and then you will be presented with the next screen: 



--"'—•»'"— 







\?^B 




Outer Volume Contents 

Outer volume has been successfully created and mounted as 
ymedia/truecrypt2'. To this volume you should now copy 
some sensitive-looking files that you actually do NOT want 
to hide. The files will be there for anyone forcing you to 
disclose your password. You will reveal only the password 
for this outer volume, not for the hidden one. The files that 
you really care about will be stored in the hidden volume, 
which will be created later on. When you finish copying, 
click Next. Do not dismount the volume. 

Note: After you click Next, the outer volume will be 
analyzed to determine the size of uninterrupted area of free 
space whose end is aligned with the end of the volume. This 
area will accommodate the hidden volume, so itwill limit 
its maximum possible size. The procedure ensures no data 
on the outer volume are overwritten by the hidden volume. 

Open Outer Volume 







Help 



£rev 



&ext> 



Cancel 



You can open the outervolume if you like but forthis chapterwe will skip 
that and go ahead to create the hidden volume. Press 'Next >' and TrueCrypt 
will work out how the maximum possible size of the hidden volume. 



221 




Hidden Volume 



The volume cluster bitmap has been scanned and the 
maximum possible size of the hidden volume has been 
determined. In the next steps you will set the options, the 
size, and the password for the hidden volume. 



Help 



: £rev 



Next > 



Cancel 



When you see the above screen just press 'Next >'. Now you must choose the 
encryption type for the hidden volume. Leave it at the defaults and press 
'Next >'. 




DBIEHBI 

Hidden Volume Encryption Options 

Encryption Algorithm 



AES 



lest 



FlPS-approved cipher (Rijndael, published in 1998) that 
may be used by U.S. government departments and 
agencies to protect classified information up to the Top 
Secret level. 256-bit key, 128-bit block, 14 rounds (AES-256). 
Mode of operation is XTS. 



More information on AES 



Hash Algorithm 



RIPEMD-160 |0 Information on hash algorithms 



Help 



< Prev Next > 



Now you will be asked to choose the size of the hidden volume. 



222 




mmmmmmmm 
Hidden Volume Size 



N 



Maximum possible hidden volume size for this 
volume is 19.6 MB, 

Please specify the size of the hidden volume to create. The 
minimum possible size of a hidden volume is 40 KB (or 3664 
KB if it is formatted as NTFS). The maximum possible size 
you can specify for the hidden volume is displayed above. 

Please note that if your operating system does not allocate 
files from the beginning of the free space, the maximum 
possible hidden volume size may be much smaller than the 
size of the free space on the outer volume. This not a bug in 
TrueCrypt but a limitation of the operating system. 



Help 



<£rev 



Next > 



Cancel 



I have set (as you see above) the maximum size as 10MB. When you have set 
your maximum size press 'Next >' and you will be promoted to create a 
password for the hidden volume. 




Hidden Volume Password 



Confirm password: 



.Display password 
Use keyfiles 



Keyfile 



It is very important that you choose a good password. You 
should avoid choosing one that contains only a single word 
that can be found in a dictionary (or a combination of 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password is 
a random combination of upper and lower case letters, 
numbers, and special characters, such as @ A = % * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length is 64 characters. 



Help 



223 



When creating the password for the hidden volume make sure you make it 
substantially different fro the password for the outer volume. If someone 
really does access your drive and finds out the password for the outer volume 
they might try variations on this password to see if there is also a hidden 
volume. So make sure the two passwords are not alike. 

Enteryour password in the two fields and press 'Next >'. 




Format Options 

Filesystem Options 
Filesystem type: FAT 



Volume Format Options 
Quick format 



In order to enable your operating system to mount your 
new volume, it has to be formatted with a filesystem. Please 
select a filesystem type. 

If your volume is going to be hosted on a device or 
partition, you can use 'Quick format' to skip encryption of 
free space of the volume. 



Help 



<. Prev Next > 



Cancel 



Leave this window at the defaults and press 'Next >' and you will be presented 
with the same screen you have seen before to generate random data for 
TrueCrypt. When you are happy click 'Format' and you should see the 
following : 



224 



© 



TrueCrypt 



The hidden TrueCrypt volume has been successfully created 
and is ready for use. If all the instructions have been followed 
and if the precautions and requirements listed in the section 
"Security Requirements and Precautions Pertaining to Hidden 
Volumes" in the TrueCrypt User's Guide are followed, it should 
be impossible to prove that the hidden volume exists, even 
when the outer volume is mounted. 

WARNING: IFYOU DO NOT PROTECTTHE HIDDEN VOLUME 
(FOR INFORMATION ON HOW TO DO SO, REFER TO THE 
SECTION "PROTECTION OF HIDDEN VOLUMES AGAINST 
DAMAGE" IN THE TRUECRYPT USER'S GUIDE), DO NOT WRITE 
TO THE OUTER VOLUM E. OTHERWISE, YOU MAY OVERWRITE 
AND DAMAGETHE HIDDEN VOLUME! 



OK 



The TrueCrypt manual it is referring to is not this manual. They mean this 
manual : http://www.truecrypt.org/docs/ 

Click 'OK' and keep and exit TrueCrypt. You can now mount the volume as 
noted in the previous chapter. 



225 



Securely destroying data 

Just hit the delete button and you are done! No it's not that easy. To 
understand how to securely delete data, we have to understand how data is 
stored. In an analogy to the real world, an explanation of how data is stored 
follows: 

Assume you have a small notebook with 10 pages and you want to write some 
data in this notebook. You just start writing on the first page up to the end of 
the notebook. Maybe you decide the information on page 5 must be 
destroyed. Probably you will just take out the page and burn it. 

Unfortunately data on a harddisk doesn't work this way. A harddisk contains 
not ten but thousands or maybe even millions of pages. Also it's impossible to 
take out a "page" of a harddisk and destroy it. To explain how a harddisk work, 
we will continue with our 10-page notebook example. But now we will work a 
little bit different with it. We will work in a way similar to how a harddisk 
works. 

This time we use the first page of our notebook as an index. Assume we write 
a piece about "WikiLeaks", then on the first page we write a line "piece about 
WikiLeaks: see page 2". The actual piece is then written on page 2. 

For the next document, a piece about "Goldman Sachs" we add a line on page 
1, "Goldman Sachs: see page 3". We can continue this way till our notebook is 
full. Let's assume the first page will look like this: 

• WikiLeaks -> see page 2 

• Goldman Sachs -> see page 3 

• Monstanto scandal -> see page 4 

• Holiday pictures -> see page 5 

• KGB Investigation -> see page 6 

• Al Jazeeraa contacts -> see page 7 

• Iran nuclear program -> see page 8 

• Sudan investigation -> see page 9 

• Infiltration in EU-politics -> see page 10 

Now, let's decide you want to wipe the "Goldman Sachs" piece, what a 
harddisk will do, it will only remove the entry on the first page, but not the 
actual data, your index will be: 

• WikiLeaks -> see page 2 

• Monstanto scandal -> see page 4 

• Holiday pictures -> see page 5 

• KGB Investigation -> see page 6 

• Al Jazeeraa contacts -> see page 7 

• Iran nuclear program -> see page 8 

• Sudan investigation -> see page 9 

• Infiltration in EU-politics -> see page 10 

226 



What we did, we removed only the reference to the article, but if we open 
page 3, we will still able to read the Goldman Sachs piece. This is exactly the 
way what a harddisk does when your "delete" a file. With specialized software 
it still able to "recover" page 3. 

To securely delete data, we should do the following: 

1. Open the "Goldman Sachs" page (page 3) 

2. Use an eraser to remove the article there, if done return to page 1 

3. Delete the reference in the index on page 1 

Well you will be surprised by the similarity between this example and the real 
world. You know when you removed the article on page 3 with an eraser, it is 
still possible to read the article slightly. The pencil leaves a track on the paper 
because of the pressure of the pencil on the paper and also you will be unable 
to erase all of the graphite. Small traces are left behind on the paper. If you 
really need this article, you can reconstruct (parts) of it, even if it's erased. 

With a harddisk this is very similar. Even if you erased every piece of data, it is 
sometimes possible with (very) specialized hardware to recover pieces of the 
data. If the data is very confidential and must be erased with the greatest 
care, you can use software to "overwrite" all pieces of data with random data. 
When this is done multiple times, this will make the data untraceable. 



Securely delete data under Windows 

For Windows there is a good open source tool called "File Shredder". This tool 
can be downloaded from http://www.fileshredder.org 



The installation is very straightforward, just download the application and 
install it by hitting the next button. After installation this application will 
automatically start. You can then start using it for shredding files. However 
the best part of the program is that you can use it from within windows itself 
by right clicking on a file. 



227 



l. Click right on the file you want to shred, and choose File Shredder -> 
Secure delete files 



mart *■ Documents •■ » Ifijl 

Views ▼ |_j Open E3 E-mail J£ 5hare 

Name ■*• | -| Date modified - Type | -*| 5i 



IQO F 



Documents 
^| Pictures 
Music 



Desktop 

AppData 
§( Application Data 
. Contacts 

Cookies 
I Desktop 
!i - Documents 
Downloads 

Green host documents 
£ httpreeon-7.3[l] 
httprecon-7.3 
config 
U eonfig_templat.es 
database 



Downloads 

Greenhost documents 
I Jhttprecon-7.3[l] 
? My Music 
ng My Pictures 

My Stationery 
v [_] My Videos 

Other documents 

Default 

desktop 
1,2 'file_shredder_setup 



Sensetive document about Facebook leaks,.. Date modified: 4/30/201 

ODTFile Size: 100 MB 

Date created: 4/30/201 




2. A pop-up asks if you really want to shred this file 




3. After confirming, there your file goes. Depending on the size of the file 
this can take awhile 



Folder: c:\u5er5\mart\doc1jrnents\ 



File: sensetive document about Facebook leaks 



1 of 1 



Wiping Method DOD 522Q-22M (pass 2) 



iCancel; 



228 



Securely delete data under MacOSX 

There are basically to build-in steps to make to securely delete your data on 
Mac OSX. 

1. Erase the free-space on your hard-drive containing all the data of items 
which are deleted in an unsecure way. 

2. Make sure that every file from then on is always securely deleted. 
We start with the first one: 



Erasing Free Space 

1. Open Disk-Utility which resides in the Utilities folder inside the Applications 
folder. 



.. Utilities 



Disk Utility 



r 




Ci 



A 



2. Select your hard drive and click on 'Erase Free Space'. 



229 



° 



98 



^ W 




Macintosh HD 



Verify Info Bum Unmount Eject Enable Journaling New Image Convert Res ze Image 





First Aid Erase RAID Restore 



To erase all data on a disk or volume: 

L Select the disk or volume in the list on fhe left. 

2 Specify a format and name. 

3 If you want to prevent the recovery of the disk's erased data, click Security Options. 

4 Click Erase,. 

To prevent the recovery of previously deleted files without erasing the volume, select a 
volume in the list on the left, and click Erase Tree Space. 



Format: Mac OS Extended IJournalecQ 



Name: Macintosh HD 




:^_ Security Options... J: (_ Erase... } 



® 



Mount Point 


Capacity 


-199,75 CB (499.763. S8S.1Z8 Bytes) 


Format 


Mac OS Extended (Joumaledj Available 


32,04 CB (32.Q4L054.2QS Bytes) 


Owners Enabled 


Yes Used 


467.72 GB {467.722. S33.9ZG Bytes) 


Number of Folders 


207.973 Number of Files, 


SS6_3SZ 



3. Three options will appear, from top to bottom more secure, but also they 
take much more time to complete. Read the descriptions on each one of 
them to get an idea from what will happen if you use them and then choose 
which one might suite your needs the best and click 'Erase free Space'. 

If time is no issue, then use the most secure method and enjoy your free time 
to get a good coffee while you Mac crunches away on this task. If the crooks 
are already knocking on your front-door you might want to use the fastest 
way. 



230 



Erase Free Space Options 

These options write over the unused space on the selected disk or volume 
to prevent disk recovery applications from recovering deleted files. 

Note: Secure Erase overwrites data accessible to Mac QSX. Certain types 
of media may retain data that Disk Utility cannot erase. 



! Zero Out Deleted Files 

This provides good security and is quick. It writes zeros over the unused 
space in the disk once. 



O 7-Pass Erase of Deleted Files 

This option provides better security and takes 7 times longer than "Zero Out 
Deleted Files,' It writes over the unused space in the disk 7 times. 



35-Pass Erase of Deleted Files 

This option provides the best security and takes 35 times longer than "Zero 
Out Deleted Files." It writes over the unused space in the disk 35 times. 



® 



(_ Cancel J Q Erase Free Space J 



Securely Erasing Files 

Now that your previously deleted data is once and for ever securely erased 
you should make sure that you don't create any new data that might be 
recovered at a later date. 



1. To do this open the finder preferences under the Finder Menu. 
File Edit View 



About Finder 



Preferences. 



Empty Trash... OSZm 
Secure Empty Trash... 



Services 



Hide Finder 
Hide Others 
Show All 



&H 
X&H 



231 



2. Go to the advanced tab and tick 'Empty trash securely'. This will make sure 
that every time you empty your trash all the items in it will be securely deleted 
and are really gone! 




_J Show all filename extensions 

0Show warning before changing an extension 

Show warning before emptying the Trash 



Empty Trash securely 



When performing a search: 



Search This Mac 



I] 



Note l: Deleting your files securely will take longer then just deleting them. If 
you have to erase big portions of unimportant data (say your movie and mp3 
collection) you may wanna untick this option before doing so. 



Securely delete data under Ubuntu/Linux 

Unfortunately currently there is no graphical user interface available for 
Ubuntu to delete files secure. There are two command-line programs 
available though. 



• shred 

• wipe 

Shred is installed in Ubuntu by default and can delete single files. Wipe is not 
installed by default but can easily be installed with using Ubuntu Software 
Center or if you understand the command line you can install it with apt-get 
install wipe. Wipe is a little more secure and has nicer options. 

It is possible make access to these program's easy by adding it as an extra 
menu option 



232 



2. Open the "Nautilus Actions Configuration" from the System -> 
Preferences menu 



Preferences 



Administration 

Help and Support 
About GNOME 

About Ubuntu 



& About Me 
jlj Appearance 
■9 Assistive Technologies 

Bluetooth 

1 _ x | Email Settings 
d!) Keyboard 

fj| Keyboard Input Methods 
^ Keyboard Shortcuts 
|^ Main Menu 

^# Messaging and VoIP Accounts 
O Monitors 
l^Vl Mouse 

--0} Nautilus Actions Configuration k I 
iEJP Network Connections 
u^ Network Proxy 

I K| OpenJDKJava 6 Policy Tool 

3. We have to add a new action. To do this, start clicking on the "create 
new action button", the first option in the toolbar 





-ti 



: fj Cf 



Actions list : Hj> 



l- 1 '"-"' 10 ' 1 "!--'^-"- |'-vV-':o^ \f-a-ir-~^_,i -,,-7< 



Action 

, Nautilus Item 



2-22 



Context label : 



Toolbar label : 



□ Display item in selection context menu 

□ Display item in location context menu 



D Display item in the toolbar 

□ Use same label for icon in the toolbar 



Tooltip : 
Icon : 



t Browse.,. 



Action properties - 



□ Enabled 

□ Read-only 



Id. : 
I/O provider : 



menu(s), action(s), profile(s) are currently loaded 



\Ua 



233 



4. Next is describing the new action. You can give the action every name 
you wish. Fill out this title in the "Context label" field. In this example 
we used "Delete file securely" 



Edit View Tools Help 



5 ^ ff m 

Actions list : ^ 

Delete file securely 



Action Command Folders Conditions Advanced conditions 



Nautilus Item 



Display item in selection context menu 
□ Display item in location context menu 



■:t label 


Delete file securely 




□ Display item in the toolbar 

Use same label for icon in the toolbar 


)r label 


[Delete file securely 






Tooltip 


1 1 






Icon 


1 t Browse... 



Action properties 

Enabled 
□ Read-only 
Id. : 399124O5-3c49-45a4-9260-71661dl09abb 
I/O provider : 



menu(s), 1 action(s), 1 profile(s) are currently loaded 



\/a 



234 



5. Click on the second tab ("Command"), here is how we specify the action 
we want. In the field "Path", type "wipe", in the field parameters type "- 
rf %M", please be sure about the capitalisation of all characters here, 
this is very important. 



a m 



id 



Actions list : I M <8> v 



Delete file securely 



Action Command Folders Conditions Advanced conditions 



Profile 



Label : ' Default profile 



Command . 


Path : 'wipe ] |flrowse...| 




Parameters : ' -rf %M | Legend | 
e.g., wipe -rf /path/to/file.txtM 



menu(s), 1 action(s), 1 profile(s) are currently loaded 



\/a 



235 



6. Next is specifying the conditions, click on the conditions tab and choose 
the option "Both" in the "Appears if selection contains..." box. With this 
option you can wipe both files and folders securely. If done, click the 
save button (second item on the icon bottom toolbar) or use the menu 
File->Save 



File Edit View Tools Help 



gj u 



Actions list : M A V 



Delete file securely 



Action Command Folders 



Conditions 



Advanced conditions 



Appears if 1 

Filenames 

Mjmetypes 


ile 


matches 


, 


~1 


Match case 


r* 


I 







Appears if selection contains 

O Only flies O Only folders ® Both 

□ Appears if selection has multiple files or folders 



menu(s), 1 action(s), 1 profile(s) are currently loaded 



\A 



7. Now close the Nautilus Actions Configuration tool. Unfortunately, after 
this, you have to re-login into your system, so ether reboot or 
logout/login. 

8. Now browse to the file you want to securely delete and right click: 



236 




Choose 'Delete File Securely'. The file will then be wiped 'quietly' - you 
do not get any feedback or notice that the process has started or 
stopped. However the process is underway. It takes some time to 
securely delete data and the bigger the file the longer it takes. When it is 
complete the icon for the file to be wiped will disappear. If you would 
like to add some feedback you can change the parameters field in 
Nautilius Actions Configuration tool to this: 

-rf %M | zenity -info -text "your wipe is underway please be patient. 
The icon of the file to be wiped will disappear shortly." 

The above line will tell you the process is underway but you will not 
know the file is deleted until the icon disappears. 



237 



238 



SECURING REMOTE CONNECTIONS 



239 



Introduction securing remote 
connection: VPN 

Everybody wants to get connected to the internet, everywhere at every 
moment. People use whatever method is available, ranging from WiFi 
networks to rolling out cables on the street. It is even possible to make an 
internet connection using satellites or mobile networks. The urge to get 
connected is more important than making sure the connection is safe. Even 
though many people know connecting to a open wireless network is unsafe, 
people still act as if there is no alternative. 

Although you can encrypt your web and email communication, this is 
unfortunately not true for all applications. There is no such encryption for 
MSN and nobody knows what kind of encryption Skype uses and whether it is 
easily to be tapped. Therefore it would be nice if you can protect your 
connection in a more general way. This is possible with a VPN, which stands 
for "Virtual Private Network". 

Understanding the communication path 

To get more security it's important to know what a VPN can and can't do for 
you. Therefore it's important to have a basic understanding of the way the 
internetworks. 



When connecting to the internet every request is going through multiple 
'hops' (often called routers). At every hop a system administrator (or 
government institution) can spy ('sniff') on your connection. Often at least 5 
to 10 hops are required before your request reaches the server. This means 
there are at least as many places where your information can be sniffed and 
leaked without your knowledge 

In general (but not always!), the networks get more secure down the road. 
For example, if you are in China at a cafe with an unencrypted wireless 
connection, requesting information about Liu Xiaobo on the site 
http://en.wikipedia.org/wiki/Liu_Xiaobo it's very possible that this piece of 
information is located on a server in Amsterdam. If so, your request will travel 
through multiple places and each hop is vulnerable: 

1. the wireless network at the bar - everybody in and around the bar will 
be able to see your request; 

2. the wireless modem/router of the bar - the bar owner, or somebody 
with physical access to this modem/router, will be able to see your 
request; 



240 



the (multiple) routers of the connection provider - in China these are 
controlled by the government (and probably blocked in this case), so 
the system administrator(s) of these networks will be able to see the 
request. Maybe some hundreds of system administrators have the 
access to 'sniff' your request. 

some routers in Europe - for example routers at the German Internet 
Exchange Denic in Frankfurt. Most of these systems are very well 
maintained and secured, but the request is still viewable by the involved 
system administrators; 

and finally your request will arrive at the server of Wikipedia in 
Amsterdam and of course the system administrator of this system will 
be able to see your request. 



Securing the weak points 

It's very important to understand that the weakest points on this path - the 
bar and in the country where you are - are also controlled by the people who 
are most interested in your requests. Therefore it's very interesting to secure 
this part of the path. It would be great if you can somehow change the path 
so it appears like your request originated in (for example) Germany instead of 
China. This is possible with VPN technology. 

Get more security by default (with a VPN) 

A VPN (Virtual Private Network) encrypts and tunnels all Internet traffic 
between yourself and another computer (VPN server). This computer might 
belong to a commercial VPN service, your organization, or a trusted contact. 



Because VPN services tunnel all Internet traffic, they can be used for e-mail, 
instant messaging, Voice over IP (VoIP) and any other Internet service in 
addition to Web browsing, making everything that travels through the tunnel 
unreadable to anyone along the way. This makes your connection more 
secure by default. 

If the tunnel starts at your laptop in China and ends at your VPN-provider in 
Germany, this can be an effective method of circumvention, since all the hops 
in China will only see encrypted data and have no way of knowing what data 
is passing through the tunnel. It has the additional effect of making all your 
different kinds of traffic look similar to an eavesdropper. 

It is important to note that the data is only encrypted until the end of the 
tunnel, and then the data travels unencrypted to its final destination. 



241 




To explain the whole journey in more detail: 

By using a VPN provider in Germany your request will once again be 
forwarded through multiple places. This time howeveryour computer will 
build a VPN connection (a "tunnel") to a server in Germany, so the traffic will 
be as follows: 



1. All the hops to the VPN server in Germany will only see some 
unreadable encoded data - this includes the network from the bar and 
the Chinese firewall; 

2. The VPN server in Germany will receive the encrypted traffic and will 
decrypt it, so it can send it to some router at Denic - the request will be 
viewable here by the system administrator; 

3. Finally your request will arrive at the server of Wikipedia in Amsterdam 
and once again the system administrator of this system will be able to 
see your request. 

So while not securing all parts of the data path the points where you might be 
most vulnerable are pretty well obscured. 

Since many international companies use VPN technology to allow employees 
who need access to sensitive financial or other information to access the 
companies' computer systems from home or other remote locations over the 
Internet, VPN technology is less likely to be blocked than the technologies 
used only for circumvention purposes. 

242 



Note: The communication is only safe on one part of the path 

Keep in mind that if you are communicating with a local website or person in 
China, your connection will be encrypted from China to Germany, but from 
Germany back to China (to this website or person) is unencrypted if this 
person is not using the proper security measures! This is important to keep in 
mind when communicating with local people. You may bring them and 
yourself in danger. 



243 



Getting and testing a VPN account 

In all the VPN systems, there is one computer set up as a server (in an 
unrestricted location), where one or more clients connect to. The set up of 
the server is out of the scope of this manual and the set up of this system is in 
general covered by your company or VPN provider. This server is one of the 
two ends of the tunnel. It is that important the company running this server 
can be trusted and is located in an area you trust. So to run a VPN, an account 
is needed at such a trusted server. 

Please keep in mind that an account can often only be used on one device 
concurrently. If you want to login on a VPN with both your mobile and laptop, 
it is very well possible you need two accounts. 



An account from your company 

A lot of companies are running local VPN servers. It is very well possible you 
can get an account there easily. Check with your system administrator if this 
is possible and ask for the technical possibilities. 

An account from a free or commercial VPN-provider 

If you don't have the possibility to get an account from your company, you 
can register for an account on the Internet, there are dozens of providers. 
Although some companies offer free accounts, they seem to be disappearing 
fast. For a stable account it seems the best to go for a paid option. For a few 
euro's a month it is possible to get an account. Always choose for a provider 
that offers a standard protocol like L2TP/IPsec, PPTP orOpenVPN. Explanation 
of the differences between these standards is up next. 



A (semi up-to-date) overview of free en commercial providers can be found at 
cship. org's wiki (http://en.cship.org/wiki/VPN). 



VPN standards 

There are a number of different standards for setting up VPN networks, 
including PPTP, LL2P/IPSec and OpenVPN that vary in terms of complexity, 
the level of security they provide, and which operating systems they are 
available for. Naturally, there are also many different implementations of each 
standard within software that have various other features. 



244 



PPTP 

PPTP is one of the older VPN technologies. While PPTP is known to use 
weaker encryption than either L2TP/IPSec or OpenVPN, it may still be useful 
for bypassing Internet blocking and give some level of encryption. The client 
software is conveniently built into most versions of Microsoft Windows, 
Apple, Linux computers and even mobile phones. It is very easy to setup. 



L2TP/IPSec 

L2TP (in combination with IPSec) is a very well-known VPN solution. A lot of 
devices support these VPN connections out of the box. This includes all 
mainstream Operating Systems like Windows, MacOSX and Linux, but also 
support is standard in both Android and iPhone phones. Unfortunately to set- 
up a good L2TP/IPSec server is complicated. Because the wide-spread 
implementations of the (complex) protocol, there are some differences 
between disparate versions. Therefore, the protocol is not always working 
flawless, so check if it works. If it is running, this is one of the best and safest 
options. 



OpenVPN 

OpenVPN is a well-respected, free, open source VPN solution. It works on 
most versions of Windows, MacOSX and Linux. OpenVPN is SSL-based, which 
means it uses the same type of encryption that is used when visiting secure 
Web sites where the U RL starts with https. Despite the open character of the 
product it is currently not very well supported by mobile phones. Also the 
configuration of this protocol under Windows en MacOSX requires additional 
software, while PPTP and L2TP/IPSec are both available by default. 



Other 

There are dozens of other implementations. We advise to stick to one of these 
three methods as these are very common en well supported. But maybe there 
is a good reason to use other methods under some circumstances. 

Testing before and after account set up 

If you decide to set up a VPN, it is important to check if it is working at all. 
The best way to do that is to check before and after the set up. Before setting 
up the connection, the "world" will see you from the location where you 
really are. This can be simply checked on: 



http://whatismyipaddress.com/ (Make sure you spell this correctly) 

245 



Although this page is a little commercial, it does do a nice job in displaying 
your external IP address and the location where you are. Please note, this 
location is not necessarily your exact location, but in most cases at least the 
country should be correct. 

After you have set up your connection, you can visit this page again. Then it 
should display a different location: the location where your VPN-provider is 
located. 



l. Before setting up a VPN, this site returns that we are in Berlin 
(Germany), which is correct: we are in Berlin. 



s= ■■% "* I IjjJ '■ " »" http://whatismyipadd.ress. com/ _rj | £1 * | what is my u|^| jg 
3 Disable t SCookiesT _jcS5.t OFormsT -i Images" OinformatioriT MiscellarieousT „-/Outlinev _. J 
'B http://booki....curity/edit/ tt | ?* What Is My IP Address?... W | ^ 

M Whatls 

jit MylPAddress 



What IS My IP Address? (Nowdetects many proxy 



11 




IP Information: 89.247.1 81 .2 

IS?: Versatel Deutschland 

GSG Asset GmbH 8 Co. Verwaltung; 



Organ izati or 



KG 



Read; GecLccatipn accuracy 

Location not accurate? Try : Browser geolo cation 





None Detected 


City 


Berlin 


Hegion 


Berlin 


Country: Germany H 



1 89.247. 181.2 | Additional IP Details | 



2. After have set up the VPN, the site tells us that we moved to the 
Netherlands, which is correct: that is where our VPN-provider is 
located. People in Berlin won't be able to sniff our connection. 



J Disable " Q. Cookie 





%". http://wha 


tismyipaddr 


ss.com/ 


' 1 SI ' 1 what is m y u i% Si ' 


. QFon™. 


| Images" 


Information w 


Miscellaneous" J Outline" JJlte 



Tj http://booki....curity/editJ X | ^ whatJs My IP Address?... K | ^ 



v. Whatls 

I' MylPAddress 



What Is My IP Address? (Nowdetects many proxy servers } 

IP Information: 195.190.28.22 

? r,.« 




BP: Samagevof 

Organization: Samagevof 

■'..- - - ^.- - ; - - ■ Rrra^rilinnri 



Rrilriir 

,™.o ''-■'■■■■■" 
. y aoo fan L|nnDBL 

RLJtn' I 260 rffl M 6 r : r 

Read: GeoLocatiort accuracy 

Locati on n ot aecu rate? Try : Browser geolocati on 



Proxy: Nome Detected 



Regioi 
Courars 



1 195.190.28.22 | Additional IP Details | 



246 



Setting up your account 

In the following chapters some examples are given for setting up an account. 
These manuals mostly cover LT2P/PPTP like connections. If you want to use 
OpenVPN on Windows or MacOSX, have look at: 

http://openvpn.se (Windows interface) 
http://code.google.eom/p/tunnelblick/ (MacOSX interface) 



247 



VPN on Ubuntu 



If you use Ubuntu as your operating system, you can connect to a VPN by 
using the built-in NetworkManager. This application is able to set up networks 
with OpenVPN and PPTP. Unfortunately at the time of writing a L2TP interface 
is not available in Ubuntu. (It can be done manually, but it goes beyond the 
scope of this document). 

The following example will explain how to connect with a PPTP-server and an 
OpenVPN-server. 

This document is divided in three parts. The first part covers the general 
installation of required elements and is necessary for both types of VPN- 
tunnels. The second and third part describe the configuration for PPTP and 
OpenVPN parts. 

Under all situations we assume you already have a VPN account as described 
earlier in this section. 



1. Preparing Network Manager for VPN networks 

For Ubuntu there is an excellent network utility: Network Manager. This is the 
same utility you use to set up your Wireless (or wired) network and is 
normally in the upper right corner of your screen (next to the clock). This 
tools is also capable of managing your VPNs, but before it can do so, it's 
necessary to install some extensions. 



248 



Installing PPTP and OpenVPN extension for Network Manager 

To install the plugins for Network Manager we will use the Ubuntu Software 
Center. 

1. Open the U buntu Software Center from the Applications menu located 
at the top left of your screen 



Applications E 






^Accessories 


^r 




[^ Games 


► 




j{^ Graphics 


► 




Q Internet 


► 




15 °ffl ce 


► 




B|U Sound & Video 


► 




{??} System Tools 


P- 




f Wine 


P- 




j^l Ubuntu Software Center 


IfiLets you choose from thousands of 


Hfree applications avail 


able for Ubuntul 





2. The Ubuntu Software Center enables you to search, install and remove 
software on your computer. Click on the search box at the top right of 
the window. 



f> ffil Get Software 
5 Installed Software 








1 i f 1 Get Software 


i* 






Ubuntu Software 


Center 


/^\ 








^Jtjf 


Departments 


fe \th 


M 






Accessories Education 


Fonts 






& A 


© 






Games Graphics 


Internet 




32616 items available 



249 



In the search box, type in "network-manager-openvpn-gnome" (which is 
the extension that will enable OpenVPN) and/or "network-manager- 
pptp-gnome" (which is the extension for PPTP). It's necessary to type 
the full names because the packages are classified as "technical" and 
don't pop-up earlier. 

These packages include all the files you need to establish a VPN 
connection successfully. You can decide to install both extensions or 
only the one you need. 



f> ffl Get Software 
H Installed Software 




< * Get Software Search Results Q, -openvpn-gnorne| i_ 

rJfa . network management framework (OpenVPN plugin, GNOME Ul) 

'■""■' network-manager-openvp-n-gnome 


More Info 1 Install 


b 


1 matching item 



4. Ubuntu may askyou for additional permissions to install the program. If 
that is the case, type in your password and click Authenticate. Once the 
package is installed, you can close the Software Center window. 




Authentication is required to 
install software packages 

An application is attempting to perform an action that 
requires privileges. Authentication is required to perform this 

action. 



1 matching item 



250 



5. To check if the extensions are correctly installed, click on the 

NetworkManager (the icon at the left of your system clock) and select 
VPN Connections > Configure VPN. 




6. Click Add under the VPN tab. 



j ' Wired ^|| Wireless t.ill Mobile Broadband gi VPN DSL 



Name 



Last Used 



VPN Connection 1 
VPN Connection 2 



2 hours ago 
never 



Add 



K 



Delete 



Import 

Export 



Close 



251 



If you see a pop-up asking for the type of VPN and the tunnel 
technology (OpenVPN or PPTP) option is available, this means that you 
have installed the VPN extension in Ubuntu correctly. If you have your 
VPN login information ready, you can continue right away, else you first 
have to get a VPN account from a VPN-provider. If this is the case, click 
cancel to close the Network Manager. 



© 



Choose a VPN Connection Type 

Select the type of VPN you wish to use for the new 
connection. If the type of VPN connection you wish to create 
does not appear in the list, you may not have the correct VPN 
plugin installed. 



OpenVPN 



- 



Compatible with the OpenVPN server. 



Cancel 



> 



Create... 



2. Configuring a PPTP network on Ubuntu 

If you want to set up OpenVPN, you skip this section and jump to "3. Set up 
OpenVPN on Ubuntu" 



Let's assume have your credentials from your VPN provider for PPTP ready. 
This information should contain the following: 



Username, ex. bill 

Password, ex. verysecretpassword 

VPN server, ex. tunnel.greenhost.nl 



Before getting started, please be sure you have read the paragraph 
"testing before and after account set up". In this way you will be able to 
validate if your connection is actually working after set up. 



252 



If you have installed all software in the previous chapter, we are now 
ready to go. Setting up PPTP is very simple in Ubuntu: first we open the 
VPN network setting, by using the NetworkManager Utility. Just next to 
your system clock (were you also set your WiFi setting), just click on it 
and the following menu pops up. Choose Configure VPN (under VPN 
Connections). 




3. A new window will pop-up, showing your VPN connection. This list is 
empty if you have not configured a VPN before. Simple choose: Add 



; ' Wired ^,|| Wireless yl Mobile Broadband VPN , ' DSL 



Name 



Last Used 



VPN connection 1 



9 minutes ago 



Add 



Edit 



Delete 



Import 



Export 



Close 



253 



4. The next window will show you the available options. In This case make 
sure you choose Point-to_point Tunneling Protocol (PPTP). If you have 
selected this protocol choose "Create ..." 



@ 



Choose a VPN Connection Type 

Select the type of VPN you wish to use for the new 
connection. If the type of VPN connection you wish to create 
does not appear in the list, you may not have the correct VPN 
plugin installed. 



Point-to-Point Tunneling Protocol (PPTP) | v 

fe 

Compatible with Microsoft and other PPTP VPN servers. 

Cancel Create,,. 



254 



5. In the next pop-up fill out the required information. The connectname is 
just the name to identify this connection with. The gateway is the server 
address of the VPN provider, in this case "tunnel.greenhost.nl" are self 
explanatory., the fields "User name" and "Password" 

Please pay special attention to the "Connect Automatically" option. If 
enabled, the VPN will be always online (if available). This setting is 
recommended if you have an unlimited dataplan with you VPN provider. 

Also it's needed to enable encryption. This can be done with the 
advanced options, so choose "Advanced..." 



Connection name: ' VPN to Greenhost 




Connect automati 
VPN 



IPv4 Settings 



icallyj 



General 



Gateway: tunnel, greenhost.nl 



Optional 

User name: 

Password: 
NT Domain: 



bill 



□ Show password 




D Available to all users 



Cancel Apply 



255 



In the advanced options screen enable: "Use Point-to-Point encryption 
(MPPE)". The utility will give you a warning that some authentication 
methods are not possible with MPPE. This is the expected behaviour. 
You can confirm the settings with "OK" to return to the previous 
window. Please "Apply" this window, and we nearly ready to go. 

Authentication 

Allow the following authentication methods: 



□ PAP 

□ CHAP 

1 MSCHAP 



I 



Security and Compression 

Use Point-to-Point encryption (MPPE) 

Sec 







□ Allow stateful encryption 
Allow BSD data compression 
Allow Deflate data compression 
Use TCP header compression 

Echo 

□ Send PPP echo packets 

Cancel 



OK 



256 



7. Now you will return to the overview. If everything went fine, you will 
have a new connection now. Here it's called "VPN to Greenhost". You 
can close this window now, your settings are complete. 



J Wired |y Wireless |i,,|| Mobile Broadband 



3 VPN \0 D 



Name 


Last Used 


VPN connection 1 




9 minutes ago 


VPN to Greenhost 




never 


k 



Add 



Edit 



Delete 



Import 



Export 



Close 



Now, let's activate the VPN. Hit the Network Utility Tool again, browse 
to "VPN Connections" and next "Click on VPN to Greenhost" 




257 



If everything went fine, look at the small change in the notification icon: 
this should now give you a "lock" icon next to the WiFi signal. 




3. Configuring an OpenVPN network 

Let's assume you received your configuration files and credentials from your 
VPN provider. This information should contain the following 

• an *.ovpn file, ex. air.ovpn 

• The file: ca.crt (this file is specific for every OpenVPN provider) 

• The file: user.crt (this file is your personal certificate, used for 
encryption of data) 

• The file: user.key (this file contains your private key. It should be 
protected in a good manner. Loosing this file will make your connection 
insecure) 

In most cases your provider will send these files to you in a zip file. 



Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 



258 



2. Unzip the file you have downloaded to a folder on your hard drive (e.g.: 
"/home/[yourusemame]/.vpn"). You should now have four files. The file 
"air.ovpn" is the configuration file that you need to import into 
NetworkManager. 



EK 



■0Back 



1 SCIilll^ 10D% ^ | Icon View |t| t\ 



Places ▼ J 

d genghis 
IE Desktop 
_ File System 
Hj Network 

j. Trash 



„ Documents 

.i" Music 
41 Pictures 

y Videos 
'i£SJ Downloads 
£ MX Server 



Location: I /nome/genghis/.vpn 



HI I En 

user.key 



4 items. Free space: 397.6 GB ^ 

3. To import the configuration file, open NetworkManager and go to VPN 
Connections > Configure VPN. 




Connect to Hidden Wireless Networks 
Create New Wireless Network.. . 



259 



4. Under the VPN tab, click Import. 



,' Wired -Kill Wireless i.hI Mobile Broadband g] VPN DSL 



Name 



Last Used 



VPN Correction 1 
VPN Connection 2 



3 hours ago 
never 



Add 



Edit 



Delete 



Import 



Export 



Close 



5. Locate the file air.ovpn that you have just unzipped. Click Open. 



01 



„a genghis .vpn 



Places 


Name » | size | Modlned 


Q. Search 


air.ovpn 


434 bytes 09:35 


Q user.crt 


5.0 KB 09:35 


»i genghis 


■ Desktop 


Q laer.key 


16KB 09:35 


■ File System 






B Documents 


■ Music 






j| Pictures 






■ Videos 






^Downloads 






Add Remove 







260 



6. A new window will open. Leave everything as it is and click Apply. 















Correction name: 


air 


Con nect a utom ati ca 1 1 y 








VPN 


IPv4 Settings 




General 










Gateway: 

Authentication 

Type: 

User Certificate: 
CA Certificate: 
Private Key: 
Private Key Password: 


94.23.211.1BB 












Certificates (TLS) 




1* 












Lser.crt 




iy 












ca.crt 




iy 












l^ user. key 




iy 
















□ Show passwords 












\ Advanced... 












□ Available to all users 






Cancel 


Apply 









261 



7. Congratulations! Your VPN connection is ready to be used and should 
appear on the list of connections under the VPN tab. You can now close 
NetworkManager. 



, * Wired j.,\\ Wireless u\\ Mobile Broadband ft VPN DSL 



Name 


Last Used 


VPN Correction 1 
VPN Cor recti or 2 


3 hours ago 
never 


air 


never 





Add 



Edit 



Delete 



Import 



Export 



Close ,1 



Using your new VPN connection 

Now that you configured NetworkManager to connect to a VPN service using 
the OpenVPN client, you can use your new VPN connection to circumvent 
Internet censorship. To get started, follow these steps: 



262 



1. In the NetworkManager menu, select your new connection from VPN 
Connections. 




2. Wait for the VPN connection to be established. When connected, a 
small padlock should appear right next to your NetworkManager icon, 
indicating that you are now using a secure connection. Move your 
cursor over the icon to confirm that the VPN connection is active. 




3. Test your connection, using the described method earlier. 



263 



4. To disconnect from your VPN, select VPN Connections > Disconnect 
VPN in the NetworkManager menu. You are now using your normal 
(filtered) connection again. 




264 



VPN on MacOSX 



Setting up a VPN on MacOSX is very easy once you have your account details 
ready, Let's assume have your credentials from your VPN provider for 
L2TP/lpSec connection ready. This information should contain the following: 

• Username, ex. bill2 

• Password, ex. verysecretpassword 

• VPN server, ex. tunnel.greenhost.nl 

• A Pre-Shared-Key or Machine-certificate 

1. Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 

2. A VPN is configured in the network settings, that are accessible via 
"System Preferences.." in the Apple menu. 



Finder File Edit View Go Window Help 



About This Mac 
Software Update,., 
App Store.,. 




Syste m Prefe re nc e s . . . 


Dock 


► 


Recent Items 


► 


Force Quit Finder 


Tti-^B 


Sleep 
Restart... 
Shut Down,.. 


X^i 


Log Out Douwe Schmidt., 


. OKQ 



265 



3. Next, open the Network preferences . 

System Preferences 



-, 



m 



@ 



Appearance Desktop S Dock Expose & Language & Security Spotlight 

Screen Saver Spaces Text 



a 



^ 



CDs & DVDs Disj- nv.s Energy Ink Keyboard Mouse Trackpad Print & Tax 

Saver 



& 



Internet fir Wirel 




MobiT^Me Network Blujftootri Sharing 



System 



A. 



Accounts Date £ Time Parental Software Speech Startup Disk Time Machine Universal 

Controls Update Access 



♦ 



% \M 



AppTrap Bamboo [~lip4Mac Growl M€nuMecers Perian Xmarks Zimbra 

WMV for Safari 



266 



4. OSX uses this nifty system to lock windows. To add a VPN it is necessary 
to unlock the screen: you can do this by clicking on the lock on the left 
bottom of the screen. 



Ethernet 
Not Connected 

UvA 

Not Connected 




Location: Automatic 



3 



Status: Connected ( Tjrn AirPort Off ) 

AirPort is connected to BETAHAUS GUEST 
and has the IP address L92.L6S.1.51, 



Network Name: BETAHAUS GUEST 



^ | 



5; Ask to join new networks 

Known networks will be joined automatically, 
If ro known networks are available, you will 
be asked before joining a new network. 



Click, tie lock to mike changes. 

5. Enter our user credentials 



M Show AlrPort status in menu bar :. Advanced... j Cf) 

(__ Assist me... ^ Revert j 



_ 



.o 



Type your password to allow System 
Preferences to make changes. 



► Details 



Name: John 
Password: [«»»»■ 



( Cancel ) ( OK ) 



267 



6. Now we can add a new network. Do this by clicking on the "+" sign 

© © ^ Network 



^ 



_! 



Location: Automatic 




Not Connected 



$ 



O* 



Status: Connected ( Turn AirPort Off ) 

AirPort is connected to BETAHAUS GUEST 
and has the IPaddre&s L92.16S.1.51. 



Network Name: BETAHAUS GUEST 



5! Ask to join new networks 

Known networks will be joined automatically. 
If no known networks are available, you will 
be asked before joining a new network. 



3 Show AirPort status in menu bar . Advanced... ) Cf) 

Click. Che lock to prevent further changes. f Assist me.,. J 



7. In the pop-up you need to specify the type of connection. In this case 
choose an VPN interface with L2TP over IPSec. This is the most common 
system. Also don't forget to give the connection a nice name. 



Select the interface and enter a name for the new service. 



Interface: VPN 



3 



VPN Type: L2TP over IPSec 



J} 



Service Name: Creenhost VPSJ 



. Cancel \ f Create 



268 



Next comes the connection data. Please fill in the provided server name 
and user name (called 'Account Name'). If this is done, click on the 
"Authentication Settings..." button 



Network 



Location: Automatic 



t Ai rPort 
Connected 



Not Connected 

UvA 

Not Connected 



Green host VPN 

Not Configured 



l«-l 



rf 



Status: 

Configuration: 
Server Address: 

Account Name: 

Show VPN status i 


Not Configured 




1 Default t 






tunnel.greenhost.nl 


bill2| 




{ Authentication Settings... ) 


Connect J 








t menu bar :. Advanced ... 


© 



Click, the lock to prevent further changes. 



f Assist me... j f Revert j f Apply j 



269 



In the new pop-up you can specify connection specific information. This 
is the way the user is authenticated and how the machine is 
authenticated. The user is very commonly authenticated by using a 
password, although other methods are possible. Machine 
authentication is often done by a Shared Secret (Pre-Shared-Key/PSK), 
but also quite often by using a certficate. In this case we use the Shared 
Secret method. When this is done click OK. 



User Authentication: 



© Password: 



O RSA SecurlD 

[^ Certificate Select... 
'^) Kerberos 
1) Crypto Card 



Machine Auihenticarion: 








O Certificate 




:[ Jieleci. 


• ) 


Group Name: 




c 


(Opt ion a ;■ 






Cancel ) ( OK 


) 



270 



10. Now you return back to the network screen. The next step is very 
important, so click on "Advanced..." 



88 



Network 



3 



Location: Automatic 



3 




Status: Not Configured 



Configuration: I Default 



Server Address: tunnel.greenhost.nl 



Account Name: bill? 



; I 



f Authentication Settings... j 
I Connect J 



j Show VPN status in menu bar :^ Advanced... ^ (?) 



Cliclt the lock to prevent further changes:. f Assist me... j f Revert j f Apply 



271 



11. In the new pop up you will see an option to route all traffic through the 
VPN connection. We want to enable this, so all our traffic is encrypted. 



Creenhost VPN 



Options VPN on Demand TCP/IP DNS Proxies ' 



Session 
@ Disconnect when switching user accounts 
(^Disconnect when user logs out 



V 



Send all traffic over VPN connection 
!_ Disconnect if idle for 10 minutes 

Advanced 
Q Use verbose logging 



© 



( " Cancel " ) (__OK__) 



272 



12. Well, all is done. Now hit the Connect button! 






Location: Automatic 



Connected 

Ethernet 
Not Connected 

UvA 

Not Connected 



Creenhost VPN 

Not Configured 



U 



Status: Not Configured 



Configuration: 


f Default 




: 










Server Address: 


tunnel.greenhost.nl 














Account Name: 


bill2| 




1 












j Authentication Settings. 


■) 





Show VPN status in menu bar f Advanced.. . J QO 



Click the lock to prevent further changes. 



Apply 



13. A pop-up appears. You need to confirm your changes, just hit "Apply" 



_ TTTTr __ Connecting without applying your changes will 
ci*^M use t ' le P reviolls settings. Would you like to 
lAlifj apply your changes before connecting? 



Don't Apply Cancel ) ( Apply J 



273 



14. After a few seconds, on the left side the connection should turn green. If 
so, you are connected! 



98 



Network 



, Ethernet 

Not Connected 



, UvA 
Not Connected 



1 



Location: Automatic 



3 



Status: 

Connect Time 

IP Address 

Configuration: 
Server Address: 

Account Name: 

□ Show VPN status 


Connected 

00:00:25 Sent: BE 

L92.16S.S7.9 Received: DC 


1 Default ; | 




tunnel.greenhost.nl 


bill2 


( Authentication Settings... ) 
.. Disconnect 


n menu bar [ Advanced... j (?) 



il I Click, the lock to prevent further changes. 

15. Ok, now test your connection! 



Assist rne... ^ ^ Revert 



Apply 



274 



VPN on Windows 



Setting up a VPN on Windows is very easy once you have your account details 
ready. Let's assume have your credentials from your VPN provider for 
L2TP/lpSec connection ready. This information should contain the following: 

• Username, ex. bill2 

• Password, ex. verysecretpassword 

• VPN server, ex. tunnel.greenhost.nl 

• A Pre-Shared-Key or Machine-certificate 



1. Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 

2. We need to go to the "Network and Sharing Center" of Windows to 
create a new VPN connection. We can access this center easily by 
clicking on the network icon next to the systemclock en click on "open 
Network and Sharing Center" 




275 



3. The "Network and Sharing Center" will popup. You will see some 
information about your current network. Click on "Connect to a 
network" to add a VPN connection. 




Change adapter settings 

Change advanced sharing 



See a 1 50 
HomeGroup 

Internet Options 
Windows Firewall 



View your basic network information and setup connections 



(This computer) 
View your active networks- 



Network 2 

Public network 



Connect or disconnect 



Access type: Internet 

Connections: B Local Area Connectic 



Changeyour networking settings 

*u^* Set up a new connection or network 

Set up a iA-ii ele;i brc^dbsnd, dial-up, ad hcc.. cr VPN connection; or set up a router o 



^fc. Ccnnect to a network 

Connect or reccnns :t :; ■- 



wired, dial-up, or VPN network connection, 



j|l Chocs; hcmeg : .'. end sharing options 

Access files and printers located on other network computers, or change : ■ = ■' -■.:.;. :="■■■::; 

I j?1 Troubleshoct problems 

Diagnose and repair network problems, or get troubleshooting information, 



276 



4. The wizard to setup a connection will popup. Choose the option to 
"connect to a workplace", which is Microsoft's way of naming a VPN 
connection. 



s 



. ^? Set Up a Connection or Network 



Choose a connection option 



Connect to the Internet 

Set up a wireless, broadband, or dial-up connection to the Internet. 



r -ZaT | Set up a new network 

-4 Configure a new router or access point. 



Set up a dial-up connection 
1 Connect to thelnternet using a dial-up connection. 



277 



5. The next screen asks us if we want to use our Internet connection or an 
old-skool phone line to connect to the VPN. Just choose the first option 
then. 



SI 



, ..;, Connectto a Workplace 



lectto 



How do you want to connect? 



^ Use my Internet connection (VPN) 

Connect using a virtual private network (VPN] connection through thelnternet. 



9 — ■» 



+ Dial directly 

Connect directly to a phone number without going through thelnternet. 



dty — I 



What is a VPN connection? 



278 



6. The next screen asks for the connection details. Enter here the server of 
your VPN-provider (called "Internet address" in this dialog). On the 
bottom please check the box "Don't connect now; just set it up". Using 
this option the connection will be automatially saved and it's easier to 
control extra settings. If this is all done, hit the "next" button 







„ 1 ,. , 1 




1 = 1 |^W«l| 


© 


l _ 1 £ j Connect to a Workplace 




Type the Internet address to connect to 
Your network administrator can give you this address. 










Internet address; tunnel.greenhost.nl 




Destination name: GreenhostVPN| 




1 Use a smart card 

^.' [~J Allow other people to use this connection 

This option allows anyonewith access to this computer to use this connection. 






1 [7] Don't connect now; just set it up so I can connect later 
















Next | Cancel | 







279 



Next up are your username and password. Just give them like you 
received them from your VPN-provider. If the connection fails, windows 
forget's them. So keep them with you, you maybe need them later. If 
this is done. Click "create". 



■ 


Connect to a Workplace 






■ 


~ 


w 








Type your user name and password 










User name: bil13 




Password: 




1 1 Show characters 

Rem em b er th i & p a sswo rd 




Domain (optional]: 


















Create | 


Cancel | 











280 



Your connection is now available, if you click the the network icon 
again, you will see a new option in the network menu, the name of your 
VPN connection, just click it to connect. 



Currently connected to: 



*5 



Network 2 

Internet access 



Dial-up and VPN 



GreenhostVPN 



H 



Open Network and Sharing Center 




281 



9. And click "connect" 



Currently connected to: 



^ 



Network 2 

Internet access 



Dial-up and VPN 



GreenhostVPN 



Connect 



Open Network and Sharing Center 



s £ V '<■>: 



282 



10. A VPN connection dialog appears. This give us the opportunity to review 
our settings and to connect. You can try to connect, Windows will try to 
discover all other settings automatically. U nfortunately, this does not 
always work, so if this is not working for you, hit the "properties" 
button. 



* x Connect Greenhost VPN 




User name: 
Password: 


bill2 








Domain: 



□ Save this user name and password for the following users: 

Me only 

(j© jYiyone who uses this computer 



I Connect 1 1 



Cancel 



Properties 



Help 



283 



11. The properties windows appear. The most important page is the 
"Security" page, click on the Security tab to open it. 



Greenhost VPN Properties 



U*&» 



General 



Options | Security | Networking | Sharing | 



Host name or IP address of destination (such as microsoft.com or 
157.54.0.1 or 3ffe:1234::1111>: 



First connect 

Windows can first connect to a public network, such as the 
Internet, before trying to establish this virtual connection. 



I I Dial another connection first: 



See our online privacy statement for data collection and use 
information. 



OK 



Cancel 



284 



12. In the security tab you can specify VPN type, normally L2TP/IPSec or 
PPTP. For L2TP/IPSec also have a look at the Advanced settings. 



Greenhost VPN Properties 



I ' <' - 



General Options Security Networking | Sharing 



Type of VPN: 



Layer 2 Tunneling Protocol with IPsec (LZTP/IPSec) 



D at a e ncrypt io n ; 



Advanced settings 



Require encryption (disconnect if server declines) 



Authentication 

■ ' ■ Use Extensible Authentication Protocol (EAP) 



Properties 



Allow these protocols 



□ Unencrypted password (PAP) 

\j\ Challenge Handshake Authentication Protocol [CHAP) 

;/! Microsoft CHAP Version 2 (MS-CHAP v2) 

|~~| Automatically use my Windows logon name and 
password [and domain, if any) 



OK 



Cancel 



285 



13. In the Advanced Settings window, you can specify if you are using a 
preshared key or a certificate. This depends on your VPN-provider. If 
you have received a pre-shared-key, Select this option and fill in this key. 
Hit ok afterwards. You will return to the previous window, click ok there 
also 

Advanced Properties 



£ Use preshared key for authentication 



Key: secretkey 



Use certificate for authentication 

\7\ Verify the Name and Usage attributes of the server's certificate 



Cancel 



286 



14. Back in to connection window try to connect now. Please be sure your 
username and password are filled out. 




User name: bill2 
Password: •••••! 



Domain: 



I | Save this user name and password for the following users: 

Me only 
(jS) Anyone who uses this computer 



I 



Connect 



l. 



Cancel I Properties 



Help 



15. A connection popup will appear 



Connecting to Greenhosl VPN,., 



K* t Connecting to tunnel .greenhost .nl using W AN 
Miniport (LZTP) - ... 



Cancel 



16. Online! Don't forget to check if your VPN is working properly. 



287 



MOBILE SECURITY & VOIP 



288 



Introduction to Mobile Phone Security 

Most people have mobile phones today. In the past these devices were 
primarily used to call and send text messages. In addition, all mobiles have at 
least an ability to keep an address book. There is a new generation of mobile 
devices that come with Internet access, built-in video cameras and the ability 
to install additional software. These smart phones can be very convenient and 
provide you with very powerful and useful tools. These phones contain a lot 
of private data and, unfortunately, a phone can be lost easily. The following 
chapter deals with some methods to use them more secure. 



Security issues with mobile phones 

Physical security - A phone can be confiscated or stolen. If you are a 
journalist, your address book might be of special interest: it can be used just 
to gain knowledge of your network or for further social engineering. As a 
minimum safety measure you should always enable some kind of password 
protection on your phone (not just on your SIM card). 



Voice - Although the voice on a GSM (mobile phone) channel is encrypted, 
this encryption was hacked some time ago and is not considered safe any 
more. Furthermore, if you do not trust the network(s) you are using it has 
never been safe. Normal VoIP communications are very insecure as they are 
not encrypted. Some other VoIP services use some kind of encryption. 

SMS - Text messages are sent in plain text over the network, so they are also 
not considered secure, additionally they are not securely stored at your 
device, so anyone with access to it will be able to read them. If you are using 
an Android based phone read the chapter on 'Secure Text Messaging' 

Smartphones - Smartphones are quite new, and unfortunately most advanced 
(and even some basic) ways of securing that are available on normal 
computers are not available on smartphones. They pose additional risk since 
you are also using them for things like agendas, and personal note taking. Also 
not all applications in an appstore or market are safe to use, because there 
are a considerable number of malware apps on the market which are passing 
your personal data to other companies. You should always check if the app's 
you want to use can be trusted. Internet on your mobile device is subject to 
the same problems as all wireless communications. Read the chapter on VPN 
for mobile devices to improve this. 

Prepaid sim cards - In some countries you are still able to use prepaid locally 
bought SIMcards without identifying yourself. Beware that your phone also 
has a unique identifier (known as the IMEI number) so switching SIM cards 
will will not guarantee to protect your privacy. 



The following chapters will deal with different methods that are available 
today to secure your mobile communications. 



289 



290 



Secure Text messaging 

Sending SMS (text) messages is considered insecure, not only do they travel 
unencrypted through the phone network, they are also saved on your phone 
where someone might see them. 

If you are using an Android based smart phone there is a neat free tool to fix 
both issues; TextSecure. TextSecure uses a password to save all your messages 
(sent and received) encrypted to your phone, and it also enables you to 
securely SMS with other people using TextSecure. Rememberthat if you have 
sent an SMS to someone that is not using TextSecure it will still be 
unencrypted on their phone and over the network. 



Geek info on how TextSecure works 

SMS communication using TextSecure is encrypted using the Off The Record 
(OTR) encryption protocol. OTR is specifically designed for chat messaging, it 
provides session based encryption and authentication, but on top of that it 
provides deniability, something protocols like PGP do not provide. 



Installing TextSecure 

TextSecure can be installed using the Market App on your phone, either search 
for TextSecure' in the market, or use the QR code on this page with the 
Barcode Scanner. 




Afteryou have acknowledged the permissions and installed the app, you are 
ready to start it, as soon as you do so you are confronted with the "End User 
License Agreement", press accept to continue. A new pop-up telling you this is 
beta software will appear which you have to acknowledge too. 



291 



^ ."ll S t3 3:25 pm 



G) End User License Agreement 

Tumbleweed Ventures, LLC offers 
the Whisper Systems Software and 
the Whisper Systems Website (as 
defined below) solely for your non- 
commercial use in accordance with 
the following terms and conditions. 
If you do not accept this 
Agreement, you do not have 
permission to use the Whisper 
Systems Software or the Whisper 
Systems Website. Any use by you 
of the Whisper Systems Software 
or the Whisper Systems Website 
shall constitute your binding 
acceptance of this Agreement. 

1. Definitions 



292 



^SllStS 3:26 pm 



^^ End User License Agreement 



Please Note 



Thank you for helping us test this 
BETAvesion of TextSecure. 

This is BETA software, please do 
not use it in situations where 
security is critical. 

Please report any problems to 
support@whispersys.com 




TextSecure uses a password to encrypt the text messages on your phone. Be 
careful to choose a strong password you can easily remember (for more 
information look at the section on using secure passwords), if you lose it you 
will not be able to read any of your old messages. To be sure you entered it 
correctly you have to enter the password twice. 



293 



^Hll'S'O 3:27 pm 



© End 



To get started, please enter a 
passphrase that will be used 
to locally encrypt your data. 
This should be a strong 
passphrase. 



Repeat: 




The next step is to tell if you want the messages already stored on the phone 
to be copied to the TextSecure database, if you choose "Copy" here you will 
be able to secure your old messages by deleting them from the system 
database later. 



294 



Hll^Q 3:30 pm 



^^ End User License Agreement 



Tumbleweed Ventures, LLC offers 



"*\ Copy System Text Message 
' Database? 

Current versions of TextSecure use 
an encrypted database that is 
separate from the default system 
database. Would you like to copy 
your existing text messages into 
TextSecure's encrypted database? 
Your default system database will 
be unaffected. 



After this step you are ready to use TextSecure to send unencrypted 
messages. If other people also use TextSecure this is automatically detected, it 
will then present you with the option to send them your key. Exchange keys is 
needed to get full end-to-end encryption. This process is described in the next 
steps. It is also possible to manually start this process by clicking the menu 
button and choosing the option "secure session". 



295 




296 



F 
F 



Me: Test 



Sent: 3:38pm 

Mart: Hello emile 

Sent: 3:39pm 



Sent key exchange message 



Sent: 3:41pm 



Received and processed key 
exchange message. 



Sent: 3:42pm 




after these steps your communications are secure, but you have not acquired 
a trust relation, put in other words, the channel is secure but you are not 
entirely sure who you're talking to. So keeping that in mind, the next thing to 
do is to verify that you are indeed talking to the right person (a sender's 
phone number can be easily forged, so you need a more secure way to check 
the identity). In the conversation window press the menu button and select 
"Secure Session Options". In the window that appears select "Verify Recipient 
Identity". 



297 



F 
F 



Me: Test 



Sent: 3:38pm 

Mart: Hello emile 

Sent: 3:39pm 



Sent key exchange message 



Sent: 3:41pm 



Received and processed key 

exchange message. 




Add Attachment Secure Session Options 



298 




Verify Secure Session 



Verify Recipient Identity 
Abort Secure Session 




The following window shows your and theirs identity fingerprint. You can for 
instance call them and check if the keys are correct. If you happen to be close 
together to set this up, TextSecure also allows you to use your Barcode 
scanner to check the keys. To start this, select compare and follow the 
instructions. If you are done verifying using any of the other methods, select 
"Verified!" and select OK in the next screen. A Save Identity popup appears, 
usually the name is already filled in correctly and you can just push the "Ok" 
button twice to start your authenticated messaging. 



299 



Q © A $ W ^ Hll ^ ® 3:48 pm 



Verify Identity 






~ 




Their identit 


f . 01 


02 


a8 


78 


8c 


(They read) 


73 


8e 


fd 


15 


4b 




26 


36 


8f 


4e 


a1 




27 


8d 


57 


dc 


ce 




79 


ec 


93 


d 


4c 




83 


If 


44 


7a 


99 




eb 


a6 


02 


4d 




Your identity 


: 01 


03 


25 


2f 


7b 


(You read) 


aO 


d2 


54 


ae 


16 




74 


6f 


c3 


80 


20 




38 


9f 


52 


ce 


15 




86 


ad 


45 


85 


9e 




77 


a4 


2b 


6c 


71 




f7 


35 


28 


56 




1 Verified 


! 1 Abort 1 Compa 


re 1 < 


Zancel 1 



300 



® A $ « ^ Sil <=> H 4:09 pm 




You can see that this messaging has been verified because the lock icons in 
the left corner and next to the messages are not red colored. These messages 
are encrypted and authenticated. 



301 



D Mart 


£fj 


:11 pm 


Me: Test 




(j) Authenticity 

This session is verified to be 
authentic. 










OL- 




1 


^^^^™ 




P 


exchange message. 

Sent: 3:42pm 




1 [Type to compose 


Send 


fi| 







302 



H © A 4 ■ ^ .111 a 4:12 pm 




Mart: Hello emile 



Sent: 3:39pm 



Sent key exchange message 



Sent: 3:41pm 



Received and processed key 
exchange message. 

Sent: 3:42pm 

FMe: Test2 
Sent 4:12pm 



A 




This is the right moment to look at the various configuration options that 
TextSecure comes with. Most of them are self-explanatory. Securitywise it 
might be a good idea to look at the setting for the Passphrase timeout 
interval, and set it to a lower value according to your situation. If the timeout 
interval expires, and you want to few your messages again, TextSecure will ask 
for your password. 



303 



Ea 



TextSecur 

Sign Key Exchange 

Sign key exchange messages with 
identity key 

Timeout passphrase 

Forget passphrase from memory after 
some interval 

Timeout interval 

The amount of time to wait before 
forgetting passphrase from n""™" 1 ™ 

Identity Key Settings 

View My Identity Key 

View my identity key 

Export My Identity Key 

Export my identity key 



Import Contact's Key 



Import an identity key from a contact 

Manage Identity Keys 

Manage configured identity keys 



These are the basics of TextSecure. If you like the application we advice you to 
replace the messages application link on your phone's homescreen. This way 
you won't mix the TextSecure and normal Messages application 



304 



Secure voice communication 

When calling another person with your mobile phone, your communication 
can be monitored on multiple places. Governments all over the world have 
regulations which allows tapping of phone lines, this includes mobile phones. 
If you think your phone is tapped and your need a secure phone 
communication, it is worth looking into voice encryption. 

There a vendors who offer mobile phones with voice encryption, but if you 
phone's hardware or firmware does not allow you to encrypt the normal 
voice calls, you can still use your data connection to send and receive 
encrypted voice data. The standard method for this is called the "SIP"- 
protocol. SIP is built-in in business Symbian-Phones and the N900 and 
available for Android Phones. SIP calls might be encrypted, but generally are 
not; this is a decision mostly of your SIP provider who has to support it. 

Currently there are two convenient solutions for secure calling (one of them 
only on Android Phones). Both use the data connection of your (smart) phone, 
which means that you either need to be connected to a WiFi network or have 
a payable and reliable 3G connection ready. 

Skype 

Skype is a very well-known voice application. Skype uses encryption for the 
whole path of the voice communication. 



Although the encryption seems to be very tight, Skype is not open about the 
technology they use for this. It's unknown if (some) governments have access 
to it or not. It seems to be safe for most countries and at least safer then 
using normal phone communication. 

Because of the popularity of Skype and the fact mobile phone operators are 
loosing call-minutes, unfortunately some operators are blocking the use of 
Skype. 

Depending on the phone you use, Skype might consume a lot of battery 
power. Keep this in mind when using Skype and are low on energy. 



RedPhone 

RedPhone is an application available only on the Android platform. It 
establishes a voice connection by a mediation through the RedPhone vendor's 
servers, so the are able to log every call you make with the RedPhone 
software. 



RedPhone is very convenient to install on Android Phones. It's available from 
the Android Market. After installing it will use your normal phone contacts. It 
also has the ability to upgrade a phone call to an encrypted one while calling. 

305 



The main advantage of RedPhone over Skype is the way how it's integrated in 
your normal phone behaviour and the way it setups communication. It does 
not use a lot of battery power in standby. A big disadvantage is it's sound 
quality, which is not so very good, another big disadvantages that really limits 
its use is that the software is only available for android. 
RedPhone needs a data-connection (WiFi or 3G) to operate. 



Other methods 

There are some other methods using VoIP encryption. Most of these 
application need a proper setup by a VOIP provider and are therefore not 
covered by this manual. Mostly VOIP connections are insecure if not explicitly 
stated otherwise. 



306 



VPN on Android phones 

Setting up VPN with L2TP or PPTP is very simple in Android, although there 
are some ceaveats. Before starting, you need server and login information 
from your VPN provider. Normally you need at least these items: 

• username 

• password 

• vpn servername, eg. tunnel.greenhost.nl 

optional: 

• pre-shared-key (PSK), this is general password. Most providers will use a 
certificate instead 

• type of the VPN service, PPTP or L2TP/lpsec 

In this example we explain L2TP with a Pre-Shared-Key (PSK). This is one of the 
most complicated versions. All other configurations are less complicated. 

1. If you go to "whatismyipaddress.com" with a browser, you will see your 
current external IP address, and the location where this IP is registered. This is 
mostly not exactly on your current location, but often at least in the country 
where you are. In the example the IP is in Germany 



307 



L 



http://whatismyipaddress.com/ Q 



J 



Nehmen Sie den Zug 



jcv-euroQ 



What Is My IP Address? [Hd.- 



IP Information: 83.236.187.46 

ISP qiCAG 

QSC AG 




o :>. :lc 1 1 if ■■:l i" "r*i: - or - . -i--i o ■unnci - knoivi ■siililaie: : d:i 
(IP) sdd - e;s. IP :dd'e;se;-:cii;i;t : : bu i : . i ■ ■ h ~ i e :-i|Mi.nor t-; ■}&■ cds l.i sc ::< lid a 'rcued-qL.v'i .n 
look something like 127.0.0.1. 



:-i: 



I II 1 .1. 



; ](!.■,( 



-.t lc 



Because the numbers may be tedious to deal with, arilPadd'ess may also ha assigned to a Host name 
which is snmetimes easier to remember. Host names may be looked un to Find IP addresses, arid inte- 
gers-:. At cna ti-ne IIP; i;n.ec cue IP adcres; tc wn u;e'. These a-e crl ec iMtic l : addresres. Hecaj 
there is a limited number of [P addresses and iwith increased usage of the internet ISPs riow issue IP 
addresses h a dvi.-.ri-: -asliicii ch.il jr-a re :l ■:■( I? -dd'e;se: iJsiric ZHZ 1 ']. These are ^terred to as 
cynaTiic IP addresses, "hi; alio I mi'; -.ha ability J-" -.he Liar :o no;l ■.'•-:■ b;i-ei, mail ifvers. (ts severs. 
sting, a single machine car act like 






r ]P 



Topic 




Date 








Pi h: : : " 'ConFusinn.. 




rhu Apr 18 2311 FJ: ? 








it is b ack isted 


Wed Apr 27 2011 17 


he Id me d ease ... 




Wed Apr27 2D11 15 






Wed Apr 27 2011 13 


help o lease 




Wed Apr27 2FJ11 13 






Wed Apr 27 2011 13 






.:,,-! *r.n irvn n 



2. To setup your VPN, open the android menu and choose 'Settings' 



308 



News News and PDF Viewer Peep 
Weather 



c ' 



Phone Places Quickoffice Reisplanner 



* 1» 



Search Seesmic Settings Setup 

People 



Shazam SIM Toolkit Simple Last. Spanish 
fm Scrobb... Class Dem. 



n # 



Stocks Talk Teeter Terminal 



3. In the settings menu choose 'Wireless & networks' 



309 



Setting.. 



\fi. Personalize 



"5" Wireless & networks 



C <=all 
Hf)) Sound 
Display 



\/j Accounts & sync 
(#) Location 



4. Scroll down a bit, here you will found a VPN settings option, choose this 
option 



310 



^ ,,ll "^ 20:34 



Wireless & networ 



furn on Bluetooth 



Bluetooth settings 

Manage connections, set device name & 
discoverability 

Portable Wi-Fi hotspot 

Turn on hotspot 

Portable Wi-Fi hotspot settings 

Manage security, users and LAN 

VPN settings 

Set up & manage Virtual Private Networks (VPNs) 

Mobile network 

Disconnected because data roaming is 
disabled 

Mobile networks 

Set options for roaming, networks, APNs 



5. On the top you will be able to choose to add an VPN 



311 



I VPN settings. 



Add VPN 




6. Next you need to choose the correct type of VPN. This is a vital step as VPN 
types are not interchangeable. Most common types are PPTP of L2TP/lpSsec. 
The L2TP/lpSec can be combined with a PSK or CRT option. The first is "Pre- 
Shared-Key", the option common in smaller company VPN networks. The 
other options is used with some large networks. In this example we will use 
the "L2TP/IPSec PSK VPN", choose this option 



312 



^ ,,ll e 20:34 



AddPPTPVPN 

Point-to-Point Tunneling Protocol 

AddL2TPVPN 

Layer 2 Tunneling Protocol 

AddL2TP/IPSecPSKVPN 

Pre-shared key based L2TP/IPSec VPN 

Add L2TP/IPSec CRT VPN 

Certificate based L2TP/IPSec VPN 



7. Next is setting up the parameters foryour network. Choose 'VPN name' to 
setup a name for this connection 



313 



.Ill H 20:35 



Add L2TP/IPSecPSKVPI 



VPN name 

VPN name not set 

Set VPN server 

VPN server not set 

SetlPSec pre-shared key A 

IPSec pre-shared key not set 

Enable L2TP secret 

L2TP secret is disabled 

Set L2TP secret 

L2TP secret not set 

DNS search domains 

DNS search domains not set 



8. Type a name for your connection. This can be whatever you like to identify 
this connection with. Confirm with OK. 



314 



A $ B ^ 5ll CT 20:35 


Add L2TP/IPSecPSKVPN 
\/DM ^±. 


■ 

(▼) VPN name 


Se 


1 


/pn to my provider 


1 






Sep- | 


OK Cancel 


bnaoie lz ik secret am 

L2TP secret is disabled ^^ 


MM 1 1 1 1 1 1 1 1 


1 ,z - 


-; 


r j" 


'?- 


h 


J 


r- 


r 


♦ 1 

e 

4 


A 


^ C 


\f 


h 


n 


m 


n 


1 ^ 


F— T 


B 

Done 



9. Next choose "VPN Server", and fill in the server name. This name is 
provided when your received your connection and login information. We use 
the tunnel server of Greenhost in this example "tunnel.greenhost.nl". Once 
again confirm with "OK" 



315 




@ Set VPN server 




Cancel 



secret 



I I I I III I I 



1 - 


- r] 


\ ';- z 


h 


J 




1 7 


c v 


h 


n 


m 1 


e 

J% SYM 


'- r^ 





10. Next is the pre-shared-key. If you use a certificated based connection, this 
option does not exists. You should have received your pre-shared key from 
your VPN provider 



316 




11. The rest of the options are normally not used. Hit the menu & save button 
of your phone to confirm the settings. 



317 



A'l' Q '<? .111 ^ 20:38 

Add L2TP/IPSecPSKVPI. 

VPN name 

Vpn to my provider 



Set VPN server 

Tunnel.greenhost.nl 

SetlPSec pre-shared key A 

IPSec pre-shared key is set 

Enable L2TP secret 

L2TP secret is disabled 

Set L2TP secret 

L2TP secret not set 

DNS search domains 

DNS search domains not set 



Save 



Cancel 



12. After saving you will return to the VPN overview. Now just click on the 
newly created connection. 



318 




13. The system will ask for your credentials, type them as you received them 
from your provider. 



319 



.ill W 20:38 



>N settings 



Add VPN 



Connect to Vpn to my 
provider 




14. We use Bill and a password in our example. Press 'Connect' to connect. 



320 




15. If everything goes smoothly, you will get a "connected" status after a few 
seconds. Notice also the new "key" icon in the top bar. Here you will see if 
your VPN connection is active. 



321 



I VPN settings 



Add VPN 




16. Now, lets return to whatismyipaddress.com: Yeah, we moved, we are 
located in the Netherlands now. Wow! That's fast travelling ;) 



322 



L 



http://whatismyipaddress.com/ 




Nieuw: | 

Wras sim'yo 






What Is My IP Address? [n™ detect* ma 

'■ - J- - 




IP Information: 1 95.1 90.2S.22 
SftEamagavof 

Organization: Eamagavol 
Cgrnec-.ici-.&icjI-M-j 

t.cii-: DetEcted 
Cry 

Country: Netherlands = 

"l95.19fJ.2E.2J | ^dj-dinnnal IP Detail; | 



«!■ 



What is an IP address? 

(IPJ address. [P addresses consist ol four numbers separated by periods 
look something like 127.0.0.1. 

Since these numbers are usually assigned tn internet service providers n 
address cjn elte-i t? usee Ic d'litipj :-ie rc-£iv. or reunrry "Tern which 3 
Internet. An IP .if di-:s: :.ti soir-idn'e; ic uad '.o i-l-c.v ih: i i 



versa. At one time ISPs issuer cm- IP a-in-so It each user. These are called slat 
rne'e i: a lim lad iili 'ib:i o- IP .- r d r-: I-*-: : rid », in h c-=-;ad lsjje 3f the n ten- 
addresses in a dynamic fashion out of a pool of ]p addresses (Using DHCPJ.Thes 
fyi ■ : IP .1 :":■:■ ' - i .' •■' In ■.' :!i-i .loilil-- 1 y-.he Lser ts hast websites, m- 

i"jlt pie i-ach HE; (with m.illbls d 1 1 : - i "1 rallies :nd ]P addresses!. 

Recent Forum Discussion; 



Topic 




Date 






Thu Apr It, 2011 3:0 


Pubic IP Confusion.. 




Thu Apr 2E 2011 [1:2 






Mv aersc-nul piru .. ■ 1 ■ 






heir, mE u easa ... 




Wed Apr27 2D11 15 


Trv nz to fird mv IP aaain_. 






help lease 




Wed Acr 27 2OT1 13 



Warning: Losing connectivity 

When you lose connectivity your VPN will get disconnected automatically. If 
you have internet connectivity again, your VPN connection will not be 
enabled automatically. This means you internet connection is unsafe and you 
will have to reactivate the VPN manually. 



It's currently not possible to force the VPN and disallow normal traffic if now 
VPN is active. 



323 



Email security on Android 

With the growing usage of mobile phones for e-mail, it's interesting to be able 
to use PG P also on your mobile. This way your can still read the messages 
send to you in PGP on your phone and not only on your computer. 



PGP on Android: APG 

PGP on mobile phones is very new - currently there are not many tools 
available for Android phones to use PGP. Its a pity there are not more options 
and easier softwares to configure and install, however if you do set it up then 
the same rules apply for using PGP on Android as normal PGP usage as 
described in the PGP/Secure emailing chapter. 



For Android you need at least the APG application. This is a small tool which 
makes PGP encryption possible on the phone. You can use APG to manage 
your private and public. The options in the application are quite 
straightforward if you are a little convenient with PGP in general. 

Management of keys is not very well implement yet. The best way is to 
manually copy all your public keys to the SD card in the APG folder. Then it's 
easy to import your keys. After you've imported your public and private keys, 
PGP encrypting, signing and decrypting will be available for other applications 
as long as these applications have integrated encryption/PGP. 

PGP enabled e-mail on Android: K-9 Mail 

The default mail application does not support PGP. Luckily there is an 
excellent alternative: K-9 Mail. This application is based on the original 
Android mail application but with some improvements. The application can 
use APG as it's PGP provider. Setting up K-9 Mail is straightforward and similar 
to setting up mail in the Android Default mail application. In the settings 
menu there is an option to enable "Cryptography" for PGP mail signing. 



If you want to access your PGP mails on your phone this application is a must 
have. 

Please note, due some small bugs in K-9 Mail and/or APG, it's very advisable to 
disable HTML mail and only Plain text. As HTML mails are not encrypted nicely 
and are often not readable. 



324 



BACKGROUND INFORMATION 



325 



FAQ 



Suggestion: let's go through these questions when we are 
finished, to see which ones we address in the manual so 
we can refer to chapters, and which we can answer by 
referring to others. 




General 

1 How to assess the risks of online communication, and how to counter 
them? 



This is a good question. This is always a factor between social and technological 
factors. Read the introduction/explanation about the manual, make an 
estimation of the risks and choose between basic or more complex safety 
measures. If you are experiencing suspicious behaviour in your computer at 
suspicious times, (pop-ups, loads of traffic when you are not even browsing, fans 
that are always on because you're processor is working very hard all the time etc.) 
please have a good look into your stuff and take appropriate action. 

2 How to keep updated about safety risks online? 

The Electronic Frontier Foundation (EFF, http://www.eff.org) and European 
Digital Rights (http://www.edri.org/) keep you updated about online defence 
strategies and of course we hopeyou and others will update this book frequently 
online! 

3 What can others find out about me online? 
Depends on what traces you leave. 

(a) in public for normal users: This is very simple, just type in your 
names and aliases in google. 

(b) semi-public for the technologically educated: Not all pages are 
indexed in Coogle. Have a good look into your social networks. Also 
remember entering your private data into some websites is sometimes 
stored in places whereyou cannot find this. 

(c) non-public for sophisticated intelligence services: This is 
difficult to know. Remember phone lines and internet connections can 
be tapped by government institutions, especially when you are not 
using security measures, which can be found in this book in the 
chapter about securing your connection or using TOR. 



326 



4 Which data can companies give to governments or other parties? 

Basically all data you give them, although in some countries there some legals 
limitations to what they are allowed to give. Most companies only care about 
their profit and not about your privacy. Or, like Mark Zuckerberg from Facebook 
said: "Privacy is so 1984". 

The Electronic Frontier Foundation (EFF) has a section on the legal rules 
(https://ssd.eff.0rg/3rdparties) that govern when and how law enforcement 
agents can obtain this kind of information stored by and with third parties, but 
this is focussed on the US. Check with your local Digital Rights Croup (like Bits of 
Freedom in the Netherlands) for details about the country you are residing. 

Social Media 



5 How long does my Facebook profile stay online? Does Facebook keep my 
data forever? 



Facebook makes money with your private data. Although you are never sure, the 
chances are very big Facebook will keep your data forever. To be sure, ask Mark 
Zuckerberg, but don't expect a truthful answer. 

There are several websites on 'how to delete my Facebook account', but Facebook 
also regularly changes its settings. Possible sources: 

http://www.facebook.com/group. php?gid=l6929680703 or Maximizing privacy on 
Facebook: http://www.eff.org/deeplinks/20io/05/more-privacy-facebook-new- 
privacy-controls 

You can prevent interaction with Facebook from other Web sites by installing Ad- 
ons to Firefox. Check theAd-on database of Firefox to look for this. 

6 What are the do's and don'ts with Social Media? 

do's: keep away from them. 

don't: create an account. 



327 



Telecommunication 



V* 



7 Can we use local SIM cards and if so, how? 



Yes, you can use them, but please remember, in most countries your are required 
to give a copy of your ID. There is always a connection between your SIM card and 
the Telephone network. If you think you are under direct threat, please keep a 
close attention about what you do with your identity regarding phone networks. 
Even when your are not calling, but your phone is online, the network can track 
the location of your phone (and you). Also have a look on de IMEI chapter. 

8 How to safely use smart phones, in my own country and during travels? 

If you are not brave enough to throw your iPhone or Blackberry away, make sure 
you have read the chapter on how to secure them through at least a VPN. A 
better option is to buy an Android, that allow better encryptions. 

Email -^ 




9 How to safely use webmail? (Hotmail, gmail etc.) 

Safe webmail = safe provider + safe technology + safe connection + nobody looking 
over your shoulder. 

It also depends on who you are, who is threatening you, the country of your 
webmail provider, where is the data resides and how your provider relates to 
others (commercially or politically). If you use Gmail, you don't always know 
where the server is, but the (business) customers can choose to take a server in 
the US 

Generally, you might consider to use Thunderbird, which is much safer than 
webmail. 

10 What is mail encryption and how to do it? PG P? 



328 



Depends what you want to encrypt. There is a difference between securely 
connecting to your mail and actually encrypting the mail data. PGP stand for 
Pretty good Privacy and does indeed a pretty good job at keeping your data secure 
on your computer and while being send through the net. 

11 How to send or receive e-mails without giving away my location? 

This can be done by using Tor or a VPN. Tor is the most secure way, but is slower 
then a VPN solution. Be aware however that both solutions come with some small 
security issues. Please read the chapters about these issues. 

12 How are passwords for webmail, external websites and CMS systems 
hacked? 

This really depends. There are many risks if you do not connect safely to your e- 
mail and internet in general. Many people 'loose' their password by giving it away 
voluntarily because they are subject to social engineering; i.e.. they are made 
believe they are communicating with a trustworthy source (a friend in a chat) 
while actually it is a crook. It is difficult to protect yourself against this, but a 
good rule of thumb is: NEVER GIVE YOUR PASSWORDS TO ANYBODY. 

More information about other threats and risks can be found in the chapters 
VPN, Setting up email and HTTPS- Everywhere. Also it is important to use safe 
passwords. Please have a close look to password security. 

13 What to do with e-mails that seem to be coming from you 'know' but look 
strange. 

The sender's address can be easily forged. Reply to the mail asking confirmation, or 
if you suspect that the mailbox of the sender was actually hacked; call the owner 
of the mailbox and warn her. And check our chapter on safe e-mail about how to 
sign e-mails. 

Personal safety and privacy: 




▲'A 



15 We are activists that work in an undemocratic country. Do we need to take 
our pictures offline? 

What do you think yourself? Everything on social networking sites, for instance 
Facebook, is online and will remain available to Facebook and possibly also to 
others. So if you fear that your friendship with Iranian bloggers will endanger 
their future, unfriend them and takeyour Facebook account offline. Hopefully the 
data get's deleted at some point soon by the corporation running the social media 
network you were using... 

329 



There is currently no safe way of using Social Media. Period. 

16 My private and business communication seem to become fused. 

Start seeing your online profile as something you need to "manage". Just as you 
take care of how you look when going outside on the streets, make sureyour 
online self appears the way you want it for the appropriated public. 

17 How to delete online information about myself? 

Dependson what kind of information. Is your concern your profile on social 
networking sites? See our answers under 'Social Media'. Don 'tyou like the way 
you appear in the Coogle search results? That is really beyond the scope of our 
possibilities. Ask Coogle. 



Internet while travelling 




19 Can I use wireless internet in bars? 

You can only if you do it with care. Read our chapter on using VPN and secure 
email. 

20 What are the dangers of internet cafe's? 

We have a special chapter on internet cafes. 

It is possible to install Firefox on a CD-ROM or USB-drive. This will also enableyou 
to bring you're own bookmarks, setting, add-ons etc. etc. and it will limit the 
amount of data and traces you'll leave on the computer your using. So it could 
prove to be exceptionally useful when you have to use untrusted computers or 
internet cafes. 

It is also recommended to read the chapter on safe browsing. 

21 How to secure my laptop when travelling? 

It depends: install the right passwords, encrypt your mail on securing your 
computer. 

22 How safe is Skype? 



330 



Skype is safer than using a mobile phone, but we don't know exactly the specifics 
because Skype uses a closed protocol. From time to time intelligent services 
complain about their inability to listen in on Skype. Them being so open about this 
could also been seen as an way to lure people into using Skype because they 
secretly do have access to it. Bottem line; we think it is safe, but we have no way 
of knowing for sure. 

23 What are alternatives for e-mail when travelling? 

Depends on the form of data you want to send and which other possibilities are 
open to you. End to end encryption is always the safest option be it VPN, a tunnel 
or encrypted SMS. Make sure that if you know on forehand you won;t be able to 
use email that other trustworthy options are open so that you are not tempted to 
use an insecure connection. 

24 What is a proxy and what to do with it? 
Read the chapter on proxies. 

25 Should we avoid public proxies? 

There are very good open and public proxies. But you should always know who 
owns and operates it and decide for yourself if you trust these people. 

Sharing information versus security 

26 I work in a dangerous country but I need to get my message through. What 
to do? 



As all are questions hopefully make clear: it is always a trade off. Read this book, 
know the dangers and the possibilities, talk about it with professionals and then 
make a risk assessment. 



331 



How the Net Works 



This chapter is included should you wish to understand a 
little more about how the internet works. 




Imagine a group of individuals who decide to share information on their 
computers by connecting them, and by sending information between these 
computers. Their efforts result in a set of devices able to communicate with 
each other via a computer network. Of course, the network can be even more 
valuable and useful if it is connected to other networks and hence to other 
computers and network users. This simple desire to connect and share 
information electronically is manifested today in the global Internet. As the 
Internet has grown rapidly, the complexity of its interconnections has also 
increased, and the Internet is literally built up from the interconnection of a 
tremendous number of networks. 

The fundamental task of the Internet can be described as facilitating the 
journey of digital information from its origin to its destination, using a 
suitable path and an appropriate mode of transportation. 

Local computer networks, called Local Area Networks, or LANs, physically 
connect a number of computers and other devices at the same physical 
location to one another. They can also connect to other networks via devices 
called routers that manage the information flow between networks. 
Computers in a LAN can communicate with each other directly for purposes 
like sharing files and printers, or playing multi-player networked video games. 
A LAN could be useful even if it were not connected to the outside world, but 
it clearly becomes more useful when it is. 



332 



The Internet today is a decentralized world-wide network of such local 
computer networks, as well as larger networks such as university and 
corporate networks, and the networks of hosting providers. 

The organizations that arrange these interconnections between networks are 
called Internet Service Providers or ISPs. An ISP's responsibility is to deliver 
data to the appropriate place, usually by forwarding the data to another 
router (called "the next hop") closer to the data's final destination. Often, the 
next hop actually belongs to a different ISP. 

In order to do this, the ISP may purchase its own Internet access from a 
larger ISP, such as a national provider. (Some countries have only a single 
national-level provider, perhaps government-operated or government- 
affiliated, while others have several, which might be competing private 
telecommunications firms.) National providers may similarly receive their 
connections from one of the multinational companies that maintain and 
operate the servers and connections that are often mentioned as 
the backbone of the Internet. 

The backbone is made up of major network equipment installations and 
global connections between them via fiber-optic cables and satellites. These 
connections enable communications between Internet users in different 
countries and continents. National and international providers connect to 
this backbone through routers sometimes known as gateways, which are 
connections that allow disparate networks to communicate with each other. 
These gateways, just like other routers, may be a point at which Internet 
traffic is monitored or controlled. 



Building the Internet 

The originators of the Internet generally believed that there is only one 
Internet, that it is global, and that it should allow any two computers 
anywhere in the world to communicate directly with one another, assuming 
the owners of both computers want this to happen. 



In a 1996 memo, Brian Carpenter, then chairman of the Internet Architecture 
Board, wrote: 



in very general terms, the [Internet engineering] community 
believes that the goal is connectivity . . . [the] growth of the 
network seems to show that connectivity is its own reward, and 
is more valuable than any individual application. 



44 



333 



The originators of the Internet created and continue to create standards 
aimed to make it easier for others to also create their own networks, and to 
join them to each other. Understanding Internet standards helps make clear 
how the Internet works and how network sites and services become 
accessible or inaccessible. 

The most basic standard that unites all of the devices on the global Internet is 
called the Internet Protocol (IP). 



Standards for identifying devices on the network 

When your computer connects to the Internet, it is normally assigned a 
numeric IP address. Like a postal address, the IP address uniquely identifies a 
single computer on the Internet. Unlike the postal address, however, an IP 
address (particularly for a personal computing device) is not necessarily 
permanently associated with a specific computer. So, when your computer 
disconnects from the Internet and reconnects at a later time, it may receive a 
different (unique) IP address. The IP protocol version currently in 
predominant use is IPv4. In the IPv4 protocol, an IP address is written as four 
numbers in the range 0-255, separated by dots (e.g. 207.123.209.9). 



Domain names and IP addresses 

All Internet servers, such as those which host Web sites, also have IP 
addresses. For example, the IP address ofwww.freepressunlimited.org 
is 195.190.28.213. Since remembering IP addresses is cumbersome and IP 
addresses might change over time, specific systems are in place to make it 
easier foryou to reach your destination on the Internet. This system is the 
Domain Name System (DNS), where a set of computers are dedicated to 
serving your computer with the IP addresses associated with the human- 
memorable "names". 



For example, to access the Free Press Unlimited website you would type in 
the www.freepressunlimited.org address, also known as a domain name, 
instead of 195.190.28.213. Your computer then sends a message with this name 
to a DNS server. After the DNS server translates the domain name into an IP 
address, it shares that information with your computer. This system makes 
Web browsing and other Internet applications more human-friendly for 
humans, and computer-friendly for computers. 



334 




o 



Mathematically speaking, IPv4 allows for a pool of about 

4.2 billion different computers to be connected to the 

Internet. There is also technology that lets multiple 

computers share a single IP address. Despite this, the pool 

of available addresses was more or less exhausted at the 

beginning of 2011. As a result, the IPv6 protocol has been 

devised, with a much larger repository of possible unique 

addresses. IPv6 addresses are much longer, and even 

harder to remember, than traditional IPv4 addresses. An example of an IPv6 

address is: 

2001:Odb8:85a3:0000:0000:8a2e:0370:7334 

Although as of 2011 less than 1% of the Internet uses the IPv6 protocol, this 
will probably change dramatically in the near future. 



Protocols for sending information through the network 

The information you exchange as you use the Internet could take many forms: 

• an e-mail to your embassy 

• a picture or video of an event 

• a database of contact information 

• a file containing a set of instructions 

• a document containing a report on a sensitive topic 

• a computer program that teaches a skill. 

There is a wide variety of Internet software to accommodate proper handling 
of the various forms of information according to specific protocols, such as: 

• e-mail via Simple Mail Transport Protocol (SMTP) 

• instant messaging via Extensible Messaging and Presence Protocol 
(XMPP) 

• file sharing via File Transfer Protocol (FTP), 

335 



peer-to-peer file sharing via BitTorrent protocol 

Usenet news via Network News Transfer Protocol (NNTP) 

a combination of protocols: voice communication using Voice Over 
Internet Protocol (VoIP), Session Initiation Protocol (SIP) and Real-time 
Transport Protocol (RTP) 



The Web 

Although many people use the terms "the Internet" and "the Web" 
interchangeably, actually the Web refers to just one way of communicating 
using the Internet. When you access the Web, you do so using software called 
a Web browser, such as Mozilla Firefox, Google Chrome, Opera, or Microsoft 
Internet Explorer. The protocol that the Web operates on is called the Hyper- 
Text Transfer Protocol or HTTP. You might also have heard of HTTPS, which is 
the secure version of HTTP that uses Transport Layer Security (TLS) encryption 
to protect your communications. 



Following your information on the Internet - the journey 

Let's follow the example of visiting a Web site from your home computer. 

Browse to the Web site 

1. You type in http://freepressunlimited.org/. The computer sends the 
domain name "freepressunlimited.org" to a selected DNS server, which 
returns a message containing the IP address for the Free Press 
Unlimited server (currently, 195.190.28.213). 

2. The browser then sends a request for a connection to that IP address. 

3. The request goes through a series of routers, each one forwarding a 
copy of the request to a router closer to the destination, until it reaches 
a router that finds the specific computer needed. 

4. This computer sends information back to you, allowing your browser to 
send the full URL and receive the data to display the page. 



The message from the Web site to you travels through other devices 
(computers or routers). Each such device along a path can be referred to as a 
"hop"; the number of hops is the number of computers or routers your 
message comes in contact with along its way and is often between 5 and 30. 



336 








Why This Matters 

Normally all of these complex processes are hidden and you don't need to 
understand them in order to find the information you need. However, when 
people or organizations attempting to limit your access to information 
interfere with the operation of the system, your ability to use the Internet 
may be restricted. In that case, understanding just what they have done to 
interfere with your access can become extremely relevant. 



Consider firewalls, which are devices that intentionally prevent certain kinds 
of communication between one computer and another. Firewalls help a 
network owner enforce policies about what kinds of communication and use 
of a network are allowed. Initially, the use of firewalls was conceived as a 
computer security measure, because they can help repel electronic attacks 
against inadvertently misconfigured and vulnerable computers. But firewalls 
have come to be used for a much wider range of purposes and for enforcing 
policies far beyond the purview of computer security, including content 
controls. 

Another example is DNS servers, which were described as helping provide IP 
addresses corresponding to requested domain names. However, in some 
cases, these servers can be used as censoring mechanisms by preventing the 
proper IP address from being returned, and effectively blocking access to the 
requested information from that domain. 



337 



Censorship can occur at different points in the Internet infrastructure, 
covering whole networks, domains or subdomains, individual protocols, or 
specific content identified by filtering software. The best method to avoid 
censorship will depend on the specific censorship technique used. 
Understanding these differences will help you to choose appropriate 
measures for you to use the Internet effectively and safely. 



Ports and Protocols 

In order to share data and resources, computers need to agree on 
conventions about how to format and communicate information. These 
conventions, which we call protocols, are sometimes compared to the 
grammar of human languages. The Internet is based on a series of such 
protocols. 

The layered networking model 

Internet protocols rely on other protocols. For example, when you use a Web 
browser to access a Web site, the browser relies on the HTTP or HTTPS 
protocol to communicate with the Web server. This communication, in turn, 
relies on other protocols. Suppose we are using HTTPS for a particular Web 
site to ensure that we access it securely. 




In the above example, the HTTPS protocol relies on the TLS protocol to 
perform encryption of the communications so that they are private and 
unmodified as they travel across the network. The TLS protocol, in turn, relies 
on the TCP protocol to ensure that information is not accidentally lost or 
corrupted in transmission. Finally, TCP relies on the IP protocol to ensure that 
data is delivered to the intended destination. 



338 



While using the encrypted HTTPS protocol, your computer still uses the 
unencrypted DNS protocol for retrieving an IP address for the domain name. 
The DNS protocol uses the UDPprotocol to mark the request for proper 
routing to a DNS server, and UDP relies on IP for actual transmission of data 
to the intended destination. 

Because of this hierarchical protocol relationship, we often refer to network 
protocols as existing in a set of layers. A protocol at each layer is responsible 
for a particular aspect of the communications functionality. 



What is the difference between HTTP and HTTPS? Meet Sacha and John: 



Sacha uses HTTP 
to browse the web 
His data isn't 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his computec 
and the web. 



A'A 




John uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

but appears as 

garble to any 

eavesdropper 

between his 

computer and 

the web. 



— M 



Using Ports 

Computers connect to each other via the TCP protocol mentioned above and 
stay connected for a period of time to allow higher-level protocols to carry 
out their tasks. TCP uses a concept of numbered ports to manage these 
connections and distinguish connections from one another. The use of 
numbered ports also allows the computer to decide which particular 
software should handle a specific request or piece of data. (UDP also uses 
port numbers for this purpose.) 



The IANA (Internet Assigned Names Authority) assigns port numbers for 
various higher-level protocols used by application services. A few common 
examples of the standard assigned port numbers are: 

• 20 and 21 - FTP (file transfer) 

• 22 - SSH (secure shell remote access) 

• 23 - Telnet (insecure remote access) 

• 25 -SMTP (send e-mail) 

• 53 - DNS (resolves a computer's name to an IP address) 

• 80 - HTTP (normal Web browsing; also sometimes used for a proxy) 



339 



• 110 - POP3 (receive e-mail) 

• 143 - IMAP (send/receive e-mail) 

• 443 - HTTPS (secure Web connections) 

• 993 - secure IMAP 

• 995 -secure POP3 

• 1080 - SOCKS proxy 

• 1194 - OpenVPN 

• 3128 - Squid proxy 

• 8080 - Standard HTTP-style proxy 

Using these particular numbers is not generally a technical requirement of the 
protocols; in fact, any sort of data could be sent over any port (and using non 
standard ports can be a useful circumvention technique). However, these 
assignments are used by default, for convenience. For example, your Web 
browser knows that if you access a Web site without specifying any port 
number, it should automatically try using port 80. Other kinds of software 
have similar defaults so that you can normally use Internet services without 
knowing or remembering the port numbers associated with the services you 
use. 



340 



Glossary 

Much of this content is based on http://en.cship.Org/wiki/Special:Allpages 



aggregator 

An aggregator is a service that gathers syndicated information from one or 
many sites and makes it available at a different address. Sometimes called an 
RSS aggregator, a feed aggregator, a feed reader, or a news reader. (Not to be 
confused with a Usenet News reader.) 



anonymity 

(Not be confused with privacy, pseudonymity, security, or confidentiality.) 

Anonymity on the Internet is the ability to use services without leaving clues 
to one's identity. The level of protection depends on the anonymity 
techniques used and the extent of monitoring. The strongest techniques in 
use to protect anonymity involve creating a chain of communication using a 
random process to select some of the links, in which each link has access to 
only partial information about the process. The first knows the user's IP 
address but not the content, destination, or purpose of the communication, 
because the message contents and destination information are encrypted. 
The last knows the identity of the site being contacted, but not the source of 
the session. One or more steps in between prevents the first and last links 
from sharing their partial knowledge in order to connect the user and the 
target site. 

anonymous remailer 

An anonymous remailer is a service that accepts e-mail messages containing 
instructions for delivery, and sends them out without revealing their sources. 
Since the remailer has access to the user's address, the content of the 
message, and the destination of the message, remailers should be used as 
part of a chain of multiple remailers so that no one remailer knows all this 
information. 

ASP (application service provider) 

An ASP is an organization that offers software services over the Internet, 
allowing the software to be upgraded and maintained centrally. 



341 



backbone 

A backbone is one of the high-bandwidth communications links that tie 
together networks in different countries and organizations around the world 
to form the Internet. 

badware 
See malware. 

bandwidth 

The bandwidth of a connection is the maximum rate of data transfer on that 
connection, limited by its capacity and the capabilities of the computers at 
both ends of the connection. 



bash (Bourne-again shell) 

The bash shell is a command-line interface for Linux/Unix operating systems, 
based on the Bourne shell. 



BitTorrent 

BitTorrent is a peer-to-peer file-sharing protocol invented by Bram Cohen in 
2001. It allows individuals to cheaply and effectively distribute large files, such 
as CD images, video, or music files. 

blacklist 

A blacklist is a list of forbidden persons or things. In Internet censorship, lists 
of forbidden Web sites may be used as blacklists; censorware may allow 
access to all sites except for those specifically listed on its blacklist. An 
alternative to a blacklist is a whitelist, or a list of permitted things. A whitelist 
system blocks access to all sites except for those specifically listed on the 
whitelist. This is a less common approach to Internet censorship. It is possible 
to combine both approaches, using string matching or other conditional 
techniques on URLs that do not match either list. 

bluebar 

The blue URL bar (called the Bluebar in Psiphon lingo) is the form at the top of 
your Psiphon node browser window, which allows you to access blocked site 
by typing its URL inside. 

See also Psiphon node 



342 



block 

To block is to prevent access to an Internet resource, using any number of 
methods. 



bookmark 

A bookmark is a placeholder within software that contains a reference to an 
external resource. In a browser, a bookmark is a reference to a Web page - by 
choosing the bookmark you can quickly load the Web site without needing to 
type in the full URL. 



bridge 

See Tor bridge. 

brute-force attack 

A brute force attack consists of trying every possible code, combination, or 
password until you find the right one. These are some of the most trivial 
hacking attacks. 

cache 

A cache is a part of an information-processing system used to store recently 
used or frequently used data to speed up repeated access to it. A Web cache 
holds copies of Web page files. 



censor 

To censor is to prevent publication or retrieval of information, or take action, 
legal or otherwise, against publishers and readers. 



censorware 

Censorware is software used to filter or block access to the Internet. This 
term is most often used to refer to Internet filtering or blocking software 
installed on the client machine (the PC which is used to access the Internet). 
Most such client-side censorware is used for parental control purposes. 



Sometimes the term censorware is also used to refer to software used for the 
same purpose installed on a network server or router. 



343 



CGI (Common Gateway Interface) 

CGI is a common standard used to let programs on a Web server run as Web 
applications. Many Web-based proxies use CGI and thus are also called "CGI 
proxies". (One popular CGI proxy application written by James Marshall using 
the Perl programming language is called CGIProxy.) 

chat 

Chat, also called instant messaging, is a common method of communication 
among two or more people in which each line typed by a participant in a 
session is echoed to all of the others. There are numerous chat protocols, 
including those created by specific companies (AOL, Yahoo!, Microsoft, 
Google, and others) and publicly defined protocols. Some chat client software 
uses only one of these protocols, while others use a range of popular 
protocols. 



circumvention 

Circumvention is publishing or accessing content in spite of attempts at 
censorship. 

Common Gateway Interface 
See CGI. 

command-line interface 

A method of controlling the execution of software using commands entered 
on a keyboard, such as a Unix shell or the Windows command line. 

cookie 

A cookie is a text string sent by a Web server to the user's browser to store on 
the user's computer, containing information needed to maintain continuity in 
sessions across multiple Web pages, or across multiple sessions. Some Web 
sites cannot be used without accepting and storing a cookie. Some people 
consider this an invasion of privacy or a security risk. 

country code top-level domain (ccTLD) 

Each country has a two-letter country code, and a TLD (top-level domain) 
based on it, such as .ca for Canada; this domain is called a country code top- 
level domain. Each such ccTLD has a DNS server that lists all second-level 
domains within the TLD. The Internet root servers point to all TLDs, and cache 
frequently-used information on lower-level domains. 



344 



DARPA (Defense Advanced Projects Research Agency) 

DARPA is the successor to ARPA, which funded the Internet and its 
predecessor, the ARPAnet. 

decryption 

Decryption is recovering plain text or other messages from encrypted data 
with the use of a key. 

See also encryption, 
domain 

A domain can be a Top-Level Domain (TLD) or secondary domain on the 
Internet. 



See also Top-Level Domain, country code Top-Level Domain and secondary 
domain. 



DNS (Domain Name System) 

The Domain Name System (DNS) converts domain names, made up of easy- 
to-remember combinations of letters, to IP addresses, which are hard-to- 
remember strings of numbers. Every computer on the Internet has a unique 
address (a little bit like an area code+telephone number). 

DNS leak 

A DNS leak occurs when a computer configured to use a proxy for its Internet 
connection nonetheless makes DNS queries without using the proxy, thus 
exposing the user's attempts to connect with blocked sites. Some Web 
browsers have configuration options to force the use of the proxy. 

DNS server 

A DNS server, or name server, is a server that provides the look-up function of 
the Domain Name System. It does this either by accessing an existing cached 
record of the IP address of a specific domain, or by sending a request for 
information to another name server. 



DNS tunnel 

A DNS tunnel is a way to tunnel almost everything over DNS/Nameservers. 



345 



Because you "abuse" the DNS system for an unintended purpose, it only 
allows a very slow connection of about 3 kb/s which is even less than the 
speed of an analog modem. That is not enough forYouTube or file sharing, 
but should be sufficient for instant messengers like ICQ or MSN Messenger 
and also for plain text e-mail. 

On the connection you want to use a DNS tunnel, you only need port 53 to be 
open; therefore it even works on many commercial Wi-Fi providers without 
the need to pay. 

The main problem is that there are no public modified nameservers that you 
can use. You have to set up your own. You need a server with a permanent 
connection to the Internet running Linux. There you can install the free 
software OzymanDNS and in combination with SSH and a proxy like Squid 
you can use the tunnel. More Information on this on 
http://www.dnstunnel.de. 



eavesdropping 

Eavesdropping is listening to voice traffic or reading or filtering data traffic on 
a telephone line or digital data connection, usually to detect or prevent illegal 
or unwanted activities or to control or monitor what people are talking 
about. 



e-mail 

E-mail, short for electronic mail, is a method to send and receive messages 
over the Internet. It is possible to use a Web mail service or to send e-mails 
with the SMTP protocol and receive them with the POP3 protocol by using an 
e-mail client such as Outlook Express orThunderbird. It is comparatively rare 
for a government to block e-mail, but e-mail surveillance is common. If e-mail 
is not encrypted, it could be read easily by a network operator or 
government. 

embedded script 

An embedded script is a piece of software code. 



encryption 

Encryption is any method for recoding and scrambling data or transforming it 
mathematically to make it unreadable to a third party who doesn't know the 
secret key to decrypt it. It is possible to encrypt data on your local hard drive 
using software like TrueCrypt (http://www.truecrypt.org) or to encrypt 
Internet traffic with SSL or SSH. 



See also decryption. 

346 



exit node 

An exit node is a Tor node that forwards data outside the Tor network. 
See also middleman node, 
file sharing 

File sharing refers to any computer system where multiple people can use the 
same information, but often refers to making music, films or other materials 
available to others free of charge over the Internet. 

file spreading engine 

A file spreading engine is a Web site a publisher can use to get around 
censorship. A user only has to upload a file to publish once and the file 
spreading engine uploads that file to some set of sharehosting services (like 
Rapidshare or Megaupload). 

filter 

To filter is to search in various ways for specific data patterns to block or 
permit communications. 

Firefox 

Firefox is the most popular free and open source Web browser, developed by 
the Mozilla Foundation. 



forum 

On a Web site, a forum is a place for discussion, where users can post 
messages and comment on previously posted messages. It is distinguished 
from a mailing list or a Usenet newsgroup by the persistence of the pages 
containing the message threads. Newsgroup and mailing list archives, in 
contrast, typically display messages one per page, with navigation pages 
listing only the headers of the messages in a thread. 

frame 

A frame is a portion of a Web page with its own separate URL. For example, 
frames are frequently used to place a static menu next to a scrolling text 
window. 



347 



FTP (File Transfer Protocol) 

The FTP protocol is used for file transfers. Many people use it mostly for 
downloads; it can also be used to upload Web pages and scripts to some Web 
servers. It normally uses ports 20 and 21, which are sometimes blocked. Some 
FTP servers listen to an uncommon port, which can evade port-based 
blocking. 



A popular free and open source FTP client for Windows and Mac OS is 
FileZilla. There are also some Web-based FTP clients that you can use with a 
normal Web browser like Firefox. 



gateway 

A gateway is a node connecting two networks on the Internet. An important 
example is a national gateway that requires all incoming or outgoing traffic to 
go through it. 

honeypot 

A honeypot is a site that pretends to offer a service in order to entice 
potential users to use it, and to capture information about them or their 
activities. 



hop 

A hop is a link in a chain of packet transfers from one computer to another, or 
any computer along the route. The number of hops between computers can 
give a rough measure of the delay (latency) in communications between 
them. Each individual hop is also an entity that has the ability to eavesdrop 
on, block, or tamper with communications. 

HTTP (Hypertext Transfer Protocol) 

HTTP is the fundamental protocol of the World Wide Web, providing methods 
for requesting and serving Web pages, querying and generating answers to 
queries, and accessing a wide range of services. 

HTTPS (Secure HTTP) 

Secure HTTP is a protocol for secure communication using encrypted HTTP 
messages. Messages between client and server are encrypted in both 
directions, using keys generated when the connection is requested and 
exchanged securely. Source and destination IP addresses are in the headers of 
every packet, so HTTPS cannot hide the fact of the communication, just the 
contents of the data transmitted and received. 



348 



IANA (Internet Assigned Numbers Authority) 

IANA is the organization responsible for technical work in managing the 
infrastructure of the Internet, including assigning blocks of IP addresses for 
top-level domains and licensing domain registrars for ccTLDs and for the 
generic TLDs, running the root name servers of the Internet, and other duties. 

ICANN (Internet Corporation for Assigned Names and 
Numbers) 

ICANN is a corporation created by the US Department of Commerce to 
manage the highest levels of the Internet. Its technical work is performed by 
IANA. 



Instant Messaging (IM) 

Instant messaging is either certain proprietary forms of chat using proprietary 
protocols, or chat in general. Common instant messaging clients include MSN 
Messenger, ICQ, AIM or Yahoo! Messenger. 

intermediary 

See man in the middle. 



Internet 

The Internet is a network of networks interconnected using TCP/IP and other 
communication protocols. 



IP (Internet Protocol) Address 

An IP address is a number identifying a particular computer on the Internet. 
In the previous version 4 of the Internet Protocol an IP address consisted of 
four bytes (32 bits), often represented as four integers in the range 0-255 
separated by dots, such as 74.54.30.85. In IPv6, which the Net is currently 
switching to, an IP address is four times longer, and consists of 16 bytes (128 
bits). It can be written as 8 groups of 4 hex digits separated by colons, such as 
2001 : 0db8 : 85a3 : 0000 : 0000 : 8a2e : 0370 : 7334. 



IRC (Internet relay chat) 

IRC is a more than 20-year-old Internet protocol used for real-time text 
conversations (chat or instant messaging). There exist several IRC networks 
the largest have more than 50 000 users. 



349 



ISP (Internet Service Provider) 

An ISP (Internet service provider) is a business or organization that provides 
access to the Internet for its customers. 



JavaScript 

JavaScript is a scripting language, commonly used in Web pages to provide 
interactive functions. 



keyword filter 

A keyword filter scans all Internet traffic going through a server for forbidden 
words or terms to block. 



latency 

Latency is a measure of time delay experienced in a system, here in a 
computer network. It is measured by the time between the start of packet 
transmission to the start of packet reception, between one network end (e.g. 
you) to the other end (e.g. the Web server). One very powerful way of Web 
filtering is maintaining a very high latency, which makes lots of 
circumvention tools very difficult to use. 

log file 

A log file is a file that records a sequence of messages from a software 
process, which can be an application or a component of the operating 
system. For example, Web servers or proxies may keep log files containing 
records about which IP addresses used these services when and what pages 
were accessed. 



low-bandwidth filter 

A low-bandwidth filter is a Web service that removes extraneous elements 
such as advertising and images from a Web page and otherwise compresses 
it, making page download much quicker. 

malware 

Malware is a general term for malicious software, including viruses, that may 
be installed or executed without your knowledge. Malware may take control 
of your computer for purposes such as sending spam. (Malware is also 
sometimes called badware.) 



350 



man in the middle 

A man in the middle or man-in-the-middle is a person or computer capturing 
traffic on a communication channel, especially to selectively change or block 
content in a way that undermines cryptographic security. Generally the man- 
in-the-middle attack involves impersonating a Web site, service, or individual 
in order to record or alter communications. Governments can run man-in- 
the-middle attacks at country gateways where all traffic entering or leaving 
the country must pass. 

middleman node 

A middleman node is a Tor node that is not an exit node. Running a 
middleman node can be safer than running an exit node because a middleman 
node will not show up in third parties' log files. (A middleman node is 
sometimes called a non-exit node.) 



monitor 

To monitor is to check a data stream continuously for unwanted activity. 

network address translation (NAT) 

NAT is a router function for hiding an address space by remapping. All traffic 
going out from the router then uses the router's IP address, and the router 
knows how to route incoming traffic to the requestor. NAT is frequently 
implemented by firewalls. Because incoming connections are normally 
forbidden by NAT, NAT makes it difficult to offer a service to the general 
public, such as a Web site or public proxy. On a network where NAT is in use, 
offering such a service requires some kind of firewall configuration or NAT 
traversal method. 



network operator 

A network operator is a person or organization who runs or controls a 
network and thus is in a position to monitor, block, or alter communications 
passing through that network. 



node 

A node is an active device on a network. A router is an example of a node. In 
the Psiphon and Tor networks, a server is referred to as a node. 



non-exit node 

See middleman node. 



351 



obfuscation 

Obfuscation means obscuring text using easily-understood and easily- 
reversed transformation techniques that will withstand casual inspection but 
not cryptanalysis, or making minor changes in text strings to prevent simple 
matches. Web proxies often use obfuscation to hide certain names and 
addresses from simple text filters that might be fooled by the obfuscation. As 
another example, any domain name can optionally contain a final dot, as in 
"somewhere.com.", but some filters might search only for "somewhere.com" 
(without the final dot). 

open node 

An open node is a specific Psiphon node which can be used without logging 
in. It automatically loads a particular homepage, and presents itself in a 
particular language, but can then be used to browse elsewhere. 

See also Psiphon node, 
packet 

A packet is a data structure defined by a communication protocol to contain 
specific information in specific forms, together with arbitrary data to be 
communicated from one point to another. Messages are broken into pieces 
that will fit in a packet for transmission, and reassembled at the other end of 
the link. 



peer-to-peer 

A peer-to-peer (or P2P) network is a computer network between equal peers. 
Unlike client-server networks there is no central server and so the traffic is 
distributed only among the clients.This technology is mostly applied to file 
sharing programs like BitTorrent, eMule and Gnutella. But also the very old 
Usenet technology or the VoIP program Skype can be categorized as peer-to- 
peer systems. 

See also file sharing. 



PHP 

PHP is a scripting language designed to create dynamic Web sites and web 
applications. It is installed on a Web server. For example, the popular Web 
proxy PHProxy uses this technology. 



352 



plain text 

Plain text is unformatted text consisting of a sequence of character codes, as 
in ASCII plain text or Unicode plain text. 

plaintext 

Plaintext is unencrypted text, or decrypted text. 
See also encryption, SSL, SSH. 



privacy 

Protection of personal privacy means preventing disclosure of personal 
information without the permission of the person concerned. In the context 
of circumvention, it means preventing observers from finding out that a 
person has sought or received information that has been blocked or is illegal 
in the country where that person is at the time. 



POP3 

Post Office Protocol version 3 is used to receive mail from a server, by default 
on port 110 with an e-mail program such as Outlook Express orThunderbird. 



port 

A hardware port on a computer is a physical connector for a specific purpose, 
using a particular hardware protocol. Examples are a VGA display port or a 
USB connector. 



Software ports also connect computers and other devices over networks 
using various protocols, but they exist in software only as numbers. Ports are 
somewhat like numbered doors into different rooms, each for a special 
service on a server or PC. They are identified by numbers from to 65535. 



protocol 

A formal definition of a method of communication, and the form of data to be 
transmitted to accomplish it. Also, the purpose of such a method of 
communication. For example, Internet Protocol (IP) for transmitting data 
packets on the Internet, or Hypertext Transfer Protocol for interactions on 
the World Wide Web. 



353 



proxy server 

A proxy server is a server, a computer system or an application program 
which acts as a gateway between a client and a Web server. A client connects 
to the proxy server to request a Web page from a different server. Then the 
proxy server accesses the resource by connecting to the specified server, and 
returns the information to the requesting site. Proxy servers can serve many 
different purposes, including restricting Web access or helping users route 
around obstacles. 



Psiphon node 

A Psiphon node is a secured web proxy designed to evade Internet 
censorship. It is developed by Psiphon inc. Psiphon nodes can be open or 
private. 

private node 

A private node is a Psiphon node working with authentication, which means 
that you have to register before you can use it. Once registered, you will be 
able to send invitations to your friends and relatives to use this specific node. 

See also Psiphon node. 
publicly routable IP address 

Publicly routable IP addresses (sometimes called public IP addresses) are 
those reachable in the normal way on the Internet, through a chain of 
routers. Some IP addresses are private, such as the 192.168.X.X block, and 
many are unassigned. 

regular expression 

A regular expression (also called a regexp or RE) is a text pattern that specifies 
a set of text strings in a particular regular expression implementation such as 
the UNIX grep utility. A text string "matches" a regular expression if the string 
conforms to the pattern, as defined by the regular expression syntax. In each 
RE syntax, some characters have special meanings, to allow one pattern to 
match multiple other strings. For example, the regular expression lo+se 
matches lose, loose, and looose. 



354 



remailer 

An anonymous remailer is a service which allows users to send e-mails 
anonymously. The remailer receives messages via e-mail and forwards them 
to their intended recipient after removing information that would identify the 
original sender. Some also provide an anonymous return address that can be 
used to reply to the original sender without disclosing her identity. Well- 
known Remailer services include Cypherpunk, Mixmasterand Nym. 



router 

A router is a computer that determines the route for forwarding packets. It 
uses address information in the packet header and cached information on the 
server to match address numbers with hardware connections. 

root name server 

A root name server or root server is any of thirteen server clusters run by 
IANA to direct traffic to all of the TLDs, as the core of the DNS system. 

RSS (Real Simple Syndication) 

RSS is a method and protocol for allowing Internet users to subscribe to 
content from a Web page, and receive updates as soon as they are posted. 

scheme 

On the Web, a scheme is a mapping from a name to a protocol. Thus the 
HTTP scheme maps URLs that begin with HTTP: to the Hypertext Transfer 
Protocol. The protocol determines the interpretation of the rest of the URL, so 
that http://www.example.com/dir/content.html identifies a Web site and a 
specific file in a specific directory, and mailto:user@somewhere.com is an e- 
mail address of a specific person or group at a specific domain. 

shell 

A UNIX shell is the traditional command line user interface forthe UNIX/Linux 
operating systems. The most common shells are sh and bash. 



355 



SOCKS 

A SOCKS proxy is a special kind of proxy server. In the ISO/OSI model it 
operates between the application layer and the transport layer. The standard 
port for SOCKS proxies is 1080, but they can also run on different ports. Many 
programs support a connection through a SOCKS proxy. If not you can install 
a SOCKS client like FreeCap, ProxyCap orSocksCap which can force programs 
to run through the Socks proxy using dynamic port forwarding. It is also 
possible to use SSH tools such as OpenSSH as a SOCKS proxy server. 

screenlogger 

A screenlogger is software able to record everything your computer displays 
on the screen. The main feature of a screenlogger is to capture the screen and 
log it into files to view at any time in the future. Screen loggers can be used as 
powerful monitoring tool. You should be aware of any screen logger running 
on any computer you are using, anytime. 



script 

A script is a program, usually written in an interpreted, non-compiled 
language such as JavaScript, Java, or a command interpreter language such as 
bash. Many Web pages include scripts to manage user interaction with a Web 
page, so that the server does not have to send a new page for each change. 

smartphone 

A smartphone is a mobile phone that offers more advanced computing ability 
and connectivity than a contemporary feature phone, such as Web access, 
ability to run elaborated operating systems and run built-in applications. 



spam 

Spam is messages that overwhelm a communications channel used by 
people, most notably commercial advertising sent to large numbers of 
individuals or discussion groups. Most spam advertises products or services 
that are illegal in one or more ways, almost always including fraud. Content 
filtering of e-mail to block spam, with the permission of the recipient, is 
almost universally approved of. 



356 



SSH (Secure Shell) 

SSH or Secure Shell is a network protocol that allows encrypted 
communication between computers. It was invented as a successor of the 
unencrypted Telnet protocol and is also used to access a shell on a remote 
server. 

The standard SSH port is 22. It can be used to bypass Internet censorship 
with port forwarding or it can be used to tunnel other programs like VNC. 

SSL (Secure Sockets Layer) 

SSL (or Secure Sockets Layer), is one of several cryptographic standards used 
to make Internet transactions secure. It is was used as the basis for the 
creation of the related Transport Layer Security (TLS). You can easily see if you 
are using SSL/TLS by looking at the URL in your Browser (like Firefox or 
Internet Explorer): If it starts with https instead of http, your connection is 
encrypted. 



steganography 

Steganography, from the Greek for hidden writing, refers to a variety of 
methods of sending hidden messages where not only the content of the 
message is hidden but the very fact that something covert is being sent is also 
concealed. Usually this is done by concealing something within something 
else, like a picture or a text about something innocent or completely 
unrelated. Unlike cryptography, where it is clear that a secret message is 
being transmitted, steganography does not attract attention to the fact that 
someone is trying to conceal or encrypt a message. 

subdomain 

A subdomain is part of a larger domain. If for example "wikipedia.org" is the 
domain for the Wikipedia, "en.wikipedia.org" is the subdomain for the English 
version of the Wikipedia. 

threat analysis 

A security threat analysis is properly a detailed, formal study of all known 
ways of attacking the security of servers or protocols, or of methods for using 
them for a particular purpose such as circumvention. Threats can be 
technical, such as code-breaking or exploiting software bugs, or social, such 
as stealing passwords or bribing someone who has special knowledge. Few 
companies or individuals have the knowledge and skill to do a comprehensive 
threat analysis, but everybody involved in circumvention has to make some 
estimate of the issues. 



357 



Top-Level Domain (TLD) 

In Internet names, the TLD is the last component of the domain name. There 
are several generic TLDs, most notably .com, .org, .edu, .net, .gov, .mil, .int, 
and one two-letter country code (ccTLD) for each country in the system, such 
as xa for Canada. The European Union also has the two-letter code .eu. 



TLS (Transport Layer Security) 

TLS or Transport Layer Security is a cryptographic standard based on SSL, used 
to make Internet transactions secure. 



TCP/IP (Transmission Control Protocol over Internet Protocol) 

TCP and IP are the fundamental protocols of the Internet, handling packet 
transmission and routing. There are a few alternative protocols that are used 
at this level of Internet structure, such as UDP. 



Tor bridge 

A bridge is a middleman Tor node that is not listed in the main public Tor 
directory, and so is possibly useful in countries where the public relays are 
blocked. Unlike the case of exit nodes, IP addresses of bridge nodes never 
appear in server log files and never pass through monitoring nodes in a way 
that can be connected with circumvention. 



traffic analysis 

Traffic analysis is statistical analysis of encrypted communications. In some 
circumstances traffic analysis can reveal information about the people 
communicating and the information being communicated. 

tunnel 

A tunnel is an alternate route from one computer to another, usually including 
a protocol that specifies encryption of messages. 

UDP (User Datagram Packet) 

UDP is an alternate protocol used with IP. Most Internet services can be 
accessed using either TCP or UDP, but there are some that are defined to use 
only one of these alternatives. UDP is especially useful for real-time 
multimedia applications like Internet phone calls (VoIP). 



358 



URL (Uniform Resource Locator) 

The URL (Uniform Resource Locator) is the address of a Web site. For 
example, the URL for the World News section of the NY Times is 
http://www.nytimes.com/pages/world/index.html. Many censoring systems 
can block a single URL. Sometimes an easy way to bypass the block is to 
obscure the U RL. It is for example possible to add a dot after the site name, so 
the URL http://en.cship.org/wiki/URL becomes http://en.cship.org./wiki/URL. If 
you are lucky with this little trick you can access blocked Web sites. 

Usenet 

Usenet is a more than 20-year-old discussion forum system accessed using 
the NNTP protocol. The messages are not stored on one server but on many 
servers which distribute their content constantly. Because of that it is 
impossible to censor Usenet as a whole, however access to Usenet can and is 
often blocked, and any particular server is likely to carry only a subset of 
locally-acceptable Usenet newsgroups. Google archives the entire available 
history of Usenet messages for searching. 

VoIP (Voice over Internet Protocol) 

VoIP refers to any of several protocols for real-time two-way voice 
communication on the Internet, which is usually much less expensive than 
calling over telephone company voice networks. It is not subject to the kinds 
of wiretapping practiced on telephone networks, but can be monitored using 
digital technology. Many companies produce software and equipment to 
eavesdrop on VoIP calls; securely encrypted VoIP technologies have only 
recently begun to emerge. 

VPN (virtual private network) 

A VPN (virtual private network) is a private communication network used by 
many companies and organizations to connect securely over a public 
network. Usually on the Internet it is encrypted and so nobody except the 
endpoints of the communication can look at the data traffic. There are 
various standards like IPSec, SSL, TLS or PPTP. The use of a VPN provider is a 
very fast secure and convenient method to bypass Internet censorship with 
little risks but it generally costs money every month. 

whitelist 

A whitelist is a list of sites specifically authorized for a particular form of 
communication. Filtering traffic can be done either by a whitelist (block 
everything but the sites on the list), a blacklist (allow everything but the sites 
on the list), a combination of the two, or by other policies based on specific 
rules and conditions. 



359 



World Wide Web (WWW) 

The World Wide Web is the network of hyperlinked domains and content 
pages accessible using the Hypertext Transfer Protocol and its numerous 
extensions. The World Wide Web is the most famous part of the Internet. 

Webmail 

Webmail is e-mail service through a Web site. The service sends and receives 
mail messages for users in the usual way, but provides a Web interface for 
reading and managing messages, as an alternative to running a mail client 
such as Outlook Express orThunderbird on the user's computer. For example 
a popular and free webmail service is https://mail.google.com/ 

Web proxy 

A Web proxy is a script running on a Web server which acts as a 
proxy/gateway. Users can access such a Web proxy with their normal Web 
browser (like Firefox) and enter any URL in the form located on that Web site. 
Then the Web proxy program on the server receives that Web content and 
displays it to the user. This way the ISP only sees a connection to the server 
with the Web proxy since there is no direct connection. 



WHOIS 

WH0IS (who is) is the aptly named Internet function that allows one to query 
remote WHOIS databases for domain registration information. By performing 
a simple WHOIS search you can discover when and by whom a domain was 
registered, contact information, and more. 



A WHOIS search can also reveal the name or network mapped to a numerical 
IP address 



360 



Made with Booki 

Visit http://software.booki.cc