What You Need to Know About Microsoft’s Spying Ways

I had a conversation the other day with the best and most knowledgeable computer guy I know. After discussing privacy threats, he made this statement:

Everybody buying a Windows computer today is a traitor to humanity.

Now, this is a very technically oriented guy, and he quickly agreed with me that most people don’t have a clue about such things. Still, the primary point stands: Whenever any of us buys a Microsoft product, we are supporting the tools of our own slavery.

Here’s the problem:

Because people keep buying Windows, computer manufacturers are forced to buy and provide “Licensed for Windows” products. And those products include a lot of bad things. As I’ve pointed out before, Microsoft cooperates massively with the NSA to provide them with records of your thoughts and actions. But the problem my friend referred to was something else… something called TPM,

Trusted Platform Module.

It’s a little chip in your computer that is, in my friend’s words, “way evil.”

Microsoft’s goal (with Apple following in their footsteps, by the way) is to kill the general purpose computer. Combining this Trusted Platform Module with Windows provides something that Microsoft and their government pals have been after for a number of years: something called Digital Hygiene.

If that sounds slightly Nazi-ish to you, I’m glad, because it is.

Digital Hygiene means that unless Microsoft approves of all the software on your computer – or any number of other factors, to be determined in the future – your Internet access will be instantly cut off.

Here’s what Microsoft’s Corporate Vice President of Trustworthy Computing was quoted as saying (by multiple sources, at a conference in Berlin) in 2010:

Infected computers should be quarantined from the Internet, and PCs should have to prove themselves clean with a digital health certificate in order to access the Internet.

Now they are doing it, and my friend is right to raise an alarm.

More and more computers cannot run anything except a “signed” operating system – signed by Microsoft or the hardware manufacturer. In other words, if they haven’t given the A-OK that what you’re using is as it should be, you get cut off. Moreover, the “we certify it or what you bought won’t work” extends to every program you run.

This is already inside any computer that is sold as “Ready for Windows 8.” When you install Windows 8, these capabilities are automatically activated.

Once that’s done, you will need major computer skills to wipe it off your machine and install something better.

What this all means is that, in the not too distant future – if you use a Windows machine – you might be limited to a small selection of pre-approved, pre-sanitized, privacy-questionable programs.

And I can almost guarantee all the tools we use now to protect ourselves from the reach of digital snoops will be blocked too, leaving us naked and vulnerable.

But there is a solution.

Buy a Linux machine. Not only will it protect you against the above, but it’ll be cheaper, and doesn’t have all the problems that Windows does (e.g., the blue screen of death).

Here’s how to get started:

  • Buy an older model computer with an AMD processor. They’re cheaper and still offer WAY more power than you’re likely to need. Just be sure to ask if the thing comes with “vPro,” “CompuTrace,” or a “TPM chip.” If it has any of these, don’t buy it!
  • Install Linux Mint on it, a user-friendly version of Linux.

Most likely, unless you’re technically minded, you’ll need to enlist the help of your local independent computer retailer. Do so – they will be a great resource as you shift to a non-Microsoft world.

Remember, Microsoft is a traitor to their customers, relying upon their ignorance to keep the game going.

Don’t be their zombies!


Paul Rosenberg
FreemansPerspective.com

Cryptohippie Responds to the NSA’s Attack on Encryption

Editor’s Note: The founder of FreemansPerspective.com, Paul Rosenberg, has spent many years trying to protect Internet users from unjustified surveillance by groups like the NSA. He is part of the team at Cryptohippie, who offer something called a Virtual Private Network (VPN). It’s a service that helps its users avoid tracking by the snoops.

However, it’s just come to light that many such “protection” services have been compromised themselves. Lest people think Cryptohippie has suffered the same fate, he’s asked us to publish a clarification on just how Cryptohippie protects its users – and indeed, what you should look for before using such a service yourself.

– Thomas Anderson
Editor, FreemansPerspective.com

——————

On September 5th, Glenn Greenwald and others revealed that the NSA was able to break the vast majority of encryption used on the Internet. You can find the story here or here, and commentary by cryptographer Bruce Schneier here.

Below, we’ll explain why you need not worry about your Cryptohippie service, but first, here is a short list of what was revealed:

  • Tech companies and Internet providers are cooperating with the NSA to break encryption everywhere. They are installing “secret vulnerabilities” and “covertly influencing product designs.”
  • Encryption for Hotmail, Google, Yahoo and Facebook is already broken.
  • Your data streams are recorded and decrypted, since the NSA (and their British counterpart, GCHQ) already have access to your secret keys.
  • These attacks involve something called key exchanges (involved in all encryption) and the subversion of certificate authorities, such as Symantec, Comodo and GoDaddy.
  • They have already broken 30 VPNs (Virtual Private Networks) and are working toward 300.
  • The NSA has capabilities against HTTPS (used to protect online shopping and banking) and voice-over-IP.
  • Encryption is still effective, if used well. As Edward Snowden said, “Properly implemented strong crypto systems are one of the few things that you can rely on.”

It appears the NSA and GCHQ are specifically targeting “certificate authority” services. These are services that verify the authenticity of cryptographic keys.

In particular, it seems that the NSA is colluding with, intimidating or subverting these companies.

Why Cryptohippie Remains Safe

None of the leaks so far have changed anything in our threat assumptions. Almost all of this has been assumed among industry professionals, and we have done a few things from the beginning to keep such problems at bay. Specifically:

  1. We run our own certificate authority (CA).
  2. We separate server keys from client keys.
  3. We force clients to verify that they are talking to a server key and that it is signed exactly by our CA.
  4. We do not allow new keys to be generated.
  5. We generate all keys with a known good generator.
  6. We only rely on static asymmetric keys for authentication, not for negotiating the session keys for content encryption. For that we use DH to generate ephemeral session keys.
  7. We use a good random source on the servers (a combination of hardware and software sources, with a FIPS check on randomness).
  8. Because we use DH and good random sources on the server, we can assure good session keys for each connection, even if the user’s computer cannot provide good quality randomness itself.
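Items 1 to 3 above, as an added example that is not Cryptohippie’s code: a Go program that builds a throwaway private root in memory, issues a server certificate and a client certificate locked to one role each, and then checks that a client accepts only a server certificate signed by that one root, rejecting both a client key presented as a server and a certificate for the same host name issued by an unrelated CA. The CA names, the host name vpn.example.test and the user name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the example stays short; real code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a fresh P-256 key (platform CSPRNG, example only) and issues a
// cert under parent, or a self-signed root when parent is nil; leaves get one role.
func newCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, roles []x509.ExtKeyUsage, dnsNames ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  roles,
		DNSNames:     dnsNames,
	}
	if parent == nil { // root: allowed to sign certificates, no role restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyPeer accepts cert only if it chains to the single pinned root in pool
// and is permitted for role; a non-empty host must also match a SAN.
func VerifyPeer(pool *x509.CertPool, cert *x509.Certificate, role x509.ExtKeyUsage, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool, // our CA only; the system trust store is never consulted
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err
}

// Scenario builds the private PKI plus an unrelated CA that issues a cert for
// the same host name, and reports each verification outcome (nil = accepted).
func Scenario() map[string]error {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca, caKey := newCert(nil, nil, "Example Private Root (constructed)", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server, _ := newCert(ca, caKey, "vpn-node-1", serverAuth, "vpn.example.test")
	client, _ := newCert(ca, caKey, "user-0001", clientAuth)
	otherCA, otherKey := newCert(nil, nil, "Some Public CA (constructed)", nil)
	impostor, _ := newCert(otherCA, otherKey, "vpn-node-1", serverAuth, "vpn.example.test")
	return map[string]error{
		"genuine server":       VerifyPeer(pool, server, x509.ExtKeyUsageServerAuth, "vpn.example.test"),
		"genuine client":       VerifyPeer(pool, client, x509.ExtKeyUsageClientAuth, ""),
		"client key as server": VerifyPeer(pool, client, x509.ExtKeyUsageServerAuth, ""),
		"same host, other CA":  VerifyPeer(pool, impostor, x509.ExtKeyUsageServerAuth, "vpn.example.test"),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

Only the two genuine certificates verify; the other two fail with an incompatible-usage and an unknown-authority error respectively, which is the behaviour items 1 to 3 describe.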

In other words, our network remains highly secure.

Our public-facing website is less secure. We have to use official CA keys there. That, however, matters very little; we don’t have any non-public data attached to that site at all.

Our mail servers have that same certificate issue, but only on the public-facing side, not internally. This doesn’t affect our security either: Mails sent out of the Cryptohippie (CH) network have never been safe from the NSA, only mails that stay inside our network – to and from other Cryptohippie users.

Implications

The long-term implication of this for Cryptohippie is that we may face the day when they come knocking, or come hacking. So far, all goes well for us.

The bosses at NSA apparently see this as absolutely necessary for the survival of the United States. (The fact that it survived for 200 years prior is ignored.) One of their documents from 2007 said this:

In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs. It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.

In other words, they are obsessed with this, and see it in the starkest possible terms. We’re not sure whether this is just rah-rah talk for the techies who work for them, or whether they really believe it (which would border on mental illness), but it is very dangerous. There’s no worse tyrant than one who believes he’s righteous.

The implications for the Internet community in general are these:

  1. Do not use a VPN unless it has its own Private Key Infrastructure.
  2. Do not trust certificate authorities.

Specifics

This may be a little technical, but we want to be clear on so serious a matter. Here’s what we see at the moment:

  1. From the data we have both from Snowden and from other sources, plus our own experience, the base algorithms are secure.
  2. The NSA is doing exactly what has been asserted among professionals for some time: subverting certain software, systems and providers, then promoting them as the ones to use.
  3. Several of the protocols used – or at least certain of their implementations – are insecure, not just by accident, but also by design.
  4. The global public key infrastructure is broken.
  5. Some key generation implementations have been tweaked to give out keys that can be cracked more easily. That has happened accidentally in the past, but the NSA seems to have done it on purpose. There are good hints as to which implementations are subverted.
  6. The NSA’s plan is to: give up on controlling crypto itself (it’s unfeasible); don’t rely on breaking algos (too expensive or not possible); subvert stuff, then push the subverted stuff; and kill stuff that isn’t subverted.
  7. The NSA has active capabilities to intrude into many connections. This requires a lot of technology, which is in place all over the world.
  8. We can still protect intergroup communications.
  9. Public communication without secure key exchange and traveling over the clearnet is broken, likely beyond repair. It’s almost impossible to roll out an alternative to X.509 on a global scale.
  10. This might lead to a push for a general overhaul of the security infrastructure on the internet.

Key Authentication

Here’s what key authentication means:

To connect the owner of a key to his/her key, most systems today use a trusted third party for verification. In order to trust the verifications of these parties, you must trust three particular things:

  1. That the trusted party is acting faithfully, not deceiving, and not deceived itself.
  2. That the signature system is unbroken; that is, both the signature algorithm and the hashing used in it are secure.
  3. That the signed key is secure, that it hasn’t been leaked, and that there has not been a private key generated from the public key that has been signed.

That leads you to questions (and answers) like the following. We have omitted the complicated discussion of hashing.

Is the trusted party trustworthy? (No. Most CAs are surely not trustworthy.)

Is the trusted party competent? (Some are; others are not.)

Is the signature algorithm secure? (Yes, the signature algos are secure.)

Is the public key algorithm irreversible? (That depends on the random number source. We have seen many such attacks in the past few years.)

Is the private key secret? (Clearly many secret keys are being sold to the NSA, or stolen.)

Key exchange is only secure if you can answer “yes” to ALL of the above questions. Clearly, we can’t, in most cases today. The math is generally good, but the implementations and organizations are not.

Paul Rosenberg
FreemansPerspective.com

The NSA’s Secret War Against Online Privacy Seekers

If you haven’t seen this yet, I’m sorry to drop it on you:

On September 5th, Glenn Greenwald and others revealed the extent of the NSA’s destruction of privacy – not just the privacy of people who are oblivious to the situation, but that of privacy seekers as well. You can find the story here or here, and commentary by a legitimate expert here.

Here’s What Was Revealed

  • The biggest tech companies and Internet providers are cooperating with the NSA (which may be why they’re big) to break encryption everywhere. They are installing “secret vulnerabilities” and “covertly influencing product designs.”
  • Encryption for Hotmail, Google, Yahoo and Facebook is already broken. Others as well.
  • Your data streams are recorded and decrypted, since the NSA (and their British counterpart, GCHQ) already have access to your secret keys.
  • These attacks involve something called key exchanges (involved in all encryption) and the subversion of certificate authorities, such as Symantec, Comodo and GoDaddy.
  • They have already broken 30 Virtual Private Network systems and are working toward 300.*
  • Greenwald and others report that in the NSA documents, ordinary Internet customers are referred to as “adversaries.”
  • The NSA has capabilities against “HTTPS, voice-over-IP… [which are] used to protect online shopping and banking.”
  • However, it can be said that encryption is still effective, if used well. As Edward Snowden said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

What This Means to You

If you hadn’t taken this seriously or were content to let others keep you safe, now’s the time to wake up and act. You have to protect yourself. No one is going to step in and do it for you. Magic hackers will NOT ride in to your rescue.

You must either learn to handle your own security, seriously, or pay for a top-notch service. If you go cut-rate, you’re just paying for the NSA to spy on you.

I may be preaching to the choir here, but don’t even try to pretend that the government will fix this – they are the people who are doing it – and they love the power. And don’t pretend that the military will step in either – the NSA is part of the military.

We’re all perps now. If all Internet users are “adversaries,” do you really think anyone is safe?

What This Means to Us All

Forget about the US Constitution; it’s a non-factor now. This is just the latest example of people who are drunk on power and don’t care about the principles on which this country was founded.

The NSA and the entire US/UK “security” apparatus is a gigantic drunken beast. The operators are arrogant and untouchable. Their bosses have openly lied to Congress, with no consequences. Do you really think they will remain angels? (Did you ever really think they were?)

The reality is, the system is beyond broken, no matter what kind of happy talk you hear on TV.

Make no mistake, this is the eye of Sauron. It is the empowerment of arrogance and power… and ultimately of death. You might think me dramatic but history doesn’t lie: Surveillance kills.

Once they have your communications, they have your thoughts. They are currently analyzing those thoughts and have already begun to quietly manipulate them. That is, if you choose to let them. Yes, it is your choice.

Be aware of the danger, take it seriously and become the kind of person you want to be… not the one they want to manipulate you into becoming.

[Ed. Note. An important paid report… yours today for free: How Surveillance Destroys Us (and what we can do to stop it).]

While the various program specifics of government surveillance have been well covered, Paul Rosenberg has come up with a brilliant perspective different from anything else we’ve seen.

In this important report, he talks about the (often subtle) psychological effects that non-stop surveillance has on us as living, breathing and thinking human beings.

Specifically, he sheds light on how governments routinely use surveillance to quietly manipulate us into doing what they want without question. That may sound crazy but the evidence doesn’t lie. And it’s all out there in plain sight for those who choose to see it.

This is traditionally a paid members-only benefit, but for a limited time, we’ll make it available to anyone who wants it. Click here to grab your copy.]

* The service I am associated with, Cryptohippie, is unaffected by this. Like other professional services, we operate our own public key infrastructure, without outsourcing trust and control to a third party, like an unaccountable Certificate Authority. We use Perfect Forward Secrecy cipher suites, which prevent communication from being decrypted after the fact, or when keys are lost. We will be publishing a detailed explanation of why Cryptohippie remains safe for our customers, and we’ll ask FreemansPerspective.com to post it as well.

Paul Rosenberg
FreemansPerspective.com

Digital Diversification: How to Do It

Thank God for Edward Snowden. I used to warn people about surveillance and the death of privacy, but most of them found it hard to believe me; it was just too far out of the mainstream. Not so anymore.

Just as the diversification of investments has become crucial, so has digital diversification. Not only are the Western nations (especially the US and UK) abusing every piece of data they can touch, but the Hollywood/DC complex has been throwing around their power thuggishly. It’s way beyond suing 12-year-old girls, by the way; if you haven’t seen the raid on Kim Dotcom’s house, you really should. And not only are they forcibly shutting down many web services, but they are pushing laws that allow the Hollywood studios to break into your computer – legally.

Since I have been involved with an international privacy company (Cryptohippie.com) for some time, let me report to you what we have found on the subject of digital diversification.

Privacy Laws

The first thing many people think about for digital diversification is privacy laws. I’m sorry to tell you, however, that they don’t matter very much. They can be important for networks and data centers, but not often for individual users.

The reason for this is the international construction of the Internet. Your Internet traffic (surfing, email, Skype, whatever) is not contained within any single country – it flies right past national borders without the slightest delay.

Making things worse, it probably passes through the United States, whose NSA grabs it all and shares or sells it to god knows who. (Again, I refer you to Mr. Snowden, as well as to William Binney, Russell Tice, and Mark Klein, previous whistle-blowers.)

Take a look at this representation of world Internet traffic, and notice that nearly all of it passes through the US.

[Image: map of world Internet traffic, nearly all of it routed through the US]

So, regardless of local privacy laws, your Internet traffic will more than likely be grabbed by the US and UK. (Not to mention non-government data thieves.)

The Copyright Thugs

As noted above, the Intellectual Property (IP) thugs have been unleashed, and they have often ruined businesses for the ‘crime’ of merely linking to a site where some kind of pirated music, video, or software may have been found. To avoid these excesses of law, you definitely do not want your server to be located inside the US, or in any country that cooperates too closely with the US government.

Which locations to choose depends on what you want to do with your server. Here are some examples:

  1. If you run a very simple, static site, just for fun and with no controversial content, you can pick anywhere that gives you a good price and fast access (even the US). But don’t allow links to be posted by users. If they link to a copy of Braveheart, you could have a problem on your hands.
  2. If you want a server (or a virtual server, which is smaller and cheaper) and you want to allow people to post comments, go offshore. If your site is very simple, will see little traffic, and requires very little in the way of resources, you can go with anything you find. But if you choose a server in the Caribbean, for example, be aware that your server may fall offline from time to time. (I know from personal experience as well as reports from others.)
  3. If you will see more traffic, make sure to check on the connection your data center (where your server is located) has to the Internet. The larger the connection and the larger the number of connections to international fibers, the better. You will, of course, pay more for these servers.
  4. If you run a professional service, look for data centers that will give you real customer service. You cannot allow your professional service to just vanish for a few days, while you track down a technician who likely doesn’t speak your language. In our experience, servers in central and northern Europe are the best choice: Switzerland, Holland, Germany, Austria, and so on. The laws there are fairly good for networks, and the data centers employ professional technicians. You’ll have to pay more, of course, but if you’re running a serious service, it is well worth it.

Political Persecution

If you’re running a Free Tibet web site, or anything like it, consider first who your enemies are likely to be, then avoid them and their allies – rent your servers somewhere that they and their friends are not.

The Dutch have long prided themselves on shielding such groups, so the Netherlands may be a good choice. (Some of the Scandinavians have taken that position as well.) But take a look at other politically persecuted web sites and see where they keep their servers.

And DO tell the data center what you are doing. If they know, they may very well protect you as best they can; but if not, your site will come down, probably at the first attack.

Surveillance

There is nowhere on the planet that is free from surveillance now – it’s simply too cheap, too easy, and too profitable.

The BRIC nations (Brazil, Russia, India, and China) are planning fiber optic cables that they do not share with the US or UK, so data centers on that line may be a better choice at some point. Rest assured, however, that Russia, China, et al., will be running their own surveillance. It will merely be a question of who is reading all your traffic.

Protection from surveillance requires encryption and an anonymity network. We covered that in a previous article, here.

Last Thoughts

It doesn’t take a lot of time or a lot of effort to secure your digital world, but you have to DO IT. Most people don’t want to be bothered and just go with whatever someone else is willing to set up for them.

But you wouldn’t diversify your finances based on the word of a friend’s brother-in-law, would you?

Likewise, don’t build your digital world blindly, taking the first and easiest option you can find. This doesn’t require weeks of work, but it does require some thought and some effort. It will be a good investment of your time.

Paul Rosenberg
FreemansPerspective.com

“Digital Diversification: How to Do It” was originally published at InternationalMan.com

The New Era of Surveillance is Here

Some have said it’s better to make decisions under the influence of alcohol than under the influence of fear.

But in late 2001, Americans made an entire set of decisions under the influence of fear… and created a monster.

We all remember what happened: A frightened public allowed politicians, secret agencies, and militaries to spend any amount of money and build any kind of system they wanted, to “protect us from the terrorists.”

To cash in on the new zeitgeist, new TV shows practically worshiped military and police forces; thousands of churches gave themselves over to the glorification of soldiers; and corporations scrambled for government money to build these new systems.

10 years on, it’s not just the “paranoid crackpots” anymore who can see that Orwell’s Big Brother of 1984 is terrifyingly real and more sinister than even he could have imagined.

The reality is this: Americans now live under the largest and most invasive surveillance state in the history of the world. This has been confirmed and admitted, even by the talking heads of the mainstream press.

I know there have been too many stories, passing too quickly, for most people to see this in all its gory detail, so I want to clarify and simplify a bit.

First, I’ll give you a list of recent stories (all since mid-May), with links, so you can check any of them you want to. Then, I’ll give you a brief, simple summary of where Americans stand now.

To Sum Up

The list above contains only recent and major stories. There are many others, but I want to keep this brief.

So here’s where we stand now:

  1. There are no more legal protections that matter. The 4th amendment is (was) “the law of the land,” and it is very clear. But that doesn’t matter: A pile of court rulings have been given precedence, and the Constitution no longer applies.
  2. The US military can – if and when it wants to – arrest and imprison anyone (foreigner or citizen) for as long as they want, without a trial.
  3. Acts of torture (“advanced interrogation techniques”) are legal, and secret courts are in regular operation.
  4. The US government (through many agencies, most notably the NSA and FBI) is collecting nearly every email, text, chat, phone call, and web site surfed. This information is already being used in government prosecutions.
  5. Government officials lie to citizens with impunity. Citizens who lie to officials go to jail. (Ask Martha Stewart, and a thousand less-famous people.)
  6. You are physically tracked 24/7 by your cell phone and car license plates.
  7. Large corporations are helping the US government run the most complete surveillance state in the history of the world.

Is this something you would agree to, if given an option?

Is this what you want your children or grandchildren to grow up in?

Do you think Thomas Jefferson would agree to this? Would Abraham or Moses support this? Would Jesus?

What Now?

The first thing we have to do is to gain moral clarity: to be clear on the fact that this is morally wrong. Not legally wrong, but morally wrong.

Because if it is morally wrong, then it remains wrong, no matter how many high-and-mighty authorities proclaim it to be right.

In other words, you need to believe that morality is more important than legality, which is really the core of the Judeo-Christian ethic that underpins our society. (You can deny it if you want, but that doesn’t make it false.)

Once we are morally clear on this subject, the rest follows naturally. But you have to get clear on this, inside of yourself. Writers like me can provide you with facts, but no one can do your internal work for you.

So, do you think this is morally wrong? And if so, why?

Be clear about the answer to this question. It’s the starting point to the struggle for personal freedom.

Paul Rosenberg
FreemansPerspective.com