Email Security: Safe and Sound Use
Background information on privacy, with links to further reading, is on the Knowledge Lab wiki, from which the last two sections below are also pasted. More specific information on why you would want to encrypt your emails can be found in the notes from a Knowledge Lab session on why and how to use encrypted email.
Getting the GNU Privacy Guard and Digital Signature
The GNU Privacy Guard is generally called GnuPG or simply GPG.
If you would like a more technical account of GPG, check the GPH Manual, from which this quote comes:
GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.
The easiest way for general desktop computer users is to install Mozilla Thunderbird and add the Enigmail extension, which "integrates the renowned OpenPGP standard provided by GnuPG". If you already know how to use encryption and just want the extension, go here and download it.
For GNU/Linux users there is also KMail, which supports the OpenPGP standard and can automatically encrypt, decrypt, sign, and verify signatures of email messages and their attachments via either the inline or OpenPGP/MIME method of signing/encryption. KMail depends on GnuPG for this functionality. As a visual aid, KMail will colour verified email messages green for trusted signatures; yellow for untrusted signatures; red for invalid signatures; and blue for encrypted messages.
The Enigmail extension and KMail above have their own manuals, and there is always the GnuPG Manual, linked to as well. But what is a good way to use encrypted email? Where should you upload your public key, if at all? How and where do you best store your private key? Do you need to back it up? What is a revocation certificate?
These are some of the questions that still need answering.
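The questions above correspond to a handful of GnuPG operations: exporting the public key, backing up the private key, and locating the revocation certificate. The shell functions below are an added example, not taken from the Enigmail, KMail or GnuPG manuals; they assume GnuPG 2.2 or later installed as `gpg`, and use a constructed identity and a temporary keyring.

```shell
#!/bin/sh
# Added example. Constructed identity, throwaway keyring; assumes GnuPG 2.2+.
DEMO_UID='Alice Example <alice@example.org>'

# Use a private, temporary keyring so the real ~/.gnupg is never touched.
setup_keyring() {
    GNUPGHOME=$(mktemp -d) && chmod 700 "$GNUPGHOME" && export GNUPGHOME
}

# Primary keypair plus one encryption subkey, expiring after a year.
# The empty passphrase is for the demo only; protect a real key with one.
generate_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" default default 1y 2>/dev/null
}

# Fingerprint of the primary key: the first "fpr" record in the listing.
primary_fingerprint() {
    gpg --batch --with-colons --list-keys "$DEMO_UID" 2>/dev/null |
        awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }'
}

# Number of subordinate keypairs bundled with the primary key.
subkey_count() {
    gpg --batch --with-colons --list-keys "$DEMO_UID" 2>/dev/null | grep -c '^sub:'
}

# Public key: the part that is safe to hand out or upload.
export_public() { gpg --batch --armor --export "$(primary_fingerprint)"; }

# Private key backup: this output is the secret half, so store it offline.
backup_secret() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$(primary_fingerprint)"
}

# GnuPG writes a revocation certificate to this path when the key is created.
revocation_cert() {
    printf '%s\n' "$GNUPGHOME/openpgp-revocs.d/$(primary_fingerprint).rev"
}

# Encrypt to the public key, then decrypt with the private key.
roundtrip() {
    printf '%s' "$1" |
        gpg --batch --quiet --armor --recipient "$DEMO_UID" --encrypt 2>/dev/null |
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}
```

Call `setup_keyring` and `generate_key` first; importing the file named by `revocation_cert` into a keyring marks the key as revoked, which is why it is stored apart from the key itself.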
You might also want to consider how you move around in cyberspace, just as you would in real space. In some places and at some times you wouldn't walk around with your bank account written on your forehead or on the back of your coat.
There is more below:
Tools & Tips to keep safe on the net
There are various things one can do to (try to) maintain privacy or, rather, to minimise the amount of data that can be collected about and tied to one's person.
They have their own pros and cons.
"Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.
Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) are supporting Tor's development as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?
A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.
The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected."
The last point also goes for the use of the Free Software Foundation's GNU Privacy Guard according to the old proverb 'safety in numbers'.
- Anonym.OS LiveCD from kaos.theory, which is an OpenBSD 3.8 Live CD with strong tools for anonymizing and encrypting connections. Standard network applications are provided and configured to take advantage of the tor onion routing network.
- Arudius offers two Live-CD projects, Newbie based on NetBSD, and Arudius based on Slackware.
- Gibraltar is a professional security product for companies and organizations of any size, based on Debian/GNU Linux. Independent of the kind of Internet connection (dedicated line, ADSL, dial-up connection).
- Mixmaster is a type II remailer protocol and the most popular implementation of it. It can help you anonymise your emails.
- If you use Thunderbird as an email client, you can add the Enigmail extension, which can help you use GPG (mentioned above). See also Portable Thunderbird with Enigmail / GPG (http://dev.weavervsworld.com/projects/ptbirdeniggpg/).
- Official GPG manual.
- Many links to Free Privacy, Encryption, Anonymity and Security Software and Services.
Links for further reading
- Berkman Center for Internet & Society BOLD site for "Privacy in Cyberspace" which was offered in the Spring of 2002.
- ID Cards - the case against, by NO2ID
- Introduction to Section 3 of High Noon on the Electronic Frontier: Conceptual Issues in Cyberspace by Peter Ludlow
- Report by NATIONAL TELECOMM. AND INFO. ADMIN., U.S. DEP'T OF COMMERCE (1995): PRIVACY AND THE NII: Safeguarding Telecommunications-Related Personal Information.
- Article in The Register: Wiretapping, FISA, and the NSA - excerpt:
"US wiretapping laws, FISA and Presidential powers given to the NSA to intercept communications make for interesting times when coupled with technology. What are the issues surrounding privacy, search, seizure and surveillance? ---- Whenever a new technology is developed, or a new threat that causes us to deploy these technologies, questions invariably arise about their legality. When the telephone was first developed and used, it was not clear that the constitutional dictates on unreasonable searches and seizures applied to conversations that were neither "searched" nor "seized." The recent revelations that the US Department of Defense, through the National Security Agency, was targeting the international communications of US citizens for interception as part of a classified program raises questions about the constitutionality and legality of the program itself."
- Wikipedia entry on Crypto-anarchism
- Wikipedia entry on Computer surveillance
- Wikipedia entry on Privacy, which reads:
"The earliest recognition of the concept of Privacy is in the Muslim religion. According to a report published by Privacy International (PHR2004 - Overview of Privacy on Nov 13, 2004) there is recognition of privacy in the Qur'an and in the sayings of Mohammed. The edict of privacy is in Chapters 24 and 49 of the Quran - The holy book of Islam. As quoted by Imad A. Ahmad on Islam-Online.net "In Islam the law is God-given and the right of privacy is a sacred right.". Imad A. Ahmad teaches courses on social change and on Religion & Progress at the Johns Hopkins School for Advanced International Studies, and the University of Maryland. Islam places a very great importance on privacy, and on keeping private what should be private. Women have to wear Hijab so that it is a screen of their privacy. Wearing a hijab is one of the methods of protecting the privacy of women."