OPSEC - Keeping your data private.

silentrust

Those of you who have been following the news regarding the US PRISM program and our thread devoted to the same will now know that the US government has long been spying on foreign citizens via popular web services like Facebook, GMail, Skype, Yahoo etc. and it seems they've been doing so for some time.

The Foreign Secretary from my own country, the UK, William Hague defended the similar Tempora program by saying words to the effect that if you've nothing to hide, you've nothing to worry about. You can read an excellent debunking of the "nothing to hide" argument here.

So it would seem all my friends at the Open Rights Group and fellow members of the Electronic Frontier Foundation have been vindicated after all, Big Brother is indeed watching us and we need to ask if he can be trusted with our personal e-mails, info and contents of our phone calls?

As Survialists this is particularly important for us. Not only will we need a way of communicating with one another come the Apocalypse but it is vital in the here and now that any preparations we make are as discrete as possible and this includes staying under BB's radar.

This is why Khannie and I have been asked to post some suggestions about maintaining your privacy, in your day to day online activities. Khannie is an IT whiz whereas I am a mere tinkerer, but I have the advantage of being rather slow when it comes to computers so make a point of not using any privacy related software unless it's very quick and easy to install.

There is also absolutely no need for you to run away and live in a cave or put on a tin foil hat in order to do any of this. There are free and safe alternatives to pretty much every mainstream internet service, see more info at the Prism Break website.

I'm hoping as well that other people will come forward to discuss ways that they've kept a low profile while online so we can share our experiences.

silentrust

Probably the best advice I can give anyone who is just starting out aside from visiting the Prism Break website and learning the free and safe alternatives to the programs they already use is to make sure when you do use a program that it is Open Source. This means that the source code for the program is available online and those people in the know are free to download it and review it.

The fact that certain programs like Skype are closed source is precisely what makes it difficult to tell if they contain a backdoor of some kind, which a shadowy government agency can use to listen in on your communications.

I think the easiest first step to make to keep Big Brother from casually snoopingon your is to switch to using the Mozilla Firefox browser and install these add ons to increase your privacy online:

DuckDuckandGo : This is actually a search engine which doesn't keep a permanent record of things you look for, unlike Google.
Disconnect : This free add-on blocks tracking cookies on websites, designed to monitor your online activity.
AdBlockPlus : Strips annoying adverts from your web page, leaving a reassuring blank space.
HTTPS Everywhere c/o our friends at the Electronic Frontier Foundation. Also available for Chrome. Instructs your browser to use the secure version of a site if available, this means for example that if you log in to Facebook, any information passed between yours and facebook's servers will be protected to an extent N.B it is still possible intercept data sent in this way, particularly if you access the internet from your workplace. The best rule of thumb is not to use your workplace internet for anything personal unless it's an emergency.

eirator

tbh I'm not bothering to do anything, the amount of data produced for the "authorities" to sift through each day is way an above their computing capacity to handle it. Its like the carrying a knife issue, if you don't do anything stupid then no one is going to bother you.

I'd be more concerned about my data being used to impersonate me than anything else.

Khannie

eirator wrote: »

tbh I'm not bothering to do anything, the amount of data produced for the "authorities" to sift through each day is way an above their computing capacity to handle it.

This is just not true in the slightest. I was naive enough to believe that people weren't doing this before. I was at a tech security conference recently and one of the speakers pointed out that the facility currently being built by the NSA will have sufficient storage for several years worth of *all* internet traffic. Even basic filtering to remove the heavy / don't care about stuff like movies etc. and it becomes a relatively cheap task to store things in a searchable way in a large compute cluster.

eirator wrote: »

Its like the carrying a knife issue, if you don't do anything stupid then no one is going to bother you.

That is a variation on the classic "sure I've nothing to hide, look away" argument. It's nothing like that though. We all have things that we want kept private in our communications. If you don't, sure send me on a copy of all your email there. I'll have a grand little sift through it and show you things that you don't want made public. I'm joking of course, but you surely get the point.

silentrust

Khannie wrote: »

This is just not true in the slightest. I was naive enough to believe that people weren't doing this before. I was at a tech security conference recently and one of the speakers pointed out that the facility currently being built by the NSA will have sufficient storage for several years worth of *all* internet traffic. Even basic filtering to remove the heavy / don't care about stuff like movies etc. and it becomes a relatively cheap task to store things in a searchable way in a large compute cluster.



That is a variation on the classic "sure I've nothing to hide, look away" argument. It's nothing like that though. We all have things that we want kept private in our communications. If you don't, sure send me on a copy of all your email there. I'll have a grand little sift through it and show you things that you don't want made public. I'm joking of course, but you surely get the point.

I am afraid I have to agree with Khannie Eirator - sadly we have the proof now that even those people who are law abiding are being spied on. Of course you may not be concerned with your personal correspondence being monitored but as you said yourself, one thing it can be used for is ID fraud, which can be prevented by taking a few basic precautions e.g using SSL versions of websites, encrypting e-mails with GPG and so on.

As for carrying a knife, I'd rather think of it in terms as the Door Security man who wears a stab-proof vest. It's unlikely someone may try to stab him, it may never have happened before but the PRISM program has shown us that we can't be too careful.

eirator

Sorry don't believe it because I supported an email monitoring product and worked closely with the developers and sales people. Sales would say anything to make a sale and the developers would get very pissed off because they knew the limitations of both the hardware and software. One of our sales to the US and the support I provided would indicate to me that no one had more sophisticated software at the time. Limitations were numerous when it came to scaling and I can't see even with dedicated banks of data servers you can get around some of the issues I have seen.

Assuming you can save and search all this data easily the problem is then you get too many results for anything other than for very specific searches so you the average user is now lost in the noise of the stored data rather than the noise of the internet.

silentrust

eirator wrote: »

Sorry don't believe it because I supported an email monitoring product and worked closely with the developers and sales people. Sales would say anything to make a sale and the developers would get very pissed off because they knew the limitations of both the hardware and software. One of our sales to the US and the support I provided would indicate to me that no one had more sophisticated software at the time. Limitations were numerous when it came to scaling and I can't see even with dedicated banks of data servers you can get around some of the issues I have seen.

Assuming you can save and search all this data easily the problem is then you get too many results for anything other than for very specific searches so you the average user is now lost in the noise of the stored data rather than the noise of the internet.

OK, so we can concede that the NSA have a rather daunting task cut out for them if they store logs of everyone's correspondence and then need to sift through it to find something of use. Nevertheless that's what's happening. Edward Snowden has shown the Guardian documentary proof this is the case.

However, if you want to discuss the PRISM program itself and how feasible it is to record this kind of info, there is a link to the thread above in the Tech Security section - I for one am not going to give the NSA or GCHQ a chance to record any of my data in the first place, which is why we started the thread.

silentrust

Just made my first call to my girlfriend using the open source VOIP program Jitsi which, with the aid of earphones now doesn't suffer from the feedback my girlfriend and I experienced yesterday.

Nevertheless the audio quality wasn't as good as Skype, we're still looking for a solution which will afford privacy and good call quality at the same time, watch this space.

Khannie

eirator wrote: »

Sorry don't believe it because I supported an email monitoring product and worked closely with the developers and sales people. Sales would say anything to make a sale and the developers would get very pissed off because they knew the limitations of both the hardware and software. One of our sales to the US and the support I provided would indicate to me that no one had more sophisticated software at the time. Limitations were numerous when it came to scaling and I can't see even with dedicated banks of data servers you can get around some of the issues I have seen.

All that tells me is that you're dealing with software that wasn't written to scale properly. If you start out with massive parallelism in mind (and the vast, vast majority of businesses cannot afford to, because time to market is crucial) then it becomes achievable. Google did a great job for example (and I'm not trivialising with that example. They really did.).

Also, software being the best on the market doesn't mean much. The market may not be very large for software that hoovers up the internet and makes it searchable over tens of thousands of processors. In a case like that the most sophisticated software on the market will be vastly behind what a government with a large budget will produce.

eirator wrote: »

Assuming you can save and search all this data easily the problem is then you get too many results for anything other than for very specific searches so you the average user is now lost in the noise of the stored data rather than the noise of the internet.

Yeah, perhaps a human wont read through *your* mail, but there again, maybe you use the word "wave" too many times (that's on "the list") because you like surfing and it comes up in the automated daily report. Presto, someone's digging through your mail.

Regardless, it is prudent to put a modicum of effort into ensuring your privacy (IMO), given that you are now certain that your communications are being monitored. If not, sure I'll leave you to it so.

silentrust

Anyone with a relatively recent Android phone can encrypt the handset in such a way to make your personal info irretrievable, if you need help with this please let me know.

If like me though your phone is too old, there is an excellent app called TextSecure available from the Play Store which will allow you to receive and send text messages from a password protected area of your phone.

If you want to anonymise your collection and circumvent those damn blocks your provider puts on certain websites, the apps Orbot and Orweb will allow you to access the Tor network and browse it respectively.

A few words of caution. Google has been subjected to court orders in the past to help law enforcement to retrieve personal information from encrypted handsets although it's not clear if they can actually do so. While your phone's info will be safer if the handset is seized, you may also notice slower performance.

Web browsing through the Tor network is also much slower - this is the price for anonymity!

For other privacy enhancing apps check out the website of The Guardian Project.

silentrust

Khannie wrote: »

All that tells me is that you're dealing with software that wasn't written to scale properly. If you start out with massive parallelism in mind (and the vast, vast majority of businesses cannot afford to, because time to market is crucial) then it becomes achievable. Google did a great job for example (and I'm not trivialising with that example. They really did.).

Also, software being the best on the market doesn't mean much. The market may not be very large for software that hoovers up the internet and makes it searchable over tens of thousands of processors. In a case like that the most sophisticated software on the market will be vastly behind what a government with a large budget will produce.



Yeah, perhaps a human wont read through *your* mail, but there again, maybe you use the word "wave" too many times (that's on "the list") because you like surfing and it comes up in the automated daily report. Presto, someone's digging through your mail.

Regardless, it is prudent to put a modicum of effort into ensuring your privacy (IMO), given that you are now certain that your communications are being monitored. If not, sure I'll leave you to it so.

The tragedy here is that the tools to protect ourselves have been freely available for some time and yet people have been either unaware of the need for them or assumed it wasn't necessary. Hopefully the recent revelations will put paid to people who think privacy no longer matters.

Danpad

I stay away from facebook, in fact I hate it! I've been using firefox for some time and Mozilla thunderbird, I'll certainly be looking into those add ons. However, I think I undo all this by keeping a blog! Maybe I need to re-think the need to share my journey/thoughts etc.
Thanks for the advice guys.

silentrust

Danpad wrote: »

I stay away from facebook, in fact I hate it! I've been using firefox for some time and Mozilla thunderbird, I'll certainly be looking into those add ons. However, I think I undo all this by keeping a blog! Maybe I need to re-think the need to share my journey/thoughts etc.
Thanks for the advice guys.

No harm in having your blog Danpad as you are deliberately publishing this info on the internet in the way you want, so naturally even if, for instance, a potential employer were to stumble across it, they would only see what you want them to.

Khannie

So back on topic from me. Here's a really good talk on opsec that was linked to in another thread:

https://www.youtube.com/watch?v=9XaYdCdwiWU

The take home message from it: Don't say anything in unencrypted conversation that you wouldn't be happy writing on a postcard. That, and STFU (otherwise known as "don't say it").

There are a few areas you need to cover, based on how much you want to protect.
- email
- instant messaging
- browsing
- your hard drive / files

If it's not open source, I don't trust it to secure my communications any more. The example I'll give here is Skype. I believe that communications are encrypted end to end alright, so Joe average (and my employer) wont be able to listen in and / or decrypt them. That used to be enough for me. I have exchanged sensitive information over Skype before (passwords for example). Someone with the encryption keys (and you have to assume that they are in the hands of authorities now) would have little difficulty though. I now consider skype to be unencrypted for all intents and purposes. I use pidgin with the OTR (off the record) plugin. It encrypts google chat, facebook chat, etc. etc. Super little client.

Encrypting your hard drive is becoming easier. Full hard drive encryption is part of the basic Ubuntu Linux install now. I'm not sure about windows because (:o) I stopped using it many years ago. Truecrypt is a good little piece of software. It allows you to create an encrypted container for your files, which itself can contain a hidden (and plausibly deniable - i.e. nobody could ever prove that it was there) container.

A VPN is useful if you don't want the Irish government with a history of your browsing activity. That activity is stored currently (by EU directive) for 2 years. I don't want anyone learning about my pony hoof fetish though. VPN's cost around 4 euro a month these days and they're pretty easy to set up (probably 10 minutes effort). They're also useful for masking your real IP address for other activities (e.g. if you're downloading stuff).

Email is the trickiest part IMO. PGP is still not quite ready for prime time. I did find a really good, easy to use plugin for chrome that works with gmail / hotmail etc. called "mailvelope". I'd say that's worth having a look at.

Khannie

Oh, on passwords - We've seen various sites have their encrypted passwords leaked (LinkedIn was the most recent big one if memory serves). People then set about the task of figuring these passwords out and posting them on the internet. It was all done quite quickly. Geeks love a challenge.

Anything less than 12 characters is a waste of time IMO. It has become very cheap to compromise shorter passwords (i.e. the average punter in their house with a half decent graphics card could give it a shot). I have started using KeePass. It takes the hassle out of very long passwords and works like this:

- In KeePass you create a "safe". This is an encrypted file. You use a single, long and complex password for this safe.
- KeePass then stores your various passwords inside that safe. It will generate very complex passwords for you when you're joining a site.
- You then never need to know the passwords for your various favourite sites. KeePass does that for you (I have no idea what my boards.ie password is for example, but it's about 20 characters long and contains things like * and & and what not).
- You can get android and iPhone clients. I have the android one and it works a treat.
- There are plugins available for the various browsers to automate logins for you once you have logged into KeePass.
- It doesn't matter if someone gets access to your "safe" file. It is encrypted with the one long and complex password that you need to remember.

Khannie

While I think of it. Most people don't know this but your photographs contain "metadata". That is information about when the photo was taken, the shutter speed, yada yada. A lot of smart phones now include the GPS coordinates where the picture was taken by default. It is worth turning that off.

Tabnabs

Khannie wrote: »

While I think of it. Most people don't know this but your photographs contain "metadata". That is information about when the photo was taken, the shutter speed, yada yada. A lot of smart phones now include the GPS coordinates where the picture was taken by default. It is worth turning that off.

Checkout Jeffrey's Exif Viewer for all sorts of interesting metadata.

silentrust

Khannie wrote: »

So back on topic from me. Here's a really good talk on opsec that was linked to in another thread:

https://www.youtube.com/watch?v=9XaYdCdwiWU

The take home message from it: Don't say anything in unencrypted conversation that you wouldn't be happy writing on a postcard. That, and STFU (otherwise known as "don't say it").

There are a few areas you need to cover, based on how much you want to protect.
- email
- instant messaging
- browsing
- your hard drive / files

If it's not open source, I don't trust it to secure my communications any more. The example I'll give here is Skype. I believe that communications are encrypted end to end alright, so Joe average (and my employer) wont be able to listen in and / or decrypt them. That used to be enough for me. I have exchanged sensitive information over Skype before (passwords for example). Someone with the encryption keys (and you have to assume that they are in the hands of authorities now) would have little difficulty though. I now consider skype to be unencrypted for all intents and purposes. I use pidgin with the OTR (off the record) plugin. It encrypts google chat, facebook chat, etc. etc. Super little client.

Encrypting your hard drive is becoming easier. Full hard drive encryption is part of the basic Ubuntu Linux install now. I'm not sure about windows because (:o) I stopped using it many years ago. Truecrypt is a good little piece of software. It allows you to create an encrypted container for your files, which itself can contain a hidden (and plausibly deniable - i.e. nobody could ever prove that it was there) container.

A VPN is useful if you don't want the Irish government with a history of your browsing activity. That activity is stored currently (by EU directive) for 2 years. I don't want anyone learning about my pony hoof fetish though. VPN's cost around 4 euro a month these days and they're pretty easy to set up (probably 10 minutes effort). They're also useful for masking your real IP address for other activities (e.g. if you're downloading stuff).

Email is the trickiest part IMO. PGP is still not quite ready for prime time. I did find a really good, easy to use plugin for chrome that works with gmail / hotmail etc. called "mailvelope". I'd say that's worth having a look at.

Thanks Khannie, I too was extremely please when installing the latest version of Ubuntu that they no longer have an "alternate" install CD and full disk encryption is offered as standard.

Truecrypt can encrypt your entire system if you're running Windows. The process is extremely simple and you can read instructions for doing so here.

Do bear in mind this will reduce system performance slightly but I never noticed any difference when using Windows XP or Windows 7. Also you'll only be safe once the laptop is shut down and your security key has disappeared from the computer's RAM memory (usually around 10 minutes but this can be extended by cooling the machine).

This means if the Secret Police do come and knock down your door and your computer is still on or hibernating, encrypted the whole hard drive won't be much help. You can solve this problem by having good physical security and shutting down your machine fully when you're not using it.

You can further increase your security by having a hidden Operating System with a separate password, so if you're forced to hand over a password by law (as you must in the UK), you can hand over the "safe" password which won't reveal any useful information. You can do the same thing for data on a USB stick too. More info with step by step instructions here.

Although VPN's aren't as anonymous as using services like Tor or I2P, the paid services will allow you to download large files, stream video etc. without too much loss in download speed.

Do remember though if you use Paypal/Credit card/Bank transfer to pay for your VPN then if the authorities were to examine your finances they could find out your VPN provider and try to extort your information from then.

You can get round this problem by either using a VPN provider with a server based in a country which cannot compel them to reveal your personal data such as VyprVPN.

Alternatively (and I think this is the best option), find a VPN provider which accepts payment in the anonymous currency Bitcoins. My favourite is Mullvad as it's the cheapest one I know (around €5 a month) and is based in Sweden which falls outside of the shadowy "Data Retention Directive" which requires EU telephony companies to keep records of all users.

Bitcoins probably deserve a mention in their own right, as they are a secure way of transferring money anonymously if used properly - back in the day I was a Bitcoin trader. If you want more information about how this works and how you can get started using them to pay for all manner of goods and services, you can find it here.

If you do decide to go ahead and buy some in order to use a VPN, I would suggest you use the locabitcoin.com website to find someone near to you who will sell Bitcoins for cash, so that their purchase can't be traced back to you.

Please bear in mind though that although this will protect you from causal snooping on your connection, it would still be possible to examine your computer to tell which VPN provider you're using and examine your internet history.

You can get around this problem by using system encryption e.g with Truecrypt and also programming your browser not to record History. Fortunately Firefox now allows you to do this by going to File > New Private Window.

silentrust

Tabnabs wrote: »

Checkout Jeffrey's Exif Viewer for all sorts of interesting metadata.

Absolutely, it's scary stuff isn't it?

Android Users can install ObscuraCam which will allow you to take photos stripped of their usual geotagging data and other personal information. It also allows you to pixelate out people's faces from pictures and videos if you're so inclined.

silentrust

An excellent BBC article on what "THEY" know about you:

http://www.bbc.co.uk/news/magazine-22853432

eirator

silentrust wrote: »

An excellent case in point for the "nothing to hide" brigade - a man has just been jailed in the part of Britain where I'm from for agreeing to take some Euros and load it onto a prepaid currency card for a friend. He thought he was helping his friend avoid paying VAT on a purchase- in fact the cash was drug money, he blithely explained the whole situation to the Police when questioned and has just been sent to cool his heels for 11 months for laundering the proceeds of crime... ignorance is no defence in the eyes of the law!

You might think you wouldn't do something like this but if you can be guilty by association for doing what you believe to be a harmless favour for a friend then all the more reason in my humble opinion why you need to keep your private life just so.

Hardly related to internet snooping, that was just plain stupidity. In the UK you'd have all your data encrypted and be assumed guilty if you didn't provide the password. Plausible deniability is a lot more difficult than you think, if you have common applications that have saved and last used files on a drive letter that doesn't exist on the PC then its not plausible to say that apparently random data on part of your local drive isn't more hidden and encrypted data.

silentrust

A lot of us (myself included!) like to keep a backup of our personal files using a cloud storage service.

My first recommendation to people would be to use a secure service like Wuala or SpiderOak however for those of you who already have an account with Dropbox, Skydrive, Google Drive etc. and are comfortable with using it, I realise the change might be a bit of a wrench.

A good middle ground might be using BoxCryptor - this handy app will encrypt your data with ultra secure AES 256 Bit encryption before it leaves your machine, and integrates with your existing service be it Skydrive, Box.Net or Dropbox. The free version gives you one drive for unlimited devices and it also is available for Android/iOs.

Although the contents of files will be encrypted the filenames won't so it would still be possible for the powers that be to see that you have a file named "GreenPeace Members List.doc" for instance and try to force you to hand over the key. You can fix this by paying for a subscription but I prefer just to use Wuala which encrypts both the files and the names.

silentrust

eirator wrote: »

Hardly related to internet snooping, that was just plain stupidity. In the UK you'd have all your data encrypted and be assumed guilty if you didn't provide the password. Plausible deniability is a lot more difficult than you think, if you have common applications that have saved and last used files on a drive letter that doesn't exist on the PC then its not plausible to say that apparently random data on part of your local drive isn't more hidden and encrypted data.

Sorry eirator, I should have clarified that the Police were able to link the man to the criminal with drug money by examining their e-mail correspondence and text messages.

When it comes to Plausible Deniability, if you have a hidden OS using Truecrypt, the password to the "safe" outer partition will not reveal this kind of information as without getting too technical, the hidden OS automatically sets the "safe" one to read only to prevent the kind of leaks you mention (see more info here) - Indeed Truecrypt itself has no way of knowing if a container or partition has a hidden area until you enter the password for it, and can even accidentally write over the hidden data if the "safe" password is used.

That said, it is conceivable that a canny person monitoring your connection might notice that you use two different types of web browsers. It would also be possible to tell that a hidden volume existed if you created a partition, deleted some files and then decided to encrypt it - see more info here but this would be a moot point if you used whole disk encryption to have a hidden operating system.

For those people who are particularly concerned about sensitive personal information leaking onto their hard drive, it is possible to run your operating system directly from a "Live" USB stick or CD such as Ubuntu Linux. Any data would be kept in RAM and would disappear within minutes of the machine being switched off. While running from a Live CD it's also possible to access your Truecrypt encrypted hard drive to store information, although I don't think it would be necessary if you've already a hidden OS installed on your machine.

silentrust

Just to clarify my earlier post - If you run Windows and you use Truecrypt to encrypt your system, it would be very easy to prove that your computer was encrypted, as in the nature of things Truecrypt creates a small, unencrypted "boot" partition on your hard drive. It would not however be possible to prove that there was a hidden OS from examining the hard drive in this way. For more information see Truecrypt's own page on data leak protection.

If you want to dispute that a device is encrypted in the first place, it's by far better to encrypt an entire USB stick as you can always claim that it is not, in fact, encrypted but that you used a secure erasing program to wipe it, which would account for the random data with which it seems to be filled. If you're not believed or someone threatens to beat the password out of you with a lead pipe, a hidden partition on the USB stick is your friend once again.

My only advice to people to do this is to put something in the "safe" outer volume worth hiding. If it's just a few family photos of your Uncle and your Aunt with the big nose, then it's probably not going to seem plausible to a judge in the UK that this is what you planned to hide. Good suggestions might be passwords to e-mail accounts you only use infrequently, or the password to your work computer which the Police could seize anyway.

silentrust

Ok firstly, although I am usually skeptical about Wikifacts I have not been able to find a better summary of what keylogging is than provided by the good people at Wikipedia.

Even the best security system using full disk encryption, GPG to encrypt e-mails etc. can fall victim to keystroke logging, as naturally any fool with the password can then unlock your machine / access your account and so on.

Your first and best defence is to maintain good physical security for your machine. Make sure there's a separate computer for family and friends to use, and that yours is kept in a locked room when you're not there. This is the best defence against the so-called Evil Maid attack. This is especially important if you're away from home e.g staying in a hotel. If your room, has a safe use it. Otherwise take your machine with you.

Your second defence is probably to use an onscreen keyboard to enter passwords where possible, or to copy and paste your passwords from an encrypted area e.g using a program like Keepass. (There is also a plugin for Keepass which acts as an onscreen keyboard if you're super paranoid).

More advanced users might want to employ Two factor authentication which would involve using both a password and something like a smart card or security token of some kind to unlock the machine.

Personally I have chosen not to do this as Smart card readers cost money, it would be very easy to bash me on the head and steal it ,not to mention the fact you no longer have plausible denial when it comes to encryption as any fool could see you have a smart card reader next to your machine and some kind of security token on your person. However you may have a way of keeping the key safe or hiding it - if so, good luck to you!

Khannie

silentrust wrote: »

Even the best security system using full disk encryption, GPG to encrypt e-mails etc. can fall victim to keystroke logging

Just to go a bit further on this - I set up the computer I'm currently on to specifically avoid this (and many other types of privacy invasion). It will only boot with a USB key that I have. The hard drive is fully encrypted and the bootloader is on the USB key (to avoid the evil maid attack). Couple those things and even with physical access you can't install a keylogger.

I think it would be theoretially possible but realistically impossible for someone to install one anyway.

Keyloggers are the devils work. They are such hard things to root out if you have one secretly installed.

silentrust

Khannie wrote: »

Just to go a bit further on this - I set up the computer I'm currently on to specifically avoid this (and many other types of privacy invasion). It will only boot with a USB key that I have. The hard drive is fully encrypted and the bootloader is on the USB key (to avoid the evil maid attack). Couple those things and even with physical access you can't install a keylogger.

I think it would be theoretially possible but realistically impossible for someone to install one anyway.

Keyloggers are the devils work. They are such hard things to root out if you have one secretly installed.

Thanks Khannie, that sounds very intriguing - I am afraid I did see instructions for something similar but it was a bit too much for my poor addled brain.

Of course people in need of a watertight OS can also put an entire one onto a USB stick (I think we've already talked about TAILS?) but naturally you'd have to keep it on your person as Khannie does to make sure it can't be tampered with.

It would seem you're right though in that this doesn't happen very often, although this may be because most people aren't very conscious of their privacy so usually the Feds can just whip a person's hard drive out of their machine.

I did find this article on the DEA in the US employing a keylogger to break up a drug cartel. Worryingly as well the FBI developed software named Magic Lantern a few years ago which apparently disguises itself in e-mail attachments, meaning they wouldn't have to break into your home. It seems to be targeted towards privacy-conscious people as it only activates when PGP is fired up.

I don't know what the situation is here in Ireland but it can't hurt to be prepared I suppose.

Tabnabs

A fascinating and long article on the subject. A real eye opener.

http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester

Well worth sticking with it and reading the whole thing.

Khannie

Super article. Thanks for sharing.

Danpad

Khannie wrote: »

While I think of it. Most people don't know this but your photographs contain "metadata". That is information about when the photo was taken, the shutter speed, yada yada. A lot of smart phones now include the GPS coordinates where the picture was taken by default. It is worth turning that off.

That's bang on the money. One of the best pieces of advice given to me was by a 'coder' (is that the right phrase?) acquaintance of mine who said "have a phone and have a computer, but don't have a phone that's a computer." I recall him talking to me about 'tracking' people by their phone usage as far back as 2002. Having said that, I don't mind people knowing my location too much as I doubt there's an app yet that would scare German Shepherds and a team of eager hosts waiting in the darkness of the woods.

Khannie

If you have a phone, your movement is easily tracked by cell tower triangulation tbh. There was a lad who sued Deutche Telecom under freedom of information and got all the data they were holding on him. Frightening stuff....

http://www.zeit.de/datenschutz/malte-spitz-data-retention/