From: Mustafa Akgul (akgul@Bilkent.EDU.TR)
Date: Sat 24 May 2003 - 17:35:19 EEST
*** Democracies Online Newswire - http://e-democracy.org/do ***
*** See something? Send submissions to: clift@publicus.net ***
-----Original Message-----
From: Digital Freedom Network <dfn-news@topica.email-publisher.com>
To: clift@publicus.net
Subject: [DFN-News] Food for Thought: Encryption and security issues
Date: Fri, 23 May 2003 09:41:57 -0700
DIGITAL FREEDOM NETWORK: Human rights and cyber-rights news
-------------------------------------------------------------------
Food for Thought: Encryption and security issues affecting human rights
activism
Summary by Shravanti Reddy, Digital Freedom Network
URL: www.dfn.org/fft/fft2003-05-22.htm
(May 23, 2003) The Digital Freedom Network's monthly Food for Thought
conversation series offers an opportunity for informal discussion on the
use of technology in human rights work. The purpose of the Food for
Thought series is to facilitate networking among like-minded
organizations and individuals and provide a platform for information
exchange on technological uses, needs and trends throughout the world.
The May 14, 2003 meeting focused on encryption and security issues
affecting human rights activism.
As technology becomes an increasingly important tool for human rights
activists, the information they collect and their communications remain
vulnerable to security risks, and the need to use encryption is becoming
more important.
To facilitate the discussion, DFN invited two individuals to discuss the
encryption and security needs of human rights activists:
Sean DeWitt is the eBase Coordinator of the Fund for the City of New
York, whose mission is to improve the quality of life of New Yorkers. He
is also the Executive Director of the Alliance for Southern African
Progress (ASAP), which is based in New York and Bulawayo, Zimbabwe and
works to restore basic human rights and freedoms in Zimbabwe by
strengthening civil society.
Jo Hastings is the director and co-founder of Privaterra, an
organization that protects human rights workers throughout the world by
offering and implementing privacy and security technology and
technological education and support.
-------------------------------------------------------------------
What is encryption?
Encryption is the art and science of scrambling data so that only the
intended party can read what you've sent them. One of the most critical
aspects of encryption is encrypting e-mail. This is especially true for
human rights groups and activists that are more likely to be targets of
surveillance than other nongovernmental organizations (NGOs) or
businesses because they are often sharing very sensitive data that other
third parties are very interested in obtaining.
What most people do not realize is that when you send information over
the Internet, which is a public network, anybody can read it by making a
little bit of effort. Sending an e-mail is as private as sending a
postcard through the mail, and encryption is like the sealed envelope
for your e-mail. It makes your communication almost unreadable to anyone
but the intended recipient.
Unfortunately, many human rights activists do not use encryption because
they feel that it singles them out as people with something to hide and
that it gives the government that much more reason to watch them.
Privaterra's policy is to urge everybody to use encryption and to use it
all the time, whether the information is sensitive or not so that it
becomes standard practice that no longer generates suspicion.
While your computer or e-mail can never be 100 percent secure, any steps
taken to encrypt data are better than not encrypting at all as most
people are foiled by any level of encryption. And although using
encryption takes some extra time, the added security is often of great
benefit to human rights activists.
Encryption not only protects your data and your communications, but it
is also a method of authentication. You can digitally stamp press
releases, e-mails, or any other document so that people are absolutely
sure that it has come from you and that someone else did not send it
pretending to be you. There are ways that people can spoof documents if
you are not using encryption technology so that a press release can look
like it was issued by your organization. Such a spoof can be used to get
a group of people all in one place at the same time so that they can be
arrested or to get people to do something that they normally wouldn't
do.
Users should be aware that encryption can be illegal. Governments are
afraid of strong encryption because they cannot break it and they think
it is very dangerous for people to hold private conversations. It can
take 20 years of strong computing power to crack maybe just one e-mail.
In the US, it was illegal to export encryption technology because it was
considered arms trafficking for a long time. This has since been
overturned and now encryption is freely used in the US and in 95 percent
of other countries.
Although there is a growing movement to ban encryption in the US, it
will be harder to ban as more and more people use it. The US government
is also toying with the idea of keeping a key escrow, which would
require everyone to register their private key with their Internet
service provider. It is the electronic equivalent of leaving a key to
your house with the police, enabling them to enter whenever they want.
While theoretically they would need a search warrant or whatever other
political process was mandated, this type of process is often abused.
Key escrow has already been implemented in the United Kingdom and
France. If you are travelling overseas and plan to use encryption, check
with an organization like Privaterra, which answers such questions.
Another advanced level of encryption is called steganography, which
involves taking a photo or MP3 and changing a few insignificant bits
that do not really change the nature of the photo and hiding your data
in those few insignificant bits. Unfortunately, terrorists have used
this method to send information, so future restrictions on steganography
are likely. Encryption is a powerful technology that empowers users to
communicate without surveillance, but there is an ongoing tension
between the needs of human rights activists who need security and those
who are using it to hide criminal activity.
How does e-mail encryption work?
With e-mail encryption, each user has two keys, one public and one
private, that are mathematically coordinated to each other. The public
key is made available to everyone and is placed on a public server such
as VeriSign. The private key is meant to be kept private. Users should
never make their private key available to anyone. When two people want
to send encrypted e-mail to each other, Activist 1 and Activist 2 will
swap public keys. When Activist 1 sends a message to Activist 2, it is
encrypted using the public key of Activist 2 (which Activist 1 has
because they have swapped public keys). Activist 2 is now the only one
who can read this message because it can only be decrypted using his or
her own private key.
E-mail encryption is analogous to voicemail. Activist 2's phone number
is like his or her public key, which is given to Activist 1. When
Activist 1 calls Activist 2, nobody can check Activist 2's message
without his or her private password, which is like the private key.
Tools for encryption
There are a lot of tools to accomplish encryption and security with a
different tool for each job, including those for hard drives, data
storage, virus protection, networks, and physical security. They all
have their pros and cons.
The standard for e-mail encryption is Pretty Good Privacy (PGP), which
is very good but difficult to use. ASAP has had problems with
implementing this in the field because of the training necessary for
people to maintain and use it. If you are using Microsoft Outlook or
Outlook Express, there is a plug-in that works very well. It also works
well with Eudora, Netscape, and America Online (AOL) mail applications.
If you are not using these e-mail programs, then it can become a real
problem. PGP will also work with Web-based mail, but this requires
several extra steps and is not as automated.
Using encryption does slow down the process of sending e-mail, depending
on the level of encryption. For PGP, it is almost negligible if you are
using MS Outlook where it only requires the click of an extra button.
The time-consuming part of using PGP is the setup and training. In order
to use it, both parties must have PGP, know how to use it and use it all
the time. If you send out an encrypted message and the receiver forwards
it to others without encrypting it again, then the effort to encrypt is
wasted because the information is now accessible to anyone.
Human rights activists often use Internet cafés, and PGP will not work
unless they are carrying around a physical disk with their private key
on it that they can insert into the computer. In order to encrypt mail
when using an Internet café, they must carry their private
key with them on a disk. However, carrying around a disk with your
private key on it is also a security risk because you are carrying
around the key to everything that you are trying to keep secure. If that
disk becomes compromised then it is a big problem.
A lot of human rights activists use Web-based mail such as Yahoo! mail or
something that is also horribly insecure. Other e-mail alternatives are
Hushmail or S-Mail, which allow you to send encrypted mail. If you are
using Hushmail, it will be automatically encrypted to all other Hushmail
users and there are no other extra steps, but if you are sending to
someone who is using PGP then there are a few other steps. If someone
using Hushmail sends an e-mail to someone using Yahoo! mail, the e-mail
would not be encrypted because the person on the other end does not have
the key to decode the e-mail.
A large part of security is about just being aware of your surroundings
and what data needs to be public and ensuring that private data is kept
private. Everybody is vulnerable to security breaches. The president of
Colombia recently lost his wallet, and the person that found it was able
to withdraw thousands of dollars from his bank account because he kept a
sticky note with his PIN number attached to his ATM card. Common sense
and some background on the management of data can prevent such things.
One should never stop thinking about how to keep private data private
because information is available online through a Google search and in
searchable databases that are not encrypted and therefore accessible.
The problem is that you can forget a password, but there are tips for
remembering passwords and keeping them secure. Passwords are more
critical than most people realize and you need to make them both
memorable to yourself and not easily guessable by others, or they can be
cracked in ten minutes using a dictionary attack. A dictionary attack is
an attack in which someone uses a program that runs through all the
words in the dictionary, then tries all the words again with one digit
afterwards, then two, and so on. Such software is readily available in
the hacker community and you should ensure that your password is not
susceptible to it. For example, your password should not be "banana" or
"banana16".
Also, using the same password for all online sign-ins is a bad idea.
System administrators have access to these passwords and if they are
malicious they can also try and use it for some of your more private
things. It is a good idea to have a few throwaway passwords for
information that is not very private and then have another that you use
for more sensitive information.
Another tip is to keep a password-protected file of all your passwords.
It can be a little dangerous because all your passwords are concentrated
in one file, but if you encrypt it using PGP and do not call it
"password file" but something else that only you would recognize,
then it is pretty safe.
You can also use a proactive password checker, which takes a password
that is input, tells you how secure your password is, and enables you to
mix letters and numbers until you achieve the right level of security.
These are being incorporated into some applications and it already
exists in PGP. In fact, PGP does not even use passwords but passphrases
because they are harder to guess and therefore more secure.
It is also important to not use sensitive subject headings with
encrypted messages. While someone may not be able to read the encrypted
message, they will know that there is important information in the
e-mail and they may "socially hack" the receiver of the e-mail to obtain
it, physically take the computer, or even send you an innocuous looking
e-mail that is actually a virus that transfers all of the data on your
computer to someone else via the Internet. Social hacking can be done by
pretending to be someone else in order to get the information in a very
innocuous sounding way, such as pretending to be working with your
system administrator and asking for your password to make an upgrade to
your computer. Never give your password to anybody unless you know you
absolutely trust that they are safe.
If you are using File Transfer Protocol (FTP) for Web development, note
that FTP does not encrypt passwords, which is a huge security risk. ASAP
had to disable FTP on their server and used a shared hosting set-up
instead that required switching to a dedicated server that is more
expensive.
Case studies
Ms. Hastings provided a case study concerning an NGO in Guatemala that
experienced repeated theft of its computers. It was relatively clear
that the government was stealing its computers because the NGO was
involved in a court case that was attempting to punish government
officials for their past human rights atrocities.
While the NGO was trying to learn encryption and was encrypting e-mail,
the staff did not encrypt their computers' hard drives. Therefore, every
time their computers "disappeared" the government was not only able to
access all the information they had compiled for the case against the
officials but the NGO also lost all their own information.
The solution implemented for this case was fairly simple and was
tailored for the specific purpose of this NGO, but it can easily be
duplicated for other settings. All staff were required to save their
information to an encrypted central file server within the office that
was then securely backed up in the US. Now, when the computers are
stolen they are still able to access their data and information on the
stolen computers will remain gibberish unless the thieves can guess the
passphrases. This NGO was able to get on the path from losing and
exposing data to a better level of security and while this is not an
off-the-shelf solution, Privaterra can provide guidelines and technical
support for NGOs to ensure the preservation of sensitive human rights
data and ensure that it does not fall into the wrong hands.
ASAP is currently piloting a project called Zimposium, a secure
encrypted forum for civil society organizations in Zimbabwe that promote
freedom and human rights to communicate and collaborate with each other
online. It will be officially launched within the next few months.
The country has become increasingly polarized between opposition and
government supporters and there has been widespread torture and
intimidation of opposition group members and supporters, including the
Movement for Democratic Change (MDC), the Zimbabwe Congress of Trade
Unions (ZCTU) and the National Constitutional Assembly (NCA). With
members scattered in Harare and Bulawayo, electronic communications are
very important to these groups but they have not had the opportunity to
use encryption, mostly because of a lack of training. They have sent
laptops to these groups to try and teach people how to take the hard
drive out so that anyone stealing the computer cannot obtain the
information, but this is limited by available funds.
Zimposium uses an encryption method called Secure Sockets Layer (SSL).
SSL creates an automatic encryption by exchanging certificates and keys
for a secure connection between users and the server no matter what
application they are running. When you visit a Web site and see https,
that means that they are using SSL and that it is a secure site.
Among other things, Zimposium provides encrypted e-mail, teaches users
to encrypt files that are on their local machines, and provides other
general information regarding encryption and the risks involved. It is
important to be as transparent as possible and ensure that users
understand the risks involved since they are the ones risking their
lives to do their work. They should be aware that nothing is completely
secure and that there is always a security hole somewhere.
In addition to information about encryption, Zimposium has many
different sections:
The Upcoming Events section allows users to plan non-violent mass
action by working out a schedule for stay-aways, rallies, and protests
that have been difficult to coordinate because of government
restrictions. Many Zimbabweans are often unaware of such actions and
better coordination of planning efforts is likely to lead to increased
participation.
The News and Comments section allows users to post news stories that
other users can post comments on through a log form. Since
misinformation in the press often appears, Zimposium allows people to
substantiate or refute information in the news piece and hopefully come
to some sort of agreement of the truth. ASAP has placed a disclaimer
stating that the information in this section is saved in a database and
suggests that users keep their most sensitive data out of this area
because a security breach in Zimposium's US-based server might
compromise a great deal of sensitive information.
The Meeting Table section is a chat facility that is a powerful medium
for communication between activists because the data is not stored in a
database and therefore cannot be compromised in the future. One problem
with this is that if activists want to summarize and share a meaningful
conversation they have in the Meeting Table with others, they will
introduce a security risk. They can copy and paste the information into
an encrypted Microsoft Word document and send it to others, but the
information is then on multiple hard drives, thereby increasing the
security risks.
For encrypted instant messaging, Zimposium uses a program called
GAIM-Encryption which allows users to use all messaging programs within
one application. An encryption and authentication plug-in was built for
GAIM. Although the encryption algorithm it uses, RC5, is outdated and
not the best, it is better than nothing at all and is easy to use.
Overall, Zimposium was built to be a very functional site. There is only
one graphic on the whole site and everything else is text-based.
Depending on the level of encryption, communications can be a bit slower
and with GAIM activists can encrypt with a public key at about 4,090
bits, a high number that will slow down usage.
Zimposium is currently limited to only five very trusted users, but when
it is launched on a larger scale it may be difficult to avoid
infiltration by government sources. While ASAP is lucky to have people
on the ground that can validate and substantiate information and people,
there is always some risk involved.
The programs utilized for Zimposium are all open-source and freely
available on www.sourceforge.net. While the GAIM encryption application
is built-in, and PGP is an encryption application in itself, the PHPBB
software that is used for the news site, the myorgbook software (ask)
for the event scheduling, and the chat facility for the Meeting Table do
not have any built-in encryption but rather the encryption is provided
by the SSL on their server. ASAP is interested in sharing a generic
version of Zimposium and their lessons learned with other
organizations.
Reasons why human rights activists should use encryption
*Human rights activists are more likely to be under surveillance.
*Encryption protects human rights data and communications from curious
eyes.
*In most cases, encryption merely requires the click of one extra
button.
*Most people are foiled by any level of encryption.
*It is also a method of authentication.
*Most encryption software is free.
*The more people who use encryption, the harder it will be for
governments to ban it.
*It can help you network and collaborate with other human rights
organizations without fear.
-------------------------------------------------------------------
Copyright (c) 2003 Digital Freedom Network (www.dfn.org). All rights
reserved. These news headlines and their accompanying links may be
reproduced or redistributed for online not-for-profit use without prior
written consent.
If you wish to SUBSCRIBE to this or other DFN newsletters, please go to
this URL: www.dfn.org/subscribe
-------------------------------------------------------------------
Copyright (c) 2003 Digital Freedom Network (www.dfn.org). All rights
reserved. This article may be reproduced or redistributed for online
not-for-profit use without prior written consent as long as DFN is
recognized with this credit.
- - - - - - -
Steven Clift
clift@publicus.net
http://publicus.net
E-mailed from my wireless "Sidekick"
*** Past Messages, Discussion http://e-democracy.org/do ***
*** To subscribe, e-mail: listserv@tc.umn.edu ***
*** Message body: SUB DO-WIRE ***
*** To UNSUBSCRIBE instead, write: UNSUB DO-WIRE ***
*** Please send submissions to: clift@publicus.net ***
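
The dictionary attack and the proactive password checker described in the article above, as an added example that is not part of the original message and is not PGP's own checker. The sample word list, the 12-character minimum and all function names are assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real checker loads a full dictionary.
SAMPLE_WORDS = frozenset({"banana", "freedom", "harare", "password", "sunshine"})


def split_word_and_digits(secret):
    """Split 'banana16' into ('banana', '16'); return None if the shape differs."""
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", secret)
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def dictionary_attack_guesses(secret, words=SAMPLE_WORDS):
    """Worst-case guess count for the attack the article describes:
    every word, then every word plus one digit, then plus two digits, and so on.
    Returns None when the secret is not 'dictionary word + optional digits'."""
    parts = split_word_and_digits(secret)
    if parts is None or parts[0] not in words:
        return None
    n_digits = len(parts[1])
    # Rounds 0..n_digits each try len(words) * 10**round candidates.
    return sum(len(words) * 10 ** r for r in range(n_digits + 1))


def review_password(secret, words=SAMPLE_WORDS, min_length=12):
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    guesses = dictionary_attack_guesses(secret, words)
    if guesses is not None:
        findings.append(
            f"dictionary word, optionally followed by digits: at most {guesses} guesses"
        )
    if len(secret) < min_length:  # min_length is an assumed policy value
        findings.append(f"shorter than {min_length} characters")
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, secret)) for p in patterns) < 2:
        findings.append("uses a single character class")
    return findings


if __name__ == "__main__":
    # Constructed candidates; the first two are the article's own examples.
    for candidate in ("banana", "banana16", "Tr4il-of-9-Lanterns"):
        print(candidate, "->", review_password(candidate) or "no findings")
```

With a realistic dictionary of 100,000 words the same arithmetic gives about 11 million guesses for a word plus two digits, which is why appending "16" to "banana" adds so little.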