Online armour: Duncan Campbell's tech chief on anonymity 101

Of Tor, TAILS and Jabber


Crypto toolbox, Part II

In the first article in this two-parter on building your own crypto toolbox I covered older tools that have been around for a relatively long time now: Truecrypt and OpenPGP. Here, I will go in a different direction and look at ways of protecting instant messaging, general web-browsing, and how to trust the operating system where we run these tools.

Voice and video chat

The once vaunted Skype is no longer secure in any meaningful sense of the word.

If you need secure voice or video chat, the commercial Silent Phone service (from Phil Zimmermann's Silent Circle) is generally regarded as robust and trustworthy, as it builds on top of the security model of the old PGPfone. It is available for Windows, Android and iOS – but OS X seems to be notably absent at present.

From a practical standpoint the VOIP experience on Silent Phone is not as polished as you may be used to from Skype – for example, there's no-to-poor echo cancellation – so I strongly recommend using a proper headset rather than speakers and the crummy mic built into your webcam or laptop. For the sake of completeness it must also be noted that this is a proprietary closed-source service; it's up to you to decide if that's a deal-breaker for you. Like it or not, this is what's used and trusted in certain circles.

OTR plugin, on top of Jabber/XMPP

For the instant-message generation, a plugin called OTR (Off The Record) offers end-to-end protection for communications on compatible IM services and applications.

The combination used by NSA whistleblower Edward Snowden and his supporters is to use the open XMPP IM protocol, often on the Pidgin client, with this OTR plugin to provide the security. You'd then transmit over Tor for general anonymity, using the TAILS OS for local security, which I'll come to shortly.

OTR uses some of the same Public-Key crypto concepts as OpenPGP, but with a focus on protecting live chat sessions. Once you have established a secured OTR session, you can be sure that nobody is snooping on your conversation – but after the fact, what you said can't be held against you. The person you're chatting with would be completely able to forge the digital signatures, meaning third parties can't prove that you yourself said something.

This is in stark contrast to PGP, where a signature is a very strong proof of the authorship of a message.

[Image: Pidgin – the open XMPP IM protocol is often used on the Pidgin client]

As with OpenPGP, you are responsible for checking the key fingerprint of the person you're communicating with. Unlike PGP, however, there is no concept of signing someone else's key to transfer trust – you will definitely need to check manually. As with PGP, a Skype video call is suitable for this – I recommend doing a full fingerprint check rather than using any "question and answer" alternatives, as that's what makes me most comfortable in terms of robustness of security.
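The two properties discussed above, deniability of a chat transcript and the manual fingerprint check, as an added illustration that is not code from the article or from the OTR project. It models OTR's live-session authentication with an HMAC under a key both chat partners share, which is the design decision that makes a transcript deniable, and contrasts it with a signature (a Lamport one-time signature, chosen only because it needs nothing beyond a hash function) that only the private-key holder can produce. The session key, the key serialisation and the message texts are constructed for the example; real OTR derives its keys from a Diffie-Hellman exchange and uses its own wire format, so only the shape of the argument carries over.

```python
import hashlib
import hmac
import secrets

# --- 1. The manual fingerprint check ---------------------------------------

def fingerprint(public_key: bytes) -> str:
    """SHA-1 of the serialised public key shown as five groups of eight hex
    digits, the layout OTR clients display. The serialisation fed in is this
    example's own (see serialize_public), not OTR's wire format."""
    digest = hashlib.sha1(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def fingerprints_match(shown: str, read_out: str) -> bool:
    """Compare what your client shows with what your contact read out over the
    verification call; spacing and case differences are ignored."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return hmac.compare_digest(norm(shown), norm(read_out))


# --- 2. Live-session authentication, OTR style: a MAC under a shared key ----

def session_mac_key(session_key: bytes) -> bytes:
    """OTR derives the MAC key from the shared session key, so BOTH partners
    can compute it (constructed derivation, stdlib only)."""
    return hashlib.sha256(b"otr-mac|" + session_key).digest()


def tag_line(session_key: bytes, sender: str, text: str) -> bytes:
    return hmac.new(session_mac_key(session_key),
                    f"{sender}: {text}".encode(), hashlib.sha256).digest()


def line_is_authentic(session_key: bytes, sender: str, text: str, tag: bytes) -> bool:
    return hmac.compare_digest(tag_line(session_key, sender, text), tag)


def transcript_is_deniable(session_key: bytes) -> bool:
    """Alice verifies a real line from Bob (only Bob or she holds the key, so
    live it must be him), then produces an equally valid tag for a line Bob
    never sent. OTR goes further and publishes old MAC keys, so after the
    session anyone can do this: a leaked transcript proves nothing about who
    typed what."""
    real = tag_line(session_key, "bob", "the meeting is at nine")
    if not line_is_authentic(session_key, "bob", "the meeting is at nine", real):
        return False
    forged = tag_line(session_key, "bob", "I sent the files")  # made by Alice
    return line_is_authentic(session_key, "bob", "I sent the files", forged)


# --- 3. A PGP-style signature: only the private-key holder can produce it --

def lamport_keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public


def _message_bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(private, message: bytes):
    # Reveal one preimage per message bit; the other half stays secret.
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(sig).digest() == public[i][bit]
               for i, (sig, bit) in enumerate(zip(signature, _message_bits(message))))


def serialize_public(public) -> bytes:
    """Constructed serialisation so a Lamport public key can be fingerprinted."""
    return b"".join(a + b for a, b in public)


if __name__ == "__main__":
    bob_private, bob_public = lamport_keygen()
    fp = fingerprint(serialize_public(bob_public))
    print("Bob's fingerprint:", fp)
    print("read-out matches:", fingerprints_match(fp, fp.lower()))

    session_key = hashlib.sha256(b"constructed session key").digest()
    print("MAC-authenticated transcript deniable:", transcript_is_deniable(session_key))

    sig = lamport_sign(bob_private, b"I sent the files")
    print("Bob's signature verifies:", lamport_verify(bob_public, b"I sent the files", sig))
    alice_private, _ = lamport_keygen()
    forged = lamport_sign(alice_private, b"I sent the files")
    print("Alice's forgery verifies as Bob:", lamport_verify(bob_public, b"I sent the files", forged))
```

The MAC half is the whole point of the OTR design: a tag is evidence that someone holding the key wrote the line, and because both partners (and, after key publication, everyone) hold it, the tag singles out nobody. The signature half is why the same logic does not apply to a PGP-signed mail: a signature that verifies under Bob's public key could only have come from Bob's private key.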

There is a wide range of public Jabber servers (Jabber being the original name of XMPP). Because Jabber is federated, users on one server can communicate freely with users elsewhere – provided that both ends offer server-to-server TLS encryption. The general Jabber server-admin community has recently moved towards absolutely requiring server-to-server encryption, which has had the effect of cutting off Google Talk users from pretty much everyone else.

One Jabber server offered by the German Chaos Computer Club is used quite heavily and is available as a Tor Hidden Service, although they don't offer much in the way of guidance or hand-holding.

American tech-collective Riseup offers email accounts with a matching Jabber service, has very nice tutorials for a variety of chat clients (including Adium for OS X users), and its server can also be reached as a Tor Hidden Service, although you will need to request an invite to sign up for their services.

The OTR plugin's website has links for some tutorials on its use. I found this one to be very thorough and covered everything for Windows. A little bit of digging elsewhere revealed a similar guide for Adium users in OS-X-land.

Tor, The Onion Router

While you can use GPG to secure the contents of your email, a state-level adversary with extensive taps on the big intercontinental submarine cables will still be able to see that you are emailing this other person. If someone from a government or military IP address range started sending encrypted mail to known investigative journalists (or other potential enemies of the state), there's a very strong risk there – even if the security forces can't read the contents of the messages.

Also visible to your ISP – and therefore freely visible to the state via its ability to twist your ISP's arm in secret – is your web browsing, instant messaging, and anything else you're doing.
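The metadata point above, as an added example that is not part of the original article: a constructed PGP/MIME message is parsed with Python's standard email module to list what a passive tap on the cable (or your ISP) can still read when the body is encrypted. The addresses, relay name, IP address and the "ciphertext" are constructed placeholders, not real traffic or a real PGP packet.

```python
import email
from email import policy

# Constructed PGP/MIME message as it would pass between two mail servers.
# The body is ciphertext (placeholder here); every header is in the clear.
RAW_MESSAGE = b"""\
Received: from mail.example.org (203.0.113.10) by mx.example.net; Mon, 02 Jun 2014 10:15:02 +0000
From: analyst@example.org
To: reporter@example.net
Subject: background on the cable taps
Date: Mon, 02 Jun 2014 10:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="part1"

--part1
Content-Type: application/pgp-encrypted

Version: 1

--part1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0c0n5truct3dPl4c3h0ld3rCiph3rt3xt
-----END PGP MESSAGE-----

--part1--
"""


def wire_metadata(raw: bytes) -> dict:
    """Everything readable without touching the encrypted body: who is
    talking to whom, about what, when, and through which relays."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),   # PGP/MIME leaves the subject in the clear
        "date": str(msg["Date"]),
        "relays": [str(h) for h in msg.get_all("Received", [])],
        "encrypted": msg.get_content_type() == "multipart/encrypted",
    }


def readable_body_parts(raw: bytes) -> list:
    """Plain-text parts an eavesdropper could read. For a correctly built
    PGP/MIME message this is empty: the only payload is armoured ciphertext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/plain"]


if __name__ == "__main__":
    meta = wire_metadata(RAW_MESSAGE)
    for key, value in meta.items():
        print(f"{key:>9}: {value}")
    print("readable body parts:", readable_body_parts(RAW_MESSAGE))
```

The body check coming back empty is the good news from GPG; the metadata dictionary is the bad news the article is making: sender, recipient, subject, timing and the relay path are all exposed, which is exactly what a traffic-analysis adversary needs and what Tor is meant to hide.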

The most robust way to anonymise your internet use is Tor (The Onion Router), which does a very good job of evading that sort of surveillance.

[Image: GCHQ owns Tor nodes]

We know it works well because we've got the NSA's slides where they describe how much they hate it. They describe it as a "CNE [Computer Network Exploitation] headache", which is a superb seal of approval.

It is worth noting that Tor provides anonymity. That's it. It does not automatically provide security or privacy. If the "exit node" you are using (the point where your traffic leaves the Tor network and emerges on to the normal internet) is unscrupulous, evil, just hacked, or run by GCHQ, it has the ability to intercept the contents of your communications. It won't automatically know who you are (e.g. your real IP address), because that is hidden by Tor – but it can see what you're sending and receiving.


Biting the hand that feeds IT © 1998–2022