Internet Security and Privacy for Activists and Citizens

by Leftism

Introduction
Terminology
Your IP address
Hiding your IP address
Why should I hide my IP address?
How do I hide my IP address?
Checking that your IP address is hidden
Your Internet Service Provider
The problem of ISP surveillance
A solution to the problem
Anonymous/Secure Surfing
Anonymous/Secure Emailing
web-based remailers
Hushmail
PGP (Pretty Good Privacy)
Anonymous Newsgroup Posting
Securing your computer and files
Your browsing/windows habits
Deleted files not secure
Keeping your files private
Emerging Technologies
Afterword

* Unmodified copies of this document may be freely distributed.

Introduction

This web page is intended to be a very basic introduction to Internet security and privacy issues for activists and citizens. It is not meant to be an exhaustive text of all the issues, nor does it deal with any of the issues in great depth. My intention is not to teach the theoretical or technical basis for security on the Internet, but rather to enable the user to protect his/her security and privacy as quickly and easily as possible.

Terminology

Before we begin, we need to clarify the terms that we will be using in this essay.

'Anonymity': refers to the ability to engage in activity on the Internet, such as emailing, surfing, or posting to newsgroups, in such a manner that no one can determine who you are or practically any other nontrivial information about you.

'Privacy': refers to the ability to store information, or transmit information, from sender to recipient(s) in such a manner that only the intended recipients or owner(s) are able to decode, read, or use the information. This usually involves making sure that no unintended third-party is able to intercept the information along the transmission route and make any real use of it. In the context of websurfing, I will also use the term 'Securely'.

'Encryption': refers to the process in which data is 'scrambled' in such a way as to make it deliberately unintelligible to anyone who reads or gains access to it other than the intended recipient(s).

Your IP address

Every computer on the Internet has an IP address. This is a number of the format x.x.x.x (where each x is a number from 0-255) which uniquely identifies your computer on the Net. This number is essential for sending and receiving information from one computer on the Net to the next. If you are on a dial-up connection, this number usually changes each time you connect. Alternatively, your IP address may not change if you are on a high-speed, always on line, or your Internet Service Provider (ISP) has designated you a 'static' IP address.

What this means is that your Internet activity can potentially be recorded or traced, either by your ISP or by the various servers (computers) that you connect to. Web-sites, for example, are known to sometimes log IP addresses. What further information about you that can be obtained with the knowledge of your IP address varies greatly depending how you are connected to the Net. Suffice to say your ISP keeps a log of who is using what IP address at what times. If someone should complain to your ISP for whatever reason about activity from such-and-such IP address, or if the authorities legally force your ISP to tell them who was using what IP address at whatever time, then any such activity can be traced directly back to you.

Hiding your IP address

Why should I hide my IP address?

Because of the way that your IP address is a unique identifier for who you are and your activity on the net, it is essential that you hide your IP address while surfing the web and doing other net activity if you wish to preserve your anonymity and preserve your online.

The simplest way to do this is to use a 'proxy'. Simply put, a proxy is an intermediary machine between you and the computer that you wish to connect to. The way a proxy works is this: If you wish to access a file on another computer on the net (machine X, say), you tell the proxy machine to get it for you. The proxy machine then retrieves the information from that machine and then passes it on to you. Machine X knows nothing about your computer. All it knows is that the proxy machine made the request for this information. Ideally, any information that it gathers will be about the proxy machine, and not your computer.

Next, we will discuss how to hide your IP address while surfing and web-mailing by setting up your browser to use a proxy. This will also be useful for sending anonymous web-based mail, as we shall see later on. Anonymous emailing will also be dealt with in more depth further down.

How do I hide my IP address?

Setting up a proxy on your browser may sound complicated, but it is actually a fairly simple process. All browsers that I am aware of have a feature which allow you to configure them to use proxies.

First, find an anonymous proxy to use by visiting one of these pages:

Multiproxy

proxys4all

Both pages have instructions on how to configure your browser to use Proxies. I will not go into detail here on how to do it, since I believe these pages explain them quite nicely and better than I ever could. The Multiproxy site contains a program called 'Multiproxy' which installs on your computer and which, once configured, makes your browser 'chain' a large number of proxies together, providing the assurance of maximum anonymity- since there is nothing stopping a proxy itself from recording your IP address. You do not have to install this program, however, and can simply use one of the proxies listed with your browser in the normal manner, as instructed at 'proxys4all'.

The instruction page on the 'Multiproxy' website is here.

The instruction page on the 'proxys4all' website is here.

Checking that your IP address is hidden

Once you have configured your browser to use a proxy, it is crucial that you check that your IP address is hidden and you are indeed anonymous; you may have misconfigured your browser, the proxy you installed may not have been anonymous, or a number of other problems may have occurred.

To do this, you need to use what is called an 'Environment checker'. This is normally a web-page that you visit that tries to gather as much information about you that it can. The most important piece of information being, of course, your IP address. From this web page, you can tell how much information you are giving away while browsing. It is recommended that you first visit such a web page with your proxy turned off so you can determine your IP address if you don't already know how to obtain it. Once you have done that, revisit the 'Env checker' web page (or a different one) and compare the two results. The 'Env checker' web page should now show the IP address of the proxy that you have configured - or, if you have chained several proxies, the last proxy in the chain.

Here is a very good 'Env checker' at http://www.privacy.net/

Both the 'Multiproxy' and 'proxys4all' websites also have 'Env checkers' or links to them.

Your Internet Service Provider (ISP)

The problem of ISP surveillance

It is important to be aware that everything that you do online can be monitored and recorded by your ISP- every web page your visit, everything you type and send over the Internet, everything you download. Most of the techniques outlined in this document concentrate of preventing 'third-parties' from being able to trace particular Internet activity back to you or your Internet Service Provider. However, if the authorities already suspect that you are engaging in 'suspicious' activities (for example, organising a peaceful protest), they can order your ISP to start recording your activities (although unlikely, they may already do so as a matter of course for all users) and hand over these records to them.

It is worth briefly mentioning that government spy networks such as Echelon pose a similar threat to your privacy and anonymity by intercepting data en route. This need not involve your ISP at all.

A solution to the problem

The only way to prevent this sort of monitoring is to make sure that everything that you send out to and receive over the Net is encrypted. This includes surfing, emailing and newsgroup posting. Simply put, encryption means 'scrambling' or 'encoding' your data so that no one but the intended recipients can make any sense of it if they intercept it along the way or at the destination.

Below we will discuss ways of allowing you to do the main three Internet activities - Web Surfing, Emailing, and Newsgroup posting - anonymously, and if you wish, using encryption for extra security. We will also discuss how to send email securely so that only the intended recipients can read it, whether the sender is anonymous or a known party.

Anonymous/Secure Surfing

If you have configured your browser to use a proxy or proxies correctly, then you are already surfing anonymously. The web site that you visit will almost certainly not be able to trace your visit back to your computer. The more proxies you have chained, the lower this probability.

Another way of surfing anonymously without configuring your browser to use a proxy, is to use a 'CGI' web-based proxy. This just means a web site which you can visit as you would any other web site, but that which you can make page requests to, and will act as an intermediary or proxy server for you. This is no doubt the easiest method of anonymous surfing. Here are a few good web based proxies:

Anonymizer.com - http://www.anonymizer.com/

Janus Rewebber - http://www.rewebber.de/

Anonymouse - http://anonymouse.is4u.de/

Safeweb - http://www.safeweb.com/ [*]

Autistici.org - https://proxy1.autistici.org/

The last two of these - 'Safeweb' and 'Autistici.org' - also encrypt all the URL's that your request and all the data that leaves or enters your computer. This allows you to browse the web securely.

[*] You should be aware that the trustworthiness of safeweb has been called into question for not entirely unjustified reasons, which can be read here, here or here.

Anonymous/Secure Emailing

web based remailers

Anonymous emailing can be very easily achieved through the same method as anonymous surfing. There are web sites that provide you with an email template which you fill out in the same way as a regular email message when using a POP/SMTP account (for example, when you use a mail client such as Eudora, Pegasus or Outlook Express). These web sites then forward your mail to the destination you designate in the 'To:' and 'CC:' fields. The mail could then be theoretically traced back to the web remailer that you used, but not to you or your computer. Such a service is called a 'web to mail gateway'. Here are a few good web based anonymous remailers:

(a) Anonymouse - http://anonymouse.is4u.de/

(b) The Global Internet Liberty Campaign remailer - http://www.gilc.org/speech/anonymous/remailer.html

© Riot anonymous emailer - https://riot.eu.org/cgi/remailer.cgi

These three remailers are listed in increasing level of security. The 'Anonymouse' remailer (a) does not encrypt your message as it is sent from your computer to the server and does not chain your message with other anonymous remailers. The GILC (b) remailer chains several anonymous remailers together, thereby enhancing your security greatly, but is also not encrypted. The person you email may not be able to determine who you are, but anyone snooping in on your communications will be able to determine the contents of your email, who you emailed, and at precisely what time. The Riot © anonymous remailer provides the highest level of security. It chains several remailers together, like the GILC remailer, but also uses 'SSL' encryption to scramble your data during transmission from your computer to the server.

Anonymous remailers that use encryption are both anonymous and secure.

Use whatever level of security that you think best fits your needs. Always be aware of the type of security whatever remailer you are using provides in terms of chaining, encryption, and whether or not you can trust the provider of the service itself.

Hushmail

Hushmail is a free webmail service that offers anonymous and secure communications to its users. The advantage of having a webmail account over using an anonymous web remailer is that people can reply back to the messages that you send out, giving you a two-way communication channel. If the service that you use does not require you to provide your name and other personal information, like Hushmail, or the information tht your provide is false[1], then it can be considered somewhat anonymous. I stress the word 'somewhat', because the webmail service provider can still determine your IP address in the usual manner unless you have taken steps to conceal it - as I have explained above.

Apart from anonymity, Hushmail provides a secure channel by which Hushmail users can send emails to each other. In other words, Hushmail users can send emails to each other without fear that their messages are being intercepted en route and being read by an unintended third-party. Once again this is achieved through encryption. This encryption process is done completely automatically and the users sending and receiving mails don't have to do anything differently than if they were using regular webmail accounts.

You must be remember, though, the privacy aspect of Hushmail only works when sending messages between Hushmail accounts. If a Hushmail user sends a message to anyone other than another Hushmail user, then the communication will not be secure, though if they have taken the adequate steps, they will be remain anonymous. Also remember that all your emails are still being stored on Hushmail's mail servers and the authorities can always force Hushmail to hand over the contents of your mail box.

Hushmail is useful as a quick and easy way to send secure messages between you and your friends or fellow activists that requires no additional computer expertise above sending a regular email message. It is highly recommended.

[1] The author of this article is not encouraging any illegal activity such as falsifying information. Every user is responsible for their own online activity.

PGP (Pretty Good Privacy)

PGP, or Pretty Good Privacy, is a software program that provides practically unbreakable[2] encryption for anyone with a reasonably powerful computer to use for all their online communications, including and especially email, as well as a way of securing files on their computer from prying eyes.

Unlike when using Hushmail, data is encrypted by the user himself using the PGP program and the user can verify this fact for himself by examining the data. Also, when using PGP, there is no intermediary location that stores emails or files in their unencrypted form. For these reasons, among others, PGP provides probably the best security a home PC user can get. In fact, the level of security is so high that, when used properly, not even government agencies with huge computing power at their disposal are able to crack a high level security (large keylength) PGP encrypted file. It is for this fact that the US government classified PGP software as 'munitions', and until very recently, 'banned' it from being exported from the United States.

Apart from encryption, another feature of PGP, is the implementation of 'digital signatures'. Briefly, this means that one can digitally 'sign' a document in such a way that the intended recipient is absolutely sure that the source is authentic, and that the message or file has not been tampered en route.

PGP is widely available over the internet. For starters, you can go to C|NET - download.com and type in 'PGP' in the search text box after choosing your operating system. For beginners, it is recommended that download 'PGP Freeware' instead of 'PGP x.x.x'.

Be forewarned, although the authors of the software have tried to make the software as easy to use as possible, some users may experience difficulties in getting the software to work. Although somewhat confusing to operate at first, the rewards are well worth the effort. Therefore, I strongly recommend that every computer user above novice level who is concerned about their online privacy, make a concerted attempt to install and run PGP on their home machines.

[2] It is a tenet of cryptography that nothing can or should be considered unbreakable under all circumstances, all of the time, for all time. However, the cryptographic methods of PGP are soo strong that, when used properly, they are considered to be unbreakable - practically speaking - for the time being and foreseable future.

Anonymous Newsgroup Posting

Anonymous newsgroup posting can be achieved most easily through the same method as anonymous emailing... that is, through a web interface. Such a service is called a 'web to news gateway'.

both 'Anonymouse' and 'Riot', as listed above provide web to news gateways.

In addition to the above two, here is an additional gateway:

Elandnews 'Pseudo anonymous web2news' - http://www.elandnews.com/mauritius/anon.html

Another way of sending anonymous newsgroup messages is to sign up to 'Google Groups', which is a service provided by Google which provides a near complete inferface to newsgroups via the web; users can both read and post newsgrousps.

In order to access this service, you need a valid email address, but no other information is asked of you other than the username that will appear on your posts - which can be any name of your choice that is not already taken.

Of these four, only the 'Riot' gateway is anonymous, chained and secure. Remember to always use a proxy when connecting to any of these web to mail or web to news services if you want to ensure your anonymity.

Securing your computer and files

This essay has, up until now, discussed security and anonymity when a user is transmitting information over the internet. There is, however, another important aspect which we have not discussed - the security and privacy of the files stored on your computer, including files containing records of your internet activity. It is in this section that we will briefly discuss a few of the most important areas in this subject.

Your browsing/windows habits

Many users do not realise the size and scope of the trail of information that they leave on their computer when they open files and browse the internet. A great deal of what you do online and offline on your computer is being recorded on various files on your hard drive.

For example, every URL (hypertext link) that a user visits is recorded on his or her hard drive. This information can be stored for months, years, or even an indefinate amount of time. Every image, or almost every image, that has been loaded while browsing the web is also stored on the hard drive for a specified period of time, or until the cumulative space consumed by these images reaches a certain amount. In addition, URL's are sometimes stored in a browsers 'Location bar' for easy access later on. These things are done (ostensibly) in order to speed up and facilitate a users 'browsing experience', but obviously raise seriously privacy concerns.

Another concern is the use of 'cookies'. These are small text files that are created on your computer when you visit a web-site that keep track of your online activity within the site that the cookie originated from (sharing cookies is rare, but does happen on occassion). A cookie is sometimes used, for example, to determine whether a user has visited the site before, and if so, what areas they took an interest in.

There are four main areas that a user should primarily be concerned with with regards to surfing habits:

The History folder, located at c:\windows\history ...which stores URL's of every page you have visited The Windows Temp folder, located at c:\windows\temp ...which stores .html and image files from pages you have visited The Cookies folder, located at c:\windows\cookies ...which stores all the cookies you were given by websites The Temporary Internet Files folder, located at c:\windows\tempor~1 ...which again stores the URL's of the pages you have visited, along with some other information. in addition to the 'normal' files which are stored in these folders, an addition special file is also added. This file is called 'index.dat' and cannot be deleted from within Windows. This is potentially a very big problem, because it also contains information of a sensitive nature (for example, URL's).

You can solve this problem by exiting to DOS (completely quitting Windows, not just opening up a DOS window) and deleting these folders by hand or by modifying your 'autoexec.bat' file to do this for your every time you start up your computer. I would recommend the latter, as the index.dat files will be recreated by Windows anyway and it wont be long before they start to grow in size again by accumulating more and more sensitive data; if you modify your 'autoexec.bat' file to delete these files for you, you will never have to worry about them again.

Find the text file called 'autoexec.bat' in your root directory (usually C:\). If you can't find it, that's ok, just create a new one. Copy the below five lines in italics into it and save. If you want to actually see the process happening every time you start up, ommit '@ECHO OFF' entirely and the '> NUL' part at the end of each line.

@ECHO OFF

DELTREE /y c:\windows\history\*.* > NUL
DELTREE /y c:\windows\tempor~1\*.* > NUL
DELTREE /y c:\windows\temp\*.* > NUL
DELTREE /y c:\windows\cookies\*.* > NUL

Deleted files not secure

When you 'delete' a file using right-click, 'Delete' in Windows or typing in 'del' from DOS, you are not actually erasing that information from your hard drive. What you are instead doing is removing all references to that information. Your operating system does this because it is a lot quicker to remove references to files and file information than to physically write over or delete (destroy) the actual information stored on the disk.

This can present problems for privacy, since information which you may have thought you safely deleted can actually later be retrieved by someone who you may not wish to have access to it.

Remeber, this also holds true for the files listed in the above section relating to your browser history, temp, and cookie files.

The solution is to download a program which will both a) delete individual files for you in such a manner as to completely (irretrievibly) destroy them by overwriting on top of file data several times and b) perform a 'wipe free disk space' operation that will do the same thing on the free space on your HD (which may contain file fragments of old files erased 'normally').

There are several of these programs, called 'file wipers', at C|NET - download.com. Among some of the better ones are 'Eraser' and 'BCWipe'. Go to C|NET and do a file search for 'file wipe', or type in the names in the search box of the above two programs directly. I would recommend trying out a few to see which one you think is the fastest and most productive.

Don't forget to wipe both sensitive individual files and free disk space (on a regular basis).

Keeping your files private

The only way to keep your files private with any real degree of security is to encrypt them on your hard disk. While there are many utilities that do various tricks with your operating system to hide or password protect your files, ultimately these should only be used in conjunction with 'strong' encryption to provide additional security.

There are many programs available to do this. Again, you can find a number of them on C|Net. While there are many programs that provide encryption, what is needed is 'unbreakable' encryption. While no encryption technique is fool-proof and will remain so forever, there are encryption techniques which, for all intents-and-purposes (if used correctly) are, practically-speaking, unbreakable (as far as we know) for the time being.

PGP is one program which provides such encryption techniques. Though are other programs out there besides PGP, but PGP is certainly the most well-known and trusted. Therefore, I recommend using PGP for this purpose, in addition to encrypting emails.

Be sure to read the manual first and use PGP properly. I would also recommend a key size of at least 2048 bits - you will understand the meaning of this once you download the program and read the instructions.

Emerging Technologies

I will briefly now only mention three future communication technologies for the internet that may be of interests to activists and citizens concerned about their privacy.

The three programs are called 'Freenet', 'Peekabooty' and 'psst'. There are working versions of these programs at this very moment available for download, but users should be aware that they are still under development.

Freenet is program that implements a peer-to-peer network over the internet. I will not go detail as to what this means, other than to say that peer-to-peer networks are computer networks that have a decentralised structure- making them less vulnerable to attack and censorship.

Freenet allows you to share files and information using your web browser in a way that is private (nobody knows what you're downloading or uploading), anonymous, and uncensorable. For these reasons Freenet has the potential to be an extremely useful technology in the context of modern 'information warfare'.

Not much is known about Peekabooty, as no versions have even been released yet. I mention it here because it sounds quite promising. Like Freenet, Peekabooty will allow users to download content anonymously. Unlike Freenet however, Peekabooty will not grab this content from it's own network, but instead uses the web. So for all intents-and-purposes, it will be an anonymous browser.

In similarity with Freenet, Peekabooty is being designed specifically to the censoring of content by governments and corporations very difficult.

If you would like to learn more about Peekabooty, the best thing to do is to do a Google seach for 'Peekabooty', or simply click this link to do so automatically.

psst is a chat program that runs on both Windows and Linux and which the programmer describes as:'Simple, free, convenient no-frills Instant Messaging software with strong encryption...'

Alternatively, you can get the PGP plug-in for ICQ if you are more comfortable with it. psst has the advantage of being very small and quick and won't add any other files to your system.

Afterword

I hope this document has been informative and useful. It covers the very basics of Internet security which everyone should understand if they are concerned about their online privacy and wish to do something about it. I have not mentioned Firewalls, Trojan Horses, and Viruses. These topics may be covered in the next version of this document. Knowledge of them will greatly enhance the chances of you maintaining your privacy. I therefore encourage readers of this document to investigate these matters on their own by clicking on the links below.

These links concern the topics mentioned immediately above as well as other issues. They are written for varying levels of expertise.

Cryptography FAQ

CERT Manual on Home Network Security

Security Focus's basic Basic Security Checklist for Home and Office Users

and finally the wealth of information at Astalavista.com

Good luck.

Credits

Version 1.0*
Written by Leftism
editorial assistance by Azz