
ProtonMail is a new email service developed by a group from MIT and European research center CERN. It promises to bring secure, encrypted email to the masses and keep sensitive information away from prying eyes.

“We guarantee only the sender and receiver can read the messages,” said Andy Yen, a co-founder of ProtonMail. “We have zero access to user data.”

Not only has the platform been successful, its crowdfunding campaign on Indiegogo surpassed its $160,000 goal within three days and has so far raised $197,130 from 4,250 backers. The campaign started on June 17th. The servers are currently at maximum capacity, but additional funds raised will go towards increasing it. You can request an account and join the waiting list here.

Get a ProtonMail account here

In my opinion, this looks to be the best solution to mass collection of emails by intelligence agencies.

  • They do not collect user data such as IP addresses or times of activity
  • The servers are in Switzerland, which means any government trying to get access to the little data ProtonMail says it collects would have to work through Swiss digital privacy laws, some of the toughest in the world.
  • They are not accepting investors so ProtonMail’s focus remains on privacy and security without corporate interests interfering with that.
  • You can send encrypted email to non-ProtonMail users, including Hotmail, Gmail and Yahoo accounts.
  • Messages are protected with AES and RSA through OpenPGP. The code is open source, so it can be inspected for backdoors rather than simply trusted to have none.
  • Hardware is contained in secure datacentres also used by Swiss banks.
  • They run special routines on their servers to detect whether the code running on their systems has been illicitly changed without their knowledge, in the event of a server compromise.
  • Full details on their security implementations can be found here.

I am on the waiting list and currently awaiting my own free account. I would urge everyone who is concerned about online privacy to do the same. While it is not completely secure, it is the best service currently available, and the creators have been very upfront about the strengths, and weaknesses, of their service.

We know that the NSA collects encrypted emails simply because they are encrypted, arguing that if you want to hide the contents of your email then there must be something worth reading. This service cannot stop that collection, but it does deny the collectors the content: what they gather is ciphertext that only the sender and recipient hold the keys to.

However, the greatest weakness is the endpoint: the contents of your emails are most exposed while you are typing them, before they are encrypted. If the NSA or GCHQ want to read your emails, they will need to carry out a targeted attack, most likely the installation of a keylogger to retrieve your account password, decryption key and emails. We know that they use this tactic. It may be hard to prevent, but you can take heart knowing that they have wasted time and resources on an innocent citizen fighting back. If you want some information, including a time-consuming but effective method for combating keyloggers, then look here. There is also anti-keylogging software available, but no one can vouch for its integrity or effectiveness.

The British security services community is making its voice heard. They want more resources, more powers and less oversight. The justification? The Islamic State in Iraq and the Levant (ISIS) are a threat to the security of Britain.

In the last few days, David Cameron, MI6 and the London police have all issued warnings of the “danger to Britain” from this month’s ISIS invasion of northern Iraq, and from a possible 400-500 “returning jihadists”. Liam Fox, the former Defence Secretary disgraced for abuse of his position and influence, has now waded in and thrown his support behind greater surveillance powers.


It is simply ludicrous to state that the returning jihadists pose a threat to national security. This is yet another example of this Conservative government using fear politics to set the backdrop for easing these powers through Parliament and being written into law.

Those who put security above civil liberty deserve neither. Once a government has these surveillance powers, it is much more difficult to take them away. Sadly, as each new surveillance power is granted, we edge closer and closer to the dystopian surveillance society predicted in Orwell’s ‘1984’. We must preserve our freedom and fight to protect it.

The internet’s largest torrent search engine, Torrentz.eu, has been taken down in the latest attempt by UK police to combat copyright infringement.


The site’s domain was suspended by its registrar after a request from the UK’s Police Intellectual Property Crime Unit, although the latest news suggests the domain has since been released after lawyers argued that the takedown was unlawful.

Many competitors have also been taken offline recently. Two of Torrentz.eu’s most significant peers — isoHunt and The Pirate Bay — have been taken down completely or blocked in many countries. My previous blog entry found here will show you many ways of getting around the blocks and bans put in place.

The police began to block websites rather than targeting individuals towards the end of last year, when they asked Internet Service Providers to block 21 sites that link to infringing material. Unlike that move, which meant Torrentz.eu was already blocked on many ISPs, suspending the domain itself stops the name resolving anywhere, so users cannot reach the site through any ISP.

However, we have a solution.

Just click HERE or HERE.

If this site goes down, please let me know by leaving a comment so I can fix it and continue to assist in accessing Torrentz. The internet should be a place free from any government censorship, particularly when this latest censorship campaign against copyright ‘pirates’ is being funded by wealthy media lobbyists and their indiscriminate cull affects so many innocent individuals.


Vodafone, the world’s second-largest mobile phone carrier behind China Mobile, revealed that in six countries where it does business, the government requires direct access to the telecom’s network.


“In a small number of countries, the law dictates that specific agencies and authorities must have direct access to an operator’s network, bypassing any form of operational control over lawful interception on the part of the operator,” the report said.

Vodafone declined to name those specific countries for legal reasons but noted that nine countries worldwide — including three from the European Union — forbid disclosure of any information related to wiretapping, interception, or surveillance under their own law. Those countries include Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa, and Turkey.

The disclosure came as part of a 147-page transparency report from the United Kingdom-based telecommunications company, which provides services to 430 million customers across 27 countries.

Vodafone also noted ominously that “several countries empower agencies and authorities to require the disclosure of the encryption ‘keys’ needed to decrypt data. Non-compliance is a criminal offence”.

Vodafone confirmed that in around half a dozen of the markets in which it operates, governments in Europe and outside have installed their own secret listening equipment on its network and those of other operators.

Under this direct-access system, the agencies’ own equipment taps traffic at key points in the network, giving unfettered access to the content of phone conversations and text messages and, in some cases, live data about customers’ locations.

Such arrangements allow surveillance without the usual warrants, and mean the operator cannot know how many people are being targeted or what the justification for the snooping is.

Vodafone also noted that data encrypted on individual devices is not typically held by a company like Vodafone, and so it could not be compelled to hand that information over in any case.

“The usefulness of transparency reports hinges on governments abiding by the rule of law,” the statement continued. “We now know that these reports only provide a limited picture of what is going on. It is ridiculous that a year after the first Snowden leaks, governments continue to impoverish our much-needed democratic debate. It is also incredible that governments think that they may craft laws to provide for mass surveillance. And it is insulting that not a single law has changed after a yearlong global debate about surveillance.”

Deutsche Telekom, who own half of EE and operate in 14 countries including the US, Britain, Spain and Poland, has followed suit and has already published surveillance data for its home nation.

Thinking about downloading the latest version of TrueCrypt? Forget about it. The TrueCrypt developers shuttered their website on May 28 and redirected traffic to this webpage in the same mysterious fashion that Lavabit did.

For those not familiar with TrueCrypt, it is an open-source software project for file and full-disk encryption. It was well known and widely respected, and a volunteer-funded project, run by respected cryptographers, was under way to give it a formal security audit.

One theory is that TrueCrypt has been compromised. Proponents of this theory feel that government pressure forced the TrueCrypt developers to either do as ordered or shutter the website. This theory rests on unsubstantiated evidence, such as the Twitter conversation between Matthew Green, a cryptographer and research professor at Johns Hopkins University who says he has been in private contact with the TrueCrypt developers, and Glenn Greenwald. Greenwald claims his partner did not have the password to decrypt the top-secret files that were supposedly encrypted with TrueCrypt, yet the government was somehow able to access them.

Another theory is that the audit turned up something serious. Security firm iSEC completed the first phase of the TrueCrypt audit, covering the bootloader and the Windows kernel driver. The report’s summary noted:

“Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.”

The report rated the issues by severity; of the 11 found, none was rated high and most were medium or low. Proponents of this explanation wonder whether the second phase of the audit, covering the cryptography itself, uncovered a major issue.

A third theory is that Microsoft bought TrueCrypt. Buying out the competition is not unheard of, and this explanation is fuelled by the site’s detailed instructions on how to migrate to Microsoft Bitlocker.

Whatever the true reason, which we may never find out, the only option for those of us with privacy concerns is to presume TrueCrypt has been compromised. Unfortunately, we are short on options.

Will Bitlocker fulfill the need?

TrueCrypt’s multi-faceted capabilities made it unique. As the developers suggested, Bitlocker can replace TrueCrypt for hard drive and removable drive encryption.

However, replacing the portable version of TrueCrypt is going to be a different story. After some initial checking, Secret Space Encryptor by Paranoia Works, also an open-source encryption application, might work as a replacement. However, it has not undergone a rigorous audit as TrueCrypt has.

Last thought

The spotlight is now on Microsoft. And remember, the software giant has been accused of aiding government agencies by placing backdoors in several of their products including Bitlocker.

My entire drive is currently encrypted by TrueCrypt. I will now be searching for an alternative and it will not be Bitlocker.

This week, a man believed to be a senior executive at a finance company has avoided prosecution after dodging train fares into London for five years. The man avoided prosecution, and therefore a criminal record, by agreeing an out-of-court settlement of £43,000 with Southeastern railways. There was no admission of guilt.

The man, who kept his anonymity as a result of offering to make the payment, travelled from Stonegate station in East Sussex into London Bridge, paying only £7.20 per journey over five years of commuting by exploiting a loophole in the Oyster card system, Southeastern discovered.

There is no barrier at the station so he could board without being detected. Southeastern said it did not know how he managed to avoid detection by ticket inspectors on the train itself.

The senior executive from Sussex is not the only executive to avoid prosecution. Gray Hooper Holt, a law firm which specialises in fare evasion cases, last year acted for a “professional financier” who was accused of fare evasion and giving a false address by First Capital Connect. The case was dropped after the lawyers intervened, enabling the financier to avoid a criminal record. In another case in 2012 the firm acted for “a senior financial adviser for an international company for whom a successful prosecution for railway fare evasion or fraud would have led to the loss of his job and his career”. He was accused by Greater Anglia railways but the parties reached “an informal settlement”.

These actions raise the question; is there one law for the rich and another law for the poor? Are the wealthy above the law? It would seem to suggest that they are.

During the London riots a few years ago, a 23-year-old student with no previous convictions was imprisoned for six months for stealing £3.50 worth of bottled water from a Lidl store. He was not given the option of repaying the money and retaining anonymity. He was hauled before magistrates, publicly named and shamed, and received the maximum penalty for his crime.

Also in 2011, Nigel and Penny Ward, a couple from Cambridgeshire, re-used a £17.50 money-off coupon at Tesco dozens of times, saving just over £1,000 on their shopping in total. They were prosecuted and convicted. Again, they were never given the option of remaining anonymous and paying the money back.

Anyone caught breaking the law should face punishment. By avoiding his fare, the criminal has robbed every other law-abiding, fare-paying train passenger.

It would seem that in this country, if you are wealthy then you can buy yourself protection from the law. Equality at its finest. Power to the proles.

By Chris Fearnley

You would be hard pushed to find a country where human rights mean less than in Saudi Arabia. The country is run by a dictatorial monarch who has even been accused of keeping his four daughters under house arrest. What has happened to the princesses is shocking, but it also raises the obvious question: if this is how they treat royalty, how do they treat their opponents?

To protest against the regime is to risk your liberty, and even your life. The risk has become even greater, with the government having recently passed a new ‘terrorism’ law that treats atheists and political dissidents as enemies of the state. This is far from an isolated event; government repression is widespread and systematic all across the ‘kingdom’. This is why the most recent Economist Democracy Index ranked it the fifth most authoritarian government in the world.

Despite the widespread human rights abuses, the regime is not short of international support. In the last few weeks alone it has hosted state visits by Barack Obama and Prince Charles. The latter was visiting to finalise an arms deal for BAE Systems and even took part in a traditional Saudi sword dance. The day after Prince Charles’ recent visit, seven Saudi citizens were jailed for 20 years for protesting against the regime.

The relationship between the UK and Saudi Arabia is a close one, based on extensive arms trading and oil deals. The deals are complemented by a strong level of political support and a deafening silence and inaction on human rights. Saudi influence goes beyond foreign policy and has even begun to penetrate domestic decisions. Seemingly at the regime’s behest, Prime Minister David Cameron has called for an investigation into the Muslim Brotherhood to be spearheaded by Sir John Jenkins, the British ambassador to Saudi Arabia.

The Saudi regime understands the importance of muting criticism. So the international legitimacy that it gets from UK support, and from state visits by the heir to the throne, is just as powerful as any of the weapons it is buying. Even when criticisms are made they are often ignored or met with indifference. For example, in the most recent ‘Human Rights and Democracy’ report from the UK Foreign & Commonwealth Office (FCO), Saudi Arabia is listed as a country of concern. The report highlighted a number of the human rights abuses taking place, but provided no explanation for why the UK had licensed £1.9 billion in military exports during the two years that preceded it. Surely this is completely incompatible with the UK’s commitment to human rights?

In 2013 the House of Commons’ Foreign Affairs Committee (FAC) published the results of an inquiry into the UK’s relations with Saudi Arabia and Bahrain. Unfortunately the report made it clear that arms company and establishment interests had made their way into the heart of the inquiry. The committee had appointed Sir William Patey, former UK ambassador to Saudi Arabia, as a specialist adviser; a man who was hardly likely to have acted in a disinterested or questioning manner. Similarly, the committee hosted informal meetings with representatives from BAE Systems, the UK’s largest arms company and a major arms supplier to Saudi Arabia.

The report was a whitewash, concluding: “The government has placed a renewed emphasis on its long-term relations with both Saudi Arabia and Bahrain, in part by relying on our rich heritage of historic links with these traditional allies.” What it did was provide the government with cover as it continues the policy of talking about human rights abroad while turning a blind eye to the actions of despicable regimes in a desire to drum up sales for BAE Systems.

Sadly this is nothing new. Saudi Arabia has been a major buyer of UK weapons since the 1960s. The deals have enjoyed the backing of successive UK governments and benefited from strong institutional support, which has facilitated a great deal of three-way co-operation between the UK government, Saudi Arabia and BAE. Top-level support has always been made available when promoting arms deals with Saudi Arabia. For example, in November 2012 Cameron visited the regime in a bid to cement the Eurofighter Typhoon deal.

Of course the UK is not alone in aligning with the tyrants and ignoring human rights concerns. The most recent European arms exports report, which covers licences for 2012, shows that in that year alone EU member states licensed 3.5 billion euros’ worth of weapons to the regime. The nature of these relationships has suppressed any opposition from Europe and ensured that the prevailing environment is one characterised by violence, intimidation and repression. As the situation continues to escalate we can be in no doubt that decisions being made in the name of arms trade profits are having serious consequences for the victims of this terrible regime.

What is implicit in the arms sales is backing for the current Saudi regime and a message to those in Saudi Arabia and the wider region that their aspirations for human rights and democracy are of less importance than arms trade profits. The FAC report into relations with Bahrain and Saudi Arabia noted: “Both the government and the opposition in Bahrain view UK defence sales as a signal of British support for the government.” This could be applied equally to Saudi Arabia.

The Arab Spring should have been the start of a re-evaluation of how the UK does business in the region. The UK must put human rights at the heart of its policy towards Saudi Arabia, not the interests of the arms companies.

Yesterday afternoon, Ars Technica published a story reporting two possible logs of Heartbleed attacks occurring in the wild, months before Monday’s public disclosure of the vulnerability. It would be very bad news if these stories were true, indicating that blackhats and/or intelligence agencies may have had a long period when they knew about the attack and could use it at their leisure.

In response to the story, EFF called for further evidence of Heartbleed attacks in the wild prior to Monday. The first thing they learned was that the SeaCat report was a possible false positive; the pattern in their logs looked like it could have been caused by ErrataSec’s masscan software, and indeed one of the source IPs was ErrataSec.

The second log seems much more troubling. EFF spoke to Ars Technica’s second source, Terrence Koeman, who reported finding, in ingress packet logs from November 2013, inbound packets that immediately followed the setup and termination of a normal handshake and contained another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00. Those bytes are a TLS heartbeat record (content type 0x18, version 3.2, i.e. TLS 1.1) whose record header says only three bytes follow, while the heartbeat request inside (type 0x01) declares a payload of 0x4000, or 16,384, bytes. That contradiction between the two length fields is what triggers the over-read, and the sequence is identical to the one in the widely circulated proof-of-concept exploit.

Koeman’s logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were 193.104.110.12 and 193.104.110.20. Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes more sense for intelligence agencies than for commercial or lifestyle malware developers.

To reach a firmer conclusion about Heartbleed’s history, it would be best for the networking community to try to replicate Koeman’s findings. Any network operators who have extensive TLS-layer traffic logs can check for malicious heartbeats, which most commonly have a TCP payload beginning 18 03 02 00 03 01 or 18 03 01 00 03 01 (a TLS 1.1 or TLS 1.0 heartbeat record carrying only a three-byte body, whose first byte, 01, marks a heartbeat request). I urge any network operators who find this pattern to contact myself or EFF.
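A scanner for the pattern just described, added here as an example (it is not EFF’s or Koeman’s code). It walks a raw TLS byte stream record by record and flags any heartbeat request whose declared payload length is larger than the bytes the record actually carries, which is the condition that makes a heartbeat malicious rather than merely unusual. The sample stream is constructed for the example; only the eight-byte heartbeat sequence is taken from the logs quoted above.

```python
"""Scan a raw TLS byte stream for Heartbleed-style heartbeat requests.
Added example (not EFF's or Koeman's code); the sample stream is constructed."""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01        # HeartbeatMessageType.heartbeat_request
RECORD_HEADER = struct.Struct("!BHH")  # content type, version, length (big-endian)


def iter_records(data):
    """Yield (content_type, version, payload) for each complete TLS record in
    data. A truncated final record is skipped rather than raising."""
    pos = 0
    while pos + RECORD_HEADER.size <= len(data):
        ctype, version, length = RECORD_HEADER.unpack_from(data, pos)
        pos += RECORD_HEADER.size
        payload = data[pos:pos + length]
        if len(payload) < length:
            break
        pos += length
        yield ctype, version, payload


def find_malicious_heartbeats(data):
    """Return one finding per heartbeat request whose declared payload length
    exceeds the bytes actually present in the record. A benign heartbeat can
    be large; it is the mismatch, not the size, that marks the attack."""
    findings = []
    for ctype, version, payload in iter_records(data):
        if ctype != HEARTBEAT_CONTENT_TYPE or len(payload) < 3:
            continue
        hb_type, declared = struct.unpack("!BH", payload[:3])
        if hb_type != HEARTBEAT_REQUEST:
            continue
        actual = len(payload) - 3       # payload bytes really carried after the header
        if declared > actual:
            findings.append({
                "tls_version": "%d.%d" % (version >> 8, version & 0xFF),
                "declared": declared,
                "actual": actual,
                "over_read": declared - actual,
            })
    return findings


# Constructed sample: a stub handshake record, a well-formed heartbeat request
# (2-byte payload plus 16 bytes of padding), then the 8 bytes from the logs.
SAMPLE_STREAM = (
    bytes.fromhex("16 03 01 00 04 01 00 00 00")
    + bytes.fromhex("18 03 02 00 15 01 00 02") + b"ab" + b"\x00" * 16
    + bytes.fromhex("18 03 02 00 03 01 40 00")
)

if __name__ == "__main__":
    for f in find_malicious_heartbeats(SAMPLE_STREAM):
        print("malicious heartbeat: TLS %(tls_version)s, declared %(declared)d, "
              "present %(actual)d, over-read %(over_read)d bytes" % f)
```

Run against a capture, the benign heartbeat in the sample produces nothing while the logged sequence is reported as a 16,384-byte over-read; feeding `bytes.fromhex("18 03 02 00 03 01 40 00")` on its own gives the same single finding.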

Network operators might also keep an eye out for other interesting log entries from 193.104.110.* and the other IPs in the related botnet. Who knows what they might find?

A lot of the narratives around Heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it. At least the first half of that scenario is starting to look likely.

OpenSSL is an open-source implementation of SSL and TLS, the protocols that secure much of what you see on the web. Recently, a critical bug was discovered that has been present in OpenSSL for over two years and can allow anyone on the internet to uncover names, passwords and content you send to a seemingly secure web site. As you can imagine, this is a big deal.

The Heartbleed bug, as it’s now known, affects any sites and services running the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f). Many sites may run older versions of OpenSSL that are not vulnerable, and many have likely already updated to a fixed version. Furthermore, not all sites and services use OpenSSL.

It is estimated that around 66% of the web utilises OpenSSL, so a large portion of the internet may be vulnerable. You can test certain sites using this tool, though it won’t answer whether a site was previously vulnerable at any point in the past. You can find a list of possibly affected sites here, but check their respective blogs for any recent updates—and keep in mind they may have been vulnerable sometime in the past two years (Google and Facebook, for example, are not listed as currently vulnerable, but have yet to issue any official statements).

Unfortunately, there’s not much you can do about this yourself. The fix has to come from the vulnerable sites: update OpenSSL, generate new private keys, reissue their certificates and revoke the old ones, since any key that sat in a vulnerable server’s memory may have been read. Changing your password won’t help until the site has fixed the bug, so wait for confirmation from your favourite sites before you go changing passwords. (LastPass now has a tool that lets you know what passwords to change, and when.)

But the bug is also unusually worrisome because it could be used by hackers to steal your usernames and passwords, for sensitive services like banking, ecommerce and web-based email, and by spy agencies to steal the private keys that vulnerable web sites use to encrypt your traffic to them. This raises the question: are the NSA and GCHQ involved?

Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, The Guardian reported that the NSA and Britain’s GCHQ had “successfully cracked” much of the online encryption we rely on to secure email and other sensitive transactions and data.

So far, though, there’s no evidence to suggest this is the case. And there are reasons why this method wouldn’t be very efficient for the NSA.

First, the vulnerability didn’t exist on every site. And even on sites that were vulnerable, using the Heartbleed bug to find and grab the private keys held in a server’s memory isn’t without problems. Heartbleed allows an attacker to siphon up to 64KB of data from the process’s memory per malformed heartbeat request. But what comes back is whatever happens to sit in memory next to the request buffer at that moment, so an attacker has to query repeatedly to collect a useful amount of data and then sift it for key material. Though there’s no limit to the number of queries an attacker can make, no one has yet produced a proof-of-concept exploit for reliably and consistently extracting a server’s private key from memory using Heartbleed.
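Why one malformed request leaks so much, shown as an added example in Python rather than OpenSSL’s own C. The ‘process memory’ here is constructed: the inbound heartbeat sits at the start of a bytearray and an unrelated secret follows it, standing in for whatever the heap held next. The vulnerable handler trusts the peer’s declared length and copies that many bytes; the fixed handler applies the bounds check that OpenSSL 1.0.1g added (the declared payload plus its header and 16 bytes of padding must fit inside the record that actually arrived) and silently discards the request otherwise.

```python
"""Model of the Heartbleed over-read: vulnerable vs. patched heartbeat handler.
Added example with a constructed memory image; not OpenSSL's code."""
import struct

HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed heap image: the received heartbeat record occupies the first
# bytes, and an unrelated secret happens to lie just beyond it.
MALICIOUS_RECORD = bytes.fromhex("01 40 00")   # request, declared length 16384, no payload
MEMORY = bytearray(MALICIOUS_RECORD) + b"session_cookie=deadbeef;" + b"\x00" * 40

BENIGN_RECORD = bytes.fromhex("01 00 02") + b"ab" + b"\x00" * PADDING  # request, 2-byte payload
BENIGN_MEMORY = bytearray(BENIGN_RECORD) + b"session_cookie=deadbeef;"


def handle_heartbeat_vulnerable(memory, record_len):
    """Pre-1.0.1g logic: record_len is accepted but never consulted, which is
    the bug. The declared length is read from the request and that many bytes
    are copied from just after the 3-byte header. A C memcpy would read real
    adjacent heap; the Python slice simply stops at the end of our memory.
    (The response padding OpenSSL appends is omitted for brevity.)"""
    hb_type, declared = struct.unpack("!BH", bytes(memory[:3]))
    if hb_type != HEARTBEAT_REQUEST:
        return None
    echoed = bytes(memory[3:3 + declared])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared) + echoed


def handle_heartbeat_fixed(memory, record_len):
    """1.0.1g logic: the 3-byte header, the declared payload and the minimum
    padding must all fit inside the record that arrived; otherwise the
    request is silently discarded (RFC 6520 section 4)."""
    if record_len < 1 + 2 + PADDING:
        return None
    hb_type, declared = struct.unpack("!BH", bytes(memory[:3]))
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + declared + PADDING > record_len:
        return None
    echoed = bytes(memory[3:3 + declared])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared) + echoed


def leaked_bytes(response, record_len):
    """Return the part of a response that came from beyond the received record."""
    if response is None:
        return b""
    echoed = response[3:]
    in_record = max(0, record_len - 3)   # bytes the record legitimately held
    return echoed[in_record:]


if __name__ == "__main__":
    n = len(MALICIOUS_RECORD)
    leak = leaked_bytes(handle_heartbeat_vulnerable(MEMORY, n), n)
    print("vulnerable handler leaked %d bytes: %r" % (len(leak), leak[:24]))
    print("fixed handler response:", handle_heartbeat_fixed(MEMORY, n))
```

The benign request gets the same two-byte echo from both handlers, which is why the bounds check cost nothing in compatibility; only the request whose declared length outruns the record is treated differently.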

European Union laws requiring communications providers to retain metadata are invalid because they seriously interfere with fundamental privacy rights, the Court of Justice of the EU (CJEU) ruled Tuesday.

The EU’s Data Retention Directive requires telecommunications and Internet providers to retain traffic and location data, as well as the related data necessary to identify the subscriber or user, for the stated purpose of preventing, investigating, detecting and prosecuting serious crime, in particular organised crime and terrorism.

However, the High Court of Ireland and the Constitutional Court of Austria doubted the validity of the directive, and asked the CJEU to investigate whether it violates the fundamental rights to respect for private life and to the protection of personal data enshrined in the Charter of Fundamental Rights of the EU, the court said.

The CJEU found the directive interferes with those rights and declared it invalid, a decision welcomed by campaigners for online privacy.

The European Commission said it will assess the court’s verdict and its effects.

Member of the European Parliament Sophie in ’t Veld said, “It is good that the legislature gets a slap on the wrist. Now we can finally delete this unsound law,” adding that future laws to combat terrorism must comply with civil rights.

European Digital Rights Group (EDRi) executive director Joe McNamee called the law an affront to the fundamental rights of European citizens and said the decision marked the end of “eight years of abuses of personal data.”

And in the U.K. Open Rights Group director Jim Killock said, “Blanket data collection interferes with our privacy rights. We must now see the repeal of national legislation that obliges telecoms companies to collect data about our personal phone calls, text messages, emails and internet usage.”

The court said retaining such data makes it possible to know how, when and with whom service users communicate, how often they call, and where they call from. That, in turn, could provide precise information on the private lives of the persons whose data are retained, including where they live, their daily habits, and their social lives, the court said. Requiring that telecommunications operators retain the data and allow the authorities to access it interferes with the fundamental rights to respect for private life and to the protection of personal data—and, because those data are retained and used without informing the user the directive is likely to generate a feeling that people’s private lives are the subject of constant surveillance, the court added.

Although the court acknowledged that retention of data can help fight serious crime and improve public security, it identified several ways in which the EU legislature had exceeded the limits of proportionality in adopting the directive.

The directive is too general, covering all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception. It also makes no requirement for review by a court or an independent body before providing access to the data. In addition, the directive imposes a retention period of at least six months without making any distinction between the categories of data on the basis of the persons concerned or the possible usefulness of the data in relation to the objective pursued.

The directive included insufficient protections to prevent the data from being accessed unlawfully, and did not require that the retained data be stored within the EU, so the control by an independent authority that the Charter of Fundamental Rights explicitly requires could not be fully ensured, the court added.

The CJEU’s ruling is binding on the national courts, which must dispose of the cases before them in accordance with the Court’s decision.