My keen interest in online security and privacy has recently blossomed into a full-on obsession. Some may say it's because I'm eccentric and weird, but it's at least partly because of the crazy new laws going down in this country. There is an excellent chance that all of your e-mails and IM conversations are at the very least being analyzed and logged. I doubt anyone actually reads them, but you never know.
The common argument against online privacy measures is "if you have nothing to hide, why do you care?". True, I'm not some criminal mastermind, but it's not unreasonable for people to think that I am. Many people in real life think that I'm a drug dealer for some reason. The forums that I visit to read about privacy concerns are often hot beds for credit card scammers. I think credit card scamming is retarded and would never do it, but I'd hate to be accused of being guilty by association.
There are also a lot of people sniffing traffic. The average internet user doesn't realize that it's not particularly difficult to intercept traffic on the internet - especially if you're using a wireless or shared connection. Encrypted communication can still be intercepted, but it can't be decoded - making the captured data useless to whoever intercepted it.
No one seems too concerned with encrypting e-mail. This is probably the result of everyone using web clients. I don't understand why everyone is so obsessed with Gmail, Yahoo Mail, etc. but that's another post.
PGP stands for Pretty Good Privacy. If you want info on it, look it up elsewhere. Basically it's cryptography that is very easy to use and very difficult to break. There are several ways to use it to encrypt your e-mail.
The easiest and best way is to use The Bat!. This e-mail client is leagues better than Outlook, Outlook Express, and Thunderbird. It's super configurable, very compact and nice looking, and isn't a memory hog. It has all the features you know and love, and even has plugins for many different anti-spam and anti-virus methods. Best of all, it has built-in PGP. Going through the setup process takes 5 minutes at most, and you can then send encrypted messages to anyone using PGP.
Thunderbird has a great plugin called Enigmail. It's free, easy to install, and integrates into Thunderbird perfectly. This is what I used until I switched to The Bat!.
There are also some PGP plugins for Outlook and Outlook Express. I don't use these programs, so I have no idea which plugins are the best.
The cool thing about PGP e-mail is that you don't have to worry about the other person using the same e-mail program as you. That is... unless they use Freenigma.
Freenigma is the only option for Gmail, which is good for you if you use Gmail and all of your friends do too. It's super easy to set up, but it's not interoperable with other PGP services.
Instant messaging used to be hard to encrypt. Every client used a different protocol, and none of them worked together. Trillian has a decent built-in one. It's very easy to use, but apparently also fairly easy to crack. Still - just having one layer of defense is a huge step up from nothing.
But now there is an awesome product, SimpLite, that works with every popular client and protocol. I like using Trillian, but I can still encrypt chats with friends using AIM or that stupid Google chat thing.
Installing SimpLite is really easy. It's free, and it even changes the text color of your friends' messages to reflect whether or not the conversation is encrypted. The program runs in your tray and is very non-intrusive.
Even if you're the only person who uses your computer and you trust everyone else, you should encrypt personal files. If your computer gets stolen, do you really want a potential hacker to have all the time in the world to search through your files?
Your first line of defense can be SecurStar DriveCrypt Plus. This program encrypts your whole hard drive in real time. That means that even if someone takes your hard drive out of the computer and puts it in their computer, they can't read a single thing off of it. If your computer is on, however, your files can still be read like normal.
You can also make container files that basically act as encrypted directories. They're useful for storing sensitive files so that people can't get at them even if they have full access to your computer while it's on. The best program to do that with is SecurStar DriveCrypt. There is a free alternative called TrueCrypt, but it has a major security flaw that lets anyone who knows what they're doing get into your files.
Want to buy a sex toy, but don't necessarily want people seeing it in your history? Want to look up some embarrassing medical condition you have but don't want it in your Google search history? Or maybe you just want to leave a nice anonymous comment on someone's blog and don't want them to be able to figure out that it came from your city.
Enter Torpark. Torpark is a self-contained copy of Firefox with a built-in anonymous proxy router. Have you ever seen those movies where someone is "bouncing their signal" all over the globe, and there are cool red lines showing where it's going? That's basically what this is. It routes your traffic through a number of anonymous proxy servers all over the world, making it impossible to find out who is visiting the site.
One little trick I like is to put your copy of Torpark inside a DriveCrypt file container. Torpark is a portable app, meaning it doesn't need to be installed - you just copy it and go. When you put it in the DriveCrypt container, you can safely browse knowing that no one will ever see your history or know where your traffic is coming from.
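To make the layered routing behind Torpark concrete, here is an added example (not from the original post and not Tor's actual code) that simulates a three-relay circuit in Python. The relay names, `shop.example`, and the hash-based toy cipher are assumptions for illustration; real Tor negotiates session keys and uses vetted ciphers.

```python
import hashlib, json, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one layer that only the holder of `key` can remove."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
    return nonce + xor_stream(key, nonce, body)

def peel(key: bytes, cell: bytes):
    """Remove one layer; returns (next hop, inner cell)."""
    layer = json.loads(xor_stream(key, cell[:16], cell[16:]))
    return layer["next"], bytes.fromhex(layer["data"])

def build_onion(circuit, destination: str, message: bytes) -> bytes:
    """circuit: [(relay_name, key), ...] in path order, entry relay first."""
    cell, next_hop = message, destination
    for name, key in reversed(circuit):   # innermost layer is for the exit
        cell = wrap(key, next_hop, cell)
        next_hop = name
    return cell

def route(circuit, cell: bytes):
    """Simulate the relays; record what each one learns: (relay, next hop)."""
    learned, keys, hop = [], dict(circuit), circuit[0][0]
    while hop in keys:
        nxt, cell = peel(keys[hop], cell)
        learned.append((hop, nxt))
        hop = nxt
    return learned, hop, cell

if __name__ == "__main__":
    # Constructed sample circuit and request.
    circuit = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    onion = build_onion(circuit, "shop.example", b"GET /product/42")
    learned, destination, delivered = route(circuit, onion)
    for relay, nxt in learned:
        print(f"{relay:6} forwards to {nxt}")
    print(destination, "receives", delivered)
```

The entry relay sees who you are but only learns the next relay, while the exit relay sees the destination but not you. The exit also recovers the request exactly as the browser sent it, so the content is only protected on the last hop if the site itself uses HTTPS.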
Just do it
There are many more complicated ways to secure your personal information, but they aren't better. The methods I've outlined represent the best technology with the easiest implementation. You could probably set up everything I mentioned here in about 45 minutes. Maybe all of it is pointless and you'll never need this level of security, but it's so transparent that you may as well have the safety net.
I'm all for privacy. Responding to Magnus, the man who allegedly never does anything wrong - would it be OK for me to rummage through your drawers at home if I leave it like I found it? I bet the answer is "NO!" even if there is "nothing to hide." I'd also like to say that I worry that many of these privacy apps are government traps.
The problem with privacy is not that we have problems if everyone's stuff is hanging out, but that we have problems when SOME people have privacy and others do not.
The best explanation of how eliminating privacy totally could work is still John Brunner's novel Shockwave Rider.
But privacy, when implemented in law, tends to protect the rich and powerful at the expense of the poor--instead of the well-off helping the unfortunate, the well-off today make much of their swag off of the very poor....
Many 'social programs' implemented in the US say that they are for one purpose while actually serving another.
An example is the "War on Drugs" (which has been as effective as its predecessor, the "War on Poverty" and its successor, the "War on Terror.")
If one were really serious about stopping drug use from causing problems in a society, testing would be implemented based upon the person's position's ability to cause harm. Under such a program, testing would be implemented upon these lines:
The President would be tested hourly. As would his executive staff and the Security and Military heads--all top level administrators in and out of government would be on this rigorous schedule. Corporate executives included.
After all, these are the people who can misallocate money on massive scale, destroy whole nations and economies.
Under such a plan, people on the bottom, sales clerks, warehouse workers & such would be tested on a random basis and in case of an accident.
Instead, the current system acts as if it is designed to keep people from changing jobs. We test new employees (prior to their employment) but we seldom test top-level executives (even at hiring time,) and never test them after employment.
The result is that you can use anything you like so long as you stay at an employer, but to change jobs (or get one in the first place,) you must be clean for testing.
Encryption is needed if only for verification of the sender--it is way too easy to falsify a message's origin, and this is unlikely to change in the near or mid-term future.
All communications must, at this point be assumed to be overheard--including pillow talk. Bugging devices are nearly too small to be seen now, and soon will be invisible to the naked eye.
Yes, the monitor(s) is/are almost certainly computer programs. But data can be harvested by programs and condensed into a readily usable form, as the increase in successful large scale thefts using identity theft and software infiltrators has shown.
Privacy is no longer a real option. The only consideration that we may have control over is whether only certain groups (gov'ts, corps) have access to everything, or whether everyone has access to everything.
Certainly public officials have no 'right to privacy' within their jobs, such privacy is crucial to misallocation or theft, but serves no useful purpose for the general public (whose resources are at risk.)
It is now possible to make an A/V recording of an entire day in the life of anyone with a device smaller than a nanopod. Equipping public officials with such devices, designed to store the data in a secure location for later retrieval by a court, would drastically improve said officials' interactions with the public--and even provide the official with evidence that their actions were just--both particular points with the police and security communities. Like recording witness interrogations, the police would undoubtedly find reviewing such evidence of great value, since it is possible to examine a situation much more closely if you can re-run it multiple times. This might well reduce the number of people who are innocent but charged with crimes, and would be certain to decrease the number of criminals released as 'cleared' suspects.
Any encryption of your communications is better than no encryption, just so long as you don't make the assumption that your encrypted traffic is truly secure--it never will be. Any security which can be created can be defeated, by definition using methods not thought of by the creator. (For instance, if I can monitor the inside of your computer, I don't need to decrypt your messages--I'll just read them in clear as you write or read.)
My $50 worth.
I have to say that Torpark is super slow. It's only good for a one-time thing (like you said to buy something or look up some crap), it's impossible to surf using Torpark.
I can agree with most of what you said but your section on encrypting files worried me a bit.
Firstly, there is nothing wrong with TrueCrypt -- it uses well known algorithms and there are no public accounts of it being broken.
Secondly, I would stay away from any product that makes ridiculous claims like "1344 Bit Military Strength" encryption (like DriveCrypt does).
Very good advice. Unfortunately I'm just too lazy to do it. I'm surprised I even mustered the energy to type this useless comment.
I try to never do anything I'm not proud of and would be worried about anyone else knowing.
You still don't explain why I should care if I have nothing to hide!!!
I hate Paypal. In the early days of gambling I used Paypal to send money to casinos, and Paypal would occasionally screw me over. They held all deposits to casinos for 30 days so that if the casino went under, players wouldn't get screwed. That was nice of them.
One time I deposited $10k and a casino went under. They never gave me any money despite a number of calls and e-mails. Oh well.
I use paypal when I absolutely have to, and that's it. Google checkout came along, and I was happy about that. I like Adwords, Adsense is ok, Search is awesome, etc. I figure with their "Don't be evil" motto, I'd have nothing to worry about.
I recently got an email from a friend that said simply "I am getting too many e-mails. How do I organize them? Sometimes I need to research an answer, but then forget for whom it was and I totally forget about it as they get buried. How do you manage your e mails?"
Here's how I do it:
No software email client: I used to use an email client like Outlook or Thunderbird, but I found that by switching to a web interface for email I have much more control over it. I have multiple inbound email addresses -- two work addresses, a gmail address, an Apple email address, an alumni address, etc. I have all my mail forward into my personal email account, which is a Google Apps-hosted address. Here's what that looks like:
Using the web-based email interface also lets me leverage all sorts of great advanced stuff, like using Rapportive, Boomerang, and many other email tools that I rely on. Also, using the Google Apps interface for my email allows me to use Google's powerful "important and unread" feature which prioritizes emails from people I know or that Google otherwise thinks I should see first.