************************************************************************
Security-news <security-news@resist.ca> 
A security bulletin for the inspired resistance movement 
Produced by the folks who bring you http://security.tao.ca
************************************************************************

July 23rd, 2002

Hello, and welcome to the first ever security bulletin put out by the
folks at http://security.tao.ca - Our goal is to empower activists to
make educated security decisions concerning their work and to highlight
trends in government and policing that may be of interest to those who
routinely counter the state security apparatus. We intend this to be a
bi-weekly newsletter that will include security updates, tips and
tricks, security.tao.ca updates, news stories and factoids for both
technical and non-technical audiences. Please let us know what you would
like to see, or forward us items for inclusion to secure@resist.ca (also
feedback on this bulletin would be great too!).

********************************** 
Security-news: Issue #1 - Contents
********************************** 
* Security tip of the week 
* Updates to security.tao.ca 
* News Item: US wants to use military for domestic policing 
* News Item: US development of new non-lethal weapons 
* How-to: SILC Tips and Tricks

***** 
Security Tip of the Week: Secure Storage of Private Keys 
***** 
For optimum security, private keys used in encryption schemes should be
stored on removeable media that can be carried on your person, or locked
in a secure (and secret) place. This cuts down the possibility of your
private key being stolen from your home computer or laptop. Even if
someone manages to steal your passphrase with the use of key logging
technology, they can not decrypt messages intended for you without this
private key. (Note however that floppy disks are the least reliable of
all the removeable media forms.)

***** 
Updates to http://security.tao.ca 
***** 
After a long hiatus, we have started updating security.tao.ca again!
This week we cleared out a lot of dead links (almost finished), added
new and updated links to most sections, and completed a new page on
KeyLoggers, Trojans and Backdoors which is available at
http://security.tao.ca/keylog.shtml

***** 
News Item: US wants to use military for domestic policing 
*****
U.S. Mulls Military's Domestic Role Sun Jul 21,11:31 PM ET By SCOTT
LINDLAW, Associated Press Writer

WASHINGTON (AP) - Homeland security chief Tom Ridge says the threat of
terrorism may force government planners to consider using the military
for domestic law enforcement, now largely prohibited by federal law.

President Bush ( news - web sites) has called on Congress to thoroughly
review the law that bans the Army, Navy, Air Force and Marines from
participating in arrests, searches, seizure of evidence and other
police-type activity on U.S. soil. The Coast Guard and National Guard
troops under the control of state governors are excluded from the
Reconstruction-era law, known as the "Posse Comitatus Act."

This is only snippet of an article - the complete article and others on
this topic can be found at:
*http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/
ap_on_go_pr_wh/homeland_security_9
*http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020721/ts_nm/
congress_homeland_military_dc_5
*http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/ap_wo_en_ge/
philippines_arroyo_6

Security-news comment: We have a hard time believing that once the posse
comitatus law is changed, the US government will only use the military
in times of real crisis. Given that they want to be able to use the
military in situations involving "terrorism", and given that the US
government has increasingly defined activist work as "terrorist", we
don't think it will be long before the US military is regularly on the
streets facing off against those who dare dissent against government
policy.

***** 
News Item: US development of new non-lethal weapons 
***** 
June 21, 2002 U.S. developing new non-lethal weapons Bloomberg

WASHINGTON - The U.S. military is developing an array of futuristic
non-lethal weapons, such as an energy beam that causes pain without
burning and bacteria that will eat asphalt and body armour, Time
magazine is reporting.

The weapons are being researched to help soldiers who are increasingly
put in peackeeping roles, the magazine said. Human rights advocates say
new weapons may violate international laws banning the use of chemical
or biological agents.

The Air Force Research Laboratory has devised a $65-million Cdn energy
weapon that delivers a painful sensation without burning its target, and
the Southwest Research Institute in Texas created an anti-traction gel
so slippery no one can walk or drive on it. Other devices in the works
include ray guns, gases that emit foul odours and nets, according to the
magazine, citing interviews with scientists, public documents and
material obtained under the Freedom of Information Act.

Amnesty International and other human rights groups say some projects
such as the asphalt-eating bacteria or efforts to create fast-acting
opiates for use on crowds, may violate international laws. Those weapons
might be obtained by regimes to put down political dissent, says Steve
Wright, founder of the Omega Foundation that monitors non-lethal
weapons.


***** 
How-to: SILC Tips and Tricks 
***** 
by epsas@linefeed.org 

The full version of this with working links is at
http://notes.techfed.net/index.php/SILCTipsAndTricks
------------------------------------------------------------------------
If you don't know what SILC is - please check out
http://www.silcnet.org - basically SILC allows for encrypted real-time
conversations over networks.

Creating and Using Private Key (+k) Channels Setting a private key for
channel means that only the users on the channel who know the key is
able to encrypt and decrypt messages. Servers do not know the key at
all. -- SILC FAQ (http://www.silcnet.org/?page=faq#f3_100)

In theory, members of a private key (+k) channel can collaborate
securely even when their SILC server is compromised. Users of the +k
channel are responsible for distributing a private key between
themselves. Transmitting the secret key for a +k channel over the SILC
network is self-defeating (The SILC server may be compromised, meaning a
malicious attacker (Mallory) can steal the private key).

Instructions for creating a private key (+k) channel Join a SILC network
and create a channel: /JOIN #sekretchannel

As 'channel founder', set the mode of the channel to (+k): /CMODE
#sekretchannel +k After +k mode is set, the old channel key (originally
distributed by the SILC server) is discarded.

Set the SILC client to use a private key for this channel: /KEY CHANNEL
#sekretchannel SET oursekretkey

Other users must use the same 'passphrase' to communicate on the private
key channel: /JOIN #sekretchannel /KEY CHANNEL #sekretchannel SET
oursekretkey

The channel founder can change the 'passphrase' of a channel by issuing
a new KEY command: /KEY CHANNEL #sekretchannel SET
sekretkeywithrandomdata3DF#f3w48cnOc03

------------------------------------------------------------------------
Securely Negotiating a Shared Secret over the Internet

The Diffie-Hellman key agreement protocol (also called exponential key
agreement) was developed by Diffie and Hellman in 1976 and published in
the ground-breaking paper "New Directions in Cryptography." The protocol
allows two users to exchange a secret key over an insecure medium
without any prior secrets.

dh.py from Magaf.Org is a freely available implementation of the
Diffie-Hellman key exchange protocol. In this example, a shared secret
is negotiated between Alice and Bob; two hypothetical individuals.

More information about Alice and Bob (Mallory too!)

Using dh.py to negotiate a shared secret Alice and Bob meet each other
on a public SILC channel, #polynesian-finches. After a few hours of
enthralling conversation, Alice proposes they move discussion to a
private channel. Alice and Bob know that Mallory, their scientific
arch-nemesis, has root (Administrator priveleges) on the SILC server.
Alice and Bob decide to use Diffie-Hellman to exchange a shared secret
to use as a private channel key.

Alice and Bob install dh.py and a Python interpreter on their computers.

Alice runs dh.py, which first creates a public key: bash-2.05$ python
dh.py Copy your public key and send to other:
bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/
0SOArzXL0XTwJAjwqKVVq
qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA

Bob also runs dh.py.

Alice sends her public key to Bob over SILC: <@Alice> Bob, here is my
Public Key
<@Alice>DQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/
0SOArzXL0XTwJAjwqKVVq
<@Alice>qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/
UORhtdb9YZk2QHAA==

Bob does the same: <Bob> Alice, here is my Public Key:
<Bob>bDQAAAB/
CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
<Bob>+mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/
BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA==

Alice pastes Bob's public key into dh.py: Paste other's public key (end
with an empty line):
:bDQAAAB/
CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
:+mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA=
= : Shared secret is '752945657969338543110531'. For public
verification: '827050' (This is not secret)

Bob does the same with Alice's public key: Paste other's public key (end
with an empty line):
:bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/
0SOArzXL0XTwJAjwqKVVq
:qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA=
= : Shared secret is '752945657969338543110531'. For public
verification: '827050' (This is not secret)

Alice and Bob make sure that they created the same shared secret. They
do this by sharing the 'public verification' over SILC: <@Alice> Hey
Bob, did you get this: 827050 ? <Bob> Yup, I did! <@Alice> Meet you in
#sekretornithology

At this point, Alice and Bob can create a private key channel (+k) using
their shared secret ('752945657969338543110531') as the 'passphrase'.



************************************************************************
Security-news <security-news@resist.ca> 
A security bulletin for the inspired resistance movement 
To unsub from this list, please go to http://resist.ca/mailman/listinfo/security-news
************************************************************************