***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

November 11, 2002

This week we're adding a new section called "Reading Material" to highlight interesting books, magazines and other publications that happen to come our way and relate to the whole activism and security theme of this newsletter. Please forward any suggestions of reading material you would like to see reviewed here to secure@resist.ca.

**********************************
Security-news: Issue #10 - Contents
**********************************

* Security tip of the week: Wireless Keyboards
* Reading Material: CAQ 74 & Covert Entry (book)
* News & Analysis: How Hard Would It Be To Trace the Sniper's Phone Calls?
* News & Analysis: JOINING FORCES - How planners are partnering with local police, convention facilities and city officials to stage secure events
* How to: Internet anonymity for Linux newbies

***** Security Tip of the Week: Wireless keyboards *****

Wireless keyboards are just some of the many wireless peripherals becoming popular these days - but don't be so quick to switch without first checking the security implications. Last week it was discovered that HP's wireless keyboards can transmit data to other computers in faraway buildings. If you are currently using one of these, or another wireless keyboard, be aware that if the signal emission range is too wide, you could be broadcasting everything you type.

***** Reading Material: CAQ No. 74 & Covert Entry (book) *****

Covert Action Quarterly No. 74 - has lots of good stuff as usual - a good article in this issue exposing the links between George Soros and the CIA, which certainly begs the question of why radical organizations would take money from the Soros foundation.
Also an article on the decimation of Posse Comitatus law in the United States (this was the law that forbade US military services from taking a role in internal policing) - happening under the guise of anti-terrorism but really being directed at anti-globalization activists.

Covert Entry: Spies, Lies and Crimes Inside Canada's Secret Service
Andrew Mitrovica
Random House - November 2002 release

This book is based on the testimony and tales of an agent-turned-whistleblower who worked for CSIS (Canadian Security Intelligence Service) for ten years. John Farrell, who worked with the mail intercept program and Special Operational Services, comes forward to tell his tale of unlawful behaviour on behalf of Canada's spy agency. Although Mitrovica comes at the story from anything but a progressive angle (he is outraged about taxpayer waste in the face of real terrorist threats), there are some telling moments in the story that illuminate the type of surveillance methods used during both major and minor investigations. If anything - Covert Entry provides an interesting look inside some of the operations of Canada's espionage agency and the methods by which agents collect data on their targets - and is a worthwhile and quick read. It's only out in hardcover currently (and likely not available in the US), but worth tracking down a copy of.

***** News & Analysis: How Hard Would It Be To Trace the Sniper's Phone Calls? *****
By Brendan I. Koerner
Thursday, October 24, 2002

Police arrested two men Thursday morning in connection with Washington, D.C.-area sniper shootings. Someone claiming to be the sniper placed several phone calls to police earlier this week. How easy is it for cops to trace a phone call?

Contrary to what pulp screenwriters seem to believe, it's pretty darn easy nowadays. Tracing problems are a relic of manual switchboards, which required operators to physically connect circuits.
In order to track down a caller's location, police needed 10-20 minutes to figure out the maze of circuits. This is where the cinematic stereotype of "Keep 'em talking" comes from - shorter calls could only be traced back part of the way, to a nearby switching station rather than the source phone.

Digital switches have sped up the process. Beginning in the mid-1980s, phone companies began using electronic switching systems, which can automatically identify any caller's number within a fraction of a second. Those numbers can then be correlated with information from an automatic location indicator to find the phone's address. There is no foolproof way to avoid tracing on an ESS network when making a direct-dial call. (And don't think for a second that hitting *67, which masks your number to Caller ID boxes, can foil a police trace; it only works against civilians.)

Some local phone companies allow users to trace calls through a feature called *57. Users hang up, wait 10 seconds, and then press *57. The caller's information is immediately forwarded to the phone company's computers, where it can later be accessed by the police. But the feature isn't available everywhere, and in some cases it won't trace calls made with calling cards or through operator assistance.

Mobile phones have proven harder to trace over recent years, but that is changing, too. The Federal Communications Commission has ordered that, by 2006, all cell-phone networks must feature location-tracking technology, ostensibly to assist 911 operators. As a result, many new mobiles now come equipped with chips that link them into the Global Positioning Satellite system. Triangulation using coordinates from adjacent cell-phone towers is another effective tracing technique.

Tracing a phone call is only half the investigative battle, of course. Few suspects, alas, are dumb enough to stay put after placing a taunting call to the cops.

Next question?
***** News & Analysis: JOINING FORCES *****
How planners are partnering with local police, convention facilities and city officials to stage secure events
By Cheryl-Anne Sturken
Photograph by Joseph Pluchino
http://www.meetings-conventions.com/issues/0902/features/feature1.html

In the summer of 1968, a young police cadet in Chicago was just starting to learn the ropes while antiwar protesters and baton-wielding patrol officers clashed in downtown Chicago. Charles Ramsey did not take part in the notorious street battles associated with the Democratic National Convention that August, but the experience left an impression on him that would help steer his career.

Today, as chief of police for Washington, D.C.’s Metropolitan Police Department, Ramsey works proactively to prevent such mayhem. Lessons learned preserving the peace at high-profile events in the nation’s capital have made him a nationally respected consultant on how to handle crowds and provide security at meetings of all kinds.

“Our goals are always the same,” Ramsey says. “We want to protect the rights of conference attendees to participate in their meetings — and protect the freedom of any demonstrators to exercise their Constitutional rights.”

Of the thousands of events held annually across the country, relatively few are of a nature apt to incite protests. Yet, many citywides that draw attendees by the thousands — or tens of thousands — do need law-enforcement assistance in areas like traffic control and on-site security. For planners of these mammoth events, a city’s local police department becomes a crucial partner, from the early stages through the event’s conclusion.

Start early

“It is absolutely critical to involve the security expertise of the local police force from the very beginning,” says Cynthia Beckman, chief operating officer of conventions and meetings for the Washington, D.C.-based Biotechnology Industry Organization.
Beckman has been conferring with Chief Ramsey since this past June in planning her group’s annual convention, known as BIO 2003, to be held in the capital next June. “Early planning negates the need for a request for emergency police assistance,” she says, noting that additional security can be expensive.

Lt. Eric Rubin of the Denver Police Department knows all about the strategic value of early planning. This past May, he coordinated law-enforcement measures when the city hosted the biennial conference of the Paris-based International Chamber of Commerce — an event for which his department spent a full year training. ICC drew 600 delegates from around the world; it also drew 1,000 protesters. Some 700 police officers worked around the clock in 12-hour shifts, covering a three-block radius around the Denver Marriott City Center hotel, where the delegates were housed.

“It took time to get everything in place,” recalls Rubin. “There was a lot of paperwork; everything had to be in writing. We planned for the worst and hoped for the best — and that’s what we got. Not a single arrest was made.”

First steps

The planners’ initial point of contact should be the head of security at the convention center. This person is directly plugged in to the community and its various law-enforcement factions. “From the start, convention center officials and staff are an integral part of the security plan,” says Beckman. “We create strong relationships with them to efficiently share information and increase awareness of potential problems.”

In these initial conversations, says Gladys Jones, head of security for the Washington (D.C.) Convention Center, “We will ask a number of questions and then determine the event’s threat level. Then we will tell you, ‘This is your threat level, and this is what we feel comfortable with having in place.’”

After meeting with Beckman and her staff earlier this year, Jones flew to Toronto in June to observe how that city’s police handled the BIO 2002 convention. Having firsthand knowledge of an event is critical to formulating a plan, says Jones, who even attended seminars at the convention to get a feel for issues the group was facing.

The convention center’s security expert also knows which local and state law-enforcement agencies have jurisdiction at the facility. “Most people don’t realize that because our convention center lies within the district of the Port of San Diego, the harbor police force has jurisdiction over it,” says Carol Wallace, president and CEO of the San Diego Convention Center. “But the center sits in the city, so planners also have to work with the San Diego Police Department on security issues.”

At times, an outside law-enforcement agency might need to be involved, says Don Ahl, director of safety and security for the Las Vegas Convention & Visitors Authority. For instance, for the Shot Show, a trade event for hunters and ammunition makers, there might be issues to be discussed with the Bureau of Alcohol, Tobacco and Firearms, he says.

History matters

“We exchange an incredible amount of information with the police,” says Jack Wilkerson, vice president of business and finance and convention manager for the Nashville, Tenn.-based Southern Baptist Convention. “I keep very detailed historical reports on the security aspect of every one of our conventions — who protested, what group did what, how many there were.”

Wilkerson expects protesters — the level of disruption is what he aims to control. During the SBC’s annual convention in St. Louis this past June, 12 protesters condemning the religious group’s conservative social positions infiltrated the America’s Center and disrupted the president’s keynote speech before a gathering of 9,000.
The dozen antagonists were immediately arrested by police on hand, as were 38 others creating a disturbance outside the center.

In the process of sharing information, planners should never assume any detail is inconsequential, sources agree. Think beyond mere numbers, dates and the agenda. Even if the event itself is not a target of protests, a controversial speaker, attendee or exhibitor might well be. “Some of the things I need to know about a group are how they perceive themselves, whether the CEO has ever received threats and what it is that they perceive as a threat,” says Gladys Jones.

“We have a mandatory meeting with the Las Vegas Metropolitan Police to let them know who is attending our event and who might attract attention,” says Ernae Mothershed, a spokesperson for the Woodland Hills, Calif.-based Men’s Apparel Guild in California. Mothershed’s group meets twice a year in Las Vegas for a four-day trade show that typically attracts from 80,000 to 100,000 attendees and exhibitors, along with many celebrities. “We tell the police if media is coming and if any of the celebrities are bringing their own security,” Mothershed adds.

Such details are critical to police. “We always want to be prepared,” says Sgt. Justin McCaffrey, in the intelligence division of the New York City Police Department. “We never want to scramble.” McCaffrey was involved in planning elaborate security for the World Economic Forum, which the Big Apple hosted without incident this past February.

Creating a plan

“As a meeting planner,” says BIO’s Cynthia Beckman, “it is my responsibility to ensure that our security plan is based on a thoughtful, complete risk assessment.” Such assessments are developed by local law enforcement in a variety of ways.

• Agency networking. Many cities establish special-event task forces to develop and monitor security plans for sensitive events. Some, like San Diego and Washington, D.C., coordinate the task force’s efforts through the mayor’s office.
Others, such as Las Vegas, maintain an events team on the police force. San Diego’s Mayor Dick Murphy created a task force of representatives from a dozen city agencies to develop a security plan for both the BIO 2001 event and the 2000 Republican National Convention. Mandatory monthly meetings were held in his office.

In Washington, D.C., some three dozen local, federal and specialized agencies are part of a special-event task force created by Mayor Anthony Williams. Says Peter LaPort, director of emergency management for the city and leader of the task force, “We will advise you of all the hurdles and hoops you have to jump through.” A former New York City deputy commissioner who lost several colleagues and friends on Sept. 11, LaPort says the tragedy has created a much more “intense interaction” between his and other agencies. “We even have a representative from the hotel association, because they are now part of the disaster recovery plan for the city, as is the convention center.”

For his part, D.C.’s Mayor Williams is aiming to add a greater medical element to the task force. “We are working closely with the private sector medical organizations that are vital to responding to an emergency, such as the American Red Cross and the Washington Area Hospital Association,” he says.

• Intelligence gathering. Local law enforcement does not rely entirely on the information provided by event coordinators; the agencies often research an event’s history themselves. “A group will tell you what happened internally at the convention center,” says Capt. Terry Sult of the Charlotte-Mecklenburg Police Department in Charlotte, Va., “but we will check with the police departments of other cities where a group has met to find out what happened externally.”

“I hold regular conference calls with other police executives in the region to share intelligence and provide updates,” says Chief Ramsey, who last year unveiled D.C.’s newest tool in event security, the Joint Operations Command Center. “It is a crucial resource for collecting, evaluating, analyzing and disseminating intelligence and other information,” he says.

The Web, notes Lt. Rubin, is a valuable window on activist planning. “A significant number of groups with an ax to grind will blatantly advertise when and where they are protesting and encourage others to join them,” he says. “It’s their legal right, but it also helps us to understand what might occur and to be better prepared.”

• Community outreach. Critical to an event’s security, say police, is actively reaching out to a community to let citizens know what they can expect to happen. And that means reaching out to potential protesters as well, says Chief David Bejarano of the San Diego Police Department. “We are very candid with the protesters we identify. We tell them we recognize they have a Fifth Amendment right, but we make it clear that if they cross the line into criminal activity, we will take swift action,” he says.

• Accommodating protesters. Often, cities will establish designated areas outside the center where demonstrators can express their views. In San Diego, Chief Bejarano gave protesters at BIO 2001 an area “close enough to protest, but not close enough to disrupt the proceedings.” To coordinate who held court and when, his office spread the word that anyone could sign up for one-hour slots to address the crowd. “It was pretty peaceful,” says Bejarano.

• Setting the tone. A heavy police presence might deter protesters, but it also can work against the event. “You have to draw the line between being intrusive and being transparent,” says Dick MacKnight, assistant to the president at ICC’s Denver headquarters. “The Denver police did a wonderful job. You never felt like you were under siege or being guarded.”

• Using the force. Every city has its own particular rules governing law enforcement’s role at events. However, several areas generally require police approval and implementation.

• Traffic control. When several thousand conventioneers descend on a city, shuttles from the convention center to hotels can snarl traffic on already congested streets. Talk to police about attendee transportation plans; often, they’ll suggest alternative routes. “Sometimes the police will say, ‘You don’t want to go that route, because traffic gets backed up at that intersection at this time of the day,’” says the Southern Baptist Convention’s Wilkerson.

• Putting up barriers. Installing barricades outside the convention center might seem like a wise move, but there are a number of issues to consider — including exactly where, when and how they can be placed. For the ICC conference in Denver, the police erected barriers in a three-block radius around the Denver Marriott City Center. But because the perimeter fell within private property, the department had to get a signed release from every citizen affected.

• Permits. When staging a parade, using loudspeakers outside, setting off fireworks or serving alcohol in a public place, event producers must seek police assistance. “If your event is staying within the confines of the Jacob Javits Center, you don’t need any special permits,” says New York City’s Sgt. McCaffrey. “But if you want to have a parade on 10th Avenue and shut down some streets, you are going to need a permit.” Better ask early, he adds. “We won’t allow two events to take place at the same time, because it clogs traffic and stretches our resources. And many annual events have first right.”

• Post-convention police report. Ask the police to create a dossier on what services and security details they recommended and implemented for the event, along with their assessment of how the plan worked. This can be utilized in another city for a future event, saving the police there a lot of legwork.

Who pays for what

High-profile events can place a tremendous financial strain on a city. San Diego shelled out $3.5 million in police support for BIO 2001. The tab for Denver for the ICC conference came to $900,000. In deciding whether to host an event, city officials say they carefully weigh what they stand to gain. Chief Bejarano came under fire from San Diego media for his department’s hefty spending. Yet, he says, “There is a trade-off. When you host a major event, there is the benefit of a large number of dollars going back into the city.”

In fact, BIO 2001 generated about $14 million in hotel and sales taxes and conventioneers’ spending, says Scott Barnett, executive director of the San Diego County Taxpayers Association. Toronto’s Economic Development Commission estimated that BIO 2002 poured nearly US$20 million into city coffers. (No figures were available on what it cost in added police protection because of the event.)

The security needs of more mainstream events, however, are individually evaluated by police departments, who negotiate with the event organizer to determine who covers what.

• Protection with a price tag. “Security costs depend on risk assessment, the complexity of the program, convention center layout, hotel locations, off-site venues and the size of the police force,” says Cynthia Beckman. “The more on-duty police officers a host city will make available for the BIO meeting, the less our overall security costs.”

“We try to look at the size of the event and a whole host of dynamics,” says Capt. Sult in Charlotte, Va. “If we find there will be a traffic control issue, we may request the event organizers pay for the officers needed to handle that traffic. If something unforeseen happens, then we will absorb the cost.”

“Small events that want to hire off-duty police officers will have to pay for them themselves,” says Lt. Rubin. In Las Vegas, any request for police services, with the exception of covering protesters, comes out of a show organizer’s pocket, according to special-events officer Sgt. Linda Atkinson. “All of our overtime comes from whoever is sponsoring the event,” she notes.

• At no extra charge. Before spending money to have officers control traffic at peak convention hours or monitor an outdoor event, planners should find out what the local police are willing to provide at no cost. For instance, “We have a series of cameras set up around downtown whose initial use was crime prevention,” says Sult. “We have discovered they help us dramatically with traffic issues at the convention center. We can identify potential gridlock and then electronically adjust the traffic light.”

• Attendees on the alert. The better prepared attendees are, the smoother the execution of the security process. “We notify attendees to avoid any surprises,” says Beckman. “You want them to remember the importance of wearing their badges, of carrying photo identification and arriving early.”

Unreasonable demands

Law enforcement has to toe the legal line and balance public safety issues with a community’s best interests. The upshot: Some requests simply won’t be met.

• Searches. “We are not private guards,” says Lt. Rubin. “Everything we do must be based on Constitutional rights. We will not search people.”

• Door checks. “We are not going to put people at the door to check tickets,” says Sgt. McCaffrey.

• K-9 units. “If you have a high profile speaker, we might send a bomb-sniffing dog, but it is not guaranteed,” says McCaffrey. He suggests planners work with a security consultant who can provide that service. But, he cautions, think twice before insisting on it, because it will prove costly. “If the speaker comes at 8 a.m., the dogs will have to be in at 6 a.m. to check out the room, and then you will have to pay for a guard to seal off the room and guard it until the speaker comes,” says McCaffrey.

• Street closures. “We will never allow the Strip to be blocked off,” says Sgt. Atkinson of Las Vegas. And, she adds, street closures come with their own sub-requirements that need to be considered, like permits for portable toilets and fees for litter collection.

• Police escorts. “Unless you’re the president, you don’t get a blue light escort,” says Capt. Sult. “And we never make parking-regulation exceptions. People are always asking us to look the other way — and we don’t.”

***** How to: Internet anonymity for Linux newbies *****
By Thomas C Greene in Washington
28/08/2002 - https://theregister.co.uk

One of the most attractive things about Linux is the number of installation options one is presented with and how tempting it is to customize. But for a newbie, in terms of Web security and PC hygiene, that's also the worst thing about it. The fact is, Windows is easier than Linux for a casual user to make fairly secure, whereas Linux is easier than Windows for a power user to make very secure.

For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say.

Fortunately, Linux is a wise investment; you already have, or can easily find for free, virtually everything you need to make it secure. There's no need to buy hundreds of dollars' worth of security utilities and services, though you do need to learn how to use what you've got.
But before we get to the Internet security matters promised in the headline, we have some housecleaning to do.

Options up the butt

For those just getting started with Linux, it's easy to end up with a number of unnecessary services and daemons running, some (not all) of which may make your box less secure. You've got IRC servers, telnet servers, print servers, font servers, mail servers, remote admin servers, Web servers, FTP servers, you name it. The installation options can be overwhelming; and if you're new to all this, it's a safe bet that you've got a few things going that you're not even aware of.

The first thing I'd recommend is running a security scanner like SAINT or Nessus, which are typically packaged free with many distros, against localhost. This can reveal a number of things you never imagined you had available on your machine.

Most distros also have some sort of GUI control interface which will make it reasonably easy to turn off what you don't need. With SuSE, the distro I prefer, this is called the 'runlevel editor', available via the YaST2 control center. It likely has the same or a similar name in the distro you're using. Alternatively you can have a look at /etc/init.d and peruse a list of what's being loaded (just make sure you know exactly what these scripts do before you start editing or deleting).

Shutting off unnecessary services is the most basic first step in tightening up your machine, so take a good look at what you've got, and get rid of the extraneous nonsense. If you don't know what something is, Google on it and get hip.

Users are safer

One simple thing you can do to avoid remote compromises is to stay off the Net when you're in the root account. Running IM and IRC clients as root is positively self destructive. Ditto for opening mail attachments and HTML mail as root.
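As an added example (ours, not from Greene's article), here is a small shell audit of what the 'Options up the butt' section tells you to look for: which services are listening on addresses that anyone on the network can reach, as opposed to loopback-only ones. It parses the table printed by the modern `ss -Hlntu` (the `netstat -lntu` of the article's era prints a comparable table), but so that it runs offline it is fed a constructed sample. The allowlist, the sample and the function names are our own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: report listening sockets
# that are reachable from the network and not on a short allowlist.

# Hypothetical allowlist of ports the user has decided to keep (space separated).
ALLOWED_PORTS="${ALLOWED_PORTS:-22}"

# Constructed sample of `ss -Hlntu` output: Netid State Recv-Q Send-Q Local Peer.
# A real run would use: exposed_listeners "$(ss -Hlntu)"
SAMPLE_LISTENERS='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 5    127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:6667    0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:7100    0.0.0.0:*
tcp   LISTEN 0 128  [::]:80         [::]:*'

# Print "<proto> <port>" for every socket bound to a non-loopback address
# whose port is not allowlisted. Loopback-only sockets (127.x / [::1]) are
# skipped: they cannot be reached from the network.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            addr = $5
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
            port = addr
            sub(/.*:/, "", port)          # keep only the part after the last colon
            if (!(port in ok)) print $1, port
        }'
}

# Human-readable report for the reader to look each entry up and disable it
# through the distro's runlevel editor or /etc/init.d.
audit_report() {
    exposed_listeners "$1" | while read -r proto port; do
        printf 'review: %s port %s is reachable from the network\n' "$proto" "$port"
    done
}

audit_report "$SAMPLE_LISTENERS"
```

On the sample above, the telnet (23), IRC (6667), font server (7100) and Web (80) listeners are reported; ssh (22) is allowlisted and the CUPS print server on 631 is skipped because it only listens on loopback. The port-to-service guesses are for the reader to confirm, which is exactly the 'Google on it' step the article recommends.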
By choosing Linux you've already made yourself a lot less likely to get infected by a worm or virus or a malicious script than a Windows user, so be sure to maximize that advantage. Do all your on-line business from a user account, and save the root account for off-line tweaking and tinkering.

Of course this discipline means little if your file permissions are sloppy. There are lots of commands you can issue from the shell which are relevant here, but since we're assuming a relative newbie, we'll try to avoid too much of that. For those interested in what's possible from the command line, I recommend the book "Linux in a Nutshell" (pun apparently intended) from O'Reilly Publishing. It's an excellent desk reference of shell commands. Of course, just by typing a command followed by --help you'll get the same information, but it is nice to have it all compiled in a handy hardcopy form.

There are a couple of ways you can set permissions with the GUI and save yourself a lot of repetitive typing. One is to use Krusader or Nautilus and simply right-click on a directory, and go to 'properties'. If you're root, you can make sure that user a can't access user b's files. But don't go wild here: there are numerous directories, config files, executables, etc., that users need access to for Linux to run properly.

If you're at a loss to select which directories and files need strict permissions and which don't, then your distro probably has some sort of interface with a menu of pre-set rules which you can choose from and apply globally as root. This will usually be called something like 'security settings', and the options will usually be named something like 'easy, secure and paranoid'. 'Secure' is probably as far as you need to go. Chances are this will forbid root logins except via the command line, so it's best to get all your tinkering done beforehand in the root GUI account, where things are more familiar to recovering Windoze users.
After that, you'll have to open a shell or supply the root password to the distro's 'control center' from your user account. This is definitely the right way to run a Linux machine so long as you're basically satisfied with how it's set up.

In many households, several people may have user accounts on the same box. Consider carefully whether these people are friends, or mere flatmates and acquaintances. If you're using a machine you don't own, then you have to ask yourself whether or not you trust the owner. If you don't trust root personally, then don't use his kit for anything you wouldn't document and publish freely. Root knows everything you do on his machine. Worse, and far more likely, he may be a well-meaning idiot who maintains a totally insecure machine connected 24/7 to the Net.

Conversely, if you are root and the box is shared, make sure you trust the people using it. Giving a user account to someone you're sketchy about is a security risk, much like leaving them in your office or bedroom unsupervised. They may know more than you about how to compromise a machine from within, which is a lot easier than compromising it from without.

The best thing to do with a shared machine is to encrypt files you want to keep private. So get familiar with GnuPG. Just remember that root has access to your private and public keys, and can run a keystroke logger on the box and get your crypto passphrase. So as I said, if you don't trust root, don't use his machine for anything private. Period. Is he a mere acquaintance? Is he a loyal little soldier of your employer? Then screw him. Crypto is useless in that situation. Ditto for all computer equipment you use at work, in public libraries, or Internet cafes.
On the other hand, if you're the machine's owner and you trust your users, or you're a user and you trust the owner, then you should encrypt, though you must be careful to choose a strong passphrase: a nice, long one combining upper and lower-case letters, numbers and special characters. Use a phrase that's easy to remember but extremely difficult to guess or bruteforce. I recommend using a short, grammatically-valid sentence that makes no sense, like 'sleazy bricks applaud sideways'. Now misspell some of the words and substitute characters in a way that's easy to remember, so it looks something like this: 'sl33Z1E bR1@k$ apPL4ud s!d3w^yz'. Note that we've substituted numbers and special characters that, at least vaguely, resemble the letters they're standing in for to make it easier to memorize.

You should also make a backup of your GPG keys and revocation certs, and store that on removable media in a safe place. It's also a good idea to submit your public key and, if ever necessary, your revocation cert, to a keyserver. If you don't know what I'm talking about, then follow that GnuPG link above and start reading. This is a good thing, and it's free. Use it.

Your account passwords, especially the root password, should be long and hard, and you should use MD5 encryption for them and set a time of ten or fifteen seconds between unsuccessful logins to prevent brute force and dictionary attacks (you'll find these options in the 'security settings' interface). Don't use a root password of fewer than ten characters, and always combine upper and lower-case letters, numbers and special characters.

But since there are a number of ways into any machine, the most important thing of all is your crypto passphrase. Put the time and effort into devising and memorizing one which, like our example, is very troublesome to crack. And make sure you have strict file permissions on the .gnupg directories. Only root and the specific relevant users should have access.
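Added example (ours, not from the article) for the two rules this section closes with. `check_gnupg_perms` reports a .gnupg directory that is not mode 700, or keyring and config files inside it that are not mode 600, which is the condition GnuPG itself flags as unsafe permissions; `fix_gnupg_perms` applies those modes. `passphrase_meets_policy` tests a candidate against the article's minimum of ten characters mixing upper- and lower-case letters, digits and special characters. The three function names are our own; the character-class rule is a floor, not a strength measure, so a long nonsense sentence like the article's example still beats a short string that merely passes the check.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Report every path under the given .gnupg directory whose mode is looser
# than GnuPG expects: 700 for the directory itself, 600 for the files in it.
# Returns 0 when everything is strict, 1 (and a list) otherwise.
check_gnupg_perms() {
    dir="$1"
    loose=$( {
        find "$dir" -prune -type d ! -perm 700 -print   # the directory only
        find "$dir" -type f ! -perm 600 -print           # keyrings, gpg.conf, ...
    } )
    if [ -n "$loose" ]; then
        printf 'loose permissions:\n%s\n' "$loose"
        return 1
    fi
    return 0
}

# Apply the strict modes (the equivalent of right-clicking the directory in
# Krusader/Nautilus and removing every permission for group and others).
fix_gnupg_perms() {
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# The article's minimum for a root password or passphrase: at least ten
# characters with upper-case, lower-case, digit and special characters all present.
passphrase_meets_policy() {
    p="$1"
    [ "${#p}" -ge 10 ] || return 1
    printf '%s' "$p" | grep -q '[[:upper:]]' || return 1
    printf '%s' "$p" | grep -q '[[:lower:]]' || return 1
    printf '%s' "$p" | grep -q '[[:digit:]]' || return 1
    printf '%s' "$p" | grep -q '[^[:alnum:]]' || return 1
    return 0
}

# Stand-alone run: check the caller's own keyring directory if it exists.
[ -d "$HOME/.gnupg" ] && check_gnupg_perms "$HOME/.gnupg"
```

Run `check_gnupg_perms ~/.gnupg` from the user account that owns the keys; when it lists files, `fix_gnupg_perms ~/.gnupg` tightens them in one go.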
Hygiene

Every computer collects files the way a kitchen drawer collects junk. Over time, many of these become irrelevant, yet they may contain information one would like to keep private. A good rule of thumb is: never encrypt when you can wipe. The last thing you need is a directory full of useless, irrelevant files. This only makes it more time-consuming to manage sensibly the ones you do need. Go through your personal files regularly and use a proper wipe utility to erase the ones you no longer need. Understand that deleting is nothing: rm only unlinks the name and frees the blocks, and the data sits on the disk until something happens to overwrite it. To get rid of a file you have to wipe it, that is, overwrite it before unlinking it. Those files you wish to archive should be encrypted and copied to a separate directory or removable media, and their originals wiped. The easiest way to do a proper wipe is using Krusader or Nautilus and selecting 'shred' instead of 'delete', or simply running GNU shred from the command line: shred -u filename overwrites the file and then removes it. Bear in mind that a wipe overwrites the file in place, so it does nothing about copies, backups or your editor's temp files, and the shred manual page itself warns that it cannot be relied on where the filesystem does not rewrite blocks in place (journaled data, compressed or snapshotting filesystems). Another notorious junk collector is the Linux swap partition, a holdover from the days when RAM was expensive and difficult to buy in fat chunks. It's possible to encrypt it, but probably a bit over the top for a primer like this and certainly a performance damper. A simpler approach is to do away with it. I'm running a 2.4.18 kernel with 512MB of RAM and no swap partition, and I can't detect any performance hit. Indeed, if anything the system runs better than it did. If you can afford it, and nowadays it's easy, I recommend strapping on extra RAM and just not swapping memory to disk. You never know what's going to end up there, or how long it's going to remain. Crypto programs are supposed to lock the memory they hold keys and passphrases in (with mlock) so that it is never swapped out. So what? Are you absolutely certain there's no way the designers of the program you're using could have made some obscure mistake which in turn could leave traces of crucial data in the swap partition? I didn't think so.
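Here, as an added example and not something from the original article, is that routine as a pair of shell functions: wipe_file overwrites a file in place before unlinking it (using GNU shred when it's installed, otherwise dd), and wipe_older_than sweeps a directory for files untouched for a given number of days and wipes them. The directory and age are whatever you pass in. The same limitation applies to it as to any in-place wipe: it destroys the bytes in the file's own blocks and nothing else.

```shell
#!/bin/sh
# Added example, not from the original article: wipe instead of delete.
#
# wipe_file FILE        overwrite FILE in place, then unlink it
# wipe_older_than DIR N overwrite and unlink every regular file under DIR
#                       not modified in the last N days; prints how many
#
# Caveat (from the shred manual, not specific to this script): overwriting in
# place only destroys data when the filesystem rewrites blocks in place. With
# journaled data, snapshots, compression or copies/backups of the file, the
# old bytes may survive elsewhere.

wipe_file() {
    f=$1
    [ -f "$f" ] || return 1
    if command -v shred >/dev/null 2>&1; then
        # GNU shred: three random passes by default, -z adds a final pass of
        # zeros so the wipe is less conspicuous, -u unlinks the file afterwards.
        shred -u -z -- "$f"
    else
        # Fallback: dd with conv=notrunc keeps the existing blocks and
        # overwrites them (rounded up to whole 4 KiB blocks), then unlink.
        size=$(wc -c < "$f")
        blocks=$(( (size + 4095) / 4096 ))
        [ "$blocks" -gt 0 ] || blocks=1
        for pass in 1 2 3; do
            dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        done
        dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        rm -f -- "$f"
    fi
}

wipe_older_than() {
    dir=$1
    days=$2
    n=0
    # -mtime +N matches files last modified more than N days ago. The
    # here-document keeps the loop in this shell so the count survives.
    # Filenames containing newlines are not handled.
    while IFS= read -r f; do
        wipe_file "$f" && n=$((n + 1))
    done <<EOF
$(find "$dir" -type f -mtime +"$days")
EOF
    echo "$n"
}
```

Something like wipe_older_than ~/scratch 30 from a weekly cron job keeps the kitchen drawer empty without you having to remember. Point it only at directories you have deliberately set aside for junk; it does not ask before wiping.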
The IP battle zone

Now you've purged your Linux box of unnecessary daemons, you've set your file permissions sensibly, you're working happily from a user account, and you've got encryption protecting your digital sanctum sanctorum. It's time to protect yourself from worms and rootkits and malicious sites and evil scripts and the on-line pestilence of kiddiots trying to break into your box, and Web merchants who couldn't secure a bowling ball much less your personal data on their lame II$ machine, and nosey Feds and incompetent ISPs and so-called 'Trust Authorities' who have idiotically sold digital certs to hackers. Maybe you should buy a hardware firewall, or an Intrusion Detection System (IDS), or an e-mail virus scanner, or an anonymous proxy service? Or maybe you should just use your head and stop worrying. Here's how: there are two things you need to have, and two things you need to do. The first thing you need to have is a packet filter, otherwise known as a firewall. Well, you've got one: in the 2.2.x kernel it's called ipchains and in the 2.4.x kernel iptables. The frontends are called Bastille on Mandrake (which adjusts other security options as well) and SuSEfirewall2 on, what else, SuSE. (Most everyone can use Bastille, by the way.) I don't play with Dead Rat, so you guys will have to figure out what yours is called. Now configure it so that the default policy for incoming traffic is to drop it, let in only the replies to connections you opened yourself, and open nothing else unless you're running a server (and if you're a newbie you really shouldn't be doing that just yet). The next thing you need to have is a proxy. Quite simply, a proxy is a remote machine through which you connect to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs. There are huge lists of free public proxies you can use, but most will be dead by the time you find them. Just Google 'free proxy list' and you'll find them easily, for what that's worth.
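Here, as an added example that isn't from the original article, is what 'shut off everything' looks like as an iptables ruleset for a 2.4-kernel workstation, in the format iptables-save writes and iptables-restore reads. The interface name ppp0 is an assumption (substitute eth0 or whatever faces the Net), and the rules assume the 'state' and 'limit' match modules from the 2.4 netfilter tree.

```conf
*filter
# Policies: drop anything arriving or being forwarded that no rule accepts;
# let this box's own outbound traffic through. A default of ACCEPT with a
# few DROP rules sprinkled on top is the weak setup this replaces.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must stay open or local services and ssh -L forwards (which bind
# to 127.0.0.1) stop working.
-A INPUT -i lo -j ACCEPT
# Packets belonging to, or related to (ICMP errors, FTP data), connections
# this machine opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else arriving from the Net is a new inbound connection attempt:
# log it, rate-limited so a port scan cannot fill the disk, then let the
# INPUT policy drop it. ppp0 is an assumption; use your Net-facing interface.
-A INPUT -i ppp0 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
```

Load it as root with iptables-restore < workstation.rules and check with iptables -L -n -v. Nothing on a workstation listens to the Net, so nothing needs a hole; if you do run a service later, add an explicit -A INPUT -p tcp --dport N -j ACCEPT line above the LOG rule rather than loosening the policy. The frontends mentioned above generate something equivalent; this is just what's underneath so you can read what they wrote.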
I like a SOCKS proxy when I can get one because they're non-caching and a lot of IP clients support them. But they're very hard to find and they never last long. Once they start getting popular the admins always figure out why their bandwidth use is going through the roof and password-protect them. Bastards. On the other hand, HTTP proxies can be chained for additional Web anonymity. This is accomplished by constructing a URL thus and copying it into your browser's address field:

http://firstproxy:portnumber/http://secondproxy:portnumber/http://thirdproxy:portnumber/http://www.destination.com

There are no spaces in the above configuration. It only works with proxies that treat the rest of the URL path as the next address to fetch (CGI-style Web proxies); an ordinary HTTP proxy will just hand you an error. Note too that every hop in the chain sees the full URL, destination included, so the chain hides your IP from the destination, not your destination from the proxies. This can be done in addition to any proxy you've loaded in your browser normally with its setup options. Take a look at this older article, related to Windows, in which finding and using proxies is elaborated. The information is fairly general, and may well be of value to a Linux user. Because public proxies are uncertain, this is one area where spending a bit of money may be worthwhile. Anonymizer.com has a proxy service which uses SSH tunneling, which, unlike most security services, is IMHO worth the investment. Here's how it works: you use SSH (Secure Shell) to log in to Anonymizer's proxy server. This means that your ISP can't sniff your traffic to the proxy effectively because it will be encrypted. Once you're on the proxy, everything you send and receive from it will be anonymous. Only Anonymizer.com will be able to associate you with the data you've sent and fetched. That's not perfect, but it's not bad. They have a serious financial interest in protecting your anonymity. I would assume that they'd only respond to a court order signed by a judge. If they blow that, and it gets out, they'll be out of business in a heartbeat. Unfortunately, they have little in the way of Linux support available, but through trial and error I've managed to use this service successfully.
You can forward ports to the Anonymizer proxy and use SSH tunneling for your HTTP, FTP, POP and SMTP clients. The way to log in is to open a shell and type [ssh -2 -L 80:cyberpass.net:80 -L 25:smtp.yourmail.com:25 -L 110:pop.yourmail.com:110 cyberpass.net -l yourname], where yourname is your login name on the Anonymizer proxy at cyberpass.net (-l gives the user name, not the password; ssh prompts for the password once it connects). Because local ports below 1024 are privileged, as written this has to be run from a root shell; forward to high local ports instead (say 8080, 2525 and 1110) and the same command runs from your ordinary user account, which is where you should be working anyway. Now you need to set up your e-mail client and browser to use these forwarded ports. For the browser, in proxy settings, enter a proxy of localhost and the local port you forwarded for HTTP and FTP (80 as written above). In your FTP client, do the same. In your mail client, in 'network', enter localhost and your forwarded SMTP port (25 above) for SMTP and localhost and your forwarded POP port (110 above) for POP. Now you should be cool. Ah, but as for your IRC client, pray. You can select an HTTP proxy, but it probably will fail. My favorite Linux IRC client is Xchat, but it returns the error 'proxy traversal failed' when I use it in conjunction with the Anonymizer HTTP proxy. I e-mailed the x-chat guy z@xchat.org and/or zed@xchat.org asking for insight, but he or she neglected to reply. Perhaps you should email them too and ask what's up. On the other hand, ICQ seems to have no problem with this, if you're using Gaim, for example. IRC will fail, but ICQ will accept the proxy. That's a good thing -- not a perfect thing, but a good thing. Once you've got this proxy set up and running with SSH and port forwarding, you can use your browser with the Anonymizer Web proxy and their anonymous e-mail for an extra layer of distance from the Net. I've been using the service for several days now, and I like it. That's all I'm saying. Whether you should too is not my call. There's one item causing me some concern which I must reveal.
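Added example, not from the original article: the same tunnel as an ~/.ssh/config entry using unprivileged local ports, so it runs from a user account rather than a root shell and you don't have to retype the -L options every time. cyberpass.net is the Anonymizer host named above; yourname, smtp.yourmail.com and pop.yourmail.com are placeholders, and the local port numbers are my choices.

```conf
# ~/.ssh/config entry. Start the tunnel with:  ssh -N anon
# (-N: no remote command, just hold the connection open for the forwards)
Host anon
    HostName cyberpass.net
    User yourname
    # Local ports above 1023 need no root. Point the browser's HTTP and FTP
    # proxy at localhost:8080, SMTP at localhost:2525 and POP at localhost:1110.
    LocalForward 8080 cyberpass.net:80
    LocalForward 2525 smtp.yourmail.com:25
    LocalForward 1110 pop.yourmail.com:110
    # Forwarded ports listen on 127.0.0.1 only. Leave GatewayPorts off on a
    # shared box or a LAN, or everyone else gets to ride your tunnel.
    GatewayPorts no
```

Two things to keep in mind. First, the mail forwards go from the proxy host to your mail servers in the clear; only the leg from you to cyberpass.net is encrypted, exactly as the article says. Second, anything the browser sends that isn't covered by a proxy setting (HTTPS, for instance, if you only filled in HTTP and FTP) goes out directly, which is one way a test site can still see your real address.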
While surfing the Net with an SSH connection to the Anonymizer proxy at cyberpass.net, with Java and JavaScript disabled in my browser, but not using the Anonymizer Web proxy, I found that ShieldsUp at grc.com and its mighty nanoprobes were able to get my true IP address because there's no SSL support so far as I know. For browsing I can always use the Anonymizer Web proxy, fine. But for the rest of my services I want to know that the SSH proxy alone is secure. After experimenting with it for a few days, I'm not confident that it is. Nevertheless, I like it. I just don't trust it completely, and neither should you. So much for the two things you need to have. Now let's discuss the two things you need to do. The first thing you need to do is disable Java and JavaScript in your browser, and HTML rendering in your e-mail client. Unlike Windows, Linux makes this easy. It will leave you safe from a vast number of malicious scripts. From time to time it will be necessary to enable Java and Javascript for access to certain Web sites. Turn it on when you need it, and turn it off when you're finished. Think of it as a tax on your Internet security. Always keep it off unless you need it, or use a Web proxy which supports it. The second thing you need to do is shut off your modem when your box is not in active Internet service. There are reasons why you might want to leave the machine running 24/7, all right; but there's no reason to leave it connected to the Net when you go away on holiday. We satirized the PathLock Internet timer; but that doesn't mean there's no reason to disconnect from the WibblyWobbly when it's of no use to you. Make it a habit. As for your browser, run it tight. Don't allow Java and JavaScript except where necessary; don't allow the browser to save form-data; don't allow it to save passwords to important sites like your bank. Wipe your cookies, browser cache, URL history and typed URLs regularly. Never add a kiddie-porn BBS to your bookmarks. 
Get my drift?

Paranoia without anxiety

It's healthy to be paranoid, but grossly unhealthy and quite unnecessary to be riddled with anxiety. By using common sense and layers of protection, you can make yourself an unattractive target. By being paranoid in a healthy way, I mean quite simply that you must never trust anything. I definitely don't mean 'be afraid'. There's a whole anti-virus and computer-security indu$try devoted to frightening you with constant reference to imminent threats to your on-line privacy and integrity. It's very much in their financial interest that you be frightened at all times and that new threats surface regularly to revive that profitable public anxiety as older threats fade into memory. Who gives a shit about Melissa? Phear nimda... And all the while, the word these parasites throw around most often is 'trust'. I'll pay fifty dollars US (no shit) to the first Reg reader who forwards me an unedited press release from a security vendor in which the word 'trust' is absent. But here's the truth -- the kernel of the security industry's filthy little secret: the only reason you're vulnerable is because you trust. So for God's sake stop doing it. Don't trust your firewall; don't trust your proxy; don't trust crypto; don't trust SSL or SSH; don't trust your software vendor; don't trust files you get from anywhere, including your friends and 'official' download sites; don't trust patches; don't trust your file-wipe utility. Hell, don't trust me. Trust only what you're absolutely certain of. In the past month or two we've seen a back-doored version of SSH; we've seen that SSL, universally trusted for secure Web transactions, is vulnerable; we've seen a PGP plugin for Outlook that coughs up your passphrase, not due to a flaw in the algorithm or cryptosystem, but because the application is susceptible to a buffer overflow. We've also seen a man-in-the-middle attack against PGP and GPG.
You've got three layers there, algorithm, cryptosystem and application, any one of which might be broken in any number of ways. Do you know how to spot a flaw in a complex piece of software like that? I didn't think so. And then of course there are key loggers, packet sniffers, Trojans, rootkits, and the 0-day remote exploits which only a handful of people know about and for which there are no patches, and for which there may never be any patches.

Stop the insanity

By all means use security utilities, but never trust them fully. Layer them, apply common sense, and always assume that no matter what you do, there will always be several ways to compromise your privacy and security. The whole game is to leave the smallest footprint possible on the Web, never to trust other people's equipment, and to make your box a pain in the neck to crack so that ninety-five per cent of attackers will simply move on to one of the millions of easier targets hooked up out there. But be assured that nothing will make a compromise impossible except keeping your computer in a locked, heavy-duty vault with no Internet access, which of course is no fun at all. But to compute and to surf the Web without anxiety, there's an easy answer: simply refuse to trust your machine, any network whether local or remote, any security device or service, any crypto scheme, any Draconian laws against hacking, any ridiculous claims of 'Trustworthy Computing', any shiny digital certificate, any 'Trust Authority', any local client, or any remote host with any scrap of data you simply can't afford to lose control of. Now you're paranoid in a healthy way, and blissfully free from anxiety. Your computer, his network server, their shopping cart -- these things aren't the digital equivalent of bank vaults. So don't listen to the marketing-department drivel about how 'secure' these things can be made.
Never -- absolutely never -- treat these things as if they were the digital equivalent of bank vaults, and move on and enjoy your life. You'll find that the air smells fresher, that food tastes better, and that you wake every day with more energy and confidence than you've had in years. If you're sensible and cautious, applying the common-sense suggestions we've just considered, the odds against getting compromised will be very much in your favor. But just remember that, regardless of the odds, it's mad to wager something you can't afford to lose. Your credit-card number is no big deal: your total liability is fifty bucks and you can get a new one in a week or so. Your credit card number, Social Security number, name, date of birth and address packaged all together is a far greater worry, so never give out more information than absolutely necessary to complete a transaction. Never allow merchant sites to store such information. If they insist on it, do business elsewhere. Don't let your browser save form data, or passwords to important Web sites like your bank. Use a packet filter and a proxy. Wipe your browser history, URL history, page cache and cookies regularly. If your browser doesn't make all of those steps easy for you, use a different one. You've got the power of the Penguin behind you; you've got alternatives. Shop around for a good browser. Personally, I like Mozilla. That doesn't mean you have to. Now tighten up that machine, get on-line, and relax and enjoy the ride.

Security-news note: We've removed a paragraph at the end here which advises people not to even bother using crypto on a laptop because it might get stolen. That's exactly the reason *to* use crypto on a laptop - so that if it gets stolen, your user data at least remains unintelligible to the thief.

***************************************************************
Security-news
Good computer security is no substitute for good sense!
To sub or unsub - http://resist.ca/mailman/listinfo/security-news ***************************************************************