The Edward Snowden guide to encryption: Secret 12-minute homemade video

  • Snowden made video to teach reporter how to speak with him securely
  • It explains how to use Public Key Encryption to scramble online messages
  • Privacy campaigners call on ordinary people to learn how to use the method

Whistleblower: The tutorial Edward Snowden made for reporters on how to avoid NSA email surveillance has been made public for the first time

Ordinary people must learn to scramble their emails, privacy campaigners said today, as an encryption how-to video made by Edward Snowden was made public for the first time.

The former NSA employee who blew the whistle on the agency’s all-pervasive online surveillance made the video to teach reporters how to communicate with him in secret.

The 12-minute clip, in which Mr Snowden has used software to distort his voiceover, explains how to use free software to scramble messages using a technique called Public Key Encryption (PKE).

The video’s description on Vimeo says: ‘By following these instructions, you’ll allow any potential source in the world to send you a powerfully encrypted message that ONLY YOU can read even if the two of you have never met or exchanged contact information.’

Mr Snowden made the video last year for Glenn Greenwald in an effort to get the then-Guardian reporter to communicate securely with him online so he could send over documents he wanted to leak.

Viewers may find the video difficult to follow. Mr Greenwald himself admitted he wasn’t able to finish it. It took him seven weeks and help from experts to finally gather the expertise to get back to Snowden.

The video’s publication comes as more and more internet users are adopting encryption techniques after the alarm caused by Mr Snowden’s revelations about communications surveillance.

He leaked documents which showed the NSA and its UK counterpart GCHQ were able to spy on virtually anybody’s communications and internet usage, monitor social network activity in real time, and track and record the locations of billions of mobile devices.

There was outrage when it emerged that, contrary to promises the NSA made to Congress, these technologies were being used to track U.S. citizens without warrants and to tap the communications of leaders of allied countries.

One answer to the risks to freedom that such surveillance poses is to scramble online communications so that government agencies can no longer eavesdrop at will.

However, the encryption technologies currently available can be difficult to use and privacy activists have called on internet companies to include them in their products at the source.

Meanwhile, the campaign to end blanket surveillance continues as experts warn encryption tools are unlikely to make their way into the mainstream while internet firms continue to make their profits on the back of users’ personal information.


How-to guide: The video begins with a basic outline of the theory behind Public Key Encryption. It is voiced over by Mr Snowden, who has disguised his voice to avoid detection by NSA or GCHQ spies

Detailed: The video then explains how to use a free program called GPG4Win to scramble messages using Public Key Encryption then send them over Tor, software that allows people to use the internet anonymously

In Mr Snowden’s video, he explains how traditional emails are sent as plain text – unencrypted by default – across the internet, allowing anyone able to intercept them to easily read their contents.

‘Any router you cross could be monitored by an intelligence agency or other adversary [such as] a random hacker. So could any end points on the way there, a mail server or a service provider such as Gmail.

‘If the journalist uses a web mail service personally or it’s provisioned by their company, the plain text could always be retrieved later on via a subpoena or some other mechanism, legal or illegal, instead of catching it during transit. So that’s doubly dangerous.

‘The solution to that is to actually encrypt the message. Now one of the problems with encryption typically is that it requires a shared secret, a form of key or password that goes between the journalist and the source.

‘But if the source sends an encrypted file across the internet to the journalist and says “Hey, here’s an encrypted file. The password is cheesecake,” the internet is going to know the password is cheesecake.

‘But public key encryption such as GPG allows the journalist to publish a key that anyone can have based on the design of the algorithm, and it doesn’t provide any advantage to the adversary.’

The video goes on to specifically explain how to use a free program called GPG4Win to scramble messages using Public Key Encryption then send them over Tor, a piece of software that allows people to use the internet anonymously.

Its lessons, as well as help from experts, allowed Mr Greenwald to communicate securely with Mr Snowden to publish what has since been called the most significant leak in U.S. history. It has been made public to coincide with the release of Mr Greenwald’s book, No Place To Hide, in which he tells the story of the scoop.

Privacy campaigners told MailOnline today that all internet users should now be using encryption technology to preserve their privacy and maintain freedom of speech in the face of government spying.

Javier Ruiz, director of policy at the Open Rights Group, said: ‘Emails are like postcards and encryption is a tamper-proof envelope.

‘It’s probably obvious that journalists, MPs, doctors, lawyers or anyone transmitting confidential information online should always encrypt their emails to keep that information secure.

http://youtu.be/jo0L2m6OjLA

‘But since the Snowden revelations, more and more ordinary citizens are adopting encryption software to help keep their emails private.

‘If encryption is to be used on a mass scale, it will require companies like Google, Apple and Microsoft to embed encryption in their tools.’

But TK Keanini, chief technology officer at internet security firm Lancope, said that it was unlikely that major internet companies would begin including encryption functions in their services as standard.

‘PGP and similar programs are just too complicated for the masses,’ he said. ‘Managing key pairs, understanding revocation and all that stuff is too complicated for most, and thus adoption over the past 20 years has been limited to the highly technical – the uber geeks.

‘Now, if a service like gmail.com had an option in there to perform digital signing and encryption in a way that most people could use it, that would have a huge impact; but it will never happen because Google and other ‘free’ services make their money on the fact that your data is in the clear and they can use it to market services to you.

‘People need to understand that when people offer free services, you and your information are the payment.’

Mike Rispoli, a spokesman for Privacy International, echoed those sentiments, but added that there needs to be more pressure on government to stop them from snooping on the private lives of ordinary people.

‘It is critical that people use all technology at their disposal to keep their communications private and secure,’ he said.

‘We should all support the creation and widespread use of these tools. Ultimately, however, people should never have to do more or go to extra lengths to protect their rights.

‘This is why we need political, legal, as well as technological, solutions to ensure that our privacy rights are protected.

‘While people can use technology to empower themselves, we must also challenge the policies of Government and intelligence agencies to end the unlawful mass surveillance of people around the world.’

By DAMIEN GAYLE

 

via Dailymail.co.uk

VPN vs. SSH Tunnel: Which Is More Secure?

VPNs and SSH tunnels can both securely “tunnel” network traffic over an encrypted connection. They’re similar in some ways, but different in others – if you’re trying to decide which to use, it helps to understand how each works.

An SSH tunnel is often referred to as a “poor man’s VPN” because it can provide some of the same features as a VPN without the more complicated server setup process – however, it has some limitations.

How a VPN Works

VPN stands for “virtual private network,” – as its name indicates, it’s used for connecting to private networks over public networks, such as the Internet. In a common VPN use case, a business may have a private network with file shares, networked printers, and other important things on it. Some of the business’s employees may travel and frequently need to access these resources from the road. However, the business doesn’t want to expose their important resources to the public Internet. Instead, the business can set up a VPN server and employees on the road can connect to the company’s VPN. Once an employee is connected, their computer appears to be part of the business’s private network – they can access file shares and other network resources as if they were actually on the physical network.

The VPN client communicates over the public Internet and sends the computer’s network traffic through the encrypted connection to the VPN server. The encryption provides a secure connection, which means the business’s competitors can’t snoop on the connection and see sensitive business information. Depending on the VPN, all the computer’s network traffic may be sent over the VPN – or only some of it may (generally, however, all network traffic goes through the VPN). If all web browsing traffic is sent over the VPN, people between the VPN client and server can’t snoop on the web browsing traffic. This provides protection when using public Wi-Fi networks and allows users to access geographically-restricted services – for example, the employee could bypass Internet censorship if they’re working from a country that censors the web. To the websites the employee accesses through the VPN, the web browsing traffic would appear to be coming from the VPN server.

Crucially, a VPN works more at the operating system level than the application level. In other words, when you’ve set up a VPN connection, your operating system can route all network traffic through it from all applications (although this can vary from VPN to VPN, depending on how the VPN is configured). You don’t have to configure each individual application.

To get started with your own VPN, see our guides to using OpenVPN on a Tomato router, installing OpenVPN on a DD-WRT router, or setting up a VPN on Debian Linux.

How an SSH Tunnel Works

SSH, which stands for “secure shell,” isn’t designed solely for forwarding network traffic. Generally, SSH is used to securely acquire and use a remote terminal session – but SSH has other uses. SSH also uses strong encryption, and you can set your SSH client to act as a SOCKS proxy. Once you have, you can configure applications on your computer – such as your web browser – to use the SOCKS proxy. The traffic enters the SOCKS proxy running on your local system and the SSH client forwards it through the SSH connection – this is known as SSH tunneling. This works similarly to browsing the web over a VPN – from the web server’s perspective, your traffic appears to be coming from the SSH server. The traffic between your computer and the SSH server is encrypted, so you can browse over an encrypted connection as you could with a VPN.

However, an SSH tunnel doesn’t offer all the benefits of a VPN. Unlike with a VPN, you must configure each application to use the SSH tunnel’s proxy. With a VPN, you’re assured that all traffic will be sent through the VPN – but you don’t have this assurance with an SSH tunnel. With a VPN, your operating system will behave as though you’re on the remote network – which means connecting to Windows networked file shares would be easy. It’s considerably more difficult with an SSH tunnel.
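The per-application behaviour described above can be checked directly. The script below is an added example, not part of the original article: it opens the SOCKS proxy with the OpenSSH client, then compares the public address seen by a request that ignores the proxy with one that is configured to use it. The server name, port and IP-echo URL are placeholders to replace with your own.

```sh
#!/bin/sh
# Added example: SSH dynamic (SOCKS) forwarding plus a check that a given
# application's traffic really leaves via the SSH server.
# All three values below are placeholders, not taken from the article.
SOCKS_PORT="${SOCKS_PORT:-1080}"
SSH_HOST="${SSH_HOST:-user@ssh.example.org}"
IP_ECHO_URL="${IP_ECHO_URL:-https://ip-echo.example/}"  # hypothetical service returning the caller's IP

# -D opens a local SOCKS listener, -N runs no remote command, -f goes to the
# background after authentication. ExitOnForwardFailure makes ssh exit rather
# than stay connected without the listener if the port cannot be bound.
start_tunnel() {
    ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" \
        -o ExitOnForwardFailure=yes "$SSH_HOST"
}

# An application that was NOT told about the proxy: goes out directly.
direct_ip() {
    curl -fsS --max-time 10 "$IP_ECHO_URL"
}

# The same request from an application configured for the proxy.
# --socks5-hostname also sends the DNS lookup through the tunnel.
tunnel_ip() {
    curl -fsS --max-time 10 \
        --socks5-hostname "127.0.0.1:${SOCKS_PORT}" "$IP_ECHO_URL"
}

# Compare the two observed addresses and name the outcome.
classify() {
    direct="$1"
    via="$2"
    if [ -z "$via" ]; then
        echo "tunnel-down"        # proxy not listening or SSH session gone
    elif [ "$direct" = "$via" ]; then
        echo "not-tunnelled"      # same egress address: traffic bypassed SSH
    else
        echo "tunnelled"          # remote site sees the SSH server instead
    fi
}

# Run as: sh check_tunnel.sh check
if [ "${1:-}" = "check" ]; then
    start_tunnel && classify "$(direct_ip)" "$(tunnel_ip)"
fi
```

Every application that has not been pointed at 127.0.0.1 on the SOCKS port behaves like `direct_ip` here, which is the assurance gap relative to a VPN that the paragraph above describes.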

For more information about SSH tunnels, see this guide to creating an SSH tunnel on Windows with PuTTY. To create an SSH tunnel on Linux, see our list of cool things you can do with an SSH server.

Which Is More Secure?

If you’re worried about which is more secure for business use, the answer is clearly a VPN — you can force all network traffic on the system through it. However, if you just want an encrypted connection to browse the web with from public Wi-Fi networks in coffee shops and airports, a VPN and SSH server both have strong encryption that will serve you well.

There are other considerations, too. Novice users can easily connect to a VPN, but setting up a VPN server is a more complex process. SSH tunnels are more daunting to novice users, but setting up an SSH server is simpler – in fact, many people will already have an SSH server that they access remotely. If you already have access to an SSH server, it’s much easier to use it as an SSH tunnel than it is to set up a VPN server. For this reason, SSH tunnels have been dubbed a “poor man’s VPN.”

Businesses looking for more robust networking will want to invest in a VPN. On the other hand, if you’re a geek with access to an SSH server, an SSH tunnel is an easy way to encrypt and tunnel network traffic – and the encryption is just as good as a VPN’s encryption.

 

SOURCE: HowToGeek.com