 Yeah, good morning, thanks for the introduction Tulima, it's about safer hacks in public places and at home. Yeah, first I'm gonna get a little bit into security, what it means in general and what it can mean to you. Then I'll talk briefly about some tools and also about data integrity and reliability because that's also related to security because you want your computer to work. Is this better now? Now? Okay, I hope it's better now. Yes, okay. Yeah, this talk was announced as a buff, I did not now I made it more or less a talk but I'm gonna set up a wiki page where I put in the tools and you can also edit it and give some useful additions. I'm sure some of you are more experienced in some tools so it would be nice if you could add some useful content. Yeah, be safe, don't play frisbee and thanks to everybody who helped me with my knees. Yeah, security is the buzzword of the 21st century, in my opinion. Scott Magnely, the son's CEO said you have no privacy, get over it. I think you can also say you have no security, get over it. Security is an illusion, there are always ways to break into it if you create. There's the hardware, the BIOS, which is the close thoughts, you don't really know what your machine is about. And security is also a chain, no screen anymore. Hello? Yeah, I can talk, but now better, now still not. Go on, okay, I said you mean going on with cycling, the things, because I'm not sure if the laptop is now still in the mode to display the slides, I think still not there. Yeah, I'm not, ah, there was something. I know I don't see it anymore. Yeah, so if you cannot get perfect security, why bother? After Foster, I met a guy who had no local password because he had a sync pad, and you can get out the hard drive out of the sync pad with just one screw, and he said it's useless to put on local password. Everybody who has physical access to his machine can get his data, and so he didn't use anything. And he was the developer of a secure application, and we talked a lot, and in the end he was from South America, and he reinstalled his laptop and created a new GPG key, and used passwords, and I don't know if he set up a crypto file system or not, but I think this, for me it was really nice story to experience that it makes sense to do something and to raise the security measures you have. Yeah, I was on the internet before, I knew it was, I was in the internet, I used bulletin board systems, and you can still find some postings of mine from 1996 or so, where I had no idea that they would be still available. I don't know, I haven't looked them up if they are, if I should bother about that. At that time, what I've seen, it's very interesting and retrospect, my mail and use clients had a feature to get the send time to midnight, so you cannot see when the person wrote the mails or the news, so you cannot get, know when they work or not. This has completely gone, in my opinion now, nobody or lots of people really don't care, especially in Debian, everything is public, so which is good because you have to, it's good to, because you rely on the software and on the person, so you must get trust in the person and you cannot, it's harder to get trust in anonymous persons, but overall I think it's also scary, and that's not only Google, but there's also Gmail and Orkut, which are run by the same company, and where I don't know how many people who use these services have read the end user license agreement, but you should read those if you use Gmail or Orkut. Yeah, 1984 is not like what it was expected, I think it's more, much more complex. It's easy to do some data traffic analysis from public data, you don't have to really analyze the contents of the data, just who talks to whom, who relates to whom, the GPG web of trust, where do people meet when, then it's also easy, and lots of people think it's impossible to store all data, but there are 3 billion minutes of voice traffic in Germany per year, most of them goes over satellite and wireless, basically wireless links, what is that the English word? Anyway, Richtfunk, is it in German? What's an English Richtfunk? Pardon? No, not the latest in the technology with wireless beams, and to store those 3 billion minutes was a voice codec with 2 kilobit per second, you only need 300 terabytes of disk storage and 300 terabytes is, I don't know how much it costs nowadays, but it's in the tens of thousands of euro, not hundreds of thousands. Then there's also internet surveillance, of course, and data retention requirements in the European Union, and they want all communication metadata to be stored for half a year or up to two years, this is still in development, and there's also no guarantee that they throw away the data because it's so easy to keep them, and tools to analyze those data exist. I've seen some, the examples they use are like to get drug dealers, so who phones whom and how the money transfers goes, but you can also use these tools for other things, companies use them as well to analyze data. In the end, it all goes down to the question, what does security mean to you or privacy? There's privacy and secrecy, data integrity and reliability, therefore you should classify and organize your data, what's private to you, what's specific to some audience, and what is really public. Also your metadata, don't use a GPG passphrase for your webmail account, you should use a strong password for your webmail account, but not the same as your GPG passphrase, I think this is clear to most of the audience here. Yeah, privacy enhancing tools, it all starts with physical security, iBooks are very secure, which I learned at this conference again, it took me one hour to get the hard drive out of my iBook, and it's also now easy to encrypt, or it's useful to encrypt, partitions which store sensitive, or not sensitive, but sensitive to you data, VAR holds log files and also Maya Squirrel databases, spot and swap partitions, the GPG passphrase can be stored if you use GPG agent, they have not set it correctly, and it's also wise to leave an unencrypted partition for unclassified stuff, because it's just faster if you compile stuff on a nonencrypted partition. You can use, you should store your GPG key and SSH keys on a USB key, so you can leave your laptop around and take that important piece with you. Some Germans, which from the DB and DE channel, have a smart card crypto USB key here, and which encrypts those keys on the crypto keys. So even if you find the key, you should not be able to find it. I don't know if the crypto on it is open and if you can read the source and how the hardware design is, but it's in any case better than a normal USB key. And it's pretty cheap, it's only 33 euros. So if you want to have it, get in contact with me and I can tell you who sells those keys, or just ask on the DB and DE channel. Yeah, it's good to play around with some tools to realize how easily it is to sniff into your data. De-sniff is a package which is in Debian and includes more than those five tools. De-sniff, Sniff's password, Cleartex password in the IP stream. Does this for IRC password, POP3, IMAP, HTTP, FTP. I don't know what else. DNS booth is also funny, with that, I think it's based on ARP spoofing, so you can use, can point the other DNS entries to people. Mail Snuff is, when I read the description of that tool, I really understood the T-shirt I read your email. Because with Mail Snuff, you can store email in mailbox folders. From every, so you get, you connect it to the, to a router and then you start Mail Snuff and it really nicely generates all the mailbox folders from every mail which goes around. SSH, Men in the Middle Attack, works on SSH1 sessions as far as I know. So use SSH2, there are some other interesting attacks on SSH1. And Web Spy gets all the URLs out of the HTTP stream. So you can see what people are browsing. DriftNet is another tool which it's nice to show other people, especially in unencrypted wave lines like here. You can capture all the images which go over the screen. So you can show your laptop around to some people if you see, they are browsing this side and you, then you show them your laptop with the same images. Iserreal has a nice feature to capture voice over IP streams and save them as .au files. So voice over IP without encryption is also totally easily to intercept with the tools on your laptop. There are much more in Debian and of course outside Debian and use them with care. Yeah, what can you do about it? There's these tools I think most of them you know. SSH port forwarding is the easiest form of setting up in VPN. Of course it's limited but I personally don't use that many protocols or services that SSH forwarding was for me at this conference pretty useful. Yeah, of course don't use the email transfer protocols without encryption but you also have to be aware that on the other end it might be unencrypted. Use GPG, I'm pretty annoyed by people who don't want to get GPG mails so as I don't have a good mean in my mail client to say these persons want encrypted mails and these don't. I now have developed the habit of not sending encrypted mails anymore which I think is stupid but I want to communicate and so I just do it because also especially with Debian people the contents is in 99% public anyway but I would like to get better to it so I can say this person wants encrypted email and this person doesn't want it. I also mentioned here control proxy or screen, screen with Irzi. Control proxy is a proxy for IRC because there are different aspects of privacy. I used to, I started using IRC a year ago only because I was aware that IRC is completely clear text so I did not like it to use but then I got more involved in Debian and everybody in Debian uses IRC so me too and I used it without control proxy so every time people could see when I get up because I locked in every day and they can see when I lock in, when I don't lock in which days and when I go to bed which is also nice, it has also nice social aspects because people said hey Holger which I don't do if I'm always on. Yeah, then there's Tor. Tor is an onion router I think for IP protocols. I've not read the documentation. I've seen a talk about it one and a half year ago but I never bothered to set it up which I then did at this conference because I was preparing this and Tor is really easy to set up. Hope no. How do I do this? You just install TSOX and Privoxy which are needed by Tor then you go to the Tor web page Tor EFF org. There you go to download. It's not in Debian Sarge. It's only in testing and unstable at the moment. You see this here? There are Debian package testing package stability. Where are those packages? I did not check this this morning but a few days ago and that it was easy to find those packages. There's Wiesel here. He knows where they are. On which link? That one? Yeah, I know there's a back port. Oh yeah, I have to put this into it. Do you have to, where this happens? I can edit the config file. You have to change them in this network a little bit but it's not that much. But I just, no, it's here. Oh, it was? No, it was wrong. Yeah, you're right. Yeah, I thought it was a deep package which I could just, which I had to download now. Okay, I'm going to edit the, I have it both commented out. See, private. So do you have to tell Pryboxy that it should use Tor? Tor sets up a Sox proxy. I can put it anywhere in the config file. It's forward minus Sox for a local host, 9,050. Dealing forward. The problem with Tor is that it's a little bit slower. It takes about five seconds or so to load a web page, maybe less, maybe three. So I don't use it for everything I do, but for things, I don't use it to download packages or watch rediviant stuff. And there's also, of course, the problem of spam with Tor because spammer can use Tor as well, which is always the problem with anonymous tools. These are the loud outgoing ports. So this, in this network, you have to adjust them a little bit. And I think that's it, yeah, that's it. Now to the browser, edit preferences. Where's the proxy in Mozilla? Is it still advanced? Yeah, it's advanced. This is not in half. Yeah, I have to restart Pryboxy. No, I don't have to set it up as a Sox proxy because I use Pryboxy. Right, yeah, thanks. Do I have to restart Tor? Yeah, let's take some time. That's right now. The first connection takes always a little bit longer. This is the first connection, then it goes faster. So the point from where you connect to the internet changes over time, I've not looked into the details how much time it takes, but if you use this web address to find out which IP you're on, you would notice that it changes over time. We have outgoing, yeah. This should work, but it doesn't work. That's right. Let's go to the next point. The next... Yeah, yeah. I'm almost at the end of my talk. The next thing is Mixmaster Onion, which was on the slide with the tools. It's an onion-write router email solution with all the solutions or tools and networks to get anonymous email, in my opinion, even more complicated to use than GPG, so almost nobody uses them. And it's also the... Pan? Penu? Mixmaster, if using Mixmaster in mud, it's just a couple key presses to tell it to use it once you have Mixmaster installed, yeah. It's very simple to set up. Okay, yeah. Actually, Joey, I tried to configure Mixmaster once for mud because the concept appealed to me and it wasn't the mud usage that gave me trouble. It was Mixmaster itself, but I don't remember what the trouble was. But yeah, it'd be cool to have tutorials on each of these technologies, but then again, I guess this isn't a conference about being paranoid as much as I wish it were. Just because I'm paranoid, it doesn't mean they're not after me. Exactly. Yeah, it shows a good point. Those tools often seem to be complicated to use, like I had the impression of Mixmaster onion and you tell me it's easy to use. So I really go back to my slides now, which, oh no, they're not in the end. Yeah, for two backups, it's really as simple. Two backups more often than you do daily and even here. I should have done this than I could have spared the need to get the hard drive out of my e-book. Encrypt your backup if you have sensible, for you sensible information on it. And regarding reliability, running SID gives you absolutely no reliability as people have noticed here. On the slides, it says SSH and X11 mostly work as they should. Some people here have experienced the opposite. That some applications don't run because of the transition and this can always happen while running SID. So use virtual machines or whatever. Yeah, as said with the Mixmaster, read the menu. It's often not that complicated and it's worse to spend some time on using those tools and proving them. Yeah, I did not have the time to set up this wiki page, but I will do this today because I've got still 50 minutes left so I could set up the wiki page now, but I won't do it here yet, now and yet. Yeah, I hope you have some more useful comments and that's what I have to say. I have a question. I rely sometimes on a web mail account. So you already said you don't like people that do not accept encrypted mail, however, from my web mail account, I cannot decrypt the encrypted mail and so for communication, for example with Debian, it's much better for the productivity to have it sometimes on web mail. So what is your theory, what should I do? There are some web mail providers where you can get the mail with IMAP or POP3 and the other suggestion is don't use a different provider. My provider supports IMAPS. No, you're a web mail provider. Yeah, I mean, okay, it's hard, the software and well, if I'm in my company, I can use only the web, not IMAP. Yeah, there are always reasons why people do like they do. As far as the issue of how to tell if somebody can accept encrypted email, I think the one good way is just, we can see if they're signing their emails. I mean, that's a good way to broadcast the fact that you are set up for encryption and that it works for you and then people will know that they can send you encrypted mail and besides you get that extra layer of, you know, secure not security so much as just validation that you've actually sent emails out. Yeah, authenticity, exactly. Yeah. But still, it does not solve the problem that I cannot remember of all people who wants to get encrypted mail and who doesn't. Of course, signing is good, yeah. A problem is, for example, if I'm at home, I can send signed mails, encrypted mails, then I'm in the company. I have only web access. So it's the same mail account, of course. So it always switches back and forth. So what should I do? What should Tolga do if he wants to write me a mail? I don't know. There is Corkscrew, which tunnels IP through HTTP but it might be too much. Maybe it should work in your... The video mixer just said there's an SMIME plugin for Mozilla. There are lots of tools out there. There are also GPG plugins for Irzi and other ISE clients which I wouldn't use because I would not trust the IRC client, my GPG key. So I've given up encrypted encryption with IRC. There's SILK, which is the secure internet something. Chat. Live. Conferencing. So there are lots of tools and please add them to the Wiki page. Maybe it would also be a good idea to have a list of tools that we should not use because they have either known security issues or are highly suspect. Good point, yeah. I would add that to the Wiki page. I would make three sections, tools, to find out your... So yet you're not secure. Tools that make you more secure and tools you should not use. I'm listening, yes. Yeah, the interesting question is maybe what are the most and biggest points that keep people from using those things and what could we do about it? So I mean, yeah, it's easy. You say you named some tools, but in the end, if I really try to get everything encrypted and secure what I'm doing, I would be really busy for a month or maybe two and I would be spending money on servers that I had to rent because providers that give me encrypted access cost more money than those that don't and things like that. So it would be nice to have a hit list and what maybe developers can do to make things easier. So maybe we could even develop a program that could help people encrypt their emails when using an unencrypted web access email by maybe having a funny, wrapping the funny GMX services into some other thing. So it could be done, but we need maybe a hit list. What, who has some spare time? What he could do? Yes, I think one of the problems is laziness of the people and that they just don't care. And the other problem is that to the tool, it's difficult to use the, I want an example. Sorry, that's too easy for me to say. It's lazy people. As I said, if I want to try it, I would be really, you have very quick invested two days in trying some not commonly used encryption software to get it running really. And it's, I think it's a wrong point to just say it's laziness. So look at the users, please. Yeah, and I think the users in general are lazy. They're, and most people really don't care. But so there are also few developers working on this and the documentation could also be improved, which is not, which also can users do, but it's still too complicated to use, or very complicated to use computers. Like there's no crypto file system support in the DB and installer right now. So you have to do it manually. So I had a crypto file system on my iBook, but when I got this machine, I didn't set it up because I knew it was only for four days and had other stuff to do, but yeah. So it's also my laziness here. This is actually the point what the usability talk was about. So it's, I don't like this word to just say people are lazy. People try to get other things done and they don't care maybe. We could more make them realize the fact how danger maybe this is. Yeah, you're right. Most people are not lazy, but try to get their work done. Sorry for you people and me. Yeah, there's nobody wants to say anything more than we can quit this and keep it in mind and improve the situation for the people who care.