Friday, July 26, 2013

Your Own DarkNet: Retroshare

There are various DarkNet systems available, for example FreeNet, Retroshare, TOR, Ricochet and GnuNet.  These are also known as Friend to Friend networks and creates a Virtual Private Mesh Network between trusted parties.

FreeNet is a little different, in that it can operate in two modes - public and private - where the private mode is a true DarkNet.  The Onion Router (TOR) is also a kind of public DarkNet proxy service which is very easy to use - do get the TOR Browser package - called Orbot on Android - very handy.

With a DarkNet, you can exchange files and chat in complete security - well, as secure as the other endpoints.  So if any of the endpoints run an untrustworthy operating system such as MS Windows, then one could argue that the whole circle is probably not secure.

Retroshare and other systems like it are not completely Black.  With a sniffer, an attacker can glean a little bit of information on who is connected to who, especially when one party is using unsecured WiFi, but they won't get far.

A private DarkNet is useful for Geeks who do support for their whole family and can set the whole mesh net up.  Same as for a corporate network, you can only go black if you have control over all the end points.  As soon as data needs to travel outside your VPN mesh net, it is free to anyone to sniff, spy, gloat and giggle over.

Always remember that the Public Internet is exactly that - it is Public...

Retroshare

The Retroshare application is cross platform and offers an easy way to transfer files between machines.  It also provides voice, video, chat and discussion fora.


You can set up multiple circles of trust, for example 'herman-work' and 'herman-home'. For me it provides a secure alternative to Dropbox and other insecure online FTP services.  Retroshare also works fine between mobile machines.   They always manage to find each other again!

First Steps

Before you start, get two or more machines that you want to be able to connect.  It could even be two virtual machines.  Make sure that the network connections between them are working properly before continuing.

Enable uPnP on your internet gateway.  This is by far the easiest way to ensure that the connection to the wide wide world will be trouble free.

If you only want to install on one machine, then you can test your connection with a public chat server, for example http://retrochat.piratenpartei.at/

Do install Keepass (Windows), KeepassX (Linux, Mac), or KeepassDroid (Android) on each of your machines.  If you put the (it is encrypted!) password database in Dropbox or Copy.com, then you can access your passwords everywhere and only need to remember the long master password.  You can then easily use random highly secure gobbledygook passwords for everything else.

As soon as you start to get serious about security, you will descend into password hell, unless you install a cross platform password manager.  I have over a hundred passwords and most of them are random sequences that are impossible to remember or type by hand.  KeepassX preserves my sanity.


Installation on a Mac

The downloads are here:
http://retroshare.sourceforge.net/downloads.html

On a Mac, download the file, run it, drag it to the Applications folder, then Ctrl-Click to run it the first time.

Installation on Windows

That should be just as easy as on a Mac, but if you are so worried about security that you want to use Retroshare, then you probably should go out and buy a Mac or a Linux machine first and dump your Windows machine in a river...

Installation on Linux

You can download Retroshare for Fedora 20 from here:


Get these files:
  • retroshare-0.5.5c-1.1.x86_64.rpm
  • retroshare-debuginfo-0.5.5c-1.1.x86_64.rpm
  • retroshare-nogui-0.5.5c-1.1.x86_64.rpm
  • retroshare-plugins-0.5.5c-1.1.x86_64.rpm
Use rpm to install them in this order:
      # rpm -ivh retroshare-nogui-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-debuginfo-0.5.5c-1.1.x86_64.rpm
      # rpm -ivh retroshare-plugins-0.5.5c-1.1.x86_64.rpm

Setup 

To test Retroshare, you can install it on multiple virtual machines and on each one create a new identity.  Once you are comfortable with it, you can transfer your main ID from one of your machines to every machine you own, so that you can work everywhere with the same ID.  This is done with a key Export, Import and Certificate exchange between the two locations.

You need to generate a PGP key, which is your ID in the Retroshare system.  For that, you need a strong password.  Therefore, install KeepassX, if you haven’t got it already, and generate a password of at least 16 characters for good security.  You need to enter this password 3 times,  twice at the start and once more when you generated the new identity and it wants to save it in the GPG key ring.

Once the ID key pair is generated, Retroshare should start up, you’ll have to authorize installation of the plugins and then all should be well.

More information here: http://retroshare.wikidot.com/ and here: http://retroshareteam.wordpress.com/2012/11/03/retroshares-anonymous-routing-model/

The biggest issue is that you need to use uPnP in your internet router or forward a port manually to make it work through a NAT firewall.

Some more on NAT firewalls here: http://retroshare.sourceforge.net/wiki/index.php/Frequently_Asked_Questions#Can_I_connect_from_behind_a_Firewall.3F_How_Do_I_set_the_Firewall.3F

For best results, your circle of friends should have at least one, 'always on' computer somewhere.  The initial connection IP address is exchanged together with your PGP key and thereafter your machines are tracked through a Distributed Hash Table (DHT).  Provided that at least one computer in your circle of friends is still at the last address you reached it at, your machine should be able to connect with everybody no matter how much you or them have moved around.  This static member could be a little Raspberry Pi, or a Beaglebone Black.  More on that later!


Connect to Others

Retroshare has an Add a Friend Wizard (the little blue man at the top left) which will allow you to send the friend your Certificate and he has to send you his - both of you must accept it to complete the handshake.  

The first time you do this, I suggest that you use the Enter Certificate Manually method.  Then just highlight copy and paste the certificates to each other.  At the bottom of the certificate, Retroshare appends your IP address.  This enables the receiving party to connect back to you the first time - thereafter it will consult the DHT.



You can also send the certs by email, but that requires email to be set up already, which may not be the case if you are experimenting on a new virtual machine.

If everything (uPnP and DHT) is working, you should be able to connect.  If it fails, check that the two virtual machines are in the same subnet and can ping each other, turn their firewalls off and so on, otherwise nothing is going to work.

Note that Retroshare is completely peer-to-peer.  If all the machines in a net are starting up and shutting down, or travelling around (laptops), then you will have connection problems.  A good solution is to rent a virtual server and install Retroshare with XPRA on it, so that you have at least one machine that is always on.  This machine can then be used as a central file repository.


I hope that works and you can successfully go over to the Dark Side.

May The Force be with you...

Friday, July 19, 2013

Three hops between you and the Gulag

The motivation that the NSA uses to justify its data trawling is rather disturbing.

In testimony on 18 July 2013 before the House Judiciary Committee, National Security Agency Deputy Director Chris Inglis said that the NSA’s probing of data in search of terrorist activity extendedtwo to three hopsaway from suspected terrorists. Previously, NSA leaders had said surveillance was limited to only two “hops” from a suspect.

What do they Record?

The NSA records *everything*:  Metadata, Email, Chat and Voice.  They only ever talk about metadata.  The rest of their activities are cloaked in weasel words.  For example, the chief of the NSA insists that they only analyze meta data and if it proves interesting, then they will get an order to retrieve a phone call.  He is a weasel word expert - the best - that is why he got the job.

They can only retrieve the phone call if it was already recorded.  An example is the phone call analysis of the wife of the Boston Marathon bomber, which was retrieved for analysis weeks after the last faint echoes of her voice faded away into the ether.  So obviously they must be recording everything in real time.  

Cyber Stalking

New documents that were released in October 2013 showed that the NSA was actively tapping the phone calls of dozens of world leaders.  This is getting really sordid and looks like General Alexander "cyber stalking" the President of Brazil and the Chancellor of Germany.

From Gulfnews
Of course the general is being set up as the fall guy and he already tendered his resignation effective next year, but the real culprits were the congressmen who approved the Patriot Act.  The general was just doing his job, but he should have known better - he is a grown up after all.

How much is 3 hops?

Consider that most of the readers are techo geeks and not travelling salesmen, lets say that you dear reader, talk to about 500 people.  So, Hop One will be about the number of people in a typical High School.  Now think about how many dope heads and rugby players that circle may include.

Hop 2 gets interesting at about 500 x 500 = 250,000 people.  A fair number.  About the number of people in a small prairy town in North America.  That size town should include a 2000 bed prison, a 300 bed homeless shelter and at least one trailer park.

Once we get to Hop 3, all bets are off at 500 x 500 x 500 = 125, 000, 000

If we look at the CIA World Book, that number is larger than most European countries, larger than any one American state, or about four times the total population of Canada.

So what Mr Inglis in effect said, is that as soon as the NSA has a terr on the line, they will trawl through every active phone call in North America.

With a three hop search, you are guaranteed to be guilty by association to something - several somethings.  I can hear Senator McCarthy musing: "Mmmm, I see that a friend of your second cousin twice removed is a card carrying member of The Party... That is not good, Mr Smith...".

Bad Data

The problem with overly wide data trawling, is the amplified risk of errors, misinformation and false accusations.  In the UK, five people were falsely arrested due to bad computer information last year, 2012:  http://www.iocco-uk.info/docs/2012%20Annual%20Report%20of%20the%20Interception%20of%20Communications%20Commissioner%20WEB.pdf

Extrapolating from this single government report, we could infer 5 wrongful arrests in France, 5 in Germany, 1 in Canada and 15 in the USA.  Per year.  Every year.  Do you want to have your life ruined by bad computer data?

The data analysis problem faced by the NSA is similar to issues the medical profession faces where a cancer screening test that is too sensitive, results in misdiagnosis and ruinously damaging treatment of people who were actually perfectly healthy to begin with.  The damage caused by false positives far outweigh the damage of missed positives.

I am an ex-Army Signals Officer.  I have sworn allegiance to Her Majesty QEII.  For the life of me, I can't see how having huge rooms filled with thousands of semi-literate high school drop-outs like the infamous Mr Snowden, trawling through the email and phone calls of hundreds of millions of law abiding citizens, can possibly be a good thing. The odds are totally against such a system and we are the people on the receiving end of the inevitable errors.

This is ridiculous.  Something's got to give.

What can you do about it?

In a surveillance state, your only hope is to subscribe to Twitter and start following the Pope:
http://www.richarddawkins.net/news_articles/2013/7/17/-vatican-offers-time-off-purgatory-to-followers-of-pope-francis-tweets

Now go and install Redphone, Jitsi and Mailvelope to turn your communications black!

Tuesday, July 16, 2013

Practical Security

I stuck my neck out in another post called Security Paranoia and some people asked how one could go about improving security in a business environment.
From Gulfnews


First of all, you have to realize that you can never have perfect security.  Information will always leak out.  The best you can do is to slow the leakage down to an acceptable level, but please try to remain reasonable.  There is an old joke that military IT has the motto: "We are not happy, until you are not happy".  You got to allow business to carry on somehow.

Secondly, trying to educate your users about security and trying to get them to avoid 'risky behaviour' is a total waste of time.  They will do their damndest on purpose or by accident and it is totally up to you to ensure the system integrity despite your user's best efforts to the contrary.  If you don't want them to do something, then don't give them the tool to do it and if they have to have a 'bad' tool, then give them an isolated laboratory to work in.

Divide and Conquer

Government IT uses a process of divide and conquer:  Partition a network into smaller segments that need not communicate with each other.  Provide encrypted tunnels between distant nets that do need to communicate.  An excellent source of information is the Canada IT Security Guidance here: http://www.cse-cst.gc.ca/its-sti/publications/itsd-dsti/itsd01-eng.html

In a business environment, provide separate servers, subnets and VLANs for the different departments, with deep packet inspection firewalls between them, so that if one department gets compromised, it doesn't bring the whole house of cards down.

End to End Encryption

Use end-to-end encryption wherever feasible.  When you notice that your company has developed strategic partnerships and use preferred vendors, talk to their IT and set up an encrypted tunnel between your email and phone servers, so that mail and voice between your companies turn black.  If you do it properly, the whole process of hardening your service will not be noticed by your users.

So whose end-to-end encryption should you use?  It depends on who your threat is.  If you are OK with your own government reading your mail and recording your phones, then you could use an off the shelf product made in your own country, or you could pick something from an unaligned little country on the far side of the globe in the hope that since they have no idea who you are, they likely won't do you any harm.

Some countries for example Canada, publish lists of equipment certified for government use (http://www.cse-cst.gc.ca/its-sti/services/cc/cp-pc-eng.html) - you can use those.  Me? I would avoid any off the shelf product and would rather build my own VPN gateways from a Linux distribution.

The important thing is to continually work on turning as much of your corporate communications black as you possibly can.  Monitor who your company is talking to and keep adding more VPN tunnels to the mail and voice servers of those companies.  This way, you provide transparent security service to your users - they won't even know about it and you and your counterpart at the other company can sleep better knowing that all their comms went black.

Encryption Tests

Verifying whether a VPN product is most probably good, is not as hard as you may fear.  Capture a stream of data and try to compress it (Just the data, not the datagram headers too!).  Encrypted data should be incompressible.   You can also try some statistical tests for randomness - the histograms should always be flat.   It should also only ever communicate with its opposite party.  If you sniff a VPN box with wireshark for a few days and it ever tries to communicate with anything else on the WAN, then burn the device at a stake...

Utilities for Personal Security

You should try out these projects, they are amazing and make end to end security easy:
  • Secure Telephone, Redphone - https://whispersystems.org/#encrypted_voice
  • Secure Video Phone, Jitsi - https://jitsi.org/
  • Secure mail for Thunderbird, Enigmail - http://www.enigmail.net/home/index.php
  • Secure mail plugin for Mac OSX, GPGmail - https://gpgtools.org/gpgmail/index.html
  • Secure webmail plugin for Chrome, Mailvelope - http://www.mailvelope.com/help
With the above tools, you can easily turn most of your communications black.

At first, it feels a bit weird to use email encryption, but it will soon become a habit and plaintext mail will look funny.

Monday, July 1, 2013

Fedora 18 Firewall Daemonology

Fedora 18 ships with a new firewall daemon.  While this is a commendable idea, the execution is somewhat useless, because it is not documented.  There is a nice looking wizard, which probably made perfect sense to the developer, but which doesn't help anyone else much.

If you are running a simple desktop system, then the default is probably OK, but if you use the machine for development work, then this toy is probably best disabled for the foreseeable future.  Of course, disable is not one of the wizard features.

Stake the Firewall Daemon

You can drive a silver tipped wooden stake through the daemon with two commands:
# systemctl stop firewalld.service
# systemctl mask firewalld.service

and now life should be back to normal.