Monthly Archives: June 2013

The Personal Firewall

Posted:

As the Unsene platform develops and becomes more robust, we’ll need to focus on other areas where security holes can develop.

There are three main places for security failure, not counting the humans on either end;  the sender’s computer, the transmitted message and the receiver’s computer.  We think Unsene will need to be a complete and integrated system to protect computer users and to help them develop trust for our system.

It’s fairly well known that spy agencies and other bad guys are placing software programs on mobile phones and computers that can gather information in a number of ways, including keylogging, video and audio recording, screen capture and data collection.  Some of these software payloads are delivered through malware the user finds in their email box, via web site ads, and even with the operating system itself.  Go do a search for NSAKEY and windows and you might be surprised.

 

There are a couple of ways to deal with these threats.  First, you can identify and remove them and this is how anti-virus software works.  You can also install a firewall either in the network cable (which requires hardware) or on the computer itself to monitor and block the packets leaving your computer.  Viruses and malware that can damage your computer’s software and hardware requires the anti-virus approach, while a software anti-spyware block of the departing packets looks to us to be the best approach.  This also has the advantage of being able to crowdsource the results, to detect trends.

 

We’re looking for some good developers who would like to help us develop this system for Unsene.

Read more

Is Most Encryption Cracked?

Posted:

We’ve been told by people who know (or at least by people who say they do and we believe them) that all publicly available encryption has been cracked by outfits like the NSA.  That’s probably true.  Think about it;  if you’re part of something that has the ability to print unlimited amounts of money, you can afford to hire the smartest people in the world and have the coolest gear.  Who knows, maybe you were able to get your hands on some of the out-of-this-world goodies from those alien spaceships at Area 51?  ;-)

Back to the nuts and bolts.  Here are some of the different kinds of public and proprietary encryption we use here at Unsene, with a description of what it’s good for:

• SSL – this is the original encryption used for commerce (when you use a credit card online).  We’re using 256 bit for the entire web site, so this is the minimum encryption for everything, in fact it’s also used in addition to the other encryption on our web site.

• RSA – public / private key that is very useful for many functions that involve sharing things publicly that someone can respond to and you are the only person who can read them.  This is an asymmetric key, meaning it is different on both sides and we use RSA 2048-bit.

• AES – a symmetric key that is considered to be very strong.  We’re using the 256 bit version for the free version of our site, which is the maximum bit key size for this algorithm.  We believe this is broken by the NSA and we believe it’s either real time or near real time decrypt-able.

• XAES – a more secure and advanced version of AES, ours goes up to 4096 bits, which is über-strong.  Unlikely to be broken as this has been customized from standard code libraries that aren’t widely known.

• OTP (One Time Pad) – Extremely secure because a key is only used once, then it’s thrown away.  Each individual message uses a different key, so if the key is broken, the bad guys will only get one of your messages, not the whole chain.  This is especially secure if you pass the keys face to face on a memory stick or if two people already know some non-public information that can be used to generate a key on each of their devices.  With a sufficiently long key, it’s theoretically unbreakable.  Downsides: Not convenient as you need to meet in person and difficult to manage for groups, as you’ll have to coordinate keys and lots of people.  This will be added to the site within the next 60 days at least for text chat and file transfers.

 

Here’s why we think many of these encryption algorithms are cracked;

• The largest governments have big research programs with oodles of money to figure out this problem, they’ve been doing this as long as there were spies (forever) and they have armies of very smart people to figure stuff like this out.  If the NSA has something, you can bet the Chinese, Russians and a few others have stolen it.  That’s a safe bet.

• These entities want something complicated enough to keep others out, but easy enough for them to get into.  Your secret is safe with them.

• They are using computer technology that’s at least 30 years advanced over the computer you have, including quantum computers.  These computers are at least 10 billion times faster than what you use.  If someone says “that’ll take 30 years to crack”, they mean you’ll have to take 30 years to try all the possible keys.  With a quantum computer, that’s less than a second.  Even Google is now buying quantum computers, this one for $10 million.

• Public domain encryption wouldn’t be allowed into the pubic unless it was cracked, because they wouldn’t be able to spy on you.  They wouldn’t be promoting something as good unless it was easy for them to get into it.  They’re spies after all.

 

What does this mean?  If you are trying to avoid the run of the mill hacker, or the high school kid, or a business trying to get confidential info, you’ll probably be OK with RSA and AES, but if you have something that governments or the largest corporations want to know about, you’ll need something much stronger.  There are no guarantees that something is “unbreakable”, because eventually, even the strongest encryption succumbs to technology and the human mind.  If you have something so important you can’t take any chances (your treasure map!), you probably shouldn’t put it on a computer anywhere.

 

Keep in mind, encryption is only one piece of the puzzle, a very important one.  This provides security for your information while it’s “in transit”.  It does nothing to protect your computer and the spying that can take place there.  “They quite literally can watch your ideas form as you type,” an unnamed intelligence officer told Barton Gellman and Laura Poitras of the Washington Post.  There’s another solution for that problem, a personal firewall.

Read more

NSA Spying – What You Can Do About It

Posted:

The massive data collection taking place at over 50 companies that we know of so far including Google, Yahoo, Facebook and all the other internet household names, was nothing new to anyone paying attention.   From my personal knowledge, the collection of internet data and emails has been going on since at least 1997.   I became aware that year when touring our ISP’s colocation facility.  The person who worked for the ISP told us point blank “that’s the NSA room over there” and that “they were collecting email, web site visit URLs and the like directly from the incoming and outgoing traffic”.   Our jaws hit the floor when we realized what he had said.  The scope of this spying predates 9/11 by years and it covers the entire internet, so you can’t say it started with that event.  It started from the beginning of the internet and today the public is shocked at the scope of this operation;  it’s worldwide and impacts everyone who has ever used the internet.

 

Today, we know the NSA has built a monstrous facility in Bluffdale, UT with over 1 million square feet at a reported cost of $2 billion to store and process all of these records.  This facility turns worthless raw data into actionable information by cleaning it up and processing it, like an information refinery.   This information can be used to identify individuals and their computers, track their email, comments they make, log their personal contacts networks and so on.  It’s also merged with credit card purchase information, criminal and driving records, property ownership, etc.   A person’s data can tell you quite a bit of valuable information about them that can be used in the future to determine which action to take against them (the “red list”).  With all the different places they collect information, it’s basically everything on everyone who has ever been online or used a phone and everything is combined into a highly usable data record.  Much of it is publicly available on Facebook, Linkedin and all those other places James has been warning you about for years!  You’ve done this to yourselves if you are a Facebook or social media user!  Whatever you say online is forever in a computer somewhere!

 

Is this legal?  Yes and no.  Do you remember carefully reading the terms of service  for that free email account with [name of famous high tech company here]?  Of course, you didn’t read it.  You ticked the box “Agree to our Terms” and said OK.  You contractually agreed to allow this company to hand over any data they have on you to the government if they were presented with a court order and it’s legally binding.  Now, according to Sen. Feinstein there has been a blanket order, covering nearly everyone,  “As far as I know, this is the exact three-month renewal of what has been the case for the past seven years,” Feinstein said, as if this is completely normal to spy on everyone.    All of that data has been handed over and YOU gave it your blessing by agreeing with the terms of service when you signed up!  Stop using their services, delete all the information and move to a smaller service or run your own email server, if you know how to do that.

 

However, it’s also very likely that the additional data being vacuumed up at the facilities of  ISP’s in the US and a few other countries may not be legal.   The 4th amendment to the U.S. constitution protects citizens from unwarranted searches and seizures, even though many judges and lawmakers seem to have forgotten these concepts.  If you are outside the U.S., you are still being spied on, too.  Your data may have gone through the U.S. on it’s travels because the extensive internet infrastructure here can make it cheaper to send packets from somewhere in the EU to the U.S. and back to someplace in the EU.  The NSA also routinely collects data from many locations outside of the U.S., which does provides valuable intelligence on enemies of the U.S.  To expect zero spying is probably not reasonable, but the scale of this operation make this a “wonder of the world” because there has never been this level of spying on people in history.

 

Why are some people so concerned about this?  Actually, Pew Research put out a poll yesterday that said that “A majority of Americans – 56% – say the National Security Agency’s (NSA) program tracking the telephone records of millions of Americans is an acceptable way for the government to investigate terrorism, though a substantial minority – 41% – say it is unacceptable.”  You are here at Unsene, so I’ll make the assumption that you are in the 41%.

 

The problem is this kind of data can be very valuable or damaging in the wrong hands.  The NSA leaker, Edward Snowden,  who had access to this system, was a CONTRACTOR from Booz, Allen.   If a contractor like Snowden, a high school dropout with a GED, had access to this kind of system, how many other contractors and government employees have access to this kind of information?  I’m going to guess that at least tens of thousands of people have some access to this treasure trove of information.   According to a 2012 report by the Director of the National Intelligence, an estimated 1.4 million people hold “top secret” security clearances.  Each person who has access is a potential place for a leak to occur.

 

There are many questions about the security of this data.  Could Chinese hackers break their way into this and gain information on our politicians for blackmail purposes?  Or would political opponents have this data used against them by an administration bent on crushing any dissent, like we just experienced with the IRS?   Could favored businesses gain an unfair advantage going through the private email and communications of their competitors?   Would a top secret cleared contractor take an envelope with $50,000 in it and hand over some data?  All this data in one easy to use place is a giant temptation for abuse and the track record of protecting it is not reassuring.  History shows that information like this will be abused by those in power.

 

What can you do about this?   Most electronic communications like email is transmitted “in the open”, like a post card.  Anyone who gets a copy of it can read it.  Some services like Skype use encryption, but they keep the key and they can also read your messages and legally share copies with various governments, including the Chinese (via their deal with .  A part of the solution is to encrypt or scramble your messages so only the sender and receiver can read it.  For many types of communications, this is probably the best approach, but it’s not perfect as I will explain.

 

You should never use the internet or electronic communications for your most sensitive communications as all phone calls, text messages, email, voice over IP, email, and chat are captured and stored.   We used to assume this but now we know this is true.  Even what used to be high-powered “top secret” encryption like AES256 is no longer secure from cracking.    I’ve been told by people I trust, “if it’s publicly available, it’s been cracked” and I believe it.  In the early 1980’s, while we were using 6 Mhz PC’s at work,  a friend of mine told me “at Skunkworks, they are using 2 Ghz gallium arsenide processors”.  If you look under the hood of your current computer, that’s pretty close to what you now have 30 years later.  What the spies are now using is probably 30 years ahead of what you have today, and you should assume they have massive quantum computers.  For about $10 million today, you can buy quantum computer like Google just bought, which is about 10 billion times faster than today’s desktops and the spies have a lot more than that.  For the commercially available quantum computer, this means a calculation that would take 30 years with your PC would take less than one second with a quantum computer.  It can crack the strongest publicly available encryption in seconds.  A government that can print unlimited amounts of money can buy whatever it wants, so you should assume that they and the largest corporations can easily break any publicly available encryption.

 

An updated “one time pad” encryption with very large one time use keys that are hand carried, not sent electronically, have the potential to be very secure for one to one communications because they are thought to be immune to cryptanalysis.   Wikipedia has a good explanation of this cypher here:  https://en.wikipedia.org/wiki/One-time_pad    I believe this could be a part of the future of super secure communications for Survivalblog readers because you generate very large pads of keys and distribute them face to face to the recipients of your messages on a high capacity memory stick.  This eliminates the possibility of someone grabbing the key while it’s being transmitted.  The memory stick would only be used for a few moments when encrypting the message, to prevent it from being copied by a spy while you use it.   You will no doubt see this method available in the very near future, even though it was invented in 1882 and rediscovered during WWI.    This isn’t widely used today, because of the convenience and faith most had in the security of algorithms such as AES and public/private key systems (RSA) and the fact that one time pad doesn’t scale easily to large groups of people.  We are in fact developing such a system at Unsene.com.

 

Another excellent thing to start doing is to build your own private and secure networks by stringing cables between houses or even using wireless access points in remote locations.  You could choose to keep the network off the internet or tie it in.  If you tie it in, everything on the net that isn’t secured via firewalls, etc. are at the same risk of attack.  You can also get relatively inexpensive wireless point to point networks for about $3,000 that will transport 1.4 gigabits of data/sec over 10 kilometers.  Clearly, the future is in private networks because someone can’t just look at your record at the NSA and decide you don’t deserve to use the internet anymore when you are on a private network.

 

Another major revelation from this NSA leak was:  “They quite literally can watch your ideas form as you type,” an unnamed intelligence officer told Barton Gellman and Laura Poitras of the Washington Post.   This is accomplished using keyloggers and other spyware, which record and transmit all of your key strokes and screens to the spies.  As you type in your messages, before they are encrypted, spies are grabbing them and sending them back to their computers.  The extent your own computer is likely compromised is also quite shocking.  The NSA access system is apparently built into every version of the Windows operating system since Windows 95.  There are no doubt versions for Mac and other computers, too.  If you have ever walked into your office in the middle of the night and seen screens flashing around and the hard drive whirring, it’s possible you have one of these on your computer.   If your computer is unplugged from the network (more difficult with wireless nets), nothing can be transmitted back, so that’s a stopgap measure.  Another way to defeat these will be using special firewall software to limit the transmission of information packets from your computer to the spies and I expect this will be something developed in the near future.

 

For the most important things, you should only meet face to face WITHOUT your cell phones or in earshot of anything electronic with a microphone or camera.  Even if they are turned off, the microphones can be enabled and transmit your conversation to the snoop, so at a minimum remove the battery from the cell phone or unplug the device from power.  This type of spying happens routinely with Chinese Falun Gong practitioners here in the U.S. who escaped persecution in China;  they are spied on by the Chinese government and it was discovered that cell phones that were turned off were still transmitting data back to China and used to imprison others still in China.  Remove the battery and place the phone in another room if you are concerned about this kind of spying.  If you receive an email from someone using gmail, Yahoo and the other services, these companies will be build a file on YOU, even though you never agreed to their terms of service and don’t have an account there.     Don’t reply using that email, call or arrange another way to talk.

 

There are many other ways to increase your security that involve very low or no tech methods.  Being more electronically secure can protect you against a wide range of threats, including identity thieves and spies.  It would be great to hear from readers here of their ideas on their suggestions for practical ways to increase communications security, so leave a comment!

Read more

Unsene intro video

Posted:

Read more

Unsene how it works video

Posted:

Here is how Unsene works:

Let us know if you have any more questions about how it works

Read more