Category: East Midlands

Recent­ly there was a con­fer­ence for activists inter­est­ed in secu­ri­ty issues — obvi­ous­ly some­thing that any activist should be inter­est­ed in. Notes from the gath­er­ing are being com­piled along with pre­vi­ous doc­u­ments into a print­ed book­let for activists which is expect­ed to be dis­trib­uted next year.
In the mean­time I’ve been doing a lit­tle addi­tion­al research on solu­tions spe­cif­ic to secur­ing email com­mu­ni­ca­tion…

Emails and pass­words used by activists are vuner­a­ble to snoop­ing from both the state and from pri­vate inves­ti­ga­tion. Even seem­ing­ly unim­por­tant infor­ma­tion gath­ered from emails can help build a pro­file on a per­son and their asso­ciates. Per­son­al infor­ma­tion might pro­vide your ene­mies with lever­age to turn some­body you know into a grass or make it eas­i­er to place an infil­tra­tor in a posi­tion of trust.

What most peo­ple do not realise is that by default, the vast major­i­ty of email and even pass­words are sent over the inter­net in plain text that can be rmon­i­tored by any­one. Sit down at a com­put­er in a library, col­lege or inter­net cafe and any­one else on that net­work can eas­i­ly read the emails you send and receive, not to men­tion steal your pass­word. There are sev­er­al ways to avoid this depend­ing on how you access your mail.

Most activists tend to use web based mail these days so we’ll start with those.

If you look in the address bar on your web brows­er you will see that most address­es start with the let­ters http:// but some­times you will see https://. The ‘s’ indi­cates that the con­nec­tion is using SSL, a secure encrypt­ed link between your brows­er and the web serv­er. Most browsers also dis­play a locked pad­lock sym­bol some­where to pro­vide a visu­al con­fir­ma­tion that the con­nec­tion is secure. When you are view­ing web­pages over a SSL con­nec­tion (such as on Indy­media), the data being trans­fered is no longer in plain text and can not be read by peo­ple attempt­ing to mon­i­tor you. This pro­tec­tion also applies to infor­ma­tion you sub­mit in web forms, such as user­names and pass­words when check­ing web­mail.

In oth­er words, the most basic and essen­tial thing to do to secure your email is use SSL con­nec­tions if you use web­mail. For exam­ple, if you use rise­up web­mail you should go to https://mail.riseup.net rather than http://mail.riseup.net

We should now brei­fly look at the use of POP and SMTP for those not using web­mail. If you don’t know what these are, don’t wor­ry, they are two of the most com­mon pro­to­cols used for down­load­ing and upload­ing mes­sages using an email client installed on your own com­put­er. Exam­ples of email clients include Out­look, Eudo­ra, Pega­sus and Thun­der­bird. Again, the prob­lem you need to be aware of is that these pro­to­cols are by default not secure and all emails and pass­words are sent as plain text. You need to con­fig­ure your account set­tings with­in your email client to use a secure authen­ti­cat­ed con­nec­tion such as SSL. It’s beyond the scope of this arti­cle to explain how but the help func­tion of your client plus the help pages for your email provider will pro­vide specifics.

It’s obvi­ous­ly essen­tial to use SSL (or sim­i­lar) to pro­tect your email pass­word. How­ev­er, when you send an email it will still trav­el over the inter­net in plain text as SSL only pro­tects the con­nec­tion between your com­put­er and the serv­er. To pro­tect the con­tents of the email for the entire trip it will need to be encrypt­ed so that only the intend­ed recip­i­ent can read it.

You may have heard of PGP ( http://en.wikipedia.org/wiki/Pretty_Good_Privacy), a com­put­er pro­gram that encrypts (scram­bles) and decrypts (unscram­bles) doc­u­ments and emails. The ini­tials stand for pret­ty good pri­va­cy and like it says, it’s pret­ty good! Some peo­ple claim that the worlds most pow­er­ful com­put­ers could use brute force to break the encryp­tion in a mater of just a few hun­dred of years while oth­er put the time required at longer than the age of the uni­verse. Of course, com­put­ers get faster all the time so either way the time frame might even­tu­al­ly be reduced to with­in a human life­time but even so, it’s like­ly that by the time any­one broke the encryp­tion the con­tent would no longer be valu­able. ( http://axion.physics.ubc.ca/pgp-attack.html)

I will not go into detail how PGP works as there is plen­ty of infor­ma­tion about it on the web. More impor­tant is how to use it. The trou­ble with PGP has tra­di­tion­al­ly been that peo­ple not to con­fi­dent using com­put­ers have been unable to use it effec­tive­ly. How­ev­er, over the years it has become much eas­i­er to use as it has been pro­vid­ed with a sim­ply graph­i­cal point and click inter­face and also inter­grat­ed into email clients. Once installed and con­fig­ured cor­rect­ly, it’s now a sim­ple mater of click decrypt or encrypt plus typ­ing your passphrase.

There is the say­ing that a lit­tle knowl­edge is a dan­ger­ous thing and that is cer­tain­ly true of encyrp­tion tech­nol­o­gy. PGP uses Pub­lic Key Cryp­tog­ra­phy and it is vuner­a­ble to what is known as a man in the mid­dle attack. This vuner­a­bil­i­ty exists only dur­ing the exchange of pub­lic keys required to ini­ti­ate exchange of encrypt­ed mes­sages. Again, it is beyond the scope of this arti­cle to describe the attack and you can eas­i­ly look up the infor­ma­tion else­where. The impor­tant thing is that if these keys can not be exchanged in per­son then it is vital to con­firm that the keys have not been sub­sti­tut­ed on route. This is done by com­par­ing the keys ‘fin­ger­print’ by read­ing them out on the phone etc.

Final­ly. They say mis­ery likes com­pa­ny and so, iron­i­caly, does pri­va­cy. The more peo­ple who rou­tine­ly encrypt their com­mu­ni­ca­tions the more secure every­one becomes. If you were the only one using encryp­tion then it might draw atten­tion to you and any­one you com­mu­ni­cate with. If you only use encryp­tion for ‘dodgy’ emails then this might also attract atten­tion. Once you have the soft­ware installed and con­fig­ured it makes sence to use it when­ev­er pos­si­ble regard­less of the con­tents of the email.

Fur­ther read­ing:
http://en.wikipedia.org/wiki/E‑mail_privacy
http://en.wikipedia.org/wiki/Email_Encryption
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
http://www.andrebacard.com/pgp.html
http://en.wikipedia.org/wiki/GNU_Privacy_Guard

Soft­ware
http://www.pgpi.org
http://www.gnupg.org/ (also known as gpg, open source ver­sion of pgp)
http://www.gpg4win.org/ (gpg installer for win­dows)
http://macgpg.sourceforge.net/ (Mac OSX port of GnuPG)

Addi­tion­al soft­ware sug­ges­tions

Don’t have your own com­put­er or don’t take it with you every­where you go? Well there are inter­est­ing options avail­able now util­is­ing USB mem­o­ry sticks. These have got real­ly cheap recent­ly and you can get a 1gb dri­ve for under 20 pounds. That’s a lot of space and it fits in your pock­et.

Peo­ple have been devel­op­ing what are called portable appli­ca­tions ( http://portableapps.com/). These run from the USB stick rather than need­ing to be actu­al­ly installed on a spe­cif­ic com­put­er. More impor­tant­ly they are con­fig­ured so that tem­po­rary files ect are store on the stick so as not to leave a trace on the com­put­er they are run­ning on.

With one of these sticks and the right soft­ware you can walk into a library etc and use a pub­lic com­put­er to run your own soft­ware and access your own files. It is a very use­ful way to have access to your mail etc and the data on the stick can be encrypt­ed using soft­ware such as True­Crypt.

Any­way, in the con­text of the arti­cle above I want­ed to men­tion a cou­ple of specifc portable appli­ca­tions. Both are portable email clients based on Thun­der­bird.

One is called Mobil­i­ty Email and it includes OpenPGP and S/MIME encryp­tion. It sup­ports IMAP, POP, SMTP and web based email. It is designed to from any loca­tion with no instal­la­tion or con­fig­u­ra­tion, allow­ing access your email and con­tacts on mul­ti­ple machines. Most impor­tant­ly, no per­son­al data is left behind once the appli­ca­tion is closed.

http://en.wikipedia.org/wiki/Mobility_Email
http://www.mobilityemail.net/

There is also the offi­cial Mozil­la Thun­der­bird Portable Edi­tion (for­mer­ly Portable Thun­der­bird). There are two pack­ages avail­able, one with GPG and Enig­mail pre­con­fig­ured to encrypt and sign your email.
http://portableapps.com/apps/internet/thunderbird_portable

Note. Those npeo­ple who don’t require porta­bil­i­ty may well be inter­est­ed in using the ori­nary Thun­der­bird email client plus openPGP and the Enig­mail exten­sion to pro­vide an easy to use and ful­ly interi­grat­ed email encryp­tion sys­tem. It’s cross plat­form, free and has a large com­mu­ni­ty of user and devel­op­ers. You can even use it with the Web­mail exten­sions to access yahoo, hot­mail and gmail accounts etc.
http://enigmail.mozdev.org/

——————————————————————————–

Rise­up users and PGP

It’s a lit­tle known fact but rise­up users can use PGP from with­in their web­mail accounts. I only dis­cov­ered this recent­ly and as far as I can tell it’s only been an option since rise­up upgrad­ed to ver­sion 4 of IMP in late 2005.

Only the IMP web­mail has the PGP fea­ture, not Squir­rel­mail which I guess most rise­up peo­ple use sim­ply because it’s at the top of the login page. How­ev­er, you can swap between the two with­out prob­lem if you’ve already been using Squir­rel.

The PGP fea­tures are not enabled by default and it’s a bit hid­den away which might explain why I’ve nev­er heard men­tion of it. The rise­ups doc­u­men­ta­tion on secu­ri­ty makes no men­tion of the fea­ture, not even in their PGP page. I checked on google for any­thing about pgp on rise­up but could­n’t find any­thing either so I decid­ed to write a ‘how to’.

HOW TO SET UP PGP IN RISEUP

To enable the fea­ture you have to login to the IMP web­mail (obvi­ous­ly make sure you are using a secure con­nec­tion https:// as described in the arti­cle above). When logged in you click options from the top nav­i­ga­tion menu then click ‘PGP Options’ under oth­er options on the right hand side.

Now you tick ‘Enable PGP func­tion­al­i­ty?’ then click ‘Save Options’ and the page refresh­es and you have a bunch more options. I sug­gest you don’t tick ”Should your PGP pub­lic key to be attached to your mes­sages by default?’ but you prob­a­bly should click ‘Should the body of text/plain mes­sages be scanned for PGP data?’

Fur­ther down the page you have two more sec­tions which weren’t there until you enabled PGP. One of these is ‘Your PGP Public/Private Keys’. If you already have a PGP keys then you will need to upload them here by click­ing upload and either copy and past­ing the appro­bri­ate key or brows­ing the file on your machine and attach­ing it.

How­ev­er, if you don’t have a PGP key pair then you can actu­al­ly cre­ate them now from with­in IMP. Per­son­al­ly I feel this is a bit of a secu­ri­ty risk as it requires you to trust rise­up, but then again you have to trust rise­up if you are plan­ning on using web­mail with your email in the first place. Cre­at­ing a key pair using IMP is easy, just fol­low the instruc­tions.

Once you have you keys cre­at­ed or uploaded you need to enable the address book. This is per­haps the most illog­i­cal part of the con­fig­u­ra­tion. There is a line on the page where the words ‘PGP Options’ appears on the left and the fol­low­ing on the right ’ Address Books | S/MIME Options »’

Click on the link to Address Books and then on the new page you will see a pull down menu towards the bot­tom with the words ‘Choose the address book to use when adding address­es’ writ­ten above. Change the selec­tion from ‘None’ to ‘My Address Book’ with­in the drop down menu and then click ‘Save Options’ at the very bot­tom of the page.

You can now return to the PGP Options page and upload your friends PGP pub­lic keys to the new­ly enabled address book. It’s just a mat­ter of cut and past­ing the key block from an email etc.

That should be it… click ‘Save Options’ again just incase and then return to your Inbox

USING PGP ON RISEUP

When you cre­ate a new mes­sage you will find new options below the text body, just below the Send Mes­sage but­ton. These are a drop down menu from which you can choose to sign and/or encrypt your mes­sage with PGP, and also a tick box enabling you to send a copy of your PGP pub­lic key with your mes­sage. When you click Send Mes­sage you will be asked for your passphrase in a seper­ate box and then you click Send Mes­sage again.

! It’s worth point­ing out that if you have pop­up fil­ter­ing acti­vat­ed (and you should), then you must con­fig­ure it to allow pop­ups from tern.riseup.net and petrel.riseup.net oth­er­wise you won’t get the enter passphrase win­dow appear­ing and you won’t be able to encrypt or decrypt any­thing.

When you recieve a PGP encrypt­ed mes­sage you will find a box that reads “This mes­sage has been encrypt­ed with PGP. You must enter the passphrase for your PGP pri­vate key to view this mes­sage.” (again, pop­ups must be enabled or it won’t work). Obvi­ous­ly you type your passphrase and you get to read your mes­sage.

! Don’t for­get to log out when you have fin­ished or some­body else might come along and con­tin­ue using your web­mail ses­sion with the passphrase still cached so be able to read your encyrpt­ed mes­sages!

That cov­ers it all I think. For the best secu­ri­ty it would be prefer­able to use PGP local­ly on your own machine which you are sure is secure. How­ev­er, the PGP option with rise­up is still very very use­ful. DONT FORGET.. YOU MUST USE A SECURE SSL CONNECTION TO HTTPS://RISEUP.NET

Final­ly, a few quick notes on choos­ing a PGP passphrase.

Do not use the same pass­word as you use for your email or any oth­er pur­pose. .
Do not write it down but obvi­ous­ly choose some­thing you can remem­ber.
Avoid dic­tio­nary words and names of your fam­i­ly or pets.
Aim for at least 12 to 16 char­ac­ters
Mix uper case and low­er case let­ters, num­bers and punc­tu­a­tion for the strongest passphrase.

——————————————————————————–

Use secure email providers

Fol­low­ing the link to rise­ups pages on secu­ri­ty I found this infor­ma­tion which is quite inter­est­ing. Basi­cal­ly it’s about a pro­to­cal which mail servers can use to talk to each oth­er secure­ly so that emails are passed from source to des­ti­na­tion and not be read on route. Not all mail servers offer this ser­vice but rise­up does and it lists oth­er activist tech col­lec­tives that pro­vide such mail mail servers. Obvi­ous­ly it would be bet­ter to encrypt all mail using PGP etc but that’s not cur­rent­ly real­is­tic so for those mes­sages that still go as plain text it is a very good idea to be using a mail ser­vice that pro­vides Start­TLS.

(tak­en from rise­up…)

What is Start­TLS?

There are many gov­ern­ments and cor­po­ra­tions which are sniff­ing gen­er­al traf­fic on the inter­net. Even if you use a secure con­nec­tion to check and send your email, the com­mu­ni­ca­tion between mail servers is almost always inse­cure and out in the open.

For­tu­nate­ly, there is a solu­tion! Start­TLS is a fan­cy name for a very impor­tant idea: Start­TLS allows mail servers to talk to each oth­er in a secure way.

If you and your friends use only email providers which use Start­TLS, then all the mail traf­fic among you will be encrypt­ed while in trans­port. If both sender and recip­i­ent also use secure con­nec­tions while talk­ing to the mail servers, then your com­mu­ni­ca­tions are like­ly secure over its entire life­time.

We will repeat that because it is impor­tant: to gain any ben­e­fit from Start­TLS, both sender and recip­i­ent must be using Start­TLS enabled email providers. For mail­ing lists, the list provider and each and every list sub­scriber must use Start­TLS.

Which email providers use Start­TLS?
Cur­rent­ly, these tech col­lec­tives are known to use Start­TLS:

* riseup.net
* resist.ca
* mutualaid.org
* autistici.org/inventati.org
* aktivix.org
* boum.org
* squat.net
* tao.ca
* indymedia.org
* eggplantmedia.com
* so36.net

We rec­om­mend that you and all your friends get email accounts with these tech col­lec­tives!

Addi­tion­al­ly, these email providers often have Start­TLS enabled:

* uni­ver­si­ties: berkeley.edu, johnhopkins.edu, hampshire.edu, evergreen.edu, ucsc.edu, reed.edu, oberlin.edu, pdx.edu, usc.edu, bc.edu, uoregon.edu, vassar.edu, temple.edu, ucsf.edu, ucdavis.edu, wisc.edu, rutgers.edu, ucr.edu, umb.edu, simmons.edu.
* orga­ni­za­tions: action-mail.org, no-log.org
* com­pa­nies: speakeasy.net, easystreet.com, runbox.com, hushmail.com, dreamhost.com, frognet.net, frontbridge.com, freenet.de, blarg.net, green­net (gn.apc.org)

What are the advan­tages of Start­TLS?

This com­bi­na­tion of secure email providers and secure con­nec­tions has many advan­tages:

* It is very easy to use! No spe­cial soft­ware is need­ed. No spe­cial behav­ior is need­ed, oth­er than to make sure you are using secure con­nec­tions.
* It pre­vents any­one from cre­at­ing a map of whom you are com­mu­ni­cat­ing with and who is com­mu­ni­cat­ing with you (so long as both par­ties use Start­TLS).
* It ensures that your com­mu­ni­ca­tion is pret­ty well pro­tect­ed.
* It pro­motes the alter­na­tive mail providers which use Start­TLS. The goal is to cre­ate a healthy ecol­o­gy of activist providers–which can only hap­pen if peo­ple show these providers strong sup­port. Many of these alter­na­tive providers also also incor­po­rate many oth­er impor­tant secu­ri­ty mea­sures such as lim­it­ed log­ging and encrypt­ed stor­age.

What are the lim­i­ta­tions of Start­TLS?

How­ev­er, there are some notable lim­i­ta­tions:

* Your com­put­er is a weak link: your com­put­er can be stolen, hacked into, have key­log­ging soft­ware or hard­ware installed.
* It is dif­fi­cult to ver­i­fy: for a par­tic­u­lar mes­sage to be secure, both the ori­gin and des­ti­na­tion mail providers must use Start­TLS (and both the sender and recip­i­ent must use encrypt­ed con­nec­tions). Unfor­tu­nate­ly, it is dif­fi­cult to con­firm that all of this hap­pened. For this, you need pub­lic key encryp­tion (see below).
Start­TLS

——————————————————————————–

512 bit encryp­tion bro­ken in less than a sec­ond

The prob­lem with tech­nol­o­gy as a means for secure com­mu­ni­ca­tion is it’s own advance­ment. What is secure today may not be secure tomor­row. And peo­ple who think they’re safe, using PGP or whathavey­ou, then share infor­ma­tion over email that should only be shared face-to-face.

source: http://www.khaleejtimes.com/DisplayArticleNew.asp?xfile=data/theworld/2006/November/theworld_November597.xml§ion=theworld
crypt broke

————-
“The report’s authors, Onur Aci­icmez, Cetin Kaya Koc and Jean-Pierre Seifert depict a con­crete attack on OpenSSL on a Pen­tium 4 proces­sor, albeit using a key that would be con­sid­ered quite short by today’s stan­dards (512 bit).”

Hmmm.. What is described requires the attack­er to be run­ning hiden soft­ware on the machine per­form­ing the encryp­tion oper­a­tion — in oth­er words it requires that attack­er to have installed soft­ware either with phys­i­cal access to a machine or remote access. Now cer­tain­ly, if you are using an inse­cure oper­at­ing sys­tem like win­dows then it would be a risk, how­ev­er a far eas­i­er attack in this case would be to use a key­log­ger, either soft­ware or hard­ware.

In oth­er words, Seifert and his col­leagues dis­cov­ery is unim­por­tant in rela­tion to email secu­ri­ty since much eas­i­er and more prac­ti­cal exploits exist already.

Blog­gers writ­ting about the new tech­nique have sug­gest­ed it it is the secu­ri­ty of appli­ca­tions using Dig­i­tal Rights Man­age­ment (DRM) most like­ly to be threat­ened by such tech­niques. For exam­ple, user might use the tech­nique to remove the license pro­tec­tion on WMA audio files they pur­chase so that they can share them with friends. In this sit­u­a­tion they would obvi­ous­ly be well placed to install the spy process­es required in the attack.

You attempt to dis­cour­age peo­ple from using the tech­nol­o­gy employed by finan­cial and gov­ern­ment insti­tu­tions etc is a waste of time. The weak point in all these secu­ri­ty mea­sures is the peo­ple using them. Obvi­ous­ly there is a lot to be said for low tech ‘cold war’ solu­tions like going to meet some­body face to face but it’s a lie to sug­gest they are them­selves are with­out sig­nif­i­cant risk.

Ear­li­er this month it emerged that the FBI had been remote­ly acti­vat­ing a mobile phone’s micro­phone and using it to eaves­drop on near­by con­ver­sa­tions. The sur­veil­lance tech­nique, which “func­tioned whether the phone was pow­ered on or off.” came to light as a result of a rul­ing by U.S. Dis­trict Judge Lewis Kaplan on the legal­i­ty of the “rov­ing bug”. It had been approved by U.S. Depart­ment of Jus­tice offi­cials for use against mem­bers of a New York orga­nized crime fam­i­ly who were wary of con­ven­tion­al sur­veil­lance tech­niques such as tail­ing a sus­pect or wire­tap­ping. Cell phones owned by two alleged mob­sters, John Ardi­to and his attor­ney Peter Pelu­so, were used by the FBI to lis­ten in on near­by con­ver­sa­tions.

The news that the FBI had been remote­ly acti­vat­ing mobile phones as eaves drop­ping devices con­firms what many activists have been say­ing for years.

“A cel­lu­lar tele­phone can be turned into a micro­phone and trans­mit­ter for the pur­pose of lis­ten­ing to con­ver­sa­tions in the vicin­i­ty of the phone. This is done by trans­mit­ting to the cell phone a main­te­nance com­mand on the con­trol chan­nel. This com­mand places the cel­lu­lar tele­phone in the ‘diag­nos­tic mode.’ When this is done, con­ver­sa­tions in the imme­di­ate area of the tele­phone can be mon­i­tored over the voice chan­nel.” — Nation­al Recon­nais­sance Orga­ni­za­tion newsletter,1997.

As long as I can remem­ber there has been a kind of unspo­ken rule among activists about tak­ing bat­ter­ies out of mobile phones dur­ing meet­ings to pre­vent bug­ging — along with occa­sion­al argu­ments about it being para­noid. While it has long been know to be a the­o­ret­i­cal pos­si­bil­i­ty, the mafia court case con­firms it is actu­al­ly a prac­ti­cal tech­nique and is being used.

It is not clear exact­ly how the FBI achieve their remote acti­va­tion but it is known that it is pos­si­ble to update the soft­ware on a mobile phone by send­ing an unno­tice­able SMS mes­sage to a par­tic­u­lar cell phone. Changes to the phones soft­ware than make it pos­si­ble to spy on the user around the clock, as long as the phone has pow­er. All SMS mes­sages can be read and all calls and con­ver­sa­tions can be lis­tened to, includ­ing those tak­ing place in the vacin­i­ty of the phone. It would also be pos­si­ble to access and copy address books and oth­er infor­ma­tion stored on the phone.

It should be fair­ly obvi­ous to any­one that sim­ply ‘switch­ing off’ a mobile phone could not pre­vent the soft­ware from reac­ti­vat­ing the phone at will. Like most com­put­ers, the on/off switch on a mobile phone is sim­ply a but­ton that requests the soft­ware to do some­thing, ie.. turn the phone on or off — or more acturate­ly, switch the phone between stand­by and nor­mal oper­a­tions. Many have an alarm fea­ture which can oper­ate when the phone is appar­ent­ly ‘switched off’.

Some of the vuner­a­bil­i­ties of mobile phones may only be exploitable by the state or pri­vate inter­ests with finan­cial mus­cle to obtain access to the records of mobile phone net­works. Oth­ers how­ev­er are much eas­i­er to exploit and well with­in the capa­bil­i­ties of pri­vate inves­ti­ga­tors. One exam­ple is the abil­i­ty to read mobile phone num­bers from all phones in a room as those phone rou­tine­ly poll and com­mu­ni­cate with the near­est cell phone repeater.

And lets not for­get the abil­i­ty to track cell phones (again, poten­tial­ly even when they are turned off). With the data reten­tion laws requir­ing mobile phone net­works to keep this data for a year or so, it is easy for the author­i­ties (or pri­vate agen­cies with influ­ence) to not only mon­i­tor some­bod­ies move­ments but also cross ref­er­ence that with oth­er peo­ple and build up acturate pic­tures of net­works of asso­ci­a­tion.

As repres­sion on dis­sent increas­es, it is vital that we are all aware of the infor­ma­tion we pro­vide our ene­mies and what steps we can take to lim­it the dam­age.

What advice might you con­sid­er?

Don’t take any mobile phone to a meet­ing and if you must, remove the bat­tery.
Don’t take your per­son­al mobile phone with you on actions.
Remove the bat­tery if mak­ing jour­neys oth­ers should not know about.
Bet­ter yet, don’t take the phone or send it out on a walk in the park with a friend.
Don’t pow­er up you ‘clean’ action phone in any build­ing you don’t want asso­cait­ed with an action.
Nev­er use ‘clean’ action phones to call com­rades per­son­al phone num­bers.
Don’t call a ‘clean’ action phone from any ‘non clean’ phone.
Don’t con­tin­ue to use the same set of action phones on future actions.
Only pay cash for phone cred­it and don’t not from places with CCTV (dif­fi­cult).

Fur­ther read­ing…

FBI sto­ry:
http://news.zdnet.com/2100–1035_22-6140191.html http://www.informationliberation.com/?id=18443
http://arstechnica.com/news.ars/post/20061203–8343.html

Back­ground:
http://www.wasc.noaa.gov/wrso/security_guide/cellular.htm

Some exam­ples…

Clear­ly the police are using the loca­tion records of phones to link peo­ple to actions, some recent exam­ples:

“A GANG of trav­ellers are fac­ing jail for a series of vio­lent ram-raids, rob­beries and bur­glar­ies after they were linked to the crimes through mobile phone records.”

“Mr Farmer said mobile phone records had been cru­cial in secur­ing guilty pleas and con­vic­tions…”

http://www.cambridge-news.co.uk/news/ely/2006/12/13/80f9ff15-a536-4d01-9e77-743d900618d6.lpf

“At a press con­fer­ence this morn­ing Mr Gull said that offi­cers were look­ing at mobile phone calls made and received by the girls and were also analysing DNA, but refused to go into more detail.”

“When asked about Anneli and the oth­er wom­en’s mobile phone records, Mr Gull said: “I don’t want to go into details, it’s very sen­si­tive, but it’s some­thing we’re look­ing at.â€?

http://new.edp24.co.uk/content/news/story.aspx?brand=EDPOnline&category=News&tBrand=EDPOnline&tCategory=news&itemid=NOED16%20Dec%202006%2015%3A37%3A43%3A720

“THE EADT has now filed an offi­cial com­plaint against Suf­folk police after its most senior detec­tive obtained the pri­vate mobile phone records of a jour­nal­ist in a bid to dis­cov­er his sources.”

“Edi­tor Ter­ry Hunt has request­ed a full expla­na­tion for the action tak­en by Det Supt Roy Lam­bert in a let­ter sent yes­ter­day to Chief Con­sta­ble Alas­tair McWhirter.”

“As revealed in yes­ter­day’s EADT, con­fi­den­tial mobile phone records of reporter Mark Bul­strode were obtained by Mr Lam­bert so he could find out who he had been speak­ing to.”

“The move was tak­en after the jour­nal­ist approached the force with infor­ma­tion about the reopen­ing of an his­toric inves­ti­ga­tion.”

http://www.eadt.co.uk/content/eadt/news/story.aspx?brand=EADOnline&category=News&tBrand=EADOnline&tCategory=news&itemid=IPED01%20Dec%202006%2019%3A35%3A22%3A490

A the pieces are now in place for the elec­tron­ic police state.

ID cards, injunc­tions, CCTV with voice acti­vat­ed alerts, nation­al license plate mon­i­tor­ing, face recog­ni­tion, direc­tion­al micro­phones, net­work pro­fil­ing, DNA data­bas­es, key­log­ging, phone tap­ing, bug­ging and track­ing, these are just some of the tools of repres­sion being used against those bat­tling to save the world from total dom­i­na­tion and destruc­tion.

This mes­sage will self destruct in 10 sec­onds.… 9.. 8.. 6.. 5.. 4.. 3.. 2..

One might think that this is some cloak and dag­ger spy thriller, or orwellian distopia — but todays world is one of overt and covert sur­veil­lance and repres­sion. The likes of you and me are the tar­get and this is no para­noid delus­sion — they real­ly are out to get us.

This was the stark real­i­ty pre­sent­ed at a top secret con­fer­ence on activist secu­ri­ty that took place this month. Meet­ing in a quite loca­tion some­where near the coast, dozens of cam­paign­ers from around the coun­try came togeth­er to learn about the tech­nol­o­gy and tech­niques being used by the author­i­ties and pri­vate agen­cies as they attempt to gath­er­ing infor­ma­tion and dis­rupt and destroy cam­paigns.

The aim of the gath­er­ing how­ev­er was not to make every­one para­noid and feel help­less in the face of the tech­no­log­i­cal assaults on our pri­va­cy, but rather to equipe peo­ple with the aware­ness and knowl­edge to enable them to take steps to reduce the risk to them­selves and those they asso­ciate with.

The two day con­fer­ence involved a wide vari­ety of work­shops, some dis­cus­sion-based, some prac­ti­cal or com­put­er-based. Lessons learned by those attend­ing includ­ed the impor­tance of ‘need to know’, the now proven fact that switch­ing off a mobile phone is not enough to pre­vent it being remote­ly acti­vat­ed as a bug or track­ing device. Also dis­cussed was how to spot and loss a tail, how to trap and expose infil­tra­tors, issues of secu­ri­ty for cam­paign groups and their offices such as main­tain­ing a secure con­tacts data­base. Com­put­er based skills cov­ered includ­ed encryp­tion of stored data and elec­tron­ic com­mu­ni­ca­tion, and ways to use the inter­net for research etc with­out leav­ing a trace.

Mush of the infor­ma­tion pre­sent­ed dur­ing the work­shops came from the doc­u­ment ‘Prac­ti­cal Secu­ri­ty Advice for Cam­paigns and Activists’ and this, along with the expe­ri­ences and ideas con­tributed by the par­tic­i­pants of the gath­er­ing are appar­ent­ly going to be put togeth­er as a print­ed book­let for dis­tru­bu­tion next year. Addi­tion­al­ly there are plans for a ‘walls have ears’ style poster out­lin­ing basic pre­cau­tions which can be dis­place in meet­ing spaces and social cen­tres etc to remind peo­ple of the need to con­sid­er secu­ri­ty.

info@activistsecurity.org
http://www.activistsecurity.org/