Local.UkCommSecurity r1.7 - 03 Apr 2004 - 18:41 - SpaceBunny

Communications Security

Please keep in mind that everything sent to IMC email lists is being publicly distributed, and that the list archives themselves are public and kept on an unsecured corporate server.

In addition, activists should realize that all internet information transmissions are encoded in plain text and are inherently insecure - anyone with access to network infrastructure can capture your "private" email, sniff your passwords, see who you are chatting with, what websites you are viewing, the video you watched last week, etc. As past movements have found out, this sort of intelligence information is routinely used by various agencies to do all sorts of bad stuff, as you can see in this transcript of "liberated" FBI documents from the '60s. If you have a few minutes to spare, please take the time to educate yourself about some common-sense steps to minimize trouble (scroll to the bottom of the page for some ideas in this regard). An excellent overview of activist communications security, covering everything from web surfing to remote computer logins to email, can be found at security.tao.ca.

Once you've glanced through at least part of that, check out a few software packages that can help with keeping your communications somewhat secure. Keep in mind that no system is hack-proof, and that if someone really wants to listen in on your internet life, there are always ways to do so. Never discuss anything electronically that you wouldn't want your mother to find out about.


(Fairly) Secure IRC

A tutorial on how to secure your IRC communications using Secure Sockets Layer (SSL) encryption can be found at http://docs.indymedia.org/view/Sysadmin/SecureIRC

The easiest way to get your IRC encrypted is to show up in the #uk room in IRC, and look at people's names and IP addresses. If you see someone with an IP address of "irc@localhost", that means they are encrypted. Read the tutorial at the above link. It will be confusing for you, it was written by techs, but you will have some success if you then proceed to hassle the people in #uk for help.


(Fairly) Secure instant messaging

Chat systems such as MSN, Yahoo!, AIM, etc., are controlled by corporate beasts and also have major security flaws. There is an Instant Messenger system called "Jabber" which is Free Software, and can be secured using either SSL or GPG encryption. To find out more, go to the UKCommSecurityJabber page.


Secure your Email with GPG

Note: another installation guide explaining the use of Gnu Privacy Guard's proprietary email encryption equivalent, Pretty Good Privacy (PGP), can be found here. It's probably better than this page, and is worth a read as it is much more comprehensive. There is also another GnuPG-IMC wiki page on gnupg.

There are a variety of programs that you can use to encrypt information with a passphrase, so that it becomes impossible for anyone who doesn't know that phrase to access your data - this can include files on your hard drive, or email that you send over the internet. The Free Software choice for your email encryption needs is Gnu Privacy Guard (GPG). As it conveniently states in the GPG manual,

GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.

Basically, there's a lot of fancy math being done that allows you to send info to a friend securely. You have to get your friend's public key, and use it to encrypt the info so that only your friend's private key can unlock the message. This process can be easily handled by the various email programs listed below. Besides allowing you to encrypt your information, GPG also allows you to generate digital signatures so that it is possible to verify the identities of the sender and recipient of a document. Remember to always keep your private key secure - no one else should ever be given access to a copy of the private key file that you generate.
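The exchange described above, as an added example that is not part of the original page: two constructed identities (Alice and Bob, with example.org addresses) in throwaway keyrings swap public keys, Alice encrypts to Bob's public key and signs with her own private key, and Bob decrypts and checks the signature. It assumes GnuPG 2.1 or later on the command line; the function names and file names are made up for this example.

```sh
#!/bin/sh
# Added example. Alice and Bob are constructed identities in throwaway keyrings.

# Run gpg non-interactively against one keyring directory ($1).
# The empty passphrase is for this demo only; a real key needs a strong one.
g() { kr=$1; shift
      gpg --homedir "$kr" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

setup() {       # make two key pairs, then exchange the PUBLIC halves only
  ALICE=$(mktemp -d); BOB=$(mktemp -d); WORK=$(mktemp -d)
  g "$ALICE" --quick-generate-key 'Alice (constructed) <alice@example.org>' default default never 2>/dev/null
  g "$BOB" --quick-generate-key 'Bob (constructed) <bob@example.org>' default default never 2>/dev/null
  g "$ALICE" --armor --export alice@example.org > "$WORK/alice.pub.asc"
  g "$BOB" --armor --export bob@example.org > "$WORK/bob.pub.asc"
  g "$ALICE" --import "$WORK/bob.pub.asc" 2>/dev/null
  g "$BOB" --import "$WORK/alice.pub.asc" 2>/dev/null
}

send() {        # $1 = text: encrypt to Bob's public key, sign with Alice's private key
  # --trust-model always skips the key-ownership check; in real use, compare
  # the key fingerprint with your friend over another channel instead.
  printf '%s' "$1" | g "$ALICE" --trust-model always --armor \
    --local-user alice@example.org --recipient bob@example.org \
    --sign --encrypt > "$WORK/msg.asc"
}

bob_reads() {   # print the plaintext; fail unless Alice's signature verifies
  plain=$(g "$BOB" --trust-model always --status-fd 3 --decrypt "$WORK/msg.asc" \
            3> "$WORK/status" 2>/dev/null) || return 1
  grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status" || return 1
  printf '%s' "$plain"
}

alice_reads() { # fails: the message was encrypted only to Bob's key
  g "$ALICE" --decrypt "$WORK/msg.asc" >/dev/null 2>&1
}

cleanup() {
  for d in "$ALICE" "$BOB"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$ALICE" "$BOB" "$WORK"
}

# Run the whole exchange with: sh gpg_demo.sh demo
if [ "${1:-}" = demo ]; then
  setup; send 'meet at noon'; bob_reads; echo
  alice_reads || echo 'sender cannot decrypt her own message'
  cleanup
fi
```

Only the two `.pub.asc` files ever leave their owner's keyring; the private keys stay in the separate `ALICE` and `BOB` directories throughout.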

Don't be scared off by all of the above (or all of the below). It's actually just a matter of downloading some stuff,

Installation - MS Windows

Step One - Install GPG using WinPT

Windows users can get GPG easily installed using the WinPT package. Click on one of the links to download the software (probably the mirror in Belgium is closest to Cambridge). Just double-click on the installer and follow the instructions. This package will take care of GPG installation, key generation, etc.

Pick a good password, and never tell it to anyone. This is theoretically the most important password on your entire computer, because it is supposed to be used as the lynchpin of a system that claims to uniquely identify you.

Step Two - Install a GPG plug-in for your email program

MS Outlook - many people are probably using MS Outlook as their mail client. This is a highly insecure program that is probably the number one cause of computer virus infections in the world. The WinPT software above will automatically take care of plug-in installation for Outlook.

Mozilla - if you have a computer system with some horsepower, Mozilla is a good Free Software web browser/mail client. There is a GPG plug-in available; you can get the latest stable release of Mozilla from here. Once you've got Mozilla installed, you can download the Enigmail plug-in to enable GPG in the email program (make sure that you installed WinPT first!). Go to this page using Mozilla, and click on the "install" button to install Enigmail's sweet encryption goodness. Mozilla mail is quite handy because a friend can simply email you his/her public key and Enigmail will grab it from the email automatically and let you use it.

Mulberry - a large part of the Cambridge university community is inexplicably tied to the Mulberry email client. There is a download of the Mulberry interface to Gnu Privacy Guard available. Again, you'll need to do the WinPT install first.

Other email programs - a list of other clients can be found here.


Other operating systems

GNU/Linux

There are email encryption facilities for Linux - most free software, of course, is coded on Linux. The ever-popular Mozilla, once again, is the email encryption app of choice for those Linux users who don't spend 100% of their time maintaining their computer's X11 subsystems. Also, the standard install of KMail integrates nicely with gpg for text; plugins are needed for attachments / binary files.

MacOS

You can always use Mozilla, and there are also Mac GPG plug-ins for Apple Mail and Entourage. Good MacOS instructions for installing GPG can be found here.


Webmail

Little can be done to secure webmail accounts. One of the major problems with these accounts is that, like other information, all passwords are sent in plain text - that is, despite the fact that your password is obscured when you type it into the box on the screen, it is sent unencrypted over the network. About the only thing that can be done if you must use webmail is to use a service that supports secure (https) connections using SSL, so that your password and the contents of your mail cannot be easily captured as they travel across the network. Hotmail, Yahoo!, etc., do not support this. One free account provider that does provide encrypted sessions, a nice webmail interface, and a decent (10mb) amount of email storage is Fastmail.

Please note that it's impossible to tell how secure your mail is on any webmail server, except ones like mutual aid, rise up!, or tao, where it's possible to state with some assurance that the server admins in question are decent and upstanding individuals despite the bad press they may receive when they get together in large groups. Any webmail system, and any email system where the server admin is an unknown person, is basically insecure, because unless it's stored in an encrypted format such as GPG, your email is sitting on the server as plain text. -- YosSarian - 21 Oct 2003

Web Mail with OpenPGP compliant java applet.

http://www.cyber-rights.net/ which is an ad free version of Hushmail

Basically it is like downloading a PGP encryption enabled mail client to your machine. The thing is the security is as good as your password, unlike where someone would have to obtain a copy of your private key if you used GPG and a mail client on a local machine.

Another feature is that Hushmail does not put your local IP in its header. But logs are kept on the server that will be revealed if a warrant is presented to Hushmail, and do you trust them, but at least many of your recipients cannot get your IP easily.

Trouble is free accounts have sod all space and get deleted if not used. Also you need to have the Java runtime environment, and the applet has to download each time on a new machine.

But it may be a solution for those that roam using other puters.

Ziplip markets itself as secure web mail but is just snake oil as it is not encrypted on the server. And one has to trust the people who run it, whereas Hushmail is subject to peer review of open code.

-- SpaceBunny - 22 Oct 2003

-- GarconDuMonde - 21 Dec 2003 added imc gnupg link

-- BarneyLaurance - 19 Mar 2004 - corrected a little mistake in explanation of public key cryptography - you don't need a private key to encrypt.
Copyright © 1999-2008 by the contributing authors.
All material on this collaboration platform is the property of the contributing authors.