JonDonym News Center - Speaker's Corner

PRISM Brothers

nospam@example.com (cane) — Wed, 12 Jun 2013 21:44:04 +0200

The Guardian and The Washington Post recently published slides about the PRISM project of the US government’s National Security Agency (NSA). The agency is engaged in mass surveillance of users around the world. I assume, the topic is well known to readers of our blog. International protests against PRISM are mostly focusing on US spying by NSA and FBI only. But other countries have projects like PRISM too.

The NSA counterpart in Canada is the CSEC (Communications Security Establishment Canada). Like NSA the CSEC has far-reaching national security powers to monitor and map electronic communication signals around the globe. Defense Minister Peter MacKay spoke about the spying activities only: "We don’t target Canadians, okay."

The British counterpart of NSA is called GCHQ (Government Communications Headquarters). It operates in partnership with NSA, CSEC and other spying agencies, uses an own worldwide nework of monitoring station and is part of ECHELON.

The DSD (Defence Signals Directorate, Australia) and GCSB (Government Communications Security Bureau, New Zealand) are cooperating with NSA, CSEC and GCHQ too (UKUSA Agreement). Both are ECHELON partners with own monitoring station. The cooperation includes information sharing. According to Fairfax Media's sources, intelligence agencies in Australia have been receiving a high volume of valuable data from NSA, with some even coming from the PRISM program itself.

The NSA counterpart in Sweden is called FRA (Försvarets radioanstalt). In June 2008 it got the power to warrantlessly wiretap all telephone and Internet traffic that crosses Sweden's borders. Swedish people are target of FRA espionage too.

France has an own spying network called Frenchelon. Like the US counterpart Echelon it is not only used for counter terrorism but economic espionage and spying on political activists too.

The secret Onyx interception system is the Swiss intelligence gathering system for espionage and maintained by the NDB (Federal Intelligence Service). It is used to monitor telephone, fax and Internet communications worldwide. In 2006 a secret document sent by the Egyptian department of Foreign Affairs to the Egyptian Embassy in London and intercepted by Onyx was public.

The NSA counterpart in Russia is the SSSI (formerly FAPSI). It was setup in 2003 by reorganization of intelligence agencies in Russia and has unlimited power to warrantlessly wiretap all internet communications. The FBI counterpart in Russia is the FSB. The interception system SORM offers unlimited, direct access to the servers of almost all Russian ISPs for the FSB (Wired). Intercepted e-mails and phone calls were published by Russian media in 2011 to discredit opposition member. The largest social network in Russia is Vkontakte.ru with 200 million members. It cooperates with FSB and sent data of opposition member.

In Germany warrantlessly wiretapping and espionage is done by BND (Federal Intelligence Service). It is scanning 20% of all emails routed over German AS for 16,400 keywords. In 2010 the keyword scanners sent copies of 37,000,000 email to the BND for more detailed analysis. In 2008 W. Schäuble (formerly minister of the interior) recommended the setup of a spying agency like NSA or like the British GCHQ for Germany. The project was cancelled in 2010 but the recommendation was renewed by R. Wendt last days.

Minister of the interior Friedrich approved, that German intelligence services gets valuable data from NSA but he didn't know anything about a program called PRISM.

Stand up! It's time NOW!

StopWatching.Us (Mozilla Foundation)
EUhackathon 2013 (visualization of government surveillance)
Respect my Privacy (campaign for European Data Protection Regulation)
Denials Are Not Enough (ACCESS NOW)
... and others

EUhackathon 2013

nospam@example.com (cane) — Fri, 07 Jun 2013 15:39:22 +0200

The third edition of the EUhackathon takes place on 24-25 September 2013 in Brussels, Belgium.

The topic: What does government surveillance around the world look like?

The challenge: To ensure that officials are acting in the public interest, citizens should know when and why governments demand access to their information. Using data sets from network analysis, corporate Transparency Reports and freedom of information (FOI) requests, create apps and visualizations that shed light on the state of government surveillance in their country and exercise their democratic rights to due process and greater transparency.

A very nice surveillance simulation was created by re:log. During the bloggers conference re:publica this year in Germany all smartphones using the free W-LAN of the conference were tracked. The collected datasets were published without identifiable information and re:log creates a simulation of movements of participants (Javascript required). Click on a data point and follow the movements of a person.

Smartphones are tracking devices. You may replace the background in mind by a city map and you may imagine, how participants of a demonstration may be tracked or how the FBI is mapping muslim communities without any suspicion of a crime being committed (Danger Room).

"Going Dark"

The FBI would gain undetected real-time access to suspects’ Skype calls, Facebook chats, and other online communications and in "clear text". The project is called "Going Dark" and started a few years ago. Susan Landau, security expert at Harvard University, wrote in 2011 about the wishes of FBI to get backdoors into the servers of Google, Facebook, Yahoo... Actually CALEA II is the latest proposal of FBI to extent the surveillance capabilities of phone calls (since 1994) and VoIP (since 2004) to all other online communications.

The new proposal reportedly allows the FBI to listen in on any conversation online, regardless of the technology used, by mandating engineers build "backdoors" into communications software.

By publications of Washington Post and The Guardian about PRISM the CALEA II proposal looks like a small extent of a long running surveillance of foreign targets to include US citizens. The warrant-less surveillance of foreign targets is legal by the Foreign Intelligence Surveillance Act (FISA).

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.

All named internet companies deny directly access of NSA and FBI into own servers. First statements of Facebook, Apple and Microsoft are online. But surveillance of private communication is not really new and does not require directly access into the central servers of Internet companies:

Twitters offer all information by a commercial API interface. For $360,000 per year you may get access to all data sets of users. The DHS uses this API interface and is sharing information with other agencies.
Google will send a copy of each e-mail and each search request to the new NSA data center in Fort Bluffdale. This was public by the whistleblower William Binney.

In the EC study Fighting cyber crime and protecting privacy in the cloud the authors are warning about warrant-less spying of US authorities. All cloud and email providers with server in USA may be affected.

Stelle als JonDoBrowser-Entwickler

nospam@example.com (JonDos) — Mon, 03 Jun 2013 17:22:47 +0200

Liebe Leser des Blogs,

aktuell suchen wir jemanden, der uns bei der Entwicklung des JonDoBrowsers unterstützt. Dabei könnte diese Aufgabe im Rahmen von Telearbeit (von zu Hause aus) als Teilzeit-Stelle, nebenberuflich, oder auch in selbständiger Arbeit auf Projekt- oder Stundenbasis wahrgenommen werden. Wir freuen uns auf Bewerbungen!

Bewerbungen sind bitte per E-Mail zu richten an: rolf.wendolsky_(at)_jondos.de

Voraussetzungen:

Erfahrung mit JavaScript-Programmierung
Kenntnisse über online-Tracking-Techniken und Online-Anonymität
wünschenswert: Kenntnisse in C++
optional: Erfahrung in der Entwicklung von Firefox-Add-Ons

Am Besten liegt der Bewerbung auch ein Programmierbeispiel bei, und kurze Angaben dazu, was man bereits im Software-Bereich gemacht hat. Umfangreiche Zeugnisunterlagen sind uns dabei weniger wichtig.

Liberty Reserve closed

nospam@example.com (cane) — Tue, 28 May 2013 15:20:59 +0200

Liberty Reserve was closed a few days ago. It was one of the most frequently used Internet payment processors. The DNS record of the domain points to Shadowserver.org, an organization that fights global computer crime in cooperation with US authorities. The Tico Times reported that the money laundering investigation against the founder was a joint operation between authorities in the US and Costa Rica.

We are not happy about the closing and we are not able to accept payments with Liberty Reserve any more. The service was offering anonymous payments between customers and merchants, it doesn't apply the US embargo restrictions against 60 countries and was world wide useable. Liberty Reserve was listed as a member of the Global Digital Currency association (GDCA), a trade association of online currency operators, exchangers, merchants and users with a declared goal to help with fighting fraud and other illegal activities. In our point of view Liberty Reserve was a trusted payment processor.

The e-gold payment sites milenia-finance.com, asiangold.com, exchangezone.com, moneycentralmarket.com and swiftexchanger.com are offline too (closed by US authorities) and the DNS records point to Shadowserver.org. The payment processor Pecunix was down only for short time, it was target of DDoS attacks. The servers of Pecunix were moved to another, secure location and the service is online again. After closing of Liberty Reserve the digital payment processor PerfectMoney.com announced it was no longer accepting U.S. citizens as customers to avoid trouble with US agencies.

First-Party Cookies

nospam@example.com (cane) — Thu, 09 May 2013 17:24:40 +0200

The browser Mozilla Firefox version 22.0 will block third-party cookies by default. Content from a third-party origin will get only permission to set cookies if its origin already has at least one cookie set. (see: The New Firefox Cookie Policy). This policy will potentially block cookies from advertising networks that are used to track the browsing habits of users. Google, the main sponsor of Mozilla, is not affected by this policy because Firefox gets a Google cookie at first start.

Is blocking of third-party cookies useful to avoid the tracking of browsing habits of users by third parties? Let's make a small test. We installed a fresh Firefox and disabled third-party cookies in the configuration. This configuration setting is a little bit more restrictive than the new Firefox cookie policy, but suitable for our demonstration. Afterwards we opened 3 websites and took a look at stored cookies.

Zeit.de (online portal of a German newspaper)

All cookies were classified as first-party content but some of them are used by third-party servers.
- The cookie "rsi_segs" is used by www.audiencescience.com for behavioral based advertising.
- "wt3_eid" and "wt3_sid" are used by WebTrekk.
- The cookies "__umta" ... "__umtz" are used by Google Analytics.
- The cookie "_chartbeat2" is used by www.chartbeat.com for real-time analysis of website vistors.
The cookies are generated and send to the tracking service by Javascript. Because these cookies are used to transfer information to third parties it is a violation of user preferences.
Zalando.de (commercial webshop)

Zalando.de uses Javascript generated cookies too. But additional we found two cookies for the sub-domain "track.zalando.de". This domain is a DNS alias for "zalando-de01.webtrekk.net", an external server not related to Zalando.de. By using the DNS alias for loading a 1x1 pixel transparent image (webbug), it became first-party status and was able to set the cookies "wteid_xxxxx" and "wtsid_xxxxx".
Heise.de (German IT news portal)

Heise.de is using WebTrekk too. Both methods of Zeit.de (1.) and Zalando.de (2.) are combined:
- If Javascript is active, the cookies "wt3_eid" und "wt3_sid" are created with Javascript.
- If Javascript was disabled, a 1x1 pixel webbug will be loaded from the sub-domain "prophet.heise.de". This sub-domain is a DNS alias for "heise02.webtrekk.net" and is used to get first-party status for the webbug. The webbug sets the cookies "wteid_xxxxx" and "wtsid_xxxxx" for tracking.

Conclusion

Tracking services are using sophisticated methods to get first-party status for their tracking elements to avoid blocking. The tracking services above are only small examples. Yahoo! Web Analytics sets a one-year, first-party, persistent cookie that includes a unique visitor ID number and is able to track 99,9% of website visitors.

It is not possible, to use first-party cookies for cross-domain tracking. These cookies are only valid and accessible within the context of one domain. But by using additional tracking features, it is possible to link tracking data of multiple domains together. WebTrekk collects Geo-location by IP address, screen size and color depth of your monitor, inner size of browser window, your preferred language, browser name and version, operating system and version, settings of Java (ON/OFF), Javascript (ON/OFF) and cookies (ON/OFF). It is possible to calculate a high quality browser fingerprint with this data. The browser fingerprint will be unique for most user and it may be possible to use it for linking tracking data over multiple domains.

To avoid tracking of your browsing habits by third parties we recommend the blocking of all cookies and Javascript. Enable session cookies or Javascript only for trusted websites if required to get it working as expected. Delete all cookies after leaving the website or at least by closing your browser. JonDoFox and JonDoBrowser are configured for this behavior. During your surf session you can delete cookies with click on the menu item "Tools - Clear Recent History" or you may hit CTRL-ALT-DEL.

JonDoBrowser 0.6 - Status Report

nospam@example.com (G. Koppen) — Tue, 16 Apr 2013 09:39:58 +0200

In the future the JonDoBrowser shall replace the JonDoFox profile in order to allow an even better protection against tracking on the Web. As the development is already on its way since a while we would like to deliver a short status report every six weeks from now on. That would hopefully give users an idea about where we are now and what still remains to do:

The top 5 things we did during the last six weeks:

1) Worked on the update mechanism (full updates are working on Linux now)
2) We disabled SSL 3.0 by default. If there are problems, please report them!
3) Disabled the annoying add-on bar and moved the UnPlug icon to the toolbar.
4) Reported possible problems for the protection against tracking with HTTP authentication to Mozilla.
5) Released JonDoBrowser 0.6

Top 5 things for the coming weeks:

1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013)
2) Integration of partial updates into the update patch for Linux systems
3) Integrating a better compression algorithm for JonDoBrowser packages on Linux systems into the build script
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser.
5) Removing a duplicated UnPlug in the extensions directory of the profile as this is probably causing issues during the first start of JonDoBrowser on Linux

ToDo for the 1.0-Release:

1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites

Webtracking Trends

nospam@example.com (cane) — Wed, 20 Mar 2013 13:35:22 +0100

More than 80% of Internet user dislike the tracking of their online behavior. But tracking is expanding more and more. Popular Web sites are far more aggressive in their tracking practices.

More Elements on Popular Websites

The project Web Privacy Census of University of California is watching the state of internet tracking and privacy over years. An increasing usage of tracking features was documented. For an example we want to show only the usage of cookies by the 100 most popular websites:

	Numbers of cookies
2009	3.602
2011	5.675
2012	6.485

The project observed statistically significant increases in the amount of usage of sophisticated HTML5 features like DOMstorage and other EverCookies for tracking. 38% of popular websites were using EverCookies techniques in Oct. 2012. EverCookies are not easy to manage and remove by users like third-party cookies.

Because it is easy to block third-party content with modern browser more third-party aggregators are working to hide their presence in a first-party site by serving content from what are or appear to be first party servers. This approach makes it very difficult to block tracking scripts by advertising blocker. For an example you may have a look at the easy to use tracking plug-ins offered by Webtrekk for blogs, content management systems and shops.

Some tracking services doesn't use markers like cookies or EverCookies but only browser fingerprinting for surfer recognition. The demonstration project Panopticlick featured out, that more than 80% of browser have a unique fingerprint. The recognition rate increases to 94% if Flash or Java plug-ins were enabled. (How Unique Is Your Web Browser PDF). Tracking services are using more sophisticated methods and achieve 30% higher recognition rates than cookies based approaches. Other tracking services are using browser information, screen size and other values additionally for user recognition.

An increasing number of websites is using more than one tracking service. An example is the webshop Zalando. It uses the following tracking and advertiesment services: 36YIELD, ADSCALE, APPNEXUS, ATDMT, ATEMDA, CRITED, DEMDEX, DOUBLECLICK, FACEBOOK, METRIGO, OPENX, PUBMATIC, ADSERVER, SOCIOMANTIC, YIELDLAB und YIELDMANAGER.

Decreasing number of independent tracking companies

A number of families of domains and tracking services have been created through acquisition of many companies by some global player. The families are sharing collected data and achieve a large coverage of popular websites.

The larges family is Google and associated companies. The earnings of these family are 44% of the world-wide online advertising market. During the last years Google bought the following companies:

2003	Applied Semantics
2003	Springs
2006	dMarc
2007	Adscape
2007	Feedburner
2007	DoubleClick + falkad.net
2009	Admob
2009	Teracent
2010	Invite Media
2011	Admeld
2012	Wildfire
2012	Adelphic

Because of this acquisitions tracking features of the Google family are present on more and more popular websites:

	Tracking features of the Google family
2005	present on 7% of popular websites
2006	present on 16% of popular websites
2008	present on 55% of popular websites
2009	present on 80% of popular websites
2012	present on 97% of popular websites

Other tracking families are the Overture network, Microsoft and the Yahoo! family, each with a portion of 3-8% of the world-wide online advertising market. The new cooperation of Facebook with BlueKai and Epsilon is the start of a new large tracking family.

Using of Real World Data

The tracking of our online behavior offers only an incomplete view on our interests. First steps are taken by Facebook to include real world data in profiling for proper online advertisements. A cooperation with Axciom and Datalogix was announced in February. Both databrokers operate big databases with real wold data like creditcard payments, loyalty cards at supermarkets and product warranty cards and so on.

If the information flow increased in both direction, our online activities may get more influence of our real live. A year ago Sarah Downey warns:

The harms of online tracking are real and growing. This isn't about targeted advertising, like the ad industry wants everyone to believe. This is about the collection and use of your personal information in ways you can't even imagine.

Today our online activities may decide about getting a new job or may have an influence on assurance taxes. Personally I know 3 cases of including private online activities to check job applicants by personnel managers. In one case the result was positive. In two cases the applicants were rejected mainly (but not only) because of this data.

16. Europäischer Polizeikongress

nospam@example.com (cane) — Wed, 20 Feb 2013 21:13:57 +0100

Auf einem Polizeikongress finden die Teilnehmer ein dankbares Forum, um neue Überwachungsbefugnisse zu fordern. Zentrales Thema auf dem 16. Europäischen Polizeikongress war die Wiedereinführung der Vorratsdatenspeicherung (neudeutsch: Mindestspeicherdauer). Herausragende Gedanken äußerte BKA Vizepräsident J. Maurer: Jeder Bürger müsse eine neue Sicht auf das Internet verinnerlichen und eine Speicherung von IP-Adressen sei nicht problematisch, weil:

Wer im Internet ist, hat die Privatheit verlassen.

Diese pauschale Sichtweise würde eine Aufhebung des Post- und Fernmeldegeheimnis für E-Mails und sonstige private Kommunikation im Internet bedeuten. Das Post- und Fernmeldegeheimnis wurde nach den Erfahrungen mit der faschistischen Dikatur Mitte des letzten Jahrhunderts als Grundrecht in allen übergeordneten Normenkatalogen verankert (UN-Menschenrechtskonvention, EU-Grundrechtecharta, Grundgesetz), als Schutzrecht für Bürger gegen einen übermächtigen (Polizei-) Staat. Für mich stellt sich die Frage, ob Herr Maurer die geeignete Einstellung hat, um verantwortungsvoll die Führung einer Polizeibehörde mit weitreichenden geheimdienstlichen Kompetenzen zu übernehmen.

Ein weiteres Beispiel für den Geist des Kongresses war der starke Beifall für den nordrhein-westfälische Innenminister R. Jäger, als er die Haltung von Bundesjustizministerin Leutheusser-Schnarrenberger als "nah an einer Strafvereitelung" bezeichnete. Die Bundesjustizministerin hält eine Mindestspeicherdauer von sieben Tagen für IP-Adressen und Quick Freeze für Verbindungsdaten für ausreichend (siehe Eckpunktepapier des BJM zur VDS, PDF). Außerdem ist für Frau Leutheusser-Schnarrenberger Anonymität ein Grundprinzip des freien Internets.

Medial begleitet wurde der Polizeikongress mit Horrorgeschichten über drohende Terroranschläge per E-Mail oder die schlimmen Folgen fehlender Vorratsdatenspeicherung für die Aufklärung von Mordfällen (FAZ). Der Bundesdatenschutzbeauftragte bezeichnete den FAZ-Artikel als unredlich.

Kein Sprecher auf dem Polizeikongress konnte neue Fakten oder Studien präsentieren, welche die Notwendigkeit der Vorratsdatenspeicherung wissenschaftlich belegen. Zur Erinnerung:

Das wissenschaftlichen Gutachten des Max-Planck-Instituts (MPI) für ausländisches und internationales Strafrecht kam zu dem Schluss, dass die Aufzählung spektakulärer Einzelfälle nicht als Nachweis der Notwendigkeit für eine 6-monatige Mindestspeicherdauer genügt. Die Strafverfolgungsbehörden haben nach Ansicht der Autoren bisher keine belastbaren Begründungen für eine Schutzlücke im Internet liefern können.

Die Zahlen der jährlichen Kriminalstatistiken des BKA zeigen, dass die Vorratsdatenspeicherung 2009 keinen Einfluss auf die Aufklärungsrate und die allgemeine Entwicklung der Straftaten im Internet hatte. Es gibt von Jahr zu Jahr mehr Straftaten im Internet bei abnehmender Aufklärungsrate.

	2007 (ohne VDS)	2008 (ohne VDS)	2009 (mit VDS)	2010 (ohne VDS)
Straftaten im Internet	179.026	167.451	206.909	223.642
Aufklärungsrate im Internet	82.9%	79.8%	75.7%	72,3%

Sicherheitspolitiker aller Ebenen sollten mehr Respekt vor Grundprinzipien unserer Gesellschaft zeigen, statt nicht-diskussionsfähige Maximalforderungen zu präsentieren.

JonDos does not recommend Hushmail.com

nospam@example.com (cane) — Mon, 28 Jan 2013 13:33:23 +0100

Hushmail.com enjoys a good reputation for privacy friendly e-mail services or years. The EFF.org recommended in the tutotial about anonymous e-mails accounts only Hushmail.org (Don't be a Petraeus) and the German Journalist P.Beuth wants to publish a tutorial for anonymous e-mail accounts by using Hushmail.com next days in the online newspaper ZEIT.de.

JonDos does NOT recommend Hushmail.com

Have a look at the privacy policy of Hushmail.com. The content of all emails is scanned and like an extended data retention the following data records are stored for 18 month:

all sender and recipient email addresses (data retention log)
all file names of attachments
subjects of all emails
URLs in the bodies of unencrypted email
... "and any other information that we deem necessary"

The stored records are not deleted when you cancel your account.

When you make a purchase to buy a premium account your IP address, country, city and postal code will be transfered to third party PCI compliant services. Hushmail.com is not responsible for the privacy policy of these services. The usage of PCI compliant services may be useful for payment processors like PayPal.com but it is not required for telecommunication services. JonDos GmbH operates for years successful without using PCI compliant services.

The website of Hushmail.com uses third-party services for some parts such as the help system. After login your Hushmail ID and your name is transferred to these service on purpose (not unintentionally!). For the privacy policy of third-party services Hushmail.com is not responsible.

Recommended e-mail provider

A small list of recommended e-mail provider you may find in our online help about anonymous e-mail accounts with Mozilla Thunderbird. You may send us your recommendations by using our contact form and we will add it after checking the service.

Lawful access to user-related telecommunication data in Germany

nospam@example.com (cane) — Wed, 19 Dec 2012 17:18:18 +0100

In April 2012 the security scientist Pete Swire published a paper about trends in lawful surveillance. Intelligence services and law enforcement agencies are seeking access to stored data in the cloud and on private computers because wired interception of telecommunication is less effective.

With a new drafted law (BR-Drs. 664/12) the German government is taking a leading position in this development. For the future intelligence services and law enforcement agencies may have warrant-less access to passwords of e-mail accounts and cloud-stored data, PIN codes of smartphones and to the TR-069 interface of routers provided by Internet access provider for customers. Provider with more than 100,000 customers have to offer automated interfaces for lawful access. Smaller provider have to answer a request within 6 hours. All providers are not responsible in case of unauthorized access to user-related telecommunication data.

The German Pirate Party commented:

"This draft is not supported by constitution." (Patrick Breyer, MDL)

JonDonym storage grid

We are going for development of new services to keep your data private. For premium users we offer a storage grid, which does not have all the comfortable features of DropBox and is only accessible by webinterface (at the moment). But it implements some great security concepts:

The storage nodes of the grid are operated by verified JonDonym operators. Because of splitting and encryption of data the operators can't inspect your uploads.
An account is not required and no personal data is collected.
The cryptographic keys for read/write or read-only access are included in the URI and are not linkable to a single person.
Access to the storage grid is protected by one of the strongest anonymisation services around the world.

Secure SSL encryption for webserver

nospam@example.com (cane) — Mon, 10 Dec 2012 13:39:09 +0100

The project SSL Pulse tracks nearly 200,000 high profile web sites from the Alexa top one million site list and evaluates their SSL implementation. Only 10% of all sites are genuinely secure.

We want to give some small recommedations for webmaster to improve the security of HTTPS encryption. All sample configuration snippets are working for Apache2, but you may adapt it for other web servers too.

Create a SSL certificate

At first you have to create the SSL certificate and get a signature by a certification authority (CA). You may use checkdomain to get a signed certificate.

All CAs offer a comfortable webinterface to use your browser of all steps of the certificate creation process. We do NOT recommend the use of website wizards. You do not have full control over the creation of your private key. You may use the OpenSSL library to create at first the private key and a certificate signing request (CSR) afterwards on your computer:

> openssl genrsa -out my.key 2048 > openssl req -new -key mein.key -out my.csr

Now you can send only the CSR to the CA and you will get the signed certificate (CRT) back.

Enable SSL encryption in your server configuration

To enable SSL encryption you have to load the module "ssl" and add the following lines to your virtual host configuration for port 443. The certificate chain file is only required time by time, please read the documentation of you preferred CA and download the bundle if required.

SSLEngine On SSLCertificateKeyFile /path_to/my.key SSLCertificateFile /path_to/my.crt SSLCertificateChainFile /path_to/bundle.crt

Restart your web server and SSL encryption is working. But SSL is a complex standard and contains may insecure features.

Disable insecure SSL protocols

SSL v.2.0 is "broken by design" and SSL v.3.0 is not secure any more. You have to disable both and use only TLS 1.0 - TLS 1.2. You may use the following configuration option in the file ssl.conf:
SSLProtocol TLSv1
Disable insecure cipher

Disable insecure cipher suites and weak keys in ssl.conf. A year ago the security researchers Juliano Rizzo and Thai Duong presented BEAST (Browser Exploit Against SSL/TLS). Actual browsers are not affected by this attack any more. You can ignore warnings about BEAST vulnerability of your webserver. Secure settings are:
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!EDH:!3DES:!ADH
Disbale TLS compression

This year Juliano Rizzo and Thai Duong presented a new attack CRIME (Compression and Information Leakage of Plaintext). You can avoid this attack by disable TLS cempresion and do not use SPDY. For Apache2 a patch was released in November this year to fix the problem. Keep your software up-2-date.
Enable HTTP Strict Transport Security

HTTP Strict Transport Security is a security policy mechanism whereby a web server declares that webbrowser interact with it using only secure HTTPS connections. A HTTP header field is added by the web server to the response. This will avoid an attack which was first introduced by Moxie Marlinspike at 2009 BlackHat. To add the Strict Transport Security header you have to load the module "headers" and add the following line to your virtual host configuration:
Header always set Strict-Transport-Security "max-age=31536000"

Security is a process and not an one-time action. Check your server time by time with the SSL server test for new vulnerabilities and fix it as soon as possible.

Don't be a Petraeus

nospam@example.com (cane) — Thu, 29 Nov 2012 20:51:23 +0100

The EFF.org evaluated the investigation of FBI in the personal lives of CIA Director David Petraeus, Paula Broadwell, Jill Kelly and General John Allen and published A Tutorial on Anonymous Email Accounts.

You should use an anonymisation service when setting up and accessing your webmail account. You must always use the anonymisation service. (The EFF.org recommends Tor, but JonDonym is suited too.)
Use a privacy-friendly mail provider with secure SSL encryption. GMail or Yahoo! are not acceptable, but Hushmail is not the only one proper mail provider all over the world. You may find some more recommendations in our online help.
If an email address was required for account creation you may use disposable addresses. Do not use an email address, which is traceable to you real identity - never.
Use encryption to keep you mails private. The content of emails may be used for deanonymisation. OpenPGP is recommended.
Additional we want to add a fifth point. Do not store read or sent mails or drafts on the server of your mail provider. Stored mails are not protected by privacy law like telecommunication, if the owner was able to delete them.

North American Internet Blackout

nospam@example.com (cane) — Fri, 02 Nov 2012 15:28:25 +0100

On July 06, 2012 US-President Barack Obama signed the executive order Assignment of National Security and Emergency Preparedness Communications Functions. It empower certain governmental agencies with control over telecommunications and the Web during natural disasters and security emergencies and authorized the DHS to seize private facilities when necessary and effectively shutting down or limiting civilian communications. It may be possible to disconnect private-sector computers from the Internet to keep Federal Government communication running.

You can see the feeling of a regional internet "blackout" in North America this week. On October 26 some US-router went down. The consequences were significant trouble in internet traffic. Internet Traffic Report reports that Asian and North American packet loss has jumped to an average 30-35%, compared with 9% for Europe and 0% each for South America and Australia. The volume of traffic went down by 5-10% for North America at all (USA, Canada, Mexico). Many people are barely able to connect to the network.

Fife days later on November 01 the New York main router was back in service. The volume of traffic increases (but did not reaches normal values) and the value of "packet loss" went down on November 01, 2012.

On November 02 the first router in New Jersey was back in service. The volume of traffic and the value of "packet loss" reaches normal values.

May be in this case the US government is not responsible for the local blackout. The Content Delivery Network Akamai reports that internet-based attacks are up 50% over average on October 26, 2012. The US east coast was a highest volume region.

No independent analysis of this "blackout" was published at the moment in our knowledge. But it seems the losses arising from Sandy were mainly responsible for the local blackout.

Secure Voice-over-IP (VoIP)

nospam@example.com (cane) — Fri, 26 Oct 2012 17:50:39 +0200

Telecommunications carriers and manufacturers of telecommunications equipment are required by law to conduct electronic surveillance for law enforcement and intelligence agencies. In United States the Communications Assistance for Law Enforcement Act (CALEA) wiretapping law passed in 1994. In Germany a similar law was adopted 1995 by German FEDs' initiative (it was replaced in 2002 with the Telekommunikations-Überwachungsverordnung (TKÜV)) and other countries adopted similar laws too.

Since 2005 CALEA applies to Internet access providers and providers of Voice-over-Internet-Protocol (VoIP) services with interconnections to the public switched telephone network like Skype.

Encrypted Voice-over-IP without backdoor

To answer the Total Information Awareness Project of the US administration's and other surveillance projects some nerds develop secure Voice-over-IP networks.

Open Secure Telephony Network (OSTN)

The Guardian Project is working to define a defacto standard by which a voice over internet protocol service can be considered end-to-end secured, with verifiable encryption, minimal logging, and a decentralized model of deployment and use.

At the moment the project is ready for usage but still under development. Three OSTN providers are stable working and some VoIP clients for desktop computers and smartphones offer full OSTN support. The server software is open source and it is possible to run your own VoIP server.

The configuration of your "secured" VoIP client is very simple. You have to create an account on the website of an OSTN provider and enter the login credentials you got like a SIP account. Secure SRTP/ZRTP encryption of incoming and outgoing phone calls is activated without any action required by you or your communication partner. You have to verify only a 4-digit combination of letters and numbers displayed by your VoIP client with your partner. If both of you will see the same combination of letters and numbers no man-in-middle is sniffing you call.

To avoid local surveillance with a (federal) trojan horse like Digitask trojan or FinSpy or HackingTeam RCS you may use a live-cd. The JonDo Live-CD / DVD contains the VoIP client Jitsi with full support of the OSTN protocol.
Silent Circle

Silent Circle is a commercial project of Phil Zimmermann (developer of OpenPGP for email encryption and the ZRTP protocoll for VoIP encryption), Combat-decorated Navy SEALs and privacy activists. For $20 per month it offers secure Voice-over-IP with strong encryption and without surveillance backdoor. Client software for iPhone and Windows is ready for use, an Android client is coming soon. Solutions for easy to use encrypted e-mail and SMS are under development too.

The logo of "Silent Circle", the red Enso symbol, was used by the 47 Ronin (a group of Japanese "Masterless Samurai") as a symbol of their protection of the citizens 300 years ago. It is a legendary symbol of honor, character, skill and unconventional tactics.

It is NOT possible to use JonDonym or Tor for anonymisation of Voice-over-IP calls.

SHA-3 announced

nospam@example.com (cane) — Wed, 03 Oct 2012 12:26:21 +0200

NIST has announced the winner of the SHA-3 Cryptographic Hash Algorithm Competition. Keccak has been selected as SHA-3.

We will use the new recommended hash algorithm for the further development of our software and replace old hash algorithm.