Tuesday, March 12, 2013

Security for Activists - passwords

I've been reading a lot lately about activists, and their lack of knowledge about computer and on-line security is a little scary. Given the empire's long track record of attempting to suppress and silence activists (see the Wikipedia entry for COINTELPRO), it is imperative that those in the movement know how to protect themselves and prevent the status quo from disrupting us. To that end I am planning a series of blog posts about the tools and techniques we can use to protect ourselves and to try to prevent the empire from learning of our activities. The first blog post will be about passwords.

Most computer systems and many web-sites require the user to have a password to go along with their login. While a password may not completely prevent a hacker from getting access to your information, it is the first line of defense. A well-chosen and well-used password will stop most amateurs. But just having a password is not enough; the password has to meet certain requirements in order to be thought of as safe. Here are a few points:

The password should be at least 6 characters in length. With each character added the password gets harder to crack. If a password is composed from all 95 ASCII printable characters and the password is one character in length, the number of guesses a password cracking program has to make is 95. If the password is 3 characters in length, the number of guesses to crack the password is 857,375 (95 x 95 x 95, or 95 raised to the third power). So a 6 character password would require 735,091,890,625 guesses. There are two points I am making here: 1) the longer the password, the harder it is to crack, and 2) using mixed case characters, numbers and special characters makes it even harder to crack.

Use mixed case characters, numbers and special characters in your password. Again, this makes the password harder to crack.

Never use an easily guessed password. Words like "sex", "money", "secret" and "password" are not passwords. Nor should the password be something about you, like the city where you were born or your significant other's name. A password should never be a word found in the dictionary. A common hacking technique is called a "Dictionary Attack".

A dictionary attack is one where the program that is attempting a break-in randomly picks a word from the dictionary, say the word cat, and attempts to log in to your account while changing the case of the letters like so: cat, Cat, cAt, caT, CAt, cAT, etc. If none of these combinations works, the word is marked as tried and another word is randomly selected from the dictionary, until either they have successfully logged in or they have worked their way through the dictionary. A phrase or word with mixed case characters, numbers and special characters looks good on the surface, but it still contains words from the dictionary and it's just a matter of time.

One of the more secure password algorithms is what I call the "Name That Tune" algorithm. One picks a song, say "Take It Easy" by The Eagles, then one picks a phrase from that song; let's use "Standing on the corner in Winslow Arizona". Using the first letter of each word of the phrase, the password would be "sotciwa". Not bad, but we can make it harder to guess by changing the case of some letters and substituting numbers for letters like so: "s0tc1WA?". We have substituted a zero for a lower case o and a one for a lower case i. We have also made the letters w and a upper case and, just for the hell of it, tacked on a question mark.

The real beauty of the "Name That Tune" algorithm is that it's easy to remember, hard to crack, and one can talk about the password without saying the password. For example, let's say we used the above example as the root password to a group of web servers. If someone who knew the password but forgot it (it happens) wanted to know what the password was, all you would have to say is, "It's the Eagles song." You have just conveyed the password without saying it, and even if someone knows the "Name That Tune" algorithm, they don't know which song, which phrase and how the phrase was twisted.
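As an added example (this is not code from the original post), here is a small Python script that applies the rules above: it counts the guesses a brute-force cracker needs for a given password (the 95-to-the-power-of-length arithmetic), it checks the character-class rules, it undoes the case changes and digit-for-letter swaps a dictionary attack would undo before looking the result up in a word list, and it derives a password from a phrase the "Name That Tune" way. The word list and the table of digit-for-letter swaps are constructed for the example; a real checker would load a full dictionary such as /usr/share/dict/words.

```python
import math
import string

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"cat", "sex", "money", "secret", "password"}

# Assumed table of the digit/symbol-for-letter swaps a cracker would undo before a
# dictionary lookup; the post's own example swaps 0 for o and 1 for i.
LEET_UNDO = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                           "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(pw: str) -> int:
    """Size of the character classes a cracker must assume for pw.
    Lower 26 + upper 26 + digits 10 + punctuation 32 + space 1 = the post's 95."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += 32
    if " " in pw:
        size += 1
    return size


def keyspace(pw: str) -> int:
    """Worst-case number of brute-force guesses: charset size raised to the length."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    """The same keyspace expressed in bits, which is how crackers usually quote it."""
    return math.log2(keyspace(pw))


def is_disguised_dictionary_word(pw: str) -> bool:
    """Undo case changes, digit-for-letter swaps and trailing punctuation, then look the
    core up in the word list. This is what a dictionary attack effectively does."""
    core = pw.translate(LEET_UNDO).lower().strip(string.punctuation)
    return core in DICTIONARY


def check_password(pw: str) -> list:
    """Return the rules from the post that pw breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if is_disguised_dictionary_word(pw):
        problems.append("dictionary word in disguise")
    return problems


def name_that_tune(phrase: str, swaps: dict, upper_at: tuple, suffix: str = "") -> str:
    """The post's 'Name That Tune' recipe: first letter of each word, then
    digit-for-letter swaps, then upper-casing the chosen positions, then a suffix."""
    letters = [w[0].lower() for w in phrase.split()]
    letters = [swaps.get(c, c) for c in letters]
    letters = [c.upper() if i in upper_at else c for i, c in enumerate(letters)]
    return "".join(letters) + suffix


if __name__ == "__main__":
    pw = name_that_tune("Standing on the corner in Winslow Arizona",
                        swaps={"o": "0", "i": "1"}, upper_at=(5, 6), suffix="?")
    print(pw, keyspace(pw), round(entropy_bits(pw), 1), check_password(pw))
    for candidate in ("cat", "cAT", "P@ssw0rd!"):
        print(candidate, check_password(candidate))
```

Note what happens to "P@ssw0rd!": it has mixed case, a digit and two special characters, so it passes every character-class rule, yet the checker still flags it because stripping the disguise leaves "password". That is exactly the point made above about dictionary attacks, and it is why the phrase-derived "s0tc1WA?" passes where the dressed-up dictionary word does not.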

Having a strong password is one thing; it is quite another thing if it is used stupidly. Writing down your password is a bad idea, especially if it is written down in a place where it can be found. I've seen cases where a root password was written on a piece of paper that was taped to the top of the monitor. Another bad idea is to use your password everywhere. One of the basic principles of security is compartmentalization, that is, keeping things separate. One should be using different passwords for different accounts. Maybe not a different password for every account, but one for every different class of account: one for social media, one for bank accounts, etc.

One last point: you should change your passwords every 3 to 6 months. The longer a password is in use, the longer the hackers have to break into your account.

Friday, February 1, 2013

I Will Not Bow Down

I Will Not Bow Down America  

I will not Bow Down
to your Government
to your Religion

I will not Bow Down America
to your Materialism
to your International Corporations
to your Religious Shrines
your Stock Markets
your Shopping Malls

I will not Bow Down America
to your Coal Mines
to your Power Plants

I will not go crawling down the deep shafts at midnight

I will not Bow Down America
to your invasion of privacy
to your moral absolutes
your religious political might

I will not Bow Down America
to your Assassins
the CIA the FBI the Corporate Police State
your Killing Murdering Machines

I will not Bow Down America
to your Bureaucracies
to your schools
to your attempt to make me the model citizen
of Your State of Your Church

I will not Bow Down America
to your Hisstory
of Lies
to your Secrets
in the Best interest of
to protect
the People

I pledge allegiance
to those who were here before you
to those who will be here after you are gone

I pledge allegiance
to the woman I love
and to our children
I pledge allegiance
to my friends and allies
my guides and angels
both seen and unseen

I pledge allegiance
to poetry to music to art
to the literary renaissance
to the global literary community
I pledge allegiance to the Beat to the Outsider
I pledge allegiance to meditation to stillness
to magic to beautiful mysticism to ecstasy
to AH and AHA
to the Big Bang Epiphany
to altered states of consciousness
I pledge allegiance
to seeing
into the occult the unknown
to seeing
into everyday into the ordinary
and being amazed
I pledge allegiance to the Sacred and the Profane
to gnostical turpitude
I pledge allegiance to my physical body
and to the knowledge that I am more than
my physical body
I pledge allegiance to seeing more than
the physical world and to those
of higher frequency vibration
and consciousness
I pledge allegiance to passing through
the Sacred Fire
to entering the upper chamber of the
golden pyramid
to levitating over the open sarcophagus
to out of body experience
I pledge allegiance to the hottest sex
and to gentle affection
I pledge allegiance to fractal geometry
the geometry of clouds and coastlines
to 2x2 equaling 5
I pledge allegiance to Failure
to failing as no other dare fail
I pledge allegiance to taking risks
to holy daring
to nam myoho renge kyo
to accepting responsibility for my own actions
I pledge allegiance to not achieving
the American Dream of Success

I pledge allegiance to trees to green grass
to brown earth to wildflowers of every color
to wilderness to turquoise Native American skies
to rivers lakes and seas
to healing the earth
I pledge allegiance to the Holy Spirit
to the Word and to Silence
I pledge allegiance to Dreams
I pledge allegiance to Birth to the Journey and to Death
I pledge allegiance
to Candor to Sincerity to Laughter and to Irony
I pledge allegiance to Passion to Compassion
to Empathy and to helping those in need
I pledge allegiance to Resurrection of the Heart

I Will Not Bow Down

copyright©2003 Ron Whitehead

Ron Whitehead, 932 Franklin Street, Louisville, Kentucky 40206 usa,

Sunday, January 20, 2013

Supporting the resistance, money

The other day I was in one of those large box hardware stores buying some nails. I found what I wanted and then went to pay at one of the self-service pay stations. I scanned the box of nails, popped a twenty into the machine, collected my change, and went out to my car. Just as I got to my car the thought occurred to me: "How did the machine know I gave it a twenty?" That got me thinking.

For a while now I have been wondering how best to securely and anonymously support the various groups I am interested in. Paying by credit card or check is a dead giveaway. Whether or not the government has access to the databases at my bank or credit card company is irrelevant. In the first place, if the authorities wanted it, it would not be difficult for them to get access, and in the second place a basic practice of any activist is to assume they are being watched. Accessing databases is really not difficult for people trained in programming. As long as one is given access (a login and password) and an understanding of how the data is laid out (a schema), then it becomes straightforward to make a query to the database.

So, credit cards and checks are ruled out. That leaves cash, but how to donate securely and anonymously? Here is my thinking. There are a number of web pages talking about RFID tags being embedded into US currency; others say that this is nonsense. Either way, the point is there are other ways that currency bills can be tracked. Have a look at any US bill. Every one has two serial numbers on the front of the bill. It is possible, given a bill's serial number, to determine what its monetary value is as well as its printing year and which mint it was printed at. A clever programmer could write code that, given the serial number of a bill, returns this information.

The next thought is how one gets their bills. Well, if I consider my actions to be like everyone else's, then you either get your paper money from a bank, most likely an ATM, or in change from some transaction like buying nails in a hardware store. Let's consider the ATM. Getting money out of the ATM is straightforward. You walk up to one of your bank's ATMs, put your ATM card in the machine, enter your PIN, select the amount you want, and the machine spits out the cash and your ATM card.

OK, first step: putting your ATM card into the ATM. The card has an account number embossed on it as well as a magnetic strip. What is written onto the magnetic strip is a bank secret, but one can guess it has the same number as the one embossed on the card and probably information identifying the bank, as well as a checksum to ensure the information has not been tampered with. Next you supply your PIN. At this point you have proven your identity to the ATM and it now accesses your account. It determines if you have enough in your account to dispense the requested amount. The ATM counts out the requested amount, usually in twenties, and dispenses it, and at the same time it ejects your ATM card.

At this point an entry has been made in the bank's database that at such and such time, at a specific ATM, you withdrew a certain amount of money from your bank account. The ATM might have even taken your picture and added it to the withdrawal record. But you got your cash, so now you can safely send it to the organization you are supporting, or can you? Let's consider the self-service check out at the big-box hardware store. How did it know I gave it a twenty?

Well, the self-service machine scanned the bill. Every bill has its monetary value written in a very large font in each of the four corners. The bill also has its serial number in two places. This serial number is written in a standard font and might be printed in magnetic ink. Did the scanner read the serial number to determine the monetary value of the bill? I think so, as one more check to make sure the bill is not a counterfeit. The machine could also check for the plastic strip embedded in the paper, which fluoresces a specific color when exposed to ultraviolet light, but what do you do about bills printed before the mint started putting that strip into the paper? I have several one dollar silver certificates from the late 1950s that my grandfather gave me. They are still legal tender but do not have the plastic strip embedded in them, and they also have the old layout. The serial numbers may or may not be printed with magnetic ink, but the font is exactly the same, so I'm pretty sure that the modern bill scanners do read the serial numbers of the bills.

If the self-service pay stations scan the bills (an assumption), then I think it is safe to assume that the ATM also scans the bills when it dispenses them. If it does read the serial numbers, what does it do with the information? I can think of a couple of reasons why law enforcement would want to know which individual bills got dispensed to which person. Think about drug dealers and money laundering. If we go with that assumption, I know it sounds paranoid, then the safe thing is to assume that every time you take money out of the ATM a database entry is made of each bill's serial number dispensed to you. Say you mail some of those bills to an organization that has been labeled a terrorist organization; then you could be charged with giving support to a terrorist organization.

The rulers of this country have decided that any activist organization could be labeled a terrorist organization, thereby making it easier for them to suppress dissent and support the agenda of their true constituents, the corporations. As activists we need to support each other, but how to do it without having the status quo take notice? I've given this a bit of thinking and, thinking about all of the above, I have decided that the following is the way around this dilemma.

The way forward is to obtain bills that have not been tied to yourself. The first step is to establish a pattern of usage. Deposit your paycheck, or however you get paid, in your bank every week or every other week based on how you get paid. Then take an amount of cash out of the ATM to last you the week; think of it, as my grandfather used to call it, as your walk-around money. Now, every time you buy anything (gas, food, whatever) use that cash. Pay the bills you get in the mail from your checking account, but for everything else use your cash. Save the bills you get in change, and when you get enough to make a twenty out of those bills, put them in a separate place in your wallet. Next time you are buying something with your cash, pay the merchant and then ask him if he can take the bills you have put aside and give you a twenty. Most merchants are always low on small denomination bills and will be happy to take your bills. That twenty that you just got from the merchant is not tied to you in any database, so when you get home put it in a separate place, like in a book or an envelope in your sock drawer. Over time you will put together a nice stash of bills.

Now how to send it to the organization you support? Simply putting it in the US mail is, I think, kind of risky. The FBI has been known to open postal mail (see the Wikipedia entry for COINTELPRO), and if the new paper money does have RFID tags embedded in it, it would be easy to scan for them. A better way would be using FedEx or UPS. Sending the money in a book would be best. Putting it in a box slightly larger than the book would make it just another box and not very noteworthy.

I know all of the above sounds paranoid, but if we have to live by Moscow Rules, the question is: are we paranoid enough?