Safer Hex in public places and at home
A BOF held at DebConf5 in Helsinki (the slides are finally there)
Towards a moderately paranoid Debian laptop setup
Tools that make you aware you're vulnerable
- dsniff, dnsspoof, mailsnarf, sshmitm, webspy
- driftnet
- ethereal (can save VoIP streams as .au files)
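To make concrete what mailsnarf and dsniff pull off the wire, here is an added example (not part of the talk or this page) of a minimal cleartext-credential scanner run over constructed session transcripts. The sample streams are made up, and the patterns cover only a few of the protocols dsniff knows (POP3/FTP USER and PASS, HTTP Basic auth); the third sample shows that once a session has switched to TLS there is nothing left to find.

```python
"""Added example (not from the original talk or page): a minimal
mailsnarf/dsniff-style credential scanner run over constructed
cleartext client->server streams.  The samples are made up and the
patterns cover only POP3/FTP and HTTP Basic auth."""
import base64
import re

# POP3 and FTP send the password as a plain command line.
_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
# HTTP Basic auth is only base64-encoded, not encrypted.
_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                       re.IGNORECASE | re.MULTILINE)


def find_credentials(payload: str) -> list:
    """Return (protocol, user, password) tuples found in one stream."""
    found = []
    users = _USER_RE.findall(payload)
    passwords = _PASS_RE.findall(payload)
    for user, password in zip(users, passwords):
        found.append(("pop3/ftp", user, password))
    for token in _BASIC_RE.findall(payload):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed user:password token
        user, _, password = decoded.partition(":")
        found.append(("http-basic", user, password))
    return found


# Constructed sample streams (not real captures).
SAMPLE_POP3 = "USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"
SAMPLE_HTTP = ("GET /webmail/ HTTP/1.1\r\nHost: mail.example.test\r\n"
               "Authorization: Basic Ym9iOnMzY3IzdA==\r\n\r\n")
# After STARTTLS the rest of the stream is TLS records: nothing to find.
SAMPLE_STARTTLS = "EHLO laptop\r\nSTARTTLS\r\n\x16\x03\x01\x00\x2a\x01..."


def scan_all() -> dict:
    """Run the scanner over every sample and map sample name -> hits."""
    return {name: find_credentials(stream)
            for name, stream in (("pop3", SAMPLE_POP3),
                                 ("http", SAMPLE_HTTP),
                                 ("starttls", SAMPLE_STARTTLS))}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(name, hits or "nothing recoverable")
```

The point of running it is the contrast: the POP3 and HTTP samples give up the password to a few regexes, the STARTTLS sample gives up nothing, which is exactly the difference the tools in the next list make.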
Tools that can help you protect your privacy
- cryptofs for /home, /var and swap; an encrypted rootfs also doesn't hurt
- ssh, ssh port forwarding, openvpn, ipsec
- gnupg
- SILC or encrypted jabber for IM
- encrypted backups
- tor, esp. in conjunction with Privoxy (but make sure to keep the Privoxy logs short)
  - for any TCP protocol, e.g.
  - for browsing the web
  - you can use tor for r2e too
- ctrlproxy / screen+irssi/bitchx - but the problem of people keeping IRC logs forever remains
- mixminion (for email)
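Tor is listed above for "any TCP protocol", and the mechanism behind that is the SOCKS port tor exposes. As an added example (not from the talk or this page), the following builds and checks the SOCKS4a exchange a client speaks to tor; the hostname travels inside the request, so tor resolves it over the circuit and no local DNS query is sent for dnsspoof to answer. Assumptions: tor's SocksPort is at its default 127.0.0.1:9050, and the reply bytes used for checking are constructed, not captured.

```python
"""Added example (not from the original page): the SOCKS4a CONNECT
exchange that tor's SOCKS port accepts.  Assumes tor's default
SocksPort 127.0.0.1:9050; reply bytes in the checks are constructed."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)  # tor's default SocksPort (assumed)


def socks4a_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.x (a non-routable
    address that signals a hostname follows), USERID NUL, HOSTNAME NUL.
    Sending the name instead of an IP means the proxy (tor) resolves it,
    so nothing leaks to the local resolver."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    hostname = host.encode("idna")
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + hostname + b"\x00")


def parse_socks4_reply(reply: bytes) -> tuple:
    """Parse the 8-byte reply: VN=0, CD=90 granted, 91..93 rejected.
    Returns (granted, code, port, ip)."""
    if len(reply) != 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", reply)
    if vn != 0:
        raise ValueError("bad version byte in SOCKS4 reply")
    return cd == 90, cd, port, socket.inet_ntoa(ip)


def connect_via_tor(host: str, port: int, socks_addr=TOR_SOCKS) -> socket.socket:
    """Open a TCP connection to host:port through tor and return the socket.
    Needs a running tor; not exercised by the offline checks."""
    s = socket.create_connection(socks_addr, timeout=30)
    s.sendall(socks4a_request(host, port))
    granted, cd, _, _ = parse_socks4_reply(s.recv(8))
    if not granted:
        s.close()
        raise ConnectionError(f"tor rejected CONNECT, reply code {cd}")
    return s


if __name__ == "__main__":
    # Show the bytes on the wire for a request to an assumed host.
    print(socks4a_request("example.org", 80).hex())
    # Constructed reply: tor granted the CONNECT.
    print(parse_socks4_reply(b"\x00\x5a\x00\x00\x00\x00\x00\x00"))
```

After `connect_via_tor` returns, the socket is an ordinary TCP stream: speak POP3, IRC, or whatever the application protocol is over it. The protocol content is still as cleartext as before on the far side of the exit node, which is why tor belongs next to TLS and gnupg on this list rather than instead of them.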
Smartcard crypto USB sticks are becoming almost as cheap as normal USB flash drives (33 euro; ask on #debian.de, see http://lair.fifthhorseman.net/~dkg/egate/ and http://people.debian.org/~bod/)
Tools that you shouldn't use
- gpg-plugins for IRC & IM clients
- gmail (you should at least read the EULA)
- orkut (you should at least read the EULA)
HenningSprang has lots of comments:
where are the slides? (probably they make some of the following questions superfluous)
- it would be nice to add reasons WHY those tools shouldn't be used
- pointing to an IRC channel to find out where to buy hardware is interesting, but does not at all raise the probability that people reading this will be using such a device soon, because it's already very complicated to only find out where to buy such a device (especially for people not willing to use the cleartext IRC protocol)
- links to the programs mentioned above would be very helpful, a google search for "tor" doesn't seem to find anything connected with crypto or security at a first glance, and that's the only one i tested now.
- p.s.: what about using google? I think it can be considered harmful, also - apart from the risk that we lose lots of important information and the ways to important data if google were switched off today, we need an independent search engine of which we can make sure that it doesn't track who is searching for what to eventually sell that info to marketing or otherwise bad people
- hmm, encouraging to use encrypted jabber vs. NOT using gpg-plugins for jabber? ( /me uses gpg-plugin for jabber with a special key, why not?)
- contact to the author of this page would be also very cool, to ask further questions...
at least some info on the talk can be found at ?DebConf5Talks - the video is there: http://dc5video.debian.net/2005-07-16/Safer_Hex_in_Public-Holger_Levsen.mpeg
- last but not least: what can/should/must developers of free software do, to make it easier (say: VERY easy!, say: no additional work at all) for users to use encrypted and secure alternative solutions to get their work done? How can we get even more secure, yet flawlessly working, default configurations for our software?