Qubes Tip: Opening links in your preferred AppVM

If you use Qubes like I do, you have many different AppVMs to compartmentalize different programs. You might have one VM for your email client, one for your jabber client, one for your password database. But if you click a link in any of these programs, it sure would be nice if that link opened in the browser VM of your choice. This isn’t all that hard to setup.

The command qvm-open-in-vm lets you open a document or a URL in another VM.

user@dev:~$ qvm-open-in-vm
Usage: /usr/bin/qvm-open-in-vm vmname filename

Continue reading

Usable Crypto Capture the Flag Challenge

Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.

If you’d like to give it a go, it’s live at https://usable-crypto.ctf.micahflee.com/. The plot for Enigma’s CTF was loosely based off of Cory Doctorow’s novel Little Brother. You’re an X-NET hacker fighting the surveillance state’s Department of National Security. You win when you capture the flag, which is a string of text that starts with “FLAG_” (but please don’t post it in the comments).

Grsecurity and PaX

Hardening Debian for the Desktop Using Grsecurity

I recently built a desktop system that I think is reasonably secure. It’s running Debian sid, also known as “unstable” — though in the Debian desktop world that just means you get to use the newest software. It’s just about as stable as “stable”, and besides, #yolo. It’s also running a grsecurity-patched Linux kernel and PaX, technologies that make Linux way more secure. Grsecurity protects you against memory corruption attacks, such as buffer overflows.

Last October I traveled to Moscow and interviewed Edward Snowden. Here’s one of the things he told me:

“Something that we haven’t seen that we need to see is a greater hardening of the overall kernels of every operating system through things like grsecurity, but unfortunately there’s a big usability gap between the capabilities that are out there, that are possible, and what is attainable for the average user.”

Since I just set up Debian with a grsec kernel, I figured I’d write a tutorial for how to do it. It’s still a long way before the average user can take advantage of this stuff – it breaks everything, and the user needs to learn how to diagnose and fix it themselves – but I think that it’s well within the capabilities of Linux nerds who are comfortable using a terminal. You can probably also follow along no matter what Linux distribution you’re using. Also, I’m fairly new to grsecurity myself, so if you have tips or suggestions, or if I got something wrong, please post in the comments.

Continue reading

Members of Arc Attack watch as lightning strikes a Faraday cage at Maker Faire 2012 held in San Mateo, California on May 19th, 2012.

Some Thoughts on Faraday Bags and Operational Security

I recently took a trip to Moscow to interview National Security Agency whistblower Edward Snowden about operational security. In the article I published on The Intercept, I mentioned that I used a faraday bag.

Our first meeting would be in the hotel lobby, and I arrived with all my important electronic gear in tow. I had powered down my smartphone and placed it in a “faraday bag” designed to block all radio emissions.

Since I published my interview, many people have asked me for more information about this faraday bag — which product did I get, what does it protect against, how does it work? So here are some quick thoughts on the topic.

Continue reading

GNU and Linux, the dynamic duo

Why I say Linux instead of GNU/Linux

I’ve been writing a computer security column for the Intercept. In most of my columns I mention Linux. Even when it’s not directly relevant (though it often is), most of my columns are in the form of tutorials, and I’d like my tutorials to be equally useful for Linux users as they are for Windows and Mac users.

For one thing, I love free and open source software. These projects are critical for security, privacy, and for the ability to tinker with and learn about your own computer. As the number of people who run free (as in speech) operating systems rise, so will the development resources that get poured into those operating systems until they “just work” at least as well as Windows and OS X do, so I talk about them every chance I get. Many of my readers already run free operating systems, and I would hate to leave them out.

After writing a column about how to communicate in secret while we’re all being watched, I got an email from Richard Stallman saying when I say Linux I clearly mean the GNU system, and he asked that I start referring to Linux distributions as GNU/Linux “so as to give us equal mention when you talk about our work.” And after writing my most recent column about how VMs can be used for isolation security, Stallman wrote a comment again saying that I mean “GNU and Linux” and asking that I give GNU equal mention. This is a really common point of view (though not at all a consensus) in the free software community, and one that I shared for a long time. But I’ve come to change my mind.

Continue reading

Transitioning PGP keys

I’m switching from my old key:

pub   4096R/EBA34B1C 2014-05-08 [expires: 2016-05-05]
      Key fingerprint = 0B14 9192 9806 5962 5470  0155 FD72 0AD9 EBA3 4B1C
uid                  Micah Lee <micah@micahflee.com>
uid                  Micah Lee <micah@firstlook.org>
uid                  Micah Lee <micah.lee@firstlook.org>
uid                  Micah Lee <micah.lee@theintercept.com>
uid                  Micah Lee <micah@pressfreedomfoundation.org>
uid                  Micah Lee <micah@freedom.press>
sub   4096R/64B1D8D1 2014-05-08 [expires: 2016-05-05]

to the following key:

pub   4096R/CD994F73 2015-08-14 [expires: 2016-08-13]
      Key fingerprint = 927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73
uid                  Micah Lee <micah@micahflee.com>
uid                  Micah Lee <micah@freedom.press>
uid                  Micah Lee <micah.lee@theintercept.com>
uid                  Micah Lee <micah@firstlook.org>
sub   4096R/5D5F1356 2015-08-14 [expires: 2016-08-13]

Here’s a copy of my new public key, and here’s a key transition statement that I signed with my old key.

Fact-checking Pando’s smears against Tor

Neil deGrasse Tyson is a badass

If you’ve been able to ignore Pando Daily’s 100% non-technical smear campaign against the Tor Project and its developers and supporters, you’re lucky, and you may wish to stop reading now. Otherwise, read on, and perhaps prepare to lose a few brain cells.

Yasha Levine’s “investigation” against Tor unveiled what’s already prominently displayed on Tor’s website: that it was designed by the Navy and that it receives a lot of federal funding, the bulk of which comes from the Department of Defense.

To be clear, talking about Tor’s government funding is a very important discussion to have. But Yasha didn’t discuss potential threats to Tor users’ anonymity that this funding might cause, nor what potential solutions would be. Instead, he implied that there’s some sort of conspiracy between Tor developers and the US government, and that the Tor network cannot be trusted, apparently oblivious that the decentralized and open nature of the Tor network and it’s codebase makes planting backdoors nearly impossible.

Continue reading

The Universe Believes in Encryption

Our universe is built out of mathematics. Humans have been learning, discovering, and using mathematics for thousands of years because it’s the only thing that can accurately describe what happens around us. The laws of physics are written in mathematics, and they cannot be broken.

One year ago today the Snowden revelations began. Since then there has been a flood of calls for reform. A federal judge called the NSA “almost Orwellian”. Congress and President Obama have admitted that bulk surveillance of Americans is wrong and should end. But so far we haven’t seen real reform in the US, and we might never see it. Even if the US does pass meaningful surveillance reforms the problem won’t be solved. There are billions of people all over the world that rely on the Internet, and their privacy will continue to get violated by governments around the world.

Continue reading