Despite Google’s statement, they still have access to your wifi passwords

Posted July 19, 2013 in crypto mobile security

UPDATE: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.

Earlier this week Ars Technica covered a bug report I posted on the Android issue tracker about the “Backup and restore” feature not offering encrypted backups.

Because there’s no option to encrypt your backup data on your Android device with a passphrase that you set, Google has the capability to see the plaintext data, including all your saved wifi passwords. Google can then be compelled to give up this data (and any other user data that they store) to the US government when requested to do so.

Use Android? You’re Probably Giving Google All Your Wifi Passwords

Posted July 11, 2013 in crypto mobile security

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you log in to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Opportunistic Encryption to Combat Dragnet Surveillance

Posted June 29, 2013 in crypto https

The world is in shock and anger over recent revelations that NSA and GCHQ are conducting suspicionless spying on every human with an internet or phone network connection. One of the ways they’re spying on the entire internet is by tapping the underwater fiber-optic cables that connect the continents and parsing and logging the firehose of packets as they fly by.

If we want to keep what we do on the internet private, a good way to do that is to encrypt as much of our internet traffic as possible. End-to-end encryption is hard to do right for end users because identity verification is really, really hard to scale. It’s not practical for everyone who wants to visit an HTTPS website to meet in person and read out SHA1 fingerprints for SSL certs.

Swatting is Not the Same as Doxing

Posted May 9, 2013 in hackers

Update: KTVU has taken down the story.

Recently I was interviewed about “doxing” by KTVU, a Bay Area news station based in Oakland. Doxing is when someone publishes documents (“dox”) about someone to the internet. It’s usually full of mundane info that can be found in a phone book and with a Google search, but sometimes it also contains more sensitive information like the contents of personal emails, lists of passwords, etc.

I found out that the segment aired on TV last night when someone tweeted me asking if I really thought that “swatting” was protected by free speech laws. Swatting, I learned for the first time last night, is when someone dials 911 and reports something like a hostage situation or a terrorist bomb plot at someone else’s address in order to get a SWAT team to bust down their door.

sudo apt-get install torbrowser

Posted April 9, 2013 in tor crypto security

TL;DR: I wrote a piece of software called Tor Browser Launcher that downloads and auto-updates Tor Browser Bundle for you, in your language and for your architecture, and verifies signatures. I’d like help finding bugs before the initial release.

Over the years, Tor Project has done an amazing job at making Tor more user-friendly. In the past if you wanted anonymity you had to download and install Tor, maybe hand-edit your torrc file, and configure your browser to use a proxy server. You had to make sure that you didn’t have browser plugins like Flash or Java enabled that would compromise your anonymity. Eventually, this got easier when you could install the TorButton Firefox add-on, but even then you had to manually keep your own identity and your anonymous browsing separate.

How to Get a Tor Project T-Shirt For Less Than $65

Posted March 19, 2013 in tor

The Tor Project is awesome. It’s a network of volunteer proxy servers that make it possible for people to use the internet anonymously.

I decided to contribute to the Tor network by running my own exit node called gollum. I’m paying Gandi $16/month for a VPS in Paris, France. As of this writing the uptime on my Tor server is 69 days, 12 hours.

Bradley Manning's statement shows that US intelligence analysts are trained in using Tor

Posted March 12, 2013 in tor leaks

This morning I had the opportunity to help Freedom of the Press Foundation publish the full, previously unreleased audio recording of Bradley Manning’s statement to the military court in Ft. Meade about his motivations for leaking over 700,000 government documents to WikiLeaks.

In his statement Bradley Manning not only explains his motivation for leaking documents to WikiLeaks (he contacted the Washington Post and the New York Times first), but also technically how he went about doing it, including the software and protocols he used.

Using Gajim Instead of Pidgin for More Secure OTR Chat

Posted February 20, 2013 in crypto security

I’ve been using Pidgin as my chat client for many years. The one feature of Pidgin that I care about more than any other is that it supports Off-the-Record (OTR).

If you don’t know about OTR, it’s awesome. It lets you have end-to-end encrypted chat sessions with people so that only you and the person you’re chatting with can read the chat messages and all other parties—such as your chat server (often Google), your ISP, or anyone else eavesdropping on your—cannot. It also has cool features like forward secrecy that other cryptosystems like PGP don’t have. If you’ve ever been to a CryptoParty, setting up Pidgin and OTR and learning how to verify keys is always on the schedule.

Unity vs. Windows 8

Posted February 2, 2013 in linux

I posted this as a comment on my previous blog post, Why I’m Leaving Ubuntu for Debian. I decided it’s worth its own post though.

Mobile Location Anonymity: Proxying Twitter, IM, and Email through Tor on Android

Posted February 1, 2013 in crypto mobile tor

Each time your computer makes a connection to a server on the internet, you tell the remote server, as well as your ISP and every router in between, your IP address. If you’re using the internet on your phone you might be disclosing the IP of your 3G or 4G connection, or the IP of the wifi network you’re connected to.

If your phone checks for new emails or tweets every couple minutes, or keeps up a consistent connection to your instant messenger server, any of those services is almost definitely logging a history of your IP addresses.

This IP address data could be used to figure out your physical location over time. This is the information that New York City subpoenaed Twitter for, to get the private messages and IP addresses (read: location data) of Occupy protester Malcolm Harris.
