|
Page 1 of 2 The military-led government of Bangladesh has taken unprecedented steps to snoop on the data and lives of citizens. Such snooping occurs without judicial intervention in most cases and at the whim of the government security apparatus. Netizens and pro-democracy hackers do have ways to circumvent snooping by authoritarian governments. I want to share some of their suggestions for Bangladesh’s besieged Internet users. Watchers and snoopersFirst, let’s analyze some of the known methods of government snooping (source: e-Bangladesh, October 3rd, which included a scanned copy of the Government order).  Part of the government order on ISPs to surrender private login information. Image by e-Bangladesh.org - Provide usernames, passwords and usage statistics of internet users
- Provide administrative access on internet gateway servers and facilitate “traffic-scanners”
Furthermore, RAB and police have conducted warrantless searches on specific users (demanding usernames, passwords, file access). Now these poor ISPs do not have much choice as many of them lease bandwidth from BTTB and are dependent on operating licenses from it. The courts under emergency laws are either unwilling to stand up to executive abuse or intimidated not to do such by the military. So, Internet users must treat both ISPs and government as snoopers or data pirates. At the individual level much can be done to prevent the government’s actions. 100% security is always very hard to achieve (if someone has a gun to your head and wants a password, logic dictates you should provide the password). However a few small steps can get us close to substantial security and privacy. The trick is to raise the threshold for a potential data pirate to cross – both in terms of cost and time. To prevent mass snooping, one has to raise the expense the government has to incur in order to do mass snooping – in other words make it computationally very expensive so that the government has to get very expensive computer equipment for mass spying on citizens. The government of Bangladesh has fiscal and technological limits on the kind of hardware and specialized services it can procure. We can leverage that weakness to formulate a multi-pronged strategy. Following are some simple but effective steps. File Security – Encrypted StorageFor sensitive files we can use a simple program like ccrypt (http://ccrypt.sourceforge.net) to encrypt files. Ccrypt uses 256-bit encryption, which is hard to crack. If our pirate government gets access to such an encrypted file they will have to spend some serious CPU power and specialized services to decrypt the file. Furthermore, such decryption will not be guaranteed (they will have to get lucky). File Security – Physical DeletionWhen a file is deleted in most cases it is logically deleted. The physical file still exists and recovery programs can recover the file. However, there are tools to physically delete files to make recovery very hard (useful if our army government seizes a computer or hard-drive). One such freely available tool is Eraser (http://sourceforge.net/projects/eraser/). If we delete sensitive files using it and schedule it to “erase” all “empty” segments of a hard-drive every week by default we will make it hard and costly for Bangladesh’s prying government to recover data. Email SecurityThere are two options here. Option 1: Instead of using our local ISP’s email account we should use Yahoo Mail or Google Mail or HushMail. We should always choose the SSL or HTTPS login method and make sure the URL/web-address starts with “https”. That way regardless of how much the pirate government wants, the ISPs will not be able to provide our web-mail username and password (because they will not know). If Outlook or Thunderbird (www.mozilla.com/thunderbird) like email client is used to retrieve Google/Yahoo Mail, we should make sure the program is set to retrieve email over SSL or HTTPs (in Outlook, the advanced tab on account settings has that option). Option 2: If local ISP’s email account is used then an email client like Thunderbird should be utilized that supports PGP (Pretty Good Privacy - http://en.wikipedia.org/wiki/Pretty_Good_Privacy). Directions to setup PGP with Thunderbird can be found at http://www.mozilla.org/support/thunderbird/faq#use_encrypt. Browser SecurityInternet browsers keep a lot of files and history on computers, even when they are shut down. But we can configure them to delete such files. For example on Mozilla Firefox (http://www.mozilla.com/en-US/firefox/) we can go to “Tools à Options à Privacy” and select the “always clear private data when I close Firefox” option. Combining with point b above will make it very hard for the government to access such history from hard drives. On Internet Explorer a similar option can be found “Tools à Internet Options à Delete browsing history”. Make sure you choose to delete all internet files, cookies and caches. Data Transfer SecuritySFTP or SCP (as opposed to regular FTP) should be used for transferring data between companies or organizations. We can download a free and popular client called “Putty” to do such transfers from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Please note that the server we are transferring the file to must also run an SSH/SFTP server (most linux/unix systems come with it, but for Windows free version can be downloaded from cygwin (http://www.cygwin.com/). Taking such steps will make it hard for the government to figure out the contents of the file even if they are snooping on the wire. Password SecurityThis step is the easiest. Every password should follow the following basic rules: - 8 characters in length atleast
- Has atleast one capitalized letter
- Has atleast one number
- Is changed atleast once every six months
Just by doing the above we will introduce 36^8 = 2821109907456 possible passwords for the government to try (they can reduce the number somewhat by using different decryption strategies, but it is still a large number of attempts to make which is computationally very expensive). Anonymous BrowsingThere are a few sites that allows anonymous surfing so that our ISP and government cannot know easily the sites we are browsing. A few such sites that aid anonymous browning are http://www.the-cloak.com, http://anon.inf.tu-dresden.de/index_en.html and www.anonymizer.com. Such tools are useful if one wants to post blogs or send messages while making it hard for the government to find out. The violation of rights Your computer in Bangladesh is shackled. The Internet on the other hand is a bastion of free thinking and expression. I hope the readers of this article will take some of these simple steps to make Internet surveillance not only costly but fruitless for dictators.
 About the author
|
