|How to Beat Internet Tapping in Bangladesh|
|By Ariana Ahmed|
|Monday, 14 January 2008|
Page 1 of 2
The military-led government of Bangladesh has taken unprecedented steps to snoop on the data and lives of citizens. Such snooping occurs without judicial intervention in most cases and at the whim of the government security apparatus. Netizens and pro-democracy hackers do have ways to circumvent snooping by authoritarian governments. I want to share some of their suggestions for Bangladesh’s besieged Internet users.
Watchers and snoopers
First, let’s analyze some of the known methods of government snooping (source: e-Bangladesh, October 3rd, which included a scanned copy of the Government order).
“RAB and Bangladesh Telecom Regulatory Commission (BTRC) have instructed all 72 Internet Service Providers (ISPs) to
Furthermore, RAB and police have conducted warrantless searches on specific users (demanding usernames, passwords, file access).
Now these poor ISPs do not have much choice as many of them lease bandwidth from BTTB and are dependent on operating licenses from it. The courts under emergency laws are either unwilling to stand up to executive abuse or intimidated not to do such by the military. So, Internet users must treat both ISPs and government as snoopers or data pirates.
At the individual level much can be done to prevent the government’s actions. 100% security is always very hard to achieve (if someone has a gun to your head and wants a password, logic dictates you should provide the password). However a few small steps can get us close to substantial security and privacy. The trick is to raise the threshold for a potential data pirate to cross – both in terms of cost and time. To prevent mass snooping, one has to raise the expense the government has to incur in order to do mass snooping – in other words make it computationally very expensive so that the government has to get very expensive computer equipment for mass spying on citizens. The government of Bangladesh has fiscal and technological limits on the kind of hardware and specialized services it can procure. We can leverage that weakness to formulate a multi-pronged strategy. Following are some simple but effective steps.
File Security – Encrypted Storage
For sensitive files we can use a simple program like ccrypt (http://ccrypt.sourceforge.net) to encrypt files. Ccrypt uses 256-bit encryption, which is hard to crack. If our pirate government gets access to such an encrypted file they will have to spend some serious CPU power and specialized services to decrypt the file. Furthermore, such decryption will not be guaranteed (they will have to get lucky).
File Security – Physical Deletion
When a file is deleted in most cases it is logically deleted. The physical file still exists and recovery programs can recover the file. However, there are tools to physically delete files to make recovery very hard (useful if our army government seizes a computer or hard-drive). One such freely available tool is Eraser (http://sourceforge.net/projects/eraser/). If we delete sensitive files using it and schedule it to “erase” all “empty” segments of a hard-drive every week by default we will make it hard and costly for Bangladesh’s prying government to recover data.
There are two options here.
Option 1: Instead of using our local ISP’s email account we should use Yahoo Mail or Google Mail or HushMail. We should always choose the SSL or HTTPS login method and make sure the URL/web-address starts with “https”. That way regardless of how much the pirate government wants, the ISPs will not be able to provide our web-mail username and password (because they will not know). If Outlook or Thunderbird (www.mozilla.com/thunderbird) like email client is used to retrieve Google/Yahoo Mail, we should make sure the program is set to retrieve email over SSL or HTTPs (in Outlook, the advanced tab on account settings has that option).
Option 2: If local ISP’s email account is used then an email client like Thunderbird should be utilized that supports PGP (Pretty Good Privacy - http://en.wikipedia.org/wiki/Pretty_Good_Privacy). Directions to setup PGP with Thunderbird can be found at http://www.mozilla.org/support/thunderbird/faq#use_encrypt.
Internet browsers keep a lot of files and history on computers, even when they are shut down. But we can configure them to delete such files. For example on Mozilla Firefox (http://www.mozilla.com/en-US/firefox/) we can go to “Tools à Options à Privacy” and select the “always clear private data when I close Firefox” option. Combining with point b above will make it very hard for the government to access such history from hard drives. On Internet Explorer a similar option can be found “Tools à Internet Options à Delete browsing history”. Make sure you choose to delete all internet files, cookies and caches.
Data Transfer Security
SFTP or SCP (as opposed to regular FTP) should be used for transferring data between companies or organizations. We can download a free and popular client called “Putty” to do such transfers from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Please note that the server we are transferring the file to must also run an SSH/SFTP server (most linux/unix systems come with it, but for Windows free version can be downloaded from cygwin (http://www.cygwin.com/). Taking such steps will make it hard for the government to figure out the contents of the file even if they are snooping on the wire.
This step is the easiest. Every password should follow the following basic rules:
Just by doing the above we will introduce 36^8 = 2821109907456 possible passwords for the government to try (they can reduce the number somewhat by using different decryption strategies, but it is still a large number of attempts to make which is computationally very expensive).
There are a few sites that allows anonymous surfing so that our ISP and government cannot know easily the sites we are browsing. A few such sites that aid anonymous browning are http://www.the-cloak.com, http://anon.inf.tu-dresden.de/index_en.html and www.anonymizer.com. Such tools are useful if one wants to post blogs or send messages while making it hard for the government to find out.
The violation of rights
Why do we have to do all this? The reason is simple. Our military-led government has shown much disregard for free speech and free thought. The Press have been beaten and intimidated many times, editors of newspapers have been lined up on the appropriateness of stories, some types of policy discussions - hence political discussions - are not allowed. Fundamental rights of thought and expression have been suspended for one year already. Surveillance is very important to the survival of an authoritarian government as it is the first step that’s needed to silence thought and speech.
The Internet on the other hand is a bastion of free thinking and expression. I hope the readers of this article will take some of these simple steps to make Internet surveillance not only costly but fruitless for dictators.