Wednesday, August 21, 2013

Update on Tor Post

I just want to mention, I added an update with some important information to my Tor post below, in case you missed it.

And I'll just leave a link to my Encrypt Your Email on Your Mac post because for some reason Google won't index it. Conspiracy???

Tuesday, August 20, 2013

Encrypt Your Email on Your Mac

After you're done Torifying, as described in my last post, the next step in securing your online life is email encryption. As it's now common knowledge that our emails are basically government property, you'll want some technology on your side to keep your emails private when they absolutely have to be. The technology is called PGP, or Pretty Good Privacy. Most people can install it to work with their email clients relatively painlessly, but for PowerPC users, there are a few hoops to jump through first.

You're gonna need to install GnuPG. GPGTools used to be the go-to people for distributing OS X binaries, but they stopped developing for PowerPC, so we're gonna have to compile it ourselves, which requires Xcode. You can then compile gnupg with MacPorts or Tigerbrew (see this Tigerbrew issue first), or roll your own following the easiest build instructions ever. Linux users can simply install gnupg with their package manager. Let me interject with a brief cautionary tale. If OS X users are thinking of installing gnupg2 instead, don't, unless you can work the command line to make gpg-agent play nice with Enigmail (UPDATE: Or maybe it's a pinentry problem. Hmmmm.). If you don't know what that means or don't care, stick with gnupg and you'll save yourself some serious hair-pulling.

Now that gnupg is nestled safe in one of our various /bins, it's time to start up our email client. This is where all of you are going to convert to Tenfourbird, you pissant holdouts, and use a client for grown-ups. You're gonna need the add-on Enigmail, but you can't install it the normal way 'cause it's not compiled for PowerPC. So you need to go to Tenfourbird's download page, pick up the Enigmail add-on for your processor, then install it by dragging it to Tenfourbird's Add-ons Manager (invoked by Tools --> Add-ons) or choosing "Install Add-on From File..." from the tool menu inside said Add-on Manager.

Linux users can simply install Enigmail with their package manager (I'm beginning to sense a pattern). If you're on Debian, you're using Icedove, and on Ubuntu it's Thunderbird, but Tenfourbird, Thunderbird, Icedove, they're all the same.

Now when you restart Tenfourbird, you'll see a new menu item, OpenPGP. This is where you create your public and private keys. You need one public key to share with your contacts and one private key to keep to yourself. Then you can start encrypting and decrypting like you're Julian Assange wanted by the world police. From the OpenPGP menu, select Preferences and make sure it's pointing to the correct gpg binary, whether it's in /opt/local/bin or /usr/local/bin or wherever. Close that, then from the OpenPGP menu, select Setup Wizard and from there it's pretty self-explanatory. By default it sets your keys to expire in five years, but you can change that later using gpg from the command line. In fact, you could do all this from the command line, which would give you a better understanding of how all this stuff works. Anyhow, once the Setup Wizard generates your keys, you should export them to a file for keeping in a safe place with OpenPGP --> Key Management and then right-clicking on your key and selecting Export Keys to File. It may also have been necessary to go into Tools --> Account Settings and select OpenPGP Security under your account to enable OpenPGP support, but I'm having a memory lapse.

In case of other memory lapses, check out this link and this one for more detailed instructions and with pictures, too. Of particular interest are how to exchange public keys and also how to revoke a key if you do something stupid like email your private key in an unencrypted attachment through a Gmail server (oops*).

Here I'll mention a few caveats. First, Tenfourbird had a GUI bug where the OpenPGP menu on the Compose window wouldn't show check marks by the "Encrypt Message" item after being selected, but the encrypt icon in the status bar illuminates and the "Encrypt Message" item in the main menu is correctly checked. So just be aware of that.

Also, Gmail users, or I guess IMAP users generally, will want to be very cautious of how your draft messages are saved. It should always prompt you to save a draft as encrypted, but if for some reason you hit the wrong button, your super-secret private message will end up unencrypted on a basically public server. Just to be safe, I have my client set to save all drafts locally like this (picture is of Tools --> Account Settings):

[Screenshot: Tenfourbird account settings]

Also, some general Tenfourbird performance tips: checking "Enable Global Search and Indexer" in Preferences --> Advanced --> General will slow performance as it's indexing, so you can uncheck it if you don't want it. And if you don't want to download all your IMAP messages locally, uncheck "Keep messages for this account on this computer" from Account Settings --> Synchronization & Storage.

What about Mail.app, you ask? There's an old GPG plug-in you can download from Mediafire. GPGTools just revamped their website and took it down literally days ago. The plug-in won't work with the gpg binary in /opt/local, so you'd need to compile it yourself into /usr/local. In that case, you may need to generate your keys from the command line as I don't see a way to generate them through the plug-in. There's more on that from this page last modified in 2009, meaning it's very unsupported and you should probably move on.

For users who prefer a web mail interface, there are a couple of Firefox add-ons. One is WebPG, which has "experimental" Gmail integration, and the other is Mailvelope, which is in alpha, so alpha that you have to compile it yourself. But they both look very promising for the future.

All that said, I'm really impressed with Tenfourbird. I'd always clung to Mail.app when I was just downloading from a POP account, but when I started spawning several Gmail addresses, I made the switch and it handles everything great, including encryption. And you can even torify it with Jacob Appelbaum's TorBirdy add-on. And if you ever want to suppress the user agent from email headers, GHacks has a page about it right here.

*Lucky it was just practice.

Sunday, August 11, 2013

Tor for Your PowerPC Mac

*UPDATE BELOW*

A while ago I wrote a post on Tor for Tiger, but since it's outdated it's time to update. In fact, I plan to follow this post with more privacy tips, including how to encrypt your email in Mail.app and TenFourBird. But for this post the focus will be on Tor.

Unless you've been under a rock, you know the NSA is collecting it all and seeking to keep permanent records of all your internet activity (cringe). While not alarming to most individuals in an immediate sense, just the awareness of all this cataloguing can have a chilling effect on how we think and act and can stifle a lot of the creativity and risk-taking that make a free society thrive. Unless you think East Germany was a model of creativity and innovation. Okay, they did use creative methods to win Olympic gold medals, but my larger point stands.

And it's not just the NSA. Many governments take a stalker's interest in what you're doing on the internet, and there are times when we need to protect ourselves. Case in point: bloggers. If you have something to say but are afraid of getting arrested (or sued), Tor will help you stay anonymous by running your traffic through proxies and masking your real identity, i.e. your IP address.

Normally the Tor Project recommends users download their browser bundle, which is the current Firefox ESR specially configured with Tor, but since they're no longer compiled for PowerPC, that puts us in a bit of a jam. Fortunately you don't need the bundle. You can just install Tor and configure your browser manually. On OS X you can install Tor with Tigerbrew or MacPorts. On Linux, just use apt-get or aptitude to install it.

For OS X, you start up Tor by entering tor in the terminal (you can also set it as a launch daemon on startup, though I've read tor has trouble regaining connections after OS X wakes from sleep). It'll give you a bunch of output messages as it establishes a connection, and once that's done, you can go to TenFourFox's Preferences-->Advanced-->Network and click the Settings button next to "Configure how TenFourFox connects to the internet". Select "Manual proxy configuration" (remember, to switch back click "Use system proxy settings") and for "SOCKS Host" enter 127.0.0.1 and 9050 for the port. Also, where it says "No Proxy for:" enter "localhost, 127.0.0.1".

[Screenshot: TenFourFox proxy settings]

Now you should be ready to browse anonymously, so go to https://check.torproject.org and it should say in bright green, "Congratulations. Your browser is configured to use Tor."

Good news, but it doesn't mean you're necessarily safe (see update below for additional information). There are certain precautions to take when using Tor, like running NoScript, which blocks all JavaScript by default. It was recently discovered that someone, presumably with the FBI or NSA, used a JavaScript hack to obtain Tor users' real IP addresses because they didn't have JavaScript disabled. That's fine for breaking up kiddie porn rings, but not so fine for the rest of us. So run NoScript. Also, do change your User Agent string. If it has Tiger or PPC in it, it'll make you stick out like a sore thumb. The default user agent for Tor Browser Bundle is currently "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0" and you can find how to change it in various browsers including Firefox here (or, more conveniently, there's the User Agent Switcher add-on). And one more thing: make sure Tor and your browser are updated.

On Linux, Tor automatically runs as a daemon after install, so you don't need to start it up in a terminal, but the TenFourFox instructions above apply to Iceweasel.

Also, you can set up OS X's Network Preferences to use Tor as a system-wide proxy for other applications by following steps 3 & 4 here, but I'm not sure how secure that is if the software we're talking about is no longer supported. You can torify TenFourBird by using the TorBirdy add-on instead.

Last thing I'll mention, if you don't want to use Tor all the time but want all your searches anonymous, one option is DuckDuckGo, but if you like Google better, there's Startpage. It gives you the same search results as Google, but it's done through a proxy so Google has no idea who you are. The plugin for your TenFourFox search bar is here, and many more search plugins are found here.

UPDATE: Apparently with the above TenFourFox/Iceweasel configuration, there is the threat of DNS leaks. The warning message is this:

[warn] Your application (using socks5 to port 443) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.

This can be corrected in TenFourFox and Iceweasel by going into about:config and changing network.proxy.socks_remote_dns to "true". This will force DNS requests through the proxy and the warning will disappear. You could alternatively install Privoxy and set it to use Socks4A like the warning recommends. This will protect you in applications other than your browser as well.
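What that preference changes on the wire, as an added example that is not part of the original post: with remote DNS off the browser looks up the name itself and hands Tor a bare IP in the SOCKS5 request, with it on the hostname travels inside the request. The function names and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import struct

def socks5_connect(target, port, remote_dns):
    """Build the SOCKS5 CONNECT request a browser sends to Tor on 9050.

    remote_dns=True  -> hostname goes to the proxy (ATYP 0x03).
    remote_dns=False -> the client already did its own DNS lookup and
                        sends only the resulting IPv4 address (ATYP 0x01).
    The method-negotiation greeting that precedes this message is omitted.
    """
    head = b"\x05\x01\x00"                      # VER=5, CMD=CONNECT, RSV
    if remote_dns:
        name = target.encode("ascii")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = b"\x01" + ipaddress.IPv4Address(target).packed
    return head + addr + struct.pack(">H", port)

def classify(request):
    """Return (protocol, destination, who_resolved) for a CONNECT request."""
    if request[0] == 5:
        atyp = request[3]
        if atyp == 3:                           # length-prefixed hostname
            n = request[4]
            return ("socks5", request[5:5 + n].decode("ascii"), "proxy")
        size = 4 if atyp == 1 else 16           # IPv4 or IPv6 literal
        return ("socks5", str(ipaddress.ip_address(request[4:4 + size])), "client")
    if request[0] == 4:
        raw_ip = request[4:8]
        fields = request[8:].split(b"\x00")     # [userid, hostname, ...]
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:   # SOCKS4a marker
            return ("socks4a", fields[1].decode("ascii"), "proxy")
        return ("socks4", str(ipaddress.IPv4Address(raw_ip)), "client")
    raise ValueError("not a SOCKS4/5 request")

def tor_would_warn(request):
    """True when Tor receives only an IP, the case its [warn] line reports."""
    return classify(request)[2] == "client"

if __name__ == "__main__":
    # Constructed samples: 203.0.113.10 is a documentation address, not the real host.
    leaky = socks5_connect("203.0.113.10", 443, remote_dns=False)
    fixed = socks5_connect("check.torproject.org", 443, remote_dns=True)
    for label, req in (("remote_dns=false", leaky), ("remote_dns=true", fixed)):
        print(label, req.hex(), classify(req), "warn" if tor_would_warn(req) else "ok")
```

The SOCKS4a branch covers the Privoxy route the warning suggests: the placeholder address 0.0.0.x tells the proxy to resolve the hostname that follows.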

Incidentally, to avoid having to change all these preferences between Tor and non-Tor sessions, you can create a second profile in TenFourFox for just your Tor preferences/add-ons. I experienced a bug in the GUI Profile Manager, so I created a new profile in the command line with this:

/Applications/TenFourFox7450.app/Contents/MacOS/firefox-bin -CreateProfile Tor

where Tor is the name of my new profile, and TenFourFox7450.app is the name of the app in my Applications folder (yours may be different depending on your processor type). Now I have two profiles to choose from, default and Tor. To choose which one at startup, enter in the command line:

/Applications/TenFourFox7450.app/Contents/MacOS/firefox-bin -p

to bring up the Profile Manager window. Uncheck the "Don't ask at startup" box and the Profile Manager will appear every time you start up TenFourFox, allowing you to choose.

There weren't any bugs in Iceweasel's Profile Manager, which you can simply invoke with iceweasel -p.
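A way to confirm that the separate Tor profile really carries the settings from this post, as an added example that is not from the original post: it reads the text of the profile's prefs.js and reports any proxy, remote-DNS or user-agent setting that is missing or different. The helper names and the sample file contents are constructed for illustration.

```python
import re

# Values this post sets for the Tor profile. prefs.js stores only non-default
# values, so a missing line means the browser default, which is none of these.
EXPECTED = {
    "network.proxy.type": 1,                 # 1 = "Manual proxy configuration"
    "network.proxy.socks": "127.0.0.1",
    "network.proxy.socks_port": 9050,
    "network.proxy.socks_remote_dns": True,  # hostnames go to Tor, no local DNS
}
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

def parse_prefs(text):
    """Turn user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue                         # comments, blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Return a list of problems; an empty list means the profile matches."""
    prefs = parse_prefs(text)
    problems = [f"{name}: expected {want!r}, found {prefs.get(name)!r}"
                for name, want in EXPECTED.items() if prefs.get(name) != want]
    ua = prefs.get("general.useragent.override", "")
    if not ua:
        problems.append("general.useragent.override: not set, real UA is sent")
    elif "PPC" in ua or "Tiger" in ua:
        problems.append("general.useragent.override: still names PPC/Tiger")
    return problems

# Constructed sample: the profile as configured before the DNS-leak update.
SAMPLE = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
'''

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print("FAIL", problem)
```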