Virtual Private Networks

One useful method of increasing the security of your connections over the internet is to use a Virtual Private Network (VPN).

Many large companies and Government Departments use this technique to tunnel an encrypted session from a home or mobile laptop computer operating in an insecure public place (such as a public WiFi hotspot or cyber café) back to a corporate network, and then, via a corporate gateway, back out on to the internet.

Sometimes special client software is required, e.g. from Cisco; alternatively, vendor-neutral standards such as an SSL/TLS web page infrastructure or IPSec can be used.

SSL/TLS web page based systems do not usually require any extra software to be installed, only a standard web browser. They might need a Client Side Digital Certificate to be installed in the browser, but this is straightforward.

  • There are lots of Authentication and Encryption standards and algorithms associated with VPNs. Make sure that you disallow any configurable options which can negotiate weak or non-existent encryption between your client PC and the VPN server, e.g. "No encryption allowed..." or "Optional encryption..." etc., to ensure that your username and password or other credentials are never sent across the wire or by radio transmission unencrypted, in the clear.

  • Use strong encryption (at least a 128-bit key length), and/or a protocol which changes the encryption keys frequently, e.g. the modern industry standard 802.1X authentication and AES encryption.

  • For extra security, do not store or write down your password in your Network Connection / VPN client software configurations, but memorise it.

    Choose a Strong Password or passphrase. As with any other web based service, like web email, if your Commercial VPN supplier offers a "Forgotten Password", Password Recovery or Reset option, then make sure that the Answers to the Challenge / Response Questions are at least as strong as your actual password, e.g. if the Question is "What is your mother's maiden name?", you usually do not actually have to reply truthfully, or with a very short, easily guessed or easily cracked answer. US Vice-Presidential candidate Sarah Palin's Yahoo email accounts were illegally accessed in this way.

  • Remember to make sure that the Firewall software on your PC is aware of the new VPN IP address range, as you will be sidestepping your usual broadband Private Internet Address, e.g. 192.168.0.xxx or 192.168.1.xxx, and the built-in firewall on your ADSL broadband / WiFi router (or other corporate firewall) will no longer be protecting you from various internet probes, port scans and attempts to connect to your local PC's shared disk drives and peripherals etc.
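The first two bullets above boil down to a configuration check: nothing in the client's option file may leave weak or absent encryption, or a weak authentication method, on the negotiating table. The script below is an added example, not code from this blog post or from any VPN provider, and it audits a pppd "peers" options file of the kind a Linux PPTP client uses. The option keywords (require-mppe, require-mppe-128, nomppe, nomppe-40, nomppe-56, refuse-pap, refuse-chap, refuse-mschap) are real pppd options; the two sample files and the host name are constructed for illustration.

```python
"""Audit a pppd "peers" options file for settings that let a PPTP client
negotiate weak or no encryption, or a weak authentication method.

Added example, not code from the blog post or from any VPN provider.
The option keywords are real pppd options (ppp 2.4.x); the two sample
files below are constructed for illustration only.
"""

# Constructed: a typical client file that requires MPPE but still lets the
# server pick 40- or 56-bit keys, and leaves PAP/CHAP/MS-CHAPv1 available.
WEAK_PEER_FILE = """\
# Constructed sample, not a real provider configuration
pty "pptp vpn.example.invalid --nolaunchpppd"
name alice
remotename PPTP
require-mppe
noauth
persist
"""

# Constructed: the same file tightened so only 128-bit MPPE and MS-CHAPv2
# (or EAP) can be negotiated. 'noauth' stays: for a client it only means we
# do not demand that the server authenticate itself to us.
HARDENED_PEER_FILE = """\
pty "pptp vpn.example.invalid --nolaunchpppd"
name alice
remotename PPTP
require-mppe-128
refuse-pap
refuse-chap
refuse-mschap
noauth
persist
"""

# Methods a client should refuse so its credentials are never sent as
# cleartext (PAP) or via the weaker CHAP / MS-CHAPv1 exchanges.
REFUSE_WEAK_AUTH = ("refuse-pap", "refuse-chap", "refuse-mschap")


def parse_options(text):
    """Return the set of option keywords (first word of each non-comment line).

    Simplification: a '#' anywhere starts a comment, enough for typical files.
    """
    keywords = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            keywords.add(line.split()[0])
    return keywords


def audit(text):
    """Return a list of findings; empty means only strong settings can be negotiated."""
    opts = parse_options(text)
    findings = []

    # Encryption: anything short of 128-bit-only leaves weaker keys or no encryption possible.
    if "nomppe" in opts:
        findings.append("nomppe: MPPE disabled, the tunnel would carry traffic in the clear")
    elif "require-mppe-128" in opts or {"require-mppe", "nomppe-40", "nomppe-56"} <= opts:
        pass  # only 128-bit session keys are acceptable
    elif "require-mppe" in opts:
        findings.append("require-mppe without nomppe-40/nomppe-56: 40- or 56-bit keys acceptable")
    else:
        findings.append("encryption not required: server may negotiate an unencrypted link")

    # Authentication: each refuse-* keyword removes a weaker method from the negotiation.
    for keyword in REFUSE_WEAK_AUTH:
        if keyword not in opts:
            method = keyword.split("-", 1)[1].upper()
            findings.append(f"{keyword} missing: credentials may be sent via {method}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PEER_FILE), ("hardened", HARDENED_PEER_FILE)):
        print(f"{label}: {audit(text) or 'no findings'}")
```

Run against your own peers file with `audit(open(path).read())`; an empty result means the client can only complete the negotiation with 128-bit MPPE and MS-CHAPv2 or EAP, which is the "never in the clear" property the bullets ask for.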

There are third party commercial companies which offer such VPN services, for a fee.

From a whistleblower source protection point of view, any of these corporate or commercial VPN services can improve the security of your internet connections, but they rarely provide much extra anonymity, as there are usually extensive log files of time and date and IP address connections to the encrypted VPN service. There will also be IP address logging and restriction policies applicable to the corporate or government system's internet gateway.

Even the commercial VPN service providers in foreign countries, some of which claim to "delete log files", etc. are not necessarily to be trusted in this regard, especially if faced with heavy legal pressure from their local law enforcement or government authorities.

Connecting via a VPN over the public internet, through a high speed broadband connection, is often much faster than the use of the dedicated dial-in systems which corporate and government users have relied on for many years.

Commercial VPN services need to be paid for, and a Credit Card (or even PayPal) obviously leaves a financial audit trail back to the whistleblower or investigative journalist or blogger or political activist etc.

However, such VPN services do have their place in the arsenal of tools needed to frustrate today's snoopers, especially if the company and their VPN host servers are based overseas, a technique which has been useful to, say, Chinese activists trying to evade the Great Firewall of China state censorship.

Remember that VPNs can be used in combination with other techniques, e.g. the use of Tor onion routing or open proxy servers.

We welcome reviews of such VPN services, and will update this blog post with reasonable, offshore VPN service suggestions.

  • SwissVPN.net, which is based in Switzerland, i.e. neither in the UK, nor the EU, nor the USA, so snooping by the UK authorities might be possible, but is unlikely to be automatic, and will leave an audit trail.

    They offer a Microsoft PPTP (Point to Point Tunneling Protocol) VPN service, for which they charge about $5 a month (credit card or PayPal payment options).

    This has the advantage that the VPN client software is already built into most Microsoft Windows operating systems (and is also available for Apple and Linux), using Microsoft's MS-CHAPv2 (Challenge Handshake Authentication Protocol) authentication.

    Sometimes your internet connection's firewall may not allow the TCP port 1723 control connection and the IP protocol 47 packets needed for GRE (Generic Routing Encapsulation), but most recent home broadband routers or public WiFi hotspots etc. which have PPTP pass-through will usually allow this.

    Some broadband routers / firewalls / WiFi access points etc. allow this without displaying any user configurable options, so it is worth checking this initially with a test account, so as not to put your real username and password credentials at risk.

    SwissVPN.net also offer, through their own free downloadable client software (not yet available for Windows Vista), the more modern EAP-TLS (Extensible Authentication Protocol) authentication, which overcomes some of the potential authentication weaknesses of MS-CHAPv2, and is popular with many public and commercial WiFi hotspots.

    N.B. with either type of authentication the actual encryption of the SwissVPN.net tunnel will use 128-bit MPPE encryption (Microsoft Point-to-Point Encryption). "It uses the RSA RC4 encryption algorithm. MPPE supports 40-bit, 56-bit and 128-bit session keys, which are changed frequently to improve security. The exact frequency that the keys are changed is negotiated, but may be as frequent as every packet."

    The SwissVPN.net website includes screenshots of all of the required configuration settings, and even offers a free test account, to check if you can connect OK to their system before purchasing any online credit.

  • More VPN service suggestions or reviews are welcome
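Two of the firewall points above, the earlier bullet about making your PC's firewall aware of the new VPN address range and the PPTP pass-through note in the SwissVPN.net entry, can both be checked against a rule table before any real credentials are used. The following is an added example, not code from this blog post or from any router or VPN vendor: a small first-match rule evaluator that answers whether a rule set permits the PPTP control connection (TCP port 1723) plus GRE (IP protocol 47) in both directions, and which listening ports on the PC would accept connections from an address in the VPN range. The rule format, the rule sets and every address (192.168.0.0/24, 10.8.0.0/24, 203.0.113.5) are constructed for illustration.

```python
"""Evaluate a small firewall rule set for two questions about PPTP VPNs:
does the local firewall let PPTP through (TCP/1723 plus GRE, IP protocol
47), and does the PC's own firewall still shield file-sharing ports once
the PC also has an address in the VPN range?

Added example, not code from the blog post or from any router or VPN
vendor. The rule format, rule sets and addresses are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out", relative to the protected host/LAN
    proto: str                   # "tcp", "udp", "gre" or "any"
    port: Optional[int]          # destination port for tcp/udp; None matches any port
    src: ipaddress.IPv4Network   # source network the rule applies to


def rule(action, direction, proto, port, src):
    """Convenience constructor so rule sets read like a router's rule table."""
    return Rule(action, direction, proto, port, ipaddress.ip_network(src))


def decide(rules, direction, proto, port, src_addr):
    """First-match evaluation with an implicit final 'deny', as most firewalls do."""
    addr = ipaddress.ip_address(src_addr)
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if addr in r.src:
            return r.action
    return "deny"


def pptp_passthrough(rules, client_addr, server_addr):
    """PPTP needs the TCP/1723 control connection out plus GRE in both directions."""
    return {
        "tcp/1723 out": decide(rules, "out", "tcp", 1723, client_addr) == "allow",
        "gre out": decide(rules, "out", "gre", None, client_addr) == "allow",
        "gre in": decide(rules, "in", "gre", None, server_addr) == "allow",
    }


def exposed_services(rules, vpn_range, listening_ports):
    """Return the listening TCP ports an address inside the VPN range could reach."""
    probe = str(next(ipaddress.ip_network(vpn_range).hosts()))  # first usable address
    return [p for p in listening_ports
            if decide(rules, "in", "tcp", p, probe) == "allow"]


# Constructed: a home router that allows all outbound TCP but has no GRE rule,
# so the PPTP control channel connects and the tunnel then stalls.
HOME_ROUTER_NO_GRE = [
    rule("allow", "out", "tcp", None, "192.168.0.0/24"),
]

# Constructed: the same router with "PPTP pass-through", i.e. GRE permitted both ways.
HOME_ROUTER_PASSTHROUGH = HOME_ROUTER_NO_GRE + [
    rule("allow", "out", "gre", None, "192.168.0.0/24"),
    rule("allow", "in", "gre", None, "0.0.0.0/0"),
]

# Constructed: a PC firewall whose file-sharing exceptions are scoped to the home
# LAN. A VPN range such as 10.8.0.0/24 falls outside them, so nothing is exposed.
PC_FIREWALL_LAN_SCOPED = [
    rule("allow", "in", "tcp", 139, "192.168.0.0/24"),
    rule("allow", "in", "tcp", 445, "192.168.0.0/24"),
]

# Constructed: the same exceptions opened to "any" source, which exposes the
# shares to every other host reachable over the VPN.
PC_FIREWALL_ANY_SOURCE = [
    rule("allow", "in", "tcp", 139, "0.0.0.0/0"),
    rule("allow", "in", "tcp", 445, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(pptp_passthrough(HOME_ROUTER_NO_GRE, "192.168.0.10", "203.0.113.5"))
    print(pptp_passthrough(HOME_ROUTER_PASSTHROUGH, "192.168.0.10", "203.0.113.5"))
    print(exposed_services(PC_FIREWALL_LAN_SCOPED, "10.8.0.0/24", [139, 445, 3389]))
    print(exposed_services(PC_FIREWALL_ANY_SOURCE, "10.8.0.0/24", [139, 445, 3389]))
```

The first pair of results shows why a PPTP client can "connect" and then hang: the control connection on TCP/1723 succeeds while the GRE-carried data is dropped. The second pair shows the point of the earlier bullet: LAN-scoped exceptions do not cover the VPN range, whereas "any source" exceptions expose the same shares to everyone on the VPN side.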

About this blog

We know that there are decent, honest, trustworthy individual politicians, civil servants, law enforcement, intelligence agency personnel and broadcast, print and internet journalists etc., who often feel powerless or trapped in the system. They need the assistance of external, detailed, informed, public scrutiny to help them to resist deliberate or unthinking policies, which erode our freedoms and liberties.

Some of these people will, in the public interest, act as whistleblowers, and may try to leak documents or information to the mainstream media, or to political blog websites etc.

Here are some Spy Blog "Hints and Tips", giving some basic precautions and some more obscure technical tips, which whistleblowers, journalists and bloggers all need to be aware of in order to help preserve the anonymity of whistleblowing or other journalistic sources, especially in the United Kingdom, but applicable in other countries as well.

Whistleblower anonymity may not always be possible, or even necessary, forever into the future, but it is usually crucial during at least the early stages of a "leak", whilst it is being evaluated by others, to see if it merits wider publication and publicity.

Email & PGP Contact

Please feel free to email your views about this blog, or news about the issues it tries to comment on.

blog@spy[dot]org[dot]uk

Our PGP public encryption key is available for those correspondents who wish to send us news or information in confidence, and also for those of you who value your privacy, even if you have got nothing to hide.

Current PGP Key ID: 0xA165A29480CFAA4C which will expire on 6th September 2014

You can download a free copy of the PGP encryption software from www.pgpi.org
(available for most of the common computer operating systems, and also in various Open Source versions like GPG).

We look forward to the day when UK Government Legislation, Press Releases and Emails etc. are Digitally Signed so that we can be assured that they are not fakes. Trusting that the digitally signed content makes any sense, is another matter entirely.

Tor Hidden Service

In order to make censorship a little more difficult, a copy of this Hints and Tips for Whistleblowers guide is also being published as a Tor Hidden Service.

You will need to have installed the Tor software and established a working Tor connection, and then you will be able access this copy via end to end encryption and a high degree of anonymity through the Tor cloud:

http://r3lb3r3an7uj7bos.onion/

If you do not have Tor installed, you can still access this Hidden Service via the tor2web.org proxy: https://r3lb3r3an7uj7bos.tor2web.org/ still with encryption, but without as much anonymity.

Convention on Modern Liberty - 28th Feb 2009

The Convention is being held in the Logan Hall and adjoining rooms at the Institute of Education in Bloomsbury, central London.

Address:

The Institute of Education
20 Bedford Way
London
WC1H 0AL

There are video linked screenings or other parallel meetings being held across the UK in Belfast, Bristol, Cambridge, Cardiff and Manchester.

Convention on Modern Liberty blog

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Open Rights Group

Renew For Freedom - renew your Passport in the Summer / Autumn of 2006.

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

Amnesty International's irrepressible.info campaign

BlogSafer - wiki with multilingual guides to anonymous blogging

NGO in a box - Security Edition privacy and security software tools

Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

Reporters Without Borders - Reporters Sans Frontières - campaign for journalists' and bloggers' freedom in repressive countries and war zones.

Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

Wikileaks.org - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.

Public Concern at Work - "(PCaW) is the independent authority on public interest whistleblowing. Established as a charity in 1993 following a series of scandals and disasters, PCaW has played a leading role in putting whistleblowing on the governance agenda and in developing legislation in the UK and abroad. All our work is informed by the free advice we offer to people with whistleblowing dilemmas and the professional support we provide to enlightened organisations."