Archive for August, 2009

IAPS Security Store New VPN Locations

Hello Folks,

As part of the largest expansion the IAPS Security Store has ever released, we are proud to add the following countries to our list of service areas effective immediately:

Ireland
Belgium
France
Italy
Spain
Poland
Denmark

The addition of these new countries marks a new era for the IAPS Security Store as one of the largest privately owned and operated security providers on the internet today. With investments totaling over $150,000 U.S. dollars in machines, man hours, technical support personnel, and network availability, we have the capacity to serve a wider global clientele and can meet even the roughest demands.

Whether you're into offshore gaming, online private trading, looking to watch streaming media from abroad, or are restricted by your ISP, government, university, or employer for what and where you can go on the internet, the IAPS Security Store has a solution for you.

All new locations have been started out with a 25% off introductory rate. Once you’ve seen the power of these new networks, we hope to have you aboard for a long time to come.

For the many of you that have been asking me for ages to provide an Irish server, I have now answered this request and all the Irish streaming media awaits you to start viewing it.

I have looked into the French, Spanish, and Belgian services offered by Zattoo. France and Spain do require paid subscriptions to view that media. This is not a fee imposed by IAPS, but rather directly by the creators of Zattoo themselves. Zattoo in Belgium is no longer offered at all. Zattoo’s free locations are still in the United Kingdom, Germany, and Switzerland as far as I am aware. I will check on the Denmark version and post an update on my blog whether it’s still free or not. Or you can simply reply to this email and ask what the results were.

If you want to know if a particular streaming media site works before you purchase it, please let me know so I can go test it. I know of a great many of them, but not all of them. So I’d be happy to accommodate checking into sites that you’d like to be able to view.

If you are in the Middle East, such as Qatar, Bahrain, Saudi Arabia, or United Arab Emirates etc., and cannot reach our site to place your order (Middle Eastern governments are not IAPS friendly for some strange reason), please send a reply email directly to staff (at) intl-alliance.com and we will provide an alternative ordering solution for you.

For those of you who use it and are not aware, we do accept Liberty Reserve and Pecunix digital gold currency as a payment option. Money Bookers is also an option. We are considering several other payment options but are open to suggestions from the public as to payment providers who would be more convenient to you. If you have any questions, comments, or need to know if something works or not, please let us know accordingly. Thank you.


An Eye-Opener: Crypto City, MD United States

NSA Entrance Sign

Who are our masters of surveillance today? Most are located at the National Security Agency, the giant “Crypto City” complex located off Interstate 95 between Washington and Baltimore. The agency vacuums up 650 million intercepts a day — called signals intelligence, or sigint — from satellites, ground stations, aircraft, ships and submarines around the world.

Crypto NSA Aerial View

The NSA conducts broad-based surveillance indiscriminately over communications lines that few bad guys even use any longer. “Big Noddy,” as those in the know call the NSA’s vast “Ear in the Sky,” has capabilities that dwarf the Bletchley Park World War II enterprise, but it isn’t picking up much because the smartest terrorist groups have long since stopped talking about their plans over cell phones or land lines — or to the extent they do, it’s probably to plant disinformation. Today the challenge isn’t decoding an intercepted message from a known enemy; instead it’s figuring out what is and isn’t a message and who the enemy is.

Overhead view of Crypto Complex

Hidden behind tall earthen berms and thick forest trees halfway between Washington and Baltimore is a dark and mysterious place, virtually unknown to the outside world. Nicknamed Crypto City, it is protected from outsiders by a labyrinth of barbed wire fences, massive boulders placed close together, motion detectors, hydraulic anti-truck devices, and thick cement barriers. Should a threat be detected, commandos dressed in black paramilitary uniforms, wearing special headgear and brandishing an assortment of weapons including Colt 9mm submachine guns stand guard. They are known as the “Men-in-Black.” Telephoto surveillance cameras peer down, armed police patrol the boundaries, and bright yellow signs warn against taking any photographs or making so much as a note or a simple sketch, under the penalties of the Internal Security Act. What lies beyond is a city unlike any other place on earth, one that contains what is probably the largest body of secrets ever created. It is the home of America’s ultrasecret National Security Agency, responsible for eavesdropping on the world and breaking virtually impossible foreign code and cipher systems.

Made up of more than sixty office buildings, warehouses, factories, laboratories, and living quarters, it is a place where tens of thousands of people work in absolute secrecy. Most will live and die never having told their spouses exactly what they do. The secret community is also home to the largest collection of hyper-powerful computers, advanced mathematicians and skilled language experts on the planet. Within the city, time is measured in femtoseconds—one million billionth of a second, and scientists work in secret to develop computers capable of performing more than one septillion (1,000,000,000,000,000,000,000,000) operations every second.


IAPS Adds France As New Service Location

Folks, it took a bit but we’ve finally added France as our newest location to date. We are pleased to offer this location to the many visitors and clients that have aggressively requested this location. Whether you’re into games, media, offshore privacy-minded, or just like to appear to be located in another country, then this is an excellent service for you. IAPS is offering both French TV Packages as well as French Virtual Private Networks (VPN) for this location.


Forum Upgrade & Added Functionality

Hi Folks, I just wanted to let you all know that I’m currently updating the forum area and adding new functionality over the next 6 hours. When you arrive the board may be down for maintenance, may not work correctly, or may appear to have errors. These issues will be cleared when I am done with the upgrade and the new features I have planned for the forum area. Thank you for your time and patience.


New British & Swiss Channels Added

Hi Folks, the following new Swiss channels have been added to the live streams from the Zattoo client:

Eins Plus
Eins Extra
Eins Festival
ZDF Infokanal
ZDF Docukanal
ZDF Theaterkanal

The following channels are also available for the British version of the Zattoo client:

BBC One Northern Ireland
BBC One Scotland
BBC One Wales
BBC Two Northern Ireland
BBC Two Scotland
BBC Two Wales
ITV Wales
STV
Ulster TV

Enjoy these additions.


The Truth – Like It Or Not (Jared’s Personal Rant)

The below article was something I wrote over a year ago for this site and a topic very much relative to today’s world. Enjoy the article and I’m happy to hear any comments you may have regarding it.

_____________________________________________________________________

Date: Sunday June 15, 2008
Author: Jared T.
Organization: International Alliance Privacy Services

This may become quite a large article, but it will cover many topics I have been meaning to write about for quite some time now. This article will focus on discerning the truth from lies, fact from fiction. Sit back and enjoy the article.

Looking around the internet, I see many websites in the “privacy” business making claims that are just flat out impossible to be true. I have seen claims of such high encryption levels, ultimate protection that not even Satan himself could penetrate. Yet as I see where the claims are coming from, most of them are United States based claims. As all who are internet wise, we know that the United States is pro-censorship and that the omni-present National Security Agency is ever present in as many places as possible. Many years ago the NSA had 17 acres of under-ground super computers to monitor national and international communications. Do you know how many super computers make up 17 acres of land? There must not be much soil left under Fort Meade, Maryland where the home of the NSA resides. Now what do you think they are doing nowadays with quadruple the amount of resources and black-ops funding? Let’s also add non-congressional oversight.

Some of you might remember the press news articles and media attention received over U.S. President George Bush’s policy of illegal wire tapping. However, most of you didn’t hear that AT&T was one of the biggest data pushers of its clients’ data right into the hands of the NSA. (source # 1) (Mark Klein – Former AT&T Technician) (source # 2) Although this situation was brought to national and international attention, do you think it really stopped anything? Yes, all you SBC internet users who are now AT&T clients can rest assured that you have absolutely no internet privacy either now or in the future. But do you think it really ends there? Nope.

Now we are not only going to focus on insecurity in the United States. There are more countries than you might think engaged in this practice. We will hit on those countries soon enough. The next biggest lie we came across was the boasting of a 100% up time. Now looking at this situation a bit closer, we see how and why they can make such a claim: if you have 7 servers and 3 are down and 4 are up, then you can claim a 100% up time. That’s the basic philosophy of many in the privacy business. Now how is this an accurate or a fair assessment of their ability to keep their servers up? It’s not, and it’s an outright lie. A further analysis of these same providers is that most, if not all, of their servers are located in only one country such as the United States where privacy is non-existent and they, or their data centers, can be made/forced to give up their client data or have their servers physically confiscated at any time. Our data also shows that many of these organizations do not have actual hard drive encryption on their servers which means if the law does come and take them, guess what? Your activities are going to be laid out on a silver platter for the NSA/FBI/DIA/DEA/ICE/NRA/IRS/CIA or any of the other 3 letter agencies (TLA) I may not be thinking about at the moment.

But it’s not encryption alone that can save your hide. It is a well known fact that the NSA only makes contributions to the cryptographic world when they can crack the encryption before it’s released to the unsuspecting public. (source # 3) It is also a known fact that Microsoft and the NSA have collaborated and Microsoft has implanted NSA decryption keys in all its versions of the Microsoft Windows operating systems. (source # 4) (source # 5) With this knowledge in mind, how does the U.S. Government claim democracy when they have trap doors built into all Microsoft operating systems, most of the popular firewalls in use today, and they can crack your encryption keys with pretty much ease? (source # 6) This leaves the never answered question: why does the U.S. Government reserve the right to walk into the back doors of any computer it wishes world-wide? Who made them the gate keeper?

This brings me back on point here: for those of you on U.S. based “privacy servers” who are under the impression that you are completely safe and untouchable, think again. You can, and probably are, monitored all the time by the flow of data re-routed to the NSA or its affiliates. Simply put, U.S. networks are simply not safe. Bearing this in mind, you do not have to be a criminal to want your privacy while you are online. You may be a priest that likes a little porn now and then and want that secret kept a secret. Why should any government be allowed to take that privacy from you? It’s my opinion that this is something that should not be allowed. Another example is if you are in a highly competitive and volatile business and have the edge on your product/service and the U.S. Government thinks they have the right to know what’s on your computer even though you have not broken any laws. Again, how can you call yourselves a democratic government if your # 1 goal is to spy on every possible person you can?

Ok, getting back on topic here: another tactic used by so-called privacy organizations is through the use of “free” software. How do you know that the software they have you use is not already tainted before you get it? What if it contains a back door scripted in by either the software maker, or in cooperation with the government? If it’s proprietary software, you don’t know. So how do you really know what the software is actually doing? 99.9999% of all people that download IP changing programs have absolutely no clue how these programs work and where security vulnerabilities exist. Many of the “one click solution” people are happy if it just works. They don’t care how it works, as long as it does and as long as it’s not too complicated for them. So with this theory in mind, why bother? If you want to conceal your online identity, don’t you want to at least know how a program works or what you are installing on your computer? Surprisingly, most people don’t care, which is just a sad example of how the world works.

The software utilized by us, International Alliance Privacy Services, is simply one program. This is an open source program released to the general public which is provided absolutely free of charge. It was not written or produced by any of our staff. Open source software is maintained by the general public that participates in the development of a project or design of a program. Open source means that the program is not proprietary and can be easily taken apart and looked at for what’s under the hood and exactly how it works. This is the destiny we believe in and the methods we use to really protect your privacy are top notch. We despise the use of exploitable software based on Java, which is why we simply will not use it. We believe in gaining the general public’s trust by showing you exactly how we secure your privacy. We write technical/security articles for your understanding and benefit. We owe our success to you, the reader, so why not further educate you all in the same process? Even if you choose not to use our services, at least you will be armed with the right knowledge and will know what to look for when choosing the right privacy organization to meet your needs.

Another unacceptable practice we have seen from other privacy organizations is that their servers are all marked with easily identifiable host names. Now if you are using the services of a privacy organization with servers that are shouting “I’m a proxy server and I belong to so & so” how is this protecting you? Anyone who looks at the host name is automatically going to consider blocking/banning you right from the get go. International Alliance Privacy Services does not believe in this practice. All of our servers are only identifiable as code names and do not declare they are part of our networks or part of our family of domain names. We give all of our servers general names that do not call attention to themselves. We believe that if you choose to use our services, why would we put you on a server that screams “proxy!” and leads right back to us? That’s not how we operate.

One of the final topics that seem to lure potential clients in is through the usage of exotic places to have servers in. Just because a privacy organization may have servers in exotic locations or a few islands, how do you know if they are safe? Did you stop to think about the treaties those countries might have with other countries? What about data retention laws as specified by the governments of those exotic places? One particular place frequently mentioned among privacy organizations is the country of Panama. What these organizations fail to mention in their sales pitch is that Panama has treaties with the United States for sharing information. Basically put, hosting a server in Panama is no different than hosting it in the United States. Safe? Not likely.

In conclusion, we hope that you have learned something. If not much, at least something that you can use to help you make a better informed decision now or in the near future. We are always open to your questions or comments and critique of any documents/articles written by International Alliance Privacy Services. If you have questions, please ask instead of assuming! It’s better to know and receive, than not to ask and just assume. When making the decision to use a privacy organization, I hope this small article helps you out. Thank you.


An Overview of TLSv1 (Transport Layer Security Version 1)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Transport Layer end-to-end.

Several versions of the protocols are in wide-spread use in applications like web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality over the Internet using cryptography.

In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client knows the server’s identity), but not vice versa (the client remains unauthenticated or anonymous). More strictly speaking, server authentication means different things to the browser (software) and to the end-user (human). At the browser level, it only means that the browser has validated the server’s certificate, i.e. checked the digital signatures of the server certificate’s issuing CA-chain (chain of Certification Authorities that guarantee bindings of identification information to public keys; see public key infrastructure (PKI)).

Once validated, the browser is justified in displaying a security icon (such as “closed padlock”). But mere validation does NOT “identify” the server to the end-user. For true identification, it is incumbent on the end-user to be diligent in scrutinizing the identification information contained in the server’s certificate (and indeed its whole issuing CA-chain). This is the only way for the end-user to know the “identity” of the server.

In particular: the “locked padlock” icon has no relationship to the URL, DNS name or IP address of the server – thinking otherwise is a common misconception. Such a binding can only be securely established if the URL, name or address is specified in the server’s certificate itself. Malicious websites can’t use the valid certificate of another website because they have no means to encrypt the transmission such that it can be decrypted with the valid certificate. Since only a trusted CA can embed a URL in the certificate, this ensures that checking the apparent URL with the URL specified in the certificate is a valid way of identifying the true site. Misunderstanding this subtlety makes it very difficult for end-users to properly assess the security of web browsing (though this is not a shortcoming of the TLS protocol itself — it’s a shortcoming of PKI).

TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which both ends of the “conversation” can be assured with whom they are communicating (provided they diligently scrutinize the identity information in the other party’s certificate). This is known as mutual authentication. Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the end-user/browser scenario). Unless, that is, TLS-PSK, the Secure Remote Password (SRP) protocol, or some other protocol is used that can provide strong mutual authentication in the absence of certificates.

TLS involves three basic phases:

1. Peer negotiation for algorithm support
2. Key exchange and authentication
3. Symmetric cipher encryption and message authentication

During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, as well as the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or as in TLS-PSK preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction for TLS, and a non-standard pseudorandom function for SSL.

Typical algorithms are:

* For key exchange: RSA, Diffie-Hellman, ECDH, SRP, PSK
* For authentication: RSA, DSA, ECDSA
* Symmetric ciphers: RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.
* For cryptographic hash function: HMAC-MD5 or HMAC-SHA are used for TLS, MD5 and SHA for SSL, while older versions of SSL also used MD2 and MD4.

Typically, the key information and certificates necessary for TLS are handled in the form of X.509 certificates, which define required fields and data formats.

History and Development:

Early research efforts toward transport layer security included the Secure Network Programming (SNP) API, which in 1993 explored the approach of having a secure transport layer API closely resembling sockets, to facilitate retrofitting preexisting network applications with security measures. The SNP project received the 2004 ACM Software System Award.

The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but “contained a number of security flaws which ultimately led to the design of SSL version 3.0”, which was released in 1996. This later served as the basis for TLS version 1.0, an Internet Engineering Task Force (IETF) standard protocol first defined in RFC 2246 in January 1999. Visa, MasterCard, American Express and many leading financial institutions have endorsed SSL for commerce over the Internet.

SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility and negotiation between peers.

Security:

TLS/SSL have a variety of security measures:

* The client may use the certificate authority’s (CA’s) public key to validate the CA’s digital signature on the server certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate issued by a trusted CA.

* The client verifies that the issuing CA is on its list of trusted CAs.

* The client checks the server’s certificate validity period. The authentication process stops if the current date and time fall outside of the validity period.

* Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.

* Numbering all the Application records with a sequence number, and using this sequence number in the message authentication codes (MACs).

* Using a message digest enhanced with a key (so only a key-holder can check the MAC). This is specified in RFC 2104. TLS only.

* The message that ends the handshake (“Finished”) sends a hash of all the exchanged handshake messages seen by both parties.

* The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm (MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these algorithms is found to be vulnerable. TLS only.

* SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication. Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to man-in-the-middle attacks.

How It Works:

A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this handshake, the client and server agree on various parameters used to establish the connection’s security:

* The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and presents a list of supported ciphers and hash functions.

* From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.

* The server sends back its identification in the form of a digital certificate. The certificate usually contains the server name, the trusted certificate authority (CA), and the server’s public encryption key.

* The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the certificate is authentic before proceeding.

* In order to generate the session keys used for the secure connection, the client encrypts a random number (RN) with the server’s public key (PbK), and sends the result to the server. Only the server can decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after decryption of the client’s message) RN. A third party may only know PbK, unless PvK has been compromised.

* From the random number, both parties generate key material for encryption and decryption.

This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails, and the connection is not created.
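The key-material step of the handshake and the sequence-numbered, keyed MAC from the Security list can be seen working together in the following added example, which is not part of the original post. It follows RFC 2246, where the PRF splits the secret into two halves (one expanded with HMAC-MD5, one with HMAC-SHA-1) and XORs the two streams into key material, and where each record MAC is an HMAC over the sequence number, record header and data; the AES-128-CBC/SHA-1 key-block layout and all sample values are constructed assumptions.

```python
import hmac
import struct


def p_hash(hash_name, secret, seed, length):
    """P_hash (RFC 2246, section 5): expand secret+seed to `length` bytes."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed)."""
    half = (len(secret) + 1) // 2           # odd-length secrets share the middle byte
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha_stream))


def derive_keys(pre_master, client_random, server_random):
    """Turn the client's random pre-master secret into per-direction keys."""
    master = tls10_prf(pre_master, b"master secret",
                       client_random + server_random, 48)
    # Assumed suite layout: 20-byte SHA-1 MAC secrets, 16-byte AES keys and IVs.
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [20, 20, 16, 16, 16, 16]
    block = tls10_prf(master, b"key expansion",
                      server_random + client_random, sum(sizes))
    keys, offset = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


def record_mac(mac_secret, seq_num, content_type, fragment, version=(3, 1)):
    """HMAC-SHA1 over seq_num || type || version || length || fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, "sha1").digest()


class RecordReceiver:
    """Verifies each record against the sequence number it expects next."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq = 0

    def accept(self, content_type, fragment, mac):
        expected = record_mac(self.mac_secret, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            return False                    # a real peer aborts with bad_record_mac
        self.seq += 1
        return True


def demo():
    # Constructed sample values, not captured traffic.
    pre_master = bytes([3, 1]) + bytes(range(46))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    client = derive_keys(pre_master, client_random, server_random)
    server = derive_keys(pre_master, client_random, server_random)

    app_data = 23                           # ContentType application_data
    rec0 = b"GET / HTTP/1.0\r\n"
    rec1 = b"Host: example.test\r\n\r\n"
    mac0 = record_mac(client["client_write_mac"], 0, app_data, rec0)
    mac1 = record_mac(client["client_write_mac"], 1, app_data, rec1)

    rx = RecordReceiver(server["client_write_mac"])
    return {
        "same_keys": client == server,
        "in_order": rx.accept(app_data, rec0, mac0),
        "replayed": rx.accept(app_data, rec0, mac0),     # old sequence number
        "next": rx.accept(app_data, rec1, mac1),
        "tampered": rx.accept(app_data, b"tampered data", mac1),
    }


if __name__ == "__main__":
    print(demo())
```

A replayed or modified record fails verification because the receiver computes the MAC over the sequence number it expects next, not one carried in the record.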

Government-imposed Protocol Limitations:

Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the export of cryptographic technology. After several years of public controversy, a series of lawsuits, and eventual US government recognition of cryptographic products with longer key sizes produced outside the US, the authorities relaxed some aspects of the export restrictions.


IAPS Eagle U.S. Server

Hi Folks, hope all is well with you and yours. I just wanted to let you know we have replaced the network card on the IAPS Eagle U.S. server yesterday. The card that was in there finally gave out. It took a bit longer in replacing it than we originally thought it was going to be and once the new card was activated we had to complete some technical work and put all the ip addresses and network information in.

Once all this was done, we tested to make sure all services were once again operational. We are very pleased with the new network card and the server seems to be responding very well and network speeds are impressive at this point. If you are an IAPS client assigned to this server, you should notice the difference very quickly. Thank you for your time and have a pleasant day.


Operation Condor & Its Effects Today

The CIA’s assassination plan, which it chose to keep secret from Congress, brings to mind Operation Condor, a similar plan run by DINA, which was Chile’s counterpart to the CIA under the dictatorial regime of military strongman Augusto Pinochet.

After Pinochet took power in a coup, his agents proceeded to round up communists and other opponents to his regime and torture, sexually abuse, rape, indefinitely incarcerate, and kill them, without any trials or due process of law. It was during that time, in fact, that the CIA, which supported Pinochet, played a role, as yet undetermined, in the murder of a young American journalist named Charles Horman.

Pinochet knew that his war on communism, however, could not be limited to Chile, given that communists were located all over the world. Thus, Chile, along with other South American right-wing regimes, established Operation Condor, a secret program of assassination, torture, and political repression. According to Wikipedia, files discovered in 1992 in Paraguay revealed that Operation Condor succeeded in murdering 50,000 people, “disappearing” another 30,000, and incarcerating 400,000.

One day in 1976, however, Operation Condor hit a stumbling block here in the United States. As part of its global war on communism, it took out Chilean citizen Orlando Letelier with a car bomb that succeeded in killing not only him but also his American assistant, Ronni Moffitt. The killing took place on the streets of Washington, D.C.

What’s wrong with that, you ask? Weren’t Chile and the other members of Operation Condor involved in a major war? Didn’t they have the right to kill the enemy, wherever the enemy happened to be found? Wasn’t the entire world, including the United States, a battlefield in the global war on communism?

After all, what was different about the Letelier assassination and the CIA’s firing of a missile into a car in 2002 in Yemen that was carrying suspected terrorists, including one who was an American citizen? Didn’t the car in Yemen contain people who the CIA was sure were terrorists or terrorist sympathizers? Didn’t the car in Washington contain people that DINA was sure were communists or communist sympathizers, one of whom was a Chilean citizen?

There were some Americans who didn’t feel that Operation Condor should be permitted to extend its global war on communism to the United States. Orlando Letelier and Ronni Moffitt were murder victims, they argued. The wartime analogy was hogwash, they said. Letelier, after all, was really just a former member of the cabinet in Chile’s Salvador Allende regime, which had been ousted in the Pinochet coup, who had continued his political battle against Pinochet’s dictatorship in the United States.

The Operation Condor agents who killed Letelier and Moffitt were ultimately indicted for murder in a U.S. District Court in Washington.

As it turned out, the DINA agent who orchestrated the murder of Letelier and Moffitt was a man named Michael Townley, who also — surprise, surprise — had worked for the CIA. Owing to public pressure, Townley was extradited to the United States to stand trial. The feds ultimately offered him a plea bargain that required him to testify against his underlings and that enabled him to live the rest of his life here in the United States under the federal witness protection program.

Assuming the CIA is telling the truth in its claim that it never carried out its assassination program, did the CIA factor in the Letelier-Moffitt case in deciding not to carry through with its assassination program? Perhaps. After all, if CIA assassins were to be arrested in a foreign country and indicted for murder, how would they be able to distinguish what they did from what Operation Condor did to Letelier and Moffitt?

______________________________________________

With this in mind, isn’t turnabout fair play? The CIA seems to think its shit smells like roses and they are indemnified against any prosecution, whether it be on foreign or American soil.


IAPS Now Supports The Mac iPhone

Folks, we’re finally supporting the Mac iPhone from this point on. I’m looking into supporting the Blackberry mobile device next and over the next week I’ll be looking into that. If you have the Mac iPhone and you are a current client of IAPS please let us know and we’ll send you illustrated instructions.
