The odd-musings of Jared, the Director of Network Security for IAPS Security Services.

A California court has issued a subpoena demanding Google reveal the IP addresses of journalists writing for a corruption busting journal from the Caribbean.

The August 28 subpoena, issued by the Superior Court, County of Santa Clara, as part of a “libel tourism” action taken by non-US property developers, demands detailed information about the operators of “tcijournal@gmail.com”. The account is the main email address of the TCI Journal, the most influential journal covering the Turks & Caicos Islands. The Islands are a tourist mecca and tax haven in the Caribbean sea, and until August 14 were an independent British protectorate.

Exposures in the Journal culminated in a dramatic UK governance takeover of the Islands on August 14.

A trail of evidence dug up by the TCI Journal, a UK commission of inquiry, and others, showed that foreign property developers were giving millions in secret loans and payments to senior Islander politicians, including an alleged $500,000 cash payment to the Island’s now former Premier, Michael Misick.

The Commission of Inquiry Final Report was released on the 18th of July this year in significatly redacted form. A full version was released by WikiLeaks. A High Court case ensued which initially enjoined all media in the Islands from reporting the redacted findings, however within a few days this restriction was overturned.

The Gmail subpeona applicant, property developer Dr. Cem Kinay, along with his two companies, Turks Ltd, and Star Platinum Island, were mentioned several times during public oral hearings of the Commission of Inquiry and featured significantly in the redacted portions of the Commission’s Final Report.

In particular there are allegations of bribery of public officials (e.g of the Premier with an irregular payment of $500,000), in the acquisition of public land valued by the government appraiser at approximately $60 – $100 million dollars U.S., for a price of $3.2 million dollars.

On August 14, the UK announced that it had taken direct rule over the Islands and suspended its parliament.

According to the notifying letter from Google to the Journal, Google intends to hand over the requested records in just over two weeks, without any defense, and states that the Journal may file a counter-motion with the Santa-Clara court itself.

Subpoenas for records are rubber-stamped by US courts, meaning that anyone in a position to start law suits in California can obtain private information about Gmail users who are not in a position to respond in kind, including cash-strapped corruption busting journalists from the Caribbean.

Google has elected to keep extensive, non-anoymized records on its users, but not defend these records from disclosure. This combination, together with inequitable access to justice in Californian courts, is toxic.
________________________________________________________________________

From: Google Legal Support
Date: Thu, Aug 27, 2009 at 6:18 PM
Subject: Re: [#498732750] Subpoena Notice from Google (internal reference
#67723)
To: tcijournal@gmail.com

Thank you,
Google Legal Support
_______________________________________________________________________

Your good pals at Google are further promoting censorship by complying with this court order. It just goes to show how much Google values your privacy. They are nothing short of a joke!

Folks, I wanted to hit on this topic again as it is very critical in these days and times. You do not have to carrying state secrets, be a criminal, or any other devious act to want private communications within your email account. You also don’t have to be a technical expert either. This blog post is intended to be a step by guide in setting up a FREE encrypted email account.

I always recommend purchasing your own domain name. I say this because its always preferred to run your own email services on a private server rather than using the services provided by Hotmail, Yahoo, or Gmail. For those of us in the technical security field, we know who’s in bed with the U.S. Government and who’s not. Let’s look at Gmail, provided by the good folks at Google. Who runs Google’s technical department? None other than ex-NSA (U.S. Government National Security Agency) Matt Cutts. Now why would an ex-NSA agent quit the National Security Agency to run the technical side of things for Google? Its the world’s largest database and guess what? Uncle Sam wants constant access to it! With their own man running the show, they have it. Even though he claims he got out, we all know there’s no official out for agents. Once Uncle Sam owns you, he always owns you.

There’s not much to say in regards to the Microsoft Hotmail brand. Again, this is another U.S. corporation well documented as being in bed with the U.S. Government. Yahoo doesn’t have a clean past either. The makers of Hushmail surely have just as bad a record as well, currently only offering 2048 bit encryption keys at best that reside on their own servers so that they can capture your passphrase when decrypting your emails which will then allow them instant access to all past and future emails that are encrypted with your key.

This step by step guide will show you how to use encrypted email that doesn’t require a key to remain on any server, uses the strongest encryption known to man (currently 4096-bit RSA), and uses a completely open-source application infrastructure. It is currently not known if the NSA can yet crack a 4096-bit key, but it is highly unlikely. Even the best super computers would have quite a difficult time at it. Some estimate it would take nearly 200 years to crack a 4096-bit encryption key while others think it may only be 20-30 years away. Either way, this is excellent news for the common folk that wish to have truly private email correspondences.

Ok, now on to the guide. You will need to obtain the following tools before we get started. These tools are based on the most common operating systems currently in use: Microsoft Windows XP and Vista (all versions). All these things are completely free of charge.

Mozilla Thunderbird
GTK+
Mozilla Enigmail
GNU Privacy Guard

The first thing we want to do after obtaining the above pieces of software is to install them one at a time. Start with GTK+ and GNU Privacy Guard. Once these are installed, move on to the Thunderbird installation and then finally the Enigmail add-on for Thunderbird.

Before we go any further its best to reboot your computer. This way all the pieces of the puzzle have a proper chance of being formally initialized. Once that’s done, we can proceed with the rest of the setup.

As I recommended above, it’s better to own your own domain name and operate your email services from your own server rather than a public one where you don’t know who has administrative access to it. While I understand that that is not always the ideal situation for every one, I’ll dab a little into what we can do with Gmail to make it compatible.

If you cannot obtain your own domain and a private server that hosts that domain, then you need to use a free email service that is POP3 (Post Office Protocol version 3) compatible. Gmail is just such a service. Yahoo wants you to pay for it so they will not be included in this article. At this time I’m not sure if Hotmail offers free POP3 services or not.

Once you’ve rebooted, open up the Thunderbird application. Add your POP3 compatible email accounts into Thunderbird. Once all your account(s) are loaded in there and you’ve properly tested them to make sure they are working, then we can proceed to the next step. You will see a tab for OpenPGP in the upper left hand tab. Click on that. Now scroll down to “Key Management” and click on that as well. A mini screen will appear. Click on “Generate” and then “New Key Pair.” Now a third box appears with a lot of options.

With this third box, we select one of our email addresses that we wish to generate an encryption key for. Once that’s selected, we assigned a passphrase for this encryption key. (This passphrase is like a password and will be needed to decrypt all future emails that are encrypted to your private key.) I wholly recommend a 10-15 character alpha-numeric passphrase. Anything less than that can be considered insecure. Do not use dictionary words, pet names, birthdays, pin numbers, your address or street name. Use something very unique. I highly recommend a 20 character alpha-numeric passphrase.

Now we choose when the key will expire. The default is 5 years. I’ve personally set mine to never expire and recommend all of you to do the same. Now we can click on the Advanced Tab. You’ll see “Key Size.” There are several options here and I highly recommend setting a 4096-bit key size. Directly below that is “Key Type.” There are 2 choices in this section. RSA and DSA El Gamal and I recommend going with the RSA key.

Now we click on the “Generate” button. It will take your computer some time to generate a random key based on your computers ability. Some computers are quick to do it and others take a few minutes and this is primarily based on your computers processing power. Once the key generation is complete, it will ask you if you want to back up these new keys so you can create revocation certificates if you ever lose control of your private keys. I highly suggest you take this option. Save the revocation certificates any where but your main hard drive. A pen drive, usb thumb drive, or an external hard drive are ideal places to keep these.

Once your revocation certificates are safely tucked away in an external location, we need to go back to the main screen of Thunderbird. On the left hand side of the screen you’ll see a pane for your email accounts. Click on the name of one of the email accounts. You’ll be taken to another screen where there are several options. Click on “View Settings For This Account.” A new mini screen will pop up. You’ll see an option for “OpenPGP Security.” Click on that.

Make sure the box is ticked for: Enable OpenPGP Support (Enigmail) For This Identity.” Directly below that, make sure the circle is tick for: “Use Specific OpenPGP Key ID.” Your specific encryption key should automatically be in the box already. Directly below that you’ll see 4 options. Make sure the first 2 boxes are always checked. This is just the signature part and is an integral part of letting others know that you have encryption ability. Since not every one uses encryption, don’t check the other boxes just yet.

Remember, you must exchange public keys with anyone that you plan on sending and receiving encrypted emails to and from. You cannot decrypt email in a normal free email account and this email must reside on a POP3 compatible email service. Using this particular method, emails can only be decrypted and encrypted from within Thunderbird. There is no server interaction here in the actual encryption or decryption as that resides on your individual computer only. This is the most absolute secure way to use encryption.

I will write another article later this week regarding the transport of your email and how TLSv1 (Transport Layer Security version1) can provide much better security than the traditional SSLv3 (Secure Socket Layer version 3) could ever do and how we can integrate SSHv2 (Secure Shell version 2) to help us achieve this effect. (SSHv2, besides providing transport security under an immense amount of encryption can also be used to completely hide the origin of where the email actually originated.)

Written by: Jared @ IAPS

As most of you know, I highly support encryption in all things internet. As such, this article will focus on encrypting our instant messenger sessions and will talk about the Pidgin instant messenger system with a focus on Pidgin OTR (Off-The Record Messaging) and how your chat sessions can be completely encrypted and protected at all times. Before we go any further, I need to tell you that Pidgin supports multiple instant messengers all at once so if you use more than one messenger, you can run them all from within the one Pidgin client. Ok, lets take a look at what Pidgin supports:

MSN
AIM
ICQ
Yahoo
Bonjour
Gadu-Gadu
Google-Talk
Novell GroupWise
IRC
MySpace IM
QQ
SILC
Simple
SameTime
XMPP

Now keep in mind that even if you have multiple accounts with any instant messaging services, you can run them all at once through this system. The direct download for the Pidgin Messenger can be found at http://www.pidgin.im You can get the Pidgin OTR add-on from here.

You may now be wondering what Off-The-Record Messaging is all about. Let me explain:

*Encryption
No one else can read your instant messages.

*Authentication
You are assured the correspondent is who you think it is.

*Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

*Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.

It should be noted that Pidgin & OTR are completely free. It is licensed under the GNU General Public License which means you will never be charged for it. Every one likes something for free right?

Ok, the “No Digital Signature” means complete deniability. This means that in a court of law, no one can prove that an instant messenger conversation actually originated by you. All instant messengers, even the hugely popular ones by MSN, Yahoo, Google, & ICQ all contain digital signatures that go out with each message you send and can be personally traced back to you by an expert. Pidgin & OTR eliminate this possibility if implemented correctly. The main functionality of the OTR add-on is to encrypt all messages between two users. This means that you and the person you are talking to via instant messenger must both have the Pidgin instant messenger and OTR installed. This is a two way system.

Once you and the other person(s) are encrypted, you are assured of a completely private and highly secure instant messenger chat session. Proxy options are fully compatible with this instant messenger. The IAPS SSH 768-bit Encrypted Service is especially useful with this service.

Are you interested in becoming a reseller for IAPS products? Then we’re happy to explain how it all works and the benefits available to you! With the world-wide need for privacy products and online media viewing accounts, the potential for success is unlimited. IAPS fully supports our resellers and associates with the following benefits:

1.) An IAPS provided website hosting account. (We provide the server space and you provide your own website designed any way you want.

2.) Technical support provided by IAPS Security Technicians. (You don’t need to know anything technical.)

3.) Flexible payments options including Pay Pal, Google Check-Out, Pecunix, Liberty Reserve, Credit Cards, & More.

4.) Bi-monthly account review and performance reports.

5.) Discounts based on reseller/associate performance.

6.) Huge discounts based on bulk purchases of 10 accounts or more.

7.) Live remote support for your clients by IAPS Security Technicians. (You don’t have to be technically inclined to sell. IAPS will provide support for your clients.)

8.) Reseller/associate payments are due on the 1st and 15th of every month unless otherwise indicated.

9.) All reseller/associate requests for information can be done from here.

10.) Resellers can request an exclusive distributorship for their preferred country at any time after an initial 60 day period.

11.) The IAPS Schedule of Reseller Fees is available upon request.

12.) Reseller/associate personal accounts are provided free of charge as long as you are an active reseller for more than one month. Active resellers can select accounts from the United States, United Kingdom, Canada, Switzerland, & Luxembourg.

13.) Secure/encrypted FREE storage space is available to any reseller/associate that needs it. This is something that must be specifically requested. Under this program, any files you upload to the designated server are automatically encrypted while being stored. For additional security you may encrpyt any files before uploading them. Each reseller/associate will be granted up to 500 MB of free storage space.

Remember, you don’t need to know a single thing about technical details. IAPS technicians will support your clients. The only thing you have to know how to do is sell. If you are located in any country with a big expat population or know people looking for privacy, secured hosting, or that have a need for online tv viewing while in a restricted country, then you have the potential for success. As long as you work at it, you can go very far in the online world. Since the internet provides a global clientele, success is only limited by you!