
Surveillance State

May 5, 2008 9:00 AM PDT

There is no right to privacy at international borders. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?

The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky... if the government really doesn't like you, you may end up getting sent to Syria).

Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.

For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a lawful request by British Police can result in jail time. Ouch.

CNET News.com's Declan McCullagh posted a guide to securing laptops for border searches back in March. The Electronic Frontier Foundation's Jennifer Granick wrote a blog post on the subject recently, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.

Chris' Guide to Safe International Data Transport

  1. Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own.
  2. Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, TrueCrypt, or software built into many operating systems.
  3. Remember the password. This is very important, as if you forget it, you lose all your data.
  4. Upload the encrypted data to a reliable place on the Internet (or two). Personally, I use Amazon S3, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.
  5. Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.
  6. Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer.
  7. At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers.
  8. Decrypt the data.

Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.
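The one check this procedure leaves implicit is making sure the copy that reaches Amazon (step 4) is bit-for-bit the copy you get back (step 7), before step 5 destroys the only local version. The following is an added example, not code from the original post: it records the size and SHA-256 digest of the already-encrypted image in a small manifest, and verifies a downloaded (or about-to-be-uploaded) image against it. The file names, the `demo()` routine and its random stand-in image are constructed for illustration; the encrypted image itself is whatever PGP/TrueCrypt/your OS produced.

```python
"""Integrity manifest for the encrypted image before and after transport.

Added example (not from the original post). Assumes the encrypted disk
image has already been produced by PGP/TrueCrypt/the OS tool of choice;
this only makes sure the copy you upload is the copy you get back, before
the local copy is wiped (step 5) and again after download (step 7).
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path: str, manifest_path: str) -> dict:
    """Record size and digest of the encrypted image. Keep the manifest
    somewhere other than the laptop that is about to be wiped (printed,
    or in the remote bucket under a separate key)."""
    manifest = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_download(image_path: str, manifest_path: str) -> tuple:
    """Compare an image against the manifest. Size is checked first so a
    truncated transfer fails fast without hashing the whole file."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    if not os.path.exists(image_path):
        return False, "image missing"
    if os.path.getsize(image_path) != manifest["size"]:
        return False, "size mismatch (truncated or wrong file)"
    if sha256_file(image_path) != manifest["sha256"]:
        return False, "sha256 mismatch (corrupted or substituted)"
    return True, "ok"


def demo() -> dict:
    """Constructed demo: a random-byte stand-in for the encrypted image,
    one clean verify, one after a single flipped byte, one after truncation."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "trip.img")
        manifest = os.path.join(d, "trip.manifest.json")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))
        write_manifest(image, manifest)
        clean = verify_download(image, manifest)
        with open(image, "r+b") as f:          # simulate a corrupted download
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([b[0] ^ 0x01]))
        corrupted = verify_download(image, manifest)
        with open(image, "r+b") as f:          # simulate an interrupted download
            f.truncate(CHUNK)
        truncated = verify_download(image, manifest)
        return {"clean": clean, "corrupted": corrupted, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

Run `write_manifest` on the image right before uploading, `verify_download` on the fresh download at the hotel, and do not wipe the laptop until a re-download of the uploaded object verifies as well; the manifest is not secret, but it must not travel on the disk you are about to erase.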

For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.

I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.
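To make the "do this properly" warning in step 5 concrete, here is an added example (not from the original post) that models in a few dozen lines what forensics software does to a casually deleted file. A `bytearray` stands in for the disk and a tiny directory table for the filesystem; all data is constructed. Ordinary deletion drops only the directory entry, so a carver that ignores the directory and scans the raw bytes still finds the file; overwriting the unreferenced blocks is what actually removes it.

```python
"""Why 'delete' is not 'wipe': carving a deleted file out of a raw disk image.

Added example, not from the original post. A bytearray stands in for the
laptop's disk and a tiny directory table for the filesystem; all data is
constructed here. Ordinary deletion drops only the directory entry, the
way most filesystems do, so the bytes remain until something overwrites
them. wipe_free_space() is the "do this properly" step in miniature.
"""
import os

DISK_SIZE = 64 * 1024   # constructed: a 64 KiB "disk"
BLOCK = 512


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(DISK_SIZE)
        self.directory = {}        # name -> (offset, length)
        self.next_free = BLOCK     # block 0 reserved, like a boot sector

    def write_file(self, name: str, data: bytes) -> None:
        offset = self.next_free
        self.raw[offset:offset + len(data)] = data
        self.directory[name] = (offset, len(data))
        # the next file starts on a fresh block boundary
        self.next_free = offset + ((len(data) + BLOCK - 1) // BLOCK) * BLOCK

    def read_file(self, name: str) -> bytes:
        offset, length = self.directory[name]
        return bytes(self.raw[offset:offset + length])

    def delete(self, name: str) -> None:
        """Ordinary deletion: unlink the name, leave the blocks untouched."""
        del self.directory[name]

    def carve(self, signature: bytes) -> list:
        """What a forensic carver does: ignore the directory, scan the raw bytes."""
        hits, start = [], 0
        while (i := self.raw.find(signature, start)) >= 0:
            hits.append(i)
            start = i + 1
        return hits

    def wipe_free_space(self) -> None:
        """Overwrite every block that no live directory entry references."""
        live = set()
        for offset, length in self.directory.values():
            first = offset // BLOCK
            last = (offset + length + BLOCK - 1) // BLOCK   # exclusive
            live.update(range(first, last))
        for b in range(DISK_SIZE // BLOCK):
            if b not in live:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)


SIGNATURE = b"-----BEGIN TRIP NOTES-----"   # constructed marker to carve for


def demo() -> dict:
    disk = ToyDisk()
    disk.write_file("notes.txt", SIGNATURE + b"\nembarrassing stuff\n")
    disk.write_file("keep.txt", b"holiday photos index")
    disk.delete("notes.txt")                 # what rm / the Trash does
    after_delete = len(disk.carve(SIGNATURE))
    disk.wipe_free_space()                   # what a proper wipe does
    after_wipe = len(disk.carve(SIGNATURE))
    return {
        "recoverable_after_delete": after_delete,
        "recoverable_after_wipe": after_wipe,
        "live_file_intact": disk.read_file("keep.txt") == b"holiday photos index",
    }


if __name__ == "__main__":
    print(demo())
```

On a real machine the same idea is complicated by journaling filesystems, swap and hibernation files, and flash wear-levelling that remaps blocks an overwrite never reaches, which is why a full reinstall onto an erased disk (as in step 5) or a disk that was encrypted from day one is more dependable than file-by-file shredding.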

Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.

February 21, 2008 8:00 AM PST

Minor update: Boost uses the Nextel/Sprint network, not Alltel.

Apple's iPhones seem to have a monopoly when it comes to usable mobile Web browsing. Until now, freedom-loving users not wishing to get into bed with Steve Jobs were, for the most part, out of luck. This article explains how to get an even better mobile Internet experience, without having to do business with either AT&T or Apple--with no contracts and no $60 per month bill just to surf the Net.

Apple's iPhone: No user apps for you!

The iPhone is clearly the must-have device of the digerati. All of my colleagues seem to have one, and frankly, I'm rather jealous. However, I have several deep moral problems with the iPhone that have prevented me from giving Apple my money.

Steve Jobs treats his customers with contempt. On a "stock" iPhone, you have no control over the applications you can install, cannot use MP3 ringtones, and can't even download songs to iTunes over the 802.11 connection. Yes, you can join the customer vs. company arms race, and try to hack your phone. However, the next time a software update is released, you may find yourself the owner of a $400 brick.

In addition to my problems with Apple, I really dislike the wireless carrier it's gotten into bed with--AT&T. My complaints about AT&T's profit-motivated collaboration with the NSA's warrantless wiretapping program have been frequently aired on this blog. Furthermore, the company only really offers practical data services to customers who sign up for a two-year contract--something I am unwilling to do. Finally, I see no reason to hand over $15 of my monthly wireless bill to Steve Jobs.

I want a device that gives me freedom, that does not lock me into a specific platform, and that is sold by a company that treats its customers with respect. I want to be able to leverage the significant base of existing Linux/open-source applications. I want to be able to run Firefox and the hundreds of community-made extensions for the browser. I want to download MP3s and podcasts directly to the device, and I'd prefer a real GPS chip, not some triangulation hack.

Furthermore, I am extremely nomadic. I can rarely plan more than six months into the future, and can't predict the country I'll call home a year from now. Thus, a two-year contract with AT&T is simply not an option.

Help from Helsinki

Luckily, help has arrived. The solution to my problems does not come from Cupertino, Calif., but Finland.

N810 Internet Tablet

(Credit: Nokia)

Nokia has gotten quite a bit of press over the last year for its N800 and N810 Internet Tablets. The devices run Linux, and are built on an open-source core. They include 802.11 Wi-Fi support, Bluetooth (including A2DP stereo audio) and a built-in Webcam that can be used for videoconferencing.

On the software side, the devices ship with a Mozilla/Firefox-derived browser and support the hugely popular Web-advertisement blocking extension Adblock Plus. Internet telephony is made possible through Skype and Gizmo, both of which come preinstalled. Prefer to use someone else (or your own Asterisk server)? No problem--SIP-based voice over IP software is also included.

What else?....

A BitTorrent client? Yep. Encrypted instant messaging for AIM and Google talk users? Yep.

Want to sniff a wireless network, break a WEP encryption key, or hack into a server? No problem. Metasploit, Kismet, and nmap are all supported.

Would you like to hook up an external hard disk, an Ethernet adapter, or a thumb drive? No problem. The tablets all include a USB port that supports "host mode."

The N800 ($200) and N810 ($400) have practically the same hardware powering them; the only real difference is the GPS chip and slide-out hardware keyboard that are included with the N810.

In terms of technology and software, the N810 does everything and more that the iPhone does. The only real problem thus far has been the issue of Internet connectivity. That is, when there is no open Wi-Fi access point nearby, my N810 has been pretty useless.

The data problem

The data offerings from U.S. mobile providers are, sadly, pretty awful. While users on some expensive plans can surf the Web from their phones, tethering (the act of sharing your phone's data connection with another device) is often forbidden. Verizon went so far as to totally cripple the Bluetooth functionality in several of its Motorola phones.

Worse, to get data, users are often required to sign lengthy contracts with the wireless carriers. A few do offer data services to prepaid users, but at rates that'll make you cry. For example, AT&T prepaid customers can purchase monthly allotments of bandwidth--1MB for $5 and 5MB for $10. Data-hungry users who go over their 5MB per month are charged 1 cent per kilobyte. Want to use AT&T's prepaid plan to look at a few Flickr photos? That'll be $24.07 please.

The Boost connection

Thanks to YoDude from the Internet Tablet Talk forums, I now have a solution that works, with no contract, and at a price that I can afford.

Boost is a prepaid wireless company that resells access to the Sprint/Nextel nationwide wireless networks. Its voice services aren't particularly attractive (at 20 cents per minute). However, the Sprint/Nextel network uses Motorola's iDEN technology and provides a free, always-on data connection to phone customers. The data service isn't speedy: at 19.2 kbps, it harks back to the days of dial-up. For a free service, however, it simply can't be beat.

Following YoDude's advice, I went onto eBay and purchased a used Nextel/Motorola i605 phone. There are plenty of these listed for sale online, and they can be found for about $40 including shipping. I also purchased a new Boost phone SIM (subscriber identity module) card for $2 including shipping.

A week later, with the phone and SIM in hand, I called up Boost to activate. The process took about 20 minutes and required no hacking of devices, flashing of firmware, or anything similar. I gave Boost my credit card number, and the company loaded $20 onto my account.

I then followed YoDude's simple instructions for setting up the Nokia Tablet with a Boost iDEN phone, and within minutes, I was using my N810 to check my e-mail via the Bluetooth-provided cellular data link.

Boost requires that you load up your phone with a minimum of $20 in credit at least once every 90 days. Voice service costs 10 to 20 cents a minute, depending on the time of day. Interestingly enough, incoming text messages are free--which is not something I've seen any other prepaid carrier offer. Thus, for a little bit more than $6 per month, mobile users can get access to an always-on data connection that is perfect for e-mail, IM, and Google searches.

I won't lie. It's not speedy. But for airports, waiting rooms, and the bank lobby--it's perfect. By switching to IMAP based e-mail and an offline RSS reader, it's actually surprisingly usable.

For those of you with a thirst for faster data, and a willingness to pay for it, there may be other options. The uber-phone hackers at HowardForums report that Verizon offers prepaid users access to its 115KB/s EVDO data service for 99 cents per day. Setting this up seems to require a fair bit of hackery, including re-flashing special firmware onto your phone. Furthermore, at $30 per month, this is quite a bit more than I want to pay just to be able to google in line at the grocery store.

Got a better solution? Found a way to get a high-speed Bluetooth tethered connection at a low price? Leave a note in the comments, and I'll be sure to update this post.

Disclaimer: While I paid retail for a Nokia N800, the company did give me a heavily discounted N810 as part of a developer program. I interviewed with Nokia for a summer internship last week. I interned with Apple (along with several other companies) in the past.

February 8, 2008 7:50 AM PST

With all of the attention being paid to the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminal telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.

NSA: We're watching you....

(Credit: National Security Agency)

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy-to-use privacy technologies are upon us, and with them comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.

First, a few facts:

As the debate over FISA and telco immunity has demonstrated, the telecom companies are willing to completely eviscerate consumer privacy in order to help law enforcement and the intelligence community. With the telcos getting handsomely paid for their participation in illegal surveillance programs, it's clear that consumers cannot rely upon AT&T and Verizon to protect their privacy.

Consumers will need to take matters into their own hands - and luckily, secure communication technology is finally user-friendly enough to be usable by non-geeks.

In addition to enabling the average Joe to regain a bit of his privacy, the rapid deployment of easy to use crypto will have a major impact on our society: The end of large scale surveillance.

Raising The Bar: The Black Bag Job

The big problem with the surveillance techniques currently used by the NSA, aside from the fact that they are creepy and illegal, is that they scale so well.

Just like Google, if the NSA wants to expand its surveillance abilities, it simply has to build another data center. Want real-time spying on the phone calls of 10 million more people? No problem -- just buy another 10,000 computers, and set them up with the NSA's existing pattern recognition software.

In the old days, the spooks would have to rely on the so-called 'black bag job' -- a term describing the act of breaking into a suspect's house in order to install bugs and other listening equipment. The team doing it, at least in Hollywood movies, was, like ninjas, dressed in all black.

The nice thing about the black bag job is that it is labor intensive. Want to install bugs in the home of a suspected Soviet agent? That'll take a team of five agents, plus around-the-clock surveillance for a few days beforehand. Using traditional techniques, spying on an additional 10,000 Americans would require an additional 50,000 NSA black-bag-job agents to install the bugs.

As large as the NSA is, it simply doesn't have that level of resources. Thus, simply due to the man hours required, the NSA's surveillance net was limited in scope.

Unfortunately, due to computers, and the willing assistance of telecom companies - this is no longer a problem. Surveillance today scales very very easily, and it is almost trivial for the NSA to spy on an additional 100,000 Americans.

The deployment of easy to use cryptography for the average user will significantly upset the status quo. Large scale surveillance will no longer be possible, and the spooks will have to return to the days of the black bag job. Will they still be able to focus on high-profile terrorist targets? Sure. However, their days of spying on the average American, simply because it's easy, could be over.

I'll now explore the technologies that will make that possible.

Secure Instant Messaging

I've written extensively about this form of secure communication before. Adium, one of the most popular instant messaging applications for the Mac, ships with high-end encryption out of the box. Similarly, Pidgin, an IM application shipped with practically every Linux distribution, also includes support for the same encryption protocol that Adium uses. A port of Pidgin is also available for Windows users.

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

These IM applications and the off-the-record encryption standard they use are protocol independent. That is, they work with AOL Instant Messenger, Google Talk, Yahoo IM, and others. By using one of these applications, your IM communications are encrypted, authenticated, and completely deniable.

No amount of telecom company assistance will enable the Feds to passively snoop on an encrypted IM conversation. In order to have any chance at getting a copy of the messages, Uncle Sam will need to resort to a significantly more invasive (and riskier) surveillance techniques.
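The three properties listed above (encrypted, authenticated, deniable) sound contradictory until you see how OTR authenticates messages. The following is an added example, not code from Adium, Pidgin or the OTR library, and it uses only the Python standard library. It models a single idea: OTR tags each message with an HMAC under a key both parties share rather than with a digital signature, so the recipient can verify the tag, but anyone holding the key (the recipient included) could have produced an identical tag, and a logged transcript therefore proves nothing to a third party. The key derivation, counter layout and `demo()` scenario are constructed stand-ins; encryption and the Diffie-Hellman exchange that produces the shared secret are out of scope here.

```python
"""Authenticated but deniable: why an OTR-style MAC is not proof for a third party.

Added example, not code from Adium, Pidgin or the OTR library. Models one
idea from OTR: messages are authenticated with an HMAC under a key both
parties share, not with a digital signature. Key derivation and message
layout below are constructed stand-ins, not the real OTR wire format.
"""
import hashlib
import hmac
import os


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Constructed: a real OTR session derives several keys from the DH secret."""
    return hashlib.sha256(b"mac" + shared_secret).digest()


def authenticate(mac_key: bytes, counter: int, plaintext: bytes) -> dict:
    """Sender side: tag = HMAC-SHA256(mac_key, counter || message).
    The counter stops an old message from being replayed as a new one."""
    body = counter.to_bytes(8, "big") + plaintext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"counter": counter, "message": plaintext, "tag": tag}


def verify(mac_key: bytes, msg: dict) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    body = msg["counter"].to_bytes(8, "big") + msg["message"]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["tag"])


def demo() -> dict:
    shared_secret = os.urandom(32)          # stands in for the DH result
    k = derive_mac_key(shared_secret)

    # Alice sends, Bob verifies: authentication between the two parties works.
    real = authenticate(k, 1, b"meet at 6")
    bob_accepts = verify(k, real)

    # A message altered in transit is rejected.
    tampered = dict(real, message=b"meet at 9")
    tamper_caught = not verify(k, tampered)

    # Deniability: Bob holds the same key, so he can produce a tag that
    # verifies just as well for words Alice never wrote. Shown a transcript,
    # a third party cannot tell which message Alice actually sent. OTR goes
    # further and publishes retired MAC keys, so anyone could have forged them.
    forged_by_bob = authenticate(k, 2, b"I never said that")
    forged_verifies = verify(k, forged_by_bob)

    return {
        "bob_accepts": bob_accepts,
        "tamper_caught": tamper_caught,
        "forged_verifies": forged_verifies,
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with a signed message is the whole point: a signature made with Alice's private key would let Bob (or a prosecutor holding his logs) prove Alice wrote it, whereas the MAC only convinces the party who shares the key, at the moment it arrives.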

Secure Voice over Internet Protocol (VOIP)

Unfortunately, out of the box, most internet based telephony services are horribly insecure. Use Vonage, Packet8, or one of the other popular VOIP services? Your calls are going over the wire in the clear. Using one of several open source hacking tools, it's trivially easy for an attacker or nosey neighbor to snoop on your calls.

With regard to the mainstream voice solutions, Skype is the clear exception to the rule. All Skype communications are encrypted (as long as you don't live in China, where the government has forced the eBay owned software company to install some fairly suspect filters).

Skype has been extremely secretive about the technical details of its encryption technologies. It paid a few security consultants to conduct a review of the system, which, not surprisingly, was rewarded with rave reviews. However, some crypto geeks have been able to reverse engineer Skype, and have determined that by and large, the program does a pretty good job.

Skype's security is good enough, it seems, to stump the police and intelligence agencies in Germany. They've had to resort to paying 2500 euros per victim suspect to install malware that secretly records the audio as it's recorded and played on the user's PC during a Skype call.

Thus, for most users, Skype is more than good enough - and a complete pain in the ass for law enforcement.

For those users not willing to trust their communications to a closed-source communications system, the gold standard really is Zfone, an encrypted VOIP solution made by famed cryptographer and cypherpunk Phil Zimmermann. While it's easily the best tool out there, it unfortunately suffers from the network effect -- that is, there really isn't anyone using it right now.... and Skype has, in a few years, become the most widely deployed cryptographic application ever.

If you can get your pals to install it, go for Zfone, but for those you can't, Skype is probably good enough.

Anonymous Web Surfing

One word: Tor. If you're not using it already, you need to be.

Encrypted Computer Data

Both Microsoft Windows Vista and Mac OS X include encrypted disk support out of the box. While I can't speak to the Windows experience, I can say that encrypted disk support is a piece of cake on the Mac. As recent court cases have shown, this disk encryption can be a total roadblock for law enforcement, and can completely derail any attempted investigation or prosecution.

Mobile phones

As fans of the HBO show The Wire will already know, mobile phone privacy and anonymity is something for which there is a significant market need. For now, pseudo-anonymity can potentially be achieved through the use of prepaid phones, but this provides no safety against a government agent with a wiretap order (or a spying agency willing to break the law).

For now, we as consumers are left out in the cold. However, the rise of devices such as the iPhone and Google's Android OS do give me some hope. If we get Skype on mobile phones (a not so unrealistic possibility), law enforcement is going to have a very very tough time. Furthermore, if we can replace SMS text messages with off-the-record encrypted IMs, users will finally get the privacy they deserve.

While we can't rely on Steve Jobs to bring this to us, there is a decent chance that Google's Android system may end up having these features. It's an open platform, right? So it's just a matter of time until someone hacks it up, and releases it.

November 27, 2007 8:30 AM PST

Over the past month, AT&T has quietly started to offer reasonably priced unbundled "naked" DSL Internet service to customers around the country. The company's website makes no mention of the service, nor do its Internet phone sales representatives offer or even discuss the service. Customers wishing to sign up will need to call a specific department at AT&T to request the secret plan. Two tiers are offered, a 3Mbit down/1.5Mbit up plan for $28.99 per month, and a 1.5Mbit down/768k up plan for $23.99. Those who opt for the stand-alone DSL service will be able to avoid paying the myriad of mandatory fees associated with a phone line.

The service is available to customers in at least the following states: AL, AR, CA, FL, GA, IN, IL, KY, LA, MI, MO, OH, NC, NV, SC, TN, TX.

Customers wishing to sign up for the service should do the following:

  • Call the AT&T Dry Loop department directly at 888-800-4095.
  • Ask to switch to "DSL direct".
  • If they give you a hassle, say it's a retention offer.

The Real AT&T

(Credit: EFF)

The Federal Communications Commission ordered AT&T to begin offering stand-alone DSL service as one of a handful of conditions that allowed for the merger of SBC Communications and AT&T in October 2005. While it technically met the conditions it agreed to, the services were offered at such an obscenely high price that few actually opted to drop their telephone service.

The company has been widely criticized in the past for its unbundled service pricing structures. Back in 2006, the company began offering stand-alone DSL for $44.99 a month. At the same time, the company offered bundled DSL service for $29.99 a month, but subscribers were also required to purchase telephone service in a package that totaled about $46 a month. Customers could essentially save $1 per month by choosing to go with the unbundled Internet service.

In December of 2006, the company agreed to offer a low-priced bundled DSL service, as part of several conditions negotiated with the FCC in order to complete a merger with BellSouth. While technically meeting the promises it made to the FCC, the company did its best to make it almost impossible for customers to locate information on the much hyped $10 per month DSL plan. Furthermore, at 768Kbps down and 128Kbps up (compared to the 3-6Mbit down speeds that the company advertises on its website), the service barely qualified as broadband.

As part of the same BellSouth merger deal, AT&T also agreed to offer reasonably priced unbundled DSL service to customers in the 22 states that it serves. The company is required to offer the service for 30 months. After that, it can force everyone to go back to bundled DSL.

According to a number of postings by users on the Fatwallet and DSL Reports web forums, AT&T has been quietly offering the previously announced unbundled DSL for at least one month. Two services are offered, a 3Mbit down/1.5Mbit up plan for $28.99 per month, and a 1.5Mbit down/768k up plan for $23.99. These prices are roughly $3-5 more expensive than the bundled plans. However, customers will not need to pay $12+ per month for the required phone service as well as the myriad of mandatory phone-related taxes and fees. That is, for the first time, DSL subscribers can actually save real money by ditching their phone line.

Regular readers of this blog will know that I am no fan of AT&T. The company's willing (and highly profitable) participation in the illegal NSA wiretapping program is disgraceful, and should the US Congress actually let the lawsuits proceed, AT&T could be looking at $21,000 in damages for every customer they let the NSA listen to (i.e. all of its 100+ million customers). A successful class-action would probably result in a lovely situation where customers could choose between having the Electronic Frontier Foundation or the ACLU as their long distance carriers...

The FCC: A revolving door to Corporate America

(Credit: Flickr / sillygwailo)

AT&T has dragged its feet in offering unbundled DSL service. Even under this new, cheaper service offering, it is still impossible to get the company's highest tier of service, "up to" 6Mb downstream, without getting a phone line. Only 3Mb and 1.5Mb services are offered to those who refuse a dial-tone. The blame for this, however, does not lie with AT&T, but with the FCC.

As the first few paragraphs of this blog post should have made clear, AT&T has only ever offered lower priced, pro-consumer services when it was absolutely forced to. This was usually done as part of terms negotiated with the FCC. AT&T wanted to merge with another of its Ma Bell siblings, and in order to do so, the company had to agree to a few token offerings requested by the FCC. The only reason AT&T is offering snail-speed DSL for $10 per month, or unbundled DSL service at all, is because it was forced to.

To expect the company to do anything else would be insane. AT&T is a corporation, which by its very definition is a for-profit entity. Furthermore, AT&T enjoys a near monopoly in many markets. If it did anything other than try to milk every last cent out of its customers, its shareholders would file suit and demand the heads of the CEO and the other members of the board. Simply put, corporations exist to make a profit. If we as consumers want reasonably priced pro-consumer products and services, we cannot rely upon monopolist corporations to provide them.

The solution to this problem, of course, is government regulation which encourages competition. If AT&T's customers could choose from 10 other companies, prices would fall, and consumer demands for unbundled services would have been met long ago. Unfortunately, instead of passing pro-consumer regulations, the FCC bends over backwards to help the telecom companies. With AT&T spending over $19 million on lobbying in 2006 (1/3 of the total contributed by the telecom industry that year), is it any surprise that the FCC looks out for the telcos?

According to the nonpartisan Center for Responsive Politics, more than 100 former FCC employees have also worked in the private sector. At least 50 percent of them have lobbied on issues related to telecom, communications and broadcast at some point in their careers. The Center's Revolving Door Database lists the FCC as the agency with the third-highest number of employees who have shuffled between the public and private interests focused on the federal government, behind only the White House and the House of Representatives.

What is the end result of this? US consumers lack access to real high-speed access, pay through the nose, and are stuck with one or two companies who have little incentive to compete. According to the Information Technology and Innovation Foundation, French broadband connections are, on average, more than three times as fast as ours. Japanese connections are a dozen times faster. Oh, and access is much cheaper in both countries than it is here. As an example, 52% of French homes subscribe to VOIP-based telephone service. Furthermore, over 1.1 million French subscribers pay as low as $40 monthly for a "triple play" package that includes 81 TV channels, unlimited phone calls within France and to 14 countries, and a blazing fast 28Mbit Internet connection. For that same price, AT&T customers can get a 3Mbit connection and a local phone line.

The reason for this is pro-competition government regulation. In 2000, France's national telecom regulator forced former state-owned monopoly France Telecom to open up its network to rival operators. That encouraged telecom upstarts and carriers from other countries to rent access to France Telecom's wires and start offering competing broadband services. And that, in turn, spurred France Telecom to improve its own prices and services.

The US has sadly fallen far behind other western nations when it comes to broadband adoption and availability. The telcos offer us crappy, overpriced slow service, while consumers in Japan can stream HDTV live to their computers. The blame for this of course, falls squarely on the FCC. Now... how do I go about moving to France?

November 14, 2007 11:10 AM PST

Updated Again: Nokia has released a legitimate upgrade for the N800 tablets. N800 owners no longer need to follow these instructions to update their OS. Instead, go visit the official Nokia website for info.

Updated: This post was edited for clarity, and to provide an alternative method for generating a N810 serial number (see below).

Details of a major operating-system upgrade for Nokia's Linux-based N800 Internet Tablet device were leaked Wednesday afternoon. Fans of the N800 (and soon-to-be-released N810) have been waiting eagerly for the last few weeks for any word of a final release date.

Nokia N800 Internet Tablet

(Credit: Nokia)

While the N800 and new N810 device share the same software, recent reports indicated that the update for the N800 was to be held back for a couple weeks to give the N810 time to shine. Fans had been told to expect the N800 update sometime in December.

On Tuesday afternoon, members of the Internet Tablet Talk community forum posted a link to the official software download location for the new N810 device, which itself is yet to hit store shelves.

The two devices made by Nokia run the same software, and so it was only a matter of hours before hackers had found a way to install the software update on their own N800 Internet tablets. Forum posts included some fairly nudge-nudge, wink-wink instructions for evading the serial number check required to download the software.

The new operating system is fantastic (at least from this blogger's few minutes of playing with it). It's faster, includes a Mozilla-derived Web browser, and boosts the speed of the N800's internal processor from 320MHz to 400MHz. After months of waiting, YouTube is finally usable.

While all eyes are on the new N810 Internet Tablet, this operating-system release makes the N800 one of the best buys on the market--and an iPhone competitor. The Internet-enabled wireless device now includes support for video-based chat using the built-in Webcam, Skype voice over Internet Protocol (VoIP) service, as well as a very active developer community.

At less than $250, compared to the N810's $450-plus price tag, the improved N800 gives the average user far more bang for their buck.

Brave N800 owners wishing to upgrade to the latest operating system will need to follow a few steps (this may brick your device, of course. This is only for the fearless, and any tears or financial loss are your own problem):

  1. Go to the N810 software download page.
  2. Enter the serial number for a valid N810 device. To get one of these, pick any number between 001d6e9c0000 and 001d6e9cffff. Pick any random 4 digits (between 0-9 and a-f hex) as the last 4 digits.
  3. Download the file named "RX-44_2008SE_1.2007.42-18_PR_COMBINED_MR0_ARM.bin."
  4. Download the latest firmware-upgrading software, "flasher-3.0".
  5. Now that you have the firmware flasher and the 2008 N800 software update in the same directory, open up a terminal (on a Linux desktop/laptop), and type:
    chmod a+x ./flasher-3.0
    ./flasher-3.0 -u -F RX-44_2008SE_1.2007.42-18_PR_COMBINED_MR0_ARM.bin
  6. That will unpack the software, and it may take a few seconds. Once that is done, plug the N800 into your computer, using the included USB cable, then reboot the Nokia device while holding the home button. Now execute the following commands:
    sudo ./flasher-3.0 --enable-rd-mode
    sudo ./flasher-3.0 -k zImage -f
    sudo ./flasher-3.0 -n initfs.jffs2 -f
    sudo ./flasher-3.0 -r rootfs.jffs2 -f -R
  7. That should be it. Your device should now boot up with the new 2008 version of the Nokia Maemo operating system.

October 19, 2007 7:30 AM PDT

With the majority of the Democrats caving in to the Bush administration's demands for full immunity for the telecom companies' for-profit collusion in the NSA's illegal wiretapping program, it seems to be clear that the Fourth Amendment and federal antiwiretapping laws are no longer enough to keep our communications secure. Laws stating that "thou shalt not listen to your customers' phone calls" no longer seem to have any bite. Or at least, they don't as long as telco lobbying coupled with massive political contributions can turn once critical senators into kindly old men willing to forgive and forget.

AT&T: Your World. Delivered. To the NSA

(Credit: Electronic Frontier Foundation)

Thus, now that AT&T and Verizon are free to provide the NSA with a full copy of all Internet traffic that flows over their networks, I thought that perhaps it'd be a good idea to discuss proactive technical solutions that users can use to protect their own privacy. The primary focus of today's blog post is on one small area of user privacy, but one which is perhaps the least well known by the average Joe, yet which is extremely vulnerable: instant messaging. The question to be answered today is: how can nontechnical users secure their own instant-messaging conversations such that an attacker is unable to listen in (be it the government or a nosy neighbor sniffing the wireless network from next door)?

The major IM networks, which include AOL IM/iChat, MSN, and Google Talk (when using the Gmail embedded chat function), all send data in the clear. Using IM over an unencrypted wireless network (such as at a coffee shop or hotel lobby) is an open invitation for nasty folks to read your conversations. Those people using the downloadable Google Talk client will at least have their conversations encrypted between their own computers and Google's servers--but that doesn't solve the problem of the NSA forcing/paying Google to hand over your data. Likewise, AOL confirmed in 2005 that if presented with a court order, it would let the government eavesdrop on IM conversations between customers.

The solution, then, is to use an encrypted instant-messaging program--one made by a third party and not one of the major IM networks. That is, a software client with which the conversation is encrypted from one user's computer all the way to the recipient--and not just to the central servers of the IM network. While the popular Trillian multinetwork client does offer encryption, its design is flawed, and is subject to a number of attacks. The tool of choice for privacy-conscious geeks everywhere is a protocol known as Off The Record (OTR). This scheme, designed by a team of security researchers including professors Ian Goldberg and Nikita Borisov, provides a number of really cool features. The benefits of OTR include:

  • Encryption: No one else can read your instant messages.
  • Authentication: You are assured the correspondent is who you think it is.
  • Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
  • Perfect forward secrecy: If you lose control of your private keys (for example, if your computer is hacked), no previous conversation is compromised.

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

The OTR team doesn't actually produce its own instant-messaging client. Instead, it has released an open-source library that other IM programs can include--which hopefully means that as more and more clients adopt it, users will be able to conduct safe and encrypted conversations with people who use an IM program different from their own. Right now, the OTR team distributes a plugin for Pidgin, the popular multiplatform IM client. Adium, a popular IM client for Mac OS X, has OTR support built in. There are third-party plugins for the Kopete, Miranda and Trillian IM clients. Best of all: OTR is IM-protocol-independent. That is, once you have an OTR-enabled client installed, you can communicate with friends on different IM networks, be it AIM, Google Talk or others, as long as your friends also have OTR-friendly IM software.

Linux and Windows users are probably best off using the Pidgin IM client, which works with all of the popular IM networks, and then installing the OTR plugin. For Linux users, it should be as simple as installing the Pidgin-OTR package with your respective package manager. Windows users will want to download the Pidgin-OTR plugin from the OTR Web site. Mac users: you're in luck. You can be lazy, and simply download Adium, which has OTR out of the box.

Once you have an OTR-enabled client installed, it's as simple as clicking on the lock icon in any conversation window. You'll be asked to accept an encryption key the first time you chat--which you should verify with your pal by some form of non-IM conversation (the phone, in person, etc.). After that, all future communications with that person should be encrypted without any more work. That's it. Secure communications, free from prying next-door neighbors or privacy-invading spooks.
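The four OTR properties listed above, plus the key-verification step, as an added toy model (this is not libotr or any client's code): a constructed 127-bit Mersenne prime and a SHA-256 keystream stand in for OTR's 1536-bit MODP group and AES-CTR, since the point is how the keys are handled, not the primitives.

```python
import hashlib, hmac, secrets

P = 2**127 - 1   # constructed toy prime, NOT OTR's 1536-bit MODP group
G = 5

def derive(shared, label):
    """Separate encryption and MAC keys from one DH shared secret."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()

def stream_xor(key, data):
    """Hash-based counter-mode keystream standing in for OTR's AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Peer:
    def __init__(self):
        # Ephemeral DH key: generated per session, never written to disk.
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.enc_key = self.mac_key = None

    def agree(self, their_pub):
        """Derive session keys, then discard the ephemeral secret (forward
        secrecy).  The fingerprint check the post describes is what makes
        their_pub trustworthy; this toy assumes it was verified."""
        shared = pow(their_pub, self.priv, P)
        self.enc_key = derive(shared, b"enc")
        self.mac_key = derive(shared, b"mac")
        self.priv = None

    def send(self, text):
        ct = stream_xor(self.enc_key, text.encode())
        # A MAC, not a signature: the receiver can verify it but cannot
        # prove to anyone else who produced it (deniability).
        return ct, hmac.new(self.mac_key, ct, "sha256").digest()

    def recv(self, ct, tag):
        """Plaintext if the MAC verifies, else None (modified in transit)."""
        expected = hmac.new(self.mac_key, ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return stream_xor(self.enc_key, ct).decode()

    def end_session(self):
        """Wipe keys.  OTR publishes the old MAC key on purpose, so anyone
        could have forged the transcript after the fact."""
        old_mac = self.mac_key
        self.enc_key = self.mac_key = None
        return old_mac

def forge(published_mac_key, ct):
    """A third party holding the published MAC key can tag any ciphertext."""
    return hmac.new(published_mac_key, ct, "sha256").digest()

def run_demo():
    alice, bob = Peer(), Peer()
    alice.agree(bob.pub)
    bob.agree(alice.pub)
    ct, tag = alice.send("meet at 5")
    delivered = bob.recv(ct, tag)                             # authentic
    tampered = bob.recv(ct[:-1] + bytes([ct[-1] ^ 1]), tag)   # rejected
    published = bob.end_session()
    return {"delivered": delivered, "tampered": tampered,
            "forgeable": forge(published, ct) == tag,  # proves nothing later
            "ephemeral_wiped": alice.priv is None and bob.enc_key is None}
```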

October 17, 2007 11:09 AM PDT

Do you consider yourself to be a privacy-aware Internet user? Are you concerned about your security online?

You've installed antivirus and anti-spyware software, which you also keep updated. You regularly update your operating system for any security patches. You have a firewall on your home computer and have locked down your home wireless network with a WPA2 password. Most importantly, you've ditched Internet Explorer and jumped on the Firefox bandwagon.

Your job is done, right? Think again.

While installing Firefox (and not using IE) is one of the most important steps users can take towards a safe online experience, Firefox is (alas) not totally safe out of the box. Luckily, Firefox provides a very flexible framework for open-source programmers and commercial vendors to create their own software add-ons for the browser. A number of these software extensions fix critical design flaws in Firefox--or simply improve transparency so that users have a better idea of where they are and which sites they're interacting with. I've selected a few of the best ones, which I highlight below.


October 10, 2007 11:08 AM PDT

Caller ID information is not to be trusted. Judging by the reactions I've gotten from colleagues and friends recently after they've been the victims of spoofed-ID demonstrations, it's not common knowledge that caller ID information, primarily the phone number that often appears on the recipient's telephone display, can be easily faked. Best of all for the mysterious caller, it's not illegal in the U.S. (except in cases where fraud occurs). Calls for the purpose of amusement or revenge are perfectly legal.

This phone is tapped.

(Credit: Andrew McConachie)

With the help of easy-to-use Internet calling card services, it's possible to call up your friends, and have the originating caller number be something completely different, say, the White House switchboard (202-456-1414). For many of the services, it's as simple as punching in three phone numbers: your own number, your pal's number, and the number you want to show up on their phone's display when you call.

The calling card companies providing these services charge a fair bit--approximately 60 minutes of calls for $10. One of the major firms, SpoofCard, is nice enough to let users try their service out for free--two minute calls can be initiated for free from the company's Web site. For those of you doing the home-brew VOIP thing using an Asterisk server at home, faking your Caller ID information is as simple as editing a configuration file.

Being able to change the originating call number can actually be really useful--for the bad guys.

Many voice mail systems do not prompt you for a PIN or password when you appear to be calling from the number associated with that voice mail account. Some credit card companies require that new cards be activated upon receipt by calling up an automated phone system from the cardholder's home phone number. Many people screen their calls, looking first at the display before deciding if they will pick up the phone. Such people can be tricked into picking up the phone by someone who would ordinarily get ignored. Caller ID spoofing is a priceless technique when conducting social engineering or industrial espionage. Being able to call someone else in a company and have the number come up as an internal office phone number can make it much easier to pretend to be "Bob from accounting."
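The voicemail weakness just described, as an added illustration (not the code of any real voicemail product; all numbers are constructed): the access check that trusts caller ID beside one that does not, plus a small audit over constructed call records that flags logins granted without a PIN prompt.

```python
from dataclasses import dataclass
from typing import Optional

MAILBOX_NUMBER = "202-555-0100"   # constructed: the subscriber's own line
MAILBOX_PIN = "4821"              # constructed

@dataclass
class InboundCall:
    presented_cli: str              # caller ID as received: caller-controlled
    pin_entered: Optional[str] = None

def weak_check(call):
    """The flaw the post describes: no PIN when caller ID matches the mailbox."""
    if call.presented_cli == MAILBOX_NUMBER:
        return True
    return call.pin_entered == MAILBOX_PIN

def hardened_check(call):
    """Caller ID is display data, never an authenticator: always require the PIN."""
    return call.pin_entered == MAILBOX_PIN

def spoofed_attempt():
    """A caller presenting the victim's own number, with no knowledge of the PIN."""
    call = InboundCall(presented_cli=MAILBOX_NUMBER)
    return {"weak": weak_check(call), "hardened": hardened_check(call)}

# Constructed call-detail records for the detection side.
CDR_LINES = [
    "2007-10-10T09:01 cli=202-555-0100 mailbox=202-555-0100 pin_prompt=no",
    "2007-10-10T09:07 cli=202-555-0199 mailbox=202-555-0100 pin_prompt=yes",
    "2007-10-10T09:15 cli=202-555-0100 mailbox=202-555-0100 pin_prompt=no",
]

def pinless_logins(lines):
    """Flag mailbox logins granted on a caller-ID match alone."""
    hits = []
    for line in lines:
        stamp, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        if fields["cli"] == fields["mailbox"] and fields["pin_prompt"] == "no":
            hits.append(stamp)
    return hits
```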

Anonymous

(Credit: Doublebug / Flickr)

Using a fake caller ID service, it should be possible for a motivated criminal to stalk someone, listen to their voice mail and then activate a credit card stolen from the victim's mailbox. Creepy stuff.

So what about the law? Caller ID spoofing services do not appear to violate any federal criminal law, according to an interview published with Orin Kerr, a law professor at the George Washington University Law School, and a former Justice Department computer crime lawyer. "It doesn't violate the Wiretap Act or the Computer Fraud and Abuse Act or anything like that," said Kerr.

Congress attempted to pass legislation earlier in 2007 making it illegal to spoof caller ID. The bill, The Truth in Caller ID Act of 2007, sailed through the House of Representatives but has yet to make it through the Senate. The law would outlaw causing "any caller identification service to transmit misleading or inaccurate caller identification information" via "any telecommunications service or IP-enabled voice service." Law enforcement is exempt from the rule.

Ma Bell: Got the ill communication

(Credit: TheTallest / Flickr)

With the legislation apparently stalled at the federal level, some states have begun to pass their own laws. According to USA Today: "Florida Gov. Jeb Bush signed a law banning commercial telemarketers from using ID spoofing. Violators can be fined up to $10,000 per incident. Alaska and New York have considered anti-spoofing legislation. Delaware has no law that specifically bars people from misrepresenting their name and number on the recipient's caller ID. If done for commercial purposes, however, the practice could be treated as a violation of the state's Deceptive Trade Practices Act or the Consumer Fraud Act, says Barbara Gadbois, who directs the Consumer Protection Unit of the Delaware Attorney General's Office. Extracting personal information that is then used to steal money or commit another crime is a felony punishable by up to eight years in prison, Gadbois says."

Even the state laws that have been proposed only ban the commercial use of caller ID spoofing and cases of fraud. The use of such services by individuals for amusement or revenge is still perfectly legal. Thus, until the feds can agree upon and pass stronger legislation, fake caller ID is here to stay.

September 13, 2007 6:00 AM PDT

NBC's recent withdrawal from the iTunes store leaves the millions of users of Apple iPods without a legitimate way to purchase and watch NBC's content. Could this be the push that brings easy-to-use 'piracy' to the masses? This article discusses the issues, and then provides step-by-step instructions to set up a computer to automatically download any of hundreds of TV shows as soon as they are broadcast and put online.

With Apple's recent lovers' spat with NBC making the headlines, it seems like a good opportunity to examine the state of online TV downloads, be they paid or 'pirated'. The end result of the dispute between the companies is that NBC's shows, which currently account for approximately one third of iTunes' TV show sales, will no longer be available for sale at Apple's iTunes store. Customers wishing to purchase NBC's shows will now need to go through Amazon's Unbox service. While Unbox supports users of Windows and TiVo, Mac users, as well as those millions of iPod users, are left out in the cold. Linux geeks, and those customers who have purchased divx/avi capable portable music players, are also excluded, but this small subset of the market was equally ignored by Apple.

The Apple/NBC dispute, of course, only affects US-based consumers. Foreigners, due to the lengthy delay between a show airing in the US and in markets abroad, have already been driven to illegal file sharing. In Australia, where the broadcast of US shows is typically delayed between 22-30 months, many viewers have given up on waiting for their favorite shows to appear on the tube, and have instead turned to BitTorrent. According to a report published in 2006, "Australians are responsible for 15.6 percent of all online TV piracy, bested only by Britain, which accounts for 38.4 percent. The US lags behind in third position at 7.3 percent."

The legitimate and legal online media stores cannot compete with file sharing on price. Furthermore, as iTunes, Amazon, Walmart and the other stores all wrap their media in restrictive Digital Rights Management (DRM), they cannot compete on freedom, flexibility and the ability to transfer purchased media to other devices. The only areas where they have the upper hand are in quality, and ease of use.

Warner Brothers' China division, in a rare act of intelligence on the part of a major media company, demonstrated significant savvy last year when they began selling cheap, legitimate, high quality DVDs of movies within days of the theatrical release. By pricing the discs at around 12 yuan (approximately US$1.50), Warner is hoping to make cost a non-issue, thus allowing them to compete in one area where they hold the upper hand: Quality. Instead of taking a chance on a low-quality, shaky-camcorder copy of a film, Chinese consumers can get a high-quality copy of the movie at a reasonable price, all while enjoying the warm fuzzy feeling of knowing that they've helped to pay for some small portion of a Hollywood star's private jet.

Apple's iPod makes up more than 70 percent of the overall mobile player market. With those customers now completely cut off from NBC's offerings, the ease-of-use advantage of legitimate purchase has been lost. While camcorder copies of films still make up a decent portion of movies on file sharing networks, the widespread availability of digital television and TV tuners in PCs means that it is trivially easy to find high-quality copies of TV shows on BitTorrent sites such as The Pirate Bay.

It's taken some time, but the 'piracy' path has finally gotten to be more user-friendly and easy to use than iTunes and the other pay services. Miro, a multi-platform RSS and BitTorrent enabled media client, is now very stable, polished and fast. Using a tool such as this, and a couple of minutes of configuration to subscribe to your favorite shows, it's now possible for users worldwide to wake up to the latest episode of The Daily Show, without paying a penny, or being locked into a restrictive DRM scheme. It's still illegal of course, but that hasn't stopped the millions of file sharers who have made BitTorrent responsible for more than 25% of all Internet traffic.

It's worth noting at this point, that for people in India, the Middle East and other markets ignored by the major players, Linux users (for which iTunes, Amazon and Walmart's media stores do not work), Apple customers who wish to watch shows made by NBC or another network that won't play ball with Apple, or Windows users who are simply not willing to submit themselves to the shackles of DRM, illegal downloads are the only way to watch TV shows on their computers and portable media players. I'm not advocating illegal activity, but merely stating the facts.

If a user wishes to break the law (or they live in a country that doesn't respect US copyright law), let's see exactly how they could go about setting up their computer to auto-download their favorite TV shows. This information is, of course, for educational purposes only and I in no way encourage anyone to violate copyright laws.

Step 1: Download and install the Miro media player, which is available for Linux, Mac and Windows.

Step 2: Locate an RSS feed for a TV show you want to watch. One fantastic source of these is the website tvRSS.net.

Navigate through the list of TV shows on the tvRSS website, and find a desired show.

Screenshot of tvRSS website

(Credit: tvRSS.net)

On the web-page for the show, right click on the link to the RSS feed of that show, and copy the URL location.

Screenshot of tvRSS website

(Credit: tvRSS.net)

Step 3: Open up Miro, and go to the Channels menu, and select Add Channel. The RSS address that was copied previously should already be displayed. If it's not, paste it.

Screenshot of Miro media player

(Credit: Miro)

Miro should now automatically download the latest episode of that show, which it will continue to do every time a new episode appears online.

Screenshot of Miro media player

(Credit: Miro)

For ease of use, a user will probably want to rename the channel to something recognizable. This can be done by going to the Channels menu and selecting Rename.

Screenshot of Miro media player

(Credit: Miro)

By following these three steps, it's possible for a user to wake up to their favorite TV shows already downloaded to their computer, waiting to be watched and without the restrictions of DRM. Users of Apple's iPods will need to re-encode them into Apple's proprietary QuickTime format, while those users with a Linux-based Nokia N800 or one of the many low-cost .avi compatible portable media players should be able to transfer the files with little to no additional work.

As I said before, this is all totally illegal under US copyright laws, and those of most other western countries that have agreed to adopt similar rules. In addition to the standard risks of file sharing, US-based users should take special care not to download any leaked pre-broadcast episodes of TV shows, which occasionally show up online. The Family Entertainment and Copyright Act passed in 2005 makes mere possession of such media a felony. First-time offenders can face up to three years in jail. Caveat emptor.

September 11, 2007 6:05 AM PDT

The New York Times recently covered the already over-hyped dispute between Danny Carlton, an obscure Web site designer, and the makers of the popular Adblock Plus Firefox browser extension.

Adblock Plus is something akin to a TiVo for Web-browsing. Users who install the extension will find that their Web experience is radically changed--in that the vast majority of graphical Web advertisements will no longer be displayed within the Web-pages that they visit.

For those of you with short memories, it's worth noting that before TiVo was the only major game in town, there used to be another TV advertisement skipping technology. ReplayTV was vastly superior to the TiVo, in that it completely skipped commercials, instead of permitting users to fast-forward. Following a tactic similar to that used by the major media companies (who had previously gone after Napster and the VCR), the TV networks essentially sued ReplayTV out of existence. The moral of the story: companies that have built their business models on advertising revenue do not take kindly to others who permit customers to skip those advertisements.

With that little walk down memory lane over, let us focus on the issue at hand--Web advertisement skipping technology. Essentially, it boils down to this: Web site designers depend upon advertising revenue to pay their bandwidth bills as well as to pay for the staff time that goes into making a successful site. Users do not particularly want to see advertisements, but except in a few cases where advertisements are extremely annoying, will for the most part put up with the ads in order to view the Web content that they are seeking.

There is a pretty big difference between the TV and Web site business models. A broadcast TV network, by and large, has fixed costs, no matter how many customers actually tune into the show. The same amount of electricity will flow to the TV transmitter, and the satellites above will still beam down the same number of 1s and 0s. Internet content is different, as each person's computer makes an individual connection to the remote server hosting whatever Web content the user is seeking. Each time users visit a Web site, the server consumes bandwidth to send the content of the Web page back to the user--and that bandwidth costs money.

Thus, every time someone uses advertisement-blocking software to avoid the graphical ads embedded within a Web site, they are denying the Web site operator revenue that would otherwise have gone to pay for the bandwidth that is consumed during that browsing session. While it could be said that TiVo users are freeloading from the broadcast networks, users of Web advertising skipping technology are far closer to theft than they are to freeloading. This is not a clearly defined issue, but there are a significant number of moral issues at play.

Which now brings us to the technical issues involved in this particular story...

About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
