Privacy

From Organic Design wiki
Revision as of 21:18, 13 August 2010 by Nad (talk | contribs) (See also: A paper trail of betrayal: Google's net neutrality collapse)

Privacy & Security

Both terms lead to this same page, but they have slightly different meanings. Privacy is the resource that is made available by Security. Security is a global organisation in the network, composed of methods and of computational, storage and bandwidth resources, which is used to make the resource of privacy available according to local dynamic need.

Why do we need security?

Having good security is an important aspect of the network architecture because it is designed to handle financial accounting and budgeting of its member organisations. Also, the users of the network need to be confident that private information such as passwords or personal details really are private.

Many people believe that, if you have nothing to hide, there is nothing to fear from all this scrutiny. But if you resist the urge to pick your nose while others are present, or close the door when you go to the toilet, you are a privacy advocate. "When you realise that your whole life is under view," says the Tory MP David Davis, "it’s inhibiting." (from Can you disappear in surveillance Britain?)

Real security a myth?

There isn't much confidence in real privacy these days, with all the rumors and/or facts of "back doors" and of quantum computers which can achieve seemingly miraculous computational power. But before getting sucked into all the hype, bear this simple foundation in mind - if two people share a private random block of information, used one time only to encrypt a message of the same size, the result is mathematically impossible to break, even by quantum computation - it is said to exhibit information-theoretic security. It is only the level of organisation required amongst participants that currently makes this method impractical - in practice the network would usually combine this method with traditional methods.
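The scheme described above is commonly called a one-time pad. The following is an added example, not code from the original page, showing why the "one time only" and "same size" conditions matter; the class and function names and the sample messages are assumptions made for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Shared random block; every pad byte is consumed at most once."""
    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # pad bytes before this offset are spent

    def _take(self, n: int) -> bytes:
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted: no unused key material left")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def encrypt(self, message: bytes) -> bytes:
        return xor(message, self._take(len(message)))

    def decrypt(self, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._take(len(ciphertext)))

def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `candidate`; one exists for every candidate."""
    return xor(ciphertext, candidate)

def reuse_leaks(pad: bytes, m1: bytes, m2: bytes) -> bool:
    """True if encrypting both messages with the SAME pad bytes cancels the pad out."""
    c1, c2 = xor(m1, pad[:len(m1)]), xor(m2, pad[:len(m2)])
    return xor(c1, c2) == xor(m1, m2)

def demo() -> dict:
    pad = secrets.token_bytes(32)              # constructed sample pad, shared in advance
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    m1, m2 = b"pay 100 to A", b"pay 999 to B"  # constructed, equal-length messages
    c1 = sender.encrypt(m1)
    return {
        "roundtrip": receiver.decrypt(c1) == m1,
        # c1 is consistent with any same-length plaintext, so it reveals only its length
        "any_plaintext_fits": xor(c1, pad_that_explains(c1, m2)) == m2,
        # reusing pad bytes exposes the XOR of the two plaintexts
        "reuse_leaks": reuse_leaks(pad, m1, m2),
    }

if __name__ == "__main__":
    print(demo())
```

Both sides must consume the pad in the same order, which is part of the organisational cost the paragraph above refers to.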

Forms of security

  • Internet browsing
  • Email and communications
  • Financial transactions

Anonymous Internet browsing

Apart from the standard practice of using HTTPS connections when working with private content, it is also important to preserve anonymity - i.e. not giving away any information about the source of the web page requests. We use the Firefox browser with the TorButton add-on. There is also another called FoxTor, but I haven't tried that one yet. These solutions both use TOR (The Onion Router) to achieve anonymity.

The add-on is easy enough to install, but I found that I also needed to apt-get install polipo and change the port settings in the TorButton preferences. The HTTP and SSL had to be changed from 8118 to 8123 and the SOCKS from 9050 to 4424. I found the ports that polipo was using with netstat -lp|grep polipo. After installation, you can check if it's working by switching it on and then checking your IP address and its estimated geographical location.

Another useful related addon to Firefox is the User Agent Switcher.

PGP Email

For email privacy we use PGP with the Enigmail add-on. See the quick start guide and the Enigmail manual for more details on usage. Try the official downloads for your architecture and OS; if they don't work, here are some alternative 64-bit binaries which I've found successful in the past: version 1.5, version 2, version 3.

To initially configure PGP on Thunderbird, start with the Setup Wizard from the "OpenPGP" menu which appears after Enigmail has been successfully installed. We use the following options:

  • Sign all outgoing mail (you can turn off signing before sending an email if you wish)
  • Use per-recipient rules for whether to encrypt outgoing mail
  • Allow it to apply the optimal settings for you when it asks
  • Use your email account password for your private key's access pass-phrase
  • Allow it to create a revocation certificate so you can cancel your key-pair if you need to

At the end of the wizard it spends a few minutes generating a 2048-bit private/public key pair. To send a signed or encrypted message, the recipient must have your public key installed. You can save keys to file or send them over email to selected recipients from the "Key Management" option in the "OpenPGP" menu. You can also import a key from the clipboard.

Here are some screenshots of the main operations you'll use when sending or receiving a message:

  • ThunderbirdSignPGP.jpg: Check/set the signing and encryption status when composing a message
  • ThunderbirdSendPGP.jpg: Attach your public key when composing a message to a new recipient
  • ThunderbirdImportPGPKey.jpg: Import a public key attached to an incoming message by right-clicking on it


P2P Method

The privacy concept uses a portion of its global bandwidth resource to distribute private keys over all available data streams. This resource comes from the support that the privacy concept gains from usage.

The encryption itself is handled with any of the standard algorithms such as DES or AES, while the inherent organisational methods are used to generate and maintain a diverse population of private keys, so that any context of information can be made arbitrarily secure, dynamically and independently. A small portion of bandwidth is dedicated to random connectivity for creating keys with more diverse properties, and for finding new efficient routes.

When a context requires its connected streams to be authenticated, it generates random content and selects at random a key that it shares with the peer. The context then expects back a hash of the random content and the private value associated with that key. This can happen any number of times, and can also occur directly between peers, independently of the context.

Available key properties/constraints

  • Age - must be younger than X, must be older than X
  • Media it has resided on (RAM, HDD, Removable etc)
  • Peers it has resided on
  • Protocols it has travelled through
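The challenge-response exchange and the key constraints described above, as an added example that is not part of the original page. HMAC-SHA256 stands in here for the page's "hash of the random content and private value", and the `SharedKey` fields, key ids and age limits are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass(frozen=True)
class SharedKey:
    key_id: str
    secret: bytes          # the private value associated with the key
    created: float         # epoch seconds, used for the age constraints
    media: frozenset       # media the key has resided on, e.g. {"RAM", "HDD"}

def eligible(keys, now, min_age=0.0, max_age=float("inf"), allowed_media=None):
    """Keys that satisfy the age constraints and have only resided on allowed media."""
    out = []
    for k in keys:
        age = now - k.created
        if not (min_age <= age <= max_age):
            continue
        if allowed_media is not None and not k.media <= allowed_media:
            continue
        out.append(k)
    return out

def make_challenge(keys):
    """Verifier: pick one eligible shared key at random, plus fresh random content."""
    if not keys:
        raise LookupError("no shared key satisfies the constraints")
    return secrets.choice(keys).key_id, secrets.token_bytes(32)

def respond(store, key_id, nonce):
    """Peer: prove knowledge of the key's private value without sending it."""
    return hmac.new(store[key_id].secret, nonce, hashlib.sha256).digest()

def verify(store, key_id, nonce, response):
    expected = hmac.new(store[key_id].secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)  # constant-time comparison

def demo():
    now = time.time()  # constructed sample keys: one too old, one recent and RAM-only
    keys = [SharedKey("k-old", secrets.token_bytes(32), now - 90_000, frozenset({"RAM", "HDD"})),
            SharedKey("k-new", secrets.token_bytes(32), now - 60, frozenset({"RAM"}))]
    store = {k.key_id: k for k in keys}  # both sides hold the same shared keys
    usable = eligible(keys, now, max_age=86_400, allowed_media=frozenset({"RAM"}))
    key_id, nonce = make_challenge(usable)
    good = respond(store, key_id, nonce)
    stale = respond(store, key_id, secrets.token_bytes(32))  # answer to a different challenge
    return key_id, verify(store, key_id, nonce, good), verify(store, key_id, nonce, stale)

if __name__ == "__main__":
    print(demo())
```

Because the random content is fresh for every challenge, a response captured from an earlier exchange does not verify against a later one.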

See also