From secure at resist.ca Tue Jul 23 22:28:33 2002
From: secure at resist.ca (Security News Admin)
Date: Tue, 23 Jul 2002 22:28:33 -0700 (PDT)
Subject: [security-news] Security-News Bulletin #1 - July 23, 2002
Message-ID:

*****************************************************************************
Security-news
A security bulletin for the inspired resistance movement
Produced by the folks who bring you http://security.tao.ca
*****************************************************************************

July 23rd, 2002

Hello, and welcome to the first ever security bulletin put out by the folks at http://security.tao.ca - Our goal is to empower activists to make educated security decisions concerning their work and to highlight trends in government and policing that may be of interest to those who routinely counter the state security apparatus.

We intend this to be a bi-weekly newsletter that will include security updates, tips and tricks, security.tao.ca updates, news stories and factoids for both technical and non-technical audiences. Please let us know what you would like to see, or forward us items for inclusion to secure at resist.ca (also feedback on this bulletin would be great too!).

**********************************
Security-news: Issue #1 - Contents
**********************************

* Security tip of the week
* Updates to security.tao.ca
* News Item: US wants to use military for domestic policing
* News Item: US development of new non-lethal weapons
* How-to: SILC Tips and Tricks

***** Security Tip of the Week: Secure Storage of Private Keys *****

For optimum security, private keys used in encryption schemes should be stored on removable media that can be carried on your person, or locked in a secure (and secret) place. This cuts down the possibility of your private key being stolen from your home computer or laptop.
Even if someone manages to steal your passphrase with the use of key logging technology, they cannot decrypt messages intended for you without this private key. (Note however that floppy disks are the least reliable of all the removable media forms.)

***** Updates to http://security.tao.ca *****

After a long hiatus, we have started updating security.tao.ca again! This week we cleared out a lot of dead links (almost finished), added new and updated links to most sections, and completed a new page on KeyLoggers, Trojans and Backdoors which is available at http://security.tao.ca/keylog.shtml

***** News Item: US wants to use military for domestic policing *****

U.S. Mulls Military's Domestic Role
Sun Jul 21, 11:31 PM ET
By SCOTT LINDLAW, Associated Press Writer

WASHINGTON (AP) - Homeland security chief Tom Ridge says the threat of terrorism may force government planners to consider using the military for domestic law enforcement, now largely prohibited by federal law.

President Bush has called on Congress to thoroughly review the law that bans the Army, Navy, Air Force and Marines from participating in arrests, searches, seizure of evidence and other police-type activity on U.S. soil. The Coast Guard and National Guard troops under the control of state governors are excluded from the Reconstruction-era law, known as the "Posse Comitatus Act."

This is only a snippet of an article - the complete article and others on this topic can be found at:

* http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/ap_on_go_pr_wh/homeland_security_9
* http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020721/ts_nm/congress_homeland_military_dc_5
* http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/ap_wo_en_ge/philippines_arroyo_6

Security-news comment: We have a hard time believing that once the posse comitatus law is changed, the US government will only use the military in times of real crisis.
Given that they want to be able to use the military in situations involving "terrorism", and given that the US government has increasingly defined activist work as "terrorist", we don't think it will be long before the US military is regularly on the streets facing off against those who dare dissent against government policy.

***** News Item: US development of new non-lethal weapons *****

June 21, 2002
U.S. developing new non-lethal weapons
Bloomberg

WASHINGTON - The U.S. military is developing an array of futuristic non-lethal weapons, such as an energy beam that causes pain without burning and bacteria that will eat asphalt and body armour, Time magazine is reporting.

The weapons are being researched to help soldiers who are increasingly put in peacekeeping roles, the magazine said. Human rights advocates say new weapons may violate international laws banning the use of chemical or biological agents.

The Air Force Research Laboratory has devised a $65-million Cdn energy weapon that delivers a painful sensation without burning its target, and the Southwest Research Institute in Texas created an anti-traction gel so slippery no one can walk or drive on it.

Other devices in the works include ray guns, gases that emit foul odours and nets, according to the magazine, citing interviews with scientists, public documents and material obtained under the Freedom of Information Act.

Amnesty International and other human rights groups say some projects such as the asphalt-eating bacteria or efforts to create fast-acting opiates for use on crowds, may violate international laws. Those weapons might be obtained by regimes to put down political dissent, says Steve Wright, founder of the Omega Foundation that monitors non-lethal weapons.
***** How-to: SILC Tips and Tricks *****

by epsas at linefeed.org

The full version of this with working links is at http://notes.techfed.net/index.php/SILCTipsAndTricks

--------------------------------------------------------------------------------

If you don't know what SILC is - please check out http://www.silcnet.org - basically SILC allows for encrypted real-time conversations over networks.

Creating and Using Private Key (+k) Channels

    Setting a private key for channel means that only the users on the channel who know the key is able to encrypt and decrypt messages. Servers do not know the key at all.
    -- SILC FAQ (http://www.silcnet.org/?page=faq#f3_100)

In theory, members of a private key (+k) channel can collaborate securely even when their SILC server is compromised. Users of the +k channel are responsible for distributing a private key between themselves. Transmitting the secret key for a +k channel over the SILC network is self-defeating (The SILC server may be compromised, meaning a malicious attacker (Mallory) can steal the private key).

Instructions for creating a private key (+k) channel

Join a SILC network and create a channel:

    /JOIN #sekretchannel

As 'channel founder', set the mode of the channel to (+k):

    /CMODE #sekretchannel +k

After +k mode is set, the old channel key (originally distributed by the SILC server) is discarded.
Set the SILC client to use a private key for this channel:

    /KEY CHANNEL #sekretchannel SET oursekretkey

Other users must use the same 'passphrase' to communicate on the private key channel:

    /JOIN #sekretchannel
    /KEY CHANNEL #sekretchannel SET oursekretkey

The channel founder can change the 'passphrase' of a channel by issuing a new KEY command:

    /KEY CHANNEL #sekretchannel SET sekretkeywithrandomdata3DF#f3w48cnOc03

--------------------------------------------------------------------------------

Securely Negotiating a Shared Secret over the Internet

The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976 and published in the ground-breaking paper "New Directions in Cryptography." The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

dh.py from Magaf.Org is a freely available implementation of the Diffie-Hellman key exchange protocol. In this example, a shared secret is negotiated between Alice and Bob, two hypothetical individuals. More information about Alice and Bob (Mallory too!)

Using dh.py to negotiate a shared secret

Alice and Bob meet each other on a public SILC channel, #polynesian-finches. After a few hours of enthralling conversation, Alice proposes they move discussion to a private channel. Alice and Bob know that Mallory, their scientific arch-nemesis, has root (Administrator privileges) on the SILC server. Alice and Bob decide to use Diffie-Hellman to exchange a shared secret to use as a private channel key.

Alice and Bob install dh.py and a Python interpreter on their computers.

Alice runs dh.py, which first creates a public key:

    bash-2.05$ python dh.py
    Copy your public key and send to other:
    bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
    qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA

Bob also runs dh.py.
Alice sends her public key to Bob over SILC:

    <@Alice> Bob, here is my Public Key
    <@Alice> DQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
    <@Alice> qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA==

Bob does the same:

    <Bob> Alice, here is my Public Key:
    <Bob> bDQAAAB/CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
    <Bob> +mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA==

Alice pastes Bob's public key into dh.py:

    Paste other's public key (end with an empty line):
    :bDQAAAB/CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
    :+mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA==
    :
    Shared secret is '752945657969338543110531'.
    For public verification: '827050' (This is not secret)

Bob does the same with Alice's public key:

    Paste other's public key (end with an empty line):
    :bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
    :qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA==
    :
    Shared secret is '752945657969338543110531'.
    For public verification: '827050' (This is not secret)

Alice and Bob make sure that they created the same shared secret. They do this by sharing the 'public verification' over SILC:

    <@Alice> Hey Bob, did you get this: 827050 ?
    <Bob> Yup, I did!
    <@Alice> Meet you in #sekretornithology

At this point, Alice and Bob can create a private key channel (+k) using their shared secret ('752945657969338543110531') as the 'passphrase'.
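
The exchange and the 'public verification' step above, as an added example (this is not dh.py's code and not part of the original how-to). It assumes the RFC 3526 2048-bit group and SHA-256 derivations, since the bulletin does not show dh.py's parameters; all function names are hypothetical. It also shows what the comparison code is for: if the relay hands each side a substituted public value, the two sides derive different secrets and their codes stop matching.

```python
"""Unauthenticated Diffie-Hellman with a short comparison code (added example)."""
import hashlib
import secrets

# Assumption: 2048-bit MODP group from RFC 3526 (group 14), generator 2.
# dh.py's own group and encoding are not shown in the bulletin.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair():
    """Return (private exponent, public value) for one participant."""
    private = secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]
    return private, pow(G, private, P)


def shared_secret(private, peer_public):
    """Derive 32 secret bytes from our exponent and the peer's public value."""
    # Reject 0, 1, P-1 and anything outside the group: those values force
    # a secret that anyone relaying the message could predict.
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    z = pow(peer_public, private, P)
    return hashlib.sha256(z.to_bytes(256, "big")).digest()


def verification_code(secret):
    """Six-digit code that is safe to say aloud; it does not reveal the secret."""
    digest = hashlib.sha256(b"verify" + secret).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def channel_passphrase(secret):
    """Text passphrase for '/KEY CHANNEL #channel SET <passphrase>'."""
    return hashlib.sha256(b"channel-key" + secret).hexdigest()[:32]


def exchange(relay_substitutes=False):
    """Run one exchange and return (alice_secret, bob_secret).

    With relay_substitutes=True the relay delivers its own public value to
    both sides instead of the peer's. This is the case the comparison of
    verification codes exists to catch.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if relay_substitutes:
        _, relay_pub = keypair()
        a_sees, b_sees = relay_pub, relay_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return shared_secret(a_priv, a_sees), shared_secret(b_priv, b_sees)


if __name__ == "__main__":
    for label, tampered in (("direct", False), ("substituted", True)):
        alice, bob = exchange(relay_substitutes=tampered)
        codes = verification_code(alice), verification_code(bob)
        print(f"{label:12} Alice={codes[0]} Bob={codes[1]} "
              f"match={codes[0] == codes[1]}")
```

The comparison only protects the channel key if the codes reach the other person over a path the server operator cannot rewrite, such as a phone call or a meeting in person.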

***********************************************************************************
Security-news
A security bulletin for the inspired resistance movement
To unsub from this list, please go to http://resist.ca/mailman/listinfo/security-news
***********************************************************************************

From security-news-admin at resist.ca Mon Jul 29 11:07:33 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Mon, 29 Jul 2002 11:07:33 -0700 (PDT)
Subject: [security-news] Bulletin #2 - July 29, 2002
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

July 29, 2002

It's issue #2 already! Even though we said this would be a bi-weekly bulletin, it looks like we will try to put this out weekly when we have the content to do it. Please send any contributions, feedback or suggestions to secure at resist.ca and also let other people know that this bulletin exists! We want the largest possible activist audience thinking about and acting on security issues - our activist context today certainly demands it.

**********************************
Security-news: Issue #2 - Contents
**********************************

* Security tip of the week: Passphrase Security
* News Item: Giant Spy Eye Opens on World's Biggest Rainforest
* News Item: PGP Vulnerability exposed by Outlook Plug-In
* How-to: Limit Your WWW Search Exposure

***** Security Tip of the Week: Passphrase Security *****

A secure passphrase consists of one or more words comprising 12 characters or more. It should utilize random characters, upper and lowercase letters, numbers, punctuation and special characters (~!@#$ etc). In addition, it should not contain data traceable to you such as birthdates, names or other information.
Do not write your passphrase down anywhere, or store it in plaintext on your computer (it should be stored in an encrypted password safe if you must record it somewhere). For more info - http://security.tao.ca/pswdhygn.shtml

***** News Item: Giant Spy Eye Opens on World's Biggest Rainforest Wed Jul 24, 2002 *****

BRASILIA, Brazil (Reuters) - Scanning a dense rainforest the size of Western Europe, a mammoth radar system set to crank up this week will spy on drug runners, diamond miners and illegal loggers that infest Brazil's Amazon.

But the story behind the $1.4 billion network of radar, control towers and aircraft that form a spider's web over the jungle has its own share of espionage, riddled with allegations of CIA interference, phone bugs, bribes and dodgy diplomacy.

Designed by U.S. defense contractor Raytheon Co., the System for the Vigilance of the Amazon, or SIVAM, will fill a black hole in Brazilian surveillance that has exposed its borders to international crime and rebel activity.

SIVAM, built under Brazil's most costly defense contract, will scan 1.9 million square miles of the world's largest rainforest, also cataloging its widest diversity of wildlife and pinpointing Indian populations.

For the rest of this story go to: http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020724/sc_nm/brazil_amazon_dc_1 or http://www.guardian.co.uk/international/story/0,3604,565714,00.html

Security-news note: That's right, this whole surveillance project is being touted as a way of environmentally protecting the Amazon - because as we all know the US government has a real sincere interest in that..... We also think they have a really sincere interest in gathering as much data as possible on Brasil's neighbour Colombia. Even the Yahoo article notes CIA assistance with Raytheon (a major US defense contractor) being awarded the contract for this project.
Even though the US doesn't officially own this network - they might as well, given the fact that one of their own companies did all the spec and design for the project and thus has access to all the data.

***** News Item: PGP Vulnerability exposed by Outlook Plug-In By ComputerWire *****

One of the most important secure email standards used to encrypt messages could be vulnerable to attack through a plug-in used by the Microsoft Outlook email suite.

It is claimed that certain commercial and freeware products supplied by Network Associates Inc that use the Pretty Good Privacy encryption standard contain a flaw that could leave systems exposed.

From security-news-admin at resist.ca Mon Aug 5 13:33:39 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Mon, 5 Aug 2002 13:33:39 -0700 (PDT)
Subject: [security-news] Bulletin #3 - August 5, 2002
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

August 5, 2002

It's Bulletin # 3 and an interesting week for it given the raid on an ALF spokesperson's home last week and continuing Grand Jury investigations in Portland. Not to mention the news articles we came across this time around. Submissions, feedback and support can all be sent to us at secure at resist.ca - please let us know what type of how-to and tips you would like us to write about in the future!

**********************************
Security-news: Issue #3 - Contents
**********************************

* Security tip of the week: Office Lock & Key Security
* News Item: Spy Watch - Big Brother Incorporated
* News Item: A New Code for Anonymous Web Use
* How-to: Prepare for a Police Raid *Before* it Happens

***** Security Tip of the Week: Office Lock & Key Security *****

When you take over a new space/office/warehouse the first thing you should do is change all the locks. You have no way of knowing who still has keys to the place and what benefit they might derive from continuing access. Your organization should establish a regular re-lock and keying procedure. Groups concerned about security should change all locks and keys every six months or once a year. For more information on building security go to http://security.tao.ca/personal/building.shtml.

***** News Item: Spy Watch: Big Brother Incorporated *****

Big Brother Incorporated
by Eveline Lubbers

For years, activist groups in Europe thought that Manfred Schlickenrieder was a leftist sympathizer and filmmaker. He traveled around Europe, interviewing a broad spectrum of activists, and even produced a documentary video, titled Business As Usual: The Arrogance of Power, about human rights groups and environmentalists campaigning against the Shell oil company.

In reality, Schlickenrieder was a spy, and Shell was one of his clients. His film and his activist pretensions were merely cover designed to win the confidence of activists so that he could infiltrate their organizations and collect "inside information" about their goals and activities.

Schlickenrieder's cover was blown when the Swiss action group Revolutionaire Aufbau began to distrust him.
Its investigation uncovered a large pile of documents, many of which were put online at the beginning of 2000 (http://www.aufbau.org). These documents proved that Schlickenrieder was on the payroll of Hakluyt & Company Ltd., a London-based "business intelligence bureau" linked closely to MI6, the British foreign intelligence service. In addition to spying on behalf of multinational corporations, the documents also indicate strongly that Schlickenrieder was working simultaneously for more than one German state intelligence service.

Full article archived at nettime.org - http://amsterdam.nettime.org/Lists-Archives/nettime-l-0207/msg00135.html

Security-news note: This article reports on and analyzes events that took place in 2000, but it only gets more relevant as "independent media" is welcomed into activist channels with open arms. Alternative media definitely has its place in supporting and advancing activism and global change - but it's never a bad idea to check out the people who you are allowing to capture all your movements, demos, meetings etc. on film. Of course, it goes without saying, that you should never allow activities of an illegal nature to be filmed except in the most controlled circumstances.

***** News Item: A New Code for Anonymous Web Use July 12, 2002 (code to be released this week) *****

NEW YORK -- Peer-to-peer networks such as Morpheus and Audiogalaxy have enabled millions to trade music, movies and software freely. A group of veteran hackers is about to unveil a new peer-to-peer protocol that may eventually let millions more surf, chat and e-mail free from prying eyes.

Hacktivismo, a politically minded offshoot of the long-running hacker collective Cult of the Dead Cow, will announce the protocol -- called "Six/Four," after the June 4, 1989 massacre in Beijing's Tiananmen Square -- in a presentation Saturday at the H2K2 hacker conference in New York City.
The group will publish the Six/Four code on its website in early August to coincide with Las Vegas' DefCon security confab.

Six/Four combines peer-to-peer technologies with virtual private networking and the "open proxy" method for masking online identities to provide ultra-anonymous Internet access.

Article online at Wired: http://www.wired.com/news/privacy/0,1848,53799,00.html
Hacktivismo (and their code) can be found at http://www.hacktivismo.com/

***** How to: Prepare for a raid *before* it happens kendra at resist.ca *****

The RCMP raid of an ALF spokesperson's home last week got me to thinking; how would such an event impact me? What would I lose if a state agency were to raid my home tomorrow? Am I holding any data that could impact the work of other people? How soon could I get back to work if my computer, equipment and files were seized?

To most people, even activists, a police raid seems an unlikely occurrence. True, it is not something that happens on a regular basis in North American activist communities - however, that doesn't mean it never happens. As raids on both David Barbarash and Craig Roseborough show us - even speaking out in support of direct action can lead to equipment and materials seizures that can be personally and organizationally disruptive.

Activists involved in organizing demonstrations and gatherings have also found themselves on the wrong end of a search warrant in recent years. Often these warrants are gained on bogus grounds, and searches are carried out as harassment tactics or "fishing" expeditions. In the last two years, a number of searches have been carried out against activists where no charges were ever laid.

So, in the spirit of this week's events, the following tips are meant to assist you in preparing for the worst - a raid on your home, office, or infoshop.
(many of these strategies are useful in defeating surreptitious data collectors as well)

**Use scenarios to strategize: Only you know the work that you do and what specifics would be impacted in a search and seizure operation. Build scenarios for yourself - what do you need to access daily that could be seized, what is your strategy for dealing with that? Do you have other illegal items (such as drugs) that could be used to bolster police criminalization of you - do you care about things like this? Walk yourself through what you would do from the moment that the police show up with a search warrant, who you would call, what you would do immediately following the raid to inform people (if you weren't arrested). Scenario building helps you to mentally and physically prepare for an event like this - though you will never be fully ready for an invasion of this scale.

**Encrypt and wipe: All files (not just those that are sensitive) on your computer hard drive should be encrypted using a program such as PGP disk (available at www.pgpi.org). This includes cache files, email (your whole email program should be set up on an encrypted partition), image archives and text documents. Wipe all free space on your hard drive weekly using a program such as PGP or Burn (for Macs), this makes retrieving data from your drives difficult if not impossible. See http://security.tao.ca for more information on file security.

**Backups backups backups: If you lost all your data tomorrow - how would you function? Your best strategy for getting back to work (and thwarting organizational disruption), is making regular backups and storing them with a trusted friend, or in a safety deposit box not connected to you. You don't want it to be common knowledge who keeps your backups for you - as police could obtain a warrant to search that person's home for materials belonging to you as well.
Don't just back-up your computer files, but make copies of any paper files that you could not live without and store them in a sealed envelope in a safe place.

**Clean up your desktop and filing cabinets: Ever write down a password on a piece of paper and then shove it into a file? Ever write down a phone number of a person you don't want to be officially connected to? All those little bits of paper start to add up to a lot of information after awhile, especially if cleaning office isn't your strong point. Go through all the paper bits on your desk and transfer that data into a secure place (like an encrypted disk or pda), and then securely dispose of the paper. Likewise, go through filing cabinets once every few months and pull out old phone lists, research that is no longer useful or needed, and anything else you don't want the police to get their hands on.

**Know your home and its contents: Had a lot of roommates or travelling friends over the years? That means that there is a good chance that things you are unaware of have been left behind in closets. Clean up after someone stays or moves out, so you aren't storing items you don't want to be. No one wants to get caught with someone else's stolen goods or incriminating evidence - so keeping a clean house is essential.

**Your PDA and Cell Phone: Are all your phone numbers stored on your cell phone or palm pilot? Where would you get that info if the police had a warrant to seize those items as well? A back-up zip disk containing important information of this type (encrypted) should go along with your computer backups.

**Emergency numbers & Support: Keep a lawyer's number on hand, as well as the numbers of any people who would support you during and after a raid. Make sure that the people you live with know where they can get that info if necessary, and also that they know what to do in case of a raid.
If you live in a house with other activists, you should all participate in planning your security strategy and know what to do, and how to get in touch with other housemates if they aren't home.

Most important, don't forget that you should not talk to police before, during or after the raid (whether or not you are being arrested), and you should contact a lawyer for assistance as soon as possible.

Nothing can truly prepare one for a full-scale invasion of privacy such as a raid - but taking a few of these steps will help ensure that you don't compromise your own freedom or that of others in the course of your activist life.

For info on last week's raid of ALF spokesperson David Barbarash's home and support info see http://resist.ca/.archive00455.html

***************************************************************
Security-news
Good security is no substitute for good sense!
To unsub go to http://resist.ca/mailman/listinfo/security-news
***************************************************************

From security-news-admin at resist.ca Mon Aug 12 10:54:50 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Mon, 12 Aug 2002 10:54:50 -0700 (PDT)
Subject: [security-news] Bulletin #4 - August 12th, 2002
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

August 12th, 2002

There is no how-to included in this week's bulletin owing to a lack of time all around. Submissions of security how-tos are particularly welcome since they take the most time to put together - they can be sent to secure at resist.ca for inclusion in this bulletin.

**********************************
Security-news: Issue #4 - Contents
**********************************

* Security tip of the week: Dealing with police at the door
* Updates to security.tao.ca
* News & Analysis: Unleashing the FBI - Cointelpro Redux
* News & Analysis: Unions Sell Out to TIPS, Cozy Up With Government
* News & Analysis: SSL defeated in IE and Konqueror

***** Security Tip of the Week: Dealing with police at the door *****

If the police, CSIS or the FBI come to your door *without a warrant of any kind* you are not legally obligated to talk to them. Do not act suspiciously or aggressively (these things may give an officer a legal right to enter your home under grounds of "suspicion"), but do act firmly and let them know that you are not interested in talking to them. DO NOT let them into the house. Once you have invited them in it is difficult to get them to leave - and they may find reasons to come back with a warrant later on once inside. (more info at http://security.tao.ca/personal/investigations.shtml)

***** Updates to http://security.tao.ca *****

No major updates this week, but we've posted some interesting stories on the front page. We'd like more content in some of our sections, so if you feel like writing for the site, please let us know!

***** News & Analysis: Unleashing the FBI - Cointelpro Redux August 6th, 2002 (Real Audio) *****

The FBI's mishandling of leads prior to September 11th and lethargy in pursuing the anthrax killer have been widely reported. Less coverage has been given, however, to the bureau's dismissal of other acts of terrorism, death threats and assaults against US citizens, and the FBI's attempts to silence its critics.

The assault against Barbara Bocek, a case worker for a Native American tribe in Washington State, and volunteer Guatemala Country Specialist for Amnesty International is a case in point. In May this year, Bocek had been bound and gagged in her car.
After initially discrediting Bocek's account, the FBI now suggests that Jennifer Harbury, the human rights advocate whose work over the last 10 years implicated the CIA and State Department in the abduction and torture of her Guatemalan husband, is a possible suspect.

Radio story in RealAudio format at http://stream.realimpact.org/rihurl.ram?file=webactive/freespeech/fsrn20020806.ra&start="10:51.3"

Security-news note: CointelPro-like operations have never ceased, although the program was officially ended when it was exposed by anonymous document leak. One of the best sites out there for information about ongoing counter intelligence operations in the US is at http://www.derechos.net/paulwolf/cointelpro/cointel.htm

***** News and Analysis: Unions Sell Out to TIPS, Cozy Up With Government August 7, 2002 *****

NEW YORK -- A type of neighborhood anti-terror program launched by the Bush administration will be up and active this month in 10 cities across the country and some of those recruited could be neighborhood truck drivers, utility employees and train conductors.

Those are just some of the jobs taken by Teamsters union members, which has signed up to help the Justice Department with its Operation TIPS.

TIPS -- the Terrorism Information and Prevention System -- is one of the core elements of President Bush's Citizen Corps Program. The national system for reporting suspicious and potentially terrorist-related activity is predicated on the assistance of do-good local citizens who would be in positions to witness unusual or suspicious activity in public places. Volunteers will hand tips over to the Justice Department via a toll-free hotline or online.

The Teamsters union is throwing its support behind Operation TIPS not only as a means to show its nonpartisan stripes, but to lend an effort to homeland security, said Teamsters spokesman Rob Black.
Read the rest of this article at http://www.infoshop.org/inews/stories.php?story=02/08/07/2509994
also read: On the Subject of Informants http://www.infoshop.org/inews/stories.php?story=02/07/20/1282119

Security-news note: A number of people complained when this story went up on infoshop because they felt it made Teamsters unionized workers look bad, and this TIPS deal is being made by the union executive, not the workers themselves. While this is true, it is the responsibility of people inside unions and workplaces to protest the decisions of those who claim to speak for them. Unions in the US and Canada (and certainly everywhere else in the world) are ongoing subjects of investigation by state governments. Union leaders in the global South are routinely murdered for their organizing activities (and don't think the CIA hasn't been involved in some of that!). For a large union like the Teamsters to cozy up to the state security apparatus is unconscionable and a sell out to unions everywhere.

***** News & Analysis: SSL defeated in IE and Konqueror August 12, 2002 - taken from the register online *****

A colossal stuff-up in Microsoft's and KDE's implementation of SSL (Secure Sockets Layer) certificate handling makes it possible for anyone with a valid VeriSign SSL site certificate to forge any other VeriSign SSL site certificate, and abuse hapless Konqueror and Internet Explorer users with impunity.

In more detail, we have a certificate chain issue discovered by Mike Benham of thoughtcrime.org. A chain is formed when an intermediate certificate is trusted between server and client. Supposedly, the intermediate is accepted only if it's signed by the certificate authority as safe for the purpose. If it's merely signed by another certificate's key, it ought not to be trusted, or at least the user should be warned.
Unfortunately, due to a preposterous security engineering oversight, IE and Konqueror don't bother to check this, so if a tricky site owner signs an intermediate cert with another valid cert, users will be none the wiser.

To read the rest of this article - go to http://www.theregister.co.uk/content/4/26620.html

Security-news note: Apparently Mozilla is not vulnerable to this security weakness - but we're not sure about Netscape. It generally seems a good idea however to stop using Internet Explorer or Konqueror if you want to be sure that your connection is being protected by SSL (secure socket layer).

***************************************************************
Security-news
Good security is no substitute for good sense!
To unsub go to http://resist.ca/mailman/listinfo/security-news
***************************************************************

From security-news-admin at resist.ca Mon Aug 19 12:26:26 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Mon, 19 Aug 2002 12:26:26 -0700 (PDT)
Subject: [security-news] Canadian Secret Police Raid Activist's Home for U.S. Authorities
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

August 19, 2002

**********************************
Security-news: Feature Article
**********************************

Canadian Secret Police Raid Activist's Home for U.S. Authorities

Political police continue harassment campaign against Animal Liberation Front spokesperson

By David Barbarash (otter at tao.ca)
North American A.L.F. Press Office
Aug. 18, 2002

On Tuesday July 30, 9 members of the RCMP, Canada's national police agency led by Cpl.
Derrick Ross of the Integrated National Security Enforcement Team (see sidebar article, "Insidious INSET" below), executed a Search Warrant and raided my home and office in Courtenay, British Columbia. The search and seizure was carried out on behalf of law enforcement from two counties in the State of Maine, under the auspices of the Mutual Legal Assistance in Criminal Matters Treaty. Although no one was home at the time, and access to the house could easily have been gained by breaking a window or picking a lock (the latter of which they would normally do to install electronic eavesdropping devices), the RCMP felt it somehow necessary to kick in the door. The wood was shattered, the window was cracked, and the doorframe and wall were damaged, all of which made the door completely unusable. When the police completed their search at 6:30 pm, ten and a half hours after they began, they screwed in a sheet of chipboard over the doorway, leaving behind ransacked rooms, scattered files and garbage, and probably a few more bugs in the walls and ceilings. Seized from my home were both my computers, dozens of computer disks, hundreds of videos, miscellaneous photos, files, and papers, four U.S. postal mail bags, plus documents and files seized (and later returned) from previous RCMP raids. One might reasonably suspect that there was some recent ALF action of immense and costly proportions in which I was suspected of having some involvement to warrant such a cross-border raid, but in fact the incidents Kennebec and Sagadahoc County Sheriffs are investigating took place three years ago in the summer of 1999, and the damages from the relatively minor actions total no more than $8700. 
From security-news-admin at resist.ca Wed Aug 21 14:43:19 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Wed, 21 Aug 2002 14:43:19 -0700 (PDT)
Subject: [security-news] Bulletin #5, August 21, 2002
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

August 21, 2002

You know, it's been a bad couple of weeks for crypto - first the SSL problem, followed by the PGP flaw uncovered by the counterpane folks (link to that below).... fantastic reminders really that good sense rather than good technology is indeed the foundation of all activist security. We're a bit late with the bulletin this week - and apologies for that - hope you find these collected articles relevant to your struggles and campaigns.

**********************************
Security-news: Issue #5 - Contents
**********************************

* Security tip of the week: Peer to Peer Networks
* News & Analysis: War on Terror Being Used as a Fig Leaf
* News & Analysis: Camps for Citizens: Ashcroft's Hellish Vision
* News & Analysis: PGP Flaw Leaves E-mails Vulnerable
* How-to: Recognize and Counter Police Harassment in your Community

*****
Security Tip of the Week: Peer to Peer networks offer no identity security
*****

Peer to Peer (P2P) networking and filesharing systems such as KaZaa, Morpheus and Gnutella offer *no* security at all. Any other user on the internet connected to the P2P network that you are on has the ability to see your IP address and all sorts of other information about your computer. Activists should be wary of using any of the current P2P networks for group filesharing, and also recognize that even though you may choose an alias while using those systems, you actually have very little identity protection.
*****
News & Analysis: War on Terror being used as a fig leaf
August 20, 2002 - Toronto Star
*****

Thomas Walkom - THE SO-CALLED war on terrorism continues to spill into other areas. In the wake of Sept. 11, critics warned that police and government would use tough new powers to settle old scores. The critics appear to be correct. The latest case comes from Courtenay, B.C. On July 30, members of the RCMP's spanking new Integrated National Security Enforcement Team broke down the door of a man named David Barbarash. When he returned home, he found his house ransacked, his cat gone and his computers and files missing. A copy of the search warrant had been left on his kitchen table. Barbarash has long been a thorn in the side of authority. An animal rights activist, he was convicted in 1988 for vandalizing Kentucky Fried Chicken outlets in Toronto. Later, as a member of the Animal Liberation Front, he did jail time after freeing cats from a University of Edmonton research lab. In 1997, he and another animal activist were charged with sending letters containing razor blades to an odd assortment of neo-Nazis and hunting industry executives. Testimony at the subsequent Vancouver trial revealed that neither the RCMP's National Security Investigations Service nor the Canadian Security Intelligence Service had covered themselves in glory during the razor blade investigation.

To read the rest of this story - go to http://www.torontostar.com and search for the title (the url is too long to post here)

Security-news note: Like it's been said - If it can happen in Canada it can happen anywhere.... Stories of RCMP and CSIS investigations of activists, that have transgressed civil rights and overstepped all legal bounds, are numerous. It appears from this case that the RCMP's new anti-terrorist team "INSET" is little more than a puppet for US control in their war against civil liberties and freedoms worldwide.
*****
News & Analysis: Camps for Citizens: Ashcroft's Hellish Vision
LATimes Headlines
*****

By JONATHAN TURLEY, Jonathan Turley is a professor of constitutional law at George Washington University.

Atty. Gen. John Ashcroft's announced desire for camps for U.S. citizens he deems to be "enemy combatants" has moved him from merely being a political embarrassment to being a constitutional menace. Ashcroft's plan, disclosed last week but little publicized, would allow him to order the indefinite incarceration of U.S. citizens and summarily strip them of their constitutional rights and access to the courts by declaring them enemy combatants. The proposed camp plan should trigger immediate congressional hearings and reconsideration of Ashcroft's fitness for this important office. Whereas Al Qaeda is a threat to the lives of our citizens, Ashcroft has become a clear and present threat to our liberties.

To read the rest of this article go to: http://www.infoshop.org/inews/stories.php?story=02/08/14/2716921

Security-news note: not to be alarmist - but we think this is about the scariest thing we've heard in a long time. now, it could turn out that Ashcroft is just the next Ollie North, and will end his political career in crackpot disgrace - but given the political climate today (as opposed to that of the 80s), there's no telling how serious this could be. since 9-11 hundreds of people have been illegally detained in the US, and Ashcroft's plan just seems to be an extension of what is already working. resistance is imperative.

*****
PGP Flaw Leaves E-mails Vulnerable
By Ryan Naraine - esecurityplanet.com
*****

Security researchers have unearthed a flaw within the popular PGP encryption tool that could allow snoopers to decode sensitive e-mails.
PGP, or Pretty Good Privacy, is the de facto standard for encryption on the Internet and is widely thought of as invincible, but researchers at Counterpane Internet Security Inc and Columbia University say they have found a way to modify a PGP-encrypted e-mail without having to descramble it. In an advisory, Counterpane said an attacker could repackage the message and pass the modified message on to the intended recipient of the original message. It said the text within the message would appear as gibberish and could lead to a request for a resend. If the original text is included in the resend request, the adversary may be able to determine the original message.

Read the rest of this article at http://www.esecurityplanet.com/trends/article/0,,10751_1444351,00.html and check out the advisory on this at http://www.counterpane.com/pgp-attack.pdf

Security-news note: It is easy enough not to fall victim to this sort of attack. You must remember two things: 1) do not turn off data compression in your PGP or GPG client - they are defaulted on and should be left that way, as these attacks are unsuccessful against compressed data, and 2) If you receive a message from someone that appears encrypted, but you can't open it - when you email the person back to ask them for more info - do *not* include the original apparently encrypted message, as you may be unwittingly assisting someone in a person-in-the-middle attack.

*****
How-to: Recognize and Counter Police Harassment in the Community
by kendra at resist.ca
*****

INTIMIDATION AND HARASSMENT

Police harassment and intimidation of activist communities is on the increase and has been marked with a demonstrated rise in the level of aggression that law enforcement agencies have been enacting on protesters.
Recent examples of harassment and intimidation include:

* raids on activist houses and shared spaces with little pretense (bogus drug warrants and fire inspections being the two favorite reasons to search/shut down a space)
* neighbours being notified that "terrorists" live in the neighbourhood
* police showing up unannounced at the homes of activists and threatening them with physical or legal repercussions
* (if the activist is under the age of majority) police showing up to warn parents that their child is involved with dangerous groups
* police spreading lies, rumours and mistrust in the community (telling activists lies about other activists - in some cases very extreme lies)
* mass arrests of organizers prior to actions

There is a much longer list than this - and all of these situations must be dealt with very differently, but below are a few general tips on how to deal with police harassment and situations of intimidation.

General Police Hassles

***In your home: If the police, CSIS or the FBI come to your door - unless they have a warrant to search your home, or a warrant for your arrest, they have no reason to be there (in normal circumstances). You are not even legally obligated to give a police officer your name. Do not act suspiciously or aggressively (these things may give an officer a legal right to enter your home under grounds of "suspicion"), but do act firmly and let them know that you are not interested in talking to them (see the rest of the section on Interrogation for more info). If for some reason, you do talk to them for a moment - DO NOT let them in your house. Once you have invited them in it is next to impossible to get them to leave - and they are looking for anything that may give them insight into you or your housemates (to use against you later).

***In your vehicle: If the police pull you over in your vehicle you do have to give them your name, address, licence and registration.
Again, being polite and efficient is the key here to keep yourself from being searched. You do not have to tell the police where you are coming from or where you are going to, or any other information that does not pertain to your vehicle and its safety on the road. DO answer any and all questions about your vehicle that the officer might ask.

***On the street: If you are under arrest - a police officer must tell you so. Otherwise, you do not have to give the officer your name or address and you have the right to walk away at any time. The only exception to this is if you have committed a non-arrestable offence and they want to serve a summons on you or give you a ticket. They must tell you this is the case.

***In a public activist space: Spaces such as warehouses or offices are in a different category than private residences and thus are open to inspections by the city or the fire department. In many cases the police request that the fire dept. do a safety inspection or that the city go in to ensure that the building is safe etc. There is very little that you can do in this case other than deal with the inspector(s) politely and show them what they want to look at. A group should designate one or two people to speak with the inspector and limit it to that. The people speaking for the group should be very familiar with the space itself and any renovations or work that have been done there since taking occupancy. Necessary permits should be stored in one easy-to-reach location in case they are required. Keep drugs and weapons out of activist spaces as a general rule as they are prone to search.

Generally, to stop and search you, or your vehicle, a police officer must give their grounds for having reasonable suspicion that drugs, offensive weapons or stolen goods are on your person, or in your vehicle, or that a Breach of the Peace is going to occur. You cannot be searched on private land unless you are a trespasser.
In public places they can only search outer clothing, more thorough searches must be made out of sight, in a police van or station. Reasonable minimum force may be used to effect a search. In practice it can be hard to stop the police searching you when there are few witnesses about but stay calm and confident and they may back down.

Community Response

Overall community harassment, which includes the spreading of lies by police officers and covert agents, the sowing of mistrust among neighbours, threats and intimidation etc. can be fought by strengthening our political communities considerably. Activists must learn that law enforcement and the media are generally not telling the truth and that unless they know information first-hand, it is not to be believed coming out of a police officer's mouth. Practising good security culture is an essential part of this. Activists must resist the temptation to spread rumours or to speculate on the actions or crimes of other activists no matter what the situation as it only feeds mistrust in the community allowing police agents to exploit these weaknesses and divide us from each other.

Inside our physical communities, it is important to interact with neighbours when it makes sense to do so. Your next door neighbour is a lot less likely to believe the police who say you're a terrorist if they are coming to your monthly vegan potlucks (for example)! Activists must work to be fully integrated in their communities so that if something does happen, they are not isolated from where they live. Living in areas that have good community support networks is essential to not only building activism but protecting it from outside intervention.

Most of all, it is important for the political community to discuss harassment when it is happening. Make sure that incidents of police harassment are discussed in the wider community and that there are strategies in place for verifying information and strengthening trusted networks.
COPWATCH

COPWATCH organizations can be an excellent vehicle for having community discussions and organizing neighbourhoods to stand up to police harassment - esp. in areas where police bullying affects large numbers of people. Following and documenting (with cameras and other witnesses) officers conducting their "rounds" (such as community sweeps, and routine harassment of street people) can be an extremely effective strategy as it lets the police know that you are watching them as much as they are watching you. In more than one case, COPWATCH campaigns and spontaneous incidents have led to police backing off of a targeted neighbourhood (at least for a short period of time).

Remember, if you confront officers in these situations (or are acting as a witness to harassment), make sure that you do not get in their way physically, or touch them in any way - as this can lead to charges of obstruction and assault. As well, you shouldn't go out and do COPWATCH activities on your own, but with a group, to protect your own personal safety. For more information on COPWATCH organizations, check out http://www.copwatch.com/

Above all, be empowered and intentional in your actions and you will find it much easier to stand up against police harassment - Be conscious about your reasons for being an activist and use that consciousness to stay strong in bad situations....

that's it for this week... as always, send how-to suggestions and other relevant info for inclusion in this bulletin to secure at resist.ca.

***************************************************************
Security-news
Good security is no substitute for good sense!
To unsub go to http://resist.ca/mailman/listinfo/security-news
***************************************************************

From security-news-admin at resist.ca Tue Sep 3 08:20:39 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Tue, 3 Sep 2002 08:20:39 -0700 (PDT)
Subject: [security-news] Bulletin #6 - September 3,2002
Message-ID:

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

September 03, 2002

We've had a few comments this week that not including the *whole* article in these bulletins means that folks with patchy web access don't get to read the whole thing.... so from now on we're going to be including full-text articles in these bulletins where possible. That makes it a bit longer, but it also means that you don't have to leave the comfort of your email client to get the full scoop. Hope you enjoy the reading this week - by far the scariest thing we've come across lately is the article (included) on changes the Canadian government wants to make to digital access law. If anything is a legacy of September 11th - it's regressive legal changes like that (and the PATRIOT Act, and Bill C-36, and the list goes on and on).

**********************************
Security-news: Issue #6 - Contents
**********************************

* Security tip of the week: Mobile Phones
* News & Analysis: FBI on the Run (EF!J Interview with Darryl Cherney)
* News & Analysis: Will Canada's ISPs become spies?
* How-to: Conduct secure research and investigations

*****
Security Tip of the Week: Mobile Phones
*****

Mobile phone tips adapted from - http://secdocs.net/manual/lp-sec/. Mobile phones can be used to track movements, and used as listening devices. Tips for mobile phone use include:

* If in doubt, turn it off.
* If travelling to a sensitive location, in an urban area do not use your phone within two or three miles of the location, or in rural areas do not use it within ten or fifteen miles of the location. This will prevent the creation of a trail that associates you with that location on that day.
* If the location you are going to is nowhere near a route you regularly travel, turn off your phone before you start your journey there.

*****
News & Analysis: FBI on the Run (Earth First Journal Interview with Darryl Cherney)
June-July Issue Earth First! Journal
*****

The afternoon of June 11 will not soon be forgotten by Darryl Cherney, the Earth First! legal team nor their ardent supporters. It was on this day that a federal jury returned a verdict in favor of Earth First! activists Judi Bari and Cherney in their historic lawsuit against four FBI agents and three Oakland Police Department (OPD) officers (see EF!J June-July 2002).

The night before they made their final decision, at least one juror prayed to God to help her do the right thing. Mary Nunn would later recall that after listening to the testimony, she believed that the FBI and OPD had clearly lied about their investigation. "I'm surprised that they seriously expected anyone would believe them," she said. Feeling that the FBI lacked any credibility, the jury awarded nearly four-and-a-half million dollars in damages to Bari and Cherney for violations of their First and Fourth Amendment rights.

Through this verdict, a clear message has been sent to the FBI that it does not have free rein to trample people's civil rights, whatever political views an individual may hold. In this moment, with the tables turned, the FBI is on the run. And with this huge victory in his pocket, I jumped at the opportunity to talk with Cherney about the trial, its relevance to the movement, how he endured such an exhausting process and what his future holds.
EF!J: After anticipating this day for 12 years, word reaches you that the jury had arrived at a verdict after three weeks of deliberation. It is said that those minutes when you are called into the courtroom - when you know the jury has come to a unanimous decision, and you are merely waiting for it to be announced - are the longest moments in the entire legal process. What was your gut feeling that day, prior to the verdict being read?

DC: My gut feeling was always that the jury would never rule in favor of the FBI and OPD. The lies that the OPD and FBI told about Judi Bari and myself were legion, obvious, and they were just not going to fly in the face of, really, any reasonable person on any jury. All of the signs indicated that we were going to prevail. When the jury spent that long deliberating, it meant that they were giving very careful thought to the charges we filed. If the jury had come back with a decision in two or three days, we would have been worried. But after three-and-a-half weeks, it was clear that this was an intelligent jury that wanted to do the right thing. My greatest fear was that the jury might come up with a hung verdict - that the reason they were taking so long was that they were arguing and couldn't reach a decision. A hung verdict would have been worse than a defeat because then we would have had to try the whole thing over again. Let me assure you that spending six weeks in court with the FBI is a profoundly unpleasant experience. Even though our lawyers got to call the FBI and OPD officers liars on the stand, and even though great gobs of truth were revealed on the record, it was still a very dismal experience being in a federal courthouse, in a windowless room, with a bunch of really hostile, mean-spirited agents and cops - who probably would just as soon take out a gun and shoot you long before they would ever dream of upholding the US Constitution.
EF!J: It is true that many people have been stunned by the magnitude of the verdict and the jury's courage to deliver such a strong message against the FBI. What do you believe Judi would have to say in response to the verdict if she were alive today?

DC: It is always dangerous terrain asking and answering the question: What would Judi do? However, on one hand, Judi would be absolutely pleased as punch that we won and that we brought six out of seven agents to justice. On the other hand, Judi Bari would say, "Get Richard Held. Held's next." She passed away before Judge Claudia Wilken dismissed Richard Held from this lawsuit. Ultimately, the judge dismissed six of the FBI agents we had charged, including all of the top brass. Judi would have been outraged by that. Not speaking for Judi, but speaking for myself, I can tell you that the victory was bittersweet and melancholy. We received a modicum of justice, but having to wait 12 years to receive a small bit of justice is too long in a democracy. During that entire time, the old expression came to mind: Justice delayed is justice denied. So really, Judi would acknowledge the inadequacies of the court system, and she would point out that the court system allowed the real culprit, Richard W. Held - a COINTELPRO architect and possibly the man next in line, at the time, to become the director of the FBI - off the hook.

EF!J: With striking implications for the Earth First! and global justice movements, can you share your thoughts on what the verdict means to the movement's future?

DC: First of all, it means that the movement can fight back. We don't have to take this crap from the FBI. I can tell you that the FBI probably finds nothing in the world more distasteful than to pay any activists in the Earth First! movement four-and-a-half million dollars. That, in and of itself, is very sweet.
Now we haven't exactly gotten that money yet, and it might be years before we see a penny, nevertheless the concept is probably driving the FBI up the wall. Secondly, it shows that Earth First! was targeted by the FBI, and that we are victims of FBI terrorism, as opposed to being terrorists ourselves. That the real terrorists are in government. This news is certified in the record, and the FBI is going to have to live with that no matter what. It also shows that 10 members of the American public can look at Earth First! and look at the FBI and OPD and make a decision that the Earth First! activists were trustworthy and that the police officers were not. And, may I say, that the issue of monkeywrenching dominated this trial. In fact, when I was on the stand, I defended the concept and practice. Quotes from both Judi Bari and myself - either advocating monkeywrenching, talking about monkeywrenching workshops or praising the monkeywrenching that other folks have done - were brought into evidence repeatedly. The jury saw that, and they still ruled in our favor.

EF!J: Was there an instant during the trial, with all of its unforgettable stories, that particularly stands out in your mind?

DC: If one day stood out beyond all others, it was the day that the jury got to walk outside, beneath the sunny skies, and look at the bombed car. I think another highlight was Judi Bari's video testimony, which really brought the jury to tears and also showed how thoughtful and honest Judi was. The jury got to hear over and over again how Judi Bari - a single mother of two children and an advocate of nonviolence - allegedly took a pipe bomb, stuck it underneath her driver's seat and then went cruising through the streets of Oakland as if it was nothing. With eight members of the jury being women, it seemed very clear that they knew, as mothers and as women, that Judi Bari would never do such a thing.
And to see the car itself and to see how the bomb ripped through the sheet metal, blew out the windows and blasted out the door in the front, really made an impression on the kind of violence against Judi Bari that this bomb perpetrated.

EF!J: Do you wish anything could have happened differently?

DC: I would have done a few things different. One, we would have brought the DNA evidence into trial. The judge limited our time so drastically that we had to start bailing things out of our ship in order to stay afloat during our limited time schedule. So we did not present the fact that we had genetic material that traced a fake Earth First! press release to Candy Boak of Boak Logging. She's a subcontractor to Pacific Lumber. We also matched a police informant letter to a death threat. We could have shown the jury that solving this crime could have been a lot easier than the FBI and OPD made it out to be, but we didn't present that material. That's a regret. On the witness stand, I sang "Spike a Tree for Jesus." Some Earth First!ers may be very proud of that, others may hold their mouths agape in horror. I was planning on singing "Who Bombed Judi Bari?", but the FBI essentially made a motion that limited the song I sang to one of three songs. My lawyer, unfortunately, didn't fight hard enough to try to allow me to sing "Who Bombed Judi Bari?", and so we boxed ourselves into a corner and I wound up singing "Spike a Tree for Jesus." If I had it to do all over again, I would have sang "This Monkeywrench of Mine."

EF!J: It seems like the trial must have provided subject material for new songs. Do you have any ideas about what we might expect as a creative outcome?

DC: Toward the end of this year, I plan on writing a book about the story of the campaign to save Headwaters Forest. I plan on recording two more CDs, one of original music and one of parodies I've written. When I create my next album, I do plan on having some new material.
The trial was laden with humor and with creative inspiration. In fact, I've developed a new career as an improvisational stand-up comic. Almost every week, I'd get up on a stage to do a trial update and sort of spontaneously, I just started doing stand-up comedy lampooning the FBI and OPD. It wasn't hard. Musically, I see the trial as being an incredible song. But as of this moment, I haven't had a single second to myself to rest, relax and compose my thoughts. So I do plan on taking a year to archive the history of what we've experienced, both through songs and literature. I also hope to make a movie.

EF!J: Let's talk about the stamina needed to endure such a tedious, drawn out process. The determination of yourself and the legal team certainly deserves recognition. What kept you going throughout the trial?

DC: When I first moved to Humboldt County, I made a pledge to myself that if I was going to start a campaign to take on Charles Hurwitz and to protect some ancient redwoods, then I would see that campaign through to the end. Of course, I didn't think the Headwaters campaign was going to take at least 16 years. I didn't think that we would get bombed and have a lawsuit that would take 12 years. When it comes down to the stamina to endure the six weeks of trial and the three-and-a-half weeks of jury deliberation, I can attribute it to the incredible support team and network that backed this trial up. And of course, we had the inspiration of Judi Bari, who was a very magnetic personality and charismatic leader. I will use the word leader. She led a lot of people to do the right thing by example. That is what leaders do: they lead by example, not by telling other people what to do. I think there was just the moment itself - that we had to get through this; that we worked all this time. You know, hardship has been endured for lifetimes, whether you are a Palestinian refugee living in a decrepit camp or whether you're a spotted owl looking for a home.
Lasting six weeks through a trial is relatively mild compared to the suffering that people and creatures go through in this world. Putting it in perspective really helped me get through this. Then, our lawyers were thoroughbreds; they were like racehorses. They were built for the long haul. Alicia Littletree, who lived with Judi Bari off and on for seven years, was the Zen paralegal. Nothing would faze her. If anybody ever saw the movie White Men Can't Jump with Woody Harrelson, Alicia was in the zone. So I think a lot of things kept this lawsuit together for that entire time. What actually almost broke our spirit was the jury deliberation. People were going pure nuts with nothing to do. Waiting was much harder on the psyche than going through the trial. Earth First!ers aren't used to doing nothing.

EF!J: In hindsight, now that this hurdle has been crossed, how do you believe this has changed you, either for better or worse?

DC: In so many ways, I'd rather be known as the person who helped protect a portion of Headwaters Forest than the person who got bombed and almost framed by the FBI. I'm getting a lot of recognition now for being part of a team that defeated the FBI. I'd rather be known as a preserver of wilderness. Nevertheless, the learning experience has been profound. For starters, we learned that environmentalism and civil rights overlap because the civil rights of environmentalists are being violated. And so, in a sense, we have become civil rights activists in part whether we want to be or not. I'm a biocentrist, a deep ecologist and an Earth First!er, but gosh darn it, all of the sudden I've had to wage a civil rights battle in order to defend our movement. The other learning experience has involved just seeing the inner workings of the FBI and understanding the kinds of infiltration that actually take place, as opposed to the kinds we imagine in our paranoid states.
Seeing how incompetent they are, how corrupt and criminal they are from a front row seat -- it has been an incredible education. One more thing is that even though we won, this trial kicked my ass. It really humbled me tremendously. It broke me on many days, on many levels. I did manage to maintain my composure for the four-and-a-half to five hours we were in court every day. But I had many distressing moments during the remaining parts of the day. I learned my own breaking points, my own vulnerabilities. And I learned that as much as I would like to lead by example, that I am terribly human and very imperfect even in the middle of the World Series of lawsuits. I made errors. I struck out. I got into a brawl on the mound. I don't feel particularly bad ass or on top of the world having won this case. I feel very humbled and incredibly grateful to our lawyers, our paralegal team, all of our supporters and to the jury.

EF!J: While our movement continues to put this into perspective and figures out what comes next, I am wondering if you have any last words that you'd like to share with Journal readers?

DC: So many people have walked up to me and expressed the deepest kind of gratitude. And I have to say that took me back a little bit. I knew people would be happy and celebratory, but when we said we were waging this lawsuit for all the people who had ever been attacked by the FBI, I didn't fully understand how personally people really took that to heart -- that people really did feel that we were fighting this for them. I also want to say that if anything highlighted the trial in the bigger sense, it was the degree to which the FBI lied along with the OPD. The degree to which they really thought these lies were going to be believed. The fact that they just weren't used to being held accountable. The absolute shock that they felt when they lost told me how out of touch they are. But at the same time, I realized how much it is really the FBI that's a threat to our national security.
In this case, I saw how Earth First! has really become the defenders of our national security. What is our national security but the land we live on, the air that we breathe, the water we drink, the forests that modify our climate and all the wonderful things that the Earth provides us? Something I've said many times, and I'll say it again to the Earth First! Journal readers: Earth First! was blockading the FBI from clearcutting the constitution. I think that we can all rest a little bit easier knowing that when given an opportunity to look at the FBI up close, the jury of our peers, of average Americans, chose to believe Earth First! over the FBI.

The lawsuit saga continues on November 1, when the next court hearing is set to rule on the post-trial motions. The FBI has indicated that it is going to appeal. Cherney and the Earth First! team have also mentioned that they plan to appeal a number of issues, including the dismissal of the FBI's top brass and Richard Held. Whether or not the FBI will want to have its horns locked with Earth First! for several years to come is a question the FBI needs to be asking itself and remains to be seen.

***** News & Analysis: Will Canada's ISPs become spies? By Declan McCullagh http://news.com.com/2100-1023-955595.html *****

WASHINGTON--The Canadian government is considering a proposal that would force Internet providers to rewire their networks for easy surveillance by police and spy agencies. A discussion draft released Sunday also contemplates creating a national database of every Canadian with an Internet account, a plan that could sharply curtail the right to be anonymous online. The Canadian government, including the Department of Justice and Industry Canada, wrote the 21-page blueprint as a near-final step in a process that seeks to give law enforcement agents more authority to conduct electronic surveillance.
A proposed law based on the discussion draft is expected to be introduced in Parliament late this year or in early 2003. Arguing that more and more communications take place in electronic form, Canadian officials say such laws are necessary to fight terrorism and combat even run-of-the-mill crimes. They also claim that by enacting these proposals, Canada will be following its obligations under the Council of Europe's cybercrime treaty, which the country is in the process of considering. If the discussion draft were to become law, it would outlaw the possession of computer viruses, authorize police to order Internet providers to retain logs of all Web browsing for up to six months, and permit police to obtain a search warrant allowing them to find "hidden electronic and digital devices" that a suspect might be concealing. In most circumstances, a court order would be required for government agents to conduct Internet monitoring. Canada and the United States are nonvoting members of the Council of Europe, and representatives from both countries' police agencies have endorsed the controversial cybercrime treaty, which has drawn protests from human rights activists and civil liberties groups. Of nearly 50 participating nations, only Albania has formally adopted, or ratified, the treaty. Michael Geist, a professor at the University of Ottawa who specializes in e-commerce law, says that the justification for adopting such sweeping changes to Canadian law seems weak. "It seems to me that the main justification they've given for all the changes is that we want to ratify the cybercrime treaty and we need to make changes," Geist said. "To me that's not a particularly convincing argument. If there are new powers needed for law enforcement authority, make that case." Geist added that "there's nothing in the document that indicates (new powers) are needed. I don't know that there have been a significant number of cases where police have run into problems." 
Probably the most sweeping change the legal blueprint contemplates is compelling Internet providers and telephone companies to reconfigure their networks to facilitate government eavesdropping and data-retention orders. The United States has a similar requirement, called the Communications Assistance for Law Enforcement Act, but it applies only to pre-Internet telecommunications companies. "It is proposed that all service providers (wireless, wireline and Internet) be required to ensure that their systems have the technical capability to provide lawful access to law enforcement and national security agencies," according to the proposal. Companies would be responsible for paying the costs of buying new equipment. Sarah Andrews, an analyst at the Electronic Privacy Information Center (EPIC) who specializes in international law, says the proposal goes beyond what the cybercrime treaty specifies. "Their proposal for intercept capability talks about all service providers, not just Internet providers," Andrews said. "The cybercrime treaty deals only with computer data." EPIC opposes the cybercrime treaty, saying it grants too much power to police and does not adequately respect privacy rights. Another section of the proposal says the Canadian Association of Chiefs of Police recommends "the establishment of a national database" with personal information about all Canadian Internet users. "The implementation of such a database would presuppose that service providers are compelled to provide accurate and current information," the draft says. Gus Hosein, a visiting fellow at the London School of Economics and an activist with Privacy International, calls the database "a dumb idea." "Immediately you have to wonder if you're allowed to use anonymous mobile phones or whether you're allowed to connect to the Internet anonymously," Hosein said. 
A representative for George Radwanski, Canada's privacy commissioner, said the office is reviewing the blueprint and does not "have any comments on the paper as it stands." Comments on the proposal can be sent to la-al at justice.gc.ca no later than Nov. 15.

Security-news note: The full text of this proposal and instructions on how to participate in the consultations are available online at http://www.canada.justice.gc.ca/en/cons/la_al/ - read it and comment before the November 15th deadline.

***** How To: Conduct Secure Research and Investigations kendra at resist.ca *****

No matter what type of action you are planning, there is a good chance you don't want a corporate or government official to identify you as the person doing the research. On more than one occasion, research records have been used to track people back to specific events, largely because the individuals have not been aware of how their digital & physical trails lead to them. Over the past few years, with the digitization of all forms of data, this danger has increased - not only because so much research is being conducted online, but because library & other database-driven request systems are now linked and easily accessible by law enforcement. The following tips are important to keep in mind if you have a vested interest in keeping your connection to some research or a later action private. For more information on general research and security, see http://security.tao.ca/personal/saferesearch.shtml. The key thing is not to leave a document trail (digital or physical), and the following tips are designed not to give an exhaustive run-through, but to highlight some of the issues you should be thinking about when conducting secure research.

1) Who bought those books and materials? Don't use your credit or debit cards to make purchases related to your research. These can be used later by law enforcement to construct patterns of reading and also timing between research and actions.
2) Watch those library records. During the Gulf War (1991) Canadian law enforcement pressured libraries to turn over records of what Canadians of Arabic background were reading. We're pretty sure that in these heightened days of "national security" these practices continue. Read the book in the library and make sure you are not on CCTV while you are doing it.

3) Securely surf the internet. If you must conduct your research from home (which is up to your discretion), make sure you are doing it securely. ALWAYS use a proxy when doing web research, make sure your history files and caches are purged, and wipe your hard drive regularly. If you go out to an Internet Cafe or other location to do research, don't use places that ask for ID or sport CCTV cameras, and make sure the screens are well-shielded from prying eyes. Please check out http://security.tao.ca for more information on each of these topics.

4) FOI/ATIP (and other government) Requests. These are traceable because they require your full legal name and address. It is possible to do these using a false name and PO box, though it can depend from agency to agency (some require ID to pick up data from them). If you are able to do this using a PO box, make sure that box is not linked to you.

5) Telephone when possible, written requests provide clues. Phoning from a *payphone* is better than writing a letter requesting information. Letters provide a document trail and tools for later analysis, telephone calls do not always - it is still unusual for phone calls to most government agencies and corporations to be automatically recorded. Make sure your timeline is appropriate if placing information-related phone calls.

6) Physical Research. Need to do recon on a building or location? That's a whole other how-to (that we'll be doing in the future). Suffice to say that you want to do this with utmost caution, practice active counter-surveillance and steer as clear as possible from cameras.
Appearance altering is obviously a good course of action in these instances.

7) Secure Storage. Don't leave your collected data lying around where anyone can read it. A locked filing cabinet in your home is *not* secure storage (you know how easy it is to pick those?). You may opt for off-site storage if the data is particularly sensitive - which is a judgement call. Electronic data should be stored securely on a palm pilot or laptop if possible (something that rarely leaves your personal possession), and encrypted using PGPdisk or other disk encryption tools. Never leave data on an unencrypted hard drive or within a network if you don't want anyone to access it.

8) Timeline. It's a good idea to leave some time between the research and the action itself. This counts especially if you have been on the phone or doing reconnaissance on physical locations, and someone could remember you. Again, it's your call, but distance of a few months can assist in helping people forget that they talked to or saw you.

9) Destroy Destroy Destroy. Normally when conducting research the principle is to document every little thing - but in the case of secure research you want to follow a principle of destroying any data or research linked to an action. Secure destruction includes burning paper documents in a safe area, wiping hard drives clean, and purging any cached information. In addition, destroying floppy disks, CDs, or other portable media used to carry information is extremely important. Don't just write over them - destroy them as completely as possible and throw the pieces out separately so that disks and data can't be reconstructed.

As always the degree to which you take security should be proportional to the value and sensitivity of the data you are collecting. Doing research for a public demonstration usually requires a different security level than doing research with the intention of carrying out more covert activities.
If you have any tips on secure research to share, please email secure at resist.ca so they can be included in further updates and on our websites. *************************************************************** Security-news Good computer security is no substitute for good sense! To sub or unsub - http://resist.ca/mailman/listinfo/security-news *************************************************************** From security-news-admin at resist.ca Mon Sep 16 16:47:52 2002 From: security-news-admin at resist.ca (security-news-admin at resist.ca) Date: Mon, 16 Sep 2002 16:47:52 -0700 Subject: [security-news] Bulletin #7 - September 16, 2002 Message-ID: <20020916234752.GA14846@resist.ca> *************************************************************** Security-news A security bulletin for autonomous resistance movements Produced by the folks who bring you http://security.tao.ca *************************************************************** September 16th, 2002 Far be it from us to promote a right-wing rag like the Economist, but there is a really interesting article in the August 31st edition of that magazine about the crackdown of civil liberties in the US and around the world. The best thing about the article is the world map diagram that shows what laws have been changed and where in the world repression has increased. We have scanned the picture and posted it at http://security.tao.ca/post911legal.jpg for y'all to check out. 
********************************** Security-news: Issue #7 - Contents ********************************** * Security tip of the week: Bug Checking * Updates to security.tao.ca * News & Analysis: Colorado Activists Look at Police Files * News & Analysis: Aussie Cops Flex Their New DNA Powers * How-to: Discover a vehicle tracking device ***** Security Tip of the Week: Bug checking ***** High-tech bug checking devices may seem interesting and useful, but more often serve the purpose of giving a false sense of security rather than actually proving that an office or dwelling is bugged. Line-tap checkers are equally useless, particularly in the face of "legal" taps (those done via warrant at the switch source). Practicing common sense when speaking in a dwelling, office, vehicle, or on the phone - is the only way to defeat planted monitoring devices - one should always assume the walls have ears. ***** Updates to security.tao.ca ***** At the top of the index page, there is now a link to the current security bulletin which will be kept current, so you can always check out the site for the latest activist security-news. ***** News & Analysis: Colorado Activists Look at Police Files Associated Press, September 4 2002 ***** DENVER (AP) - Holding the just-released 18-page file that had been secretly compiled on her by police, activist Barbara Cohen smiled and shrugged her shoulders. "Don't I look like a dangerous criminal?" the barely 5-foot tall, 53-year-old gray-haired legal secretary asked. About 200 people crowded the lobby of Police Department headquarters Tuesday after officials opened 3,200 "spy files" on local activists and organizations. City officials have conceded police went too far when they began documenting individuals and groups some three years ago. Mayor Wellington Webb, himself the subject of police surveillance when he was a young activist, has condemned the practice. He said it violated city policy. 
Many who waited for up to an hour to see their file received papers that still smelled of black marker where police had deleted the names of people linked to them. Some of these files, which were categorized by groups, individuals and incidents, contained inaccurate information, some said. Cohen, who belongs to the group End the Politics of Cruelty, said she is considering a lawsuit after police linked her to a motorcycle group she never heard of. News that religious and peace groups were among those placed under surveillance since about 1999 drew charges of police misconduct, an investigation by a three-judge panel and the decision to let some people see their files before the reports are purged. Mark Silverstein, legal director of the Colorado chapter of the American Civil Liberties Union, had a file for speaking at a rally in February 2000, which he insisted he didn't attend. "It sounds like I ran my mouth off at a rally, but I wasn't there," he said. The American Friends Service Committee, a Quaker group and a Nobel Peace Prize winner, was listed as a criminal extremist group by police, according to the ACLU. So was the Chiapas Coalition, which supports the Mayans of the Chiapas state in Mexico where there have been guerrilla uprisings. Amnesty International was listed as a civil disobedience group. Some officers were not properly trained in intelligence gathering and some people and groups may have been misclassified as criminal extremists, said C.L. Harmer, spokeswoman for the Department of Safety, which oversees the police department. The system has been examined by outside auditors and training is under way, she said. Criminal intelligence gathering, however, remains an important police tool, Harmer added. "As we approach 9-11, I think it reaffirms the legitimate use of legitimate criminal files," she said. Records of people not suspected of crimes will be released to those people, then purged after Nov. 1. 
However, the city attorney's office will keep copies of all files, including those eliminated by police. The names of people or groups considered legitimate targets of surveillance, as determined by an outside auditor, will remain in the files and won't be released. Security-news note: The only thing at all unusual about this case is that the state admitted to some wrong-doing. There are numerous examples of state, provincial and federal government agencies spying on agencies as "radical" as christian peace groups and legal entities such as trade unions. We find it interesting that while the police have been ordered to destroy these "wrongful" files, the state attorney's office will be keeping copies of them... doesn't sound like the government is making much of an apology for several years of ill-informed and heavy-handed data collection. Oh well, 9-11 certainly justifies it... doesn't it? ***** News & Analysis: Aussie Cops Flex Their New DNA Powers posted by ABC Melbourne to infoshop.org, September 03 2002 ***** Police in Victoria (Australia) have announced that they will be forcibly collecting DNA from almost 4000 ex-offenders living in the community. Under draconian new laws that were passed in May, those ordered to give their DNA will be arrested if they fail to do so once a four-week deadline has expired. Once in police custody they will be given a second chance to provide a sample. If they still refuse, the police are now legally entitled to use so-called "extraction teams" to remove prisoners from their cells and forcibly restrain them while a nurse takes a blood test. All testing will be videotaped and the police are banned from taking samples, apparently this has to be done by a nurse. But the testing will be conducted at police stations in the presence of police. 
Apparently the samples will then be placed in "tamper-proof" containers and sent to the Victorian Forensic Science Centre where they will be matched against the Victorian DNA database of unsolved crimes before being passed on to the Federal Government's "CrimTrac" system. People who will be forced to comply with this violation of their human rights are any persons who have been convicted of a list of 36 serious offences. What all of these offences actually are has not been made public yet; what is known so far is that anyone convicted for murder, arson, burglary, serious assault, rape and drug offences will be forced to give DNA. Information has not yet been provided as to what type of 'drug offences' the new laws will target. It is worth pointing out that the last time mass DNA testing took place in Victoria, it took place in the prison system. This testing was done illegally; however, the government moved swiftly to change the law and to backdate it, meaning prisoners were left without a legal leg to stand on. A great majority of the prisoners who were forced to provide DNA were not 'serious offenders' as the police and media would have us believe but mainly those convicted of drug-related crimes against property. No doubt this will be the case once more.

***** How to: Discover a vehicle tracking device Taken from portland.indymedia.org, September 9, 2002 *****

(This isn't really in how-to format, it actually comes from an email to a list of technical security professionals - but it provides enough info so that you know what to look for)

Summary: Spooks commonly use tracking devices installed in private vehicles to monitor travel and associations of individuals. This detailed description of vehicle tracking devices and their installation reveals just how it's done!

Weblink: http://cryptome.org/track-this.htm

To: tscm-l at yahoogroups.com
From: "Greg H. Walker, Attorney At Law"
Date: Fri, 06 Sep 2002 10:17:59 -0500
Subject: [TSCM-L] Re: Tracking device detection

Dear Group:

I am a major user of RF tracking devices which just sit and wait for a signal to respond and then their response is done so in a burst of about 20 microseconds. In 5 years of using these devices I have never had one found that was installed inside of the interior of the vehicle and the cars have been in for repairs of every kind and nature, including electrical repairs. We have had them on police cars (for the internal affairs people) and on former military counter-intelligence people (marital). Steve and James are so correct when they say that only a really well trained TSCMer will find them -- anybody else trying is just lucky if they find one because of the very short burst -- some of our units are queried every five minutes and others every 30 minutes and the schedule changes from time of day and the day of the week depending on what we expect the vehicle to be engaged in. We have had PI's with their toys try to find them, but never a hardcore TSCM professional. Since I never see anyone on this list within my operating area let me give you some information. We install the unit inside of the vehicle and actually take the interior apart to put them in underneath the plastic panels that make up modern vehicle interiors, on rare occasions we will put the unit in the trunk back near the wall separating the trunk and the passenger compartment, but on the side panels. A favorite place in a truck is in the passenger's side front kick panel. Some vehicles also lend themselves nicely to taking out the glove box and putting them deep inside of the dash. On SUV's we often put them to either side of the large tailgate type back door. We have been forced to put them under the back seat, our least favorite spot and usually carve out some of the foam in the seat to slip the unit into.
The units will have two wires coming from it, one will be a coaxial cable which is the antenna (there is the unit and the antenna and the unit can go darn near anywhere where it can be concealed, but the placement of the antenna is absolutely key). Our preferred spot is to bring the cable up a sidepost of the vehicle nearest where we put the unit and then put the antenna between the headliner and the metal roof with the working end of the antenna (our antennas are either a flat square or flat round and are about the size of a 3-1/2 inch floppy disk and about 1/2 inch thick) pointing down into the passenger compartment so that the burst will have plenty of glass to exit through. In some instances we have had to put them underneath the shelf between the back seat and the rear window and on occasion in a side panel itself and once or twice high up into the dashboard (usually a van or large truck without a headliner). By the way, you usually cannot find the antenna by palpating the headliner or even visually examining the headliner because today headliners are thick and foam padded. 
The second wire will be a power supply wire and it will either go to a battery set (ours are specially made and shrunk wrapped in a heavy black plastic -- we have two sizes one consisting of 8 D size regular alkaline batteries, usually Duracell, and the other consisting of, as I recall (I can't find one to look at right now) 16 2/3 AA lithiums -- quite expensive and also specially built and shrunk wrapped) or it will go to the vehicle's own power supply (which is what we do almost 100% of the time today) {Steve and I have a friendly difference of opinion on the legality of this, however, since under Texas law we have to have the permission of an owner or lessee of the vehicle to even install the device it includes the consent to connect to the vehicle electrical system} -- we will connect either to a full time live wire near where the unit is placed or we will run a wire under the carpet, side molding, etc. to the fuse box and we have a special little hook like thing that fits into the fuse box underneath a regular fuse and is difficult to detect. On rare occasions we have gone direct to the battery. Since most of our installations last a month or more we prefer the hardwire so we don't have to keep getting the vehicle back to change battery packs. We have some installations that go on for a couple of years. One of the problems with the battery packs is their life span (the D packs if queried every 15 minutes 24/7 will last anywhere from 12 to 14 days depending on how hot the area where they are placed gets (down here in Texas the Summer heat reduces their time by about one day); the 2/3 AA lithiums run about the same length of time, but we only trust them for 10 to 12 days). The lithium packs are small about 2-1/2" wide by 5" long and 1/2" thick and are light weight, but they are very expensive -- the D packs are bulky and heavy.
I use a commercial radio shop that does fleet radio systems to make my installs because they understand RF technology and are good at disassembling and reassembling interiors of vehicles. I do not recommend that anyone use a car stereo shop or a mobile phone shop. I hope that this is of help to true professional TSCMer's, again, Steve and James are correct, leave this to true professional TSCMer's they know what to look for and have the correct equipment. Greg H. Walker, ARM* Attorney At Law President RisKontroL -- Risk Management, Security Consulting & Investigations Houston, Texas (713) 850-0061 * Associate in Risk Management Designation (Insurance Institute of America's Center For Advanced Risk Management Education) WARNING NOTICE BY GHW: Greg H. Walker's comments are not intended to be and should absolutely not be taken as legal advice. Unless you have entered into a specific written agreement with him for legal services, signed by both you and him, and paid him a retainer in good funds, then he is not your Attorney, does not intend to be your Attorney and you should not act nor refrain from acting based, in whole or in part, on his comments. *************************************************************** Security-news Good computer security is no substitute for good sense! 
To sub or unsub - http://resist.ca/mailman/listinfo/security-news ***************************************************************

From security-news-admin at resist.ca Mon Oct 7 13:53:57 2002
From: security-news-admin at resist.ca (security-news-admin at resist.ca)
Date: Mon, 7 Oct 2002 13:53:57 -0700
Subject: [security-news] Bulletin #8 - October 7th, 2002
Message-ID: <20021007205357.GA18826@resist.ca>

*************************************************************** Security-news A security bulletin for autonomous resistance movements Produced by the folks who bring you http://security.tao.ca ***************************************************************

October 7th, 2002

It really hasn't taken long to see the ramifications of 9/11 on activism in North America. Two of the articles in this week's issue are news about specific incidents which would not have been publicly allowable pre-terrorism hysteria in North America. The crackdown on civil liberties in the United States, Canada, and elsewhere is becoming more and more apparent every day. Activists not allowed on airplanes? A new "Aboriginal Extremism Unit" in Canada? Anti-terrorist state forces being used to raid activists' homes? Here we find the daily intensification of the police state as it impacts the lives of those who dissent. Good security culture in our movements is important now like never before - communities everywhere need to start dialogues about how to protect and support each other in the onslaught of state repression.
********************************** Security-news: Issue #8 - Contents **********************************
* Security tip of the week: Introducing counter-surveillance
* News & Analysis: Anti-Terrorist Unit Uses Excessive Force On Indigenous Family
* News & Analysis: No-fly blacklist snares political activists
* How-to: Talk about security culture and practice in your community

***** Security Tip of the Week: Counter-surveillance *****

Counter-surveillance is the practice of avoiding or making surveillance difficult to carry out. A central component of surveillance relies on pattern analysis - the examination of a subject's patterns to determine aspects about their method of operation, locations at key points in time and many other "clues". Central to any counter-surveillance effort is breaking personal patterns as much as possible. This masks regular activity, making it harder to practice routine surveillance. But it also masks the times when you may undertake activities out of the ordinary. (For more on this topic, check out http:// )

***** News & Analysis: Anti-Terrorist Unit Uses Excessive Force On Indigenous Family Press Release, October 3, 2002 *****

PRESS RELEASE STATEMENT

At 6:00 am Saturday, September 21st, 2002, members of the Integrated National Security Enforcement Team (INSET) raided the residence of Nitanis Desjarlais and John Rampanen in Port Alberni, British Columbia. With the assistance of the RCMP Emergency Response Team, local RCMP, ambulance, and fire departments, a warrant to search for unauthorized firearms was executed. This police raid was conducted as a follow-up to allegations that Mr. Rampanen was "stockpiling arms". The quiet neighborhood of Mr. Rampanen and his common-law wife Ms. Desjarlais, located on the outskirts of Port Alberni, was evacuated during the early hours of September 21st, as a safety precaution during the police raid. Fortunately, Mr. Rampanen and Ms.
Desjarlais along with their twelve year old son, two year old daughter and new-born son were not present in their home during the time of incursion. At 9:45 am on the same day, members of INSET along with local RCMP officers, visited the residence of Mr. Rampanen's parents, also located in Port Alberni. Upon arrival, INSET officers became aware of the presence of Ms. Desjarlais and Mr. Rampanen and immediately began questioning Ms. Desjarlais. Ms. Desjarlais was taken outside of the house and asked if she knew that John Rampanen was involved in Native Issues. She replied that she did and that she herself was involved and sarcastically asked if it was a crime to be involved in Native Issues, to no reply from INSET. Approximately 10 minutes into the questioning, the inquiring INSET officer received a telephone call reporting that the searched residence was "clear". At which point Ms. Desjarlais was informed by an INSET member that "it would be a shame for (her) children to grow up without parents". At this point, INSET officers approached Mr. Rampanen and informed him of the execution of a search warrant on his residence. They further informed him that allegations were made that he was "stockpiling arms" and that they did not know the identity of the person or persons behind the "malicious allegation". They included that there was considerable damage inflicted upon the front entrance to the house and that any damages incurred would be covered by the RCMP. Mr. Rampanen was reminded of the "concern that he should have towards the safety of (his) children" and that if he was in possession of any unauthorized firearms that he would be given the opportunity to surrender them without repercussions. Mr. Rampanen replied that he does not possess any firearms, that his house and all of his belongings had already been thoroughly searched, and that that should be evidence that he was not "stockpiling arms".
When asked if this sort of action was to be expected every time a malicious allegation was made in regards to Mr. Rampanen, INSET replied that, "after today's actions, we would have to say yes". Mr. Rampanen stated that "it was because of (his) concern for the safety of (his) children that he did not stockpile weapons", and further, suggested that there are more civilized methods that could be applied when dealing with these types of concerns. Mr. Rampanen and Ms. Desjarlais have been actively involved in Indigenous issues for a number of years through organizations such as the Union of BC Indian Chiefs, United Native Nations, Native Youth Movement, Indigenous Sovereignty Network, and the Westcoast Warrior Society. Mr. Rampanen has also been actively involved in drug and alcohol rehabilitation programs directed towards Indigenous youth, as well as educational and informational workshops throughout Indigenous communities. Ms. Desjarlais is an emerging videographer and specializes in documentaries focusing on concerns and issues arising from various Indigenous Nations. The young couple have just recently moved to Vancouver Island where they plan on raising their children. Later, during the evening of the same day and the morning of Sunday, September 22nd, other members of the Westcoast Warrior Society and their families were also approached by INSET officers. Similar remarks regarding the safety and concern of their children, and suggestive statements regarding firearms were also expressed during these visits. After incidents arising from the weekend of September 21st, Mr. Rampanen and Ms. Desjarlais are still trying to ensure that these types of aggressive actions are not wrongfully exercised upon those involved within matters relating to Indigenous rights. They feel that these sorts of unnecessary tactics only contribute negatively towards the already fragile relationship between Indigenous Nations and the Government of Canada.
INSET is a unit that emerged after September 11th and has a budget of 64 million dollars for a five year period. More info on INSET at RCMP website.

*****
News & Analysis: No-fly blacklist snares political activists
by Alan Gathright, Chronicle Staff Writer
Friday, September 27, 2002
*****

A federal "No Fly" list, intended to keep terrorists from boarding planes, is snaring peace activists at San Francisco International and other U.S. airports, triggering complaints that civil liberties are being trampled. And while several federal agencies acknowledge that they contribute names to the congressionally mandated list, none of them, when contacted by The Chronicle, could or would say which agency is responsible for managing the list. One detainment forced a group of 20 Wisconsin anti-war activists to miss their flight, delaying their trip to meet with congressional representatives by a day. That case and others are raising questions about the criteria federal authorities use to place people on the list, and whether people who exercise their constitutional right to dissent are being lumped together with terrorists. "What's scariest to me is that there could be this gross interruption of civil rights and nobody is really in charge," said Sarah Backus, an organizer of the Wisconsin group. "That's really 1984-ish." Federal law enforcement officials deny targeting dissidents. They suggested that the activists were stopped not because their names are on the list, but because their names resemble those of suspected criminals or terrorists. Congress mandated the list as part of last year's Aviation and Transportation Security Act, after two Sept. 11 hijackers on a federal "watch list" used their real names to board the jetliner that crashed into the Pentagon. The alerts about the two men, however, were not relayed to the airlines. The detaining of activists has stirred concern among members of Congress and civil liberties advocates.
They want to know what safeguards exist to prevent innocent people from being branded "a threat to civil aviation or national security."

NO ACCOUNTABILITY

And they are troubled by the bureaucratic nightmare that people stumble into as they go from one government agency to another in a maddening search to find out who is the official keeper of the no-fly list. "The problem is that this list has no public accountability: People don't know why their names are put on or how to get their names off," said Jayashri Srikantiah, an attorney with the American Civil Liberties Union of Northern California. "We have heard complaints from people who triggered the list a first time and then were cleared by security to fly. But when they fly again, their name is triggered again." Several federal agencies, including the CIA, FBI, INS and State Department, contribute names to the list. But no one at those agencies could say who is responsible for managing the list or who can remove names of people who have been cleared by authorities. Transportation Security Administration spokesman David Steigman initially said his agency did not have a no-fly list, but after conferring with colleagues, modified his response: His agency does not contribute to the no-fly list, he said, but simply relays names collected by other federal agencies to airlines and airports. "We are just a funnel," he said, estimating that fewer than 1,000 names are on the list. "TSA has access to it. We do not maintain it." He couldn't say who does. Steigman added he cannot state the criteria for placing someone on the list, because it's "special security information not releasable (to the public)." However, FBI spokesman Bill Carter said the Transportation Security Administration oversees the no-fly list: "You're asking me about something TSA manages. You'd have to ask TSA their criteria as far as allowing individuals on an airplane or not."
In addition to their alarm that no agency seems to be in charge of the list, critics are worried by the many agencies and airlines that can access it. "The fact that so many people potentially have access to the list," ACLU lawyer Srikantiah said, "creates a large potential for abuse." At least two dozen activists who have been stopped -- none have been arrested -- say they support sensible steps to bolster aviation security. But they criticize the no-fly list as being, at worst, a Big Brother campaign to muzzle dissent and, at best, a bureaucratic exercise that distracts airport security from looking for real bad guys. "I think it's a combination of an attempt to silence dissent by scaring people and probably a lot of bumbling and inept implementation of some bad security protocols," said Rebecca Gordon, 50, a veteran San Francisco human rights activist and co-founder of War Times, a San Francisco publication distributed nationally and on the Internet. Gordon and fellow War Times co-founder Jan Adams, 55, were briefly detained and questioned by police at San Francisco International Airport Aug. 7 after checking in at the American Trans Air counter for a flight to Boston. While they were eventually allowed to fly, their boarding passes were marked with a red "S", for "search", which subjected them to more scrutiny at SFO and during a layover in Chicago. Before Adams' return flight from Boston's Logan International, she was trailed to the gate by a police officer and an airline official and searched yet again. While Gordon, Adams and several of the detained activists acknowledged minor past arrests or citations for participating in nonviolent sit-in or other trespassing protests, FBI spokesman Carter said individuals would have to be "involved in criminal activity", not just civil disobedience, to be banned from U.S. airlines.

DEFINING AN ACTIVIST

But, Carter added, "When you say 'activists,' what type of activity are they involved in?
Are they involved in criminal activity to disrupt a particular meeting? . . . Do you plan on blowing up a building? Do you plan on breaking windows or throwing rocks? Some people consider that civil disobedience, some people consider that criminal activity." Critics question whether Sister Virgine Lawinger, a 74-year-old Catholic nun, is the kind of "air pirate" lawmakers had in mind when they passed the law. Lawinger, one of the Wisconsin activists stopped at the Milwaukee airport on April 19, said she didn't get upset when two sheriff's deputies escorted her for questioning. "We didn't initially say too much about the detainment, because we do respect the need to be careful (about airline security)," the nun recounted. "They just said your name is flagged and we have to clear it. And from that moment on no one ever gave me any clarification of what that meant and why. I guess that was our frustration." Five months later, the 20 members of Peace Action Wisconsin still haven't been told why they were detained. Even local sheriff's deputies and airline officials admitted confusion about why the group was stopped, when only one member's name resembled one on the no-fly list. At the time, a Midwest Express Airlines spokeswoman told a Wisconsin magazine, the Progressive, that a group member's name was similar to one on the list and "the (Transportation Security Administration) made the decision that since this was a group, we should rescreen all of them." At a congressional hearing in May, Wisconsin Sen. Russ Feingold pressed FBI Director Robert Mueller about the Milwaukee incident, asking him pointedly for an assurance that the agency was not including people on the list because they had expressed opinions contrary to the policies of the U.S. government. Mueller's response: "We would never put a person on the watch list solely because they sought to express their First Amendment rights and their views." 
DATABASE OF SUSPICION

The law orders the head of the Transportation Security Administration to work with federal intelligence and law enforcement agencies to share database information on individuals "who may pose a risk to transportation or national security" and relay it to airlines, airports and local law enforcement. It also requires airlines to use the list to identify suspect passengers and "notify appropriate law enforcement agencies, prevent the individual from boarding an aircraft or take other appropriate action." In November, Nancy Oden, a Green Party USA official in Maine, wound up being a suspect passenger and was barred from flying out of the Bangor airport to Chicago, where she planned to attend a Green Party meeting and make a presentation about "pesticides as weapons of war." Oden said a National Guardsman grabbed her arm when she tried to help a security screener searching her bags with a stuck zipper. The middle-aged woman, who said she was conservatively dressed and wore no anti-war buttons, said the guardsman seemed to know her activist background. "He started spouting this pro-war nonsense: 'Don't you understand that we have to get them before they get us? Don't you understand what happened on Sept. 11?'" Airport officials said at the time that Oden was barred from boarding because she was uncooperative with security procedures, which she denies. Instead, Oden pointed out that the American Airlines ticket clerk, who marked her boarding pass with an "S", had acknowledged she wasn't picked at random. "You were going to be searched no matter what. Your name was checked on the list," he said, according to Oden. "The only reason I could come up with is that the FBI is reactivating their old anti-war activists' files," said Oden, who protested the Vietnam War as a young office worker in Washington, D.C. "It is intimidation. It's just like years ago when the FBI built a file about me and they called my landlord and my co-workers. . . .
They did that with everyone in the anti-war movement."

A TOOL FOR TERROR

In his testimony before Congress, Mueller described the watch list as a necessary tool for tracking individuals who had not committed a crime but were suspected of terrorist links. "It is critically important," he said, "that we have state and locals (police) identify a person has been stopped, not necessarily detained, but get us the information that the person has been stopped at a particular place." None of this makes the peace activists feel any safer -- about flying or about their right to disagree with their government. "It's probably bad for (airport) security," said Sister Virgine. "Stopping us took a lot of staff away from checking out what else was going on in that airport." Ultimately, she said, "To not have dissent in a country like this would be an attack on one of our most precious freedoms. This is the essence of being an American citizen, the right to dissent."

*****
How to: Talk about security culture and practice in your community
by: kendra at resist.ca
*****

Security practice and culture are the type of topics that if handled badly can be offensive to the individuals involved, and divisive within communities struggling to build trust. How we handle security discussions in our communities is as important as the type of security culture we practice - because it is only through supportive education that our communities will learn and grow in a healthy and secure way. Usually, the topic of security only comes up when someone has unmistakably breached it in a way that community members feel the need to discuss it with the individual. This of course leads to a situation where someone is put on the spot and will inevitably become defensive and angry about being "called out". In communities where other people are practicing bad security culture, the individual may feel they are being unfairly targeted.
These feelings are not particularly conducive to a mode of learning or receiving direction from fellow travellers and friends. To compound the problem, it is often the case that those who are most "concerned" with security take a very macho approach to the subject and may be using their own security consciousness as a way of showing others they are "in the know" or politically experienced in other ways. The central problem is that security discussions aren't happening regularly in our movements as community-based dialogues and workshops, and so often we wait until someone has breached security in a significant way before we speak about the lack of security practice. Realistically, we cannot expect people who are new to activism or the concept of security culture to have this specialized knowledge unless we are being proactive in providing community-based education.

The following recommendations are some things to think about when preparing security practice and culture workshops in your community. Workshop facilitators should be trusted and respected members of their community - otherwise information won't be taken seriously. As a workshop facilitator you should:

* Structure discussions about security culture as a dialogue with other members of the community rather than lecturing to people about what is "right" and "wrong".
* Provide (if possible) local community examples of surveillance or infiltration and ways the community defeated it. If you have no local examples, there are many interesting stories out there to gather - it is important to show how good security practices have protected others.
* Provide hand-outs or point people to online resources that they can look at on their own time.
* Break workshops down in a way that makes sense. If demand exists in your community, doing a workshop on security culture and then following it up with workshops on specific security practices is the best approach.
Trying to cram a full discussion of how to use PGP into a workshop on general security culture is a bad idea and will ultimately confuse people into believing that security culture is solely about technology.
* Keep discussions open and stop people from looking around the room for the "spook". These are community educationals, not paranoia inducing sessions.
* Keep machismo and bravado in the room to a minimum. The most effective workshops in this respect are those which have a good gender balance and different cultural perspectives represented. Outreach is key to involving a healthy cross-section of the local community.
* Use role-playing wherever possible. Many legal collectives across North America carry out role-playing workshops to teach activists how to deal with police interrogation and other nasty situations. It would be worth teaming up with your local legal collective to do a series of workshops. Role-plays are an effective way to keep people engaged in a topic and really learning in a hands-on way.
* Allow participants to practice what they are being taught in all areas - particularly technical. A lecture about using PGP will not be nearly as effective as a hands-on demonstration.
* Try to do workshops tailored to organizational needs where possible.

If communities regularly allow discussions and education about security practice and culture to become part of the fabric of community organizing, necessary discussions with individuals who have breached good security practice will be easier to handle. No matter what type of security training a community has as a whole, there will always be individuals who engage in poor practice either because they lack knowledge and training or because they don't take the subject seriously. It may become necessary to talk to individuals one-on-one about their security problems if they persist. The following tips may help in this situation:

* Approach the subject as soon as possible after the security breach/incident occurs.
Sometimes simply saying quietly to someone "i don't know if i would talk about that here" is enough to let them know they are talking about something they shouldn't. Not every breach requires a "formal" discussion so use your discretion in dealing with a given incident.
* Individuals may be delegated to deal with a certain discussion. These people should be trusted and respected in the community.
* The individual should be approached as non-confrontationally as possible, and in a discreet setting. Individuals should not be called out in public meetings or on mailing lists for their behaviour (except possibly in chronic cases - but this can be risky). A one-on-one is usually the best method since it prevents a person from feeling they are being ganged up on.
* Security discussions are not an opportunity to brow-beat or cut-down the work of individuals in a community. They should not be used as a way to undercut work when other political motivations are at play.

Generally, respect for each other is paramount to any sticky political situation. Maintaining respect for the person you are talking to will generally help to keep defensiveness and hostility to a minimum. There are many other points that could be made on the topic of how to talk about security culture and practice in our communities, however I hope this article provides a starting place for thinking about when, where and how you will make these discussions happen where you are.

***************************************************************
Security-news
Good computer security is no substitute for good sense!
To sub or unsub - http://resist.ca/mailman/listinfo/security-news
***************************************************************

From security-news-admin at lists.resist.ca Mon Oct 28 08:35:14 2002
From: security-news-admin at lists.resist.ca (security-news-admin at lists.resist.ca)
Date: Mon, 28 Oct 2002 08:35:14 -0800
Subject: [security-news] Bulletin #9 - October 28, 2002
Message-ID: <20021028163514.GA28018@resist.ca>

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

October 28th, 2002

There are weeks when activism seems more of a challenge and these last few have been some of those for us here at security-news which is why we weren't able to put last week's bulletin out and there's no how-to in this edition. As usual we are asking that those of you with security experience, ideas and expertise please email us with tips, how-tos, articles and suggestions at secure at resist.ca - it really helps to have input!

**********************************
Security-news: Issue #9 - Contents
**********************************

* Security tip of the week: Surveillance and Society - Issue 1
* News & Analysis: PGP 8.0 BETA Release
* News & Analysis: Infiltration of the British Left from the 60s-80s

*****
Security Tip of the Week: Surveillance and Society - Issue 1
*****

So this is less of a tip than a "check this out" - a new academic journal called Surveillance and Society - all articles from the first issue are available online at http://www.surveillance-and-society.org/, and make for some interesting reading. The site will apparently also have a discussion forum running to follow-up on articles published in the journal.
And while we're on the topic of society and surveillance, also check out the Minnesota Public Radio page and radio series on the Surveillance Society at http://news.mpr.org/features/199911/15_newsroom_privacy/ - they have some really interesting stuff posted there too!

*****
News & Analysis: PGP 8.0 BETA Released - PGP reborn makes its pitch for the mainstream
October 22, 2002
http://www.theregister.co.uk/content/55/27729.htm
*****

Encryption products need to become as easy and transparent to use as AV software packages. That's the goal of Phil Dunkelberger, President and CEO of PGP Corporation, who's over in London this week for the European launch of the newly-formed company. PGP Corporation was created to market PGP Desktop and Wireless encryption products bought from Network Associates back in August. The deal ended months of speculation over the future of the technology following Network Associates' decision to mothball it back in March. Network Associates canned development of PGP after failing to commercialise the package, which is well known to security conscious individuals. NAI said commercial sales were affected by the perception of PGP as a freeware only product. PGP Corporation can succeed where NAI failed by being more focused on the development of the package, Dunkelberger told us. He added that NAI was always more focused on its McAfee antivirus and Sniffer network monitoring tools, whereas PGP Corporation's goal is to bring innovation to encryption. Earlier this month, the beta of version 8 of PGP became available. This brought support for Mac OS X and (crucially) Windows XP. Integration with Lotus Notes (thanks to a server-side plug in) is much improved with this rev of the product, which is due for release later this quarter. The source code of PGP 8.0 will be made available at that time, allowing cryptographers (including PGP inventor Phil Zimmermann, who does some consulting work for PGP Corporation) to review the security of the product.
This is an important point, made more significant by Zimmermann's dispute with NAI (when it still owned PGP) over backing away from this commitment. In the first five days after making the beta available the software was downloaded 300,000 times, according to PGP Corporation. With PGP 8.0 there has been a concerted effort to make the software easier to manage and administer. As well as the enterprise package, there'll also be PGP Personal, targeted at small business and individual commercial users and a freeware version for non-commercial use (to be made available from the PGP Web site). Dunkelberger acknowledged factors like ease of use, deployment, manageability and the cost of rollout have held back the use of encryption products and hurt Public Key Infrastructure vendors. Going forward, transparency of use and manageability will be a focus for PGP Corporation's development efforts. Dunkelberger pledged to deliver these benefits in the first half of next year. That's a bold claim. For the last five years, if not longer, we've heard claims that next year will be the year PKI technology goes mainstream. Every year we've been disappointed. Maybe, just maybe 2003 will finally see this promise fulfilled.

Security-news note: This means having PGP for OS X finally on the way! We have installed this on our OS X-running Macs and have had no problems integrating, opening and using PGP key files and PGP disks that we had created using PGP 6.5 under the "Classic" Mac OS. Of course, this is just a *beta* which means it hasn't been fully tested yet - so exercise caution.

*****
News & Analysis: Infiltration of the British Left from the 60s-80s
Inside Job
Wednesday October 23, 2002
The Guardian
*****

When Dan joined the Metropolitan police special branch in 1964, he was astonished when a senior officer warned that it was "quite likely that in 10 years Britain could become a Communist state".
The new police recruits were being introduced to the subversive agenda of the Communist party of Great Britain, the prototype "enemy within". Its intention, they were told, was to use the trade unions as a revolutionary instrument to undermine parliamentary democracy. "It felt as if you were paddling in a pool of subversion," Dan says. Soon the pool deepened as the Vietnam war radicalised thousands of young people and swelled the ranks of Trotskyite organisations. The climax came in 1968, when tens of thousands marched on Grosvenor Square and laid siege to the American embassy. The ensuing violence between police and demonstrators had never been seen before on British streets. The police were completely unprepared. They had no training and weren't given any detailed briefing on what was likely to happen. Intelligence on the marchers' intentions was rudimentary. For the Metropolitan police, Grosvenor Square was a wake-up call. Special branch needed to rethink its intelligence-gathering techniques. Sources within the revolutionary left who'd traditionally passed on the odd titbit in return for a few pounds and a pint simply weren't enough. As a result, an elite unit was set up within special branch whose existence has been kept a closely guarded secret until now. It was known as the "special demonstration squad" - or less prosaically as the "hairies" because of the way its officers dressed, looked and lived. "It was a shadowy section of the branch where people disappeared into a black hole for several years," says Richard, a veteran hairy. Members of the squad adopted new identities, or "legends", lived away from their families in grotty flats, took real jobs as cover and gradually infiltrated the hard left. Later, when the hard right also became a growing public order problem, there were skinhead hairies with rather less hair. Wilf, who became one of the hairy handlers - a contact point in the outside world - had great respect for his undercover colleagues. 
"They were true spies. What the SAS did for the army, the hairies did for special branch." Sometimes MI5 was also a recipient of the political intelligence they gleaned. "Occasionally somebody from MI5 would come to a meeting and ask, either individually or generally, if anybody could help with the identity of a photograph," says Brian. As most police officers at the time sported short back and sides, certain adjustments had to be made to fit their new personae. Brian says he looked "outrageous with shoulder-length hair and bushy beard six inches beneath the chin". Geoff had a problem because his hair was so fine, so he went to hairdressers and had a perm. "I ended up looking like Marc Bolan - big hair!" Dan was "slightly dirty and slightly smelly". Richard was a long-haired, shabby manual worker with dirty jeans and boots. "I made sure my fingernails were always dirty and cracked." On one occasion, the Metropolitan police commissioner was taken to a secret location to meet the hairies. He clearly wasn't ready for what he saw. "I've never seen a person more flabbergasted in my life," says Geoff. "You could see his jaw dropping lower and lower. I think he could see his knighthood disappearing out of the window." Each hairy worked out his own legend and memorised. Richard had just read The Day of the Jackal and decided to adopt a new persona like Frederick Forsyth's assassin who assumed the identity of someone who had died young. "I spent weeks and weeks at St Catherine's House studying birth and death records. I was looking for child who'd been born about the same time as myself and died soon after. I found him and resurrected him." Richard visited the town where the boy who was providing his cover was born - and from which the family had conveniently moved away - and researched every detail of the family's history. Being a hairy was nerve-wracking and dangerous. 
Infiltrating the Troops Out Movement, with its Irish republican connections (as Brian did) or the Anti-H Block campaign (as other hairies did), or working on the fringes of terrorist organisations such as the Angry Brigade or the Free Wales Army was a high-risk and potentially life-threatening operation. There's no doubt that most hairies believed that the organisations they penetrated were genuinely subversive, however dismissive of the notion we may be today. "They were interested in seizing power, and not by parliamentary means. They saw the police and army as tools of the state to be defeated and overthrown," says Geoff. Geoff and his colleagues found that infiltrating these organisations was relatively easy. They would go along to meetings, look interested and gradually be drawn in. The groups were hungry for new recruits. Dan infiltrated the International Marxist Group (IMG) as the Vietnam war raged. Brian infiltrated the Troops Out Movement in the early days of the Irish conflict. Richard joined the Socialist Workers Party at the time of the Falklands. Hairies were never pushy and would wait to be approached so that the initiative always appeared to lie with the so-called subversives. They became experts in dialectical materialism and the different ideologies of the far left. Some even confessed they became so involved they almost went native. And they made very good friends, many of them women. But sex was strictly off-limits. "They were nice people but wrong," says Geoff. Once inside the organisations, they could gradually work their way up because they were prepared to do the boring jobs. They rose to become membership secretaries, treasurers and trusted comrades with access to the vital records that MI5 was interested in. Some admit they could have been almost running the organisation, but that was strictly taboo. 
"As a rule of thumb, you could allow yourself to run with the organisation," says Richard, "but you had to stop short of organising or directing it." Street cred could also enhance a hairy's cover. At one demonstration Geoff, who had also infiltrated the Socialist Workers Party, had an altercation with a police officer. "Seeing me with my long hair and beard, he grabbed me in a vice-like grip and started to pummel and drag me towards a police vehicle. So I grabbed hold of one particular part of his anatomy and squeezed it rather hard which made him leap up and release me. I legged it and everybody thought I was a hero of the working class." On one occasion, Geoff found himself collecting money for the Anti-Nazi League next to the young Peter Hain at the huge Rock Against Racism concert in London's Victoria Park in 1978. "I can remember sitting next to him on a large sack of cash. There was money everywhere. We had to get Securicor to take it back to ANL headquarters." Hain had no idea who his fellow collector was. Nor did he know that this wasn't the first time he'd been sitting next to a hairy. During the Stop the 70 Tour campaign, which first brought Hain to national prominence in 1970, a hairy called Mike was virtually Hain's second-in-command. Special branch had targeted the campaign after warnings that there was likely to be "blood on the streets". Mike has since died but his handler, Wilf, is still very much alive. "I don't think Hain ever realised he had a hairy as his number two," he says. Mike provided the intelligence that enabled the police to deal with the disruption planned for a big rugby game between the Springboks and the Barbarians at Twickenham. The demonstrators planned to throw smoke bombs and metal tacks onto the pitch, but thanks to Mike the police were ready with sand and electric magnets. News film of the time clearly shows them being used. There was the inevitable inquest into how the plan had been thwarted. 
"Hain felt, quite rightly, that there was a spy in their midst," says Wilf. "Mike looked down the room at one poor devil and said: 'I think it's him!' He was thrown out and Mike survived. Bless him." On occasions, the hairies were of more practical use to MI5 in helping provide covert access to premises where the all-important membership lists and financial records were stored. Dan, who'd infiltrated the fringes of the IMG, spent a few evenings baby-sitting the offices of the Vietnam Solidarity Campaign, an offshoot of the IMG. The bunch of keys he was given also contained the keys to other IMG premises - he copied them. The offices, he says, were subsequently "visited", presumably by MI5 who normally did burglaries. When I told Tariq Ali about what had happened to his keys (at the time he was editor of the IMG's paper, Black Dwarf) he was almost lost for words as he searched to remember who the hairy could possibly have been. "It's quite amazing. It's a betrayal. He must have been trusted to have had a key to that office. He must have been liked and must have made friends." But Dan has no regrets about what he did. "There was always a policeman within me, so I didn't have a problem about exposing people if necessary." All the hairies agree. Betrayal was part of the job description. Whereas most thrived on the adrenalin-pumping work, in the end Dan found the strain too great, not least because of the eternal fear of being compromised. The final straw came in a pub. He'd been tipped off as the result of a telephone tap on the IMG warning that Dan had come under suspicion. He was taken to a pub where he had to drink nine pints of beer under intense questioning from his comrades. Remarkably, his cover held. "My thought processes remained ice-cold," he says. The ordeal over, he staggered off to meet his handler. "That's when my legs collapsed." By then, Dan had decided that enough was enough. "It took a huge toll on my family life. On reflection, I didn't enjoy it." 
But most hairies felt very differently. "It was the best job I ever did in my police service," says Geoff. "It was salaried schizophrenia but I think we did prevent serious disorder on the streets of London and even stopped innocent people being killed. But I think our major role was to stop people from trying to short circuit parliamentary democracy and, yes, perhaps overthrowing the government. I'm very proud of what we did." Not surprisingly, those on the receiving end take a different view. Ali is appalled at the revelation. "That's the undemocratic nature of the intelligence agencies," he says. "The state is defending itself against its own democratic citizenry. In order to do so, it has to disregard some of the democratic values it believes in." He still can't believe that it happened. But it did.

***************************************************************
Security-news
Good computer security is no substitute for good sense!
To sub or unsub - http://resist.ca/mailman/listinfo/security-news
***************************************************************

From security-news-admin at lists.resist.ca Mon Nov 11 20:06:39 2002
From: security-news-admin at lists.resist.ca (security-news-admin at lists.resist.ca)
Date: Mon, 11 Nov 2002 20:06:39 -0800
Subject: [security-news] Bulletin #10 - November 11, 2002
Message-ID: <2515E1D0-F5F4-11D6-A650-00039393408E@resist.ca>

***************************************************************
Security-news
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************

November 11, 2002

This week we're adding a new section called "Reading Material" to highlight interesting books, magazines and other publications that happen to come our way and relate to the whole activism and security theme of this newsletter.
Please forward any suggestions of reading material you would like to see reviewed here to secure at resist.ca.

**********************************
Security-news: Issue #10 - Contents
**********************************

* Security tip of the week: Wireless Keyboards
* Reading Material: CAQ 74 & Covert Entry (book)
* News & Analysis: How Hard Would It Be To Trace the Sniper's Phone Calls?
* News & Analysis: JOINING FORCES How planners are partnering with local police, convention facilities and city officials to stage secure events
* How to: Internet anonymity for Linux newbies

***** Security Tip of the Week: Wireless keyboards *****

Wireless keyboards are just some of the many wireless peripherals becoming popular these days - but don't be so quick to switch without first checking the security implications. Last week it was discovered that HP's wireless keyboards can transmit data to other computers in faraway buildings. If you are currently using one of these, or another wireless keyboard, be aware that if the signal emission range is too wide, you could be broadcasting everything you type.

***** Reading Material: CAQ No74 & Covert Entry (book) *****

Covert Action Quarterly No 74 - has lots of good stuff as usual - a good article in this issue exposing the links between George Soros and the CIA which certainly begs the question of why radical organizations would take money from the Soros foundation. Also an article on the decimation of Posse Comitatus law in the United States (this was the law that forbade US military services from taking a role in internal policing) - happening under the guise of anti-terrorism but really being directed at anti-globalization activists.

Covert Entry: Spies, Lies and Crimes Inside Canada's Secret Service
Andrew Mitrovica
Random House - November 2002 release

This book is based on the testimony and tales of an agent-turned-whistleblower who worked for CSIS (Canadian Security Intelligence Service) for ten years.
John Farrell, who worked with the mail intercept program, and Special Operational Services, comes forward to tell his tale of unlawful behaviour on behalf of Canada's spy agency. Although Mitrovica comes at the story from anything but a progressive angle (he is outraged about taxpayer waste in the face of real terrorist threats), there are some telling moments in the story that illuminate the type of surveillance methods used during both major and minor investigations. If anything - Covert Entry provides an interesting look inside some of the operations of Canada's espionage agency and the methods by which agents collect data on their targets - and is a worthwhile and quick read. It's only out in hardcover currently (and likely not available in the US), but worth tracking down a copy of.

***** News & Analysis: How Hard Would It Be To Trace the Sniper's Phone Calls? By Brendan I. Koerner Thursday, October 24, 2002 *****

Police arrested two men Thursday morning in connection with Washington, D.C.-area sniper shootings. Someone claiming to be the sniper placed several phone calls to police earlier this week. How easy is it for cops to trace a phone call? Contrary to what pulp screenwriters seem to believe, it's pretty darn easy nowadays. Tracing problems are a relic of manual switchboards, which required operators to physically connect circuits. In order to track down a caller's location, police needed 10-20 minutes to figure out the maze of circuits. This is where the cinematic stereotype of "Keep 'em talking" comes from - shorter calls could only be traced back part of the way, to a nearby switching station rather than the source phone. Digital switches have sped up the process. Beginning in the mid-1980s, phone companies began using electronic switching systems, which can automatically identify any caller's number within a fraction of a second. Those numbers can then be correlated with information from an automatic location indicator to find the phone's address.
There is no foolproof way to avoid tracing on an ESS network when making a direct-dial call. (And don't think for a second that hitting *67, which masks your number to Caller ID boxes, can foil a police trace; it only works against civilians.) Some local phone companies allow users to trace calls through a feature called *57. Users hang up, wait 10 seconds, and then press *57. The caller's information is immediately forwarded to the phone company's computers, where it can later be accessed by the police. But the feature isn't available everywhere, and in some cases it won't trace calls made with calling cards or through operator assistance. Mobile phones have proven harder to trace over recent years, but that is changing, too. The Federal Communications Commission has ordered that, by 2006, all cell-phone networks must feature location-tracking technology, ostensibly to assist 911 operators. As a result, many new mobiles now come equipped with chips that link them into the Global Positioning Satellite system. Triangulation using coordinates from adjacent cell-phone towers is another effective tracing technique. Tracing a phone call is only half the investigative battle, of course. Few suspects, alas, are dumb enough to stay put after placing a taunting call to the cops. Next question? ***** News & Analysis: JOINING FORCES How planners are partnering with local police, convention facilities and city officials to stage secure events By Cheryl-Anne Sturken Photograph by Joseph Pluchino http://www.meetings-conventions.com/issues/0902/features/feature1.html ***** In the summer of 1968, a young police cadet in Chicago was just starting to learn the ropes while antiwar protesters and baton-wielding patrol officers clashed in downtown Chicago. Charles Ramsey did not take part in the notorious street battles associated with the Democratic National Convention that August, but the experience left an impression on him that would help steer his career. 
Today, as chief of police for Washington, D.C.'s Metropolitan Police Department, Ramsey works proactively to prevent such mayhem. Lessons learned preserving the peace at high-profile events in the nation's capital have made him a nationally respected consultant on how to handle crowds and provide security at meetings of all kinds. "Our goals are always the same," Ramsey says. "We want to protect the rights of conference attendees to participate in their meetings - and protect the freedom of any demonstrators to exercise their Constitutional rights." Of the thousands of events held annually across the country, relatively few are of a nature apt to incite protests. Yet, many citywides that draw attendees by the thousands - or tens of thousands - do need law-enforcement assistance in areas like traffic control and on-site security. For planners of these mammoth events, a city's local police department becomes a crucial partner, from the early stages through the event's conclusion.

Start early

"It is absolutely critical to involve the security expertise of the local police force from the very beginning," says Cynthia Beckman, chief operating officer of conventions and meetings for the Washington, D.C.-based Biotechnology Industry Organization. Beckman has been conferring with Chief Ramsey since this past June in planning her group's annual convention, known as BIO 2003, to be held in the capital next June. "Early planning negates the need for a request for emergency police assistance," she says, noting that additional security can be expensive. Lt. Eric Rubin of the Denver Police Department knows all about the strategic value of early planning. This past May, he coordinated law-enforcement measures when the city hosted the biennial conference of the Paris-based International Chamber of Commerce - an event for which his department spent a full year training. ICC drew 600 delegates from around the world; it also drew 1,000 protesters.
Some 700 police officers worked around the clock in 12-hour shifts, covering a three-block radius around the Denver Marriott City Center hotel, where the delegates were housed. "It took time to get everything in place," recalls Rubin. "There was a lot of paperwork; everything had to be in writing. We planned for the worst and hoped for the best - and that's what we got. Not a single arrest was made."

First steps

The planners' initial point of contact should be the head of security at the convention center. This person is directly plugged in to the community and its various law-enforcement factions. "From the start, convention center officials and staff are an integral part of the security plan," says Beckman. "We create strong relationships with them to efficiently share information and increase awareness of potential problems." In these initial conversations, says Gladys Jones, head of security for the Washington (D.C.) Convention Center, "We will ask a number of questions and then determine the event's threat level. Then we will tell you, 'This is your threat level, and this is what we feel comfortable with having in place.'" After meeting with Beckman and her staff earlier this year, Jones flew to Toronto in June to observe how that city's police handled the BIO 2002 convention. Having firsthand knowledge of an event is critical to formulating a plan, says Jones, who even attended seminars at the convention to get a feel for issues the group was facing. The convention center's security expert also knows which local and state law-enforcement agencies have jurisdiction at the facility. "Most people don't realize that because our convention center lies within the district of the Port of San Diego, the harbor police force has jurisdiction over it," says Carol Wallace, president and CEO of the San Diego Convention Center. "But the center sits in the city, so planners also have to work with the San Diego Police Department on security issues."
At times, an outside law-enforcement agency might need to be involved, says Don Ahl, director of safety and security for the Las Vegas Convention & Visitors Authority. For instance, for the Shot Show, a trade event for hunters and ammunition makers, there might be issues to be discussed with the Bureau of Alcohol, Tobacco and Firearms, he says.

History matters

"We exchange an incredible amount of information with the police," says Jack Wilkerson, vice president of business and finance and convention manager for the Nashville, Tenn.-based Southern Baptist Convention. "I keep very detailed historical reports on the security aspect of every one of our conventions - who protested, what group did what, how many there were." Wilkerson expects protesters - the level of disruption is what he aims to control. During the SBC's annual convention in St. Louis this past June, 12 protesters condemning the religious group's conservative social positions infiltrated the America's Center and disrupted the president's keynote speech before a gathering of 9,000. The dozen antagonists were immediately arrested by police on hand, as were 38 others creating a disturbance outside the center. In the process of sharing information, planners should never assume any detail is inconsequential, sources agree. Think beyond mere numbers, dates and the agenda. Even if the event itself is not a target of protests, a controversial speaker, attendee or exhibitor might well be. "Some of the things I need to know about a group are how they perceive themselves, whether the CEO has ever received threats and what it is that they perceive as a threat," says Gladys Jones. "We have a mandatory meeting with the Las Vegas Metropolitan Police to let them know who is attending our event and who might attract attention," says Ernae Mothershed, a spokesperson for the Woodland Hills, Calif.-based Men's Apparel Guild in California.
Mothershed's group meets twice a year in Las Vegas for a four-day trade show that typically attracts from 80,000 to 100,000 attendees and exhibitors, along with many celebrities. "We tell the police if media is coming and if any of the celebrities are bringing their own security," Mothershed adds. Such details are critical to police. "We always want to be prepared," says Sgt. Justin McCaffrey, in the intelligence division of the New York City Police Department. "We never want to scramble." McCaffrey was involved in planning elaborate security for the World Economic Forum, which the Big Apple hosted without incident this past February.

Creating a plan

"As a meeting planner," says BIO's Cynthia Beckman, "it is my responsibility to ensure that our security plan is based on a thoughtful, complete risk assessment." Such assessments are developed by local law enforcement in a variety of ways.

* Agency networking. Many cities establish special-event task forces to develop and monitor security plans for sensitive events. Some, like San Diego and Washington, D.C., coordinate the task force's efforts through the mayor's office. Others, such as Las Vegas, maintain an events team on the police force. San Diego's Mayor Dick Murphy created a task force of representatives from a dozen city agencies to develop a security plan for both the BIO 2001 event and the 2000 Republican National Convention. Mandatory monthly meetings were held in his office. In Washington, D.C., some three dozen local, federal and specialized agencies are part of a special-event task force created by Mayor Anthony Williams. Says Peter LaPort, director of emergency management for the city and leader of the task force, "We will advise you of all the hurdles and hoops you have to jump through." A former New York City deputy commissioner who lost several colleagues and friends on Sept. 11, LaPort says the tragedy has created a much more "intense interaction" between his and other agencies.
"We even have a representative from the hotel association, because they are now part of the disaster recovery plan for the city, as is the convention center." For his part, D.C.'s Mayor Williams is aiming to add a greater medical element to the task force. "We are working closely with the private sector medical organizations that are vital to responding to an emergency, such as the American Red Cross and the Washington Area Hospital Association," he says.

* Intelligence gathering. Local law enforcement does not rely entirely on the information provided by event coordinators; the agencies often research an event's history themselves. "A group will tell you what happened internally at the convention center," says Capt. Terry Sult of the Charlotte-Mecklenburg Police Department in Charlotte, Va., "but we will check with the police departments of other cities where a group has met to find out what happened externally." "I hold regular conference calls with other police executives in the region to share intelligence and provide updates," says Chief Ramsey, who last year unveiled D.C.'s newest tool in event security, the Joint Operations Command Center. "It is a crucial resource for collecting, evaluating, analyzing and disseminating intelligence and other information," he says. The Web, notes Lt. Rubin, is a valuable window on activist planning. "A significant number of groups with an ax to grind will blatantly advertise when and where they are protesting and encourage others to join them," he says. "It's their legal right, but it also helps us to understand what might occur and to be better prepared."

* Community outreach. Critical to an event's security, say police, is actively reaching out to a community to let citizens know what they can expect to happen. And that means reaching out to potential protesters as well, says Chief David Bejarano of the San Diego Police Department. "We are very candid with the protesters we identify.
We tell them we recognize they have a Fifth Amendment right, but we make it clear that if they cross the line into criminal activity, we will take swift action," he says.

* Accommodating protesters. Often, cities will establish designated areas outside the center where demonstrators can express their views. In San Diego, Chief Bejarano gave protesters at BIO 2001 an area "close enough to protest, but not close enough to disrupt the proceedings." To coordinate who held court and when, his office spread the word that anyone could sign up for one-hour slots to address the crowd. "It was pretty peaceful," says Bejarano.

* Setting the tone. A heavy police presence might deter protesters, but it also can work against the event. "You have to draw the line between being intrusive and being transparent," says Dick MacKnight, assistant to the president at ICC's Denver headquarters. "The Denver police did a wonderful job. You never felt like you were under siege or being guarded."

* Using the force. Every city has its own particular rules governing law enforcement's role at events. However, several areas generally require police approval and implementation.

* Traffic control. When several thousand conventioneers descend on a city, shuttles from the convention center to hotels can snarl traffic on already congested streets. Talk to police about attendee transportation plans; often, they'll suggest alternative routes. "Sometimes the police will say, 'You don't want to go that route, because traffic gets backed up at that intersection at this time of the day,'" says the Southern Baptist Convention's Wilkerson.

* Putting up barriers. Installing barricades outside the convention center might seem like a wise move, but there are a number of issues to consider - including exactly where, when and how they can be placed. For the ICC conference in Denver, the police erected barriers in a three-block radius around the Denver Marriott City Center.
But because the perimeter fell within private property, the department had to get a signed release from every citizen affected.

* Permits. When staging a parade, using loudspeakers outside, setting off fireworks or serving alcohol in a public place, event producers must seek police assistance. "If your event is staying within the confines of the Jacob Javits Center, you don't need any special permits," says New York City's Sgt. McCaffrey. "But if you want to have a parade on 10th Avenue and shut down some streets, you are going to need a permit." Better ask early, he adds. "We won't allow two events to take place at the same time, because it clogs traffic and stretches our resources. And many annual events have first right."

* Post-convention police report. Ask the police to create a dossier on what services and security details they recommended and implemented for the event, along with their assessment of how the plan worked. This can be utilized in another city for a future event, saving the police there a lot of legwork.

Who pays for what

High-profile events can place a tremendous financial strain on a city. San Diego shelled out $3.5 million in police support for BIO 2001. The tab for Denver for the ICC conference came to $900,000. In deciding whether to host an event, city officials say they carefully weigh what they stand to gain. Chief Bejarano came under fire from San Diego media for his department's hefty spending. Yet, he says, "There is a trade-off. When you host a major event, there is the benefit of a large number of dollars going back into the city." In fact, BIO 2001 generated about $14 million in hotel and sales taxes and conventioneers' spending, says Scott Barnett, executive director of the San Diego County Taxpayers Association. Toronto's Economic Development Commission estimated that BIO 2002 poured nearly US$20 million into city coffers. (No figures were available on what it cost in added police protection because of the event.)
The security needs of more mainstream events, however, are individually evaluated by police departments, who negotiate with the event organizer to determine who covers what.

* Protection with a price tag. "Security costs depend on risk assessment, the complexity of the program, convention center layout, hotel locations, off-site venues and the size of the police force," says Cynthia Beckman. "The more on-duty police officers a host city will make available for the BIO meeting, the less our overall security costs." "We try to look at the size of the event and a whole host of dynamics," says Capt. Sult in Charlotte, Va. "If we find there will be a traffic control issue, we may request the event organizers pay for the officers needed to handle that traffic. If something unforeseen happens, then we will absorb the cost." "Small events that want to hire off-duty police officers will have to pay for them themselves," says Lt. Rubin. In Las Vegas, any request for police services, with the exception of covering protesters, comes out of a show organizer's pocket, according to special-events officer Sgt. Linda Atkinson. "All of our overtime comes from whoever is sponsoring the event," she notes.

* At no extra charge. Before spending money to have officers control traffic at peak convention hours or monitor an outdoor event, planners should find out what the local police are willing to provide at no cost. For instance, "We have a series of cameras set up around downtown whose initial use was crime prevention," says Sult. "We have discovered they help us dramatically with traffic issues at the convention center. We can identify potential gridlock and then electronically adjust the traffic light."

* Attendees on the alert. The better prepared attendees are, the smoother the execution of the security process. "We notify attendees to avoid any surprises," says Beckman.
"You want them to remember the importance of wearing their badges, of carrying photo identification and arriving early."

Unreasonable demands

Law enforcement has to toe the legal line and balance public safety issues with a community's best interests. The upshot: Some requests simply won't be met.

* Searches. "We are not private guards," says Lt. Rubin. "Everything we do must be based on Constitutional rights. We will not search people."

* Door checks. "We are not going to put people at the door to check tickets," says Sgt. McCaffrey.

* K-9 units. "If you have a high profile speaker, we might send a bomb-sniffing dog, but it is not guaranteed," says McCaffrey. He suggests planners work with a security consultant who can provide that service. But, he cautions, think twice before insisting on it, because it will prove costly. "If the speaker comes at 8 a.m., the dogs will have to be in at 6 a.m. to check out the room, and then you will have to pay for a guard to seal off the room and guard it until the speaker comes," says McCaffrey.

* Street closures. "We will never allow the Strip to be blocked off," says Sgt. Atkinson of Las Vegas. And, she adds, street closures come with their own sub-requirements that need to be considered, like permits for portable toilets and fees for litter collection.

* Police escorts. "Unless you're the president, you don't get a blue light escort," says Capt. Sult. "And we never make parking-regulation exceptions. People are always asking us to look the other way - and we don't."

***** How to: Internet anonymity for Linux newbies By Thomas C Greene in Washington 28/08/2002 - https://theregister.co.uk *****

One of the most attractive things about Linux is the number of installation options one is presented with and how tempting it is to customize. But for a newbie, in terms of Web security and PC hygiene, that's also the worst thing about it.
The fact is, Windows is easier than Linux for a casual user to make fairly secure, whereas Linux is easier than Windows for a power user to make very secure. For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say. Fortunately, Linux is a wise investment; you already have, or can easily find for free, virtually everything you need to make it secure. There's no need to buy hundreds of dollars' worth of security utilities and services, though you do need to learn how to use what you've got. But before we get to the Internet security matters promised in the headline, we have some housecleaning to do.

Options up the butt

For those just getting started with Linux, it's easy to end up with a number of unnecessary services and daemons running, some (not all) of which may make your box less secure. You've got IRC servers, telnet servers, print servers, font servers, mail servers, remote admin servers, Web servers, FTP servers, you name it. The installation options can be overwhelming; and if you're new to all this, it's a safe bet that you've got a few things going that you're not even aware of. The first thing I'd recommend is running a security scanner like SAINT or Nessus, which are typically packaged free with many distros, against localhost. This can reveal a number of things you never imagined you had available on your machine. Most distros also have some sort of GUI control interface which will make it reasonably easy to turn off what you don't need. With SuSE, the distro I prefer, this is called the 'runlevel editor', available via the YaST2 control center.
It likely has the same or a similar name in the distro you're using. Alternatively you can have a look at /etc/init.d and peruse a list of what's being loaded (just make sure you know exactly what these scripts do before you start editing or deleting). Shutting off unnecessary services is the most basic first step in tightening up your machine, so take a good look at what you've got, and get rid of the extraneous nonsense. If you don't know what something is, Google on it and get hip.

Users are safer

One simple thing you can do to avoid remote compromises is to stay off the Net when you're in the root account. Running IM and IRC clients as root is positively self destructive. Ditto for opening mail attachments and HTML mail as root. By choosing Linux you've already made yourself a lot less likely to get infected by a worm or virus or a malicious script than a Windows user, so be sure to maximize that advantage. Do all your on-line business from a user account, and save the root account for off-line tweaking and tinkering. Of course this discipline means little if your file permissions are sloppy. There are lots of commands you can issue from the shell which are relevant here, but since we're assuming a relative newbie, we'll try to avoid too much of that. For those interested in what's possible from the command line, I recommend the book "Linux in a Nutshell" (pun apparently intended) from O'Reilly Publishing. It's an excellent desk reference of shell commands. Of course, just by typing a command followed by --help you'll get the same information, but it is nice to have it all compiled in a handy hardcopy form. There are a couple of ways you can set permissions with the GUI and save yourself a lot of repetitive typing. One is to use Krusader or Nautilus and simply right-click on a directory, and go to 'properties'. If you're root, you can make sure that user a can't access user b's files.
But don't go wild here: there are numerous directories, config files, executables, etc., that users need access to for Linux to run properly. If you're at a loss to select which directories and files need strict permissions and which don't, then your distro probably has some sort of interface with a menu of pre-set rules which you can choose from and apply globally as root. This will usually be called something like 'security settings', and the options will usually be named something like 'easy, secure and paranoid'. 'Secure' is probably as far as you need to go. Chances are this will forbid root logins except via the command line, so it's best to get all your tinkering done beforehand in the root GUI account, where things are more familiar to recovering Windoze users. After that, you'll have to open a shell or supply the root password to the distro's 'control center' from your user account. This is definitely the right way to run a Linux machine so long as you're basically satisfied with how it's set up. In many households, several people may have user accounts on the same box. Consider carefully whether these people are friends, or mere flatmates and acquaintances. If you're using a machine you don't own, then you have to ask yourself whether or not you trust the owner. If you don't trust root personally, then don't use his kit for anything you wouldn't document and publish freely. Root knows everything you do on his machine. Worse, and far more likely, he may be a well-meaning idiot who maintains a totally insecure machine connected 24/7 to the Net. Conversely, if you are root and the box is shared, make sure you trust the people using it. Giving a user account to someone you're sketchy about is a security risk, much like leaving them in your office or bedroom unsupervised. They may know more than you about how to compromise a machine from within, which is a lot easier than compromising it from without. 
The best thing to do with a shared machine is to encrypt files you want to keep private. So get familiar with GnuPG. Just remember that root has access to your private and public keys, and can run a keystroke logger on the box and get your crypto passphrase. So as I said, if you don't trust root, don't use his machine for anything private. Period. Is he a mere acquaintance? Is he a loyal little soldier of your employer? Then screw him. Crypto is useless in that situation. Ditto for all computer equipment you use at work, in public libraries, or Internet cafes.

On the other hand, if you're the machine's owner and you trust your users, or you're a user and you trust the owner, then you should encrypt, though you must be careful to choose a strong passphrase: a nice, long one combining upper and lower-case letters, numbers and special characters. Use a phrase that's easy to remember but extremely difficult to guess or bruteforce. I recommend using a short, grammatically-valid sentence that makes no sense, like 'sleazy bricks applaud sideways'. Now misspell some of the words and substitute characters in a way that's easy to remember, so it looks something like this: 'sl33Z1E bR1@k$ apPL4ud s!d3w^yz'. Note that we've substituted numbers and special characters that, at least vaguely, resemble the letters they're standing in for to make it easier to memorize.

You should also make a backup of your GPG keys and revocation certs, and store that on removable media in a safe place. It's also a good idea to submit your public key and, if ever necessary, your revocation cert, to a keyserver. If you don't know what I'm talking about, then follow that GnuPG link above and start reading. This is a good thing, and it's free. Use it.
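An added example, not part of the original article or of this bulletin: on a shared box, the other user accounts should not be able to read your GnuPG keyring, and this sketch checks for that and tightens the modes. The function names are this example's own, and the default path assumes GnuPG's usual ~/.gnupg home directory.

```shell
#!/bin/sh
# Audit and tighten permissions on a GnuPG home directory.
# audit_gnupg and tighten_gnupg are names made up for this example.

# audit_gnupg [DIR]
# Print every entry under DIR that group or "other" may read, write or
# execute, or that is owned by a different user.
# Returns 0 if clean, 1 if anything was found, 2 if DIR does not exist.
audit_gnupg() {
    dir=${1:-$HOME/.gnupg}
    if [ ! -d "$dir" ]; then
        echo "audit_gnupg: no such directory: $dir" >&2
        return 2
    fi
    # "-perm -NNN" matches when every bit in NNN is set, so the six tests
    # cover r, w and x for group and for other. Symlinks are skipped
    # because their own mode bits carry no meaning.
    findings=$(find "$dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 -o \
        ! -user "$(id -u)" \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# tighten_gnupg [DIR]
# Set directories to 700 and regular files to 600. Wrong ownership is
# reported by audit_gnupg but not changed here; that needs root and a
# decision about why the file belongs to someone else.
tighten_gnupg() {
    dir=${1:-$HOME/.gnupg}
    [ -d "$dir" ] || return 2
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}
```

Source the file, run audit_gnupg from your user account, and run tighten_gnupg only if it lists something.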
Your account passwords, especially the root password, should be long and hard, and you should use MD5 encryption for them and set a time of ten or fifteen seconds between unsuccessful logins to prevent brute force and dictionary attacks (you'll find these options in the 'security settings' interface). Don't use a root password of fewer than ten characters, and always combine upper and lower-case letters, numbers and special characters. But since there are a number of ways into any machine, the most important thing of all is your crypto passphrase. Put the time and effort into devising and memorizing one which, like our example, is very troublesome to crack. And make sure you have strict file permissions on the .gnupg directories. Only root and the specific relevant users should have access.

Hygiene

Every computer collects files the way a kitchen drawer collects junk. Over time, many of these become irrelevant, yet they may contain information one would like to keep private. A good rule of thumb is, never encrypt when you can wipe. The last thing you need is a directory full of useless, irrelevant files. This only makes it more time-consuming to manage sensibly the ones you do need. Go through your personal files regularly and use a proper wipe utility to erase the ones you no longer need. Understand that deleting is nothing; to get rid of a file you have to wipe it. Those files you wish to archive should be encrypted and copied to a separate directory or removable media, and their originals wiped. The easiest way to do a proper wipe is using Krusader or Nautilus and selecting 'shred' instead of 'delete'.

Another notorious junk collector is the Linux swap partition, a holdover from the days when RAM was expensive and difficult to buy in fat chunks. It's possible to encrypt it, but probably a bit over the top for a primer like this and certainly a performance damper. A simpler approach is to do away with it.
I'm running a 2.4.18 kernel with 512MB of RAM and no swap partition, and I can't detect any performance hit. Indeed, if anything the system runs better than it did. If you can afford it, and nowadays it's easy, I recommend strapping on extra RAM and just not swapping memory to disk. You never know what's going to end up there, or how long it's going to remain. Crypto programs are supposed to protect memory blocks used and not swap them out. So what? Are you absolutely certain there's no way the designers of the program you're using could have made some obscure mistake which in turn could leave traces of crucial data in the swap file? I didn't think so.

The IP battle zone

Now you've purged your Linux box of unnecessary daemons, you've set your file permissions sensibly, you're working happily from a user account, and you've got encryption protecting your digital sanctum sanctorum. It's time to protect yourself from worms and rootkits and malicious sites and evil scripts and the on-line pestilence of kiddiots trying to break into your box and Web merchants who couldn't secure a bowling ball much less your personal data on their lame II$ machine and nosey Feds and incompetent ISPs and so-called 'Trust Authorities' who have idiotically sold digital certs to hackers. Maybe you should buy a hardware firewall, or an Intrusion Detection System (IDS), or an e-mail virus scanner, or an anonymous proxy service? Or maybe you should just use your head and stop worrying. Here's how:

There are two things you need to have, and two things you need to do. The first thing you need to have is a packet filter, otherwise known as a firewall. Well, you've got one: in the 2.2.x kernel it's called ipchains and in the 2.4.x kernel iptables. The frontends are called Bastille on Mandrake (which adjusts other security options as well) and SuSE Firewall-2 on, what else, SuSE. (Most everyone can use Bastille, by the way.)
I don't play with Dead Rat, so you guys will have to figure out what yours is called. Now configure it and shut off everything unless you're running a server (and if you're a newbie you really shouldn't be doing that just yet).

The next thing you need to have is a proxy. Quite simply, a proxy is a remote machine through which you connect to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs. There are huge lists of free public proxies you can use, but most will be dead by the time you find them. Just Google on 'free proxy list' and you'll find them easily, for what that's worth. I like a Socks proxy when I can get one because they're non-caching and a lot of IP clients support them. But they're very hard to find and they never last long. Once they start getting popular the admins always figure out why their bandwidth use is going through the roof and pass-protect them. Bastards.

On the other hand, HTTP Proxies can be chained for additional Web anonymity. This is accomplished by constructing a URL thus and copying it into your browser's address field:

http://firstproxy:portnumber/http://secondproxy:portnumber/http://thirdproxy:portnumber/http://www.destination.com

There are no spaces in the above configuration. This can be done in addition to any proxy you've loaded in your browser normally with its setup options. Take a look at this older article, related to Windows, in which finding and using proxies is elaborated. The information is fairly general, and may well be of value to a Linux user.

Because public proxies are uncertain, this is one area where spending a bit of money may be worthwhile. Anonymizer.com has a proxy service which uses SSH tunneling, which, unlike most security services, is IMHO worth the investment. Here's how it works: you use SSH (Secure Shell) to log in to Anonymizer's proxy server.
This means that your ISP can't sniff your traffic to the proxy effectively because it will be encrypted. Once you're on the proxy, everything you send and receive from it will be anonymous. Only Anonymizer.com will be able to associate you with the data you've sent and fetched. That's not perfect, but it's not bad. They have a serious financial interest in protecting your anonymity. I would assume that they'd only respond to a court order signed by a judge. If they blow that, and it gets out, they'll be out of business in a heartbeat.

Unfortunately, they have little in the way of Linux support available, but through trial and error I've managed to use this service successfully. You can forward ports to the Anonymizer proxy and use SSH tunneling for your HTTP, FTP, POP and SMTP clients. The way to log in is by busting out a root shell, logging in as root, and typing

    ssh -2 -L 80:cyberpass.net:80 -L 25:smtp.yourmail.com:25 -L 110:pop.yourmail.com:110 cyberpass.net -l yourpass

where yourpass is your pw on the Anonymizer proxy at cyberpass.net. Now you need to set up your e-mail client and browser to use these forwarded ports. For the browser, in proxy settings, enter a proxy of localhost and a port of 80 for HTTP and FTP. In your FTP client, do the same. In your mail client, in 'network', enter localhost and port 25 for SMTP and localhost and port 110 for POP. Now you should be cool.

Ah, but as for your IRC client, pray. You can select an HTTP proxy, but it probably will fail. My favorite Linux IRC client is Xchat, but it returns the error, 'proxy traversal failed' when I use it in conjunction with the Anonymizer HTTP proxy. I e-mailed the x-chat guy z at xchat.org and/or zed at xchat.org asking for insight, but he or she neglected to reply. Perhaps you should email them too and ask what's up. On the other hand, ICQ seems to have no problem with this, if you're using Gaim, for example. IRC will fail, but ICQ will accept the proxy.
That's a good thing -- not a perfect thing, but a good thing. Once you've got this proxy set up and running with SSH and port forwarding, you can use your browser with the Anonymizer Web proxy and their anonymous e-mail for an extra layer of distance from the Net. I've been using the service for several days now, and I like it. That's all I'm saying. Whether you should too is not my call. There's one item causing me some concern which I must reveal. While surfing the Net with an SSH connection to the Anonymizer proxy at cyberpass.net, with Java and JavaScript disabled in my browser, but not using the Anonymizer Web proxy, I found that ShieldsUp at grc.com and its mighty nanoprobes were able to get my true IP address because there's no SSL support so far as I know. For browsing I can always use the Anonymizer Web proxy, fine. But for the rest of my services I want to know that the SSH proxy alone is secure. After experimenting with it for a few days, I'm not confident that it is. Nevertheless, I like it. I just don't trust it completely, and neither should you. So much for the two things you need to have. Now let's discuss the two things you need to do. The first thing you need to do is disable Java and JavaScript in your browser, and HTML rendering in your e-mail client. Unlike Windows, Linux makes this easy. It will leave you safe from a vast number of malicious scripts. From time to time it will be necessary to enable Java and Javascript for access to certain Web sites. Turn it on when you need it, and turn it off when you're finished. Think of it as a tax on your Internet security. Always keep it off unless you need it, or use a Web proxy which supports it. The second thing you need to do is shut off your modem when your box is not in active Internet service. There are reasons why you might want to leave the machine running 24/7, all right; but there's no reason to leave it connected to the Net when you go away on holiday. 
We satirized the PathLock Internet timer; but that doesn't mean there's no reason to disconnect from the WibblyWobbly when it's of no use to you. Make it a habit.

As for your browser, run it tight. Don't allow Java and JavaScript except where necessary; don't allow the browser to save form-data; don't allow it to save passwords to important sites like your bank. Wipe your cookies, browser cache, URL history and typed URLs regularly. Never add a kiddie-porn BBS to your bookmarks. Get my drift?

Paranoia without anxiety

It's healthy to be paranoid, but grossly unhealthy and quite unnecessary to be riddled with anxiety. By using common sense and layers of protection, you can make yourself an unattractive target. By being paranoid in a healthy way, I mean quite simply that you must never trust anything. I definitely don't mean 'be afraid'.

There's a whole anti-virus and computer-security indu$try devoted to frightening you with constant reference to imminent threats to your on-line privacy and integrity. It's very much in their financial interest that you be frightened at all times and that new threats surface regularly to revive that profitable public-anxiety as older threats fade into memory. Who gives a shit about Melissa? Phear nimda... And all the while, the word these parasites throw around most often is 'trust'. I'll pay fifty dollars US (no shit) to the first Reg reader who forwards me an unedited press release from a security vendor in which the word 'trust' is absent.

But here's the truth -- the kernel of the security industry's filthy little secret: the only reason you're vulnerable is because you trust. So for God's sake stop doing it. Don't trust your firewall; don't trust your proxy; don't trust crypto; don't trust SSL or SSH; don't trust your software vendor; don't trust files you get from anywhere, including your friends and 'official' download sites; don't trust patches; don't trust your file-wipe utility. Hell, don't trust me.
Trust only what you're absolutely certain of.

In the past month or two we've seen a back-doored version of SSH; we've seen that SSL, universally trusted for secure Web transactions, is vulnerable; we've seen a PGP plugin for Outlook that coughs up your passphrase, not due to a flaw in the algorithm or cryptosystem, but because the application is susceptible to a buffer overflow. We've also seen a man-in-the-middle attack against PGP and GPG. You've got three layers there, algorithm, cryptosystem and application, any one of which might be broken in any number of ways. Do you know how to spot a flaw in a complex piece of software like that? I didn't think so. And then of course there are key loggers, packet sniffers, Trojans, rootkits, and the 0-day remote exploits which only a handful of people know about and for which there are no patches, and for which there may never be any patches.

Stop the insanity

By all means use security utilities, but never trust them fully. Layer them, apply common sense, and always assume that no matter what you do, there will always be several ways to compromise your privacy and security. The whole game is to leave the smallest footprint possible on the Web, never to trust other people's equipment, and to make your box a pain in the neck to crack so that ninety-five per cent of attackers will simply move on to one of the millions of easier targets hooked up out there. But be assured that nothing will make a compromise impossible except keeping your computer in a locked, heavy-duty vault with no Internet access, which of course is no fun at all.
But to compute and to surf the Web without anxiety, there's an easy answer: simply refuse to trust your machine, any network whether local or remote, any security device or service, any crypto scheme, any Draconian laws against hacking, any ridiculous claims of 'Trustworthy Computing', any shiny digital certificate, any 'Trust Authority', any local client, or any remote host with any scrap of data you simply can't afford to lose control of. Now you're paranoid in a healthy way, and blissfully free from anxiety. Your computer, his network server, their shopping cart -- these things aren't the digital equivalent of bank vaults. So don't listen to the marketing-department drivel about how 'secure' these things can be made. Never -- absolutely never -- treat these things as if they were the digital equivalent of bank vaults, and move on and enjoy your life. You'll find that the air smells fresher, that food tastes better, and that you wake every day with more energy and confidence than you've had in years. If you're sensible and cautious, applying the common-sense suggestions we've just considered, the odds against getting compromised will be very much in your favor. But just remember that, regardless of the odds, it's mad to wager something you can't afford to lose. Your credit-card number is no big deal: your total liability is fifty bucks and you can get a new one in a week or so. Your credit card number, Social Security number, name, date of birth and address packaged all together is a far greater worry, so never give out more information than absolutely necessary to complete a transaction. Never allow merchant sites to store such information. If they insist on it, do business elsewhere. Don't let your browser save form-data, or passwords to important Web sites like your bank. Use a packet-filter and a proxy. Wipe your browser history, URL history, page cache and cookies regularly. If your browser doesn't make all of those steps easy for you, use a different one. 
You've got the power of the Penguin behind you; you've got alternatives. Shop around for a good browser. Personally, I like Mozilla. That doesn't mean you have to. Now tighten up that machine, get on-line, and relax and enjoy the ride.

Security-news note: We've removed a paragraph at the end here which advises people not to even bother using crypto on a laptop because it might get stolen. That's exactly the reason *to* use crypto on a laptop - so that if it gets stolen, your user data at least remains unintelligible to the thief.

***************************************************************
Security-news
Good computer security is no substitute for good sense!
To sub or unsub - http://resist.ca/mailman/listinfo/security-news
***************************************************************
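For the housecleaning step in "Options up the butt" (finding services you did not know were running), here is an added example that is not part of the original article or bulletin: it filters a socket listing down to the TCP listeners reachable from outside the machine. It assumes the iproute2 `ss` tool is installed; the function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# exposed_listeners: read `ss -Hltn` output on stdin and print
# "PORT ADDRESS" for every TCP listener bound to a non-loopback address.
# Listeners on 127.0.0.0/8 or ::1 are only reachable from the box itself.
exposed_listeners() {
    awk '
    {
        # Locate the State column so an optional leading Netid column
        # (as printed by `ss -ltun`) does not shift the fields.
        ep = ""
        for (i = 1; i <= NF; i++)
            if ($i == "LISTEN") { ep = $(i + 3); break }
        if (ep == "") next

        # The port is whatever follows the last colon; IPv6 addresses
        # contain colons themselves, so take the final piece.
        n = split(ep, part, ":")
        port = part[n]
        addr = substr(ep, 1, length(ep) - length(port) - 1)
        sub(/%.*$/, "", addr)          # drop scope, e.g. 127.0.0.53%lo

        if (addr ~ /^127\./ || addr == "[::1]") next
        print port, addr
    }' | sort -u -k1,1n -k2,2
}

# Constructed sample in the layout printed by `ss -Hltn`.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      5              [::1]:631          [::]:*
LISTEN 0      128             [::]:6000         [::]:*
LISTEN 0      511                *:80              *:*
EOF
}

# On a live machine:  ss -Hltn | exposed_listeners
# Against the sample: sample_ss_output | exposed_listeners
```

Each line of output is a service to identify and, if you do not need it, switch off in the runlevel editor or /etc/init.d as the article describes.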