[security-news] Security-News Bulletin #1 - July 23, 2002
Security News Admin
secure at resist.ca
Tue Jul 23 22:28:33 PDT 2002
*****************************************************************************
Security-news <security-news at resist.ca>
A security bulletin for the inspired resistance movement
Produced by the folks who bring you http://security.tao.ca
*****************************************************************************
July 23rd, 2002
Hello, and welcome to the first ever security bulletin put out by the folks
at http://security.tao.ca - Our goal is to empower activists to make educated security
decisions concerning their work and to highlight trends in government and
policing that may be of interest to those who routinely counter the state security
apparatus. We intend this to be a bi-weekly newsletter that will include security updates,
tips and tricks, security.tao.ca updates, news stories and factoids for both technical and
non-technical audiences. Please let us know what you would like to see, or forward us
items for inclusion to secure at resist.ca (feedback on this bulletin would be great too!).
**********************************
Security-news: Issue #1 - Contents
**********************************
* Security tip of the week
* Updates to security.tao.ca
* News Item: US wants to use military for domestic policing
* News Item: US development of new non-lethal weapons
* How-to: SILC Tips and Tricks
*****
Security Tip of the Week: Secure Storage of Private Keys
*****
For optimum security, private keys used in encryption schemes should be stored on removable
media that can be carried on your person, or locked in a secure (and secret) place. This cuts
down the possibility of your private key being stolen from your home computer or laptop. Even
if someone manages to steal your passphrase with the use of key logging technology, they
cannot decrypt messages intended for you without this private key. (Note however that floppy
disks are the least reliable of all the removable media forms.)
*****
Updates to http://security.tao.ca
*****
After a long hiatus, we have started updating security.tao.ca again! This week we cleared out
a lot of dead links (almost finished), added new and updated links to most sections, and
completed a new page on KeyLoggers, Trojans and Backdoors which is available at
http://security.tao.ca/keylog.shtml
*****
News Item: US wants to use military for domestic policing
*****
U.S. Mulls Military's Domestic Role
Sun Jul 21, 11:31 PM ET
By SCOTT LINDLAW, Associated Press Writer
WASHINGTON (AP) - Homeland security chief Tom Ridge says the threat of terrorism may force
government planners to consider using the military for domestic law enforcement, now largely
prohibited by federal law.
President Bush has called on Congress to thoroughly review the law that
bans the Army, Navy, Air Force and Marines from participating in arrests, searches, seizure
of evidence and other police-type activity on U.S. soil. The Coast Guard and National Guard
troops under the control of state governors are excluded from the Reconstruction-era law,
known as the "Posse Comitatus Act."
This is only a snippet of an article - the complete article and others on this topic can be
found at:
* http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/ap_on_go_pr_wh/homeland_security_9
* http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020721/ts_nm/congress_homeland_military_dc_5
* http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020722/ap_wo_en_ge/philippines_arroyo_6
Security-news comment: We have a hard time believing that once the posse comitatus law is
changed, the US government will only use the military in times of real crisis. Given that
they want to be able to use the military in situations involving "terrorism", and given that
the US government has increasingly defined activist work as "terrorist", we don't think it
will be long before the US military is regularly on the streets facing off against those who
dare dissent against government policy.
*****
News Item: US development of new non-lethal weapons
*****
June 21, 2002
U.S. developing new non-lethal weapons
Bloomberg
WASHINGTON - The U.S. military is developing an array of futuristic non-lethal
weapons, such as an energy beam that causes pain without burning and bacteria
that will eat asphalt and body armour, Time magazine is reporting.
The weapons are being researched to help soldiers who are increasingly put in
peacekeeping roles, the magazine said. Human rights advocates say new weapons may
violate international laws banning the use of chemical or biological agents.
The Air Force Research Laboratory has devised a $65-million Cdn energy weapon
that delivers a painful sensation without burning its target, and the Southwest
Research Institute in Texas created an anti-traction gel so slippery no one can
walk or drive on it. Other devices in the works include ray guns, gases that emit
foul odours and nets, according to the magazine, citing interviews with
scientists, public documents and material obtained under the Freedom of
Information Act.
Amnesty International and other human rights groups say some projects such as the
asphalt-eating bacteria or efforts to create fast-acting opiates for use on
crowds, may violate international laws. Those weapons might be obtained by
regimes to put down political dissent, says Steve Wright, founder of the Omega
Foundation that monitors non-lethal weapons.
*****
How-to: SILC Tips and Tricks
*****
by epsas at linefeed.org
The full version of this with working links is at
http://notes.techfed.net/index.php/SILCTipsAndTricks
--------------------------------------------------------------------------------
If you don't know what SILC is - please check out http://www.silcnet.org - basically SILC
allows for encrypted real-time conversations over networks.
Creating and Using Private Key (+k) Channels
Setting a private key for channel means that only the users on the channel who know the key
are able to encrypt and decrypt messages. Servers do not know the key at all.
-- SILC FAQ (http://www.silcnet.org/?page=faq#f3_100)
In theory, members of a private key (+k) channel can collaborate securely even when their
SILC server is compromised. Users of the +k channel are responsible for distributing a
private key among themselves. Transmitting the secret key for a +k channel over the SILC
network is self-defeating: if the SILC server is compromised, a malicious attacker
(Mallory) can steal the private key.
Instructions for creating a private key (+k) channel
Join a SILC network and create a channel:
/JOIN #sekretchannel
As 'channel founder', set the mode of the channel to (+k):
/CMODE #sekretchannel +k
After +k mode is set, the old channel key (originally distributed by the SILC server) is
discarded.
Set the SILC client to use a private key for this channel:
/KEY CHANNEL #sekretchannel SET oursekretkey
Other users must use the same 'passphrase' to communicate on the private key channel:
/JOIN #sekretchannel
/KEY CHANNEL #sekretchannel SET oursekretkey
The channel founder can change the 'passphrase' of a channel by issuing a new KEY command:
/KEY CHANNEL #sekretchannel SET sekretkeywithrandomdata3DF#f3w48cnOc03
--------------------------------------------------------------------------------
Securely Negotiating a Shared Secret over the Internet
The Diffie-Hellman key agreement protocol (also called exponential key agreement) was
developed by Diffie and Hellman in 1976 and published in the ground-breaking paper "New
Directions in Cryptography." The protocol allows two users to exchange a secret key over an
insecure medium without any prior secrets.
dh.py from Magaf.Org is a freely available implementation of the Diffie-Hellman key exchange
protocol. In this example, a shared secret is negotiated between Alice and Bob, two
hypothetical individuals.
More information about Alice and Bob (Mallory too!)
Using dh.py to negotiate a shared secret
Alice and Bob meet each other on a public SILC channel, #polynesian-finches. After a few
hours of enthralling conversation, Alice proposes they move discussion to a private
channel. Alice and Bob know that Mallory, their scientific arch-nemesis, has root
(Administrator privileges) on the SILC server. Alice and Bob decide to use Diffie-Hellman to
exchange a shared secret to use as a private channel key.
Alice and Bob install dh.py and a Python interpreter on their computers.
Alice runs dh.py, which first creates a public key:
bash-2.05$ python dh.py
Copy your public key and send to other:
bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA==
Bob also runs dh.py.
Alice sends her public key to Bob over SILC:
<@Alice> Bob, here is my Public Key
<@Alice> bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
<@Alice> qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA==
Bob does the same:
<Bob> Alice, here is my Public Key:
<Bob> bDQAAAB/CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
<Bob> +mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA==
Alice pastes Bob's public key into dh.py:
Paste other's public key (end with an empty line):
:bDQAAAB/CfR4emA7Q1BLa26ScUdHNEPgQUZh02RXcuA8k1aWTlYr0SdyHQlEpQyvanUeqWMWAaQe
:+mK5PHB3YTNfHCAYoRNoCdQC7GRDROwz8z7Bb/BAaBB9QQxMnAb4SwFeRV1pARs6qEEEAA==
:
Shared secret is '752945657969338543110531'.
For public verification: '827050' (This is not secret)
Bob does the same with Alice's public key:
Paste other's public key (end with an empty line):
:bDQAAACzLsg2IU9iEEFPKRgkbGYJqjnmEodJe1/yYgAxQwDJB1E3kQ/0SOArzXL0XTwJAjwqKVVq
:qGCecY8H6XuXVBd5tSn+TgEBSg8zevhP7RXdVaUMMkC5Bj8v2HnLV/UORhtdb9YZk2QHAA==
:
Shared secret is '752945657969338543110531'.
For public verification: '827050' (This is not secret)
Alice and Bob make sure that they created the same shared secret. They do this by sharing the
'public verification' over SILC:
<@Alice> Hey Bob, did you get this: 827050 ?
<Bob> Yup, I did!
<@Alice> Meet you in #sekretornithology
At this point, Alice and Bob can create a private key channel (+k) using their shared secret
('752945657969338543110531') as the 'passphrase'.
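
The exchange above, reproduced as an added Python example; it is not dh.py and not code from the original how-to. The RFC 3526 group 14 parameters, the SHA-256 derivation of the passphrase and verification code, and all function names are assumptions, since the page does not show dh.py's internals. It also shows what the 'public verification' step catches: if a relay replaces the public values in transit, the two sides compute different codes.

```python
import hashlib
import secrets

# Assumption: 2048-bit MODP group 14 from RFC 3526, generator 2.
# The page does not show which parameters dh.py itself uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SIZE = (P.bit_length() + 7) // 8

def keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]
    return x, pow(G, x, P)

def derive(my_private, peer_public):
    """Return (channel passphrase, short public verification code)."""
    # Reject 0, 1 and p-1: they force a secret anyone can predict.
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    z = pow(peer_public, my_private, P).to_bytes(SIZE, "big")
    passphrase = hashlib.sha256(b"channel-key:" + z).hexdigest()
    verify = hashlib.sha256(b"verify:" + z).hexdigest()[:12]
    return passphrase, verify

def honest_exchange():
    """Alice and Bob receive each other's real public values."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return derive(a_priv, b_pub), derive(b_priv, a_pub)

def substituted_exchange():
    """Model a relay that replaces both public values with its own."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, m_pub = keypair()
    return derive(a_priv, m_pub), derive(b_priv, m_pub)
```

A mismatch in the verification codes means the public values were altered in transit. The comparison is only as trustworthy as the channel it is made over, so compare the code by voice or in person where possible.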
***********************************************************************************
Security-news <security-news at resist.ca>
A security bulletin for the inspired resistance movement
To unsub from this list, please go to http://resist.ca/mailman/listinfo/security-news
***********************************************************************************