The Squirrel project
Privacy is one of the basic human rights. Most people would
agree with this statement.
The problem today is that our privacy is under attack.
In theory our governments should guard our rights. Rights
which most governments have agreed to and ratified:
United Nations Declaration of Human Rights (UDHR) 1948,
Article 12: “No one shall be subjected to arbitrary
interference with his privacy, family, home or correspondence,
nor to attacks upon his honor and reputation.
Everyone has the right to the protection of the law against
such interference or attacks.”
International Covenant on Civil and Political Rights (ICCPR)
1966, Article 1: No one shall be subjected to arbitrary
or unlawful interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his honor or
reputation.
Everyone has the right to the protection of the law against
such interference or attacks.
In practice, big corporations such as Facebook, Google and
Microsoft have taken away our privacy. They monitor what we
search for on the internet and when. Governments should uphold
their respective constitutions and laws, but in practice they
too participate in mass surveillance of their citizens. When
Edward Snowden exposed the problem and pointed out that mass
surveillance is a direct violation of the U.S. Constitution, he
became public enemy number one, a "traitor" vilified by the
media and a fugitive.
You can forget about a fair trial in a case like that, expect
a witch hunt, all in the name of "national security".
If you have an Android phone on you, chances are that Google
knows where you are, and it doesn't matter
whether you have switched GPS off in your phone. They wrote
the software, and they can secretly switch
on your GPS, microphone, camera, etc. without telling you.
Perfect spy device, except the user is the victim, not the
controller.
I never had an account on Facebook, so I am not willingly
participating in big data collection, but I do have an Android
phone.
I resisted for a long time, but there are real-life situations
when having internet access while traveling can be really
helpful.
These days you can look for bus and train schedules online,
find hotels. Obvious things I don't have to explain here.
Normally I leave my Android phone at home. I have a second
phone, a good old Nokia without GPS, and I use this one every day.
For a long time I was wondering how to communicate secretly
and securely over an insecure medium such as the Internet.
There are free and open source tools such as PGP, but for most
users they will be hard to use since they require
the knowledge of the terminal command line. There are free
mail clients, which use PGP for encryption,
but configuration of such tools takes time and is not easy for
a non-technical person.
There is a very nice OpenPGP encryption applet in the Linux
distribution I use, but it stopped working in the most recent
version.
Is it by mistake or by design? Is somebody trying to
discourage people from using cryptography? I don't know.
There is one more thing to consider. Encrypted communication
in emails may be viewed as suspicious and attract
unwanted attention and even questioning in some situations or
some countries. Here is where steganography helps
by hiding even the very fact that such secret communication
takes place. Perfect plausible deniability.
What is steganography?
If I was to explain it in one sentence:
Steganography is an art (and a science) of concealing secret
messages in images, sounds and videos.
It was and still is used by spies and secret agents all over
the world.
There are hundreds if not thousands of steganographic
techniques, including secret inks, microdots and
photosensitive glass.
With the advent of personal computers, a new field of digital
steganography appeared.
If you haven't heard about it, then I can recommend the
Wikipedia article:
https://en.wikipedia.org/wiki/Steganography
Wikipedia also explains:
"The advantage of steganography over cryptography alone is
that the intended secret message
does not attract attention to itself as an object of scrutiny.
Plainly visible encrypted messages, no matter how unbreakable
they are, arouse interest
and may in themselves be incriminating in countries in which
encryption is illegal."
That is it. A secret hidden in plain sight.
I decided to write a program that would facilitate the use of
digital steganography and cryptography.
The program is called Squirrel and, if used correctly, can
provide a way of covert communication over the internet.
But the program itself is not a silver bullet. There are other
things to consider to achieve internet security and anonymity.
The first such thing is the web browser itself. Most browsers
give away information in the form of tracking cookies.
There is a good web page explaining the problem with most web
browsers:
https://digdeeper.neocities.org/ghost/browsers.html
At the very least use the uBlock Origin add-on in your browser,
which will filter out most of the tracking
such as Google, Facebook and many others.
The second thing is the operating system. I would not use
Windows for the Internet, if I were you.
Use Linux. There are distributions such as Ubuntu and openSUSE
which are as easy to use as Windows,
and they are less likely to spy on you.
The third thing is the VPN. Good thing to have. It will hide
your IP address, but again, it is not a silver bullet.
Things you search for in Google or on YouTube will help to
identify you.
Please also bear in mind that most VPN providers keep logs of
your TCP/HTTP connections
and will provide them to authorities in case you are doing
something illegal.
I am not trying to encourage illegal behaviour, it is just a
warning.
https://www.iplocation.net/find-ip-address
Here is what that website knows about me (the browser reports
its name, version, operating system,
and even the monitor resolution I use). At least my IP address
is the VPN's IP address, not my own.
IPv4 Address | 194.99.106.XX |
IPv6 Address | Not detected |
IP Location | Paris, Ile-de-France (FR) |
Proxy | 194.99.106.XX, 194.99.106.XX |
Device Type | Linux |
OS | Ubuntu |
Browser | Firefox |
User Agent | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0)... |
Screen Size | 1920px X 1080px |
Cookie | Enabled |
Javascript | Enabled |
The fourth thing is TOR. Better thing than VPN, but again, not
a silver bullet. It will provide better anonymity than
VPN, but American three letter agencies run some TOR nodes and
are capable of performing de-anonymising
attacks. Hard to know for sure what their capabilities are,
they are not bragging about it. I guess it costs them
money to perform such an attack, so they have to have a
good reason to do it. Therefore TOR should be safe
for most normal users most of the time.
The fifth thing is the Tails Linux operating system. I would
suggest getting familiar with this distribution of Linux.
https://tails.boum.org/
https://tails.boum.org/about/index.en.html
Here is the warning, I will discuss it later:
https://www.youtube.com/watch?v=sNYsfUNegEA
The sixth thing to consider is compartmentalization of your
everyday internet activities. For instance, you can use a
virtual machine for browsing the internet, a separate virtual
machine for chats, IRC, XMPP etc. If a virtual machine
contains just a fresh installation of an operating system and
a browser, then even if somebody breaks into that
virtual machine through the browser or chat client they won't
be able to steal any information, because simply
that information won't be there. I suspect that three letter
agencies will be able to perform an attack where they
can escape the virtual machine into the host computer, but
most normal users are not their target, so they can
sleep well. The reason why such attacks are even possible is
that unfortunately all computers we are running are
corrupt - there is a secret RISC processor within your Intel
or AMD processor. That secret processor is running
Minix operating system and has access to all resources of your
computer even before your computer has booted
your operating system. Because it is secret, you have to
assume the worst scenario - it is spying on you, logging
your keystrokes even before your operating system has booted
(so forget about your hard drive encryption
password - it can be intercepted). Also you have to assume
worst case for all your firewalls - three letter agencies
are probably capable of breaking through all of them, which
brings me to the last (but not least) thing:
The seventh thing to consider is to use air-gap communication:
https://en.wikipedia.org/wiki/Air_gap_(networking)
https://en.wikipedia.org/wiki/Red/black_concept
where all your encryption and steganography activities are
performed on a "Red" computer which IS PERMANENTLY
DISCONNECTED from the network (with wifi card completely
removed), and then images containing secret messages
are securely transmitted to a "Black" computer by means other
than Ethernet / IP protocol.
The idea is that no unencrypted (or even encrypted as text)
data should exist on a black computer. Only the images.
How to transfer images between Red and Black computers?
Either through USB stick, or Zmodem protocol between two
serial terminals. Ideally red computer would be in a
Faraday cage, but you must have a very good reason to go this
far - or be a very paranoid person. Normally
disconnecting wifi and bluetooth card from your "Red" laptop
should do the trick. Connect serial ports between
Red and Black computers only during transmission of the file.
USB Serial ports these days are much faster than
115'200 baud. You should get 921'600 baud on an FTDI USB to
serial adapter, and even more on a Prolific PL2303
USB to serial adapter. These adapters do not require any
drivers on Linux - support is built into the Linux kernel.
A USB stick is not secure on Windows, but this goes without
saying. If you went this far then you are surely not
using Windows, are you?
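The rule above (only images may reach the Black computer) can be checked on the Red side before every transfer. The sketch below is an added example, not part of Squirrel: the outbox/inbox folders and all function names are assumptions. It refuses anything that does not start with an image file signature and records a SHA-256 digest per image so the copy that arrives on Black can be compared after the USB or Zmodem transfer.

```python
import hashlib
from pathlib import Path

# File signatures (leading bytes) of the image formats allowed to leave Red.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def image_type(data: bytes):
    """Return the image type whose signature starts the data, else None."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def audit_outbox(outbox: Path):
    """Red side: return (manifest, rejected) for a hypothetical outbox folder.

    manifest maps file name -> SHA-256 hex digest for files that start with
    an image signature; rejected lists names that must stay on Red.
    """
    manifest, rejected = {}, []
    for path in sorted(outbox.iterdir()):
        # Directories, devices and symlinks are never transferred.
        if path.is_symlink() or not path.is_file():
            rejected.append(path.name)
            continue
        data = path.read_bytes()
        if image_type(data) is None:
            rejected.append(path.name)   # text, keys, PGP armor, archives...
        else:
            manifest[path.name] = hashlib.sha256(data).hexdigest()
    return manifest, rejected

def verify_received(inbox: Path, manifest: dict):
    """Black side: names that are missing or whose bytes changed in transit."""
    bad = []
    for name, digest in manifest.items():
        path = inbox / name
        if not path.is_file():
            bad.append(name)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            bad.append(name)
    return bad
```

The signature check looks only at the first bytes of each file, so it catches text or key files staged by mistake, not a file that merely begins like an image.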
Anyway, computer security is only part of general security.
If three letter agencies are after you
I would be equally concerned about physical security at this
point if I were you. If they know your name and they
are actively trying to find you, then air-gap communication is
not going to help you, it is already too late for that.
The chances are you will be found.
A VPN is not going to help you, most likely you have paid for it
with your credit card, which again, helps to identify you.
Don't get me wrong. I am not trying to encourage criminal
activity here. Criminals already know this stuff way better
than I do.
To be honest, you don't have to be a criminal these days to be
a wanted fugitive. Just name J. Assange or E. Snowden.
In the case of Julian Assange, if exposing government corruption is
a crime for which you can get extradited to the U.S.
then there might be something wrong with a country which calls
itself a democracy.