Economic Privacy

The purpose of this blog will be to discuss how you can have greater individual liberty and economic privacy. The entries in this blog may later form the basis for a school of privacy, or a series of courses in how to stay safe from the surveillance state.

SilentVault Helps You Resist During the War on Cash

Tyrone Sunday February 28, 2016

Several recent news articles and essays on sites like Zerohedge.com and LewRockwell.com reveal a persistent pattern of increasing vehemence in the war against economic privacy, especially in the area of having physical cash or digital cash alternatives. We believe SilentVault has the best technology for securing your economic privacy.

Is there a war on cash?
Yes, there is a war on cash. It is a direct descendant of the war on gold and silver which played out in developed markets between roughly 1872 and 1971. If you want more information about its antecedents, consider the Coinage Act of 1873 and Nixon's abrogation of the Bretton Woods agreement. Since the Nixon Shock of 1971, even copper has been removed from the American one cent coin. Most money in the world, including the Special Drawing Rights which make up the core currency of global finance, are now computer generated values rather than actual paper or specie.

Partly in reaction to the events of the time, Nobel prize-winning economist FA Hayek wrote in 1976, and revised through a third edition in 1990, a short book "The Denationalisation of Money." You can get a copy from Amazon, ABEbooks, or a free download at Mises. If you want to understand the theory of competing currencies, why central bank monetary policies persistently fail, and why people suffer as a result of bad money being issued by governments, Hayek's book is a good place to go.

For some people, there are still traditional types of money. People in Somalia, for example, continue to herd sheep, goats, cows, and camels. Judges in their traditional culture assess compensation from criminals for victims in fines denominated in cattle. Many people still accept gold and silver coins as payment. Since the 14th Century when the mulberry-bark paper money of China became non-redeemable, people in traditional cultures in India and Southeast Asia have preferred payment in copper, silver, and gold coins, or in links of pure gold chain jewellery. At other times, both ancient and recent, people have used tulips, cigarettes, chocolate, animal skins, hunks of iron, silks, salt, and many other things as money. For a time in the first part of this century people in Argentina used warehouse receipts for wheat as a type of money.

Nor has the world been short of innovators in this field. Ithaca Hours and LETS are two examples of local currency concepts, of which there are an enormous number today. Beginning in 1996 with e-gold and continuing with many other examples, a host of digital gold currencies used to be available. And since 2009 a great many crypto-currencies, most notably Bitcoin, have been created.

Meanwhile, credit cards and debit cards have been developed, so that money sometimes is represented by a hunk of plastic. More recently, smart phones have replaced credit and debit cards, illustrating that a great deal of what we think of as money is actually accounting records stored in computer. If you take a look at how central banks and the most central of all, the Bank for International Settlements, work, you can see computer entries form the basis for nearly all the money in the world.

In addition to digitally representing money, banks and publicly traded markets have developed digital representations for stocks, bonds, and commodities. In the gold bug world, we often speak of the "paper gold" market, but it is really not very much on paper. It is more of a digital promissory note gold market, with the understanding that major commodities exchanges, such as Comex, don't require sellers to be able to deliver physical gold. Trades are often settled in "cash" which means more of those computer data entries. Instead of "paper gold," we think of it more as a "garbage gold" market.

The purpose of central banks has been to centralise monetary policies. Monetary policies include how much money is in circulation and what interest rates are charged by the central bank to the member banks of that country or region (in the case of the European central bank). One of the interesting facts about banking is that you cannot lend money at interest, nor accept deposits from other people, without a special licence, in most countries. Nor can ordinary mortals sell financial instruments such as stocks, bonds, or commodities, without broker and dealer licences. It remains possible to create entirely private exchanges, but these are not advertised for fear of falling afoul of the regulatory agencies that watch over the financial industry.

For a very great many years, since at least Alan Greenspan became chairman of the Federal Reserve in 1987, it has been a policy of that central bank, and others around the globe, to keep interest rates artificially low in order to stimulate both financial markets and, in some respects, the economy generally. Today, as a result of decades of such policies, and the related booms and busts caused by these policies, most countries stand at "the zero bound" where interest rates paid by central banks to member banks are either zero or very nearly zero. And, today, it is clear that zero percent interest is not sufficiently attractive to stimulate economic growth.

In several European countries and very recently in Japan, interest rates have been reduced below zero. Now, what does a negative interest rate mean?

Well, if a central bank pays 1% interest to member banks who are required to hold "excess reserves" at that central bank, and there are a trillion dollars on reserve, then that central bank pays ten billion dollars in interest, per year. Suppose they take interest rates to zero? Then they pay no interest on those reserves. Suppose they take interest rates to negative 1%? Then they charge $10 billion a year on those same reserves.

Which means that instead of receiving a benefit for holding onto money, the banks are punished for having money on hand. Of course, the central banks still *require* the banks to have reserves on hand, but with negative interest rates, are motivating banks to go out and lend more, or, at least, that's the theory that is promoted by some in the banking cartel. Of course, since holding capital has a higher cost, the banks are motivated to increase fees, charge interest on deposits, and make up for these losses by lending at higher rates.

Those facts mean that banks will lend to other banks in a different way, and smaller banks that have fewer resources within the system will continue to place money on deposit with larger banks so they can arrange wire transfers and other services for their customers. The same is true for credit unions - and eliminating smaller banks and many credit unions may be an objective of those in the banking sector who wish to further consolidate the industry. People with savings accounts and certificates of deposit are likely to see penalties and fees for having money in the banks. With negative interest rates, the more negative, the worse things get. Everyone with money is penalised for having money.

Aha! You can see there are some loopholes. Obviously, if you have $45,000 in your savings account, and your bank tells you it is going to start charging you interest, you can take your money out of the bank. And maybe you do so, and put it with a stock broker, who, because of his bank's policies, has to charge you interest. So you buy stocks, maybe. Or you buy gold or silver. Or, maybe, you simply go get cash from the bank.

There are, however, already a number of laws in nearly every country that make this attempt to save yourself from punitive negative interest rates very difficult. Banks can, in many countries, refuse to provide you with cash. They can require that you only receive a few thousand dollars at a time, so you would have to go to the bank again and again. Banks have charged fees for taking money at an automatic teller machine (ATM) and as negative interest rates become the way of the world, expect ATM fees to skyrocket.

Into this situation comes the war on cash. Larry Summers, one of the nastiest little rich kids ever in our view, recently proposed, in an editorial eagerly accepted by Jeff Bezos and the Washington Post, that the $100 bill be removed from circulation. Others, in Europe, have called for the elimination of the 500 euro note. In Japan, the stores that sell home safes and vaults have sold out, in recent weeks, and there is a huge demand for the largest bank notes available in Japan. (Part of this situation in Japan relates to recent announcements of negative interest rates; part of it relates to the implementation of the "My Number" policy which forces everyone in Japan to use a slave identity number like the social security number in the USA.) In Cyprus, as recently as 2013, troubled banks were allowed by their government to confiscate deposits from people generally in order to meet some of their obligations during a time when ATMs were shut down and people were not allowed to withdraw all of their funds.

Please don't take our word for it. Go look at around for additional details. The war on cash, which is part of the war on freedom, has been going on for decades. It is coming to a head, because if people and companies can remove their deposits, bankers won't be able to extract money from depositors whenever monetary policies are changed. And, although a great many people are going to be harmed, including elderly people who have been relying on the interest they earn from their savings in banks, the bankers don't care.

The harm to other corporations, especially smaller banks and credit unions, will be enormous. You should expect to see smaller banks going out of business in record numbers allowing for even further consolidation of the banking industry. Alternatives like credit unions may also be eliminated through these negative interest rate policies.

So, what can you do? Actually, there are a lot of good choices, today, that you don't have to try to invent something new or hunt in distant countries, or on other planets, for answers.

One thing that I've seen since 2011 is a small laminated card with a silver dime or silver quarter inside. Any coin store in the United States can provide you with "junk silver" meaning the 90% silver coins of the United States minted prior to and including the year 1964. There are still many millions of these coins available, and while they are still usable in general circulation, they are worth many times their face value because of their silver content. Dime cards and a related invention from 2009, Ron Helwig's Shire Silver and gold wire in a laminated card, represent a reasonable alternative to other forms of cash. If you go to a farmer's market in a smaller community, you can generally find farmers who are quite eager to accept gold and silver as money.

At roughly the same time, 2009 or so, Bitcoin was being developed as a software protocol by Satoshi Nakamoto and others. It was initially disregarded by most people, and only after several years of development did its price increase to the highly attractive $1200+ per bitcoin in December 2013. Because Bitcoin is simply a software protocol, though one that requires considerable "proof of work" to mine into existence, it was immediately possible for other software on similar lines to be developed. For example, where Bitcoin has an upper limit of 21 million Bitcoins, ever, Litecoin has an upper limit of 84 million coins.

Today there are over 630 different "crypto-currencies" and you can go to coinmarketcap.com to learn quite a lot about them. The most widely used is still Bitcoin, which has the largest market cap, the most total transactions, and the largest dollar volume of transactions. You can go to blockchain.info for further details on Bitcoin.

But, as the team here at SilentVault has known and written about for many years, there are difficulties. First, Bitcoin and many other crypto-currencies have a public block chain, so your transactions are not private. Second, that block chain has gigabytes of data, and more every day. Third, many companies that buy and sell Bitcoin attempt to comply with the anti-money-laundering and know-your-customer laws that effectively prevent you from having any economic privacy unless you take a great number of careful steps. And, because of the nature of the mathematics involved, there are upper limits on how many transactions Bitcoin, Litecoin, or the others like them, can actually manage to transact in one hour.

Happily, there are good alternatives. SilentVault allows you to move your Bitcoin, Litecoin, silver, or gold into our SVSpark wallet technology. Our wallets are not new, they have been around for years. The technology is not only designed, it is fully implemented, stress tested, and in active use. SVSpark wallet users don't connect over HTTP, but over a different protocol, XMPP. Strong cryptography and strong log-in techniques protect your wallet contents. Nobody tracks your use, your transactions are not recorded on any central server, there are no records to demand, there is no way to link your IP address to your particular activities, so you have considerable economic privacy.

Transactions in SVSpark are immediate. You don't have to await confirmations after your funds are in your wallet. Payments are irrevocable, once the receiving wallet picks them up. If someone loses control of a wallet, there is no lost payment, since those payments that are not picked up within seven days are returned to the sender. There is a built-in exchange system so people can buy and sell vouchers for gold, silver, Bitcoin, and Litecoin. That exchange, built for the SilentVault enterprise and, thus, called SVX or SilentVault Exchange, has a built-in escrow capability. Similarly, there is a marketplaces aspect of the wallet where businesses can establish store-fronts to offer goods, services, games, or information. SilentVault team members are in contact with prospective currency issuers, merchants, and users and expect to expand the number and types of currencies available.

We believe that because the different types of money available in SilentVault wallets have similar properties of anonymity, immediacy of use, and privacy of ownership, that it is accurate to describe them as cash. So, in the war on cash, we are very much on your side and against the oligarchs, central banks, Keynesians, and government agencies seeking to destroy your wealth.

Quote from Tyrone Johnson on philosophical issues

Be Motivated

Tyrone Thursday December 3, 2015

Whenever I see a news story or essay about privacy, I am motivated to convey that information to others. You can keep up with some of my findings by following the @SilentVault or the @DigitalCashAlly Twitter feeds, for example. As well, I find these articles to be very motivating in the area of protecting my privacy.

Just as talk of gun control seems to inspire ever larger numbers of Americans to go out and buy more guns (reaching a new record, as far as those having instant background checks, on "Black Friday" this year), talk of invasions of privacy inspire me to protect my privacy.

Here's an article that you should read. As William Grigg reports, drone pilots who spoke out against the slaughter of civilians by American military drone operators, including themselves, have had their bank accounts and credit cards frozen. Now, if you think that speaking out was bad for Chelsea Manning, and I believe she has suffered egregious consequences for speaking out about US government behaviour, do keep in mind that at least there was a military tribunal before sentence was passed. In the case of these drone operators, they are being punished even before being tried.

How should you go about protecting yourself from such outrages? Flee to Moscow, as Edward Snowden has done? That might work out, but I suspect that it is not congenial to everyone.

I suggest that if you are concerned about violent crime, including terrorism, including violent actions by your own government, you should buy guns, body armour, and other tools for self-defence, and learn how to use them. Then keep them, bear them, and as needed, use them. Be aware of your situation. Understand threats and know how to see them coming. Don't walk down the street, unarmed, staring into your smart phone. Do keep a phone with you (take out its battery if you think you might say something you don't want monitored) so you can summon additional assistance as needed.

Similarly, if you are wandering around the Internet, do so intelligently. Don't expose your IP address and other information if you can avoid it. Use a virtual privacy network. View the secure connection for every site that allows it. Don't browse web sites without safeguarding your web browser using NoScript and a good Ad Block Plus software. Use a security certificate patrol plug-in to examine the security certs your browser is presented with and avoid man-in-the-middle attacks. If a site presents many security certs, don't accept them. Don't trust secure connections unless you can be sure they are actually secure. Evaluate the digital signatures of the security certs you are presented.

There are a great many tools and techniques for privacy. One of the advisers of the Digital Cash Alliance, Jim Davidson, has been teaching a comprehensive class in some of these privacy tools through the Individual Sovereign University. Another of our advisers, Paul Rosenberg, built the Cryptohippie VPN service. And our most recent adviser, Bruno Delpeuc'h (one says "dell puck") has been working with Digital Cash Alliance founder Kevin Wilkerson to build ElanVPN, to provide virtual private network services integrated with audio-video VoIP, Tor, and other features. ElanVPN is building a system to interface encrypted VoIP with international direct dialing through their IndieGoGo campaign.

Finally, if you are concerned that you may have your economic privacy attacked, as the whistleblowing drone operators have had, then you should use a secure system for digital cash. We recommend the SVSpark and Digital Cash Spark wallet systems. They offer end-to-end encrypted chat, secure conference rooms, and XMPP-based data flow. They keep no records of your transactions, all of which occur in the wallet - where you are free to keep receipts or not have them stored.

Yes, it is a frightening world out there. There are crazy people in charge of major governments who believe that they should enslave you, saddle you, and ride you, while whipping you mercilessly. But you don't have to put up with it.

Choose freedom. Choose digital cash. Choose digital privacy. You'll be glad you did.

Your Wireless Router

Tyrone Monday March 2, 2015

You should think very carefully before setting up a wireless router. Yes, I'm well aware that you have a lot of devices which use wireless routers to communicate with the Internet. So, you want to have great connectivity, at home, at your office, all the time. Go ahead and set up that router, but do so thoughtfully, and do not leave the default username and password settings as they are from the factory.

What you do not want is to have your private information escape from your control. And, criminal hackers do want that private info.

So, you should never, ever click on any link that is sent to you in e-mail by an unknown person. You should probably use AdBlocker and other software to limit how many links you see on browsing the web. You should not click on everything you see on the web, either. If you cannot see the destination URL, or if it looks strange, or if it looks like it would take you somewhere unrelated to the graphic or text of the link, don't click on it. Perhaps copy it to your clipboard and paste it into a search window to see what you can find out about it.

But, you may not be the only person in your home. Guests, children, people across the way, and in an office situation any number of people, vendors, customers, interns, or visitors may be using your wireless router to connect their devices to the Internet. Tell them all you want about not clicking on links they get in e-mail, or weird links on the web, and they will still click. Either they are oblivious to the dangers, or they don't care, or the allure of the graphic or text of the link is so great they cannot resist.

Ok, so what happens if one of these links gets clicked? In a recent situation reported at Krebs on Security, the destination page executes some scripts that hack the wireless routers available to the device (laptop, tablet, cell phone) reaching the site from the clicked link. Those scripts use the known factory default settings for username and password to force the wireless router to set the criminal hackers in charge of domain name service (DNS).

They use their DNS server for secure links to sites they know would ask for your credit card info or other private data. The criminals know enough to set Google's DNS server to feed your device all other traffic, so you don't become suspicious, or report your troubles to a competent computer tech.

Using their DNS server and their web servers, the criminal hackers send your secure traffic not to the actual sites you want to buy from, but to look-alike sites which then harvest all the credit card or other data. And then you get a huge credit card bill, and your howls of lament are heard all over your neighbourhood.

In my essay "Central Security" you'll find a number of tips about ways to disable scripts, block ads, and protect yourself from cookies and other stuff used to compromise your privacy. Obviously, if you are blocking scripts, and only allowing those scripts from sites and services you trust, you are doing what you can to limit even the bad results that obtain if you click on a link sent to you in e-mail by an unknown person.

But, if your wireless router is open to other users, you cannot prevent them from leaving their web browser open to running scripts. And you cannot really prevent them from clicking on links, either. So, although the attack in question seems to have originated in and been isolated to Brazil, there is no reason to suppose it won't show up elsewhere.

That should mean, to the very careful user, that hotels and restaurants with open or easy-to-access (just ask your waiter or the front desk clerk for the info) wireless routers may become vulnerable. If you are tech-in-charge of such a site, you should safeguard the router by changing the default access username and password, of course. And don't privilege the random usernames that you'll be giving out to customers. But if you aren't the tech in charge, you should be very careful about trusting open wireless networks.

The privacy you protect may be your own.

Central Security

Tyrone Thursday February 19, 2015

Security cameras

Numquam ponenda est pluralitas sine necessitate.
(Plurality must never be posited without necessity.)
~ William of Ockham, ''Quaestiones et decisiones in
quattuor libros Sententiarum Petri Lombardi'', 1323

Every few weeks, I encounter a site or server security “warning.” You've probably come across one or more of these in your work with secure web sites, secure mail servers, and other security apps. What you may not know is that the entire concept of security certificates is very badly implemented. Security certificates are supposedly issued by trusted “security authorities.” But, what do you actually know about these authorities? If your web browser automatically trusts every security certificate it is presented with, are you actually secure?

Invalid security cert warning

For example, earlier today, I learned from my e-mail client that the server for one of my e-mail clients has updated its security certificate. Because the people I work with are technically adept, and in several cases technically superlative in ways that language doesn't justly describe, they tend to know all about the weaknesses in the security certificate architecture, disregard them, and issue their own certificates (also known as “certs”). So, my e-mail client presented this disturbing information:

You are about to override how Icedove identifies this site.
Legitimate banks, stores, and other public sites will not ask you to do this.
This site attempts to identify itself with invalid information.
Unknown identity.
Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.

You can see where I was unable to stop laughing. Legitimate banks?! What on Earth could that mean? A bank is a group of thieves who have a licence from a government to engage in theft on a wholesale, and sometimes also on a retail basis. Unless it is the bank of a river, there is no such thing as a legitimate bank.

Security Certs

You may not be aware of it, but your web browser is probably lying to you. You see, your browser takes you to “secure” sites which have a signed security certificate. But, signed by whom? Why, signed by a trusted authority. So, when your browser displays that little padlock, and shows you the web address with a preceding https, does that mean that you are actually secure?

No, it means nothing of the sort. What it means is, your web browser trusts a signed certificate because it was signed by some supposed authority. So the site you visit is on a server which has a signed security certificate. If you don't know who wrote the site, and you don't know who wrote your browser software, and if your browser software isn't open source, and if you don't know who signed the security certificate, how do you know your private information is actually secure?

You don't. And that may be a really big problem, because trusting a signed certificate, trusting a web site operator, with your credit card numbers, bank account information, or identification details like your date of birth may be a financial problem for you. You may end up seeing your credit card used by a scammer, your identity stolen, your bank account emptied.

These situations might be both costly and time consuming. Even if you don't provide them with funds, web sites that collect your birth date and health information, such as those operated by your doctor or your health insurance provider, may not be secure.

What is wrong with the model currently used to “secure” web pages and apps? The basic problem was stated hundreds of years ago by William of Ockham. John Punch, in the 1600s, said “Don't multiply entities unnecessarily.” So, if you don't know someone, why should you trust a piece of plastic with their name, date of birth, photograph, and other information, provided to you by a government agency? You don't know any of the people at that government agency, do you? You have no idea who they are, nor why they issued this particular identity document.

Similarly, if you don't trust the web site you visit, why should you trust the certificate signed by a certificate authority? How have you narrowed the scope of your trust? Do you actually know anyone at a so-called trusted certificate authority? And if the security certificate is signed by the web site operators themselves, how is that any better, or any worse, than if it is signed by some mysterious certificate signing authority?

Trusted Authorities

There are only a handful of root signing certificate providers. Why is that? Well, fundamentally, it is because governments don't trust people with the ability to encrypt, nor to use cryptographic algorithms to sign anything. In order to be a root signing certificate provider, very large companies got involved very early in the process.

Therefore the process of becoming a root signing certificate provider is centralised. The small number of participants makes it a very lucrative cartel.

How lucrative? So very lucrative that I cannot tell you what it would cost your organisation to purchase the ability to sign certificates from one of these root signing certificate providers. They will “evaluate” your enterprise and take whatever they can get away with taking for the privilege of providing you with this ability.

Each certificate provider has different requirements for trusted root signing certificates. Most will require something similar to the following:

  • Identities of all the people working on software systems for the company.
  • Substantial net worth for the company, or the individual developer.
  • Proof of insurance against liability, to a high value.</P>
  • A certification practice statement outlining the company's exact policies on issuing and managing certificates.
  • A FIPS 140-2 Level 2 compliant device to generate and manage your root certificate keys.

Obviously, a system with such features is fraught with peril for the individual software developer, especially anyone who wants to develop software that challenges the system in significant ways.

There are, of course, various alternatives. GeoTrust offers a “trusted root signing certificate” capability for various price points from $99 to $499. Of course, then you have to wonder how widely your signed certs are going to be trusted, and that depends on browser and app developers over whom you have no control.

Self-signed Certs

Another alternative is the self-signed certificate. Organisations can generate their own certificate authority, sign their own security certificates, and deal with the fact that browsers and apps are going to throw up warnings about untrusted certificates. Or, to be candid, your browser is going to lie to you about the danger and tell you not to trust something that doesn't have the approval of a member of the cartel.


Of course, there are opportunities in any situation where a handful of giant corporations corruptly allocate worldwide security certificate authority, as seems to be the case. The same kind of thinking that has been applied to finance by Bitcoin and to domain name registration by Namecoin can certainly be applied to security certs.

To give you a sense of how centralised the market is, consider this W3Techs survey from February 2015.

Issuer Comodo might differ in the exact figures.

RankIssuerMarket Share
2.Symantec Group33.2%
3.Go Daddy Group13.2%

On 18 November 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let's Encrypt a new nonprofit certificate authority that plans to provide free SSL certificates, as well as software to enable installation and maintenance of certificates.

Kaspersky Labs says that about 6,000 security certs signed by “untrusted authorities” were identified by them in 2014. They also note about 110,000 certs signed by what they regard as more trusted authorities. Their concern seems to be that malicious software (mal-ware) may be lurking at some sites with self-signed or “untrusted” authority-signed certs. Their “answer” is to only use software and only trust the big giant conglomerates.

Of course, sites with “acceptable” security certificates may be taken over by criminal hackers without your knowledge. Mal-ware may be compiled at companies which aren't careful with their security protocols and thereby get signed by a “trusted” company. Or private keys may be stolen and used to sign certs.

So, it is a very dismal situation out there. And, of course, because giant conglomerates are often government contractors, and almost invariably fear the things a government can do to them, there is no way for you to know if the security cert your browsers and apps automatically trust has not been replaced by direction of a government authority. Some of the ins and outs of that possibility are described in this interesting Riseup article.

Protecting Yourself

Given these many concerns, you should probably implement Cert Patrol or something similar. What is Cert Patrol? It is an add-on for Mozilla's Firefox web browser. Similar products are available for other browsers. The function it performs is to look at the certificates that come into your browser, notice when one is changed, and alert you to this fact. In the case of Cert Patrol in particular, it also indicates what is interesting, routine, or very dangerous about the nature of the changed cert. So, you have some help in evaluating whether or not to accept a new cert.

For my own part, I don't trust certs issued by certain organisations, notably Facebook and Microsoft. So, I will routinely reject those certs. You are free to pick and choose which certs to accept, reject, or monitor, of course.

Other ways to protect yourself that you may find interesting: You can ask for the secure web site every time by using https everywhere. As you can see from the link, it is a product of the Electronic Frontier Foundation, a group of people dedicated to freedom on the electronic/info-tech frontier. You should prefer the encrypted web site available with https because you want your browsing and your online activities to be encrypted whenever possible. Or, you should, if you value your privacy. Many sites offer both http and https versions of the same content, so why not grab the encrypted version?

AdBlock Plus can help you enjoy your browsing experience while blocking access to your private information. AdBlock is an open source add-on for various browsers. Because it is open source, you can find out all about what each line of code in the programme does. You might find it helpful to block ads that urge you to install software, especially if other people use your computer. Anything you, or one of your friends, installs on your computer can do various things to share your private data. AdBlock has a white listing policy which may be helpful to sites you like that rely on advertisers to pay for their site content.

Better Privacy is another add-on you might like. It can help you monitor and remove local stored objects (LSOs), a particularly powerful type of “cookie” that some sites may want to place on your computer. LSOs never expire, so you have to know to delete them, unless you have a utility like Better Privacy to do it for you.

LSOs use 100 kilobytes of storage compared to most cookies which are limited to 4 Kb. Many browsers cannot display nor manage LSOs. Worse, they can use Flash to send information from your computer, including personal, technical, and browser-history information to a server elsewhere on the web. So, they leak your information without your knowledge. They are far from harmless.

Finally, there is open source. Open source software is not only for people who know how to read software code, it is for everyone. Because software coders are a large and growing community, and because they communicate rapidly, effectively, and frequently, anything that can be known about a software package is going to be known very widely. In the case of open source software, what can be known is everything. And, frankly, what you want to know about the software you install and use is: everything. Since you cannot take the time to know everything about all the possible software in the world, you are better off if you can rely on the open source community to help you.


Tyrone Monday October 27, 2014


by Tyrone Johnson

Special to The Libertarian Enterprise reprinted from their site with permission.

What are rights? Where do they come from? There are a few schools of thought about this idea. One view, and the one to which I subscribe, says that rights are intrinsic to human beings by their very nature. In this view, phrases like "unalienable rights" refer to the fact that human rights are part of humanity. Someone can prevent your exercise of your rights through some unjust procedure, but the rights remain your rights.

Another school of thought about rights is the view that rights come from God. It was this view which the author of the Declaration of Independence of the United States, together with the continental congress that reviewed and approved his text, indicated when that document presented these ideas: "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness." To the extent that a great many people believe that human nature is created by God, this idea is very similar.

Yet another school of thought takes the position that rights come from government, especially from government documents such as the United Nations Universaal Declaration of Human Rights http://www.un.org/en/documents/udhr/ or the Bill of Rights to the United States constitution. Under this view, rights are granted by those in positions of power. Naturally, the government which grants rights can take them away. So, under this view, rights are not intrinsic. They are contained in a social order and are, presumably, purchased by the citizen in exchange for, say, tax payments, loyalty, and submissive behaviour.

There are, of course, other schools of thought. It is sometimes said of the Nazi Party that their official position was to free mankind "from freedom." Presumably they would have viewed rights as imaginary or non-existent. There seem to be a great number of people who think that governments and social collectives should have unlimited power and that individuals have no intrinsic rights. These people seem to be most content when people are most subjugated. As a result, they seem to be enthusiastic about the killing of anyone who disagrees with them.

With all these different points of view, there is endless confusion and misunderstanding. One of the people I admire with particular respect to gun rights is John Ross. His 1996 book _Unintended Consequences_ does an excellent job of pointing out the importance of individual liberty in a great many different ways. One of the things he wrote struck a particular chord with me: "Our great economic power comes from the fact that Americans determine their own economic destiny. It is time we let Americans once again determine their own physical destiny."

That passage appears on page 490 of the hard cover edition. It is part of a little made-up speech that Henry Bowman gives to indicate what George HW Bush might have said, as late as October 1992, if he wanted to gain about six million more votes in that year's presidential election. And, if you give him a bit of a break about the idea that Americans actually determine their own economic destiny, since it is meant to be what a politician would say, you get the idea. In fact, of course, as the Federal Reserve of Dallas has indicated in great detail, more than half of the financial assets of the United States are held by just five banking enterprises which, in my opinion, constitute a cartel operating in restraint of trade. They have enough political power, though, that you won't ever hear anyone in a position of power say anything about this cartel's wrongdoings.

Even so, one wants the governments of the world to get out of the way of people determining their own physical destiny. Having tools for self-defence would reduce crime and make dictatorship much more difficult to achieve. Guns, ammo, sound suppressors, and rocket propelled grenades represent some of the basic tools that are extremely effective at establishing the individual's self-determination. Naturally, governments around the world mandate that some or all of these items are limited to only those in government, with few exceptions.

Ross, however, on that very same page, makes a pretty big blunder. He writes, again in Henry Bowman's voice, indicating what kind of speech Bush might have made to save his re-election bid, "The Bill of Rights _enumerates_ human rights, it does not _grant_ them." The emphasis of "enumerates" and "grant" are in the original.

Strange, though, because in the Ninth Amendment of that bill of rights, the document says, "The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people." In other words, the constitution and bill of rights do not enumerate all human rights. However, it is meant to guarantee those rights. In other words, while the listing of rights is significant, it is not comprehensive. Important rights are mentioned in the other amendments, and in the body of the constitution, but these are not meant to be an enumeration of all rights. There are a great many non-enumerated rights.

Think I'm mistaken about the body of the constitution? Consider this passage from Article 6 of the body of the constitution: "no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States." The Moral Majority ought to put that in their pipes, and smoke it.

Further down the same page, Ross points out, "There is a name for a society where only the police have guns. It is called a police state." Now, a great many people seem to think otherwise. I've met many people from Britain who argue, often very shrilly, that they don't live in a police state. They admit to being disarmed, to being monitored by cameras in all major cities, to being subjugated to the extent that they are subjects of Her Majesty, but they insist that their common law and traditions prevent the police from being all-powerful. Perhaps they are content to ignore the protesters brutalised by the police.

Some people roll out the old and by now very tired theory that denying guns to the people generally is meant to deny guns to criminals. Of course, the people who break laws are quite content to break gun laws. They are also quite content to use bats, clubs, knives, and other things to commit murder, when guns aren't available to them. So, in practice, what is found is that denying gun ownership to people generally only insures that law-abiding people are denied guns. Somehow, disarming the law-abiding seems unlikely to produce a reduction in crime.

From a practical point of view, gun ownership by the population generally is a deterrent to crime. Endless statistics illustrate this point. States where concealed carry has been made legal have seen dramatic reductions in crime, especially violent crime. Rape and murder are significantly reduced where people might be able to pull out guns to defend themselves, or to defend others. There are not any states where the other result has been produced, where reductions to the limits on who may carry has produced more crime. Rather, in every single case, without exception, making it easier for people to keep and bear arms has made crime rates drop.

Now, is that very important? Since I believe that all rights are intrinsic, whether they are listed in a government document, whether they are enumerated in a constitution, whether they are mentioned in Holy Scripture, it doesn't matter to my view of rights whether rights are also practical. I believe that I have the right to keep and bear arms without regard to how that right impacts crime. It happens to be the case that the rights I have are also very, very practical.

You have a right to speak, to assemble with other people, and to do so at any place, at any time, without restriction, for any purpose, and so do I. I have that right whether or not the people in a city government believe they can require me to have a parade permit, a meeting permit, or pay a fee for these things. After all, the same people in government seem to think it is okay to impose a poll tax on voters, and we've seen again and again that even the hint of such a fee for voting has been ruled unconstitutional. One of the recent rulings of a federal court indicates that requiring voters to produce government-issued identity papers is a poll tax, since there is a fee for obtaining those identity papers. Not that, as an anarchist, I believe voting is ever going to accomplish anything: no matter who you vote for, the system wins. But I am definitely against poll taxes, literacy tests, and parade permits, just as I am against marriage licences and institutional racism.

You have the right to keep and bear arms, and the constitution says it shall not be infringed. Now, to me, that means it cannot be taxed, either. Like taxes on newspapers, which have been ruled a violation of the First Amendment, taxes on guns are clearly an infringement and a violation of the Second. Now, as an anarchist, I don't actually believe that a constitution protects rights. And, indeed, considerable evidence has accumulated to show that constitutionally guarantees mean very little. If you mean to be free, you should never allow anyone to disarm you. Being disarmed brings you considerable harm because you are the best person to defend your freedom, your life, and your property.

You have a right to privacy, to being safe in your person, papers, and home from all searches, including unreasonable ones. You have a right to remain silent, to refuse to testify against yourself. You have a right to be safe from torture, from cruel and unusual punishments, and you have a large number of rights related to being accused of a crime. Of course, you cannot possibly expect to keep these rights if you won't use tools for defending yourself, including tools for defending your privacy.

For example, you should definitely get and learn to use an e-mail encryption system. The global standard is Open PGP or "Pretty Good Privacy," first developed by Phil Zimmerman. https://en.wikipedia.org/wiki/Phil_Zimmerman I've used PGP since it was a DOS-only command line application, meaning that you had to know a long string of commands and arguments in order to encrypt or decrypt anything. Today, I use Enigmail as a plugin for Thunderbird. There are also plugins for webmail that work with Firefox web browser, and there are plugins for some other e-mail clients besides Thunderbird. The point, of course, is that if you don't encrypt, you have no control over who can read your e-mail messages. Open PGP is an open source protocol and an open source application. Enigmail is open source. Thunderbird is open source.

Similarly, for chat, I recommend Jabber and XMPP using a client like Spark, which can accept the SilentVault plugin. SilentVault Spark allows individuals and groups to chat using "off the record" or OTR as a protocol. Again, these are open source software applications and protocols. You should really take some time and look into them.

Why? You should look into open source software because you don't want to have to trust Microsoft and other government contractors with your freedom and privacy. You might want to look at who sells what to the government, or at least look at whether the people who are selling you software are also working for government agencies. You definitely want to know what the software on your computer is doing.

Similarly, you want to know what a web page is doing, so consider a plug-in like "No Scripts" and something like Certicate Patrol. You want to validate whether the secure site you are using is secure, or being mimicked with a man-in-the-middle attack, and Cert Patrol can help in that area. No Scripts can let you limit what web pages run which scripts. Other software can help you eliminate the storage of long-term cookies that eliminate your privacy on some web sites. Further to this point, you should seriously consider editing the about:config for your browser. Simply go to the location window (where web addresses are shown) and type about:config to get started. You should probably turn off geo-location, for example, so your browser does not scream your GPS coordinates to every web site you visit.

Do all these steps sound like a great deal of work, not to mention technical jargon? You bet. But, it is your privacy, isn't it? If it isn't your personal responsibility to learn how to protect your privacy, whose responsibility is it? If you know someone who is a good technical expert about computers, you can definitely ask for help. Similarly, when you were first learning to shoot a gun, you had some more experienced person, or people, to help guide you. If you went to a gun range of any sort, there was probably a person in charge of range safety who would, at least, help you avoid major blunders and unsafe actions.

Since rights are intrinsic, they are your responsibility. I am willing to help you defend your rights. Given the opportunity to use my technical or shooting skills to defend someone who is being attacked or investigated by someone else, I will do what I think is the right thing to do. But you ought not to rely on me, nor on anyone else. I'm not always going to be available to help you. So, please take charge of your own destiny.

You'll be glad you did.

Tyrone Johnson is SilentVault's lead for marketing and business development. He has experience in business operations in Europe, Africa, Asia, and North America. Johnson has a classical education in the arts and sciences and a graduate degree in business. He has worked in mainstream banking, alternative currencies, technology development, and management consulting. The company he works for recently released a cryptographically secure wallet which silences the bitcoin blockchain at https://SilentVault.com/

Security Certificates

Tyrone Thursday July 10, 2014

When you visit a web site that is using transport layer security (TLS), or the older secure sockets layer (SSL), the web server should present a security certificate to your browser. You might be familiar with the way the web address for "secure" web sites appears in your browser's location window with https:// instead of simply http:// as the beginning part of the location. That "s" represents "secure."

But, how secure is it? And, given that you are not a trusting soul, who are you trusting with this security? It should make a difference to you, since you will see that "https" invoked on the web pages where you are asked for information such as your credit card or log-in particulars. Given that you don't trust the web page without seeing its security certificate, how do you know you can trust it *after* seeing the certificate?

Or, put another way, are you simply multiplying entities without any reason to do so? William of Ockham, a scholastic philosopher in Fourteenth Century England, argued that a solution that has fewer assumptions is more likely to be correct than one that has more assumptions. If you don't know who made the web site well enough to trust them, but you trust the people who issued them a security certificate, even though you don't know those people, either, you are not any better off. You might be worse off, since you might be trusting more people you have no information about.

Your browser probably has a "root certificate list" referenced somewhere in its code. So, when your browser goes to a web site that is preceded by https, it queries that site's server for the security certificate. It then attempts to establish whether that certificate is signed by a certificate authority found in the browser's root certificate list.

Unfortunately, having a security certificate signed by an official certificate authority presents a certain amount of risk. In particular, people in government may demand that the certificate authority supply them with another apparently valid site certificate. They would then be able to use this certificate to carry out a man-in-the-middle attack in order to capture all the traffic to that site, without detection either by the visitors or even the site itself.

There are various other reasons to be sceptical of the security of transport layer security web sites. They use a level of encryption that has been broken by the NSA, according to documents released by Edward Snowden. But, given that the transport layer security in place is better than nothing, what can we do to protect ourselves from the man-in-the-middle attack by (evidently untrustworthy) government agencies? The answer is to use a self-signed site certificate, which we at SilentVault.com are doing.

Your web browser won't warn you against visiting our site because we did opt for a certificate authority issued site certificate. On other sites which do use self-signed certificates, you can work your way past those warning screens. As you do so, you should check the site certificate and record the key fingerprint for the site. When you visit the site in the future, check the page info (in Firefox, under the Tools menu) and the security tab should reveal the key fingerprint.

For SilentVault.com, we opted to use a certificate issued by GoDaddy.com to avoid all the warning screens that make many people nervous. Although we don't agree with the warning screens, we are trying to make a service that appeals to enough people in the world to make a profit for our company. Even so, you may want to look at the security certificate from time to time to verify that it remains the same certificate.

For our site certificate, the SHA1 Fingerprint is CB:E6:B4:CD:B9:FD:7C:88:B0:08:96:2E:BB:0A:1F:AB:F9:BD:2F:2C

The MD5 fingerprint for our site is: 60:51:83:E1:E0:77:33:3F:3A:3A:B4:EC:0E:CF:7B:94

You should also be aware that the SilentVault.com site itself is not involved in actual transfers from one wallet to another. Payments are made using the Voucher-Safe network, which has its own security features.

If you find the process of tracking fingerprints for secure sites to be bothersome, there are plugin extensions for web browsers which automate this task for you. Certificate Patrol at http://patrol.psyced.org/ is an example. A plugin such as CertificatePatrol will warn you even when a CA-signed "official" certificate changes, which makes possible the detection of a man in the middle (MITM) attack by government or anyone else.

Another useful plugin is HTTPS Everywhere, from the Electronic Frontier Foundation:


This plugin automatically substitutes https for http for numerous popular sites.

Now, having reviewed the issue of whether you are more or less secure trusting a certificate authority that has issued a site certificate for a site that you aren't sure you trust, you might apply this same reasoning to people you don't know whether to trust and the driver licensing authority for your region. If you don't know the person with whom you are dealing, are you trusting more or fewer persons if you ask to see their government-issued identity papers? Obviously, you would be trusting more persons. Worse, the people you are trusting to issue a valid government ID are almost certainly completely unknown to you. So, instead of trusting a complete stranger standing in front of you, because you see his or her ID, you are trusting a set of complete strangers you aren't anywhere near.

The point of that particular analogy is that the government isn't making your world safer and more secure by issuing identity papers to everyone. Back in the 1940s, when a character in a film would say "papers please" many audiences would boo loudly to indicate their displeasure. After all, it was the very large capital letter "J" on German identity papers of the 1930s and 1940s that led a great many individuals to be sent to death camps. The identity system is not serving your best interests. You should be wary of it.

Your IP Address

Tyrone Tuesday June 24, 2014

One of the key aspects of browsing the Internet is the Internet Protocol number, or IP address. In your use of the Internet, you are assigned by your Internet service provider an IP address, which is a number that represents the computer or workstation or mobile device that you are using. That number shows up in the e-mails you send, the web page requests you send, and in other ways. So, it can be very important.

Understanding your IP address is a first step in safeguarding your privacy, just as understanding encryption. You should also make yourself aware of methods for masking, obscuring, or changing your IP address through the use of proxy servers, the onion router (TOR), and virtual privacy networks (VPNs).

The current standard for an IP address is sometimes called a "dotted quad." It is four numbers, each between zero and 255, separated by dots or periods. For example, an IP address might look like this one: or like this one However, quite a few addresses in the 32-bit space defined by this system are reserved, so there are quite a lot fewer than the roughly 4.3 billion addresses implied in the figure two raised to the power 32. About 18 million addresses are reserved for private networks and about 270 million addresses are reserved for multicast network services (such as Ethernet multicast). There are therefore about four billion addresses available to general users. You may have difficulty imagining the world in 1981, when the current standard was established in its present form.

Even so, there are increasing difficulties with the current standard, called IP version 4 or just IPv4. It has been seen since at least 1995 that a new system would be needed. The new system uses a larger character set, called hexa-decimal. It also uses eight groups of four numbers, separated by colons. The hexadecimal character set is sixteen characters, the numbers from zero to nine plus the letters from A to F. Programmers will be familiar with the hexadecimal character set, including its use in defining colours in the RGB (red-green-blue) scheme. Non-programmers may be less familiar with it, but will be glad to know that in replacing IPv4, the new system, IP version 6 or just IPv6 has a much bigger address space.

Here is a typical IPv6 address: 2001:0db8:85f3:0042:1000:8a2e:0370:7334 Notice that it includes letters, it includes numbers, there are eight groups in the system, and the groups (each of four characters) are separated by colons. Because there are more characters in hexadecimal compared to the numerals from zero to 255, because there are four characters in each group, and because there are eight groups, the total address space is the figure two raised to the power 128.

In scientific notation that number is 3.4 times ten to the power 38. In the United States, the number ten to the power 9 is a billion, ten to the power 12 is a trillion, ten to the power 15 is quadrillion, ten to the power 18 is a quintillion, and so forth. That system of naming gives ten to the power 33 the name "one decillion" and the number ten to the power 36 "one undecillion" or "eleven -illion" if you would. Therefore ten to the power 38 is one hundred undecillion.

You can simply think of it as a really big number, written out with 38 zeroes. Another way of looking at this really big number is to compare it to other big values, such as the number of atoms on the surface of the Earth. In the IPv6 system, there would be about 40,000 addresses for every atom on Earth. So, it should be good for a few years of continued exponential growth of Internet traffic.

The use of your IP address in e-mail is embedded in message "headers" which are not normally viewed. Most web-mail programs and nearly all e-mail client programs will typically trim the headers to the ones you really care about, such as To:, From:, Subject:, and Date:, and CC:. In order to function, the e-mail client you use has to include a number of other headers. These may be viewed in some e-mail programs using "view..full headers" or a similar command.

Here is the content of an e-mail header called "Received," one of three such headers of that same name in a message I received. It says, "from blu002.domainA.com ( by smtp.domainB.com with ESMTPS (AES128-SHA encrypted); 21 May 2014 04:01:18 -0000" which tells us that a server at domainA with an IP address sent a message to the "send mail transfer protocol" or smtp server at domainB using a standard electronic-send-mail transfer protocol system, including a certain amount of encryption, at a given date. In other words, where the message came from can be traced back. A check of the logs at domainA will give further information about which client computer sent the message, and a look at the data kept by the Internet service provider can tell the physical location of the computer that sent the original message. Which means, whether you are using web-mail or an e-mail client, a determined person can figure out where your computer is located.

That's not really good news for your privacy. Similarly, when your computer sends out a request for a web page to a web server it has to tell that web server where to send the images and text of the relevant web page that is being requested. Your computer does that using the IP address assigned to your computer by your Internet service provider. So, whoever is sending your computer information, whether by e-mail or by web, can know quite a bit about your computer and, thus, you.

Your IP address was assigned to a regional authority by the Internet Assigned Numbers Authority or IANA. The five regional internet registries allocate blocks of IP addresses to local Internet service providers (ISPs) and other entities. That means that the number your computer has been assigned probably has a regional, as well as a local, association. Your geography can be tracked, along with what ISP you are using, to give web site owners a good sense of where you are and what kind of income you have.

But, it gets worse. You are probably aware that web sites store information on your computer called "cookies." These can be useful for identifying your computer as one that is "authorized" or at least familiar when you log into a site. If the computer logging into your account has never done so before, there is a greater chance that it is not being used by you, but by some person posing as you. So, many sites will pose security questions when that happens. How do they know? The web site looks for a cookie or other data stored on your computer by the site when you access it. And a whole lot of information may be stored in that cookie.

And, it continues to get worse. You may have been attracted to web sites called "social media" outlets. As far back as the early 21st Century there were sites like MySpace. More recently, Facebook has been a dominant site in this area, along with Twitter, LinkedIn, and others. These are a sort of "attractive nuisance" or "honey pot" which encourages you to post information about yourself, about your current activities, about your likes and dislikes. A huge amount of information about who you are and what you would like to buy on your next shopping trip are now available to advertisers, and the best part for Facebook is, you probably told them all these facts about you for free. In the old days, marketing professionals spent millions of dollars a year on studies to survey users, find out their preferences, and comb through the data they had accumulated to perform statistical analyses and figure out what to sell, in what range of colours, and at what prices. Today, much of that information is bought out of social media sites, often without your knowledge.

Not, of course, without your consent, because you are given a copy of Facebook's privacy policy, user agreement, and so forth, when you start an account there. There was definitely a link to that information available to you on signing up, and it is still there every time you log into your account. And you read all that stuff, right? And your lawyers reviewed these agreements, so you entered into them knowingly, right? Of course not. Nobody reads that stuff, and it is silly to imagine that you have given meaningful consent to what is in those agreements. But it is "good enough" consent for Facebook to sell a whole bunch of information, and to sell the right to put advertisements in front of you, to various folks who market things. Worse, and, yes, it does continue to get worse, the information you give to Facebook is almost certainly being sold to various government agencies in various countries, including defence, intelligence, and tax agencies. Doesn't that make you nervous?

In other words, when you visit web sites, when you send e-mail, and when you use social media, you are providing a huge amount of information on you. You are sending your private information out into the world, and you have utterly no control over who uses that information.

Yes, it continues to get worse. If you are in certain countries, such as the People's Republic of China, the information you receive may be monitored and censored before it reaches you. You may not have direct access to certain web sites. You may not have any access to some sites. And, some web sites will discriminate on what information they send you based on your IP address and what they think that means. That can be simple, from changing the language the site is shown in, to complex, changing actual content and keeping you from seeing some news and information.

Feeling uncomfortable? There is good news. The good news is that you can hide some of your information, if you are careful.

In our first overview piece on encryption, we encouraged you to get and use encryption. It turns out that only about a third of users who encounter encryption tools are able to figure them out in 90 minutes or less. (A link on that topic here: http://www.cs.berkeley.edu/~tygar/papers/Why_Johnny_Cant_Encrypt/OReilly.pdf ) So, we aren't saying that guarding your privacy is easy, nor user-friendly. But we are saying that it can be done.

Similarly, you can hide your location information by using a different IP address. That can be helpful to you, and it can cause a number of odd things to happen. You can change your IP address using a proxy server, the onion router (TOR), or using a virtual privacy network. For a great many reasons, the best approach is to use a virtual privacy network or VPN.

A proxy server is a server, typically a web server, that you access which then does the work of asking for web pages. If you want to experience the world as if you were living in Israel, there are proxy servers in Israel that you can access. They will request web pages for you, so that the web server thinks it is sending a page to a client in Israel.

That means that, for example, Google, if it has a separate approach to serving Israeli customers, will show up with a "Google Israel" logo on your screen. Kinda cool. Google definitely does that for Germany, France, and other places, and it will default to using the languages for those countries. So if you only speak and read English, you might find the results confusing. That's ok, though, because Google offers translation services, so that wherever you are accessing their sites from, the results show up in your preferred language. Google is one of those sites that keeps cookies on your computer, and will guess which language you are most comfortable using. Sites like translate.google.com (among a great many others) also allow you to translate foreign language web sites, but that can be more confusing than helpful unless you are very familiar with the way translation sites generate their output - and not all translations are "idiomatic" in the languages involved. So you might come away with some very wrong ideas, fair warning.

Proxy servers are inherently limited, though, to the server you choose. If you choose to use a server as a proxy that happens to be run by some party that wants to gather information on their users, such as an espionage agency, you are compromised by using that particular proxy. Proxy servers come and go, and some offer more anonymity than others. But, whatever proxy server you use, you are trusting that particular server's operator to be doing "the right thing." That might not be a safe bet.

The onion router or TOR is a different beast. TOR client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. "Onion routing" refers to the layered nature of the encryption service: The original data are encrypted and re-encrypted multiple times, then sent through successive TOR relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and ultimately the destination. This approach should reduce the danger of the original data being unscrambled or understood in transit.

Unfortunately, there are a bunch of problems with TOR. Probably the most difficult problem is that the exit node, where the onion routing ends and the node communicates with a particular server that is generating actual content, has a lot of information. Any exit node has access to all the information sent to it by unsecured applications. So, if the web site you are accessing is not using Secure Sockets Layer or Transport Layer Security, the information being passed to that site, such as log-in information, would be compromised to whoever is operating the exit node. It turns out that there are good reasons to think that some big players, including possibly intelligence agencies of various governments, are operating exit nodes and gathering data. Beyond exit node eavesdropping, there are quite a few other identifiable weaknesses to TOR, such as Autonomous System eavesdropping, traffic-analysis attack, TOR exit node block, bad apple attack, IP address leak through the use of certain TOR protocols, a sniper attack, and a weakness associated with the Heartbleed bug.

Among other concerns that come to mind, TOR is endorsed as the best possible methodology for Internet privacy by the USA's National Security Agency. And as Edward Snowden has proved, those people cannot be trusted.

So we come to the Virtual Privacy Network. You'll find that a VPN works very differently in that you use its software to connect to the Internet for your entire system. In other words, it is not separate for your web browser, as a proxy server would be. Everything you do with the Internet goes from your Internet service provider to the VPN provider. Everything on that channel or path is encrypted. So you are much less likely to have things compromised. You don't have a network of TOR nodes to trust, and you don't have to wonder about the exit node provider. You do, of course, have to choose a VPN provider with some care, but once that choice is made, everything you do on the Internet is much harder to track.

A VPN is created by establishing a virtual point-to-point connection through the use of a dedicated network of connections, virtual tunneling protocols, or traffic encryptions. To safeguard your private information, VPNs typically allow only authenticated remote access and make use of encryption techniques. Even if the VPN's traffic is examined at the packet level an attacker would only see encrypted data. VPNs use sender authentication to prevent unauthorised access, including by intermediaries. Message integrity is used to detect any tampering with transmitted messages.

For a great many reasons, an encrypted point-to-point connection or VPN is the most secure way to communicate privately. There are VPNs that make it very difficult to establish where the servers they host are located, so-called "location agnostic" servers. So, even if the information hosted on those servers is "banned" in some way that would be recognised by local authorities, it may be impossible to establish which jurisdiction is relevant to effect an actual seizure of those servers.

We have touched on a number of issues that are not necessarily obvious in your search for economic privacy. If you have been using a computer to browse the web, log into sites, and search on major search engines, it may only do you limited good to connect that computer to a VPN. The cookies and logged information about your computer may still expose your privacy. You might do better to start with a completely new computer, or completely re-install everything to your computer starting from a formatted hard drive. We'll get into more information about how web sites you visit collect data about your computer and how those sites store information on your computer in another posting on this blog.

Also for another day is the issue of connecting to the Internet using a mobile device. Wireless networking is very useful. It provides you with network access in all kinds of situations that used to be zones of information darkness. However, your mobile device may not be connecting to the Internet using a wireless connection to a router. It may also connect using your cell phone provider's network of towers. So, rather than having an IP address to uniquely identify your device, other information, such as the media access control (MAC) address for your device. In other words, your use of a VPN for "secure browsing" may be ineffective if you use a mobile device that isn't using a router that actually connects to your VPN. And, your mobile device (or, indeed, any computer workstation) may be identifiable by other information. We'll do our best to explain the how and why of computer privacy.

Is it easy to be free, private, autonomous, anonymous-when-you-wish, and independent? No, it is not easy. Is it possible? Yes, definitely. Is it worth the effort? Only you can establish the value of your privacy against the value of your time. We think it is very worthwhile.

"There's a difference between us. You think the people of this country exist to provide you with position. I think your position exists to provide those people with freedom. And I go to make sure that they have it. ... One day, you'll be a queen. And you must open your eyes. You tell your king that William Wallace will not be ruled... and nor will any Scot while I live." ~ "Braveheart," film, 1995


Tyrone Monday June 2, 2014

The first thing you should learn how to do in your programme to secure a future with greater economic privacy for yourself and those you care about is: encrypt.

Learn about encryption. Learn what it is, what it does, what it protects, and how well it does these things. Learn, also, what it isn't, what it cannot do, and what can be done to you to break or circumvent your encryption. Once you have some understanding of encryption as a concept and as a technology, go get some.

It turns out that the last step has become increasingly easy to implement. The "Enigmail" plug-in for Mozilla Thunderbird e-mail application is easy to use. It allows you to create your own encryption key-pair. You can set up your e-mail account in Thunderbird to encrypt by default, which means that it will bring up a screen asking you to identify the encryption keys you want to use, or select "do not encrypt," in those cases where you don't have an encryption key for one of your correspondents.

You correspond, for the most part, with people you care about, right? Otherwise, why bother? So, you really want to encourage those people to learn and use encryption, too. That way, the people you care about are doing useful things to secure their own future with greater economic privacy.

What Is Encryption?
Encryption is a technique for substituting "cipher-text" or seemingly-random characters for "clear text." In the old days, going back to ancient times, substitution codes were worked out manually. Some readers may remember "secret agent decoder rings" and other toys used in writing and reading codes. Today, substitution ciphers are not very secure. The secure forms of encryption all use mathematics to obtain better results.

Also in the old days, as recently as the Second World War, top secret codes were kept secret. The people transmitting the cipher text often did not know the code for what they were sending, they only knew the cipher text to be sent. Of course, as soon as spies obtained a copy of the enemy's code book, they were able to break the code. Even when secret codes were implemented by machines, such as the famous-among-code-geeks Enigma machine of the German military during WW2, the capture of the machine, or even just key parts of the machine, could make it possible to break the code. Secret codes turn out to be only as secure as the ability to keep the secret.

Today's best codes are published. Code writers or "cryptographers" to use the Latin word for the same concept are mostly mathematicians, mostly interested in very difficult mathematical problems like factoring very large numbers, and entirely dedicated to posting their results in public. Published results mean published critiques. Since the 1970s, publishing the source code of cryptographic techniques has resulted in exceptionally effective coding systems. All known mathematical "attacks" against a given code system are tried and the results published so that the effectiveness of a given coding system is well understood.

Public Key Cryptography
It has been known for many decades that if you take two very large prime numbers and multiply them together, that operation is simple and easy. The reverse operation, taking the product of two large prime numbers and factoring that number into the two relevant prime numbers, is not so easy to accomplish. As a result, prime numbers play an important role in what is called "public key cryptography."

Public key cryptography works by having a computer use random data available to it, such as the movements of a mouse or the intervals between keystrokes from a keyboard, and "generating" a pair of very large prime numbers. "Pretty Good Privacy" or PGP has been a widely used application of this technique since about 1991. It works with prime numbers as large as 4096 bits.

After your computer has generated a key pair, which is basically a pair of very large prime numbers, you will have a public key and a private key that are associated. The public key is used by anyone to encrypt messages to you. So, you can publish that key on a web site, on a key server, or simply send it around to your e-mail correspondents. You don't have to worry about it being compromised, because it isn't very useful without the private key.

Your private key is secured on your computer by a passphrase. You should choose a password that is long and complicated for best results. If you have difficulty remembering a long passphrase, you can build one from things you think about often, such as the names of sports teams, vital statistics, or events in your life. You should avoid using things that other people can learn about you, such as your birth date, the birthdays of people you are close to, and so forth. The private key of your key pair is used to decrypt messages that have been encrypted using the public key. That operation is possible if you have both the public and the private key, and very difficult if you don't.

Recently, Edward Snowden revealed that the National Security Agency has broken the encryption scheme used by secure web sites. That encryption typically uses 128-bit encryption keys, so it is probable, though not certain, that the NSA has not broken the 4096-bit encryption used by many PGP users. Even if they have, you are better off using encryption to secure your economic privacy from everyone other than the NSA.

Why Does It Matter?
Encryption is important for the same reason that you use envelopes when mailing letters rather than postcards. Yes, it is possible for someone to stop a piece of mail in transit and remove the letter without destroying the envelope, read it or copy it, and put it back in the envelope, without you noticing, but it is very difficult. Obviously, anyone who encounters your postcard can read it. So, most people use envelopes much of the time.

Any e-mail message you send goes across the Internet using whatever route is available. You have no way of knowing what happens at intermediate servers. It now turns out, as Snowden revealed, that the NSA has been making copies of nearly all Internet traffic that goes through the United States, which is a very large percentage of the total. Nothing prevents any company that runs nodes on the Internet from making copies of all the traffic that passes across their servers, or across their routers. Only by encrypting the messages you send can you have at least some privacy from such attacks.

How To Do It Wrong
There are right ways and wrong ways to encrypt. You should not use a Webmail application that encrypts your messages on the servers of the application. Doing so means that the encryption keys are kept on those servers and are almost certainly easy to compromise by law enforcement, by people who work for the company that operates that application for you, and possibly by others. Instead, you should only use an encryption programme that operates on your local computer or device.