PC-BSD Day 18: Improving end-user security (part 1)
This week the so-called Big Brother Award, a prize given to a person or organization that most threatens civil liberties in the digital realm, was awarded in the Netherlands to the end-users. We can blame organizations and government institutions for intruding on our online privacy and tampering with our digital liberties, but at the same time we litter the net with personal data and sensitive information. Yet it is not so complicated to enhance our security with a few simple measures, which I described in the article “Portable security for the practical paranoid”. Today I want to implement these features on my PC-BSD box.
Improving e-mail security
The first and last line of defense is the use of common sanity. Unfortunately, there is no way to install that, not with # pkg_add -r comsanity or with # make install comsanity. It would be nice (from a sysadmin’s perspective, or when you are the one in the family that everyone calls when there is a screwup) if the computer would just show a message like: “You are showing irrational and insane behavior in the use of this computer. All system files will be erased in five seconds. Your personal files will not be touched and can be salvaged by someone who knows what he/she is doing. Otherwise… well, you asked for it”.
There are at least two things I would like to see in Thunderbird: an improved spam filter and the possibility to encrypt my e-mail traffic. Two add-ons cover these: Spamato (needs Java) and Enigmail (requires GPG). Installing Enigmail is a matter of downloading the appropriate .xpi from the website. The dropdown box shows there is a version for FreeBSD 6.x. After downloading, you launch Thunderbird and go to Tools -> Add-ons. Select the enigmail.xpi file and restart Thunderbird.
The new menu item “OpenPGP” is now visible. Selecting “Key management” opens the wizard that helps you to set it up and select the first key pair. There is no need to install GnuPG. After this you can sign and encrypt all outgoing e-mail.
Of course I was curious how KMail would do. You can set up encryption under Configure -> Security -> Crypto backend. There is no wizard and a ton of fields to fill with information. I think I will leave that for another day.
Spamato is a somewhat more advanced filter than Thunderbird’s built-in filters, which already work well. I installed the .xpi file and added it to Thunderbird. Under Windows and Linux I am automatically greeted by the message that it can’t find Java. No such message under PC-BSD. This doesn’t mean Spamato actually works. You still have to tell it the location of the correct Java executable.
To be honest, I didn’t start looking for ways to cover my online tracks until I was confronted with a few websites that wouldn’t allow visitors from the Netherlands. In the past I could listen to music via the Pandora website. In order to sign up you needed a US-based zipcode (90210 anyone?), but nowadays the IP-address is the rat. Short of moving to the United States I found two ways to circumvent that barrier, methods for anonymous surfing: TOR and JAP.
Caveat Emptor (or, for the non-literati among us, read before you proceed): Anonymous does not mean secure. TOR is a peer-to-peer based proxy network where traffic is routed through various TOR servers before reaching its destination. Just about anyone can set up a TOR server and capture the traffic. So think before you start sending your credit card data through the TOR network. JAP provides a similar service and is located in Germany. The German authorities do not appreciate this level of anonymity and it is said the developers were forced to build in a backdoor. Chances are that German law enforcement is listening in, so better select some decent music when you visit Pandora.
The online instructions at the JAP website ask you to check the available Java version on your system. However, these instructions do not seem to work when you used the Java PBI package to get Java. It’s a matter of simply downloading the JAP.jar file and launching the program with # java -jar JAP.jar. Two windows appear: the main JAP window and the JAP installation assistant. The assistant is pretty good. It tells you about the settings for your web browser and has instructions for a small collection of browsers. Simply put: you should change the proxy settings of your web browser to localhost and port 4001.
After applying the changes you are asked to run a few tests and fine-tune JAP based on the warnings you get. If you think web surfing has become too slow because of this, you can try to select another free server or you can opt for one of the paid services. JAP does hide your IP from the site you are visiting, but that’s about it. Using it under PC-BSD is not a problem.
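A check to go with the proxy setting described above, as an added example that is not part of the original post or of JAP: it confirms that something is listening on localhost port 4001 and fetches a page only through that proxy, refusing to fall back to a direct connection. The function names are hypothetical; only the host and port come from the article.

```python
import socket
import urllib.parse
import urllib.request

JAP_HOST, JAP_PORT = "127.0.0.1", 4001  # localhost:4001, as set in the browser


def proxy_listening(host=JAP_HOST, port=JAP_PORT, timeout=2.0):
    """Return True if something accepts TCP connections on the proxy port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_fail_closed(url, host=JAP_HOST, port=JAP_PORT, timeout=10.0):
    """Fetch url through the local proxy only; never fall back to a direct
    connection that would show the real IP address to the site."""
    target = urllib.parse.urlsplit(url).hostname
    # urllib still honours a no_proxy environment entry even when a proxy is
    # given explicitly, so treat a matching entry as a leak and stop.
    if target and urllib.request.proxy_bypass(target):
        raise ConnectionError(f"no_proxy would send {target} directly")
    if not proxy_listening(host, port):
        raise ConnectionError(f"nothing listening on {host}:{port}")
    proxy = f"http://{host}:{port}"
    # The explicit mapping replaces any http_proxy/https_proxy variables.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    print("proxy listening:", proxy_listening())
```

The proxy setting is per program: this covers only the process that uses it, and other applications on the same box still connect directly.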
In order to get TOR I decided to use the install via the ports collection. When it comes to security I believe it is necessary to get the latest version possible. I also like to have a GUI, so I opted to install Vidalia. More on this tomorrow.