Secure Travel

The need to travel outside your immediate area does come up. The chalange is to get to you destination without the state noticing. We explore the options below.

Plane 

NO. It is not possible to travel by plane with the state noticing. Flights have to be book ahead of time  on a website, either the airline or a travel site, with a credit card. That is a minimum of 2 database entries.  Then one has to go through TSA screening where you have to present government issued ID. Just showing up at the airport with no baggage, waiting to buy a ticket with cash for a one way flight that day is going to set off all sorts of alarm bells. An addital problem is planes travel in well established routes. If the state finds you are on a flight and they want you they will just turn up at the gate when you land. Plane travel is off the table.

Train 

NO. Amtrak requires a government issued ID to buy a ticket. You will be required to present the ID when boarding the train. Train travel is problematic in America. Outside of the Northeast corridor it runs sporadically with frequent delays. Plus the train make schedule stops. If the state wants you they lots of time to pick you up at any of the stops. Train travel is a no.

commercial bus 

(greyhound, etc.) - no

motorcycle

 - no

ride share 

- maybe

car

 - yes

bicycle

 - yes

Security for Activists - passwords

Security for Activists - passwords

The lack of understand about computer security and passwords is a little scary. Lots of activity now is being done on-line. Your bank, Shopping, email, etc are all being done by accessing on-line resources and these means logging in using a login and a password. In addition to thieves trying to access you accounts, the ruling class and their servants in government have a vested interest in know what the citizens are up to. Given the empire's, (and this is now an empire) long track record of attempting to suppress and silence activists (see the Wikipedia entry for COINTELPRO, google the phrase "green is the new red") it is imperative that those in the movement know how to protect themselves and prevent the status quo from disrupting us.

 Computer Power

 In 1977 Digital Equipment Corporation AKA DEC released the VAX-11/780 ( a better picture is here VAX 11/780 ) The pictured machine is 3 side by side cabinets each being about the size of your refrigerator. What is not shown is the power handling module which was also the size of your fridge. The entire system was powered by a 440 volt 3 phase line. At the time it was introduced the cost was between $120,000 and $160,000. Just for reference in 1976 my parents bought a 4 bedroom, 2 bath, 2 story brick house that had been built in 1900 on a double city lot in Norfolk, Va. The cost of their home was $55,000. The VAX was rated at 1 MIPS (Million Instructions Per Second)

 As anyone who knows anything about computers will tell you, MIPS is also know as Meaningless Indices of Performance. Without getting too far off into the weeds, a lot has happened in the computer field to make MIPS a defective yardstick. RISC vs. CISC, advances in hardware and software optimization, more efficient algorithms, multiple CPU and cores are now the norm. But it is the yardstick we have.

My cell phone is a Samsung Galaxy S24+ that cost about $800. The way performance is measured has changed a lot since 1977 but the MIPS rating is, ball park, over 5,000 MIPS. We have come from a machine the size of 4 refrigerators.  

On the other end of the spectrum is the super computer. These are huge, very expensive machines that government and big research universities have.  The performance of these machines is measured in PetaFLOPS. That is one quadrillion (10^15) floating-point operations per second. Currently (Jan 2025) the fastest machine is known as Frontier at Oak Ridge National Laboratory. The following link lists the top 21 fastest machines. Frontier is capable of 1,194 petaFLOPS. This list does not include machines owned by NSA and other secret agencies. It is a safe assumption that their machines are at least as fast as Frontier.

So what was the point of the last few paragraphs? In general cracking passwords is a brute force effort. The more powerful the machine, the less time it takes to crack the password. When you have government  machines capable of making trillions of attempts a second, most passwords wouldn't last more than a few minutes. The good news is that the people who have access to super computers have no interest in stealing your money, they will just print more. The people who want to steal your money generally don't have access to super computers.

Anatomy of a strong password

A strong password should be at least 7 characters in length. With each character added the password gets harder to crack. If a password is composed of all ASCII printable characters, that's 95 characters; ( a-z, A-Z, 0-9, !@#$%^&*()_+{}-=[]|\;:'"<,>./?~` ), and the password is one character in length, the number of guesses a password cracking program has to make is 95. If the password is 3 characters in length the number of guess to crack the password is 857,375 (95 x 95 x 95 or 95^3). So a 7 character password would require 69,833,729,609,375 (95 x 95 x 95 x 95 x 95 x 95 x95 or 95^7) guesses. 

There two points I am making here are;

1. the longer the password the harder to crack  
   
2. using mixed case characters, numbers and special characters makes it even harder to crack.

Use mixed case characters, numbers and special characters in your password. Again this makes the password harder to crack.

Never use an easily guessed password. Words like "sex", "money", "secret" and "password" are not passwords. Nor should the password be something about you like the city where you were born or your significant others name. A password should never be a word found in the dictionary. A common hacking technique is called a "Dictionary Attack".

A dictionary attack is system where the program that is attempting a break in will randomly pick a work from the dictionary, say the word cat, and will attempt to login to your account while changing the case of the letters like so; cat, Cat, cAt, caT, CAt, cAT, etc. if none of these combinations works the word is marked as tried and another word is randomly selected from the dictionary until either they successfully logged in or they have worked their way through the dictionary. A phrase or word with mixed case characters, numbers and special characters on the surface looks good but it contains words from the dictionary and it's just a matter of time.

Name That Tune

One of the more secure password algorithms is what I call the "Name That Tune". One picks a song, say "Take It Easy" by The Eagles, then one picks a phrase from that song, lets use "Standing on the corner in Winslow Arizona". Using the first letter of each word of the phrase the password would be "sotciwa". Not bad but we can make it harder to guess by changing the case of some letters and substituting numbers for letters like so, "s0tc1WA$%^$%^". We have substituted a zero for a lower case o and a one for a lower case i. We have also made the letters w and a upper case and just for the hell of it tacked on 2 sets of charters.

The really beauty of the "Name That Tune" algorithm is that it's easy to remember, hard to crack and one can talk about the password without saying the password. For example, lets say we used the above example as the root password to a group of web servers. If someone who knew the password but forgot it (it happens) and needed to know what the password was all you would have to say is, "It's the Eagles song." You have just conveyed the password without saying it and even if someone knows the "Name That Tune" algorithm that don't know which song, which phrase and how the phrase was twisted.

Having a strong password is one thing, it is quite another thing if used stupidly. Writing down your password is a bad idea, especially if it is written down in a place where it can be found. I've seen cases where a root password was written on a piece of paper that was taped to top of the monitor. Another bad idea is to use your password everywhere. One of the basic principles of security is compartmentalization, that is to keep things separate. One should be using different passwords for different accounts. Maybe not every account be every different class of accounts, one for social media, one for bank accounts, etc.

One last point, one should change your passwords every 3 to 6 months. The longer a password is in use the longer the hackers have to break into your account.

 

Password Managers

Two Factor Authentication

 

 

America is dead

 America is dead. 

This America is not the America my ancestor and my wife's fled Europe for. This America is not the America my wife and I grew up in and hoped to grow old and die in. That America is dead and gone and the Republican party, acting on the behest of the Wall St. and the Corporations, are the fuckers who killed it.  

I'm writing this in the early hours of November 8th. and it looks like the GOP is going to take both the House and the Senate. Since GOP has managed to jam six religious fanatics on the Supreme Count future for people who are not Republicans (white, conservative, evangelical, high school education only) is not good. Make no mistake, just as they took away a woman's right to choose by overturning Roe v. Wade, they are now coming for our hard won rights. They will overturn Griswold v. Connecticut (contraception), Obergefell v. Hodges (same sex marriage), Loving v. Virginia (mixed race marriage). recreational cannabis, the right to vote. 

Voting By Mail

 This election is the most important of the last 20 years.

Encrypted emails (Linux)

Activists need to be able to send encrypted emails to protect themselves from spies, people who would undermine what they are working toward. This post is the first of three planned posts on how to setup, on a Linux desktop system, an email client Thunderbird, a pgp key, and how to send and receive encrypted.

WARNING: This does NOT make you safe from being spied on. There are no silver bullets and anyone who says there are is either lying or just plain stupid. Security relies on multiple methods, tools, and behaviors. Security is not a destination its' a journey. Keep in mind that security is an arms race between activists and those who would suppress us. That being said;

This post assumes you know a bit about Linux and have a mostly up to date system. For this post I am going to be using a VirtualBox VM running Debian 9. The reason I recommend this is that a VM is not tied to any PC. You can export the VM to a USB drive and take it with you. You can later install the VM onto any PC running VirtualBox. You can hide your work and recover it later, just don't lose the USB drive.

For this discussion I am using a Debian based Linux like Debian, Ubuntu, or Linux Mint. These methods work just as well on RPM based systems like RedHat or CentOS.

Step 1. Update your system. This is always a good step when adding a new package or doing any thing than a minor configuration change.

    sudo apt update 
    sudo apt dist-upgrade -y
    sudo apt autoremove -y

Step 2. Install the software. There are several pieces of software that need to be installed;

• haveged - This provides a stream of random data which makes the creation of a pgp key go much faster and more secure.
• ntp
• git
• wget
• curl
• postfix
• gpg
• thunderbird
• tor
• VPN client
• 
  

Tools of the Resistance (encryption)

Any resistance to be successful requires communication to organize. The prefered way to communicate is face to face, but this is not always possible. Many times communication must happen electronically be it email, text, or voice. Because of the nature of electronic communication it is possible for others, the status quo, to listen in on what we are saying. Because of this it is best to limit our use of the methods. If one must communicate electronically one should always use encryption. Today, 2019, we have free, open source encryption that 10 years ago would be considered military grade.

Even with strong encryption we need to be careful what we say in our email and text. The establishment has enormous resources at their disposal and can, if given enough time, crack most any encryption. So one should take care what one writes. A message like "The chair is against the wall" is not so clear as "We are having a sit-in at the CEO's office"

This post is the first in a series of posts explaining what modern encryption tools exist and how to use them. The first, this one, will be about PGP and it's open source counterpart, GPG. Then I will be writing about using GPG with email. The I'll cover text apps that encrypt.

PGP & GPG

The encryption tool pgp (Pretty Good Privacy) was written by Phil Zimmermann in 1991 and was the first serious encryption tool that supported public key encryption. After several years of lawsuits and government challenges pgp was declared to be legal for US citizens to own and use. Phil Zimmerman then founded a company to sell pgp as a security tool. Around 1997 Phil and several engineers decided that there should be an open standard for pgp encryption with an open source implementation. The Free Software Foundation agree with him and wrote what is now called gpg AKA GnuPG or GNU Privacy Guard.

Public Key Encryption

So what is public key encryption? The answer to that can get very deep and complicated The link above is to an excellent article on Wikipedia but to make this simple PKE (Public Key Encryption) is a way for 2 people to have an encrypted communication with only the recipients of the messages being able to decrypt the message and a way to confirm the identity of the person sending the message.

To begin with, both parties of the conversation have 2 keys, a public key and a private key. The public key is public, that is the public key is listed on a public key server. Anyone who wishes to have an encrypted conversation with you will write a message and encrypt it with your public key. which they downloaded from the public key server. The sender does not have, nor do they need a password to encrypt a message with a public key.

Once the message has been encrypted with the public only the person with the private key can decrypt the message. This requires the recipient of the encrypted message to decrypt with the private key and their password. To be truly secure the person sending the encrypted message will sign the message with their public key. The signature is confirmed against the sender's public key that is retrieved from the public key server.

This all sounds very complicated but, if one is using the correct tools, all this is hidden under the hood. There are a few simple steps needed to get set up. The steps are

1.  Install the software
2. Create your public and private key
3. Configure Thunderbird (email reader)
4. Distribute your public key 

I will be publishing three additional blog posts about how to do the above steps on Linux, Macintosh, and Windows.

Encrypted emails (Macintosh)