[StuCo 98008]
GNU/Linux for Beginners
By the end of this lecture you will know
- The ways by which commercial organizations and spammers collect your personal information
- How to defend your private information
- Settings/plugins of common GNU/Linux applications that help you strike a balance between usability and privacy
Privacy Violations
- Spam email
- Spammers trying to sell you Viagra, “more confidence”, dates with Britney Spears, etc.
- M$-assisted worms that bombard your mailbox and attempt to infect your computer
- Scam email that costs lots of money (Nigerian spam)
- Targeted advertising
- Implies that your online behavior is tracked
- Consumer behavior patterns
- “Minority Report”-like “Hi Alex, welcome back!”
Nigerian Scam Spam
Why Do I Get Spam?
- You have posted to public mailing lists/newsgroups
- Such lists/newsgroups are archived, and spammer bots (scripts) read through them to harvest legitimate email addresses.
- You have used online services that required an email
- Service providers regularly sell the personal information of their subscribers
- You have received email from a friend with a free web mail address
- Outgoing email addresses are harvested and sold to spammers
Defenses Against Spam
- Proactive
- Don't give out your real information unless you must
- Use a “junk” account for online registrations
- Don't accept HTML email
- Use timestamped addresses (apapadop+rh7Jul02@cmu.edu)
- Reactive
- Use spam filtering software like SpamAssassin
- Never click on “click here to unregister” links
The Joys of HTML email
- Web browser is typically invoked
- All web browser vulnerabilities applicable
- Web bugs (remote transparent 1x1 images)
- You're in spammer's HTTP server logs
- Good email address, keep for future spamming
- All your IPs/timestamps are belong to us
- JavaScript and friends
- No legitimate use
- Malicious code execution (worms, trojans)
What Happens When You Get An HTML email?
- Client tries to render the HTML
- Remote elements are loaded from the network
- Busted – you're in spammer's logs
Turning Off HTML email
Getting Rid of Web Bugs
Tracking People on the Web
- The “referer” field
- Where did this visitor come from?
- Cookies
- Uniquely identifiable consumers
- Banner ads
The Good Cookies
- Small text files stored on your local machine
- They usually keep useful information for a specific site – e.g. lang=el for a multi-language site
- Necessary for web authentication, since HTTP is stateless
- Theoretically not accessed by anyone else but the site that put them there.
Misuse of Cookies
- Consumer profiling networks like DoubleClick
- Cookies combined with banner ads
- Why do banners always point to so long URLs?
- Accessing cookies of other domains
- Everyone gives you a cookies nowadays. Do you need them?
- Cookies are only necessary for authentication
Defenses Against Cookie Misuse
- User decides to accept/reject cookies per domain
- Actually works after a while
- Always use the “remember my choice” feature
- Expire all cookies when I exit my browser
- Hassle-free web browsing
- Keeps all sites happy
- Acceptable, as long as you quit your browser often
Privoxy – Anonymizing HTTP Proxy
- All HTTP requests + replies go through Privoxy
- It strips all cookies / banner ads / popups
- Breaks some sites
Email Encryption
- How?
- Public Key Infrastructure
- OpenPGP standard (RFC2440)
- Why?
- Confidentiality (third parties cannot read your email)
- Integrity (message is not altered while in transit)
- Authentication (I know who sent the message)
Public Key Crypto
- Alice has a private and a public key. So does Bob.
- They both post their public keys on a key server.
- Alice gets Bob's public key from the server.
- Alice uses Bob's public key to encrypt a message to him.
- Alice signs the message with her private key.
- Bob gets the message. He uses his private key to decrypt the message, and reads it. No one else could have read it.
- Bob uses Alice's public key to verify her signature. No one else could have signed it, so the message is from Alice.
An Encrypted Message
PKI Pitfalls
- Getting a corrupt public key
- Always check the fingerprint, e.g.
3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265
- By phone call, or face-to-face verification
- Not keeping your private key secure
- Secure your machine
- Use a strong passphrase (not just a password)
- Key mismanagement
- Always issue revocation certificate
- Set expiry date before the next Ice Age
Creating Your Own Keys - GnuPG
- $ gpg --gen-key
- $ gpg --list-keys
- $ gpg -o revcert.asc --gen-revoke <myID>
- $ gpg --send-keys --keyserver pgp.mit.edu
- Go to http://pgp.mit.edu to verify your key
- $ gpg --fingerprint <myID>
- $ gpg --import revcert.asc
- $ gpg --send-keys --keyserver pgp.mit.edu
- Go to http://pgp.mit.edu to check proper revocation
Crypto – Email Client Integration
- KMail: Native GnuPG support
- Mozilla: EnigMail plugin
- Other mail clients that support OpenPGP
- Mutt
- Pine
- Sylpheed
- Mozilla ThunderBird
Encrypting Local Files With GnuPG
- $ gpg --encrypt --recipient <myID> <filename>
- Encrypts and compresses the file
- Creates <filename>.gpg
- $ gpg --decrypt --output <filename> <filename>.gpg
- Decrypts the contents of <filename>.gpg into the file <filename>