
Thailand intercepting emails


AyG


By the way, how do people draw the conclusion that "Thailand is intercepting emails"?

This is a man in the middle attack most likely perpetrated by hackers.

(1) It involves the infrastructure of multiple Thai ISPs.

(2) It uses the same technique as is used by various USA ISPs for surveillance purposes.

This is most unlikely to be a hacker intervention.

(1) It involves two ISPs as far as I know. So that doesn't sound like a government edict.

(2) It's an old MITM from the '90s so hardly anything new.

And as the post above states, it can be enabled by tweaking a Cisco setting.

What chance some chumps have left default passwords on their Cisco gear or they've been compromised from another internal server?

I'm not convinced.

Edited by Chicog
Link to comment

After struggling through all this crapodology, I'm still none the wiser. Is there or is there not an effective, foolproof way to stop Big Brother and the four-eyed geek next door from reading my emails? In simple, colour by number terms, please.

Well, quite a few supplies with email encryption software but it can't be supplied when you use the browser unless they supply with HTTPS through browser connection,

I made my own with blowfish/AES encryption, works bloody fantastic as I create the HASH myself.

The downside is I have to give my receivers my private key, how to do that, well, use DROPBOX, encrypted already but I agree, it creates a security hole in my encryption but there are other ways to distribute the private key.

When people say someone uses man in the middle hacks (attacks), they mean someone with access to a router/proxy can read all the packets (and store them in real time) and investigate the packets (information is sent in packets over the internet).

That is not a realistic scenario when it comes to hackers, unless they are paid by the government or run their own backbone to the internet.

The geek next door needs access to your router in order to save your traffic, secure your router, use a reputable VPN and you are safe from 99% of all intrusions of your traffic.

The best choice for everyone would be to buy a CISCO firewall to put between your computers and your router but it would mean you have to learn how to set up a firewall by yourself.

Anyone challenging my info, answer this: why do there exist numerous security companies doing precisely this for companies, and they are thriving, making billions of dollars every month?

But google email encryption and you will find a couple of good software to help you with secure email, at least you would be protected from most hijacks.

AND before choosing any of them, google again with "Email encryption secure flaws", that will help you to decide which one to choose.

Try to find any negative information about them first and decide for yourself.

Link to comment

Buying yourself a computer and then saying on that "highly watched" device that you are some kind of activist against the US Government.... is, not very crafty.

As a rule, anti government elements usually stay off the radar. But perhaps you are actually defying them to catch you...eh?

You are wrong again, the anti ... traffic so much crap data so they can stay under the radar, the amount of it protects them somewhat,

Another thing, state agencies, once they have decrypted the data, use lingo based software to sift through everything and also have very sophisticated software to analyze the data, to find hidden metaphors, ciphers and whatnot.

That's where they need the computer power; analyzing data, even in small quantities, requires a HUGE amount of processing capabilities.

In the security agencies' eyes, we are all enemies of the state.

Edited by KamalaRider
Link to comment

Most of us would shit in our pants if we knew how many times our traffic actually is and was analysed.

I think most of us don't give a toss.

Maybe you don't, but don't include me in your 'most of us'. I have nothing to hide, but don't care to have my s4it being monitored. Better safe than sorry as my grandmother used to say

sent from my slimkat 1+ using tapatalk

Link to comment

Most of us would shit in our pants if we knew how many times our traffic actually is and was analysed.

I think most of us don't give a toss.

Maybe you don't, but don't include me in your 'most of us'. I have nothing to hide, but don't care to have my s4it being monitored. Better safe than sorry as my grandmother used to say

sent from my slimkat 1+ using tapatalk

Realistically if you post anything on the internet you are foolish to have any expectation of privacy.

If the governments don't get it, the hackers will.

All you can do is assume that your boring and irrelevant tittle tattle is of no importance to anyone of significance.

Link to comment

If you care about keeping your communication private you could do the following:

0. Use strong passwords and don't log in on untrusted devices or networks.

1. Use a VPN (virtual private network) service from a reputable provider. This will ensure that the communication from your device (node) to their node is secure before it enters the public Internet.

2. Use encryption for the web (HTTPS) and email (SSL/TLS). This ensures that the traffic between you and the server (via the VPN node) is encrypted/secure.

3. Ensure you use a trusted set of DNS servers (for looking up hostnames). This avoids DNS spoofing. DNSSEC helps too eventually.

4. Use certificate pinning to detect if someone is trying to intercept your communication with a man-in-the-middle attack.

5. Disable or avoid mechanisms commonly used to deliver exploits -- downloads, attachments, ads, shady sites, phishing, etc -- and use antivirus software.

6. Stay up to date on security updates for your devices.

7. Consider a reputable firewall if you have an Internet-connected network (e.g. pfSense) as the LAN opens up your attack surface.

Of course there's more, but doing steps 0-2 will help a lot if you're in a "hostile" environment or are otherwise concerned.

If you want to stay anonymous, that's a different ballgame, but Tor+anonymous VPN may be sufficient or Freenet.

If you are concerned about authenticity of emails you could start using email signing (e.g. PGP) to verify what's being sent/received (and also encrypt it again over the encrypted channel itself).

In my opinion criminals represent the biggest threat to "normal" people, but obviously we're all different and some may have vastly different needs for security and/or privacy.

If you're truly concerned I would suggest consulting a professional with your specific needs and concerns.

  • Like 1
Link to comment
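Items 2 and 4 of the list above (TLS for email, certificate pinning), as an added example that is not part of the original post: a Python check that an SMTP server still offers STARTTLS and that the certificate it presents matches a fingerprint recorded earlier on a trusted network. The function names, verdict strings and sample values are assumptions made for this example, and pinning the SHA-256 of the whole certificate is one of several possible pinning choices.

```python
import hashlib
import hmac
import smtplib
import ssl


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate the server presented."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return lowercase hex."""
    return pin.strip().lower().replace(":", "")


def evaluate_session(ehlo_extensions, cert_der, pinned_fingerprints) -> str:
    """Classify one SMTP session (hypothetical verdict names).

    ehlo_extensions: extension names the server advertised after EHLO.
    cert_der: DER bytes of the certificate seen after STARTTLS, or None.
    pinned_fingerprints: SHA-256 values recorded on a trusted network.
    """
    advertised = {ext.strip().lower() for ext in ehlo_extensions}
    if "starttls" not in advertised:
        # A server known to support TLS that stops offering it is a
        # possible downgrade by something on the path: do not send mail.
        return "NO_STARTTLS"
    if not cert_der:
        return "NO_CERTIFICATE"
    seen = cert_fingerprint(cert_der)
    for pin in pinned_fingerprints:
        if hmac.compare_digest(seen, normalize_pin(pin)):
            return "OK"
    # TLS was negotiated, but not with the certificate recorded earlier.
    return "PIN_MISMATCH"


def probe(host, pinned_fingerprints, port=587, timeout=10) -> str:
    """Live check against a mail submission port (not called by the demo).

    Chain and hostname validation stay on; a failed handshake raises
    ssl.SSLError instead of returning a verdict.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        extensions = list(smtp.esmtp_features)  # capture before STARTTLS
        cert_der = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            cert_der = smtp.sock.getpeercert(binary_form=True)
        return evaluate_session(extensions, cert_der, pinned_fingerprints)


# Constructed sample data: stand-in bytes, not a real certificate.
CONSTRUCTED_CERT = b"constructed stand-in for DER certificate bytes"
CONSTRUCTED_PINS = [cert_fingerprint(CONSTRUCTED_CERT)]


def demo():
    """Run the classifier over three constructed sessions."""
    return {
        "clean path": evaluate_session(
            ["SIZE", "STARTTLS", "8BITMIME"], CONSTRUCTED_CERT, CONSTRUCTED_PINS),
        "starttls missing": evaluate_session(
            ["SIZE", "8BITMIME"], None, CONSTRUCTED_PINS),
        "different certificate": evaluate_session(
            ["STARTTLS"], b"constructed different certificate", CONSTRUCTED_PINS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Record the pin from a network you trust, and update it when the provider rotates its certificate.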

Don't forget to disable any keylogging, or remote viewing that...anyone...including friends of your wife/girlfriend, may install on your computer. If they have physical access to it. Just a matter of them accessing administrator rights, installing a service such as VNC...and setting the password to access that service .....

With the keylogger....can record all the keys you pushed to login. Simple to get your id and pw. It then emails it to the installer.

With programs like remote viewers (can physically control your pc, or just view your screen. Also can transfer files.)

Watch out....in your own home. You might go out bar hopping...your gal takes the laptop down the street to the Internet Palace, they hack out your administrative rights and password, disable the firewall/antivirus, and put that crap on there. By the time you find out....somebody already has all they need.

She might even know somebody that will clone your hard drive....and all your docs. Then just work on that at their leisure.

Edited by slipperylobster
Link to comment

And I thought I had it bad when my ex-wife (American bitch) used to re-program my satellite from downloading and recording porn in the middle of the night to her soap operas. Best way to foil that little plot, get a new gf etc. Full disc encryption does work pretty well. The local "shop" won't break it and even the government will play hell for a long time. Even with the demise of TrueCrypt there are free ones that work. Don't lose the password.

  • Like 1
Link to comment

Don't forget to disable any keylogging, or remote viewing that...anyone...including friends of your wife/girlfriend, may install on your computer. If they have physical access to it. Just a matter of them accessing administrator rights, installing a service such as VNC...and setting the password to access that service .....

With the keylogger....can record all the keys you pushed to login. Simple to get your id and pw. It then emails it to the installer.

With programs like remote viewers (can physically control your pc, or just view your screen. Also can transfer files.)

Watch out....in your own home. You might go out bar hopping...your gal takes the laptop down the street to the Internet Palace, they hack out your administrative rights and password, disable the firewall/antivirus, and put that crap on there. By the time you find out....somebody already has all they need.

She might even know somebody that will clone your hard drive....and all your docs. Then just work on that at their leisure.

Before this can happen, install and use TrueCrypt and create a complete secure drive from where you boot.

As soon as you log off and close windows, they'll need a password to decrypt your drive.

Just make sure it's a strong password, minimum 16 characters and not including your dog's name, gf's name or any other personal information.

I myself use +24 characters with both upper case and lower case letters + numbers and a special character.

I might be overly cautious but I think I prefer to be, it's not a question if someone's gonna try to break in to my computer, it's when they are going to try.

I just saw someone else wrote down TrueCrypt, it's a very good encryption software and best of all, it's free.

Edited by KamalaRider
Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

  • Like 1
Link to comment

Might be useful to download and enable a DarkWeb-style app before setting foot back in LOS.

Was reading into it only just last night.

In the meantime, my laptop's IE is still unusable since March when last in Pattaya, and my Google homepage still comes up in Cyrillic.

Link to comment

Just as scary, maybe more so given the cooperation with the feds, is this: http://warincontext.org/2014/11/14/why-google-is-scarier-than-the-nsa/

And some people still naively say, "I have nothing to hide".

Build a luxury house in an area with homeless, drug addicts, thieves and burglars with 15 front doors with no locks and then park your unlocked 20 luxury cars around the house and let's see if they still say they still don't have anything to hide.

(luxury home could be your own trailer, luxury cars could be your run-down 15-year-old car and some useless and broken down bicycles)

People don't need to protect themselves like a multinational company against intrusion, but everyone SHOULD at least make sure they have a sufficient firewall and always try to use secured ways to internet (HTTPS, SSL/TLS).

Refrain from unknown publishers of downloads.

Avoid logging in to Google when they google, don't hesitate to pay for VPN.

Very simple ways to stay reasonably secure.

At present, I'm protected with 3 firewalls, router firewall, Cisco firewall and an AVG firewall installed in Windows, still a Russian that lived in my area got through my router firewall as it had WIFI turned on with WPA2, had to hide my SID, restrict access to internet with only allowed mac addresses before I managed to cut him off, he used up more than half of my bandwidth at times.

He could have been a criminal but I would have to take the fall if they tracked his activities on the internet, could have been spreading child porn or drug seller.

I don't know, I could only track where he went and that was Russian web sites, but I couldn't track what he was sending or uploading through his secure transfers.

WPA2 is cracked now and everyone should make sure no one can access their home WIFI to commit crimes through them.

Security isn't always about ourselves, it's also making sure no one can use our connections to Internet

Edited by KamalaRider
  • Like 1
Link to comment

KamalaRider, good info as have some of the other posters. One solution to google is DuckDuckGo for a search engine. No tracking. I run Ccleaner, clean cookies etc. several times a day. I don't take all the precautions that I should. WIFI is pretty much wide open to those that know how and want in. Routers have a back door, I don't trust my 3B router as far as I could throw it with my left little toe. The old one had a Chinese backdoor in it that took me a couple of weeks with the aid of a geek problem solving site to rid the attached virus. Kids are always messing around on their computer and I hate going in to clean up the mess they leave. Nobody knows how to get into my computers. Somebody with the knowhow could probably hack their way through the kid's computer, WIFI into mine. Or, as in your case, just hijack it. It is password protected, but... . One has to have a good working knowledge of computers or know someone that does to really protect themselves, I don't have that knowledge but do all that I know how. Everybody should.

Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

Did you bother to look for it? See https://en.wikipedia.org/wiki/TrueCrypt#End_of_life_announcement. Please don't spread FUD without properly researching topics.

Link to comment

Might be useful to download and enable a DarkWeb-style app before setting foot back in LOS.

Was reading into it only just last night.

In the meantime, my laptop's IE is still unusable since March when last in Pattaya, and my Google homepage still comes up in Cyrillic.

Why "DarkWeb-style app"? If you're worried about using your laptop in Thailand why not just use VPN? It'll be like you're outside the country.

Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

Did you bother to look for it? See https://en.wikipedia.org/wiki/TrueCrypt#End_of_life_announcement. Please don't spread FUD without properly researching topics.

The Wikipedia article gives enough reason for FUD.

"the software may contain unfixed security issues" (Nothing definitive).

"Multiple theories attempting to explain the reason behind the announcement arose throughout the tech community." (I.e. it's not clear why the project closed down.)

"Linux and OS X do not have complete replacements for TrueCrypt" (So why shut down a project which obviously would continue to have value to Linux and OS X users if there weren't some very serious, fundamental problem?)

Link to comment

KamalaRider, good info as have some of the other posters. One solution to google is DuckDuckGo for a search engine. No tracking. I run Ccleaner, clean cookies etc. several times a day. I don't take all the precautions that I should. WIFI is pretty much wide open to those that know how and want in. Routers have a back door, I don't trust my 3B router as far as I could throw it with my left little toe. The old one had a Chinese backdoor in it that took me a couple of weeks with the aid of a geek problem solving site to rid the attached virus. Kids are always messing around on their computer and I hate going in to clean up the mess they leave. Nobody knows how to get into my computers. Somebody with the knowhow could probably hack their way through the kid's computer, WIFI into mine. Or, as in your case, just hijack it. It is password protected, but... . One has to have a good working knowledge of computers or know someone that does to really protect themselves, I don't have that knowledge but do all that I know how. Everybody should.

1. Search engine tracking is one thing. Duck Duck Go doesn't track. You can use Privacy Badger to avoid third party tracking.

2. Wifi is not "pretty much wide open" -- that's false.

3. If your router has a backdoor, replace it or use a firewall.

4. If users mess up the install, you can use a known-good image and simply reimage the computer. Or lock it down and have them use it in guest mode where it gets reset after each use.

5. Sure, attacking a computer over the LAN is usually easier, but you still need services or exploits to attack. If you don't trust the kids, give them a separate wifi network.

Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

Did you bother to look for it? See https://en.wikipedia.org/wiki/TrueCrypt#End_of_life_announcement. Please don't spread FUD without properly researching topics.

The Wikipedia article gives enough reason for FUD.

"the software may contain unfixed security issues" (Nothing definitive).

"Multiple theories attempting to explain the reason behind the announcement arose throughout the tech community." (I.e. it's not clear why the project closed down.)

"Linux and OS X do not have complete replacements for TrueCrypt" (So why shut down a project which obviously would continue to have value to Linux and OS X users if there weren't some very serious, fundamental problem?)

Did you read the last paragraph? Let me quote it for you:

Shortly after the final release announcement, Gibson Research Corporation posted a Final Release Repository to host the last official Read/Write capable version of Truecrypt for users who still want to use their existing TrueCrypt volumes. The page features a recapitulation of how TrueCrypt was discontinued by its original authors, only to be revived and forked by the community. The article debunks any sensationalist security concerns that current users may be worrying about by offering a thorough explanation of the community efforts to perform a formal security audit of TrueCrypt, as well as offering methods and third party sources to verify and validate the final released archives for TrueCrypt v7.1a. Links to various mirrors and online resources for TrueCrypt v7.1a users are provided, along with a proposed new logo for future community supported forks of TrueCrypt.

(Emphasis is mine.)

What more do you want?

Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

Did you bother to look for it? See https://en.wikipedia.org/wiki/TrueCrypt#End_of_life_announcement. Please don't spread FUD without properly researching topics.

The Wikipedia article gives enough reason for FUD.

"the software may contain unfixed security issues" (Nothing definitive).

"Multiple theories attempting to explain the reason behind the announcement arose throughout the tech community." (I.e. it's not clear why the project closed down.)

"Linux and OS X do not have complete replacements for TrueCrypt" (So why shut down a project which obviously would continue to have value to Linux and OS X users if there weren't some very serious, fundamental problem?)

Did you read the last paragraph? Let me quote it for you:

Shortly after the final release announcement, Gibson Research Corporation posted a Final Release Repository to host the last official Read/Write capable version of Truecrypt for users who still want to use their existing TrueCrypt volumes. The page features a recapitulation of how TrueCrypt was discontinued by its original authors, only to be revived and forked by the community. The article debunks any sensationalist security concerns that current users may be worrying about by offering a thorough explanation of the community efforts to perform a formal security audit of TrueCrypt, as well as offering methods and third party sources to verify and validate the final released archives for TrueCrypt v7.1a. Links to various mirrors and online resources for TrueCrypt v7.1a users are provided, along with a proposed new logo for future community supported forks of TrueCrypt.

(Emphasis is mine.)

What more do you want?

No, I didn't read the last paragraph. I read the paragraph you linked to. (I have now.)

As for "what more do you want?" I want something more substantial than a Wikipedia quote that fails adequately to explain why the project was terminated, and the bland reassurance that it "debunks any sensationalist security concerns" is far from convincing. What is absolutely clear is that the whole story is not yet out.

Link to comment

No, I didn't read the last paragraph. I read the paragraph you linked to. (I have now.)

As for "what more do you want?" I want something more substantial than a Wikipedia quote that fails adequately to explain why the project was terminated, and the bland reassurance that it "debunks any sensationalist security concerns" is far from convincing. What is absolutely clear is that the whole story is not yet out.

Again, the mentioned Wikipedia article addresses the concerns you're bringing up: https://en.wikipedia.org/wiki/TrueCrypt#Security_audits

Re: why the project was terminated:

According to Gibson Research Corporation, Steven Barnhart wrote to an email address for a TrueCrypt Foundation member he had used in the past and received several replies from "David". According to Barnhart, the main points of the emails were that the TrueCrypt Foundation was "happy with the audit, it didn't spark anything", and that the reason for the announcement was that "there is no longer interest [in maintaining the project]."

Re: the results of the security audit:

In 2013 a graduate student at Concordia University published a detailed online report, in which he states that he has confirmed the integrity of the distributed Windows binaries of version 7.1a.

A crowdfunding campaign attempting to conduct an independent security audit of TrueCrypt was successfully funded in October 2013. A non-profit organization called the Open Crypto Audit Project (OCAP) was formed, calling itself "a community-driven global initiative which grew out of the first comprehensive public audit and cryptanalysis of the widely used encryption software TrueCrypt". The organization established contact with TrueCrypt developers, who welcomed the audit. Phase I of the audit was successfully completed on 14 April 2014, finding "no evidence of backdoors or malicious code". Matthew D. Green, one of the auditors, added "I think it's good that we didn't find anything super critical."

One day after the end of life announcement, OCAP confirmed the audit would continue as planned, with Phase II expected to begin in June 2014 and wrap up by the end of September. The French National Agency for the Security of Information Systems (ANSSI) stated that while TrueCrypt 6.0 and 7.1a have previously attained ANSSI certification, migration to an alternate certified product is recommended as a precautionary measure.

The second part of the audit is pending -- you can track it here: http://istruecryptauditedyet.com/. More information about the ANSSI process: http://www.ssi.gouv.fr/en/certification/first-level-security-certification-cspn/

  • Like 2
Link to comment

And you would trust Wikipedia, when NSA, FBI etc. can provide the information contained in it? When I see EFF saying use Truecrypt, I'll do so. Nobody even knows who/what was behind Truecrypt. You bring up good points, you just haven't learned to be paranoid, yet. I have.

Link to comment

And you would trust Wikipedia, when NSA, FBI etc. can provide the information contained in it? When I see EFF saying use Truecrypt, I'll do so. Nobody even knows who/what was behind Truecrypt. You bring up good points, you just haven't learned to be paranoid, yet. I have.

I'm not sure who you're addressing, but I'll throw in my two cents.

Anyone can contribute to Wikipedia. And anyone can review, fact check, dispute and correct what's being written. That's one of the strengths of an open, crowdsourced resource like Wikipedia. So would I trust Wikipedia? Sure, as much as I would trust anything else or anyone else I'm basing important decisions on. Does that mean I wouldn't seek out other resources to confirm? No, I most definitely would. In this particular case, there are more sources to back up the claims contained in the Wikipedia article. And if you don't trust academic, industry and other experts, you're always free to review the source code and build the binaries (the software) yourself.

The EFF is a great organization which does a lot of good, but if you rely on them for advice on everything you may be disappointed. Luckily for you, they have written about TrueCrypt in the past (https://www.eff.org/deeplinks/2008/05/border-search-answers) regarding safe-keeping your data against border searches.

Why is it important to you to know who is/was behind TrueCrypt? Shouldn't their work stand on its own? TrueCrypt has been scrutinized (peer reviewed, audited, battle tested, etc) and has passed the test. Again, this is not some obtuse black box that you have to trust -- how it works is out in the open for anyone to see.

If you look up the definition of paranoid you'll see terms like "suffering from a mental illness", "falsely believe that people are trying to harm you", etc. (ref. http://www.merriam-webster.com/dictionary/paranoid). I'm not sure that is something I want to learn -- I'm quite happy making informed decisions as best I can and not take on any more risk than necessary if I can't handle the consequences.

But as always, just because you're paranoid doesn't mean somebody is not out to get you. ;)

Link to comment

TrueCrypt shut down sometime back unexpectedly. I still have not seen the reason. It was believed that something or someone was compromised. I'm not sure if the people behind TrueCrypt are even known, but they recommended that people stop using and use another method. Windows 7 Pro and later has an encryption function built in. Given microspy's cooperation with the feds bet on a back door built in. There are other free, good ones out there, check EFF for recommendations. While the gov't may not be able to crack, they can certainly force you to cough up the password, in more than one way.

Truecrypt 7.1a is still running normally on my computers.

Link to comment

And you would trust Wikipedia, when NSA, FBI etc. can provide the information contained in it? When I see EFF saying use Truecrypt, I'll do so. Nobody even knows who/what was behind Truecrypt. You bring up good points, you just haven't learned to be paranoid, yet. I have.

That is a stupid statement, as a regular editor, contributor and junk filter everything you said is entirely true.

Except that anyone, even anons, can make changes to content in Wikipedia. If you make unsupported edits or your references are garbage expect reversions of junk changes which are done aggressively.

You are actually calling into the bigger question of how to trust anything for which you didn't see first hand or had its inception in reality inside your brain.

And that is simply negated by risk based analysis and decision making, and if there are no outcome expectations you can probably just go by personal opinion if that makes it easier. It is more often than not all one can do with the information at hand and not a clue or where to get one.

Link to comment