Month: December 2016

Encryption Achieved

I’m proud to report that I am now able to send encrypted emails. Woo!

It was not quite as simple as I thought it would be.

I went back to the step-by-step guide at Email Self-Defense.  I can follow a tutorial, I thought. How hard can it be?

As I wrote about before, I had already set up Thunderbird and cleaned up my Gmail account so that I could reasonably use it. I have even started to open my email in Thunderbird instead of in a browser window. Progress!

So now I’m ready to install the plugin and create some keys and get rolling.

But first: I realized that my Gmail account was pretty insecure to start with. I have recently changed my password (I think mainly due to not being able to remember it on a new device), and so now I decided to set up two-step authentication as well.

Two-step authentication means that you will basically need to enter two passwords when accessing your account from a new machine. The first is the regular password you set up on your account. The second is generally a code sent by text message to your phone. I had never set up this feature because I live in an area where cell service is not a given in all locations. For example, I don’t have cell service in my office. I do, however, now have reliable cell service in my house.

But when I go back to work in the new year, I will have to go through the two-step authentication to access my Gmail there. Luckily, Google gives you the option to save a few static codes, each of which can be used once to access your account. I saved those to a flash drive that I can bring with me.

While I was at it, I did this with my Facebook account as well.

Phew. Much more secure.

But, oh no, now Thunderbird can’t access my Gmail account. Now I have to create an app password for Thunderbird that acts in place of the two-step authentication. Okay, I got that, no big deal.

Here’s where I made my first misstep: When you create the app password, Google tells you that you will not need to keep this password anywhere, you only need it the one time, never fear. So after I entered the password, I closed the window and forgot about it.

Except, when Thunderbird asked me if I wanted to remember the password with a password manager, I said no.

I’ve tried to make it clear from the beginning of this journey that I really know almost nothing about security and encryption and all that, and that I am documenting my experience so that others who know almost nothing can get encrypted as well. Here’s where that lack of knowledge shows itself.

There is such a thing as a password manager. A password manager is a separate software program that keeps track of your passwords. You create a strong password for the app, and then you have access to all your passwords for all the various websites and accounts you need to log into on a regular basis. Instead of having to remember 13 different strong passwords (or, much worse, using one password for all of your accounts), you only have to remember the one to get you into the password manager. Most of these apps also have the ability to generate random strong passwords for you to secure each of your individual accounts.

So when Thunderbird asked me about saving the password in a password manager, this is what I thought it meant. I don’t currently use a password manager, so I said no.

Whoops. Really, Thunderbird wanted to know if Thunderbird should remember the password. I should have said yes. If you’re following along at home, say YES to remembering the password in Thunderbird.

Now I had my two-step authentication all cleared up (I thought), I started following the steps to set up Enigmail in Thunderbird. The steps in the Email Self-Defense tutorial are pretty straight-forward and easy to follow.

Except I had to keep generating new app passwords for Thunderbird, which was really annoying.

And then I got to the end of the tutorial and tried to send an encrypted test email to the bot, and it failed.

It took me about two hours at night, after the children were in bed, to get this far. At this point, I threw my hands in the air and gave up.

“Don’t give up!” James said.

Fine, I won’t give up, but I’m not looking at this any more tonight.

Well, it was more like a week before I got back to it. My brother was in the town for the holidays, and I asked him to help me troubleshoot. We found that I had chosen to send to “only trusted keys” instead of “all available.” We changed that, and everything magically worked.

Okay, fine, it’s not magic. But it worked! Billy and I sent a couple of test emails back and forth. He showed me the gibberish of the unencrypted message on his phone. Cool.

But, here’s the rub: You can only send encrypted messages to someone who is also enabled to send and receive encrypted messages. Well, I guess you could send them to everyone, but only people who have set up encryption will be able to read them.

Which means, at this point, that I can talk to my brother and a bot named Edward.

There is an option in Thunderbird, when you send an email, to attach your public key. Billy said this is how people will know that you can send and receive encrypted emails. Possibly this is also a way to raise awareness about encryption as an option.

But, hooray! Encrypted!

Big Brother Really Is Watching

Allow me to take a little side street on this journey toward encryption. It came to my attention this week that the American Civil Liberties Union is taking the NSA to court over its practice of intercepting, copying, and searching pretty much all of the Internet traffic that leaves America and heads abroad.

Yeah, apparently this is a thing that happens. Constantly.

How is this possible? Don’t we have a Constitutional amendment that protects us, as U.S. citizens, from unreasonable search and seizure? Wouldn’t any reasonable person agree that a search with the scope of “every email sent outside of the United States” counts as unreasonable?

Well, here’s what happened:

Back in 2001, a group of terrorists hijacked planes and few them into the World Trade Center in New York. More than 3,000 people died. And all of America was terrified.

According to The New York Times,

Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials.

Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible “dirty numbers” linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications.

The New York Times goes on to point out that this marked a dramatic shift in the scope of operations of the NSA. Up until this point in 2002, the NSA only monitored foreign communications and threats. For the first time, the NSA was spying on Americans. The only thing that makes this a little more palatable is that the NSA insisted it was only monitoring about 500 people domestically and a few thousand abroad. So, at the very least, these were at least semi-targeted searches.

Another consequence of the 2001 terrorist attacks was that Congress began tinkering with a 1978 act, the Foreign Intelligence Surveillance Act (FISA). FISA is the legislation that allows the NSA to monitor telecommunications of suspected agents of foreign governments. The NSA can apply to a special FISA court for permission to spy on overseas agents.

The first amendment, The USA PATRIOT Act, came right on the heels of 9/11, and expanded the definition of “foreign agents” to include individuals working for an overseas group, such as al Qaeda, that is not explicitly affiliated with a foreign government.

And thus ensued much debate over the provisions of the amendments. One of the most interesting arguments to come out of this legislation is the idea that the telecommunications companies that must be complicit with the government in the surveillance deserve protection from lawsuits brought by those being surveilled.

In 2007, President Bush again asked Congress for more power to spy on Americans, urging them to pass the Protect America Act allowing the U.S. government to bypass the FISA court when seeking to monitor communications in which the originating party is not in the United States. Even if that foreign person is talking to an American citizen who is sitting in Iowa. Congress obliged, giving the NSA and other government agencies the ability to spy on innocent Americans in pursuit of terrorism, as long as they believe that one party is physically located outside the United States.

But this act only lasted for six months. So Congress had to approve another amendment to FISA if any of these provisions were to become permanent.

So they did.

In 2008, Congress pass the FISA Amendments Act (FAA). Some interesting bits:

  • The FAA permits the government not to keep records of searches, and destroy existing records (it requires them to keep the records for a period of 10 years).
  • The FAA grants telecommunications companies immunity for cooperation with authorities.

But don’t worry. There are some protections in the act, too. Like, if the NSA was spying on an American citizen who lives abroad, and that citizen returns to the States, the NSA has to stop spying on them while they are in the country. But the NSA can resume surveillance as soon as they are “reasonably” believed to have left the country. Also, the NSA is forbidden from spying on a foreign person in contact with an American with the sole purpose of spying on the American.

I feel a lot better about all this, don’t you?

The FAA was set to expire in 2012. President Obama took office in 2009, and we all breathed a sigh of relief, because surely he wasn’t into spying on Americans the same way President Bush was.

Except. Not quite.

In 2012, Congress approved a 5-year extension of the FAA, and President Obama signed it.

One positive outcome was that a young man working for a contractor for the NSA became concerned that the government was abusing the power granted it through the FAA, which was used to justify mass surveillance programs. Edward Snowden leaked classified documents to journalists that detailed the extent of the NSA’s surveillance.

(Wired ran a fascinating interview with Edward Snowden from his exile in Russia in 2014.)

That’s the — very  much abridged — history. To sum up, the NSA has been laying the groundwork for massive surveillance programs through executive orders, legislation, and litigation for over a decade.

The most recent ACLU lawsuit specifically addresses what is known as “upstream” surveillance by the NSA.

“Upstream” describes the way the NSA has parked itself on the Internet to intercept all the traffic that flows through it. Not just the metadata (information ABOUT a message rather than the content of the message, like the date it was sent and who sent it), which the NSA claimed previously was all it was collecting under its mass surveillance programs, but the actual content of the messages moving from America to foreign persons. Also, if the communication was between two Americans, but it passed through a foreign server, it is also subject to collection. And, remember, back in 2002, the NSA WAS monitoring the domestic communications of Americans. They said they have stopped.

Wikimedia (which runs Wikipedia, to which I have linked extensively in this post) is the main plaintiff in the case, arguing that the NSA is violating the First (privacy) and Fourth (unreasonable search) Amendments with this program.

To bring this side trip back around to the point, this is exactly why all Americans (and probably all people of Earth) should take steps to encrypt their communication. Although the average citizen’s most private emails might not be more provocative than the details of a surprise birthday party, there are many institutions and individuals doing really important work (Amnesty International, for one; journalists covering foreign affairs for another) that would fall subject to this upstream surveillance. Imagine the need for privacy for communications centered on obtaining asylum for a political refugee. And then realize that you can help protect that refugee by making encryption routine.

Managing Ridiculous Email Inboxes

I want to get back to my journey toward encryption.

When last we discussed it, I was in the process of moving my Gmail account to the Thunderbird client as the first step toward encrypting my email communication. The roadblock I encountered was the sheer number of messages in my Gmail account, which Thunderbird began downloading to my computer. Thunderbird doesn’t have the nifty tabs (Promotions, Social, etc.) that Gmail created and that I spent time training Gmail to use the way I want it to. So everything was getting dumped right into the inbox.

Eek.

With help from my handy husband, James, we managed to clear out the bulk of the old stuff. Remember, I opened this email account in 2006 or so, and had never deleted a significant number of emails.

First, we went back to Gmail in my browser and did a search for email within 1 year of a given date. I think we started with 1/1/2006.

In the search bar, click the arrow to get a more advanced search box. Then you can change the drop down at the bottom to “date within 1 year of XX.”

Now I can archive all of these messages, get them out of my inbox, and Thunderbird won’t download them (alternately, you can spend time deleting them en masse, if you’d prefer).

This still resulted in tedium (I really had THAT MANY messages in my inbox), so James had the idea to search on “unsubscribe” instead of the date range. This did capture all of the mass marketing emails, or, at any rate, enough of them to make a difference. Sent to the trash!

You also can use this advanced search box to create a filter, if you don’t want to delete or archive all these messages, but you also don’t want them all in your Thunderbird inbox. A filter will also help keep new messages under control. I get more than 50 Promotions messages a day (yes, I’ve started using that “unsubscribe” link on some of them).

For example, you can search for all messages in the Promotions tab, and click “Create a Filter with this Search” (at the bottom right of the dialogue box).

You now have several options: Archive all the messages, forward them to another email address, delete them, label them. I chose to categorize them as Promotions. This created a folder, which Thunderbird can see and display, where all my Promotions emails are now being sent.

An interesting side effect of this filter is that I no longer see these emails in my Promotions tab when I go to Gmail in a browser. So far this is working out just fine. (They do show up in the new Promotions folder, way down the list on the sidebar, so I can find them in a browser if I want to.)

I chose to allow those messages that Gmail splits into the Social tab in my Thunderbird inbox. I don’t get an overwhelming number of those on a daily basis, and I’ve intentionally sent a few specific daily emails there because I don’t necessarily want them in my inbox, but I don’t want them lost in Promotions, either. We’ll see if I find this annoying after a while.

Now the flow of incoming messages to Thunderbird is something approaching reasonable, and I can go and look at all the sale flyer emails I get when I feel like looking.

This is a sidetrack on the way to securing my emails. Thunderbird is going to be the software that allows me to send secure messages, but I had to make it usable before I could set up security.

(And I have to adjust my habit to actually start using it as opposed to the browser, but that will come with time.)

© 2018 Jennifer LK Clark

Theme by Anders NorenUp ↑