GFW BLOG（功夫网与翻墙）

如何提高电子邮件的安全度？

2010-01-24T09:36:00.001-08:00

来源：维权网

不少网民在使用Email（电子邮件）时，都遭遇过邮箱密码被盗被篡改、邮件已被阅读或被偷偷“自动”转发、丢失邮件等情况。最近谷歌公司透露，有些黑客试图袭击该公司网站盗窃维权人士的邮箱帐户信息。十分牢靠地确保电子邮件的安全，恐怕是做不到的。但是，有些小诀窍，可以帮助你提高电邮使用的安全度：

不要用商业性质的电邮服务商，尤其是国内的。Yahoo、hotmail、163、126、sina、sohu等电邮服务商都是商业性质的集团，可以为自身利益而出卖或向网警拱手出让用户的私人信息。众所周知， yahoo已经这样做过了。为了安全起见，公司设在中国境内的那些电子邮件服务商的产品最好不要使用。
Gmail 也是商业性质的电邮服务商，由于它不是设在国内的，所以用还是可以用，但用时必须要倍加小心。因为我们知道gmail邮箱不保险、用户经常发现信箱被攻击。

（1）、一个办法是使用gmail时给整个过程加密。具体做法如下：输入https://mail.google.com这个网址，注意它在 http后面有个s，这就代表了加密的意思。同时，进入你电邮邮箱，设定“浏览器连接: 始终使用 https”，这样你的邮件收发过程就会在加密状态下进行了。请参照图一。

图表 1：要设定“浏览器连接: 始终使用 https”，先进入你的邮箱，按右上角的“设置”，进入了“常规设置”的页面后，“浏览器连接”那个选项，选“始终使用 https”。

（2）、你在使用gmail邮箱时，经常要检查“设置”，看你的邮件是不是被黑客偷偷地给你转发到陌生的信箱里去了。参照图二。1

图表 2：要检查你的邮件是否被黑客做了手脚、把你的转发功能给重新设置了，使你的所有邮件被偷偷“自动”转发到一个陌生的信箱里去了。如何检查？先进入你的邮箱，按右上角的“设置”，进入了“转发和 POP/IMAP”的页面后，“转发” 那个功能旁边，你看看你的电邮有没有被转到一个你不认识的邮箱去？在这里选择 “禁用转发功能”

最好是使用非盈利而保密性强的电邮服务商，因为他们更能保证用户信息安全，如www.riseup.net；www.hushmail.com；www.vaultetsoft.com等。这几个服务商当中，Riseup有中文界面，但你需要被Riseup用户邀请才可以申请到一个帐号。维权网可以邀请你，请你跟我们联系。
但无论你用那个保密性强的网络服务商，跟你联系的人必须同时使用安全性强的服务商，这样才能达到邮件内容安全不被外泄的效果。否则，只有你一方使用riseup邮箱，而对方使用的是Yahoo或者sina等邮箱，虽然邮件内容在你这里是加密状态的，但是当你的朋友在非加密状态下收到时，你的邮件内容还是会被网络监控系统发现。
尽量不要通过发送附件。如果附件包含的是普通文字档案，干脆就把它贴在电邮上就最好。无可避免要在邮件上附上附件的话，可以先以其他方法（如电话或斯盖普）跟朋友沟通一下，使他们知道附件是你发来的。
电邮中的附件，来历不明的或者是群发的最好不要打开。就算是熟悉的朋友发来的，也可能是网警冒充的。先以其他方法（如电话或斯盖普）跟朋友联络，确认是否由他们所发。尤其是 ppt, pps, zip 和jpg的附件, 是黑客最常用来发送病毒的文件格式。

-----------------------------------------

[1] 国内的朋友可能会用gamil自带的Gtalk。至于Gtalk的安全性，Gtalk在06年底回答用户时有提过：“Gtalk是有用加密技术…但从一个终端到另一个终端，并不是完全加密。所以，当一个用户把信息发给另一个用户，我们不能保证这些信息的保密性。” 所以，在国内的环境下，Gtalk并不是很安全。如果你要用Gtalk 的话，你要使用一个叫Pidgin的软件把信息加密。懂英文的朋友，可以点这里下载Pidgin和使用指南: http://security.ngoinabox.org/pidgin_main

几款诡异的软件

2009-03-10T23:57:00.001-07:00

来源：http://32-40.blog.sohu.com/111976093.html

360安全卫士：今天翻墙上牛博、大纪元，用ie浏览器，习惯性的点开一大堆网页然后慢慢看。灵异事件就这样悄然发生，大纪元的网页全部自动关闭，而其他网页却安然无恙。当时耳边正响着《不能说的秘密》中的那段诡异音乐，头皮发麻。一眼暼见状态栏360那个盾形图标，很自然的联想到了那堵墙。退出360后，再次访问，一切正常。没有再开360验证一下相关性，但愿是我冤枉你吧。

瑞星杀毒软件、防火墙：总是跟我的翻墙梯无界浏览过不去。以前就出现过无界浏览自动关闭的现象，但很快无界通过自动升级战胜了瑞星。其实，大部分时间里，我都是在瑞星活动的情况下翻墙的。前几天无界又用不了了，退出瑞星防火墙，禁用所有监控，依然无法用。卸载瑞星并重启后，就可以翻墙咯。这个，瑞星想赖估计也赖不掉。

酷我音乐盒：这个软件有一个功能是可以播放本地音乐（主流网络听歌软件基本上都有此功能）。但当我放我硬盘上的mp3《我们相信杨佳》的时候，却神奇的显示红色，表示无法播放。无语，太滑稽了，一个软件能够自宫到如此地步，实在让人无法理解。说其自宫，其一是真理部对音频文件的管理一向不是那么严格，其二其他网络播放器如qqmusic等都可以播。

一个数码的突破

2009-03-08T21:23:00.001-07:00

作者：Dmitri Vitaliev 来源：http://www.olympicjournal.ca/cn/wordpress/?p=12

我们应当关注有一件事,那就是中国政府几乎可以肯定在互联网的监视和审查的竞赛中赢得金牌。自本世纪开始以来,中国政府在监控网络和监禁那些把网络当作一个自由表达平台的人士方面处于世界领导行列。然而,通过技术和我们的声援的帮助,中国网民才可以突破长城防火墙。

在中国网络警察的人数在数以万计。他们定期监视网络和在全国性的黑名单当中添加新的网站。谷歌Google(或类似网站)可迅速协助寻找新鲜出现包含“破坏性的信息”的网站。监视互联网通讯主要是通过禁止关键字来运作。如果你在一封电子邮件中写“法轮大法”或出现在使用tomskype (中文版本的Skype )的谈话当中或这些字眼出现在任何网页的内容里面,那么相关的连接将被防火墙打断。

有多种方法可以用来规避互联网的检查和保护自己免受数字化监控。一个想法可能是采用图形的方式在网上发布信息。打印出你的文章,再用你的数码相机拍下照片,之后用JPEG文件的形式上传。这将防止搜索引擎和防火墙过滤器查阅你的文章的内容,网络警察将会花更长的才能找到。

人们应当使用通过SSL服务的网页邮件。这意味着登录之后和整个过程期间都将维持“https://”状态。监视电子邮件信息内容将成为一个更为困难去达到目标的任务。博客发表帖子和网站发表文章都应当通过这种网页邮件服务。谷歌G电子邮件服务也完全可以通过SSL服务,如果你一打开网页就使用“https://mail.google.com/”。其它如此有特别安全考量的邮件服务网址有:https://mail.riseup.net , https://fastmail.fm , https://bluebottle.co.uk 和 https://vaultletsoft.com 等。

目前为规避互联网检查的最好解决方案,是那些依赖于“西方”计算机作为网关的中国互联网用户。如果你有朋友或亲戚住在中国,通过一套Psiphon( http://psiphon.civisec.org )软件在你自己的电脑创建一个代理服务器供他们使用。即使你在中国不认识任何人,安装了Tor( http://torproject.org ) 软件和注册成为在Tor的匿名网络下的一座桥。这将有利于那些生活在有互联网限制区域的人士,使Tor网络实际上几乎是无法被屏蔽的。

更加多信息请参阅:http://equalit.ie/secbox 。

Dmitri Vitaliev先生是人权和独立的媒体组织的信息安全和战略顾问。他是“人权捍卫者–数码安全” 系列非政府组织安全团队手册的作者。

多家海外中文网站受攻击而瘫痪

2008-09-18T01:09:00.000-07:00

来源：RFA
包括新世纪新闻网、独立中文笔会网等至少五个网站，因遭到攻击，到星期三晚已全面瘫痪超过24小时。分析人士认为，这些被瘫痪的网站长期都遭到不同程度的攻击，但是同时被瘫痪还是比较少见。自由亚洲电台驻香港特约记者严修的采访报道

维权网、参与、民生观察、新世纪新闻网和独立中文笔会网等网站，在大陆一直被封锁，要用破网软件，如动态网、无界浏览等才能阅读，但在海外通常可直接上网，但星期三，本台记者在香港尝试进入的时候，都显示出“连接失败，您要连结的网络服务器或网络可能发生故障。请稍后再试。”的讯息。

独立中文笔会的赵达功，同时也是新世纪新闻网的编辑，星期三接受本台记者电话采访时说，多个使用海外博讯服务器的网站都受到攻击，“服务器遭受攻击，现在还没有恢复。（是从什么时候开始的？）昨天凌晨开始的吧，具体时间我还说不上来。新世纪新闻网、独立中文笔会、维权网、民生观察、还有参与，全部都是这一个服务器，被攻击了，没办法。（这个攻击是来自哪个地方呢？）具体情况，我不是技术人员，所以我不是太清楚。我也不能够妄下断论，但是肯定是对我们这些网站不感兴趣吧，或者不满吧。（那你知道什么原因吗？）我想这里面揭露了中国的很多的真实的问题，就被攻击了，那时肯定的。”

据了解，这些服务器在海外的网站长期都受到不同程度的攻击，赵达功说，在两三个月前，这些网站也曾一度被攻击而导致瘫痪，但是在20多个小时之内得到恢复，“这种攻击，他历来都一直在攻击。（但问题是这一次…）非常严重的攻击。（独立中文笔会的网站好像不是很多那种揭露…）对，它不是新闻网站，而且它不是太敏感，只是作家的一些文章，但是一样独立中文笔会依然是攻击的目标，因为它是在界乎于中国和海外的一个独立的组织，你知道共产党最怕就是组织吗，那么这个组织是共产党非常重视的，别说这个网站受到攻击，人员也受到攻击。但是没办法舆论、网络就是这样，共产党就怕这个，而且你知道最近中国发生的事情很多，包括三鹿奶粉事件、包括山西的溃坝事件，很多很多事情，可能导致网络连接上有问题，因为当局肯定要采取措施。”

维权网、参与和民生观察网都集中报道中国各地的访民、维权等消息，多是大陆官方媒体少报或者不报道的消息。

浙江的独立记者昝爱宗星期三接受本台记者采访时说，这些网站肯定是遭到黑客攻击才导致瘫痪，相信与这些网站的报道内容有关，“我知道维权网经常登一些地方政府的拆迁，拆迁户的诉求，他们维权的档案，维权记录，这些东西都有的，比如有些可能被打的照片之类；尤其是新世纪新闻网，近期媒体对三鹿的新闻，它集中地搜集，把有关三鹿的新闻都搜集到一起，因为它一直都是负面新闻。肯定是黑客攻击，一攻击网页就瘫痪了，就无法浏览了。”

据悉，中国目前有3 亿部手机和两亿多的网民，原南京师范大学副教授郭泉星期三对本台记者说，“目前我们中国老百姓，人和人的之间的联络其实完全靠的是网络，所以中共它知道，如果想要维护它的统治的话，它可以不开枪，可以不用坦克，但是它可以把所有网络瘫痪掉。”

除此之外，总部在巴黎的记者无国界星期三称，大陆的网民也在当天无法登入他们的网站。大陆曾在奥运开幕前的一星期解除对该站的封锁，在此期间，超过一万三千名大陆网民曾浏览过该网站。

以上是自由亚洲电台驻香港特约记者严修的采访报道

一个对 Tor 的新型重放攻击方法

2008-09-06T23:16:00.000-07:00

作者：Solrex Yang 来源：Solrex Shuffling

Tor 是一个旨在抵御流量分析的匿名网络访问服务，它也可以被用为穿透网络 censorship 的工具，它的官方网站为：http://torproject.org (很可惜的是，大陆用户已经无法正常访问这个站点了)。

由于 Tor 在中国的使用还算比较广泛，我的朋友中也有不少使用它作为穿墙工具的，我想关于它的安全问题应该有人感兴趣。这篇博客将简要介绍 ICC(International Conference on Communications, 世界通信大会) 2008 的一篇论文 A New Replay Attack Against Anonymous Communication Networks 中描述的对 Tor 匿名性的一个很有效的攻击方法，这篇论文荣获了 ICC 2008 Best Paper Award(好好好好羡慕啊~~~)。

Tor 网络是由洋葱路由器(下简称路由器)、目录服务器和洋葱代理服务器(下简称代理服务器)组成的。所谓洋葱路由，就是用户发出的消息会被多层加密，每到一个路由节点，路由器解密一层来获得下一跳信息，就像剥洋葱一样一层一层解密，到最后一层才是用户的原始消息。

Tor 的工作方式是经过多次转发消息来保护原始地址不被侦知。其进行一次通信的流程是：用户在 PC 机上安装洋葱 socks 代理服务器，设置浏览器或应用程序通过本机的代理服务器访问网络；代理服务器从目录服务器得到可用的路由器列表，在用户发起 TCP 请求时，本机代理服务器选择中间通过哪些路由器转发消息，然后将用户的 TCP 包多层加密后发送出去；转发路径上经过的路由器对消息逐层解密转发，最后一跳的路由器(出口路由器)和目的主机进行正常的 TCP 通信，然后将返回的消息按照原始路径发送给用户。

这样入口路由器知道通信的发起者却不知道接收者，中间路由器只管转发，而出口洋葱路由器知道通信的接收者却不知道发起者，这就保证了用户访问网络的匿名性。

A 文中采取的攻击方法是：假定攻击者可以控制入口路由器和出口路由器，由于 Tor 采用计数器模式的 AES 加密算法(能否解密和包的顺序有关)，那么在入口路由器处重放已经发送过的消息(包的顺序被打乱)，就会造成出口路由器解密失败，收到错误的数据包。由于攻击者控制了入口和出口路由器，那么通过将入口路由器重放消息的时间和出口路由器检测到错误的时间联系起来，就能确定这次通信的源和目的地，破坏了网络访问的匿名性。

更坏的是如果消息的重放发生在用户通信的末尾，在用户结束通信后和 TCP 连接断开之间，用户甚至都不知道他的网络行为已经被发现。

虽然假定攻击者可以控制入口和出口路由器看起来是一个很强的条件，但 A 文中通过实验验证了拥有洋葱路由网络的路由器并成为入口并不算很难(Tor 网络本身就是由许多志愿者的主机组成的)，再加上一个修改过的代理服务器软件，完全可以实现对使用该软件的用户的路由选择策略的控制。如果攻击者拥有足够的资源(比如某些强力部门)，使用足够多的主机加入 Tor 网络，根据 Tor 的路径选择策略优化这些路由器的分布，我觉得也有可能实现上述条件。

总的来说，相比与其它一些对匿名网络流量进行监控的攻击方法，A 文的攻击是相当简单直接并且高效的。我简单查看了 Tor 软件的 ChangeLog，没有发现它对这一攻击进行有针对性的修改(也许是我看的不认真)。

所以呢，对中国用户来说，通过 Tor 来穿墙是可以的，但是过于相信 Tor 的匿名性并且用其去发布敏感信息或者进行其它不法行为是要三思而后行的，这也就是为什么 Tor 软件自己也说：
This is experimental software. Do not rely on it for strong anonymity.

电脑安全: 保护自己的隐私禁止使用的软件名单

2008-08-18T19:00:00.000-07:00

来源：阿波罗新闻网

1、QQ
原因：该软件公司配合一些部门设立偷窥你电脑资料的程式，其公司保留QQ聊天记录并提供给一些机构，导致使用者被非法抓捕。

QQ程序本身也有木马嫌疑，通过扫描也可以看见有加密数据不断传送回QQ网站,在你登陆论坛,浏览网页这个加密数据流量会更大。

2、迅雷
原因：该软件会扫描本地硬盘并上传一些信息到迅雷的服务器上，有可能会泄露个人信息

（至于具体扫描的是什么内容，这个现在有几种不同的说法）。禁止推荐迅雷及迅雷专用下载连接。

附言：迅雷的下载能力确实比较强，现在国内有些下载连接是死链，不使用迅雷难以下载，这个可以使用虚拟机，在虚拟机里面安装迅雷用来下载，虚拟机里面不要放任何个人信息或敏感信息，只装杀毒软件、防火墙、迅雷，然后专门用来下载，这样比较好。

注意：千万不要用迅雷来下载海外的一些禁网连接，那是有危险的，在迅雷里面使用了代理也不行！

3、IDM
原因：这个下载软件的特点容易导致发生安全问题，使用这个软件而发生安全问题的已经有一些人了。

IDM在打开下载对话框后，在你没点确认按钮的情况下它就已经尝试与服务器进行连接，并且会在短时间内进行数次尝试连接，如果使用者万一用IDM误连了禁网连接，那可能导致严重后果，虽然以前提供的IDM里面已经提供了代理设置，但有的人把代理取消来下载国内的东西，而过后又忘记恢复代理设置而导致安全问题发生，因为IDM的这种特性，一直以来有反馈直接连接的情况发生，禁止IDM不是软件性能不行，而是因为安全方面的因素考虑。

4、TOM SKYPE
Skype一定要到官方网站http://download.skype.com/SkypeSetup.exe下载。

TOM SKYPE是在skype上加入外壳，最大的木马，因为软件在本地，而且与网络加密相连，做什么，你根本就不知道，但是只要你在大陆输入

http://www.skype.com/ 无论您是否愿意都回被转接到

http://tom.skype.com 这个网站，从这个极力移连接等方面看，TOM SKYPE一定大有问题。

5. Flashget 1.73以上版本
和迅雷一样的原理了。

6. 360度安全卫士

360安全卫士是流氓软件的祖师爷——3721开发者周鸿祎的代表作！这个恶意软件当年是靠捆绑卡巴斯基、并赠送半年期的卡巴斯基激活码吸引、蒙蔽了很多人而火起来的！

很多人当时还真以为这小子改过自新而反流氓软件了！哈哈，真是江山易改，本性难移啊！现在360安全卫士好像嫌卡巴斯基开价过高把它甩了，又与BitDefender捆绑在一起了吧！结果是360安全卫士与卡巴斯基互相将对方列入木马而互杀！而其网站也被Av认定为间谍网站！

7. 暴风影音

《电脑爱好者》杂志多次刊登相关文章，里面的漏洞使得你的电脑暴露在黑客之下，能通过漏洞，远程控制你电脑，并安装木马套取你网络上股市，银行交易系统。

8. Realone player

里面的漏洞使得你的电脑暴露在黑客之下，能通过漏洞，远程控制你电脑，并安装木马套取你网络上股市，银行交易系统。

9. SREng

10. 影子系统

它也是一个国产软件，我看到在它的主页上有如下的话语：

为国防信息安全建设保驾护航 —中国人民解放军三军仪仗队全面采用影子系统　

11.杀毒软件

国产杀毒软件以金山，瑞星，江民为主要，但是现在很多木马他们三款都无法查出。从现在开始不再推荐使用购买国产杀毒，防毒软件。推荐使用国外流行免费杀毒软件COMODO，防毒软件Avira(俗称：小红伞）。

How China Censors the Internet and Monitors Your Telecommunications

2008-08-13T21:34:00.000-07:00

来源：维权网

How China Censors the Internet and Monitors Your Telecommunications

CHRD’s Alternative Guide to the Olympics (Part II)

(Chinese Human Rights Defenders, August 11, 2008) –Foreign journalists reporting on the Olympics and visitors to China may not be fully aware of the risks they pose to themselves and to Chinese citizens with whom they communicate when they discuss issues the Chinese government deems “sensitive”. CHRD’s Alternative Guide to the Olympics (Part II)[i] provides you with a short overview of the ways in which the Chinese government censors the internet and monitors telecommunications. CHRD’s investigations[ii] have revealed the government’s use of a skilful mix of sophisticated technologies, tens of thousands of cyber-police and a complex administrative management system to censor expression and control information on the internet and telecommunication networks.

Censorship of the internet and blogs

Do you want to find out what Chinese people think about the Olympics from browsing Chinese websites and blogs? You will rarely come across voices critical of the Games and the government.

Government regulations, such as the “Regulations on the Administration of Internet News Reports”[1], require that all internet services be run by organizations registered with or recognized by the government and that the qualifications of such organizations be subjected to regular inspection. Similarly, the “Blog Service Self-Discipline Conventions”[2], a “voluntary” agreement signed by fourteen major blog service providers, gives internet companies (and by extension, the authorities) the power to erase “illegal and harmful” information from blogs and cease provision of services to the bloggers concerned. When authorities deem published information “sensitive”, they can use the Regulations and the Conventions as a justification to close down or block “unregistered” websites and “illegal and harmful” blogs.

In addition, a number of central government bodies are specifically in charge of issuing daily censorship directives. In Beijing, for example, internet companies receive as many as five directives daily from the Beijing Internet Information Administrative Bureau. To comply with the government’s orders, all the online companies have set up a section dedicated solely to monitoring all the messages and comments on their websites. Content of a sensitive nature is immediately masked or erased, and the username or IP address of the person who posted it is also blocked or forwarded to the police. Although websites practice diligent self-censorship, sometimes when websites are found to have postings that broach taboo subjects, the authorities may apply penalties ranging from criticizing the site, imposing a fine, ordering the dismissal of the website employee responsible or forcing either the site section or the entire site to close down.

Using the above mechanisms, the authorities have sought to ensure that negative news and comments regarding the Olympics are promptly deleted or blocked on the internet. Examples of some directives to Internet Service Providers (ISPs) are:

July 2, 2007: “Please do not report on the fire at the Beijing University Olympics Ping Pong Coliseum. Please remove all reports that are already online. Please make sure searches using the following keywords return no results: ‘Fire at Beijing University Coliseum’, ‘Olympics Ping Pong Coliseum on Fire’…. Remove all relevant news reporting on the fire, and the issue should not be discussed or pasted onto internet forums, blogs and other interactive programs.…”

August 6, 2007: “Do not report or discuss in interactive programs [note: internet forums and blogs] the protest in front of the International Olympics Committee this afternoon by certain foreigners.”

August 13, 2007: “All websites: Delete ‘One World, One Dream and Universal Human Rights: Our Calls and Recommendations to the Beijing Olympics.’”

In recent years, the internet has become a tool employed by the authorities to persecute free expression. Articles posted on the internet have been used as “evidence” to prosecute individuals. One of the authorities’ preferred charges by which to criminalize free expression is article 105(2) of the Chinese Criminal Code, which stipulates the crime of “inciting subversion of state power.” Yan Chunlin (杨春林), one of the “Olympics Prisoners”, was imprisoned for “inciting subversion of state power”. “Evidence” used against him at his trial included an open letter, “We Want Human Rights, Not the Olympics,” which he posted online.

Mobile Phone Text Messaging

When you call Chinese friends or interviewees, your fixed-line/land-line phone is likely to be wiretapped. It is equally dangerous if you call or text them on your cell phone. Your text message goes through the cell-phone operator’s system, a part of which is a surveillance and monitoring system. In October 2005, the Ministry of Information Industry (MII) issued a notice requesting mobile phone operators to carry out real-time monitoring of all text messages. Since then, the three major mobile phone companies (all controlled by the state), China Telecom, China Unicom and China Netcom have carried out pervasive monitoring of the content and frequency of text messages sent out. Text messages are automatically screened for sensitive keywords while specialist staff monitor images and other multi-media content around the clock.

The use of keyword filtering is one of the main methods employed to censor not only mobile phone text messages but also the internet and other telecommunications. Authorities responsible for internet control issue a list of words, acronyms and phrases, which contain “core” keywords such as “falun”, “rfa” and “voa”. In addition to this core list, the authorities issue to ISPs additional keywords every month, depending on the political environment and the “sensitive” issues at the time. For example, just prior to the one-year countdown to the Olympics in July 2007, some additional keywords for censorship included “the fire at the Olympics Ping Pong Venue”, “Villagers Who Lost Land Due to Olympics Construction” and “Villagers Who Lost Land Due to ‘Bird’s Nest’”.

When “illegal” content is detected, the surveillance system stops the transmission of the message and keeps a record of it. Messages sent from certain mobile phone numbers, such as those of “noted” foreign journalists or key activists/dissidents are recorded by the surveillance system whether or not they are “illegal”.

You are likely to endanger the Chinese individuals whom you exchange text messaging, especially if you communicate what authorities consider “sensitive” information. On December 17, 2007, the Beijing Municipal government released a notice[3] stating that individuals who send mobile phone text messages that "propagate and spread rumors" and "endanger public safety" will be investigated and held legally liable by the Beijing Public Security Bureau (PSB).[4] With this notice, the municipal authorities threaten arbitrary detention and punishment of those citizens who exercise their freedom of expression and disseminate information that the government does not wish disseminated.

It is important to note that there is no clear legal definition of “rumors” and “endangerment of public safety”. In practice, “rumors” refer to information that may reflect negatively upon the government. Citizens who express their opinion and transmit “sensitive” information can be conveniently prosecuted using trumped-up charges of “making rumors” and “endangering public safety”. In June 2007 for example, Mr. Ding, a resident of Wuxi City, Jiangsu Province, was administratively detained for ten days after he sent over one-hundred text messages claiming that the level of carcinogenic substances in Taihu Lake, a well-known lake in the area, exceeded the acceptable standards by about 200 times. The messages were sent out around the time a toxic algae bloom on the lake caused public panic. Ding was punished for “using text messages to spread rumors…and cause public panic”, thus violating Article 25 of the PRC Public Security Management and Punishment Law. The government had previously called the algae bloom a “natural disaster” but later admitted that Taihu is polluted and that the bloom was a man-made disaster. In spite of that, Ding’s charges were never withdrawn.

E-mail Surveillance

Contacting your Chinese friends or colleagues or corresponding with people back home should be as easy as typing an email. But email too is subjected to stringent scrutiny and censorship. The ISPs providing email services in China comply with the official keyword filtering policy. The content and attachments of email messages are screened. Those containing “sensitive” keywords are not delivered. Whereas authorities can easily pressure domestic internet companies to comply with its censorship measures, they cannot as easily control foreign email service providers. In order to ensure that no “harmful” information gets into or out of China, the “Great Firewall” analyzes, filters and blocks material going in and outside of China. When you send emails into and out of China, they pass through various network devices, such as gateways and routers, which can automatically screen the content. If there is a banned keyword detected in the message or attached documents, it will be intercepted and may not reach the destination mailbox. The message, its sender and the sender’s relevant IP address will be recorded and may come under investigation. The “Great Firewall” is capable of breaking into a data-stream of an email messages and interrupting the connection. When you visit your gmail or other foreign-based email service provider inside the “Great Firewall”, if the dataflow includes a keyword, you will see the default ‘Cannot Be Displayed Page’.

Not only is your email under surveillance, the cyber-police might fake your identity or that of your correspondents (such as known organizations, journalists and dissidents) and send messages to you with attachments infected with “Trojan horse” viruses. If you open those, your computer will get infected, after which it risks being monitored as well as having information and passwords contained on it stolen.

Surveillance on Instant Messaging

“QQ”

QQ is the most popular instant messaging tool in China. Because of its popularity, QQ has become a key target of surveillance. Do not use QQ to communicate with people in China about “sensitive” issues, as eavesdropping on QQ conversations is pervasive. Tengcent, the company that owns QQ, cooperates with the Chinese government and has added a “back entrance” to eavesdrop on chats between QQ users. When sensitive keywords are used in the chats, QQ automatically records them. The messages as well as the computers’ IP addresses are sent to Tengcent’s server without the users’ knowledge. Tengcent then sends this information to the police so the latter can decide on when and whether to take further actions.

MSN Surveillance

Since MSN uses ASCII in encoding, the instant messaging service cannot be encrypted and it is very easily intercepted and eavesdropped by special software. Because of its insecure nature, cyber-police do not need to install spyware on the target’s computer to get a complete view of the chat records. It is believed that the MSN chats of many of China’s more prominent activists and dissidents are subjected to surveillance.

Skype

In September 2005, Skype and TOM (a Chinese internet company) launched the TOM-Skype Chinese version. TOM complied with the Chinese government’s request and installed a Trojan horse feature which filters keywords and collects user information. On installation, TOM-Skype automatically installs a censorship and filtering file, “contentfilter.exe”, on the user’s computer without notifying the user. Also during installation, TOM-Skype downloads a ‘keyfile’—an encrypted file that blocks and filters keywords-- to the user’s computer. If you chat with a person via TOM-Skype, when you use a sensitive keyword, the chat is recorded and sent to TOM in an encrypted format.

When internet users in China go to Skype’s website (www.skype.com) and download the application, they are automatically re-directed by the Great Firewall to TOM-Skype’s website (http://skype.tom.com/). This means that most Chinese Skype users have downloaded and are using the TOM-Skype software with the surveillance mechanism. Many of them simply do not have the opportunity to download the un-censored international version.

How to Evade the Chinese Cyber-police and the Great Firewall

We suggest several safety measures while you are in China:

To access blocked websites, use proxy tools provided by dongtaiwang.com and wujie.net. Other services that can be used to circumvent internet censorship are ziyoumen, huofenghuang, shijietong, hanfeng, SafeWeb and Tor.
Avoid the use of “sensitive” keywords when using telecommunications tools.
Do not use domestic anti-virus or firewall programs as their safety could be compromised.
Do not use email services provided by ISPs based in China as they are likely to practice self-censorship and surveillance.
Use foreign-based email servers, although note that their level of security depends on their relationship with the Chinese government. Gmail is a relatively safe email service, but its homepage is frequently blocked by the authorities. You can use proxy tools to access it. Use the encrypted form of gmail to prevent emails from being monitored simply by adding an “s” when requesting the usual gmail URL: https://mail.google.com. However, since correspondence takes two, your email is only secure if your correspondents also use encryption.
Other safe and secure email service providers include Hushmail, riseup.net and vaultetsoft.com.
It is essential that you use strong passwords for your email account and your computer. A strong password has no fewer than 8 characters and a combination of numbers, letters (in both uppercase and lowercase) and symbols.
Refuse the computer’s offer to remember your password and fill it in automatically the next time you log on. If your computer is stolen, the thief can easily access your email and other internet applications.
It is inadvisable to open email messages, and in particular attachments, from strangers. The risk of contracting viruses from strangers’ email attachments is higher. Even if the attachments seem to come from a friend, it’s best to be careful and check the sender’s address to make sure it is indeed your friend’s.
Do not use QQ or MSN instant messaging services.
If you have to use Skype, make sure your correspondents uses Skype, not TOM-Skype. To reach the Skype international website and download the international version in China, you need to use proxy tools described in point 1 above to circumvent the Firewall.
When you use Skype, make sure it is not set to keep a chat history. If your computer is stolen or confiscated by police, it is easy for them to access your Skype account and peruse its chat records.
When you use Skype, always establish the identity of the person with whom you are chatting. Do not assume the person is who s/he says. For example, ask the person questions s/he would not be able to answer unless s/he is who s/he claims to be.

The preceding information is from the following CHRD reports in Chinese

(An English version of the reports will soon be available):

政府如何监控我们的电子网络通讯? (“How does the Government Monitor our Telecommunications” March 24, 2008)

中国网络监控与反监控年度报告（2007） (2007 “Annual Report on Internet Surveillance and Anti-Surveillance in China” July 10, 2008)

Related CHRD reports in English:

“China: Journey to the heart of Internet censorship” (October 26, 2007)

“Dancing in Shackles: A Report on the Situation of Human Rights Defenders in China (2007)” (May 1, 2008)

[1] <互联网新闻信息服务管理规定>

[2] <博客服务自律公约>

[3] “Notice Regarding the Further Regulations and Management of the Use of Mobile Phone Text Messages in the Release of Public Information”《关于进一步规范本市手机短信息发布公共信息管理工作的通知》

[4] CHRD, “Beijing to Punish Mobile SMS Users for ‘Endangering Public Security’ and ‘Spreading Rumors’,” December 23, 2008, available here: http://www.crd-net.org/Article/Class9/Class10/200712/20071224131450_6851.html.

[i] “CHRD’s Alternative Guide to the Olympics (Part I)”, August 7, 2008, http://www.crd-net.org/Article/Class9/Class10/200808/20080808010440_9905.html

[ii] See 政府如何监控我们的电子网络通讯? (“How does the Government Monitor our Telecommunications”) and 中国网络监控与反监控年度报告（2007） (“2007 Annual Report on Internet Surveillance and Anti-Surveillance in China”).

10个能防止老大哥监视你的极其有用的网站

2008-08-09T07:49:00.000-07:00

翻译: boxi 转自：译言

（译者：老大哥源自乔治.奥威尔著名小说《1984》，故事发生在1984年（即奥威尔创作此书时的30多年后）的“大洋国”。“大洋国” 的统治阶级是“核心党”，“核心党”的领袖是“老大哥”，后来荷兰的电视台以此名推出了真人秀节目，6名青年男性、6名青年女性选手共同生活在一个特制的有着花园、游泳池、豪华家具的大房子里，大家共享一间卧室、一套起居室和卫生间等。摄像机一天24小时记录他们的一举一动。在共同生活的85天里，选手们每周六要选出两个最不受欢迎的人。而每天守候在电视机前的狂热者们则用声讯电话，在这两人中选出一个他们最不喜欢的、最没人缘的选手出局。老大哥》节目 1999年9月16日在荷兰首播时，观众高达2400万人。截至当年10月30日，约有2/3的荷兰人看过这个节目。
《老大哥》成功之后，真人秀这种全新的电视节目形式就吸引了西方国家电视制作商的眼球，《幸存者》、《诱惑岛》、《阁楼故事》等真人秀节目随之出现。）

人们可能没有意识到，自己完全陌生的人窥视它们的生活究竟有多频繁，手段是如何的多端。成千上万的企业、人员以及政府通过摄像头、手机或通过互联网等手段窥探着我们个人的工作和生活。

每当一个人填了一张参赛表、申请表或者加入某在线社区的时候，在毫不知情的情况下，用于填写这些表格的个人信息被出售、出租或泄露给第三方、第四方的机会就来了。

大部分正规的公司和网站都会有一项隐私保证声明，把它们将如何使用从会员和客户那里收集到的个人信息解释清楚。但不是所有的公司和网站都那么正规，因此在把个人信息交给生人之前先读读其隐私声明是极其明智的。

以下站点对于防止老大哥监视你的工作和私人生活是十分有用的：

1.PGP

　　PGP提供了隐私加密术和认证，这些被设计用于两方或多方之间收发邮件时被外部获知。这是一项极佳的邮件加密程序，活干的很棒，对收发重要的商业邮件非常重要。

2.GuerrillaMail

　　使用它是阻止垃圾邮件充斥你的邮箱的一种优秀途径。在需要时用它你可以随时获得一个可支配的邮件地址作为个人邮箱。该地址将在15分钟内失效，刚好足够发送或接收邮件。

3.PookMail

　　别再把你真正的邮箱地址与那些向你请求的网站分享了，用这个网站来创建一个虚拟的邮箱地址吧。我使用这项服务一段时间之后注意到接收到的垃圾邮件的总量的显著不同...大大地减少了。与你账号关联的邮箱每24小时将被清理一遍，让你可保持匿名享受快乐。

4.Anonymous Speech

　　每次你收发商业邮件时公司、政府、私营企业都会跟踪你的动向并把这些邮件存放于公共和私有的服务器上。Anonymous Speech有一项极其保密的email服务，能在邮件收发后的很长一段时间内为其提供持续保护。该公司不与他人分享其客户的个人信息或邮箱地址，包括政府机构和企业团体。该程序不会令任何希望隐匿地在互联网冲浪的人失望的。

5.Obviously

　　这是一个优异的DIY网站，向你展示了如何阻止不知名的市场调查电话的骚扰，以及如何把你的个人信息从市场邮箱清单中移除，免受垃圾邮件困扰。

6.Double Click

　　根据其自述，该公司是数字化市场时代的神经中心，不过事实上，Double Click 有可能收集了网上冲浪人群的使用信息（某时某地）。它们把收集到的个人信息卖给有市场目的第三方，且会把这些收集到的信息与司法部门或其它政府机构分享。根据上述网址把你的姓名和信息从Double Click的服务器上移除掉吧。

7.The Cloak

　　用这个网站匿名地冲浪吧，他可以把你的冲浪行为掩藏于窥探者眼皮底下。这项加密的连接使用http或https匿名代理可隐藏你的身份于网站之中。你的隐私是个人的，用它吧。

8.BeHi dden

　　另一个匿名冲浪的搜索引擎，可保护冲浪者的身份和活动于爱管闲事的站主、企业、政府之中。同时，BeHidden也可用于发送匿名邮件，以便进一步保护你的身份，优秀的网站！

9.Government Public Records Database

　　跟执法机构和政府官员一样访问同一个数据库，以便请求一份个人的FBI文件的拷贝。是的，这是真的，FBI收集了美国国内的普通公民的记录，你也有可能是其中被监视的一员。对于操弄商业的人来说，也是一个优秀的网站。

10.Snarfed

　　这是一个突出的博客，可在你网上购物时保护你的隐私，告诉你所使用的的信用卡借记卡的类型、它们是如何工作等信息。不是所有可支配的的信用卡都是一样的，有些发卡机构对你的保护措施就做得比别人好。这个博客告诉你大量关于隐私的信息，总有一些是人人需要的。

　　记住，每次你填写参赛表、抽奖表或者完成一项调查表的时候你的个人信息就会被收集存储于某处陌生人的计算机服务器上。每次一个人加入另一个社区网络的时候（MySpace,Facebook）或者注册参加在线论坛的时候，你的个人信息正在被收集呢。

　　对于收集到的个人和隐私信息，这些公司将使用哪些，如何使用依赖于公司的收集工作。开始与这些公司交易或暴露个人信息给它们之前，好好读读公司或网站的隐私条例声明。如果它们没有或者看上去可疑，不要把个人或他人信息泄露给它们。

王金波：强烈谴责盗用我的信箱给别人发送邮件的行为！

2008-07-21T09:15:00.000-07:00

来源：维权网

王金波委托《维权网》发布

今天下午，我同一位在中国的外国朋友用skype聊天时，我的MSN通知我收到一封来自 Wang Jinbo的邮件。我很奇怪，立即打开hotmail信箱，发现收到一封我的gmail信箱发来的邮件，时间是2008年7月21日16时58分17秒，标题是：“胡佳因压力‘自尽’！”，附件是：“胡佳反思书.pdf（280.6KB）”，内容是（见截图）：

“警示！

胡佳反思书

胡佳，这个高调革命家也没有逃脱双向高调的命运！胡佳在看守所写的自我回顾和反思全文。

金波

7.21”

我极为奇怪，接着是愤怒。急忙打开gmail信箱，眼见收信箱里有几封未打开的新邮件，立即保存到所有邮件里面。这几封邮件包括两封杨宽兴和郭玉闪的回信。另外还有几封系统退信，打开后发现共有5封，但是更奇怪的是下面显示有52封已删除邮件！我打开这52封邮件，发现大多是系统退信，是发给一些我很陌生的信箱的。这时收件箱显示又来了几封新的邮件，我点击打开收件箱时，怪事发生了：一封新的邮件也没有！我又打开所有邮件，再次发生怪事：我刚才保存的那些邮件不翼而飞了！在已删除邮件里面，这些邮件也没了丝毫踪影！

在这期间，那位粗通中文的外国朋友说：“thank you for the email...”我让她发过来邮件的内容和附件，发现跟上面的邮件一样。我告诉她，那不是我发的，附件是病毒。她不理解地说“i dont understand”，又补充说“fuck, i opened it”。

这时我又发现我的信箱里面有一封16:29保存的草稿，除了密送给“ChinaRights@googlegroups.com”之外，其余全是空白。这又是一件怪事。

接着我又陆续收到一些系统退信和回信，显示用我的信箱发送的邮件的内容跟上面大同小异：“胡这个高调革命家没有逃脱双向高调的命运,胡佳已因压力而‘自尽’！胡佳在看守所写的自我回顾和反思全文。金波7.21”

在此，我郑重声明：

1、上面提及的邮件确实是从我的信箱发出的，但并非我自己发送的，是有人盗用我的信箱发送的。对于这种盗用我的信箱发送邮件的行为，我予以强烈谴责，并保留追究盗用者责任的权利。

2、附件是pdf格式，里面有可能有病毒、木马。对于因打开这个附件而使电脑受到损害的收件人，我在道义上表示歉意。

3、我通常很少向不熟悉的人士发送邮件（包括附件）。熟悉的朋友我也很少发送附件。如果发送附件，我大多使用txt格式，少数情况下使用word格式。迄今为止，我不会制作pdf格式的附件。

4、今天我的信箱被盗用时我恰好在第一时间获悉。估计此前可能还有被盗的情况，但我并不知道，或者知道时也已错过“捉奸”现场。对于此类情况，我同样予以强烈谴责，并保留追究盗用者责任的权利。

5、今后，除非非常熟悉的个别朋友外，我一律不再用信箱发送除txt以外的附件。

6、今后，用我的gmail信箱发送的邮件，朋友们只要觉得可疑就可以不用理睬。

王金波

2008年7月21日

Reporters’ Guide to Covering the Beijing Olympics: Secure communications

2008-06-30T00:01:00.000-07:00

来源：人权观察

In electronic communications, avoid using sensitive words or names authorities may be monitoring. Install anti-virus software on your computer and ensure your hard drive and confidential files are password- protected. Change your passwords frequently. If you are sending emails you have any reason to believe could result in negative consequences for yourself or others if they are seen by third parties, especially the Chinese authorities, you need to use encryption when sending emails.

NEVER open unsolicited email attachments even if they are purportedly from somebody you know: even US government computer systems have been compromised by spyware delivered via email attachments. If your computer is compromised with key-logging software or other spyware, your communications can be monitored no matter how much encryption you use.

Note that there is no such thing as foolproof security. There are only degrees of security, degrees of risk, and degrees of convenience and inconvenience—you need to make your own choices based on the specifics of your situation.

Relatively secure:
(Note that none of these methods is really secure unless the recipient is also using encrypted email—especially if that recipient is inside China.)

Create an account with an encrypted email service, such as Hushmail (http://www.hushmail.com/), which is not open-source and offers free accounts in addition to paid services with more custom features.

Another good new service is VaultletSoft (https://www.vaultletsoft.com/); it requires you to download a secure email client, but you can put it on a USB drive and use it from any computer.

A simple way to send encrypted email (assuming that you trust Google in the particular circumstance) is to use Gmail—but IF AND ONLY IF you add “s” to the “http” in the URL, so that your address bar reads: https://mail.google.com/mail/ (you will know the encryption is working in Firefox when the top address bar turns yellow).

A more technical and secure way to encrypt your email is by using a PGP key. Instructions are provided in “Ensuring your e-mail is truly private” by Reporters Without Borders, available online at: http://www.rsf.org/article.php3?id_article=15014

Not secure:

Email services provided by internet service providers are not secure because the ISP administrators can access the email, and because such services are generally not encrypted so that the people who control the internet connection you are using at any given time (or who are snooping on it) can potentially monitor your communications going back and forth. Yahoo and Hotmail are also not secure because they too are not encrypted. (Also, if you use a yahoo.com.cn email account, or any mainland email service provider, your email records will be shared with the Chinese police upon request.)

Anonymity complete GUIDE

2008-06-01T23:55:00.000-07:00

作者：Theraider 来源：Governmentsecurity.org

By Theraider

Anonymity on the web
(source NEWORDER)

[ t a b l e o f c o n t e n t s ]

01 - table of contents
02 - introduction
03 - first tips
04 - about proxies
05 - cookies
06 - ftp transfers
07 - secure transactions
08 - SSL tunelling
09 - anonymity on irc
10 - mail crypto (and pgp usage)
11 - icq privacy
12 - spyware
13 - cleaning tracks
14 - ending words

[ introduction ]
Nowadays, everyone wants privacy on the web, because no matter where you go, someone could be watching you. Someone like your employer, someone trying to hack your system, companies gathering all your info to sell to yet other companies, or even the

government, may be on your track while you peacefully surf the web. Thus, anonymity on the web means being able tu use all of its services with no concern about someone snooping on your data.

Your computer being connected to the net has an IP [Internet Protocol] address. If you have a dial-up connection, then your IP changes every time you connect to the internet (this is not always true, though. There are dialup isps, specially for university students, that do have static ips). Cable modems and DSL connections have a static IP, which means that the IP address does not change. One of the goals of getting anonymous is to make sure your ip, either static or dynamic) isn't revealed to other users of the internet, or to server administrators of the servers you roam around when using internet services.

This text tries to give you some hints on how to maintain your anonimity on the web. Some of the hints may sound banal, but think of, if you really abide them in every situation.

[ first tips ]
When chatting on IRC, ICQ, AIM (etc..), do not give out personal information about yourself, where you live, work, etc.
Do not use your primary email address (the one your ISP gave you) anywhere except to family members, close friends or trusted people. Instead create for yourself a web-based email account such as yahoo, hotmail, dynamitemail, mail.com, etc. and use this e-mail address to signing up for services, when in the need to give your mail to download something, or to publish on your homepage.

When signing up for services on the web, don't give your real information like address, phone number and such unless you really need to do so. This is the kind of information

that information gathering companies like to get, so that they can sell out and fill your mailbox with spam.

Use an anonymous proxy to surf the web. This makes sure your ip doesn't get stored on the webserver logs. (Webservers log every GET request made, together with date, hour, and IP. This is where the proxy comes in. They get the ip from the proxy, not yours)
Use a bouncer to connect to IRC networks, in case you don't trust the administrators, or the other users. A bouncer is a program that sits on a permanently connected machine that allows you to connect there, and from there to the irc server, just like a proxy works for webservers.
Use anonymous remailers to send out your e-mails.
Cryptography can also help you by making sure the material you send out the web, like by email, etc, is cyphered, not allowing anyone that doesn't have your key to read it (in key-based cryptography). Programs like PGP (pretty good privacy) are toolkits with all you need to cypher and uncypher your stuff.
Delete traces of your work with the computer including history files, cache or backup files.
[ about proxies ]
Proxies are caches that relay data. When you configure your web browser to use a proxy, it never connects to the URL. Instead it always connects to the proxy server, and asks it to get the URL for you. It works similarly with other type of services such as IRC, ICQ etc. There'll won't be direct connection between you and the server, so your real IP address won't be revealed to the server. When you view a website on the server, the server won't see your IP. Some of web proxies do not support forwarding of the cookies whose support is required by some of the websites (for ex. Hotmail).

Here are some anonymous proxies that you can use to surf anonymously (notice that some of these may be a payed service):

Aixs - http://aixs.net/
Rewebber - http://www.anon.de/
Anonymizer - http://www.anonymizer.com/
The Cloak - http://www.the-cloak.com/

You'll highly probably find many websites that provide the lists of unauthorised proxies and remailers . Such lists are being compiled usually with the help of port scanners or exploit scanners, scanning for computers with wingate or other proxies' backdoors. Using these proxies is illegal, and is being considered as unauthorized access of computer. If you get such list to your hands, check if the info is legal or compiled by script kiddie, and act acordingly.

If you anyhow decide not to use proxy, at least do not forget to remove your personal information from your browser. After you remove details like your name and e-mail address from your browser, the only info a Web site can sniff out is your ISP's address and geographical location. Also Java and JavaScript applets can take control of your browser unexpectedly, and if you are surfing to unknown and potentially dangerous places you should be aware of that. There are exploitable browser bugs (mainly Internet explorer ones) reported ever week.

[ cookies ]
Maybe you're not aware of the fact that if you have the "allow cookies" feature in your browser on, websites can store all sorts of information on your harddrive. Cookies are small files that contain various kind of information that can be read bt websites when you visit them. The usual usage is to track demographics for advertising agencies that want to see just what kinds of consumers a certain site is attracting. Web sites also use cookies to keep your account information up-to-date. Then for instance when you visit your e-mail webbased account without being unlogged some hours later, you find yourself being logged on, even if you turn off your computer. Your login and password was simply stored on your harddrive in cookie file. This is security threat, in case that there is more persons who have the access to your computer.

Most of the browsers offer the possiblity to turn off the cookies, but some of sites like Hotmail.com require them to be turned on. In case you decided to allow cookies, at least never forget to log off from the websites when you're finishing visiting them.

[ ftp transfers ]
When using an FTP client program to download files, assure yourself, that it's giving a bogus password, like guest@unknown.com, not your real one. If your browser lets you, turn off the feature that sends your e-mail address as a password for anonymous FTP sessions.

[ secure transaction ]
Everything being sent from the web server to your browser is usually in plain text format. That means, all transferred information can be easily sniffed on the route. Some of the web servers support SSL (which stands for Secure Socket Layer). To view and use these websites you'll need SSL support in your browser as well. You recognize, that the connection is encrypted, if URL starts with https:// instead of usual http://. Never use web server without SSL for sending or receiving sensitive private or business information (credit card numbers, passwords etc.)

[ SSL tunelling ]
What is SSL?

SSL stands for Secure Socket Layer. The ?Secure? implies an encryption, while Socket Layer denotes an addition to the Window Socket system, Winsock. For those that don?t know, a Socket is an attachment to a port on a system. You can have many sockets on one port, providing they are non-blocking (allowing control to pass through to another socket aware application which wishes to connect to that port).

A Secure Socket Layer means that any sockets under it, are both secure and safe. The idea behind SSL was to provide an encrypted, and thus, secure route for traffic along a socket based system, such as TCP/IP (the internet protocol). Doing this allows security in credit card transactions on the Internet, encrypted and protected communiqué along a data line, and overall peace of mind.

The SSL uses an encryption standard developed by RSA. RSA are a world respected American organisation that specializes in encryption and data security. Initially, they developed a cipher length of only 40 bits, for use with the Secure Socket Layer, this was considered weak and therefore a longer much more complicated encryption cipher was created, 128 bits. The reasoning behind it was simple: it needs to be secure.

The RSA site puts the advantage of a longer encryption length pretty clearly: because 40-bit encryption is considered to be relatively weak. 128-bits is about 309 septillion times ( 309,485,000,000,000,000,000,000,000 ) larger than 40-bits. This would mean it would take that many times longer to crack or break 128-bit encryption than it would 40-bit.

If you want more information on the technicalities or RSA?s SSL encryption engine, visit their site: http://www.rsasecurity.com/standards/ssl.

But what does all this encryption and security have to do with you?

Well, that?s a simple question. No matter how hard you try, at times your privacy will need to be knowingly invaded so you can make use of the product offered for doing so. If you think about food, for example, one cannot eat without swallowing. When we wish to make a transaction or view a site on the internet, where we have to give enough information away so that it happens, we also want to be assured no one else along the line gathers that data. An encrypted session would mean our data is not at the hands of any privacy perpetrators unless they knew how to decode it ? and the only ones in the know, are those you specifically wish. SSL uses public key encryption as explained in the PGP section.

To put this at a head: if you use an encrypted connection or session, you can be relatively assured that there are no prying eyes along the way.

And how do I implement SSL with SSL Tunnelling?

We know that a Secure Socket Layer is safe, but what we don?t know is what a Tunnel is. In the most simplistic form, a tunnel is a proxy. Like proxy voting in general elections, a tunnel will relay your data back and forth for you. You may be aware though, that there are already ?proxies? out there, and yes, that is true. Tunnelling is done via proxies, but it is not considered to be the same as a standard proxy relaying simply because it isn?t.

Tunnelling is very special kind of proxy relay, in that it can, and does relay data without interfering. It does this transparently and without grievance or any care for what is passing its way.

Now, if we add this ability to ?tunnel? data, any data, in a pipe, to the Secure Sockets Layer, we have a closed connection that is independent of the software carrying it; and something that is also encrypted. For those of you wanting to know a little more about the technicalities, the SSL layer is also classless in the sense it does not interferer with the data passed back and forth ? after all, it is encrypted and impossible to tamper with. That attribute means an SSL capable proxy is able to transfer data out of its ?proxied? connection to the destination required.

So to sum up, we have both a secure connection that does the job and relays things in the right direction; and we have direct tunnel that doesn?t care what we pass through it. Two very useful, and almost blind entities. All we need now is a secure proxy that we can use as the tunnel.

Proxies:

Secure proxies are alike standard proxies. We can either use an HTTP base SSL equipped proxy - one specifically designed for security HTTP traffic, but because of the ignorant nature of SSL communication, it can be bent to any needs ? or we can use a proper SSL service designed for our connection ? like you would use a secure NNTP (news) program with a secure proxy on port 563 instead of taking our long way - which would probably work as well.

A secure HTTP proxy operates on port 443. Host proxies are not public, that means they operate for, and allow only traffic from their subnet or the ISP that operates them ? but, there are many badly configured HTTP proxies and some public ones out there. The use of a program called HTTrack (available on Neworder) will aid you in scanning and searching for proxies on your network or anywhere on the Internet if your ISP does not provide you with one.

Neworder also features a number of sites dedicated to listing public proxies in the Anonymity section. While it?s often hard to find a suitable fast proxy, it?s worth the effort when you get one.

So how can I secure my connections with SSL Tunnelling?

That?s a big question, and beyond the scope out this tuition as it must come to and end. I can however, point you in the right direction of two resources that will aid you in tunnelling both IRC, and most other connections via a HTTP proxy.

For Windows, the first stop would be http://www.totalrc.net?s Socks2HTTP. This is an SSL tunnelling program that turns a normal socks proxy connection into a tunnelled SSL connection.

The second stop, for both Windows and Unix is stunnel. Stunnel is a GNU kit developed for SSL tunnelling any connection. It is available for compile and download as binary here: Stunnel homepage - http://mike.daewoo.com.pl/computer/stunnel

[ anonymity on irc ]
A BNC, or a Bouncer - is used in conjunction with IRC as a way of hiding your host when people /whois you. On most IRC networks, your host isnt masked when you whois, meaning the entire IP appears, like 194.2.0.21, which can be resolved. On other networks, your host might be masked, like IRCnetwork-0.1 but it can still give valuable information, like nationality if your host is not a IP, but a DNS resolved host, like my.host.cn would be masked to IRCnetwork-host.cn but this would still tell the person who whoised you, that you are from China.

To keep information such as this hidden from the other users on an IRC network, many people use a Bouncer, which is actually just a Proxy. Let us first draw a schematic of how a normal connection would look, with and without a BNC installed.

Without a BNC:

your.host.cn <<-->> irc.box.sk

With a BNC:

your.host.cn <<-->> my.shell.com <<-->> irc.box.sk

You will notice the difference between the two. When you have a BNC installed, a shell functions as a link between you and the IRC server (irc.box.sk as an example). You install a BNC on a shell, and set a port for it to listen for connections on. You then login to the shell with your IRC client, BitchX/Xchat/mIRC, and then it will login to the IRC server you specify - irc.box.sk in this case. In affect, this changes your host, in that it is my.shell.com that makes all the requests to irc.box.sk, and irc.box.sk doesn't know of your.host.cn, it has never even made contact with it.

In that way, depending on what host your shell has, you can login to IRC with a host like i.rule.com, these vhosts are then actually just an alias for your own machine, your.host.cn, and it is all completely transparent to the IRC server.

Many servers have sock bots that check for socket connections. These aren't BNC connections, and BNC cannot be tested using a simple bot, unless your shell has a socket port open (normally 1080) it will let you in with no problem at all, the shell is not acting as a proxy like you would expect, but more as a simple IRC proxy, or an IRC router. In one way, the BNC just changes the packet and sends it on, like:

to: my.shell.com -> to: irc.box.sk -> to: my.shell.com from: your.host.cn <- from: my.shell.com <- from: irc.box.sk

The BNC simply swaps the host of your packet, saying it comes from my.shell.com. But also be aware, that your own machine is perfectly aware that it has a connection established with my.shell.com, and that YOU know that you are connected to irc.box.sk. Some BNCs are used in IRC networks, to simulate one host. If you had a global IRC network, all linked together, you could have a local server called: cn.myircnetwork.com which Chinese users would log into. It would then Bounce them to the actual network server, in effect making all users from china have the same host - cn.myircnetwork.com, masking their hosts. Of course, you could change the host too - so it didn't reveal the nationality, but it is a nice gesture of some networks, that they mask all hosts from everyone, but it makes life hard for IRCops on the network - but its a small price to pay for privacy.

Note: Even if you do use IRC bouncer, within DCC transfers or chat, your IP will be revealed, because DCC requires direct IP to IP connection. Usual mistake of IRC user is to have DCC auto-reply turned on. For an attacker is then easy to DCC chat you or offer you a file, and when IRC clients are connected, he can find out your IP address in the list of his TCP/IP connections (netstat).

How do I get IRC bouncer?

you download and install bouncer software, or get someone to install it for you (probably the most known and best bouncer available is BNC, homepage : http://gotbnc.com/)
you configure and start the software - in case it's bouncer at Unix machine, you start it on your shell account (let's say shell.somewhere.com)
you open IRC and connect to the bouncer at shell.somewhere.com on the port you told it to start on.
all depending on the setup, you may have to tell it your password and tell it where to connect, and you're now on irc as shell.somewhere.com instead of your regular hostname
[ mail crypto ]
Usually the safest way to ensure that your e-mail won't be read by unauthorised persons is to encrypt them. To be compatible with the rest of the world I'd suggest to use free PGP software.

PGP (Pretty Good Privacy) is a piece of software, used to ensure that a message/file has not been changed, has not been read, and comes from the person you think it comes from. Download location: http://www.pgpi.org/

How does pgp Work?

The whole idea behind PGP is that of Public and Private keys. To explain the algorithm PGP uses in order to encrypt the message would take too much time, and is beyond the scope of this, we will however look at how it ensures the integrity of the document. A user has a password, this password has to be chosen correctly, so don't choose passwords like "pop" or "iloveyou", this will make an attack more likely to succeed. The password is used to create a private key, and a public key - the algorithm ensures that you can not use the public key to make the private key. The public key is sent to a server, or to the people you send e-mails/files, and you keep the private key secret.

We will use a few terms and people in this introduction, they are: Pk - Public Key, Sk - Secret Key (private key). Adam will send an e-mail to Eve, and Rita will be a person in between, who we are trying to hide the content of the mail from. Rita will intercept the email (PGP doesn't ensure that Rita cant get her hands on the package, she can - its not a secure line like other technologies) and try to read it/modify it. Adam has a Sk1 and a Pk1, and Eve has a Sk2 and a Pk2. Both Adam, Eve, and Rita have Pk1 and Pk2, but Sk1 and Sk2 are presumed to be totally secret. First, here is a schematic of how it all looks:

PUBLIC SERVER
Pk1, Pk2

Adam <------------------------------------------> Eve Sk1 ^ Sk2
|
|
|
|
Rita

So Adam wants to send a packet to Eve, without Rite reading it, or editing it. There are three things that we need to make sure:

That Rita cant read the text without permission

That Rita cant edit it in any way, without Eve and Adam knowing

That Even knows that Adam sent it

First thing is making sure Rita cant read the text. Adam does this by encrypting the message with Eves Pk2 which he has found on the server. You can only Encrypt with the Pk, not decrypt, so Rita wont be able to read the data unless Eve has revealed her Sk2.

The second thing to make sure, is that Rite cant edit the message. Adam creates a hash from the message he has created. The hash can be encrypted using Pk2, or sent as it is. When Eve gets the message, she decrypts it, and creates a hash herself, then checks if the hashes are the same - if they are, the message is the same, if its different, something has changed in the message. The Hash is very secure, and it is in theory impossible to make a change, and get the hash to remain the same.

The third, and probably one of the most important things to ensure, is that Rita hasn't grabbed the mail, made a new one, and sent it in Adams name. We can ensure this by using Public key and Private key too. The Sk can be used both to encrypt and to decrypt, but Pk can only encrypt. When Adam normally sends a message M to Eve, he creates the encrypted message C by doing: C=Pk2(M). This means, Adam uses Pk2 (Eves Pk) on message M to create message C. Image this: Adam can encrypt the message with his Sk1, because it is impossible to derive Sk1 from the message, this is secure and without any danger, as long as no one knows the password used to make Sk1 with. If the message M is encrypted with Sk1, he gets a message called X, Eve can decrypt the message using Pk1 which is public. If the message decrypts to something that makes sence, then it must be from Adam, because Sk1 is considered as secret, and only Adam knows it.

The entire process looks like this, when sending message C: Adam signs his digital signature on C, and hashes C: X=Sk1(C). Then Adam encrypts the message for Eve: M=Pk2(X). The message is sent, and looks all in all like this: M=Pk2(Sk1(C)). Rita can intercept M, but not decrypt, edit, or resend it. Eve receives M, and decrypts it: X=Sk2(M). Then she checks the digital signature: C=Pk1(X) and checks the Hash on the way.

This way, the PGP Public/Private key system ensures integrity and security of the document e-mail, but PGP is not the only algorithm that uses the Public/Private key theory, Blowfish, and RSA are among the many other technologies that use it, PGP is just the most popular for e-mail encryption, but many don't trust it because of rumors of backdoors by the NSA (I don't know if its true though). PGP comes in a commercial, and a freeware version for Windows, and is available for Linux as well. What ever encryption you use, it will be better than none.

[ anonymous remailers ]
Remailers are programs accessible on the Internet that route email and USENET postings anonymously (i.e., the recipient cannot determine who sent the email or posted the article). This way the sender can't be traced back by routing headers included in the e-mail. There are different classes of remailers, which allow anonymous exchange of email and anonymous posting to USENET and often many other useful features.

Resources:

Chain is a menu-driven remailer-chaining script:
http://www.obscura.com/crypto.html

Raph Levien's remailer availability page offers comprehensive information about the subject
http://www.sendfakemail.com/~raph/remailer-list.html

The Cypherpunks Remailers are being developed to provide a secure means of providing anonymity on the nets. Here you can find out about the available remailers, those which have been standard in existance for a long time as well as the new experimental remailers and anonymous servers.
http://www.csua.berkeley.edu/cypherpunks/remailer/

[ icq privacy ]
How can I keep my privacy at ICQ?

Send and receive messages via ICQ server, not directly. Every direct connection enables attacker to learn your IP. Encrypt your messages by dedicated software, encryption addons.

How to encrypt ICQ messages?

There are addons which enhance your ICQ with possibility to encrypt outcoming messages. The user on the other side needs to have the addon as well in order to decrypt your message.

Resources:

http://www.encrsoft.com/products/tsm.html
Top Secret Messenger (TSM) - trial version has only weak 8-bit encryption

http://www.planet-express.com/sven/technical/dev/chatbuddy/default.html
Chat Buddy - a freeware Windows application for encrypting chat sessions

http://www.algonet.se/~henisak/icq/encrypt-v5.txt
how encryption works in ICQ protocol v5

[ spyware ]
As we all work hard to become more savvy about protecting our personal information and keeping as anonymous as possible on the web, advertising companies are working just as hard to come up with new ways of getting our personal information. One of the ways they accomplish this is through spyware.

Spyware are applications that are bundled along with many programs that you download for free. Their function is to gather personal information about you and relay it back to advertising firms. The information is then used either to offer you products or sold to other advertisers, so they can promote THEIR products. They claim this is all they do with this information, but the problem is nobody really knows for sure.

Spyware fits the classic definition of a trojan, as it is something that you did not bargain for+when you agreed to download the product. Not only is spyware an invasion of your privacy, but (especially if you have a few different kinds on your machine) it can also chew up bandwidth, making your internet connection slower.

Sometimes, these spies really are harmless, merely connecting back to the home server to deliver+you more advertising. Some, like Gator for instance, send out detailed information about your surfing habits, operating system, income, age demographic et cetera.

Avoiding spyware

Avoiding spyware is getting harder and harder, as more software distributors are choosing it as a method of profiting from freeware and shareware distributions. Be leery of programs with cute+little icons like Gator. Also, watch those Napster wannabes like AudioGalaxy, Limewire, and Kazaa. I've yet to find one that didn't include spyware. Before you download, check to see if the program is known to contain spyware.

For a list of most known spyware, the best I've found is here:
http://www.infoforce.qc.ca/spyware/enknownlistfrm.html

Getting rid of spyware

In most cases, you can remove the spyware from your system and still use the application you downloaded. In the case of Gator and Comet Cursor, the the whole program is spyware an it must be completely removed to stop the spying.

There are several ways to get rid of spyware on your system. You can use a firewall to monitor outgoing connections. The programmers that put these things together, however, are getting sneakier and sneakier about getting them to circumvent firewalls. Comet Cursor, for instance uses an HTTP post command to connect without the intervention of a firewall. You can also install a registry monitor such as Regmon to monitor your registry for unwanted registry registry changes, but this is not foolproof either.

Probably the best method of removal is to download a spyware removal program and run it like it was a virus scanner. The best examples of these programs are:
Lavasoft's Adaware. Available at http://www.lavasoftusa.com/ Or professional cybernut Steve Gibson's OptOut. Available at: http://grc.com/optout.htm Both of these programs are free and are updated regularly.

Here are some links, if you wish to learn more about spyware:
http://www.spychecker.com/
http://grc.com/optout.htm
http://www.thebee.com/bweb/iinfo200.htm

[ cleaning tracks ]
Resources:

Burnt Cookies - allows automatic detection and optional deletion of Cookies deposited by Banner Ad web-sites
http://www.andersson-design.com/bcookies/index.shtml

Surfsecret - automatically kills files like your Internet cache files, cookies, history, temporary files, recent documents, and the contents of the Recycle Bin.
http://www.surfsecret.com/

Note: One sidenote on cleaning tracks. When you delete some files on your machine, these aren't actually deleted. Only the reference to their location in the hard drive is deleted, which makes the OS think that that location on the HD is free and ready to take things. Thus, there are ways to recover data even after you delete them.

There are however, several ways to _wipe_ this information. Programs that fill hard disk locations with zeros, then with 1s, on several passes are your best bet to make sure no document goes to the wrong hands. One of such programs is PGP. PHPi now comes with a utility that does this work, and you can even select the number of passes to wipe files. For *nix, there is also the "wipe" program. Use these when you feel you have data that needs secure cleaning.

[ ending words ]
If you would like to find out more about this topic, you may email me at anonraider@governmentsecurity.org.

[ CREDITS ]

cube - cube@boxnetwork.net
Caboom - caboom@boxnetwork.net
Zwanderer - zwanderer@boxnetwork.net
kript0n - fred@boxnetwork.net
Drew - bbd87@optonline.net (Spyware section)
QX-Mat - matt@guysjs.org (SSL tunelling section)

怎样保证你的Email(电子邮件)安全？

2008-05-27T18:56:00.000-07:00

来源：维权网

互联网时代，BBS、Blog、即时通讯、Email（电子邮件）越来越称为人们日常生活、交流、联系的重要方式，其中尤以Email（电子邮件）应用广泛。而Email（电子邮件）的安全问题可能常常为使用者所忽略，尤其在中国大陆当前社会背景、新闻舆论环境下，Email（电子邮件）的安全问题尤为普遍和严重。维权人士、异见人士、社会活跃人士及普通公民，都会遭遇统治集团的干扰和监控。最典型的便是师涛案：2004年12月，雅虎香港控股公司应中国警方的要求，提供了中国湖南商报记者师涛的Email（电子邮件）账号。随后，师涛被以泄露国家机密罪判重刑10年。面对海内外舆论的质问和谴责，雅虎以遵守中国法律为由进行辩解。2007年11月，雅虎集团向师涛及其家属公开道歉，而受害者师涛却仍继续付出沉重的代价。

很多网络人士在使用Email（电子邮件）时，都遭遇过邮箱密码被盗被篡改、邮件已被阅读或被莫名其妙地转发、丢失邮件等情况。那么，在日常通讯交流中，网民该怎样确保自己的Email（电子邮件）安全呢？以下是关于电邮安全的几点小知识：

1、收发邮件需加密浏览（http后加一个字母s来浏览、登陆网站）。

Yahoo、163、126、sina、sohu、gmail等电邮服务商都是商业性质的集团，这样的公司目的是盈利，虽然它们一般是为用户提供免费电邮服务，但在其与用户的合约中有一条是公司可以使用你的邮件用于商业目的。众所周知， yahoo已经这样做过了，为自身利益而出卖用户的私人信息。所以，对盈利性质的网络服务商而言，谁也不能保证他们不会把你的信息用于商业目的。

其中，gmail相对安全一些，毕竟其服务器在中国境外，但是随着google与中国的进一步合作，gmail邮箱也不再那么保险。因为在中国，你上网浏览的所有网页、你收发邮件的内容都在国家网络监控系统里留下印记，监控者随时都能查看每个网民的动态，如不采取措施，网民的上网活动都会赤裸裸地暴露在网络监控系统下。所以当你在使用gmail邮箱时，应进行加密，可输入https://mail.google.com，这样你的邮件收发过程就会在加密状态下进行了，而网络监控系统就无法看到你的内容了。但是这也不是绝对安全的，收发你邮件的朋友也必须使用gmail邮箱，并在加密状态下活动，这样才能保证双方都不会泄露邮件内容。

2、选择合适的电邮服务商。

以上提到商业性质的网络服务商并不能保证用户的信息安全，一些非盈利的网络服务商是能保证用户信息安全的。比如，www.riseup.net；www.hushmail.com；www.vaultetsoft.com；www.bluebottle.com；www.fastmail.fm；www.safe-mail.net。在这里要推荐的是riseup，它比gmail要安全，当然使用riseup邮箱也需要用户与其联系用户之间同时使用，这样才能达到邮件内容安全不被外泄的效果；否则，只有你一方使用riseup邮箱，而对方使用的是Yahoo或者sina等邮箱，虽然邮件内容在你这里是加密状态的，但是当你的朋友在非加密状态下收到时，你的邮件内容还是会被网络监控系统发现。

所以，建议广大网民使用riseup邮箱。gmail邮箱要在加密状态下使用https://mail.google.com。为了安全起见，中国境内的那些电子邮件服务商的产品像sina、163、126、sohu邮箱等最好不要使用。

3、通行密码非常重要。

Email（电子邮件）的通行密码是最重要的，一般密码不得低于8位，而且不能是纯数字、纯字母，这样简单的密码是很容易被破译的。密码位数越长，被破译的几率越小。最安全的密码需要数字、大小写字母、各种字符混合组成，如12ABde#*89。或许你的电脑也需要设置这样的开机密码，以防你离开电脑时其他人趁虚而入。

如果把你的名字、生日、相关城市及在英文词典能找到的单词设为密码，是不安全的。一个攻击者会首先了解你的个人信息，生日、家乡等信息；或是查找词典里的词，这种情况用程序来排序查到你的密码的几率也很高。而数字、大小写字母、符号的随机组合是最不容易被破解的。即使你的密码设置的非常复杂，也需至少每六个月更换一次。而且最好不要将你的邮箱、msn、skype等即时通讯的密码设为同一个，那样的话，一个被破译则其他的通讯方式的密码也就同时被破译了。

4、千万不要让电脑记住你的通行密码。

网民在每次登陆Email（电子邮件）时，电脑总是提示是否需要记住该密码，请在登陆前选择不要记住。千万不要为了偷懒或者方便下次直接进入，而让电脑记住你的通行密码，这是很不安全的。电脑如果被攻击或监控，你的电邮密码将丢失，他人将轻易进入你的电邮。

还有最好不要查阅陌生人发来的邮件，尤其是附件，以免打开携带病毒的破坏性文件。

Committing Journalism: The FCCC Reporters' Guide to China，Guide to the Internet部分

2008-05-02T12:38:00.000-07:00

来源：Foreign Correspondents Club of China

The Chinese government’s Internet monitoring and censorship programs present particular challenges for foreign correspondents, whether it be accessing Web sites in their home country or communicating privately with sources. While it is probably impossible to write a definitive account of either the technical difficulties or solutions, we hope this collection of resources will help correspondents overcome some of the most common problems.

References

· James Fallows’ March 2008 Atlantic article on “The Great Firewall” is a good explanation of the basics of Chinese Internet censorship

http://www.theatlantic.com/doc/200803/chinese-firewall

· As is an earlier piece by Oliver August in Wired magazine

http://www.wired.com/politics/security/magazine/15-11/ff_chinafirewall

· Reporters Without Borders has a handbook (not China-specific) on how bloggers and dissidents can evade Internet censorship

http://www.rsf.org/rubrique.php3?id_rubrique=542

· The University of Toronto’s Citizen Lab has a guide to by-passing Internet censorship

http://deibert.citizenlab.org/Circ_guide.pdf

· Front Line has a guide on how human-rights activists can evade Internet monitoring and censorship

http://info.frontlinedefenders.org/manual/en/esecman/index.html?q=manual/en/esecman/

· Open Net Initiative documents Internet filtering/censorship worldwide

http://opennet.net/

· Rebecca MacKinnon’s guide for Hong Kong journalism students

http://jmsc.hku.hk/blogs/newmedia/working-from-mainland-china/

Rebecca’s blog is also a good source for discussions of Internet and media issues in China http://rconversation.blogs.com/

· Andrew Lih’s blog also frequently touches on China Internet issues

http://www.andrewlih.com/blog/

Tools

Virtual Private Network (VPN). As the name suggests, these are Virtual Private Network (VPN). As the name suggests, these aresecure,private networks that run through the public Internet. This gives them the benefit of bypassing China’s Internet monitoring and censorship systems. Many corporations use VPN systems to allow employees to access company e-mail remotely; if you work for one of them, you probably will not need other tools for accessing e-mail and blocked websites. For others, there are a number of off-the-shelf technologies that can easily create VPNs.

Explanations of VPN

· http://en.wikipedia.org/wiki/VPN

· http://www.howstuffworks.com/vpn.htm

VPN software and services

· Paid

http://www.witopia.net/personalmore.html

http://www.hotspotvpn.com/

http://www.publicvpn.com/

· Free / advertising-supported

http://anchorfree.com/downloads/hotspot-shield

Other tools for private/secure Internet access

Gladder (an add-on for the Firefox browser)

https://addons.mozilla.org/en-US/firefox/addon/2864

· Tor

http://www.torproject.org/index.html.en

· Psiphon

http://psiphon.civisec.org/

· Anonymizer

http://www.anonymizer.com/

· Proxify

https://proxify.com/

Secure email

· Web e-mail

Gmail. Accessing gmail via https:, rather than the usual http: connection, creates a secure connection for e-mail, and should be your default option. The added "s" means secure.

§ https://mail.google.com/mail/

Hushmail. A service offering web-based email encrypted with PGP technology (see below).

§ https://www.hushmail.com/

· PGP email. The open-source standard Pretty Good Privacy allows for high-level encryption of e-mail sent through standard desktop e-mail software. This prevents anyone intercepting the e-mail from being able to read it.

Explanations

§ http://en.wikipedia.org/wiki/Pretty_Good_Privacy

§ Phil Zimmerman, inventor of PGP: http://www.philzimmermann.com/EN/background/index.html

Software

§ http://www.pgpi.org/

§ http://www.gnupg.org/

§ http://www.winpt.org/

§ http://www.cgeep.com/

Incognito

2008-04-13T04:56:00.000-07:00

来源：Incognito

Incognito is an open source LiveDistro based on Gentoo Linux assisting you to securely and anonymously use the Internet almost anywhere you go, e.g. your home, work, university, favourite Internet cafe or local library. Incognito can be used from either a CD or a USB drive and has several Internet applications (Web browser, IRC client, Mail client, Instant messenger, etc.) pre-configured with security in mind, and all Internet traffic will be anonymized. To use it, you simply insert the CD or USB that you have installed Incognito on in a computer and restart it. Incognito should then start as an independent operating system instead of Microsoft Windows or whatever operating system you have installed. It is also possible to run Incognito as a guest operating system inside Microsoft Windows by simply inserting the media while Windows is running which should present you with a menu.

Incognito is Free Software released under the GNU/GPL (version 2).

Why do you need anonymity?

In case you didn't know, we currently find ourselves in a state of steady decline of our freedoms and privacy, with increasing levels of mass surveillance and repression all over the world (see this report from Privacy International). Without taking any precautions, your Internet service provider, the state, the police and global surveillance systems like ECHELON (which is not a conspiracy theory although some have overstated the extent of its operation; see this report from the European Parliament) can record what you do online: what you read, what you write and who you communicate with etc. This is possible since all messages sent over the Internet contain the IP addresses of both the sender and receiver, much like an ordinary mail sent through the postal system contain addresses of both sender and receiver for two-way communication. IP addresses can easily be traced back to the physical location of the computers and their owners, and from that ultimately back to you.

How does Incognito provide with anonymity?

True anonymity is impossible; given enough resources an attacker will get you. But what one can do is to make the cost of doing that so high that it becomes infeasable. Incognito tries to do this by using an application called Tor which makes your Internet traffic very hard to trace by encrypting it and bouncing it around between several other computers (mixing it with the other Tor users' Internet traffic) before the encryption is removed and the traffic is sent to your destination from someone else's computer. If someone tries to trace you while you are using Incognito and Tor, the trail will most likely stop at that point because they will see the other computer's IP address, not your. As at least a rudimentary understanding of Tor currently is essential for using it securely (and knowing its limits) we strongly recommend reading the Tor overview and Understanding and Using Tor - An Introduction for the Layman (also see the note below).

Features

Common Internet applications pre-configured for anonymous use.
Transparent network filtering which anonymizes all Internet traffic without any configuration needed (TCP only, though).
Should run on most modern computers (otherwise please consider sending a bug report to help us further improve Incognito).
Comes in two sizes:
- Incognito Full at ~350 MB, featuring many Internet related applications and security tools using KDE as desktop environment.
- Incognito Tiny at less than 50 MB, a minimal installation using the Fluxbox windows manager, suitable for business card sized CDs and smaller USB drives. [The development of the tiny version is currently halted]
Ability to run from USB with persistent user settings and file storage, and optional password protected encryption, including TrueCrypt hidden volumes for plausible deniability.
Publish web sites anonymously as Tor Hidden Services when running from USB with persistent file storage (see above).
Virtualization - run Incognito Full within Microsoft Windows without the need to restart the computer.
Anonymous email with Mixminion on Incognito Full.
Option to randomize your network cards' MAC addresses when connected to untrusted networks.
Secure deletion of system memory content on shut down to prevent forensic analysis.
Except for some drivers (which should be OK) all software used by Incognito, including Incognito itself, is open source software and thus open for inspection for bugs, backdoors and bad design features unlike most proprietary software.

A note of caution regarding Tor

As Incognito relies heavily on Tor, and there are many misconceptions about Tor around, we would like to warn you about the fact that by simply using Tor (as all Incognito traffic does per default) your communications should only be considered to be untraceable back to the computer you used, not encrypted or in any other way hidden. While it is encrypted when it leaves your computer, it will only be so until it leaves the Tor network just before the traffic is sent to your destination. This means that an eavesdropper at some later point will be able see your traffic without Tor's encryption, but will not be able to link it back to your computer.

As such, if you are sending or receiving sensitive data whose disclosure would be damaging in itself even if it is untraceable, you need to use end-to-end encryption to hide the meaning of your data to everyone except the recipient. Examples of such sensitive information that you need to protect in this way are your real identity or other information linkable to you, login details and passwords, bank account or financial details, anything illegal and secrets in general.

There are several tools bundled with Incognito offering end-to-end encryption for various applications: Enigmail/GnuPG provides with encryption for email, OTR is for instant messaging (MSN, ICQ etc.) among others. Also, bear in mind that web browsing on sites for whom the addresses begin with "http://" are not encrypted and thus dangerous to transmit sensitive information to, but those starting with "https://" (notice the additional s) are encrypted and thus secure (many web browsers also display a lock or a similar symbol in the address field or status bar indicating that the connection is secure).

如何使用WordPress与Tor进行匿名博客

2008-03-26T02:56:00.000-07:00

作者: 埃森·朱克曼

全文: http://advocacy.globalvoicesonline.org/wp-content/downloads/gvaanontorwpguide-cn.pdf

介绍:

在压迫人们保持沉默的强权之下, 总有一部分人依然坚持表达自己的意见, 而工作在“全球之声”的一个最大的乐趣便是有机会与这样一群人工作在一起。同我共事的许多作者表示，他们想要在网络上发表一些关于政治或个人问题的文章，但前提是不会因此而泄露自己的真实身份。这些作者包括一些国家的人权积极分子，身处在专制国家中的援救工作者以及工作在公司或政府机关中的告发人。几个月以前我在“全球之声”上发表了一篇关于如何写匿名博客的技术指导，在其中我罗列了几种不同的匿名博客的方法。此后，我开始在世界各地举行专题研讨会并欣然地向人们传授一套高度匿名的工具 —— 一种将Tor、WordPress以及各种免费邮箱相结合使用的匿名手段。以下的说明并不会提供给你多余的选择，而只是详细地向你介绍一种方法。

如果你想要快速阅读这篇文章或者你是那种做事情不需要知道为什么的人，便大可以忽略说明当中“为什么”的部分。在将来某个时间里，我希望能够将这篇文章整理得更加精致点，特别是将“为什么”的部分变得更加短小精悍一些，这样便可以大大缩短整个文档的长度。

如果我在文章当中某些地方表述的不清楚或者有什么错误的地方，请您在评论当中告诉我。这是一篇未经斟酌的草稿，我希望在把它发表在“全球之声”之前能够再进行一些整理。如果你认为这篇文章是有帮助的并想要对其进一步传播，请随意——正如这个网站几乎所有的东西一样，这篇文章同样遵循创造共享2.5协议，这就意味着如果你认为有市场并且有钱可赚的话，大可以自由的将这篇文章印在咖啡杯上进行售卖。

政府如何监控我们的电子网络通讯?----中国网络监控报告之二

2008-03-25T19:52:00.000-07:00

作者：于声雷来源：维权网

全文：http://crd-net.org/Article/Class1/200803/20080324093843_8168.html

目录：

导言

一、现代电讯工具在中国的开发及其对传统信息垄断的挑战

二、中国官方对现代电讯工具的管制、审查、和监控

1.对手机短信的监控

1.1.手机短信监控流程

1.2.手机短信监控措施

2.对电子邮件的监控

2.1.服务商自律安装过滤

2.2.“国家防火墙”

2.3.监控涉外电邮机制剖析

3.对QQ的监控

3.1.腾讯公司自律，QQ设有后门检测程序

3.2. QQ如何监视用户的聊天记录

4.对SKYPE、MSN的监控

4.1.对skype的监控

4.2.对MSN的监控

三、关于安全使用电讯工具的建议

1.一般性安全措施

2.电邮安全措施

3. QQ安全措施

4. SKYPE安全措施

5. MSN安全措施

四、保障公民言论自由和通信自由

附件一：中国网监目前使用的关键字基本过滤词表[相关部分]

附件二：QQ是如何监视你的聊天记录？

free security and communication tools

2008-02-03T20:21:00.000-08:00

转自：Jamboola

security.ngoinabox.org provided list of free security tools that could be used for NGOs or anyone who is looking for free protection. It is a bit an old list, though some of them should have upgraded versions. Check it out if interested!

Fyodor, maybe you could review and comment about them? and any tools you could recommend under similar cathegories?

PASSWORD TOOLS

Password Safe
program stores your passwords in a secure database. It is a small and easy-to-use program, which you could also run entirely from a floppy disk. The database is locked with a master password, called ’safe combination’. All your other passwords are accessible only by entering the master password correctly. Your passwords are stored in different categories to help you retrieve them when necessary.

Keepass
program stores your passwords in a highly encrypted database. This database consists of only one file and can therefore be transferred from one computer to another easily. This database is locked with a master password or a key-disk. If you use a master password, you only have to remember one password or passphrase (which should be strong then!) at a time. If you lose this master password, all your other passwords in the database are lost too. The database is encrypted on the basis of mathematics, and there isn’t any backdoor or a key which can open all databases. There is no way of recovering your passwords.

DATA STORAGE, BACKUP AND DESTRUCTION TOOLS

Eraser
it is used to permanently delete (wipe) sensitive data from your computer. Files and folders can be selected for wiping. This can be done on demand or scheduled to run at certain times. Note that your computer must be switched on at a specified time, otherwise the wipe will not happen. Eraser can also be used to create a ‘nuke boot disk’. This can be used in emergencies when you want to delete everything from your hard drive quickly.

BCWipe
used to delete sensitive data from your computer. There are two categories of files that can be deleted using BCWipe. The first are user selected files and folders. The second type is information, voluntarily stored on your computer whilst you are browsing the Internet. This includes temporary Internet files, cookies and others (explained in the manual). Finally, it is possible to clear the free space left on your computer of the remnants of files that have been deleted.

Handy Recovery
an easy-to-use data recovery software designed to restore files that have been deleted from computers and floppy drives. The program can recover files damaged by virus attacks, power failures and software faults or files from deleted and formatted partitions. It can also recover files moved and emptied from the Recycle Bin.

Freebyte Backup
Freebyte Backup is a free backup program for Windows 95/98/ME/NT/2000/XP. It allows one to easily copy (and filter) a large number of files and directories from various sources into one backup directory. It is possible to backup all files found in the specified set of folders, or to have only certain file types copied. Easily fitting on a floppy disk, this program is portable and allows you to perform timely efficient backups wherever you go!

Zip Genius 6
a backup tool that allows you to both compress (zip) and decompress (unzip) your archive. By compressing the data, you are reducing its physical size on your computer (could be useful for those with little free space). It can also encrypt the archive for safe storage on your computer or removable media. It is a handy and free replacement for the more common WinZip program. There is also a useful function allowing you to email the archive directly from the program.
- ENCRYPTION TOOLS

The GNU Privacy Guard (GnuPG)
enables people to securely exchange messages and to secure files with both privacy and strong authentication. GnuPG is a free software replacement for the PGP suite of cryptographic software. The basic GPG program has a command line interface, but there are various front-ends that provide it with a graphical user interface; we are including the GPGshell interfave on this disk (see below). Also GnuPG has been integrated into various email clients also with Thunderbird with the Enigmail plug-in (see the internet and communications tools section).

GPGshell
is a graphic interface that allows you to use the cryptographic software GnuPG in a easy and user friendly way. Its goal is encrypting/decrypting files and/or email messages, but also signing them ( or verify their sign ).

4Hit Mail Privacy Lite
provides a quick and easy way of protecting your communications by hiding your text into an image. It combines hiding with a strong encryption method. Use any image on your PC - from a pleasant landscape to your latest birthday photo. HIT Mail supports a wide variety of image formats.

INTERNET & COMMUNICATIONS TOOLS

Mozilla Firefox
Excels in preventing pop-ups and offers advanced level of browser security. Also comes with a useful anonymous proxy plug-in.

Free plug-ins add extra security and privacy features to the default (standard) version of Mozilla.

Switch-Proxy - Allows for much easier use and manipulation of numerous kinds of proxies (see below in section: ‘Internet browsing with anonymity’). Among other features, it allows easy switching between different proxies as well as automatic downloading and configuration of proxy lists. Version - 1.3.2 / English
Secure Password Generator - Creates a dialog box that helps you create secure passwords. Version - 0.5.2
Copy Plain - Allows you to copy the text from the browser window without the embedded formatting. Version - 0.3.1

Thunderbird
next generation e-mail client. Thunderbird makes emailing safer, faster, and easier than ever before with the help of the industry’s best implementations of features such as intelligent spam filters, a built-in spell checker, extension support, automatic encryption and much more.

Mozilla Thunderbird Plug-ins

Enigmail - Adds encryption support to Thunderbird using the OpenGPG framework. Allows for key creation, manipulation and encrypted email support (encryption and decryption). The set of accompanying screenshots shows how to install, create a key and use it to send and decrypt email. Version: 0.92 (2005.4.16); Installation: [Screenshots]; Note: You have to install OpenGPG first see ‘Miscellaneous tools’ chapter

Portable Thunderbird
is a fully functional package of Thunderbird optimised for use on a USB key drive. It has some specially selected optimisations to make it perform faster and extend the life of your USB key as well as a specialized launcher that will allow most of your favourite extensions to work as you switch computers. It will also work from a CDRW drive (in packet mode), ZIP drives, external hard drives, some MP3 players, flash RAM cards and more.

Hushmail
is a Web-based e-mail service (meaning you can access it from your Internet web browser) that lets you send and receive email with good security. Hushmail messages, and their attachments are encrypted using Open PGP standard algorithms. These offer users heightened levels of security. Messages are encrypted before leaving the sender’s computer and remain encrypted until after they arrive to the recipient’s machine, where the contents are automatically decrypted. Encrypting a message is as simple as clicking a mouse. Note: 1) You must access your free Hushmail account at least once every three weeks or it will be deleted. Alternatively, you can purchase an account and be free from some account limitations. 2) Hushmail’s security works if communicating with other Hushmail users. If you use it to send messages to, say, a Hotmail account, the overall security is nullified. 3) To operate on your computer, Hushmail requires that you use Internet Explorer version 5 (and above) or Mozilla Firefox, and the Java program must also be installed.

RiseUp
A secure and light weight webmail interface from the activists at RiseUp.net Registration on the website is free, but you need to be either invited by already existing RiseUp users or write to them requesting an account. Can also be set up to run in a mail client like Thunderbird.

Gaim
a multi-protocol instant-messaging (IM) client. One of its biggest advantages is that you can use it with most other instant-messaging service networks available on the Internet today (like AIM, ICQ, MSN Messenger, Yahoo!, IRC, Jabber, Gadu-Gadu, and Zephyr). Gaim users can log in to multiple accounts on multiple messaging networks simultaneously. There is a plug-in available (see below) that allows you to encrypt your chats for increased security of your Internet communications. Whilst most other instant messaging services bring some Adware and spyware when installed, Gaim is reputably free of these annoyances.

Plug-ins;

Gaim-Encryption it provides strong and transparent encryption for your chat. Version: 2.38 (2005.6.11); Home Page: gaim-encryption.sourceforge.net
Off-the-Record Messaging - allows you to have private conversations over instant messaging by providing: Encryption, Authentication, Deniability, and Perfect forward secrecy. This is the only cross-platform free & open source encryption chat tool - and as such it is recommended for those who need secure chats. Version: 2.0.2 (2005-02-23); Installation: [Screenshots], Setting-Up; Home Page: www.cypherpunks.ca/otr/

TOR
When you use Tor, instead of taking a direct route from your computer to a server, your request on the Tor network will take a random pathway through several routing proxies that will randomise your tracks so that no observer at any single point can tell where your requests are coming from or going to. Tor can be used as a gateway to the Internet, or hidden services can be accessed inside the Tor network. Like the Freenet and GNUnet networks, Tor can be used to circumvent content filters, censorship laws, and other restrictions on communication. Unlike Freenet, which is a distributed, encrypted, data store, Tor aims to simply create a framework for anonymous communication. When using TOR, your Internet connections mayt be slower, however they will still work.
To make the Tor program function, you must also install a program called Privoxy. Together they can help to anonymise your Internet activity. They also help you access websites that could be otherwise blocked in your country. They need only to be set up once and will run in the background without any further intervention.

Torpark is a project that attempts to intergrate the Tor client and the Firefox browser into an easy one-file install, that can be run from a USB memory stick. Plug it into any Internet terminal whether at home, school, or in a public Internet cafe. Launch the program by clicking on Torpark.exe and it will open a built-in copy of the Firfox browser and build a Tor circuit connection that will allow you to browse the Internet bypassing website censorship. Very handy for anonymous browsing without having to install the whole Tor client. Please note that the source code of Torpark is closed and therefore its overall security cannot be independently verified. The project is not developed or supported by the Tor team.

FIREWALLS TOOLS

Zone Alarm
easy-to-use firewall blocks hackers and other unknown threats. Stealth mode automatically makes your PC invisible to anyone on the Internet.

VIRUS, ADWARE AND SPYWARE CLEANER TOOLS

AntiVir
a free antivirus program for Windows computers. It has a resident component that monitors file movements for signs of viruses. It also allows you to scan your computer and repair files that have been infected. The program comes with a facility to automatically check the AntiVir website for updates to the virus definitions and download them. Updates are free. Includes a check for malicious dialler software (when downloaded, they dial high-cost international numbers at your expense).

Avast4
another popular free anti-virus program. New version of avast! antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (the ones what are really spreading amongst people) and very good detection of Trojan horses, all that with only a minimum number of false alarms.

Avast (stand alone)
A stand-alone version of the Avast virus and word cleaner. You do not need to install it, as it runs directly from the executable file. Small enough to fit on a floppy. However, it does not update itself, so you need to find the latest version on the website.

SpyBot
SpyBot’s Search & Destroy can detect and remove spyware of different kinds from your computer. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If you see new toolbars in your Internet Explorer that you didn’t intentionally install, if your browser crashes, or if you browser’s start page has changed without your knowledge, you most probably have spyware.

ADDITIONAL TOOLS

DBAN - Darik’s Boot and Nuke (”DBAN”) is a self-contained boot floppy that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Recover My Files - Recover deleted files from hard drives, floppy disks, digital cameras, USB drives, ZIP disks, compact Flash cards, smart media and Sony memory sticks. Recover Office, RAR, Hotmail, Yahoo mail, text e-mail and other file types. The program retrieves items emptied from the Recycle Bin, items contained on formatted hard drives, and items lost due to a system crash or virus. It will even recover temporary files for documents that were never saved.

IsoBuster - is able to rescue lost files from CD or DVD, save important documents and backup your system. It includes support for Direct CD compressed files and blanked DVD+RW media in 41 languages.

CCleaner - deletes unused and temporary files from your system, including Internet Explorer cache, History, Cookies, Index.dat, Recycle Bin, Temporary files, Log files and many more. Those deleted files still need to be wiped-out (see Eraser above).

Registry First Aid - cleans the Windows registry to speed up your computer and stop program crashes. Software un-installations sometimes leave behind nagging file references in the Windows registry, pointing to files that no longer exist. With time, you can end up with hundreds of these files that may slow down your computer and cause software to lock up. This program eliminates the above. It scans the registry for orphan files and folder references, finds these files or folders on your drives and corrects your registry entries to match the located files or folders. If your registry has links to files for deleted applications, Registry First Aid will find these invalid entries and remove them from your registry.

Abakt Backup - a versatile, easy-to-use backup-tool for Windows. Files and directories are selected using a combination of advanced filters. Uses wildcards, sets and other advanced masks to select files to backup, besides creating a standard ZIP archive. You can call other compression tools (like 7-Zip) to create backups. Also, it is possible to simply copy, move or delete the selected files.

DeepBurner - DeepBurner is an CD and DVD burning package. It supports a wide range of internal and external (USB 2.0 and FireWire) CD and DVD writers. Burn any data, copy any disc, make backups, create photo CD albums, make ISO CDs and Video DVDs.

TrueCrypt - is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. No data stored on an encrypted volume can be read without using the correct password or encryption key. Until decrypted, a TrueCrypt volume appears to be nothing more than a series of random numbers. Entire file system is encrypted (i.e., file names, folder names, contents of every file, and free space). TrueCrypt never writes decrypted data to any storage device.

Steganography - enables you to use digital data-hiding techniques (steganography) to hide and encrypt files within other files (carriers) such as picture or sound files. This allows you to encrypt sensitive information, while hiding it in a file that will not look suspicious, so nobody even knows that there is any encrypted information. Features strong 256-Bit encryption algorithms, advanced compression, the ability to create password yourself. Those files, containing hidden files, are fully functional and are identical to the original files. This software is a free 15-day trial version with the option of registration.

Putty / WinSCP - PuTTY is an SSH, Telnet, rlogin, and raw TCP client. It was originally available only for Windows, but is now also available on various Unix platforms (as well as several other platforms as unofficial ports). Provides secure connections to remote systems. It integrates with WinSCP and then you are able to do all basic operations with files, such as copying and moving (to and from a remote computer). It also allows you to rename files and folders, create new folders, change properties of files and folders and create symbolic links and shortcuts.

Virtual Network Computing (VNC) is a desktop protocol to remotely control another computer. It transmits the keyboard presses and mouse clicks from one computer to another relaying the screen updates back in the other direction, over a network. VNC is platform-independent: a VNC viewer on any operating system can connect to a VNC server on any other operating system. There are clients and servers for almost all operating systems and for Java. Multiple clients may connect to a VNC server at the same time. Popular uses of the technology include remote technical support, and accessing files on your work computer from your home computer. It is recommended that you use VNC over a secure tunnel (i.e. SSH) to ensure the data are not intercepted easily.

VNC Clients - The VNCs client included on this CD are specific for the Win32 platform.

TightVNC - Version/Date: 1.2.9 (2003.07.31), Licence/Price/Languages: Free Software / No cost / English, Home Page: www.tightvnc.com
Real VNC - Version/Date: 4.1 (2003.07.31), Licence/Price/Languages: Freeware, Personal/Enhanced (30 USD) & Enterprise versions available (50 USD) / English, Home Page: www.realvnc.com

Smart FTP - This program allows you to connect to FTP servers to update/download files. For example, it can be used to update html files on a webserver. This has proxy support as well as SSL functionality allowing for encrypted file transfers.

——-

They provided some links to related resources here.

If you find this post useful then please consider subscribing to our RSS Feed. You can also subscribe by Email to get new posts delivered directly into your inbox.

Hotspot Shield绕墙有路

2007-12-18T20:32:00.001-08:00

来源：http://xrspook.blogbus.com/logs/10509899.html

Youtube归西以后穿墙再次成为小网民议论的重点。不过比起几个月Flickr的突发身亡理智多了，毕竟这次咱们是有了很充足的心理准备啊，当 Google Video不复存在以后，Youtube，这个世界最大的视频网站要继续在中国生存下去几乎是不可能的，被murder或assassinate只是时间的问题。 2007-10-18，当Youtube推出繁体中文版（包括香港版：http://hk.youtube.com和台湾版： http://tw.youtube.com），在中文Youtube的大喜日子里，中国用户却不得不给Youtube开追悼会。这让我想起了Charles Dickens在A Tale of Two Cities（《双城记》）里的前几句话：It was the best of times, it was the worst of times. It was the season of light, it was the season of darkness. It was the spring of hope, it was the winter of sadness.

逝者如斯，化悲愤为力量更为重要，与其大家在为河蟹的问题口沫横飞地大骂，不如早个好办法继续我们的自由生活。

在Youtube遇刺1星期后，2007-10-25，经典的代理浏览器U和FG也撞墙了，于是大家又开始抓脑袋，破口大骂。不知道中国人的新软件什么时候推出，但暂时我们得依靠其它了的，我是个 Firefox粉丝，所以我用Gladder 或者Tor+FF解决燃眉之急。Gladder利用的是连接在线代理，所以，面对一些要登陆方能浏览的网页没有任何办法，听说有人是利用 http://www.viproxy.net（Gladder内其中一个在线代理）的，我试过，网页是打开了，但Flash的播放窗口却load不出来。再说说Tor，可以说是久仰了，但开Tor的速度真的很慢，从打开Vidalia（洋葱头），等待洋葱头连接上起码要等上5分钟，在FF上load出个网页也要5分钟,这些漫长的等待对于 4shared来说很值，因为用其它方法要上传文件无论你等多久都无法保证真的能上传完毕，而且普通上传方法在IE内核的浏览器还会有bug而无法显示上传速度和剩余时间。但对于只看不传（不是人人都要上传好多吧）的Youtube，我们需要花那么多时间去等吗？我等了8分钟，Youtube的页面仍未在洋葱头的带领下出现。

与看Flickr的图片不同，要看Youtube的视频我们需要找到更为快捷、顺畅的穿墙方式！

搜索Google（1个星期前我已经是非无计可施绝对不用 Baidu了）找到了http://bbs.breezecn.com/read.php?tid=143097（题目比较敏感，就只贴网址了）。该文章介绍的方法是安装使用一个代理软件。我没多想，下载安装了再说。结果真的成哦！而这个软件叫做 Hotspot Shield。

Hotspot Shield官网： http://anchorfree.com/hotspot-shield/
下载：http://hotspotshield.com/download/hss/HSS-0.941-install.exe

与U和FG不同，它需要安装而且是外国人的东西，但这就意味这它绕墙的路更多，就如Tor那样。和Tor相比，Hotspot Shield有个共同点，它们的设计初衷都是为了网络安全，防止黑客们窃取你的信息。Tor利用的是经过N重服务器曲线救国，而Hotspot Shield则利用了一个我们都耳熟能详的技术――VPN（Virtual Private Network，虚拟专用网络），与一般的VPN不同，一般VPN建立的是电脑与机房服务器的特殊通道，Hotspot Shield利用了光纤以外的另一个网络――wireless network。Hotspot Shield的特点是利用Wi-Fi（Wireless Fidelity，无线保真）技术，把有线和无线结合起来，这就是Hotspot Shield牛B之处。

安装并运行了Hotspot Shield以后，状态栏会有个红色的盾牌，这样还不行，因为红色代表disconnect，你还没连接上，你需要按一下connect那么VPN才算连接上了，此时盾牌变成绿色。连接上以后会跳出一个IE窗口，表示你已连接上并显示出连接数据，比如说你用的端口等等。接着，你就可以去上你要的网站了。用U或FG不经特殊设置，可直接使用的是IE内核浏览器；用Tor+FF不经特殊设置，用的是Firefox，不过，一旦把Hotspot Shield连接上以后无论是IE还是FF都行，任君选择啊！不过呢，如果你此时开着Q那么就麻烦你重新登陆一下了，因为连接了VPN以后，外界所识别到你的IP地址已经改变。

试用过Hotspot Shield，速度还行。打开Youtube的速度和2007-10-18日之前没有什么巨大差别，没有试过在其状态下在Youtube上传，但在4shared上传不了。不过，要快速登陆一些需要登陆的和谐论坛已经没问题。哈！

有好东西，应该大家分享，在如此和谐的社会我们更应该守望相助，团结一致向前看！！！

保护你的上网隐私，自曲上网浏览

2007-12-18T19:56:00.001-08:00

作者：Nyng 来源：NYNG♥千湖芬兰

(Nyng注：此软件针对国内朋友，是对付功夫墙用的。国外的朋友就用不着了，呵呵)

想必各位都有上网隐私的害怕吧，害怕是否会被人跟踪，或者是有这个或那个网站无法浏览。现在有一个万全的解决之道 - Hotspot Shield，请大家立即下载该软件，来享受完整的网络生活。
请注意，该软件的浏览速度比其他的保护软件要快上许多倍，可以说与你平时上网毫无区别！请大家要务必测试一下，亲身体验！
第一步，请到网站上下载软件 -

下载地址

你会看到以下这个页面

请点击上面的绿色长条来下载软件，软件下载完后请立即安装！

安装完后会在你的桌面上出现这么个图标，请立即点击打开软件（会是你的默认浏览器）

当出现以上这个页面后，请点击绿色长条中的"RUN HOTSPOT SHIELD"，马上就要成功了哦，请稍等。。。

按完以后会出现这个页面，请你什么都不要按，让他自己运行

当你看见绿色的"CONNECTED"的时候，你就可以自由自在的浏览网络了！

这个软件唯一的缺点就是有个广告栏挂在上面，不过相比能自由自在的上网，这个小小的牺牲还是非常值得的。
如果你已经在运行这个HOTSPOT SHIELD的话，请来测试一下你是否能真正自由浏览了噢
测试连接

怎样网聊更安全

2007-12-15T19:07:00.000-08:00

作者：六月雪来源：民主论坛

一、即时语软体的选择

１、不要使用ＱＱ、ＩＣＱ、TOM-Skype

大家都知道ＱＱ的服务器会记录网聊内容，同时过滤敏感词，还涉嫌搜集客户硬盘资料、在用户电脑中留后门等。为了安全，大家尽量不要用它。

ＩＣＱ会暴露真实IP，黑客的攻击都是从获取IP开始的，ＩＣＱ有很多外围软件可以很轻松的查到使用者的IP，很不安全。

TOM-Skype，即Skype与TOM网站合作的TOM版，此软件可能含有木马程序，不建议使用，如果非要用，那就到www.Skype.com去下载skype的官方中文版。

２、慎重使用MSN、AIM Pro、Pidgin

MSN为了解决网聊内容被侦听的问题，软体从第八版开始加入了“加密聊天”的功能。此外还有许多配合MSN的加密软体可供选择。

试用下载：http://messenger.live.cn/

AIM Pro，由AOL美国在线所提供的免费IM工具，对通讯内容提供SSL协议加密，支持对传文件，并对文件进行病毒检测，支持视频对话。又可以随时收听收听来自CNN、ABC的新闻播客节目，是个不错的选择。但是也有网友称可以使用第三方软体劫持到网聊内容。对安全要求严格的网友要慎重使用。

试用下载：http://dashboard.aim.com/aim

Pidgin（旧版名Gaim）基于GTK+，并以GPL许可协议发行的免费、开源的模块化聊天程序，可以支持几乎所有的聊天软体，支持多平台、多语言、多服务、多插件。可以实现最高4096位的RSA加密。此软体可称为即时语软体中的新秀。总体来说是要比QQ安全，也更方便，这是中国大陆开发的软件，安全性未知。只建议大陆以外的网友试用。

网站地址：http://www.gaimcn.com/
试用下载：http://www.gaimcn.com/download.php

３、安全性较高的即时语软体waste

功能不多，可以加密聊天、共享文件。他的优点在于不依赖于服务器，无服务器时需要知道对方IP。同一服务器上，不信任的人之间不可见。网聊双方需交换公匙。

详细说明：http://waste.sourceforge.net/docs/docs.html
网站地址：http://waste.sourceforge.net/

二、第三方加密软体支持

１、清心加密信使

《清新论坛》出品的免费、绿色加密软体，提供最高4096位加密，可加密文本、文件。同时兼容PGP和GPG

试用下载：http://qxbbs.org/viewtopic.php?t=206094

２、LockNote

这是个绿色软体，只有96k大，可以锁纯文本文档，外观类似记事本，很容易使用。

３、Free Hide Folder 1.8（英文）

免费的加密软体，可以将私人文件夹隐藏起来，保密私人隐私不会被窥视、窃取。用于加密聊天记录很好。

下载地址：http://www.cleanersoft.com/hidefolder/free_hide_
folder.htm。

三、一些值得注意的问题

１、隐藏IP

网聊时隐藏IP也是很重要的，可以在网聊时先打开破网软体在进行网聊。火凤凰、世界通、TOR都很适合于网聊时使用。

２、及时清理剪切板

网聊时总会有些内容停在剪切板里面，这样就有可能会泄露私密，要记得及时清理。方法是：开始-->运行。输入“clipbrd”，如果不能打开，说明你的系统没有安装，依次打开控制面板-->添加或删除程序-->windows组件-->附件和工具-->附件-->剪切板查看器，安装就可以了，也可以专用的清理工具。

３、密码和加密网聊记录

不要让网聊工具记住你的密码，这样会容易被盗密码。密码一般要长于16位，还要注意经常更换。这样才不容易被破解。网聊记录要加密保存好。

小结：

如果身处敏感地区或者是敏感人士，最好是使用多种保密方法结合，从各个环节都注意安全。选择flat+sockscap+waste是比较好的选择。如果不熟悉这几个软体的组合，可以选择先TOR或火凤凰再使用
MSN、skype、googletalk任意组合，网聊时用清心加密信使、加密。

一般联络可以使用MSN启用“加密聊天”或用msn shell加密网聊内容。或用SimpLite+GoogleTalk可以实现加密网聊。

有一些网友ＱＱ上面好友很多，或由于特殊原因需要使用ＱＱ，那么建议这样的朋友改用Pidgin，而且，要在虚拟机（推荐sandboxie）里运行至少现在还未听到Pidgin有收集硬盘资料或在电脑中留后门的
传闻。

FireGPG是啥及安装

2007-11-24T08:30:00.001-08:00

来源：FireGPG

FireGPG是啥？

FireGPG是一个在GPL下发布的Firefox插件，它提供了一个使用GPG来加密、解密、签名及验证签名的接口。

FireGPG features a contextual menu giving access to several GPG functions. It also brings GPG features to the Gmail¹ webmail interface, making it easy to use GPG directly from within Gmail! Other webmails will be supported in the future.

FireGPG已被翻译成英语，法语，意大利语，德语，葡萄牙语，土耳其语，西班牙语，波兰语，汉语和荷兰语。我们鼓励你贡献翻译，这很简单。

¹ Gmail is property of Google. FireGPG isn't affiliated with Google.

本插件目前处于 beta 阶段。但是不管怎么样，最重要的特性已经完成了，并且整个插件是完全可用的。如果你发现了一个臭虫（bug)，欢迎联系 FireGPG团队。

MD5 : ad910d55d407d5671144f00bec0f116a

额外的注意事项：

FireGPG并不是密钥管理器。你必须安装GnuPG软件！

在GNU/Linux和Mac OS上，是 GnuPG。你可以使用你喜爱的软件包管理器（比如新立得（Synaptic），YaST，Yum，等等）来安装它，或者从它的官方网站下载安装。

如果你使用微软的视窗系统（Microsoft Windows），你得下载 WinPT和GPG，然后把它安装到默认位置。

如果你已经在你的系统上安装了GnuPG，但是装在一个不平常的地方，你仍可以使用本插件的选项（option）对话框来指定它的位置。

源代码：

你可以使用Subversion下载源代码：

svn co svn://svn.tuxfamily.org/svnroot/firegpg/firegpg

你也可以使用The Tuxfamily's Websvn。

Eraser 5.84 汉化版（Eraser 5.85 en 10.30更新)

2007-11-21T08:49:00.001-08:00

作者：迷恋罪恶来源：http://www.wochpo.cn/read.php/753.htm

删除文件？那还不简单？先 Delete，然后清空回收站，或者直接 Shift + Delete 不就得了？殊不知这可让那些耍小聪明的小贼门钻了个大空子。因为文件删除后（不是放入回收站），系统只是简单地把 FAT 或 MFT 中的记录给去掉，留下的那些内容，也就是磁盘上原来的文件内容，在新的数据写入之前仍然是堂而皇之地摆在那儿的。这对一些重要，乃至是机密的数据的销毁，造成了极大的隐患。(开源软件)
Eraser 正是一款用于解除这样的顾虑的免费工具软件，可用于彻底删除指定的文件、擦除回收站内容、清除文件夹入口，以及清除驱动器可用空间中的内容。支持系统外壳扩展，您可以随时随地调用 Eraser 擦除所需的内容。程序支持最高的 Gutmann 算法35 次擦除，同时还内建了两种符合美国国防部 US DoD 5220.22-M 标准的擦除算法，可以彻底防止软件和硬件恢复工具的恢复。程序同时也内置了速度较快的"伪随机数据"擦除算法，也是挺有效的。这些算法都可以在帮助文件中找到比较具体的信息（当然是 E 文的）。另外软件也允许用户自己定制擦除算法――毕竟一成不变的东西总是有可能被识破的。

　　除了清除数据的功能外，Eraser 还提供了"安全移动"的功能。由于用通常方法移动文件时系统也只是改了一下 FAT 或 MFT，文件数据在磁盘上的位置并没有改变，因此在文件被移动后，特别是在不同驱动器间移动后，文件的原始位置仍然可能被找到。如果使用"安全移动"，便可很好地避免这样的麻烦，让您的文件真正做到"来去无踪"。

官方网站

Eraser 5.84 汉化版

Eraser 5.85 X86

Eraser 5.85 x64

KeyPass：随身携带的密码管理专家（2）

2007-11-21T07:53:00.001-08:00

作者：易水寒来源：it168.com

三、快速输入密码

基本参数设置完毕后，我们来亲自实践一下。打开IE浏览器，访问"IT168商讯信箱"（网址）。移动鼠标，定为光标在"用户名"输入框，调用快捷键（Ctrl+鼠标右键），怎么样，轻易就将预置的密码列表"呼"了出来，鼠标选定对应项目即可填入"用户名"了，如图4。

图4 KeyPass键入密码

小提示：修改默认快捷键的方式

点击菜单"查看"→"参数"，进入对话框后，在左侧列表中选择"参数选择"→"弹出菜单"，即可重新配置激活键，如图5。

图5 KeyPass配置弹出菜单

此外，你还可以在"参数选择"中设置最近的项目数、修改密码、执行数据库同步等操作。

通过KeyPass的有效管理，用户名、密码自然不必再去记忆了，需要使用时直接调用即可。但是这样的操作还不够自动化，用户可以通过创建"登陆脚本"的方式来实现全自动登陆。

KeyPass运行后，会自动在系统任务栏托盘区添加一个"钥匙"图标，我们可以随时双击图标调用KeyPass主窗口。返回KeyPass主窗口，依然选择"商讯信箱"项目，可以在右侧窗口中找到"登陆脚本"项目。

"登陆脚本"实质上就是模拟我们的键盘操作，来实现自动登陆系统。基本的脚本元素包括"字段"（绿色"F"图标）、"键"（蓝色"K"图标）。添加脚本前，我们先来确认一下，如果不用鼠标，只用键盘，我们应该怎样去实现"IT168商讯信箱"的登陆，登陆界面如图6。

图6 "IT168商讯信箱"登陆

很简单，我们可以将步骤分解为：键入"用户名"（即字段）→按Tab键切换到"域名选择区"→按Tab键切换到"密码输入区"→键入"密码"（即字段）→按Tab键切换到"记住我的身份"→按Tab键切换到"登陆按钮"→按Enter键实现登陆。

明白了上面的操作，下面我们就可以来定制一个自己的脚本了，最终效果如图7。

图7 KeyPass登陆脚本

"登陆脚本"的创建就这样简单，用户按照由上到下的顺序添加脚本即可。KeyPass提供的基本脚本按钮可以在工具栏中找到，从左到右依次是："添加字段"、"添加键"、"添加Tab"、"添加Enter"、"添加延时"、"删除"。

以后用户用"Ctrl+鼠标右键"调用密码列表，继续选择对应的项目，不过此时用户不必依次去选择用户名、密码等字段，直接选择"登陆"即可自动实现系统登陆了。

KeyPass：随身携带的密码管理专家（1）

2007-11-21T07:49:00.001-08:00

作者：易水寒来源：it168.com

KeyPass是款帮你管理密码的工具，它除了基本的密码管理功能外，还可以在任何应用程序中实现快速密码调用。使用KeyPass调用密码非常简单，例如在IE浏览器中打开某个需要密码验证的网站，你不必再逐一输入用户名、密码这些信息了，你只需按下热键即可实现密码的快速填写。

KeyPass特色非常突出：使用便利，程序很小可以用U盘随身携带，而且还支持远程数据同步；安全性高，数据库加密使用448位blowfish算法；可以导入外部数据，支持导入IE收藏夹、CSV文件、Firefox书签；自动化程度高，支持登陆脚本，可以实现网站全自动登陆。

一、软件功能简介

KeyPass安装很简单，用户第一次运行KeyPass时，系统会要求输入"管理密码"，如图1。

图1 KeyPass校验管理密码

"管理密码"相当重要，建议大家无论如何使用一个较为复杂的密码作为KeyPass的管理密码。

KeyPass主窗口是非常简洁、直观的，左侧窗口为数据库目录，右侧为密码管理区，操作容易，用户可以很快上手。下面我们来实际操作一下，为"IT168商讯信箱"的用户添加一个密码管理项目。

二、基本操作入门

KeyPass在数据库中已经预置了"书签"、"信息卡"、"信用卡"、"应用程序"等分类文件夹，我们可以直接在这些分类下添加新的密码项目。

选中"书签"文件夹，点击菜单"文件"→"新项目"，重命名新建的项目名为"商讯信箱"（快捷键F2）。选中"商讯信箱"项目，接下来我们在右侧窗口中添加登陆信息，如图2。

图2 KeyPass主窗口(点击看大图)

在"Web地址"中键入"IT168商讯信箱"的具体网址，这很重要，正确填写了该地址，以后就可以直接呼出热键调用登陆页面了，而不需要在IE的地址栏中重新输入。

接下来，我们在"字段"中定义登陆的信息。软件一开始就内置有两个最常见的字段"Username"、"Password"。KeyPass中添加新字段非常方便，所以它的用途就不仅限于密码管理了，你完全可以把KeyPass当作为填表工具来使用。

修改字段非常简单，用户双击"字段名"进入"编辑字段"模式，如图3。

图3 KeyPass编辑字段

"名称"仅作为对用户的提示，所以，你可以将默认的"Password"修改为中文的"密码"。在"数值"中键入登陆密码，为了增加安全性，用户应该在对话框中勾选"隐藏密码数值"，点击"确定"按钮完成。

注：对话框中有一个"生成"按钮，它的作用是生成一个高强度的随机密码，大家不妨试试。

关于邮箱被盗用的声明

2007-11-12T21:09:00.000-08:00

作者：滕彪来源：博讯

昨天，我的邮箱against.teng@gmail.com被第四次盗用。

一个朋友打电话来，说有人又用你的邮箱乱发信了。我赶紧让他把原信发过来：原信题目是“陈光诚软骨妥协”，发件人是 against teng（against.teng@gmail.com）,时间是10月30日。那几段文字几个月前就有人炮制出来，什么“据权威人士透露：陈光诚已与中共达成某种妥协”“条件是不再发表‘民主’ ‘人权’等言论，断绝与外界维权和民运的联系”，“背后黑幕详情见附件”等等，一看就假得要命。

还有另外一篇《来自大陆的怒吼－－不要奥运要人权！》，以我的口气写道，

“此文是我2006年的作品，那是在我遭受打击的低谷，创痛却不可与人言，访旧半为鬼，多病故人疏。更重要的是我看不清楚这个社会的未来，也不能说服自己，我以往坚守和付出的是否有价值，甚至是否有方向性的错误……”，
“他们都没读懂我的文章，因为他们没有我所怀的困惑，不过从哲学上讲被误读恰是人生的常态。我自己随随便便写的稿子，供不应求，稿酬颇高，还欠了一屁股文债，最呕心沥血的作品多是帖血本贡献给互联网了，只要中国的大环境没改善到一定程度，我自己当总编辑大概也是一样。”
“但所有工作最后的意义是为了自己内心的安宁，当那些文字思考的碎片象蚊子一样在你脑海里嗡嗡作响，催促你让它们浮出水面，你工作后，你享有平静和自由。” “感谢各位师友，我已得救。”

竟然写出“从哲学上讲被误读恰是人生的常态”，看来不是一个初中水平的国保，而是一个会写文章的思想警察。不过说我“看不清楚这个社会的未来，也不能说服自己，我以往坚守和付出的是否有价值，甚至是否有方向性的错误”，真是一个巨大的“误读”。我当然看清了社会的未来，知道自己的价值和局限，更不可能怀疑自己有“方向性的错误”！我仍然会向以往那样思考、行动、坚守和付出。

胡平先生收到信后将信将疑，回信问我，是不是我发的。“我”竟然回信道：“是的．昨天刚看到，希望可以帮我转发．谢谢！”胡平还是怀疑，通过电话询问，才知道那回复也是假的。

那个“内鬼”出入我的邮箱如入无人之境！今天是西方群魔乱舞的万圣节，这个情节比鬼可怕多了。

这是今年7月份以来我的gmail邮箱第四次被盗用。前几次发的也是一些新闻文章之类，还有不少朋友回复。愤怒谈不上，谁让人家有上百亿元的“金盾工程”呢？更多的是担心。看这些垃圾邮件，浪费朋友们的时间不说，那些点开附件的朋友，可能导致电脑中毒甚至崩溃，而我竟不知道受害者是哪个人！（当然也不知道施害者是哪个人。）

对此我的郑重声明如下：

（1）这种行为旨在破坏朋友间的信任关系，这远远比传播虚假信息、传播病毒要卑鄙、下流的多！对此种行径我表示最强烈的谴责。混淆是非、颠倒虚实、弄假成真，网络特务利用这种手段已经越来越猖獗，成为与控制信息、监控邮件、窃听偷录、过滤敏感词等手段相配合的新式武器。

（2）我对自己的定位是独立知识分子和人权律师，对政治花边新闻不感兴趣，对密谋、暴力、组党、闯关之类不感兴趣，对某个人的隐私或诋毁攻击不感兴趣；凡是用我邮箱发出的这类信息，可直接删除之。

（3）我自己的文章或者我所办理的人权案件的新闻稿件，我一般只发给向我约稿或者我经常投稿的媒体或者记者朋友，一般不会群发。

（4）我不用附件，除非与收信人另有个别约定。在群发邮件中绝不会使用附件。不用附件无法携带病毒，希望邮箱被冒用或盗用过的朋友，以及其他朋友也采用此方法。

（5）虽然我自己也是受害者，但是我对那些因为打开相关邮件的朋友而遭到的一切风险和麻烦，我表示深深的歉意。

（6）本人今天起不再使用against.teng@gmail.com，新启用的邮箱地址为：fangu@email.com。

（7）作为个人我当然有隐私，而且隐私（私人信息、私密空间、独处的权利）对于一个人正常的生活、思考和写作还至关重要。但作为一个（公共）知识分子，我的一切思想、观点都是公开的，全部都在我的文章、采访和辩护词里。
（8）这种盗用邮箱的行为，构成了对隐私权、姓名权的侵犯，显然违法中国国内的法律和相关国际法律规范，在此正告违法者：我本人保留采取一切法律救济手段的权利，希望你们早早收回你们“肮脏的手”！

2007年10月31日