Secure online communication is a tricky business. From your brain to theirs, each stage of the communication process has dozens of vulnerabilities that need to be secured. Ease-of-use, security, and anonymity compete, and often we lose all three.

Like two ships passing in the night...

Facebook and IM are easy, but neither secure nor anonymous. Pidgin with the Off-the-Record plugin is secure, but not easy for most users. ImageBoards, such as 4chan, are anonymous and easy, but are by definition not secure. There are ways for individuals or groups to set up almost totally secure channels, but they require at least some user-training and sophistaced administrators.

For anyone interested in making sure their communications are kept safe, check out the newly published Surveilence Self-Defense guide published by the Electronic Frontier Foundation. Otherwise, here’s a quick hack that may help against unethical service providers or snoopy governments.

Two-Minute Semi-Secure Chat

All security works on the premise that people know something that others don’t. This may be a password, cryptographic key, or in this trick, a URL.

Essentially, this “technique” involves two users having a list of chat rooms with number labels. In a “known” medium, be it text message or Facebook chat, a user communicates a destination chat number, which tells the other user which chat room to go to. Nobody listening on the known channel would know what URL that number corresponds to and would be unable to eavesdrop. Nobody on the “dead-drop” URL would know who the people speaking are or what they’re discussing, unless they volunteer it in the conversation.

Note that this strategy can be easily expanded to groups; keep in mind the more widely the list is distributed the less secure it should be treated.

How it doesn’t work

It ONLY secures against a single service provider being able to log and compile all conversations between two people. This means if some malware is logging your keystrokes, it won’t help, but if the British government is reading all your Facebook conversations, it may help.

How to do it

Step 0) Collect a list of chat websites and IRC servers. Preferably, they should be in multiple countries and support some kind of encryption. While not a  guarantee, check their privacy policies so see if they keep any conversation logs.

Two examples of web-chat are ChatMaker.NET and drop.io.

For novice users, mibbit.com’s widget and CGI:IRC can provide secure web-clients to access IRC chat rooms. This creates another point of potential logging, but neither say they do. It does, however, allow the user to use more services with only a browser.

Step 1) Open a new spreadsheet. Label the columns as the following:

Chat ID, Random String, Host URL, Destination URL.

Random numbers generated from Random.org

Step 2) Use this page on Random.org to generate 50 random numbers. Copy/paste into the first column.

Step 3) Use this page to generate 50 random alphanumeric strings. Copy/paste into the second column.

Step 4) Fill the Host URL’s with addresses where the random strings can act as “rooms”. You may copy and paste the same URL in large blocks. Below are some examples.

• http://www.chatmaker.net/chatap/rooms/
• https://widget.mibbit.com/?forcePrompt=true&server=irc.freenode.net&channel=%23
• https://widget.mibbit.com/?forcePrompt=true&server=irc.mibbit.net&channel=%23
• http://drop.io/

If you’ll notice, the two mibbit.com widgets point to different servers. This is the way you can configure that particular web IRC client.

Step 5) In the last column, use a formula to append the random string to the Host URL. In Excel, this would be =CONCATENATE(C2,B2). Then sort the sheet by the first column to make looking up a number easy.

Step 6) Securely get this to your friend. Printing it is a good solution for two reasons:

A) transmitting and scrubbing secure digital bits is incredibly difficult for most users.

B) people are good at keeping physical things safe.

Step 7) After meeting at a dead-drop, avoid using your name, distinguishing details or other sensitive information. Also, avoid relying too much on a single service provider as this may prove your two identities are related. Remember: you can always send another destination room number any time you like. Once you leave a room, both users should scratch it off their list and never return.

How to harden this technique

To secure a desktop at the software level, a user could run a bootable CD such as Ubuntu or Knoppix.

To resist server access logs (IP logs), combine this with some kind of open-access connection (open wifi, pre-paid WAN access) or proxy (SOCKS, Tor). The XeroBank Browser can be run from a thumb drive and integrates a Tor proxy client.

To resist service provider logging, users could employ end-to-end encryption such as PGP or Off-the-Record. Instead of chat URLs, the list could be of disposable instant-messaging accounts used in conjunction with Pidgin + OTR. It could even be a list of pre-paid mobile phone numbers or Drop.io conference call bridges.

Also, to resist service-provider logging, use as many different providers as possible. There are hundreds of public IRC servers and dozens of web chat rooms. Take advantage of that fact, be a ghost.

Why?

The technique is not complicated or hard for most users when put the right way. “Go to chat room 12″ is a lot easier than “First go here and install this software, then add this plugin. Then wait for me to IM you…” or “let’s only talk in person ever.”

Handing your nontechnical friend a printed list is fast and easy; it also can be combined with other more sophisticated techniques and technology. While much more secure methods are available, most of us aren’t facing an omnipotent secret society or are on the run from the FBI.

I almost did not publish this blog entry because the hack, taken by itself, is rather insecure. It should be thought of as only as an optional addition to another security strategy. That being said, unidentified communication is the premise behind drug dealers using pre-paid cellphones and spies keeping One-Time Pads in East Germany. Even by itself, it probably is more secure than 99% of the communications people do on a day-to-day basis.

Someday novice users will be able to communicate online securely against overbearing governments and unethical service providers. Until then, however, we’re stuck with difficult technology and hacks like this one.

Seriously, go read the SSD guide.

Dear Internet,

I need a project to do. It could involve electronics, it could be straight craftsmanship, but I’m open to suggestions. It must be affordable, and preferably have an iota of practicality. Below is a parts list of things I either own or am willing to buy. Please leave your suggestions in the comments!

Hardware

• Sealed or deep-cycle lead-acid battery
• Uninterpretable power supply (dead battery)
• AC power inverter
• Float charger
• Inspiron 6000 laptop
• Linux wall-wart server
• RFID reader and tags (sticker, “pills”, etc.)
  
• USB web camera
• Phidgit USB-controlled relays
• X10 or other automation controllers
• Stand alone motion-activated alarm (allowed to hack and make it a trigger)
• Pre-paid cellphone (allowed to hack to hack and make it a trigger)
• Laser pointers
• Servos
• Tripods
• Anything else I can buy at Radio Shack or Home Depot

Software

• Linux or Windows powered server
• Web-cam motion-activated software
• RSS reader and publisher
• SMS send and receive
• Email server
• IRC server and bot
• Jabber server and bot
• Custom applications

Services

• Drop.io file uploading, MP3 voicemail number
• One-way disposable email addresses (MeltMail, Mailinator)
• Remote-administration tools like TeamViewer
• Icecast audio streaming
• Video-streaming websites

So far, I’ve only come up with either building either an autonomous paintball sentry, web-enabled tomato plant (site to watch, water, measure), or an RFID apartment door lock. Write your idea in the comments.

Can stoves are one of those skills that you will most likely never need unless you go camping. Then again, it’s one of those skills that could save your life in an emergency. I know how melodramatic that sounds, but this past winter, up to 770,000 people in Kentucky had lost all power to their homes. In Madison, WI. we had one of the coldest winters on record with nighttime temperatures as low as -30 Fahrenheit / -34 Celsius. In an emergency, you may face the very real, very dangerous scenario of having to face at least one night in your home without any heat. Even if you could survive wrapped in all your blankets, some pets can easily die if the temperature drops below 50 Fahrenheit / 10 Celsius. Rather than trust your life to your local utility company, spend an hour and try this out.

What to Do

The first thing is to have a mylar space blanket. They cost only a few dollars at Wal-Mart/Target/gas station and reflect 97% of heat back onto your body. Then fish two soda cans out of your trash, grab your bottle of rubbing alcohol/vodka/etc. and build a soda-can stove. Wrap the blanket around you and put the stove (carefully) near you and try and catch as much heat as possible. Even though it is a small flame, it heated my entire bathroom in a few minutes.

You can make these as overly complicated and intricate as you’d like, as you can see in this instruction set. Mine was not. I grabbed a box cutter and eyeballed the cuts, then poked vents in the side with my Leatherman Skeletool (which is more or less a permanent extension of my body). It took two tries, but I quickly had it working. Follow any of the instructions you find online and you’ll probably have a functional stove.

Don’t Be Stupid

I have two other big pieces of advice if you are going to be using this indoors.

1) Put your stove on a plate or in a bowl. If your seams are not tight or you spill fuel while filling it, you will ignite blue flashes of flame under the stove. Not an issue for a ceramic plate, but would start your carpet on fire if, you know, you’re an idiot.

2) Ventilation. If your stove is burning hot enough, you will not have too big of an issue with fumes. If you’re like me and your first stove sucks, you will have plenty of methonal vapor hanging around your bathroom. Turn on a fan, crack a window or just open a door. In an emergency where you have to keep a door closed to preserve heat, do shorter, controlled burns as needed or use an oil-based lamp.

Like any open flame, it’s easy to burn your house down, so don’t be stupid. I tested mine in the bathtub under the faucet so I could kill it quickly.

Other Options

This is only one of many options for emergency heating. You can just as easily build an oil based lamp or use a well-maintained fireplace. This episode of The Survival Podcast goes into more depth about better options if you would like to prepare, but for those blissfully ignorant or in apartments, this option is useful in a pinch.

I do not own a smart phone. I don’t even have a data plan. It sounds strange because I’m by any definition a zombie-loving, Linux-running geek. I am also, however, very cheap. After discovering I can completely use my Google Calendar via text-messaging, I wondered if I could start to use Gmail in the same way. The solution I have right now is incomplete, but very easy to setup.

The Problem: I lose ToDo lists. I played with the one built into Gmail, a paper planner, and a whiteboard on my door. Each has their own advantages, but I don’t have universal access to any of these (without dropping $400 on a smart phone and another $20-$30 / month on a dataplan).

My Solution: Text my  ToDo’s to Gmail so I can have a complete list on any computer, and have the record of it as an outgoing text.

1) Add your gmail address as a contact in your phone. In truth, any email provider will work for this, but you get to figure out message rules if you use something else.

2) Send a test text message to that address. It’s not very well known, but virtually all mobile providers provide an SMS gateway that treats your number as an email address. Your test message will show up as coming from something like 6085551213@att.com. You can even reply to the email and your message will be forwarded as a text to your phone.

3) From the message’s page, click “More actions” and then “Filter messages like these”. Click “Next” on the box that appears. Check the box that says “Apply the label:” and choose “New Label…” from the drop-down box. Name it “To Do” or something to that effect. You can also check “Archive” if you don’t want these messages to automatically appear in your inbox.

4) Now whenever you want to see your ToDo list, click the label on your gmail. If you’re on the go, check your sent text messages. I leave mine rolling so I never delete them, but there’s nothing stopping you from pruning it.

The Future: In a period of copious time and crushing boredom I’ll expand the system so that I can fetch my ToDo list similar to the “Day” text message function of Google Calendar. “Day” returns all my appointments as a text for the day, and has saved my butt more than once.

The way I envision it is an email client running on my machine that waits for a message from my phone with the text “fetch todo”. Using a shell script or Thunderbird extension, I would have it fetch the last 20 messages labeled ToDo and reply with them. Thunderbird would seem the obvious platform for this, but it might be possible using Sendmail (which is also available on Windows).

If you have any suggestions or ideas, please leave them in the comments or email me. I’d love to hear ideas.

This update has been a long time coming. A little more than a year ago I had given up on blogging. The vast majority of personal websites are either narcissistic (I’m looking at you, Twitter), re-posts of re-posts, or  half-baked rants. I had given up on the site because I frankly did not have the ego for it.

I’m starting the site again for two reasons. The first is I have a body of esoteric (but not necessarily useful) knowledge. If a dozen people discover something insightful or useful, I’ve accomplished my goal. The second is that I won’t be in the warm embrace of academia much longer, and I need a cleanly built, easy-to-find clearinghouse for my projects and contact information.

Here are some things you won’t find on my site:

• Uncredited photodumps – if you loider on the web enough, you’ve seen any funny/artistic photo I could show you. Furthermore, even for a copyright reformist like me, I cannot stand seeing something uncredited. What if I want to see their other pieces? Understand the context?
• Wholesale copying or a half-hearted paraphrasing – If I had found a site worth a link, it goes in my StumbleUpon. You don’t need me to play Telephone with an Associated Press article.
• Excessively personal posts – If you know me in real life, then we’re probably either friends on Facebook or drinking a pint together. I don’t need to drown Internet with my bleeding heart.
• Regular updates – I will only post when I have something of value. You didn’t come here to read what I ate for breakfast.

If I shut down the site again, I won’t be surprised. I will make an honest effort to provide original and interesting content, but I won’t keep it if I can’t be proud of it. Soon you can expect articles on things ranging from bushcraft to novel security technology.  From politics to video games. I’m not sure yet, but I am excited about the Internet once again.