All posts by Frank

Privacybox: The anonymous messaging system

Aimed primarily at journalists, bloggers and activists, Privacybox is a free service from the German Privacy Foundation. It provides a way to exchange messages with others anonymously, without the possibility of anyone tracking down the sender.

If your friend’s computer is seized or stolen and its hard disk examined, there will be nothing linking him to you other than the message contents. Privacybox can be compared to an online dropbox point where you simply drop the messages, including attachments (600Kb) with pictures or documents, and they are anonymously forwarded to your contact. All you need to know before sending a message is their personal contact URL.

Privacybox contact methods

When you create an account with Privacybox you are automatically assigned four URLs. You can use any of them, pass it on to your contacts, or post it online.

Tor hidden service: A Tor hidden service URL in the form of a .onion address, accessible only to people using Tor and not to the general Internet populace. Anyone sending you messages using this URL is protected by the Tor proxy.

I2P anonymous network: You are assigned a .i2p URL, accessible only to people using I2P, an anonymous network that encrypts data and routes traffic through other peers.

Online anonymous dropbox messaging

Mobile device access: You are assigned a .mobi URL for your contacts to reach you using a mobile device.

Desktop computer access: You are given a plain vanilla URL to be accessed through the normal Internet. This URL, like the others, can be posted anywhere: forums, websites, etc.

The sender decides which is the best way to contact you, as long as they have your personal URL, which is not known to anyone unless you reveal it. You can create new contact URLs and change your encryption keys at any time using Privacybox account management.

Retrieving anonymous messages

Anonymous messages and attachments can be retrieved using the German Privacy Foundation’s free POP3 SSL postbox; you can find the settings for this inside your Privacybox account. You can also use a Tor hidden service to receive the email, have the messages forwarded to an I2P mail account (without S/MIME encryption), or have the anonymous messages forwarded to an external email address. The message headers will not contain any identifiable information.

Anonymous online

In your account settings you can choose no encryption, S/MIME encryption or PGP encryption. For (optional) encryption to take place you have to supply your own OpenPGP public encryption key or an S/MIME digital certificate (in .pem format).

The interface is multilingual, available in English, German, French, Russian and Portuguese. For questions you can contact the admin team using their online form. The PrivacyBox software is open source.

Message deletion and logging

Privacybox claims it does not log any data about the sender of messages and cannot provide any information about them even if compelled: it is impossible to supply what does not exist. However, because the system’s anonymity leaves it open to abuse, if abuse is reported to them the account will be deleted.

There is no reply function; PrivacyBox is a one-way anonymous messaging system. You can erase your Privacybox account at any time by entering your password in your account; all of the data is then erased straight away and the backup vanishes one hour after that.

Visit Privacybox homepage

UPDATE 2013: Service has been discontinued.

Dropbox the encrypted online data storage with FBI access

Dropbox caught red handed

While Dropbox stated verbatim on its website (now changed):

“Dropbox employees aren’t able to access user files and when troubleshooting an account they only have access to file metadata”

They now admit in their updated Dropbox terms and conditions that they can and will decrypt your private files for law enforcement, and say verbatim:

Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement

Is Dropbox lying to customers?

They have sent out a statement to Business Insider saying that they are not lying because:

“…In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement — it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission…”

Dropbox can access AES256-bit encryption

This online data storage service uses one of the strongest encryption algorithms out there, AES-256, but because they hold the encryption keys it is perfectly possible for them to decrypt everything if needed.

There is nothing new about a company admitting that it will help out law enforcement if subpoenaed. What is new is that they first tell you their employees can’t access the data, and after they are caught red handed changing their terms and conditions they now say that it has all been a misunderstanding and they will change the wording on their site.

National Security Agency (NSA)

Even if you were to live in cuckoo land and trust the authorities not to abuse their powers to access people’s data without a valid reason, you might want to read Derek Newton’s article on Dropbox’s insecure design and Christopher Soghoian’s article on how Dropbox sacrifices users’ privacy for cost savings.

How to secure online data from eavesdropping

If you are going to store data online, always encrypt it locally on your own computer first. Never trust a third party service like Dropbox or Hushmail with your data, even if they tell you they can’t access it and that everything is fine; the bottom line is that they have access to the decryption key.

Besides the chance that your online storage service’s encryption implementation is flawed, they can do anything they like with the decryption keys. If you send the data to your online storage space already encrypted, you will be the only one who decides when and how to decrypt your confidential files, and you will also protect yourself from a rogue employee tempted to look at them.
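The point above is about key custody: AES-256 protects nothing if the provider holds the key. The Go program below is an added example, not code from the original post or from Dropbox, showing the recommended alternative: the file is sealed with AES-256-GCM under a key that exists only on the user's machine, and the provider receives an opaque blob (nonce plus ciphertext) that it cannot decrypt or silently alter. Names such as `SealLocally` and `OpenLocally` and the sample file contents are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob is all the storage provider ever receives: a random nonce and the
// GCM ciphertext (authentication tag appended). It carries no key material,
// so a subpoena served on the provider yields only this opaque data.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewLocalKey generates a 256-bit key that stays on the user's computer.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from the user-held key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLocally encrypts the file before upload. The file name is bound as
// associated data, so a blob stored under one name cannot be swapped in
// for another file without the tag check failing on download.
func SealLocally(key, plaintext []byte, name string) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// OpenLocally decrypts a blob fetched back from the provider. Any change made
// in storage, a wrong key, or a wrong file name is rejected rather than
// producing garbage plaintext.
func OpenLocally(key []byte, b Blob, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
	if err != nil {
		return nil, errors.New("blob rejected: tampered, wrong key or wrong file name")
	}
	return pt, nil
}

func main() {
	key, _ := NewLocalKey()
	// Constructed sample file; in practice this would be read from disk.
	blob, _ := SealLocally(key, []byte("draft contract, confidential"), "contract.txt")
	fmt.Printf("provider stores %d opaque bytes and no key\n", len(blob.Ciphertext))
	pt, err := OpenLocally(key, blob, "contract.txt")
	fmt.Println(string(pt), err)
}
```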

PS: I am adding Dropbox to my shit list.

BrusselsLeaks the European Union leaks website

A Wikileaks alternative with the same aspiration as Wikileaks, publishing leaked confidential documents to promote the freedom to know, but this time aimed at exposing what goes on inside the European Union.

Their server is located in Iceland, a country with very strong press protection laws and currently outside the European Union. Although Iceland has applied to join the EU, the process is likely to take quite a few years, and BrusselsLeaks has said that they will review their server location when that happens.

BrusselsLeaks describes itself as a self-funded group of activists, journalists, Non Governmental Organisation workers and public relations sector workers based in Brussels (Belgium), who want to expose what goes on behind closed doors when decisions are taken in the European Union.

BrusselsLeaks logo

They claim that no personal data is stored when you submit documents through their online form, but do not explain in detail how they achieve this. Their site uses a RapidSSL digital certificate, which is a good thing for privacy but does nothing for anonymity.

I kept wondering if their server has any special set up to routinely wipe connection logs; nothing of this is mentioned in their security section. Data encryption is mentioned, but this only goes so far, and my main concern would be their submission server being seized with the IP logs still inside. However unlikely, it is always better not to leave anything unconsidered, and I would make sure to be using a proxy if I had to submit any documents.

According to the EUObserver, BrusselsLeaks will not be publishing anything itself but will instead check the documents’ authenticity and pass them on to selected media. BrusselsLeaks is willing to take your material of ethical, political, diplomatic, economic or historical significance, but not opinions or documents which have already been published elsewhere.

UPDATE 2012: Project ceased to exist! Link erased.

FBI asks for help breaking encryption code in murder case

The FBI is not trying to break the mighty PGP or Truecrypt; they have been trying to crack a home-brew encryption code and have not succeeded. This can only indicate that they do not have as many means to break encryption as they would like people to believe. This being a murder case, one can assume that it is a high priority case, and if after 12 years they are asking the public for help one can assume that they are at a dead end.

Encrypted note FBI murder case

The encrypted notes were written by the victim and are the only clue to solving the murder. His family claims that he had used such encrypted notes since he was a boy, but no one in his family knows how to decipher the code. The American Cryptogram Association has been helping out in this case and has been unable to crack the code too.

FBI cryptanalysts are asking for other encrypted notes using the same code in order for them to compare and move their theories for cracking the code forward.


How Google dirtballs attempted to get money out of my girlfriend

My girlfriend Viviana got a nice letter from Google Adsense today. They offered her free money; this free money, the Google Adsense charlatans said, was in the form of free advertising to promote her sites using their Adsense program, a promotion worth €75 (approx. $100).

As soon as Viviana said the word Google the scam alert activated in my mind and I looked at the letter carefully. At the back of the letter I found some tiny writing; I got my magnifying glass out of the drawer to be able to read the text properly. It started by saying “terms and conditions”, and this is what I found.

  • Google Adsense breaking Google Webmaster spamming rules

A well known con artist trick used by spammers is to stuff a website with keywords in a white coloured font on a white background; this way nobody can read the text except the search engine. Google has banned this practice and penalized such sites. Google Adsense’s terms and conditions are written in difficult to read grey ink printed on a white background.

To top it off, Google Adsense wrote the terms and conditions using a teeny-weeny font. If Google Adsense’s terms and conditions were written on a website instead of a letter, it would probably be blacklisted and flagged as spam.


Google Adsense terms and conditions
  • Google Adsense Marketing manager Christina Wire fake signature

The letter comes signed in blue ink by Google Marketing manager Christina Wire. On closer inspection you will notice that this blue ink has in reality been printed; Christina Wire never signed your letter in person. Google has been clever enough to choose blue ink for this part of the letter, so to some people it might look as if she signed it herself, but the signature has in reality been machine printed.

  • Google Adsense demands payment upfront

While Google claims to give you €75 worth of free advertising, if you choose the easy to manage Adsense prepaid mode you need to pay Google €5 first “to activate your account”, and their credit card payment processing system requires a minimum €10 payment. In the end you end up having to pay €10 upfront for their “free present”.

There is an option to choose the “automated” Google Adsense management with no upfront payment, but that method is much more likely to incur accidental over-budget expenses afterwards. Whichever way you choose, Google always wins.

  • Google Adsense helpline premium number

The Google Adsense free money letter clearly prints its phone help number on the front. What isn’t so clear to read is the tiny terms and conditions at the back pointing out that this is not a free call and it will cost you €0,67 per minute plus a connection fee.

  • Google Adsense wants you to hurry up to secure the “free money” offer

The Google free money/present offer is only valid for a set period of time: the longer it takes you to sign up with them, the less “free money” you get. After a month this “free money” offer is reduced by €25, and one month later the offer is finished.

What the Sicilian Mafia could learn from Google

There is no need to break the law to get wealthy. While I cannot call Google fraudsters, because they have terms and conditions that can be read by people with very sharp eyesight and by others using a magnifying glass, I can certainly call Google Adsense dirtballs, because honest and transparent businesses do not use degenerate marketing strategies in order to get my girlfriend’s hard earned money.

I have said it before on this blog and I will say it again until they leave us alone.


Fuck Off Google!

Homeland Security built website offering child sex in Canada

Police fake child sex site taken down by their webhost

The Department of Homeland Security’s fake website offering cheap (presumably) trips from the USA to Canada for men to engage in sex with children has been suspended by their webhost after a member of the public reported it to the host’s abuse department, who in turn took it down and, if they followed standard procedure, must have reported it to the FBI as well.

The DHS will have learnt its lesson, and if they ever try this again they might use their own server instead of relying on commercial services; this way they can ignore public complaints. They could also work in collaboration with the hosting company and inform them of what they are doing.

A one year undercover operation and hours of police time have gone up in flames because of their short-sighted thinking.

Police set up of the fake child sex tourism site

The Homeland Security fake online website/company was named “Precious Treasure Holiday Company”, which can be abbreviated as PTHC; in pedospeak that acronym stands for preteen hardcore sex. The website also depicted some well known underground paedophile logos (the boylover and girllover logos), and it contained some misspellings, which I would assume were done intentionally to make it look like a foreigner was behind the company.

To make sure everything looked convincing, the site had a password protected online catalogue of children for customers to choose the cutest kid from; only interested parties were given access to the password protected part of the site after initial contact.

Child sex website

How did the DHS make sure pedos would find the website?

DHS agents also set up a series of sites with ambiguous content (I am assuming here that nothing illegal was posted, just worded as if it were), and they included links to and mentioned their sting operation “Precious Treasure Holiday Company” on those sites. They kept promoting their sting operation in chat rooms and forums that dealt with jailbait and little lolita sex while assuring people that it was a bona fide operation.

Descriptions used by “anonymous” posters to illustrate the site included: “great place for real incest”, “only place for the real thing.”, “This website…is an actually thriving business that is legit.”

How could one have spotted the fake child sex website?

Various clues gave this website away as a sting operation; anyone with a little common sense would easily have spotted that something was wrong.

  • First inconsistency: Child sex trip to Canada

Has Canada become a child sex haven now? Why travel to a country next to yours with similar living standards and rule of law (no added benefits) in order to engage in child sex when you can do it in your own country? Selling child sex travel to a Third World country would have made more sense.

I believe the DHS chose Canada because they wanted to make 100% sure that nothing could go wrong and everything was under their control at all times. If they had arranged for the suspects to travel to a real child sex paradise there was the chance that the suspect might have engaged in sex with kids there before he got arrested.

  • Second inconsistency: Privacy services from a Canadian company

This is a supposedly illegal website, but it is not being hosted in Russia or China or Mongolia; it is using a North American based domain registrar and hosting with a whois privacy service (Tucows) subject to Canadian law. The whois records also show that the domain had recently been created (2010), not a big giveaway but not a good sign either.

  • Third inconsistency: Online child sex catalogue does not contain illegal images

The suspects were given a username and password to access an online children’s catalogue. I am speculating here (but willing to bet money on it) that it is almost certain that all of those photos, although perhaps racy (if at all), did not contain any indecent images of children. Doing so would have meant that the police were breaking the law themselves by distributing child pornography, and if only for the headlines it would make in the press, it is highly unlikely the police will ever distribute child porn unless they are really desperate to make an arrest and have run out of options; even then they would want to make sure that those images can never be redistributed or copied.

Spotting FBI fake child porn websites

The rule of thumb is that the police can offer illegal services but they will never actually provide them, because it becomes legally troublesome and it makes the cops look really bad in the press. Police informants are a different thing, but cops themselves might only ever distribute child porn or drugs in extreme circumstances. Nothing stops cops from distributing fake child porn (photos not showing pussy and tits) and fake drugs (flour anyone?); that is fair game.

Did this fake child sex website get any results?

Because of the fake DHS child sex tourism website one USA citizen is now serving 20 years in prison and another awaiting trial for conspiring to transport an 8yo girl from Canada to the U.S.

I do not agree with this kind of police tactic, where they incite others to commit a crime that might never have occurred had the cops not offered them the possibility to carry it out; it stinks of entrapment. The DHS operation is no different from opening Bank Of America’s safe next to a homeless shelter and waiting around the corner ready to arrest anyone coming in to grab the cash.

News Source: The Smoking Gun

Wikileaks alternative: OpenLeaks

A new Wikileaks alternative has just opened for business. It is called Openleaks and their goal is to help whistleblowers spread leaked documents and information. Openleaks has a contact phone number (with a German country code), fax, email address (with a corresponding PGP encryption key) and Skype.

Using Skype for communications does not seem too bright for someone who is a Government target. Skype is owned by eBay and it is closed source software; I can easily envision a scenario where a US Court forces eBay to insert a backdoor in Skype for the FBI to tap into the communications.

OpenLeaks website

I wonder why Openleaks didn’t choose a Jabber instant messenger based on XMPP, the open standard for instant messaging. Gajim and PSI would be two good choices; they both support end to end encryption with SSL and do not belong to any big US corporation open to subpoenas.

Differences between OpenLeaks and Wikileaks

Openleaks will not publish any leaked information themselves; they pass it on to third parties. They define themselves as a complementary project to Wikileaks, not a competitor.

There are ways for someone to anonymously send confidential information to a third party (Tor proxy, remailers, etc.), but that needs time and knowledge. Openleaks will make it easy to send leaked documents, acting as a middle man between the leaker and the publisher; the more proxies you have, the harder it becomes to track down the source.

The only doubt in my mind is, who will dare to post the next stolen top secret documents in a censorship free media without fear of consequences? I can only think of WikiLeaks, maybe Openleaks can be used to send documents to Wikileaks. :)

In fairness, Openleaks claims to be in an alpha stage and it is still too early to judge them. I hope they succeed in their endeavours, and I hope they change the Skype thing too.

Visit OpenLeaks homepage (Site no longer exists)