[liberationtech] SMS questions
Erich M.
erich at moechel.com
Tue Aug 27 18:34:02 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/27/2013 07:29 PM, Bernard Tyers - ei8fdb wrote:
>
[ei8fde de oe3emb. will contaqt you offlist for a sked on HF.
Consulted qrz.com HI]
>
> Depending on the information your colleagues want to collect, and
> depending on how onerous the control of the telco system is,
> FrontLine SMS might be useful.
>
> http://www.frontlinesms.com/
> http://www.frontlinesms.com/technologies/frontlinesms-overview/
If it is such and such a government "far away" one can only strongly
recommend _not to use SMS for any such purposes_ . SMS is service
number one controlled by all local authorities. SMS are relayed via
the telco SS7 [not a protocol but a "signalling system" ;] bulk data
stream. You can log them at the local telco switching system easily
even without the use of a monitoring centre.
But there are all monitoring centers built into the telco premises
even in remote places such as Mongolia or South Sudan. Astonishingly
prominent delegations sent by these governments were spotted at the
ISS surveillance equipment trade shows lately.
In 2009 the Iranian protesters were fished off the streets one after
another. Many of them had used twitter apps via sms-gateways from
their mobiles. These SMS were read in at by the even before they When
the Tehran clericofascist secret police could not cope with the new
accounts any more they would block twitter. Three days later they
would go for another fishing trip opening up their firewall for
twitter again.
They did this three times in a row until the prisons were overcrowded.
The twitter app was a trap as it ran over SMS.
Below are some recommendations to Gezi park activists sent by a very
distant 2/3 grade cousin of mine.
The recommendations were adapted twice according to feedback.
Interestingly there were only very few reports [compared to other
regions] on net surveillance based arrests.
That coincided with Squire Snowden's gallant information operations on
Mediterranean fiber optic cables.
Servus
Erich M.
postscrypt: oe3emb now qsy 40m
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SECURITY BULLETIN 0.2 for the .TR DOMAIN
2013 06 18
Barev,
This version overrules 0.1. It is adapted roughly to the current
situation estimate from here. Not for publication in the WWW-sphere
but for informal circulation.
1. Please do recheck all your *mobile apps*. Some of these operate via
SMS, never use one of these for tweeting live. The Sultanat owned
machines have read it in before your message is published on Twitter.
2. Please do check the "sanitary situation" of all your computers. Do
not fully trust the security of any, but check out the least
suspectful machine. Best case would be a machine running a freshly
installed operating system in a somewhat shielded network environment.
This machine should be used only for sensitive information.
3. The Sultanat forces are after your machines to infiltrate these
with trojan horses and other malware. They do this preferably to
people who they deem "leaders". Beware of e-mail attachments seemingly
coming from a friend, the attached doqument will bear a title that is
designed to trigger your current interest.
4. Make sure that you have separated all sensitive communication
channels from general and public messages. Classify your
communications into two or three security levels, as you deem
appropriate. Avoid crisscrossing these levels, so fewer people can
unwittingly endanger your coordination.
5. Example: Level 1 could be family and best friends, all strictly
personal. Level 2 is more or less public, for informing people. Write
everything that is not mission critical there and does not compromise
anybody directly. Level 3 is for sensitive issues that are critical to
your cause. So the levels here are "private", "[semi]-public" and
"sensitive". Choose any similar model that fits you best.
6. The three levels of communications or so are an abstract, not
necessarily identical with a communications channel. This is an e-mail
account, a mobile fone account. Apply these three levels of security
to the internet communications channels you already use [diverse email
accounts, Facebook, other chatrooms, chat clients, closed fora and so
on]. Do not change your electronic communication habits abruptly. Try
only to become less visible, try to fade out of their focus on the
internet spots known to the Sultanat.
7. Prepare an emergency SMS code with a set of five or so short coded
messages, known to the addressees. Hate to write this: arrested,
hospitalized, you name it. This is a last resort communication means.
Will still be available when internet traffic does not work.
8. On the mobile fone/internet level consider which of the available
mobile providers shows least affiliation to the Sultanat. Decide how
to distribute your communication onto these networks. Do not trust any
of them, of course. Again: Do not mix up communication levels, keep
these separate.
If some points made here are already known or even considered trivial
this would be appreciated here with relief.
TECHNICAL RECOMMENDATIONS
Close to all of these programs are free software. Start with Firefox
browser, best is an entirely new installation. Add the recommended
plug-ins. Inform yourselves and DO urgently contact local technology
minded people you trust.
https://securityinabox.org/
By clicking the link below you will find my public key. You can import
this key by copying. All you need is free thunderbird mail prog with
the enigmail plugin. You can do roughly the same on M$ Outlook with a
Plugin by Google.
http://www.enigmail.net/home/index.php
http://code.google.com/p/outlook-privacy-plugin/
If you send me an e-mail using exactly this public key your message
can only be read by me. This message is relayed via gmail,
unencrypted. So my cheers go to the esteemed algorithms of Google and
the NSA as well.
kenats't
Harkank Merzenoghian
- - --
Key ID 0x67F25C35
70EE A271 08B1 3FAB 8107 B035 B25D A753 67F2 5C35
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB25DA75367F25C35
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
- -----END PGP SIGNATURE-----
>
> Hope it helps, Bernard
>
> On 27 Aug 2013, at 17:36, Richard Brooks <rrb at acm.org> wrote:
>
>> I have colleagues living in a small country, far, far away with a
>> history of rigged elections who want to put in place a system for
>> collecting information using SMS. The local government keeps
>> shutting down the systems that they put in place.
>>
>> I think I understand their needs and wants. SMS is really not my
>> strong point. If anyone with an understanding of SMS, SMS web
>> interfaces, and/or related security issues would be willing to
>> point me in the right direction (or discuss potential issues) I
>> (and by extension they) would be grateful.
>>
>> The alternative is for me to dedicate my excess cycles to
>> researching those issues from scratch, which sounds time
>> consuming. They kind of need help in the near future.
>>
>> -Richard -- Liberationtech is a public list whose archives are
>> searchable on Google. Violations of list guidelines will get you
>> moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing
>> moderator at companys at stanford.edu.
>
> -------------------------------------- Bernard / bluboxthief /
> ei8fdb
>
> IO91XM / www.ei8fdb.org
>
>
>
- --
http://moechel.com/kontakt.html PGP KEY 0x2440DE65
fingerprint A564 1457 71C3 E907 6D78 429E 76F3 C66E 2440 DE65
- --... ...-- -.. . . .-. .. -.-. .... --- . ...-- . -- -...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
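
Added example, not part of the original message: the post above states that SMS can be logged at the telco switch. The sketch below decodes an SMS-SUBMIT TPDU as laid out in 3GPP TS 23.040 and recovers recipient and text without any key, which is why the content is readable to whoever operates the network. The PDU, number and message text are constructed, and only the ASCII-compatible subset of the GSM 7-bit default alphabet is handled.

```python
# Added example: SMS-SUBMIT TPDU layout per 3GPP TS 23.040.
# All sample values are constructed; the number is in the fictional 555-01xx range.

def pack_gsm7(text: str) -> bytes:
    """Pack 7-bit septets into octets, low bits first (GSM default alphabet packing)."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= (ord(ch) & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")

def unpack_gsm7(data: bytes, septets: int) -> str:
    """Inverse of pack_gsm7; letters, digits and space share ASCII code points."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def decode_sms_submit(pdu_hex: str) -> dict:
    b = bytes.fromhex(pdu_hex)
    pos = 1 + b[0]                          # skip length-prefixed SMSC field
    first = b[pos]; pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT")
    if first & 0x40:
        raise ValueError("user data header not handled in this sketch")
    pos += 1                                # TP-MR (message reference)
    ndigits, toa = b[pos], b[pos + 1]; pos += 2
    nbytes = (ndigits + 1) // 2
    raw = b[pos:pos + nbytes].hex(); pos += nbytes
    # Address digits are stored as swapped nibbles, padded with F.
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[(first >> 3) & 0x03]   # TP-VP length by format
    udl = b[pos]; pos += 1
    if dcs != 0x00:
        raise ValueError("only the default 7-bit alphabet is handled")
    return {"to": ("+" if toa == 0x91 else "") + digits,
            "text": unpack_gsm7(b[pos:], udl)}

SAMPLE_TEXT = "meet at gate 4"              # constructed message
SAMPLE_PDU = ("00" "11" "00"                # no SMSC, SMS-SUBMIT + relative VP, MR=0
              "0B" "91" "5155550501F0"      # 11 digits, international, +15555550100
              "00" "00" "AA"                # PID, DCS (7-bit default), validity period
              + f"{len(SAMPLE_TEXT):02X}" + pack_gsm7(SAMPLE_TEXT).hex())

if __name__ == "__main__":
    print(decode_sms_submit(SAMPLE_PDU))    # recipient and text, no key involved
```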