Saturday, November 22, 2008

The Namibian government wants to spy on you - but can they really?

As The Namibian reports, the intended passing of the new Communications Bill apparently tries to give the Namibian government something that it itself permanently refuses to give to the Namibian voter: complete transparency in just about all forms of electronic communications, be that by telephone, email or any other means of communication (and as far as I can see, they have not excluded normal postal communication here either).

Sweeping powers to spy on its citizens without any form of judicial oversight - a piece of law that would see other countries' citizens up in arms, demonstrating in large crowds to stop this bill from being passed. In Namibia though, the focus of the average man on the street is less on communications and more on getting (or even more importantly: keeping) a job, overcoming poverty and getting some food on the table, so it is more than likely that some "academic" criticism by the (more or less powerless) opposition parties will essentially be all that we hear before this controversial bill is passed - as all bills presented by SWAPO stalwarts usually are.

So the interesting question now is not really "can we stop them from passing the bill" - but rather: what use will that bill be in a modern society that has long since developed ways and means of secure communication that are virtually impossible to break - especially for a cash-strapped government that simply cannot afford the highly skilled specialists it would take to actually implement what is soon to be put on paper?

The main problem here is: if you have the necessary know-how, you can easily protect your computer or business network environment from any such espionage attempt (something that keeps even highly skilled and well tooled government agencies in other countries like the US or Germany pretty busy, as it is apparently anything but trivial to circumvent such potent protection), encrypt the communication that you feel you need to keep secret, and simply refrain from using ways of communication that would be easy to intercept.

Obviously, that fact is also nothing new: basically all communication in the business world that requires some sort of "secrecy" (mainly to protect business secrets from competitors) is already done this way - so you already have secure communications in place, probably by means of a VPN (virtual private network) that makes use of potentially (or in the case of the Internet: known to be) insecure communication networks to transmit only encrypted data. So these bigger companies usually have not much else to do but to revisit their already existing security policy and tighten some of the measures they already have in place to protect them against already existing "spy attacks" on the Internet (for example by prohibiting the use of detachable media on all key business applications - including the use of server based computing via terminal servers or Citrix MetaFrame - to keep both data and applications in the datacenter and not on some easy to steal or potentially easier to intercept laptop or desktop PC).

Obviously, somewhat well organized criminals and terrorists (the actual folks that the new Communications Bill is probably supposed to target) can also make use of this readily available technology to hide their intentions from a potentially "nosy" government agency - all it takes is sufficiently large financial funding, or alternatively enough bright sparks in the respective criminal organisation to implement such security measures all on their own.

But the normal PC user who perhaps only exchanges the one or other email with friends or family (be they located locally in Namibia or abroad) seems to be left out in the cold - usually with insufficient means of funding expensive hard- or software that would give him or her similar protection against people that want to spy on them - be that criminals on the Internet or Namibian government agencies that apparently think about adopting similar tactics to spy on their citizens.

With a law like this being passed, it does indeed become rather difficult to distinguish between hard-core criminals and official government agencies that try to spy on you - that's for sure. In this case though, this comes as a slight advantage to those that want to protect their communications against the prying eyes of others - as you protect yourself against criminals, you obviously also make it virtually impossible for the government to spy on you (unless of course they unleash a plethora of new regulations that would essentially require you to lay open virtually all of your communications to them - which at the very least takes them some more years to come).

So I will simply focus on keeping criminals outside of the loop of your day-to-day communications - obviously in the knowledge that each of these tips protects you and your information much more than those that are tasked to pass that obnoxious communications bill seem to have been thinking would be possible: a nice little side effect to foil the attempt of pretty much any over-zealous person to obtain more information about you than you are willing to share yourself.

Government and litigation - something that just dropped from the radar screen

One very interesting aspect of that new communications bill has so far obviously not been reviewed yet: while any government can of course pass laws that would allow them to spy on their citizens' communications, what happens if the information obtained in such a spy attack gets into the wrong hands? With no legislation that would in some way regulate the usage and obviously also the protection of such red hot data in the hands of government agencies, it seems impossible for just about any government employee involved in any such action to avoid becoming the target of extremely expensive legal battles.
After all: a company that deals with billions of Namibian dollars each year will not take it very kindly if essential business information is leaked to their competitors simply because of the negligence of some overwhelmed government official who thought it would be a bright idea to obtain that data yet forgot to think about the consequences it would have for him if that data remains unprotected on some discarded hard drive or USB stick that he then leaves behind somewhere.

As such, if you are a government official reading this - it may be time you ask your superiors some very difficult to answer questions, namely to find out what kind of policies and technical measures they have in place that would prevent you from becoming an accomplice to some truly criminal act, as you are obviously responsible for safeguarding the information you are working with (yet have no sufficient technical means to actually do so). Are you really up to that? An important question that, as I said, may be difficult to answer, depending on what specifically it is you do in your agency...

Secure your online banking

One really critical aspect of your life is probably the information on where you spend what of your hard earned cash. If you simply go to your ATM and withdraw cash to do your purchases (which is still the most common way to pay your bills in Namibia), you obviously have not much to fear - sure, you will be on surveillance cameras as you withdraw your cash, and the information about your bank account may also not be too secure as soon as the new communications bill is passed, but whether you spend the cash you just withdrew on groceries or anything else you can think of is pretty hard to track without a significant amount of expenditure for surveillance that goes beyond simply tracking your electronic transactions. But what about someone intercepting your transactions as you do them on a computer?

Granted, currently it is mainly companies that have switched to using electronic banking as a means of convenience to save some time on their banking transactions - but as that technology becomes more and more commonplace, so does the respective customer become the target of criminals that also want to have an insight into your banking details, obviously to defraud you of your hard earned cash. One major concern in bigger economies here is the ever present threat of "phishing" - the criminally fraudulent attempt to acquire sensitive information like usernames and passwords from an unsuspecting user that thinks he is logging into his online banking facility when instead he's actually only interacting with a site on the Internet that looks like the real bank - but in fact isn't.

The online banking tool (in Namibia that's most likely a Java applet that is loaded into your browser to handle the transactions) obviously also interacts with the underlying operating system of your computer: you will almost always have to type something on your keyboard and view some information on your screen - two areas that can be easily intercepted by malicious software that has made its way onto your computer long before you ever established a connection to your bank account. It is therefore considered a very good idea to use one operating system for your day-to-day work and have another operating system ready as soon as you want to do interactive online banking via the Internet (e.g. one of the many "live" distributions of Linux on a bootable CD - all of which come with more than enough tools to connect to the Internet these days, yet obviously are protected from any malware, as you can't "infect" a read-only device such as a bootable CD).
It's just like keeping your ATM card locked up in a safe while you are out and about on a wild evening, visiting all the favourite watering holes of your city: you simply don't have to be concerned that someone steals it while you are being distracted by something else. Call it common sense - or just make it part of your own personal "best practice approach" to doing business on the Internet.

One very good live Linux you could use would be Knoppix, as it comes with all the important features to secure your Internet connection: a firewall that prevents attacks from the Internet, a general immunity to viruses, trojans and spyware that were meant to target Windows machines, plus most importantly it's compatible with virtually all major banks in Southern Africa - especially the Standard Bank, First National and Bank Windhoek online banking facilities. Plus, it only costs you some time to download the image and a blank CD or DVD to install it - and you get the chance to learn something about UNIX operating systems as an extra bonus on the side, including an entire operating system to take along wherever you go, together with an entire suite of office programs - including a program that allows you to manage your entire private and/or small business accounting requirements, namely GnuCash. So in any case - it's worth taking a look.

Secure your passwords and login credentials on your PC

One big problem with many sites on the Internet even today is the fact that they do not really secure your login credentials - so if you want to make sure that nobody else reads your passwords as you log in to portals on the Internet, make sure that the site you are using does use some sort of secure (SSL) communication between your browser and their website.
You can usually establish this by looking at the bottom status line of your browser - you will find a little "lock" there, which indicates that you are using a secured connection. If you use Firefox, possibly with an extension like NoScript, you can actually see right in the address line of your browser if a site you are using is secure or not.

In any case, as you wander through the Internet, you should adopt the practice of using different username/password combinations as you go along - that of course makes life a bit more difficult, as you have to remember which username/password combination you have been using where, but since there are tools available like the Open Source tool Password Safe, you can leave such administrative troubles to your PC - the tool simply keeps a list of all your passwords and account details, which it encrypts with a "master password", which then is the only password you will have to remember.

Encrypt your data on your PC - and especially on removable media

Those nifty little USB sticks are indeed quite handy - you can keep an enormous amount of information on a device that you can attach to the bunch of your house, office or car keys. Unfortunately though, these USB keys get lost (or stolen) just as easily - and with them the information that was once stored on them, irrespective of how confidential it was. The same obviously applies to CD-ROMs or DVDs - any media that is not permanently attached to your PC will obviously leave the confines of your office or house one fine day, and as such give third parties a way to obtain information from you that wasn't intended to reach them. One good way to make it much more difficult for anyone to actually use that data is to encrypt it.
With on-the-fly encryption software such as the Open Source tool TrueCrypt, you can even establish a so called "pre-boot authentication" that renders an entire PC or laptop pretty much useless to any data thief: without knowledge of the right password, your data stays encrypted. It is a good idea to have all your removable media encrypted like that - and of course also a very good idea to secure your home or office PC or laptop like this at all times.

Establish strong two-factor authentication in your home or office

It is a fact: most passwords in use are not worth the effort it took to set them up - simply because they can be spied upon very easily, and in some cases can be obtained by "social hacking" (if your secretary knows your password - how do you know the new flirt she meets at the club next weekend won't be able to extract it from her in some "harmless" looking conversation?). One very good way to protect yourself here is to use two-factor authentication with a device that is called a "token": the password alone is of no use if you do not know the (random) token code that is displayed on a small keyring device you carry with you. At the same time, the token without the password is of no use to a thief either - all you do is get another token for yourself, deregister the one that got stolen on your network, and you're safe again.

One good tool to establish such two-factor authentication is WiKID, which you simply install on a server in your company network and let it handle the authentication from that day onwards. All you then need for your users is a USB stick (also known as a USB pen drive) on which you install the WiKID client - it then acts as an automatic token for the authentication process (meaning that compared to tokens like those from RSA, you don't even have to go through all the trouble of entering the token code). Stealing or cloning the USB token is of no use - your system simply stays secure.
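
The password-plus-token check described above, as an added example that is not part of the original post and is not WiKID's own code or protocol: a minimal server-side verifier that uses the standard HOTP algorithm (RFC 4226) as a stand-in for the keyring token. The class and method names, the look-ahead window and the lockout threshold are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code per RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TwoFactorServer:
    """Hypothetical verifier: a login needs the password AND the current token code."""

    WINDOW = 3        # assumed look-ahead, tolerates a few unused button presses
    MAX_FAILURES = 5  # assumed lockout threshold against guessing the missing factor

    def __init__(self):
        self.users = {}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # Salted, slow hash so a stolen user table does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": self._pw_hash(password, salt),
                            "secret": token_secret, "counter": 0, "failures": 0}

    def deregister_token(self, user: str) -> None:
        """Token lost or stolen: its codes stop working immediately."""
        self.users[user]["secret"] = None

    def register_token(self, user: str, token_secret: bytes) -> None:
        """Issue a replacement token with a fresh secret and counter."""
        self.users[user].update(secret=token_secret, counter=0, failures=0)

    def login(self, user: str, password: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None or rec["failures"] >= self.MAX_FAILURES:
            return False
        pw_ok = hmac.compare_digest(self._pw_hash(password, rec["salt"]), rec["pw"])
        matched = None
        if rec["secret"] is not None:
            # Check every counter in the window, without an early exit.
            for c in range(rec["counter"], rec["counter"] + self.WINDOW):
                if hmac.compare_digest(hotp(rec["secret"], c).encode(), code.encode()):
                    matched = c
        if pw_ok and matched is not None:
            rec["counter"] = matched + 1  # a used code can never be replayed
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (RFC 4226 test key)
    srv = TwoFactorServer()
    srv.enroll("alice", "correct horse", secret)
    print("password only:  ", srv.login("alice", "correct horse", "000000"))
    print("token only:     ", srv.login("alice", "guess", hotp(secret, 0)))
    print("both factors:   ", srv.login("alice", "correct horse", hotp(secret, 0)))
    print("replayed code:  ", srv.login("alice", "correct horse", hotp(secret, 0)))
    srv.deregister_token("alice")
    print("after deregister:", srv.login("alice", "correct horse", hotp(secret, 1)))
```
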

Use a server based computing environment in your office

If your applications and data are strictly kept in your office, then you stay in control over who gets to work with these applications and the corresponding data - and not some criminal or just plain "nosy" mind outside of your company. One way to establish this quickly and without the cost involved with solutions like Sun Ray is to use an open source alternative like x2go. That way, they can steal your laptop or even your home-office PC while you are on holiday - but unless they also have the chance to steal the credit card sized authentication card, they won't be able to work with your data or applications. And as a business owner you have an additional advantage too: instead of providing each employee with his or her own PC on a desk, you can share computers easily now - users can simply insert their authentication card, do their work on one PC, remove the card, walk to another PC and resume their work there. That "other PC" can for example be a computer at home - or at a branch location, even abroad and connected via a VPN to your office network.

Make sure your network is protected by a firewall and intrusion detection system (IDS)

As you lock down more and more of your data on your private or office PC and make sure that you establish security aware procedures when handling information that you intend to transport by modern communication means, you obviously narrow the big broad stream of information into and out of your office or home. But in one way or another you will remain "connected" to the rest of the world - and these days that usually means you have some sort of Internet connection via which you exchange emails and surf the Internet.
Unfortunately though, as it became easier and easier to actually connect to the Internet and retrieve information for yourself, so it became easier for criminals to retrieve information from your own PC or network - that's the problem every bunker construction expert faces: you have to be able to enter and exit that (in your case: information-) bunker somehow, and that means that the door becomes your "weak spot". In a military environment, you thus place an armed guard there, probably with some additional surveillance systems in place, so as to protect that door from being used by people you haven't invited.

On a PC and especially in a network of computers you will use both a firewall and an intrusion detection system (IDS) to safeguard your IT assets and data. If you have a spare PC, equip it with a bunch of network cards, install software like IPCop on it, and make it your "bouncer" at the gate to the Internet - and if you do not have a spare PC: think about obtaining a used older machine, as IPCop runs on pretty much everything that still runs. It also comes with a large list of available add-ons, so the security system for your network can grow as your requirements grow.

Most importantly though: the built-in intrusion detection system works pretty much like any other house alarm you know: as it raises an alarm, you are immediately aware that someone has targeted you and will also in future attempt to break into your system, so you can take all the countermeasures you deem necessary (even the most drastic: temporarily disconnect your entire network from the Internet by simply pulling the plug). IPCop not only includes an IDS, it also allows you to establish a VPN - and as such make sure that all the "road warriors" you have working for your company also only transmit information via a secure channel that is hard to break into.
Connect entire branch offices (each with their own LAN) via two IPCop PCs, and you can all of a sudden work as if all employees sit in the same office - yet actually communicate via a secure connection over the Internet.

Security is not a product - it is a state of mind

Obviously, as the threat to your communication requirements becomes more and more intense (either by half-baked communication acts or simply by more and more criminals targeting your communication infrastructure), your requirements towards the security implementations in your company or at home will change - and as such, none of the above mentioned security tips is meant to be regarded as some "fire and forget" solution that you simply drop into your network as you would drop instant coffee into your coffee mug each morning - it is a constant process that needs to be reviewed and adapted as you go along. There is no such thing as perfect security.

That said, as soon as you are aware of that fact and take precautions as you go along, there will not really be much left to truly "surprise" you - a vigilant user of communications cannot easily be attacked and overpowered by criminals or over-zealous government officials, and it obviously does not take much to protect yourself either. What AIDS-awareness is in times of HIV spreading like wildfire, a good sense of IT-security-awareness is to the virulent growth of the numbers of online criminals as well as nosy governments alike.

Think of it this way: as you protect your data, you also protect your business from being spied on even by foreign governments. After all, it's not as if the Namibian government would be the sole institution that would try to "listen in" on what you do or have to say.
As undemocratic as such actions may be (you obviously have no say at all as to what information any of these governments may be allowed to gather and what regulates the use of that data by them - they simply attempt to attack you like a bunch of pirates, hijacking your data and IT infrastructure in a way that is pretty hard to distinguish from an armed robbery - and they do so in broad daylight), as long as you do not surrender your own vigilance, you still stand a pretty good chance to stay in control.

Consequences nobody seems to think of in the Namibian government: as you gather data, you become responsible for it!

As the Namibian government then starts to collect data it otherwise wouldn't have, we can then raise a completely new discussion that targets the possible abuse of that data: cases of fraud even in the government of Namibia are well documented already, so it would be naive to assume that all of a sudden your data would be well looked after and protected from being sold by some cash-strapped government official - or that someone would now all of a sudden no longer be able to bribe his way right into the heart of the communication network of the government itself.
As such, I can already see a huge amount of legal battles ensuing with the Namibian government and their officials - after all, a company that is very much aware of its own data security can of course also pro-actively "leak" specific information that may make it as easy to trace the communication flow within the Namibian government as it would be to trace a banknote that has been stained with permanent ink: just think of well established concepts like a "honeypot" that, in a governmental organisation that already has a lot of headaches because of information leaks, fraudulent employees "dealing" with information and corrupt officials attempting to hide their deeds from the eyes of the public, actually may allow pretty much anyone (especially those that the government may have been initially targeting themselves) to turn things around and spy on the very inner operating procedures of such government organisations.

Or are they really so naive to assume that what they plan on doing would not be something one could not only effectively counteract but actually pro-actively use against them? I am pretty sure that with that half-baked communications bill they have most certainly bitten off a much larger chunk of responsibility than they can currently chew - and that may indeed turn into a rather huge disaster for the government and less for the companies and individuals they try so hard to get information about. They're just not yet aware of it, it seems...