An Anonymous Coward writes:
Speaking at the Decentralized Web Summit conference in San Francisco run by the Internet Archive, the engineer [Inventor of the World Wide Web, Sir Tim Berners-Lee] joined other internet notables including "father of the internet" Vint Cerf and Mozilla head Mitchell Baker in discussing how to strengthen the open internet as well as ensure its contents are retained over time.
"The web is already decentralized," Berners-Lee told attendees. "The problem is the dominance of one search engine, one social network, one Twitter for micro-blogging. We don't have a technology problem; we have a social problem."
[...] founder of the Internet Archive, Brewster Kahle: "Edward Snowden showed we've inadvertently built the world's largest surveillance network with the web. We have the ability to change all that."
The conference featured the developers of many tools that aim to retain the internet's decentralized nature, such as Blockstack, Ethereum, Interledger, IPFS and others.
It's not just the World Wide Web, it's the entire internet: your phone reports on your location at all times, apps on it flush contents of your phone to the owners of the app, almost all websites do some sort of tracking (most of them using Google Analytics), e-mail providers happily hand over anything to anyone asking, and the rest is vacuumed up automatically by the NSA.
On my phone I have a firewall/application control app that limits what apps can do. Even with this, I don't download and install apps that ask for everything - why should a game want access to my contacts, etc.?!
On my laptop, I have the same thing. F-Secure Client Security (an old version) has an out-bound firewall, so any applications wanting internet access, F-Secure pops up and asks me.
When at home, my DNS server has a block list from http://pgl.yoyo.org/as/, [yoyo.org] updated about once a week.
As well as the usual ScriptBlock, uBlock Origin, etc browser plugins.
Informative. Thanks. Incidentally, your link had an extra comma at the end... reposted, sans comma...
So you're only dependent on the upstream DNS servers, an insecure out-of-date F-Secure (and that is probably querying a remote server to check the "safety" of the program in question against their database), and the browser for your privacy.
This is the point. Not that you can't browse the web. But that you can't do it without the control of third-parties in the loop - everyone from ICANN to F-Secure.
Those may help. But your phone can't help reporting your location due to the simple need to connect to towers and tell those towers which phone calls it will accept. And then each app that you DO allow to accept connections re-establishes its connection with those motherships so you get your emails, text messages, game score updates, weather reports etc. etc.
The net itself is even worse, because just finding the connections that exist is extremely hard. If you can't explain every single listening or established connection shown at the top of a simple "netstat -anp" display you are probably at risk from things you never knew were running.
Then after wading through those, you realize the next piece of hardware up stream is as big a tattle-tale as your phone.
I've been thinking about what Berners-Lee and friends were saying since the article first appeared. I was thinking of submitting it, but someone beat me to it.
I've concluded that it couldn't have happened any other way. Even if encryption was built into every single connection and every single app, the net still would have ended up as a great spying machine. It's the very nature of humans to remember who they talked to, and about what, and generally when that happened. Few are so anal as to write all of that stuff down. But computers make that easy, and some of our laws make that mandatory.
So I ask, How could it have turned out any different?
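An added example, not part of any poster's comment: one way to do the audit that the "netstat -anp" remark above describes, by checking every TCP/UDP socket against a list of programs and ports the owner can explain. The sample output, the addresses and the allowlist are constructed for illustration.

```python
"""Audit `netstat -anp` output against an allowlist of expected sockets."""

TCP_STATES = {"LISTEN", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1",
              "FIN_WAIT2", "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK",
              "CLOSING"}

# Constructed sample (documentation-range addresses), not captured from a real host.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 192.0.2.20:51514        203.0.113.10:443        ESTABLISHED 2301/firefox
tcp        0      0 192.0.2.20:40022        198.51.100.7:8443       ESTABLISHED 3120/updater
tcp6       0      0 :::8080                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           701/avahi-daemon: r
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     15012    1/init    /run/systemd/private
"""

# Assumed policy for this example: the sockets the owner can explain.
EXPECTED_LISTENERS = {("sshd", 22), ("cupsd", 631), ("avahi-daemon", 5353)}
EXPECTED_CLIENTS = {"firefox"}


def parse(text):
    """Yield one dict per TCP/UDP socket line; UNIX sockets are skipped."""
    for line in text.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        proto, _, _, local, foreign, rest = parts
        first, _, tail = rest.partition(" ")
        # UDP rows usually have an empty State column, so the owner comes first.
        state, owner = (first, tail.strip()) if first in TCP_STATES else ("", rest.strip())
        pid, _, name = owner.partition("/")
        yield {
            "proto": proto,
            "port": int(local.rsplit(":", 1)[1]),  # rsplit copes with IPv6 "::"
            "foreign": foreign,
            "state": state,
            # "-" means netstat could not see the owner (not root, or kernel socket).
            "program": name.split(":")[0].split()[0] if name else None,
            "pid": int(pid) if pid.isdigit() else None,
        }


def audit(text):
    """Return (finding, socket) pairs for sockets the policy does not explain."""
    findings = []
    for s in parse(text):
        listening = s["state"] == "LISTEN" or (s["proto"].startswith("udp") and not s["state"])
        if s["program"] is None:
            findings.append(("unattributed", s))  # rerun as root to see the owner
        elif listening and (s["program"], s["port"]) not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", s))
        elif s["state"] == "ESTABLISHED" and s["program"] not in EXPECTED_CLIENTS:
            findings.append(("unexpected-connection", s))
    return findings


if __name__ == "__main__":
    for kind, s in audit(SAMPLE):
        print(f'{kind:22} {s["proto"]:5} port {s["port"]:<6} -> {s["foreign"]:22} {s["program"] or "?"}')
```

Rows whose owner shows as "-" are reported separately because netstat only prints the PID/program column for sockets the calling user is allowed to inspect.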
> So I ask, How could it have turned out any different?
That's a stupid question. That's like saying that because each of a hundred different forms of government would all fail to prevent every last murder, that being selective about your form of government is a waste of energy.
If instead of FCC-10-201 net neutrality spinning some lovely fairy tale about empowerment on the internet, including 'Sir Tim's wondrous invention, they had actually made that fairy tale a reality- Then we could have all been running our own federated home email servers, and when the NSA PRISM architects realized they would have to slurp shit straight out of all of our homes instead of just the Googleplex... Well, it would have been different. Would it have prevented every last murder? No, but it would have been quite different.
Well now - no-script is probably the single biggest thing you can do. Just stop your own computer from reporting on you. Don't allow those scripts to snoop through your browser, its settings, plugins, fonts, etc. The importance of stopping scripts really can't be over emphasized, now can it?
Cookies. Don't accept them unless they are necessary - that is, the site won't run without cookies. But, few sites are really that necessary. Right here on Soylent, the cookie is a convenience, but it's not a necessity.
Block advertising. Pretty much all advertisements today come from a relatively small number of servers. Block those servers, and they can't track you. Block Google analytics, and Google loses much of their leverage.
Blocking Windows telemetry is becoming a big thing. Windows is phoning home, and you don't want Microsoft to know anything about you.
Don't be a part of the big social network - Facebook. I know, you just almost have to have an account. Pretty much everyone has a Facebook account, and sometimes you need to check on someone. An invalid parent maybe, the kids at home, whatever. But, FFS, don't be the damned fool who posts every minute of your day to Facebook! And, trash all those Facebook apps. Each and every app is a camera and microphone into your life, with a "developer" trying to capitalize on it.
All by itself, a VPN isn't worth much. If you're accepting cookies, allowing scripts to run, and advertisers are installing super cookies to your computer, the VPN is totally worthless. The browser is identifying itself despite the VPN. But, if you're blocking most or all of the crap, then a VPN does have value. Use a cookie manager to clear those cookies - you can whitelist the half dozen that you deem necessary, and have the browser discard all the rest every several minutes, or at the end of a session.
Don't sign in to Google, or Yahoo, or any of those other "services" providers. Or, if you must sign in to make use of Gmail or whatever, use another browser to take care of all your other business. Once you're signed in with a browser, Google or whoever has a lot of access to your other tabs and windows. Use a different browser that shares no data with your signed-in browser.
Avoid those damned toolbars like the plague. Few of them have any redeeming value whatsoever - all of them "phone home" to someone.
Firewall settings. If you run Windows, especially if you run an aging version of Windows, you don't want ANYTHING coming in from the web, uninvited. Firewalls are not a bad idea for other OS's, but they are essential for Windows. Shut down EVERYTHING that you don't actually use. No vector, no spying, no exploit. If you never use FTP, just close port 21, you don't need it. If you don't close it, then the bad guys might use it against you.
Shut down any services you don't need. I've used Blackviper's tweaking advice since I found his site years ago. If you don't need that remote assistance service, then disable it. Don't be afraid to disable half of Windows services. If you're not real sure, disable that service, and run your computer for awhile - if you can do everything you want to do, then that service is unnecessary for YOU.
Best practices say that you never open an email attachment, unless you were expecting it and you know what it is. Don't click links in your email. You have little idea where you'll end up, and chances are there is a "drive-by" waiting to download itself.
Stay away from the porn sites - they have a long history of being exploited, then, in turn, exploiting people watching the videos.
Uninstall Flash. Better yet, uninstall all Adobe products. It's not that long ago that Adobe had more unpatched exploits running in the wild than even Microsoft had. You don't need any Adobe stuff - there are satisfactory substitutes for everything that Adobe publishes.
I guess that's nearly it. I'll think of something more after I click "submit" - but this is a good starter at least.
Last I heard, gossip and entertainment sites were a bigger malware vector than porn sites. It may have changed of course.
> Last I heard, gossip and entertainment sites were a bigger malware vector than porn sites.
Wait, there are people frequenting porn sites for other reasons than (a very special form of) entertainment? Or what makes you think porn sites are not entertainment sites?
I watch porn for the dialogue.
For me it's the fabulous sets and the special effects that keep me riveted.
A nice list. I would add that browsers (Firefox, Chrome) have different profiles - so use them!!
I have many profiles from the ultra paranoid, to the somewhat lax, and use the browsers for specific purposes.
I find it greatly improves the user experience, for some sites that don't work properly....you can fine tune a profile.
Oh, and I ONLY use chrome to access google crap. I use chromium for other "chrome" friendly sites...
I'm a Penguinista ;-)
> Well now - no-script is probably the single biggest thing you can do.
> Stay away from the porn sites
One of these things is not like the others...
(going to various free porn sites with NoScript and AdBlock is perfectly safe in my experience)
It's a good list, and thank you for providing it.
I would say, run Linux and you eliminate a good chunk of what you're talking about. Second, run NoScript and UMatrix and you eliminate a good chunk of the browser-based stuff you're talking about.
The real crux of the matter is the physical network stuff you're talking about. Software is easy, download it and you're done. Hardware is harder. How do you get a server in Boston to communicate with a client in Roanoke unless your info travels through a corporate- or government-controlled line?
That's a piece of the puzzle for us citizens to solve. If we can solve it, it eliminates one of the most pernicious groups of companies who oppose our freedom, the telecoms.
But it misses the point.
All of these steps are the digital equivalent of preppers, and ultimately force the hand of escalation until you are spiking directly into a line with a food bucket and 56k modem.
There are lots of different ways to do anonymity, but reducing the usefulness of a tool is assbackwards IMHO. Might as well go back to sneakernet.
Making the data worthless seems more effective long term, like if you could design a program to do random searches and visit random pages, so it becomes impossible to detect signal from noise.
Eventually tech will progress to where reliance on telcos will be less pronounced, but for this particular epoch, you might as well play along with an ace up your sleeve.
TrackMeNot [nyu.edu] works for Firefox, Chrome, and at least some derivative programs like Pale Moon.
Note that random searches are a 2-edged sword. They increase the noise level, which is good. OTOH, they may sooner or later search for "anthrax kiddie porn jihad bomb", which could conceivably attract unwanted attention. Though it's more likely to be something like "our apr nov consensus divided" (the last thing my browser seems to have searched for). Random searches have the most desired effect if lots and lots of people are doing them.
Actually, that works in your favor.
For any search, if you can prove the extension was installed, you have plausible deniability.
Same works for encryption, privacy settings, etc. (a lot of people have to use them otherwise they stand out against the traffic).
Anyhoo, best practice is assume you are being tracked regardless, and work from there.
Perfect. Thank you.
> Cookies. Don't accept them unless they are necessary - that is, the site won't run without cookies.
I tried this for a while, and it was a hassle. Instead, you probably want something like Tab Cookies [google.com] for Chrome, or Self-Destructing Cookies [mozilla.org] for Firefox. These extensions will accept all cookies from sites you visit, and then delete the cookies set by a given site once you no longer have that domain open in any tab. (You can whitelist certain domains so its cookies are kept, for logins you'd like to have persist.) You get all the functionality of accepting cookies on any site, and are subject to none of the long-term (cookie-based) tracking.
> your phone reports on your location at all times
It has done so since the invention of the cell phone. It may now also do it via the internet (and thanks to GPS, with greater accuracy), but it always did through the phone network protocol (GSM, CDMA). If it didn't, nobody could call you on the mobile phone.
While it did do that, the location was limited to the cell tower where it could find you, for technical reasons. Currently it's the exact bar/restaurant, highway, ... where you are, and I can't think of any other reasons than to invade your privacy. Added to that, this is reported to all those apps and pretty much any company that has something installed on your phone, while previously that was just the telecom provider and maybe the gov with some subpoenas.
> the location was limited to the cell tower where it could find you, for technical reasons.
Er, no. For technical reasons it was a lot less limited than that:
a) the towers always have multiple antennas, therefore the tower and the direction are known - it may only be a 120deg arc, but that is still three times better than which tower
b) range from the tower can be estimated from transmission time (my educated guess is this is less accurate in built-up areas due to buildings causing multi-path interference)
c) you will often be in range of more than one cell tower (esp. in built-up areas), and as the networks have built out this has become more and more often, this allows for triangulation
My last phone had no GPS, it could still usually get my location down to half km or better, typically dropping to 2km in rural areas. Also worth noting that they can easily tell from cell signal if you are moving and in which direction.
GPS is a better locator, sure, with GPS they know which road you are driving on and if you are breaking the speed limit, but just from the cell system they already knew which area of the city you were in and when and which direction you were going when you left.
If this bothers you (or if you think it is not worth the benefits of the cell phone system) then use burner phones, turn them on only intermittently, and burn them, often. Or just stay the f*** on the far side of the moon, which should be good for avoiding surveillance for another few years...
> e-mail providers happily hand over anything to anyone asking
Just run your own mail server, you might even learn a thing or two.
Thanks, Hillary! How's that working out for you?
he said mail server not POS MS exchange!
One thing you will learn is that it's a ridiculous pain in the ass. As one of the oldest services on the Internet you'd think it would have become exceptionally easy, but it's the opposite. It's absurd how hard it is to set up your own email server and keep it secure.
I recently did some experiments with OpenSMTP and so far it seems to be to Postfix what Postfix was to Sendmail, i.e. a whole lot less insane.
Might be worth a try if you think Postfix is hard to set up / maintain.
Another thing you will learn, aside from the ones mentioned here, is that your email exists in two places: the originator and the recipient. So guess what, unless you never email anyone from yahoo/google/msn et al. your email will still be read by them.
> So guess what, unless you never email anyone from yahoo/google/msn et al. your email will still be read by them.
Wait, sending a single email to such an address allows them to read all my email? Doesn't sound right …
Anyway, the correct solution against others reading your email is to encrypt it. But that has the problem that you can only do it if the person you exchange mails with also can encrypt/decrypt mail.
I have a typewriter and I'm not afraid to use it.
Not sure whether to moderate "funny" or "informative". Funny because a typewriter can't do much of what a computer does - but informative because modern tech cannot exploit what isn't there to exploit.
Hell - I'll go with funny.
it is terrible! if i tell how i do it then other people do it and after enough people do, "they" will find a workaround to undo and then i have to start again.
i think one example is the shitty cloud flare stuff. after enough people used (and abused) tor, the websites sought shelter. dubious at most. there might come a time of reckoning where your website has a ddos survivable time comparable to a windows xp machine that is connected to the internet. not that "secretly", maybe cloud flare has out sourced the ddos to some hackers using tor ... to the end of driving more customers to their "service"?
i think three very obvious things one can do are:
- enable cookies only for websites which are open in a window or tab. nuke the cookies when closing browser, a window or tab.
- dont stay logged in to big google, facebook etc in one tab and then surf around other sites. do your google/facebook business then logout.
- disable "referer" in browser. if clicking on a hyperlink on one site the referred-to site could query where you came from.
Hey moderators this story makes some good points, but just scratches the surface. How about some follow up stories explaining tools such as Blockstack, Ethereum, Interledger and IPFS in more details. How do they work, why do we need them, and what are their strengths and weaknesses?
That's a great idea, datapharmer. Are you up to submitting any of those? If so, please do.
Yeah I would second this. It's a clear need. If you have links/stories to help the rest of the community out, submit them. Truly.
It's not just server logs, purchasing histories, geolocation data, cookies and NSA intercepts. Technology can now recognize an individual in a crowd photo, and in an anonymous forum post like this one by writing style. We're on the grid at all times and even if we went hiking w/o a phone we could still be recognized and tracked.
Half my days I think about the above and work to protect myself, and think about how I can protect myself better.
The other half, I act like 99% of internet users and really don't give a damn who knows my browsing habits and why. I am not a terrorist or spy, and I have very very little in my life that I really care about if it became known.
And 1% of the time, I put major updates on Facebook *** because that is the only location where I know 95% of my friends and family will come to know I've been hospitalized. *** I'm almost Facebook-free, but when everybody else I know is there, then that's where I need to be.
I think part of that other half comes from my not really knowing what's at stake for me, personally. I'm serious. Imagine for a second I'm no sort of techie, I just likes hearing from my family, sharing things with them, and watching cute kitten pictures on Facebook. What's at stake to me personally / what skin is it off my nose to be the product of FB?
Alternatively, there's a different reality to behold. One example: bike across the country. You'll quickly realize how unnecessary all of this is, and how small we all are.
Benjamin Franklin started a Post Office so he could spy on mail to get the scoop for his newspaper.
Warrantless wiretaps have been happening since the telegraph was invented. ECHELON / Five Eyes, Omnivore / Carnivore and etc spying programs have always existed for every kind of communication system that exists.
The Internet didn't cause the Spy Net. It became a part of the Spy Net at its inception as a defense project for DARPA when it was called the ARPANET.
So, let's think about this. It was the desire to spy which created the postal service. And the Internet was created by governments who spy. Well, correlation isn't causation. So, if you want to think that the warrantless wiretaps are caused by spy agencies we have to disprove the null hypothesis: Technologies were invented by spies for the purpose of spying, and all other use cases are tangential to this cause.
Your move, "scientists".
Sorry but technologies get invented first, then spies co-opt and/or create their own tech to snoop on the people using it. The decentralized web is a good solution which will protect users against a lot of the broad surveillance.
So, you're saying that the government didn't invent the ARPANET?
Riiiiiight, so Ben Franklin started his post office in order to spy for his newspaper, but it was only AFTER it was constructed that it was used for spying. Gotcha.
You haven't disproved the null hypothesis at all, and I don't think you even know what the term means. You must disprove the null hypothesis in order to prove your correlation is causation. You say that non-spies create the coms tech first THEN it's used by spies. However, AT&T and other information conveyance services have been in with the state surveillance apparatus since before AT&T existed, and thus tapped telegraph lines as soon as they were installed. So, disprove the null hypothesis. Prove your statement by providing contrary evidence that innovative tech companies are not rife with spies.
Take Intel for example. Israeli chip fabrication which has ties to Mossad.
> Take Intel for example.
No use talking to idiots, you'll never convince them. The fucking company is named INTEL for fuck's sake and the morons still scoff like the idiots they are. The spies are flaunting it in their faces and laughing at Joe Six Pack's resolve not to see what's right in front of him.
Just because Intel put cellular radios on their chips allegedly for "anti-theft" protection doesn't mean it was actually meant to facilitate spying... Yeah, it probably was.
Hey, did you know electronic computers were designed for the spy task of breaking the encoding of messages encoded with mechanical machines?
> Sorry but technologies get invented first, then spies co-opt and/or create their own tech to snoop on the people using it.
It's dangerous to go stupid, here take this:
A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and powerful control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. [boingboing.net]
> The decentralized web is a good solution which will protect users against a lot of the broad surveillance.
Riiight, on processors that have been compromised by spies since their inception? I seriously fucking doubt it, mate.
What I do is use Skullcode [skullcode.com]. It's a bitch to get in unless you're a sufficiently skilled hacker, some say by design. And unless you can write code you probably won't be able to do much. However, for a certain sort of individual it can be so useful that I'm not sure how I got on without it.
There's been some talk about lowering the barrier to entry, but if eternal September creeps in it'll kill the appeal for me and many others.
Spent 10 minutes. Gave up. ¯\_(ツ)_/¯
the problem we have is that it's socially acceptable to have horrid security practices. the reason for this is obvious: it's easy to do and doesn't have an immediate negative effect on people. if we want to fix society, we need to A) make security easy and B) make bad security obvious to other people. doing this of course means building ecosystems with security in mind (which is no easy task) and possibly poisoning existing ecosystems (which is unethical).
the road forward is fraught with danger.
http://pcast.ideascale.com/a/dtd/-The-need-for-FOSS-intelligence-tools-for-sensemaking-etc.-/76207-8319 [ideascale.com]
"Now, there are many people out there (including computer scientists) who may raise legitimate concerns about privacy or other important issues in regards to any system that can support the intelligence community (as well as civilian needs). As I see it, there is a race going on. The race is between two trends. On the one hand, the internet can be used to profile and round up dissenters to the scarcity-based economic status quo (thus legitimate worries about privacy and something like TIA). On the other hand, the internet can be used to change the status quo in various ways (better designs, better science, stronger social networks advocating for some healthy mix of a basic income, a gift economy, democratic resource-based planning, improved local subsistence, etc., all supported by better structured arguments like with the Genoa II approach) to the point where there is abundance for all and rounding up dissenters to mainstream economics is a non-issue because material abundance is everywhere. So, as Bucky Fuller said, whether it will be Utopia or Oblivion will be a touch-and-go relay race to the very end. While I can't guarantee success at the second option of using the internet for abundance for all, I can guarantee that if we do nothing, the first option of using the internet to round up dissenters (or really, anybody who is different, like was done using IBM computers in WWII Germany) will probably prevail. So, I feel the global public really needs access to these sorts of sensemaking tools in an open source way, and the way to use them is not so much to "fight back" as to "transform and/or transcend the system". As Bucky Fuller said, you never change things by fighting the old paradigm directly; you change things by inventing a new way that makes the old paradigm obsolete."