Snowden's Tough Advice For Guarding Privacy
While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are the three companies he names as ones to drop. A small slice:

He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.
Don't avoid them (Score:3, Insightful)
Google and Facebook make our lives easier in many ways. Just understand that what you say is not truly private and use common sense about what you post there.
Re: (Score:3, Interesting)
Wait... what?
Okay, I get how Google makes our lives easier (as far as searching and maps go). I get how CamelCamelCamel telling us where the cheapest thing to buy is and when makes our lives easier. I get how that little thing that helps you find the cheapest local gas station makes our lives easier. I totally get how email does. But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!
Re:Don't avoid them (Score:5, Insightful)
But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!
Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed. For the hoi polloi, it's an effective "one stop shop" to communicate with each other.
Re: (Score:2)
Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed.
When you use the word "arguably", it means both sides of the argument may have validity. Are you really going to try to argue that FB ranks *anywhere* near TCP/IP (and tools like SMTP, NNTP, FTP, ...)?
Kids these days.
Re: (Score:3)
You see, there are these things called friends. They are other humans we like to interact with. Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.
Re: (Score:2)
Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.
There were many solutions to that problem before Facebook, and there are still many solutions to that same problem today.
Re: (Score:2)
And you're still a fucking idiot. People like simplicity, and ease of use. Facebook/G+ make that REALLY simple for them.
No, they're not (still a fucking idiot). You're delusional. What's hard about email, for instance (from the user's point of view)? Okay, if you're stuck using Win*, it's a !@#$%, but that's not email's fault. *Everything* on Win* is a !@#$%.
You're on /. how long, yet you've not bothered to listen to (read) the *many* discussions *many* forums have been reporting on this over the years, or bothered to research this ancient (in "Computer/Software Years") topic?
Correct me if I'm wrong but /. has a search f
Re: (Score:2)
Any grandmother with an account on facebook could tell you how much easier it is to see what's up with their grandkids via facebook.
My mother (a grandmother) would argue that with you. She was quite happy with email and despised FB. When lazy brats like you decided a spam email or two a day was too much to deal with and gave up on email in favour of FB, she was disgusted.
It's hard to believe that we're *still* arguing about this on /.
Re: (Score:2)
Do you actually have something to add to the conversation, like why what I said is a terrible idea?
If you insist. It's been common knowledge for a long time that FB is not your friend in any way. Their product is their users' data (sold to advertisers & etc.). Now, we even have Snowden's insider view of the NSA confirming they're in no way protecting their users' data. With all the !@#$ that's been going on with NSLs and AT&T (et al) coughing it up for nothing more than a demand written on a Post-It note, everyone on-line world-wide ought to be horrified.
Most of us didn't need Snowden to conf
No technical solution for a social problem (Score:5, Interesting)
Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.
Re: (Score:1)
Of course government can read my e-mail. All they have to be is waterboard me.
But, but, Obama, he promised change, man!</whiny-hippie-greybeard>
Re: (Score:2)
Of course government can read my e-mail. All they have to be is waterboard me.
"All they have to do"? Doing that to everyone would take forever. The point is to make sure they have more trouble automatically gathering everyone's emails.
Or install enough camera in public places to capture my unlock pattern.
Nice pseudoscience. And this would still be more difficult than what they're doing now.
There are indeed technical solutions to some social problems.
Re: (Score:2)
Forever? Just round up people based on nationality, participation in a protest or a house of worship. Then carry out waterboarding in public view, giving each person in line a choice to spill the beans or experience waterboarding and then spill the beans. Should take no time at all. Regimes far less wealthy than the US have been doing a great job keeping tabs on their citizens with good old secret police work rather than tech. Whether we allow that, or Prism, or consequences of no secret surveillance at all is re
Re: (Score:2)
The question is what we allow the government to do
Or maybe the question is what the government allows you to do. In the US, they won't allow a 3rd party, for starters. And the two remaining parties have a great deal of overlap regarding surveillance.
Re: (Score:2)
Re:No technical solution for a social problem (Score:4, Insightful)
Of course government can read my e-mail. All they have to be is waterboard me.
Wrong.
I can't understand why people are so confused about this. It has nothing to do with government needing to resort to extreme measures to get its way.
All it takes is a warrant. People have been getting warrants for close to a thousand years. Getting a warrant is not hard. Getting a warrant is a routine part of professional law enforcement. Nowadays getting the warrant is actually easier than all the theatrics they're doing instead. All these efforts to circumvent constitutional guarantees (in multiple countries) are about making the political statement that the government is above the law. It is intimidation with no constructive purpose. Citizens are worse off not just because it violates their rights, but also because it encourages sloppy police work.
Re: (Score:2)
Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.
After a mental debate about the pros and cons of NSA surveillance, I have reached some conclusions.
With total secured data and transmissions, businesses have the confidence that what is private to them remains so.
With total secured data and transmissions, criminals have the confidence that what is private to them remains so.
With total secured data and transmissions, NSA have the confidence that what is private to them remains so.
With total secured data and transmissions, terrorists have the confidence that
Re: (Score:2)
Uh, no. What has been screamed about is that meta data collection is happening on a broad scale
Methinks someone doesn't understand what dragnet means.
Taking it a step further (Score:5, Insightful)
Simply avoiding Facebook, Google and the rest isn't going to serve much. Because that makes you stand out, too. Use them. Fill them with enough goody-two-shoes garbage that you're uninteresting enough. Invent some innocent hobby or two for you to have so you can fill that page with something. Invite friends (whoever you run across will do, just make sure that they're not in some way "odd").
The important bit is just to keep your real life apart from your official one. And yes, before you ask, your work belongs on the "official" side. Along with your official family and everything else that can easily be connected to you with existing data. Don't try to hide what can be proven to belong to you.
And yes, 10 years ago I would have agreed that doing something like this means your tinfoil hat is sitting too tight. Today, I ain't so sure anymore...
Re: (Score:2)
hardly new (Score:2)
People have always been suspicious of people who were different. And people have always had to keep some things secret from their neighbors.
Despite all the beating of chests, I think we are probably better off today than ever before. Many things people used to be able to blackmail you with (homosexuality, extramarital affairs, illegitimate children, bankruptcy, atheism, whatever), people don't give a f*ck about anymore. Furthermore, none of the NSA or CIA bullshit is new, but finally, people are finding out
Re: (Score:2)
The abandoning privacy argument. If you believe the government already considers you very suspect, better that they can find out everything about you, which is nothing, and make it easy for them. Rather than protecting your privacy and making it very difficult for them, so they end up wildly overreacting and placing you in the life-threatening situation of a search-warrant SWAT team.
The catch with that, is they want to believe. They will believe that all the information they easily find about you is fake and
Re:Taking it a step further (Score:5, Funny)
I'm not so sure about psychic abilities, but statistically aliens are almost a certainty. The real question is: are they amongst us?
Am I flagged as a harmless nutter yet?
Re: (Score:2)
This is an interesting premise, especially for I.T. workers. For everyone else, there's enough computer illiteracy and lack of access, (and apathy) that such a diversion isn't necessary. I think you can also draw a sort of curve, given to the age of people and what is expected of them in terms of computer literacy. That age curve also provides a relative form of plausible deniability. But IT workers are screwed in this way.
Re: (Score:2)
Especially if you're an IT worker in the area of security. You needn't wonder if there is a file about you. There near certainly is. You're after all potentially dangerous, you know how "it" works.
Re: (Score:2)
Isn't it incredulously absurd that engaging in this spy-game double life nonsense has actually become a completely rational behavior?
Fer crissake I just wanna live my life with a reasonable expectation of privacy.
Re: (Score:2)
The price of privacy is eternal vigilance...
Re: (Score:2)
Since governments prefer fucking idiots since they're easier to control, I prefer them to see me as a fucking idiot.
gpg (Score:5, Informative)
gpg, when you can.
To encrypt, but have the encrypted output be encoded as text (so it can be copy/pasted into an email):
gpg --symmetric --cipher-algo AES256 --armor example.txt
(gpg will then ask for a passphrase; make it long and as random as possible, with upper and lower case letters, a punctuation mark, and a number)
TO DECRYPT
gpg example.txt.gpg
Steve Gibson has a very cool Internet resource for helping people learn about password strength: https://www.grc.com/haystack.h... [grc.com]
Per the haystack page:
Example passphrase = search space size
64 characters of hex = 4.13 x 10^99
63 characters of hex, plus adding a punctuation symbol = 4.93 x 10^117
62 characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126
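The three Haystack figures quoted above can be reproduced from the size of the character classes a passphrase draws on. This is an added example, not code from the post's author or from GRC; it assumes Haystack's class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) and its convention of counting every candidate of every length up to the passphrase's length, and it goes one step further by turning the search space into a worst-case exhaustion time at an assumed guess rate.

```python
import string

# Character-class sizes as the Haystack page counts them (assumption based
# on the three figures quoted in the post): hex digits count as lowercase
# letters plus digits, i.e. a 36-symbol alphabet, not a 16-symbol one.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def alphabet_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must assume once they know which
    character classes the passphrase uses."""
    return sum(size for chars, size in CLASSES.values()
               if any(c in chars for c in passphrase))


def search_space(passphrase: str) -> int:
    """Exhaustive-search size: every candidate of length 1..len(passphrase)
    over the inferred alphabet. Exact, using Python's big integers."""
    a = alphabet_size(passphrase)
    return sum(a ** n for n in range(1, len(passphrase) + 1))


def as_haystack(n: int) -> str:
    """Render a big integer the way the post quotes it, e.g. '4.13 x 10^99'."""
    exp = len(str(n)) - 1
    return f"{n / 10 ** exp:.2f} x 10^{exp}"


def crack_seconds(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at a given guess rate.
    The rate is a constructed assumption, not a measured figure."""
    return search_space(passphrase) / guesses_per_second


if __name__ == "__main__":
    # Constructed passphrases matching the three rows quoted in the post.
    hex64 = "0123456789abcdef" * 4
    rows = [
        ("64 hex", hex64),
        ("63 hex + symbol", hex64[:63] + "!"),
        ("62 hex + symbol + upper", hex64[:62] + "!A"),
    ]
    for label, pw in rows:
        print(f"{label:26s} alphabet={alphabet_size(pw):3d} "
              f"space={as_haystack(search_space(pw))} "
              f"years@1e12/s={crack_seconds(pw, 1e12) / 31_557_600:.2e}")
    # Swapping one hex digit for a symbol grows the search space by ~10^18
    # without making the passphrase any longer: the alphabet the attacker
    # must cover, not the length alone, drives the figure.
```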
Re: (Score:2)
62 characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126
Nice. However, the devil's in the details. We're often told that strength of the algo won't out anyone. Social engineering or stuff we haven't considered will, and the latter's complicated. My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?
If this's non-simple for a geek like me, how's my (late) mom going to handle it?
Re:gpg (Score:4, Informative)
My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?
Via some quick googling:
Generate the revoke certificate (you can keep this stored until you need it)
gpg --output revoke.asc --gen-revoke KEYID
Import the revoke certificate when you want to revoke the key.
gpg --import revoke.asc
Send the updated pubkey to the keyservers.
gpg --keyserver KEYSERVER_ADDRESS --send-keys KEYID
Re: (Score:2)
I know it's bad form to reply to self...but you can do all of the above in a GUI like Seahorse too.
Re: (Score:2)
Tell that to computer illiterates who don't know command lines. ;)
Re: (Score:2)
You can use gpg without command lines. In fact I created my key using "GPA" (Gnu Privacy Assistant), because I couldn't get enough entropy on the command line for some reason.
Re: (Score:2)
To encrypt, but have the encrypted output be encoded as text (so it can be copy/pasted into an email):
gpg --symmetric --cipher-algo AES256 --armor example.txt
There's no need to go to the command line to encrypt an e-mail. Just use a proper e-mail client that supports GPG/MIME.
Re: (Score:2)
I get mail from Navy friends signed with a DOD-issued cert, and we can communicate securely with no difficulty at all. I got my 70-year-old mother using it on her iPad, no problems. I'm astounded that it isn't more popular.
The cert thing is the problem, because the cert is usually installed into the web browser and then you have to export it from there and then import it into the client. Then there is getting the pubkeys. S/MIME doesn't use keyservers, so basically to send someone an encrypted mail, they have to send you a signed mail first.
can be subpoenaed for their data (Score:1)
Um, so what was the encryption for again?
Re: (Score:2, Insightful)
Mainly to make the authorities go through the front door, you know, as the constitution says they should.
They hate having to follow that old rag's commandments though.
Re: (Score:2)
Too bad any long-distance wireless frequencies are regulated and would result in breaking the law with very stiff fines and possible jail sentences. Plus you could be sued by the big telcos for interfering with their paid-for air-waves. Even ham radio does not allow noise or encryption to be transmitted over the radio waves.
You can always use an encrypted VOIP service I suppose, but technically that is controlled as well, not to mention that the NSA is also developing/buying 0-day exploits so they can b
Welcome to the world of the social (Score:1)
Keep your communications limited.
Only talk to people you need to talk to.
PGP, Encrypt, Key-pass, everything, I mean everything.
Hide it all from any networked service
Once a security hack that worked for his former employer, my takeaway from his recommendations is:
a. hide your cash in your mattress--then again cash has serial numbers (even bitcoin sort of...). Convert to gold.
b. put on your tin foil hat.
c. don't talk to anyone.
BUT what he doesn't realize is... if you want to be a part of any society:
a. Com
stupid (Score:4, Insightful)
His advice is so stupid that I'm really beginning to wonder whether he is still working for the NSA. It's not only inconvenient, it actually puts you at a greater risk.
Computer security is really not that different from physical security: locking up everything from everybody is a lot of work, inconvenient, and expensive.
For most things, Google and Facebook are perfectly fine. Hysterical avoidance of them is not only inconvenient, but switching to supposedly more secure services will either make you appear suspicious, or you may simply be running into the open arms of some intelligence service that is using those services as a front.
Information you don't want to fall into the hands of criminals, you should encrypt; online storage may be fine for some if you are good about encryption and it's not that critical. For really critical information, use local USB drives or paper.
Is there information you don't want to fall into the hands of government? Yes, even if you are law-abiding. You want to avoid being a false positive on some witch hunt for terrorists or drug offenders, and you don't want to give corrupt prosecutors the ability to blackmail or pressure you into admitting things you didn't do. So, keep your Magic Pony gay porn collection off the Internet and encrypt it, keep your medical information on paper, and purchase your fertilizer and cold medication with cash when you can.
How about all of them? (Score:2)
Everyone seems to be collecting data even /.. :(
Is this where they dangle a puppet? (Score:5, Insightful)
Is this where "the man" dangles a puppet in front of your eyes so you forget about everything else? Say I never used facebook, dropbox and google and steer clear. Now "they" only have phones, credit cards, bank statements, anything I get shipped, plane stubs, hotel reservations, car license plates, cell- and/or smartphones and a bazillion other things to know exactly what I ate last Tuesday and to violate my privacy which, judging by the attention wh**ing online, nobody cares all that much about anyway it seems.
Re: (Score:2)
Spot on. Social apps are the least of the problems.
Add in databases of criminal records, medical records, etc, etc.
As people are wont to say about the TSA, dropping out of social media is just security theater.
Not that tough (Score:2)
Re: (Score:3)
The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge. Apple's new policy changes nothing.
Re: (Score:2)
on phone, passphrase. on iCloud, not really encry (Score:5, Interesting)
On the device, the data that is encrypted uses a key derived from the password or pin. This is very similar to how you'd encrypt any local file. Anything you can still get to after forgetting your password and resetting it obviously was not encrypted with that forgotten password.
On their cloud, some things are technically encrypted, but the encryption isn't very effective. Anything you can access via their website or apps, including email and photos, they have access to. Email is a good example: their web site shows you the To, From, and Subject lines of the messages, so obviously their server has access to read the emails.
In general, encryption of live, working data on a server is _often_ largely security theatre. Sure, if a bad guy physically broke into the datacenter and walked out with the server, the encryption of the disk would make it hard for him to access the data. As long as the server is up and running, any data the server can access can also be accessed by a hacker with a presence on that server. In these cases, the key is for one of the server's disks, so it's generated by Apple and probably sitting on the same server where the data is. With tens of thousands of servers, you don't have human beings walking around typing in passwords, so the key needs to be on the server. If the hacker is in the server ...
The data is encrypted in transit via ssl/tls. For that time period, it's encrypted via tls/ ssl. First Apple's ssl key is used, then a per-connection key is generated.
Holes, where the data is not encrypted at all, and there is no key, occur at transition points. The web server takes the ssl encrypted data, decrypts it, and hands it off to the storage layer to be "encrypted" on disk. Quotes are on the disk encryption because, as discussed above, the encryption on disk is largely illusory. Similarly with the transition from your phone to the upload to the server. Your phone decrypts it with your key, encrypts it with the ssl key, and then sends it to the server.
Those transition points in which the data is unencrypted are vulnerable points which are targeted for attack. I've confirmed at least one case where I've seen the transition point on the server compromised. Fortunately, I _think_ I may be the one who tapped the data and logged it at that point, for debugging and recovery purposes. I forgot to turn off the logging when we went into full production, I think.
Re: (Score:2)
The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge.
I fail to see how it would be "easy" for a third party to access a file on my cellphone without my knowledge. If they do it with my knowledge, then they need a warrant, and have to go through proper legal channels.
Apple's new policy changes nothing.
It seems to me that Apple's policy, along with the policy changes by other big tech corps, change everything. Pervasive encryption is coming, and coming fast. These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing the
Re:Is this counting Apple's new encryption scheme? (Score:4, Insightful)
they need a warrant, and have to go through proper legal channels.
I take it you've been living under a rock for the past decade.
Re: (Score:2)
I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.
Re: (Score:2)
I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.
Step 1: You are pulled over while driving for .
Step 2: Cop determines that you are acting suspicious and refusing to comply with his orders.
Step 3: Cop tells you to step out of the car, puts you in handcuffs, empties your pockets, and searches your vehicle.
Step 4: Cop takes your phone and plugs in AutoFascist 3.0 device while you watch, pressed up against the hood of your own car.
Step 5: "Thank you, Officer."
Re: (Score:2)
These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing them billions.
*Golf Clap*.
You pathetic moron. You think Apple or Google umbrage is going to stop NSA suckage? Ho. Ly. ...
Re: (Score:2)
Hmm... the key is NOT on the phone. I don't understand Snowden's comments or yours. The iOS file system is encrypted, and if you use a decent length pass phrase it should be unhackable. No?
Re: (Score:2)
if you use a decent length pass phrase it should be unhackable. No?
Only if you're naive enough to believe that a keylogger can't be installed surreptitiously.
Re: (Score:2)
They never had the keys in the first place. What they have done is to enable more things to be covered by encryption.
Re: (Score:2)
This encryption is only useful if the phone was never unlocked after the authorities got suspicious of you. The moment you unlock, it connects to the carrier, the baseband downloads the rootkit (or they use one of the various other backdoors they have), and the authorities get the key, and any other phone content they wish.
Re: (Score:2)
In the interim, while you crazies are arguing the difference between deflagration and detonation, the kid's head falls off.
I hope you are happy with yourselves.....
Re:Is this counting Apple's new encryption scheme? (Score:4, Insightful)
Here is the rub:
A company breaks up a key into pieces and says that no single division or part can decrypt data.
However, with the proper "encouragement" via a government (similar to how India "encouraged" RIM to give them access to BIS servers), the data can still be obtained. iPhones are quite closed devices, and in theory (mind you, this is theory), Apple could push some code to the phone belonging to a person of interest that would either install a backup key, pull the key out, or download data in the background.
Android, similar... but with Android, there are so many different ROMs, phones, and configurations out there that it would take some doing and not just typing an IMEI number, click "spy", and be done with it. It is quite possible, but not as easy.
Do I trust Apple? There are other big companies who have started to play policeman and actively sift through their subscriber data and hand things over without being told to do so. Apple doesn't actively do the virtual equivalent of going through one's belongings with a fine tooth comb, then bringing in the police if something illegal is found under a couch. There is already enough fighting to keep government powers at bay. Having private companies act as another police force is unacceptable, no matter how noble their aim.
Would I stay at a hotel knowing that my stuff there will be sifted through for anything illegal, and my phone calls taped and actively listened to for any activity? Nope. I'm sure the "do you have anything to hide" argument will be brought to bear, but if the company storing my data is now someone actively trying to find a way to cause me legal issues, I'll take my business to another place that doesn't do that. I feel that Apple hasn't tossed anyone to the wolves, so they are probably a lesser evil in this department, although who knows where their data ends up, as their devices are made in China, and the Chinese government has just as much say in what goes into them as Tim Cook does.
Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.
Another example is Thailand's lese majeste laws. A US citizen who poked fun at Thailand's leaders can be deported there, even though the person was never in the country. Having a private company look for these types of things, items that people never thought of, and then getting arrested and shipped overseas to stand trial in a country they have never even seen is something that is inevitable. Someone may be a 100% law-abiding person in the US and have nothing to hide... but with extradition treaties, they might be breaking laws in a country they have never heard of and can be hauled off for that (Kim Dotcom, anyone?). So, privacy is a must.
Do I trust Facebook? Rule 1 of the Net. Don't put it up unless you want the local DA, Feds, and your worst enemies seeing it. With that in mind, plus common sense partitioning (run your FB Web browser in a sandbox or container separate from everything else), FB is tamable. It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)
Do I trust Google? I use their services, and have found that Android is well written. Even the disk encryption is decent, especially if you separate the dm-crypt partition passphrase from your unlock PIN, making your /data partition extremely tough to brute force open. I'm not really worried, as they are not any worse or any better than other places.
Do I trust Dropbox? Similar to above. Neither worse or better. However, I do pack my own parachute and use Boxcryptor (not 10
Re: (Score:1)
Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.
I don't think that's what extradition agreements are for.
Re: Is this counting Apple's new encryption scheme (Score:2)
US extradition treaties only cover actions that are crimes in both countries, which means that the only crimes you could be extradited to Saudi and beheaded for are drug offenses.
factually false (Score:2)
The US does not have an extradition treaty with Saudi Arabia.
http://en.m.wikipedia.org/wiki... [wikipedia.org]
The US treaty with Turkey is first limited to crimes which BOTH countries consider felonies. That requirement is on page 1.
Then there's another 20 pages of requirements for it to apply.
New Zealand has treaty, money laundering, racketee (Score:2)
New Zealand does have an extradition treaty with the US, and recognizes money laundering and racketeering as felonies.
The precise opposite set of facts vs GGP's imagination.
Re: (Score:2)
Search: duckduckgo
Email: numerous options
App Store: isn't a benefit of android that there can be many app stores? Alternatively, use iOS.
It's not that hard to get away from goog (or fb, for that matter).
Re: (Score:1, Interesting)
Apple isn't any better than google.
[citation needed].
1) All iOS devices are encrypted such that even Apple can't access.
2) After #Celebgate apple rolled out 2 factor authentication throughout the OS and services.
3) iMessages and Facetime are encrypted end-to-end, so even apple can't access them when they're on the server.
4) apple's business model is not to spy on their users in order to make more money from them.
5) if you look through all the NSA leaks and all the hacker actions, none of them have been able to penetrate a iOS device that is
Re: (Score:1, Informative)
Re: (Score:1)
Neither are more secure than the other and that's a fact and will always remain a fact so long as humans are using these devices.
I agree, in a sense if a human is in the equation then there's always going to be an element of insecurity. But one choice can still be more secure than the other.
Nevertheless, everything you've listed is also available on android devices so I fail to see what point you're trying to make?
Now you're just trolling. Of the five things I listed, number 2 -- 2-factor authentication -- is on android as well. But numbers 1, 3, 4, and 5 are all iOS or apple specific and definitely not on android.
Re:No Google (Score:5, Insightful)
You need to take Apple at their word for most of those. There's proprietary hardware and binaries in the mix. There's no independent outside audit. Your level of trust is disturbingly naive in an era where corporations and governments lying to citizens is the norm.
Apple may well be telling the truth about all of them. But to put actual trust in it is fanboiism itself. Right now, you can't trust much of anything. In short, we're stuck between a rock and a hard place. We need to get work done, to interact with others, to be productive in general--but the best options available to us are lousy.
Trust comes at a high premium and isn't given lightly.
Re: No Google (Score:2)
Exactly how does that custom ROM get installed??? Does it require modification of a device? Hardware modifications are not stock, are they? Are these devices readily available from a major supplier or must they be custom ordered?
There has been no reported successful hack of iOS devices to install malware where the device wasn't jailbroken. If you know otherwise, please provide relevant links? This can not be said of Android.
Now, what happens on the backend is open to interpretation and subject to debat
Re: (Score:2)
The hack you posted is not an exploit of the phone - it was a hack against one of the services provided by iCloud. The phone, itself, was not compromised.
There was a report of spyware that could be installed on an iPhone - it required a jailbreak to install. It could not be done OTA and without physical access to the device.
Replacing a ROM chip is both a software and hardware modification. It is not stock, is it? So, out of the box, which platform is more secure at this time?
Now, once you modify the dev
Re: (Score:2)
http://www.cnet.com/news/fbi-q... [cnet.com]
Somewhere between a tame telco, tame hardware, tame software and the "Communications Assistance for Law Enforcement Act" https://en.wikipedia.org/wiki/... [wikipedia.org]
an average user's GPS, voice, text, images, voice print and all other cell-related data will be as easy to get as always.
An average user might be sold on the idea that some user data is protected from wider outside network man in the middle efforts but tha
Re: (Score:2)
Recent major security blunders with open source software beg to differ.
Re:No Google (Score:4, Insightful)
But I know that there are people working with the source code. An obvious backdoor would have been found, i.e. by the CyanogenMod people, so it needs at least to be more subtle.
Re: (Score:2)
It's not about the obvious backdoor. It's often about the random number generator used for generating keys. Maybe that keyspace is smaller than you think.
How many of the e.g. CyanogenMod people collect a paycheck from the NSA? We've seen very subtle flaws in open source code that looked plausibly like a typo, but weaken security just enough for a powerful attacker while remaining secure from a script kiddy.
Not like it's just open source. Trust was lost for the hardware RNG in Intel CPUs (I'm not sure th
Re: (Score:2)
Security is just not black and white.
For open source you have the chance to see something; with closed source you do not have it.
The only argument could be that flaws in open source can be found more easily by the bad guys, because of the open source. But I doubt it, at least for these not-so-obvious ones.
I think stuff like the Debian SSL bug was known by the NSA. But not because they read the source, but because they collected A LOT of SSL keys. So it's like blackbox testing.
Re: (Score:2)
Are you looking at the code? I don't think that's relevant.
Companies like Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws - well-trained people whose day job is to do just that.
The once-believed advantage of open-source was that companies might be in bed with the NSA, putting flaws in deliberately, but open-source projects wouldn't be. Turns out, not so much. Both groups are just as vulnerable to malicious insiders, and both are filled with te
Re: (Score:2)
> Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws
Same for big open source projects.
And now show me a case of a malicious insider in an open source project.
Re: (Score:2)
It's hard to google pre-heartbleed OpenSSL flaws, but there were some serious, subtle flaws in OpenSSL that looked remarkably like typos. After the NSA leaks, there's no doubt: someone committed those flaws deliberately. And the NSA leaks showed a large and well-funded program to do just that: to subvert every public cryptographic tool and standard in subtle ways, vulnerabilities that left tools secure unless you knew about the backdoor (which is particularly pernicious, as when the backdoor is inevitably
Re: (Score:2)
Yeah, I suspect the NSA infiltrates BIG projects like OpenSSL as well. But I fear closed source the same. The only difference is that commercial (!= closed source) software can easily be affected by an NSL and that open source (which may be commercial as well) software can be read if something is suspected. And you can patch as soon as possible without waiting for a patch day.
Re: (Score:2)
With open source, you can start making your own version and modifications
That is the one real advantage. It's not cheap or easy. It's not going to be a hobby project. But it's possible.
The replacement of OpenSSL, the TrueCrypt audit and fork. That's where you see open source step ahead.
We already have countless pieces of evidence of companies being in bed with the government
There's a big difference between a company giving data to the government -- security doesn't enter into that -- and adding deliberate flaws to security products. There hasn't been much evidence of the latter, though wasn't RSA tainted? The bigger worry with proprietary security products is
Re: (Score:2)
I know of at least 2 very big projects that have backdoors injected in them and no one has a clue.
Really? Well, it's free software, so either inform someone or get cracking. I see you're being very vague about this.
Re: (Score:2)
And in closed source software, you do not even have the chance to see the backdoor.
Re: (Score:2, Interesting)
Careful who you're calling "imbecile" there. Reading source code doesn't do a damned bit of good unless every line of code on your machine was built *by you* from the same source you audited, using a known good compiler. Every executable, every driver, every library, every damned line of code that executes on your hardware.
Re: (Score:2)
The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so.
Almost no one but the actual developers of the project read the source code. Software projects are so large these days that people seldom wade through the multiple thousands lines of code just for fun.
Here's an experiment people here can do: download the source code of some small project and read it thoroughly. Just try what it feels like. Understanding how the program actually works can take a surprisingly big amount of time.
Do that experiment now.
Re:No Google (Score:5, Insightful)
Google analytics and ads are everywhere so even if you don't directly use their services like Search and GMail, you are still being tracked by them.
Also, your browser sends referrer headers which tell whatever site you're visiting where you came from. Your browser + browser plugin profile can be used to narrow down who you are even behind Tor. Browser plugins like Adobe Flash save their own set of cookies separate from regular browser cookies.
If you use the Internet, you're being tracked. You may be able to help yourself be tracked _less_ by taking some precautions, but that's about it, I think, for the average person.
I used FB for years before finally closing my account down. No doubt that data will stay in their system forever. Like a drug, better to not start at all than to have to quit.
Basically it boils down to: law enforcement are going to do what they're going to do. I know I'm being tracked, I try and keep my nose clean, and whatever happens happens. I'm not going to live my life all paranoid.
Re:No Google (Score:4, Interesting)
Re: (Score:2)
That's actually a really cool site, thanks for this. The user sets his name set. The name sets are what you expect: American, Hispanic, German, etc. But they also have hobbit. My new name is Tomburän Mugwort.
Re: (Score:2)
irony: to login you should use a google account.
Re: (Score:2, Informative)
That only has a limited effect. https://panopticlick.eff.org/ This is one of the SIGNIFICANT downsides of being a geek. Running Linux, alternate browsers, having unusual plugins, etc. all make it very easy to identify your particular machine on the 'Net.
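An added example, not from any poster in this thread or from the EFF, of the measurement behind the browser-profile tracking and Panopticlick remarks above: hash the attributes a site can observe into a fingerprint, then score how identifying that fingerprint is across a population of browsers. The population, user-agent strings and plugin lists are constructed for illustration.

```python
"""Browser-fingerprint surprisal, Panopticlick-style (added example).
The browser 'population' below is constructed; real surprisal values
come from measured traffic, not from this toy set."""
import hashlib
import math
from collections import Counter

# Attributes a site can read from request headers or via scripts and plugins.
FIELDS = ("user_agent", "accept_language", "plugins", "timezone", "screen")

def fingerprint(profile):
    """Hash the attribute values, in fixed order, into a stable identifier."""
    blob = "|".join(str(profile[f]) for f in FIELDS)
    return hashlib.sha256(blob.encode()).hexdigest()[:16]

def surprisal_bits(profile, population):
    """-log2 P(fingerprint): bits of identifying information the profile leaks."""
    counts = Counter(fingerprint(p) for p in population)
    return -math.log2(counts[fingerprint(profile)] / len(population))

def attribute_entropy(field, population):
    """Shannon entropy (bits) of one attribute across the population."""
    n = len(population)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(p[field] for p in population).values())

def unique_fingerprints(population):
    """Number of browsers whose fingerprint occurs exactly once (fully identified)."""
    return sum(1 for c in Counter(map(fingerprint, population)).values() if c == 1)

# Constructed population: 12 stock Windows/Chrome users, 3 stock Mac/Safari users,
# and one Linux user running an alternate browser with unusual plugins.
STOCK_WIN = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/37.0",
             "accept_language": "en-US", "plugins": "Flash,Java,PDF",
             "timezone": -300, "screen": "1366x768"}
STOCK_MAC = {"user_agent": "Mozilla/5.0 (Macintosh) Safari/7.1",
             "accept_language": "en-US", "plugins": "Flash,QuickTime",
             "timezone": -300, "screen": "1440x900"}
GEEK = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
        "accept_language": "en-US,de", "plugins": "Gnash,IcedTea,mozplugger",
        "timezone": 60, "screen": "2560x1440"}
POPULATION = [STOCK_WIN] * 12 + [STOCK_MAC] * 3 + [GEEK]

if __name__ == "__main__":
    for name, p in (("stock Windows", STOCK_WIN), ("Linux geek", GEEK)):
        print(f"{name}: {surprisal_bits(p, POPULATION):.2f} bits")
    print("fully identified browsers:", unique_fingerprints(POPULATION))
```

The stock profile blends into a crowd of twelve and leaks under half a bit, while the unusual Linux profile is the only one of its kind and leaks the full log2(16) = 4 bits; on a real population the same effect is what makes a distinctive setup easy to recognise across sites.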
Re: (Score:3)
Blocked in my 'hosts' file. See: http://winhelp2002.mvps.org/ho... [mvps.org]
Re: (Score:2)
Re: (Score:2)
Sadly, Opera 12.x breaks more and more pages these days :(
No Google (Score:2)
Free is not free (Score:3)
Re: (Score:3, Informative)
Try startpage.com. It uses results from Google, but isn't Google. As far as I can determine, they don't log anything you do.
It also happens to be the default search engine of the Tor browser, which should say something as it goes way out of the way to make sure your activity is completely anonymous.
Re:No Google (Score:5, Interesting)
As far as I can determine
But what's that worth? They're pretty much silent on their internal operations. Who owns them? Who runs them? What does their infrastructure look like? How about their business model?
I don't trust any of the search providers as far as I can throw them. If you've got to make a search and you're worried, do it over a public network somewhere else with a spoofed mac and/or over Tor (for starters). Start by locking down your box and then lock down your habits.
Re: (Score:3)
... it would be like having to constantly avoid highways and grinding your way through crumbly outback routes.
Really? Other than youtube, I don't think I've bothered with google in years. ixquick is a reasonable search engine (and there are others as good). It even has a google gateway, and it's https. mail.com (among others) offer free email.
Other than the wonderful feature of NSA slurping everything you do, what's google really do for you?
I've nothing really against google. I just prefer not to go that way.
Re: (Score:2)
mail.com / email.com got bought out by AOL years ago ...
I don't much care about that. Yeah, AOL in its day was pretty silly, but mail.com seems not bad. Anything I've talked to them about seemed handled professionally. Yeah, I tend to edit my replies in emacs, then attach that to an otherwise empty email (to preserve formatting), but that's the way of the world (Microsoft and its related apps' embrace & extend corruption) that I've come to expect to have to work with in many ways. They didn't invent that. FTP need[ed|s] to be told explicitly when it was
Re: (Score:1)
Thanks Ed!
Standardize one-time pads (Score:2)
The message is then seen as classic random numbers and is then flagged at some stage as using encryption and further sorting by gov/mil.
The gov/mil does not care what is in your message but the slightest hint that any person is using crypto-like numbers or letters in bulk would ensure any IP, user, ISP is noted.
That message glows.
Expect 3-4 level of hop