Ten Steps You Can Take Against Internet Surveillance
Hugh Pickens DOT Com writes "Danny O'Brien writes for the EFF that as the NSA's spying has spread, more and more ordinary people want to know how they can defend themselves from surveillance online. 'The bad news is: if you're being personally targeted by a powerful intelligence agency like the NSA, it's very, very difficult to defend yourself,' writes O'Brien. 'The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone.' Here are ten steps you can take to make your own devices secure: Use end-to-end encryption; Encrypt as much communications as you can; Encrypt your hard drive; Use strong passwords; Use Tor; Turn on two-factor (or two-step) authentication; Don't click on attachments; Keep software updated and use anti-virus software; Keep extra secret information extra secure with Truecrypt; and Teach others what you've learned. 'Ask [your friends] to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node; or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.'"
Use end to end encryption? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
If the spies are actively targeting someone, yes. But they can't hack *everyone* - not only would it be expensive, but they'd be detected in no time at all. So if your objective is to avoid the dragnet, it works.
Re: (Score:2, Funny)
é÷ÖúöÜHòÙ¥’`^&FQòÔ`sqÅxEÀÍ_,Bnâ|©1ßÉ*'
problem is "keeping SW up2date" (Score:4, Insightful)
When the computer industry was "young", there was little likelihood the NSA had co-opted your developers & SW providers. Now?
With every update you need to wonder if it contains a new backdoor at the request of the NSA, asked via a "security letter", which makes disclosure illegal.
Examples in Linux abound as vendors stumble over each other to provide secure-boot distros, complete with Windows-like service managers (systemd), that move config control out of scripts where you can see what they are doing, into binaries, that you have to verify come from a source that is likely too large for most of us to audit -- not to mention the problem looking for a backdoor that might be very well hidden these days... (ex. pre-solved factoring keys for AES encryption), etc... You got the latest certs downloaded from *where-ever* (needed for https and such)? How many aren't already cracked?
I wouldn't have a problem with the NSA's spying, *IF* they didn't share anything not related to national security -- but our entire justice system is predicated on law-enforcement being 'human' and needing warrants to search private stuff -- but now? The NSA doesn't need those, and any info it finds is shared with generic, domestic law enforcement. It's already been seen that the FBI has been getting info dumps from the NSA that it's been using to start determined "take-down" efforts against *persons*. I.e. they just watch the people they want, and find some excuse to 'legally' find out the info, OR, find something else to bust them on.
Of course it's been well documented here on "/.", how both foreign visitors and US citizens lose their constitutional rights when they are at a border -- losing laptops and having decryption keys demanded.
What crap!
One rectifying solution would be to have any illegally leaked evidence taint prosecution of someone for *any, "hidden", charge*, for some number of years (whatever statute of limitations might be).
By hidden, I mean things they'd have to probe into to find out -- not armed robbery or such...
It sounds problematic, and the details would have to be ironed out, but between that, and the profit motive for "charging" a "rightless" property with "crimes" instead of the person, our legal rights as citizens are falling below western standards and down into the "outcast/illegal/brutal" regimes that we supposedly "invade" for....
Who's gonna invade us to save us from our government? I think the only ones with the ability to save us are "us".
Re: (Score:3)
Not with major browsers like Firefox screaming blue murder at encrypted connections that haven't been officially by certification authorities. We can't have an encrypted web if browsers themselves are hostile towards it.
Is OTR on every platform? (Score:2)
They can't be assed to spend 10 minutes to set it up, thereby having it for the entire future.
That or they choose, for other reasons, to use a mobile platform to which OTR messaging happens not to be ported yet. Webmail also has well-known problems with PGP. Or have those been solved yet?
Re:Use end to end encryption? (Score:4, Insightful)
Steps You Can Take Against Internet Surveillance (Score:5, Funny)
Step one: Don't post on forums.
Re:Steps You Can Take Against Internet Surveillanc (Score:5, Insightful)
Step one: Don't post on forums.
Step Two: Terrorists Win.
When you opt not to speak out against the government out of fear of reprisal, then you effectively have lost your right to free speech. Forums like Slashdot need to embrace the use of proxies like Tor, etc., instead of shutting them down with giant ugly off-red pages saying "Blocked!" Anonymization services like Tor are invaluable for creating a safe haven for free speech; in countries like Iran, North Korea, United States, France, Iraq, and Egypt, people are being harassed, arrested and imprisoned for chastising the government for being a police state. We need websites to publish information about these governments' activities for the world to see, and sites like Slashdot that block Tor and similar technology are simply enabling those governments to build a digital iron curtain around themselves to lock down political dissent.
Re:Steps You Can Take Against Internet Surveillanc (Score:5, Interesting)
Considering the number of things the NSA has completely missed (e.g. Boston bomber, Snowden, Benghazi, etc.) I'm beginning to wonder if the NSA really has any decent spying capabilities at all. What if this is much like a Banana Republic, where the government puffs up its chest and parades around a bunch of military men and equipment to try to scare its citizens into line. But actually they are totally outnumbered by the citizenry, have very little real power, and they know it.
All these "leaks" about the NSA spying on everyone in the world could just be a desperate attempt by a government that realizes it has very little real control over people to try to keep people in line. Sure, they might be collecting a lot of data, but storage and analysis may be such a monumental task that they can really only figure out things in retrospect, which really doesn't give them much advantage over classic investigation techniques. But hey, some tech companies are probably getting rich over this.
Re:Steps You Can Take Against Internet Surveillanc (Score:5, Insightful)
Considering the number of things the NSA has completely missed (e.g. Boston bomber, Snowden, Benghazi, etc.) I'm beginning to wonder if
Back up the fail train there. The NSA wasn't tasked to find the Boston bomber, the FBI was. And they did. Benghazi is a figment of the tea party's over-active imagination -- there's no evidence that anything other than poor judgement and incompetence at a local level occurred. And Snowden... well, that's the only thing you mentioned that has any weight. The NSA management was warned about him long before "the incident" by Homeland Security. They ignored that warning. The case can be made this was a mistake -- but it seems from the after action reports online they're addressing their structural/organizational deficits that allowed it to happen post-incident. The fact is, there's always a risk of a defector, no matter how good your agency is. Every major intelligence agency from every major government in the world has had it happen. This is not a statement on the overall competence of the NSA as an intelligence organization.
What if this is much like a Banana Republic, where the government puffs up its chest and parades around a bunch of military men and equipment to try to scare its citizens into line. But actually they are totally outnumbered by the citizenry, have very little real power, and they know it.
That's pretty much the working definition of law enforcement everywhere, man. There's only 1 police officer for every, what, 10,000 citizens? It's a practical impossibility for the NSA to do all the things the tin foil hat brigade claims they're doing -- monitoring everyone's cell phones, everyone's e-mail, the entire internet... and just to keep things interesting, doing all that while cracking foreign powers' high level cryptography and military communications systems. To do everything they claim they're doing, even assuming their technology is twenty years more advanced than the civilian sector equivalents, would imply multi-trillion dollar budgets per year to sustain and a workforce vastly higher than the numbers available suggest.
Sure, they might be collecting a lot of data, but storage and analysis may be such a monumental task that they can really only figure out things in retrospect, which really doesn't give them much advantage over classic investigation techniques. But hey, some tech companies are probably getting rich over this.
The data collection is a massive operation because the data being sent only has data retrospectively; when they identify a potential suspect for development, based on those "classic investigation techniques", without that infrastructure they're starting at day zero. But if everything is logged, they can proceed immediately with looking into his/her background and recent communications. In the intelligence world, there are three things that give an asset value: timeliness, accuracy, and analytical support. It does you no good to find the terrorist after the bomb has gone off, it does you no good to identify the wrong person, and it does you no good to have all the information that could have met the first two criteria if nobody analyzes it and suggests a course of action (arrest, drone strike, whatever).
Once you understand that the analytical side of the intelligence cycle is the real bottleneck here, you quickly realize that the NSA can't possibly care about your marijuana stash, or even the warrant for your arrest. To develop leads and maintain a solid intelligence cycle, they can only focus on a tiny fraction of the data they're pulling in... so unless you're a .01%'er in the world of terrorism, counter-intelligence, spying, or foreign military... forget it. They don't care.
Re:Steps You Can Take Against Internet Surveillanc (Score:5, Insightful)
Back up the strawman train there. The GP was pointing out that the information gathered by the NSA failed to prevent the Boston bomber, and prevention is what the NSA claims that its massive surveillance program does.
In reality, what it does is undermine democracy. What if the NSA discovered some embarrassing material relating to Dianne Feinstein and is using it to blackmail her to support the NSA? How do you know that it hasn't happened? The answer is that you don't and that's why democracy has been undermined. What would Herbert Hoover have given to have the information that the NSA has?
Re: (Score:3, Informative)
Re: (Score:2)
He's another Hoover, they are all the same, aren't they? But really, yes. I did mean J. Edgar.
Re: (Score:2)
Re: (Score:3)
The NSA has great spying capabilities. It just isn't using this ability to find terrorists.
Step Two: Terrorists Win. (Score:2)
As much as my comment was a jest, pure and simple;
There's no such thing as a "terrorist", the term is a confabulation, a nebulous entity somewhere between "opponent" and "boogeyman".
End to end encryption on /. (Score:2, Funny)
Do you think you are special? (Score:3, Insightful)
According to news reports, there are around 1000 analysts at NSA engaged in surveillance. Let's assume half of them are looking at foreign traffic and half at domestic traffic. That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?
Personally, I'm much more concerned about the way commercial organizations are spying on us. I think the loss of privacy to Facebook, Twitter, LinkedIn, Google, and other social media is much more creepy than some secret government bureau knowing that I called my parents 3 times last week.
Of course, there are those that worry about cops knowing when they are calling their drug supplier to set up a buy, but all indications so far are that the data is not available to regular police organizations.
Re: (Score:3)
What makes you think you are special enough to deserve their attention?
Well, if you are the ex-girlfriend of an NSA analyst, you might be special. Although, I guess that doesn't apply to Slashdotters.
Maybe an NSA analyst has a grudge against you, dating back from High School times . . . ?
In Soviet NSA, everyone gets their attention . . .
Re: (Score:2)
So, you're "much more concerned" about social media spying on you than the Government, even though the Government gets the take from the social media PLUS their own "special" modes of spying....
Re:Do you think you are special? (Score:5, Informative)
Re: (Score:3)
It's the threat that they can decide to make you "special" when and if it suits their cronies' prejudices and career prospects.
Do you think you are special?
We heard this kneejerk rejoinder all through the 2000s-- an attempt to stop critical thinking because it causes people like you too much cognitive dissonance. But that's the cop-out BS which landed us in the situation we have now.
Chickenshit apologists, take a backseat.
Sock puppet, begone! (Score:5, Insightful)
According to news reports, there are around 1000 analysts at NSA engaged in surveillance. Let's assume half of them are looking at foreign traffic and half at domestic traffic. That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?
Okay, let's look at those statistics more closely.
500 analysts for 350 million people continuously is 500 analysts for roughly 1 million people per day each year, or roughly 1 analyst is spending an entire day looking at 2,000 people. Each year. So there's a 1-in-2,000 chance that sometime this year, an analyst will be pawing through your online behaviour.
(Of course, if you assume that the analyst spends 1 hour on each person, it drops to 1-in-250 chance that sometime during the year you will be "analyzed" by an NSA agent.)
Now consider the power of computers. Is it reasonable to think that 1 computer could collect and analyze the E-mail and online speech of 2,000 people in a single day of compute time? Assuming you put certain keywords in your online text ("I'm going to kill some time this afternoon by watching the presidential debate"), how likely do you think it will be that you win the 1-in-250 chance?
Let's add in ambiguous laws. The recent trend is not to charge people with doing harm, but conspiracy for doing harm. One recent news report told of a couple of people charged with "conspiracy to join Al-Qaeda". Note that these two people didn't do a terrorist act, they didn't contribute to a terrorist group, and they weren't even a member of a terrorist group. They were talking about joining a terrorist group. People are commonly charged with "conspiracy to grow marijuana" (Google has many links).
We've reached the point where you can be arrested when no overt crime has been committed.
There's a recent news story where, for the first time, the DOJ is informing a defendant [usatoday.com] that they used NSA/warrant-less surveillance to gather evidence. They used mass surveillance to get enough probable cause to apply for a real warrant which resulted in evidence of a crime.
The important bit of the previous is that the DOJ was conflicted about revealing this information. The prosecutor felt that it was only a "procedural decision", since no evidence from the mass-surveillance warrant would be introduced at trial. (A couple of lawyers in the DOJ argued for disclosure.)
All evidence indicates that they analyze everyone's online presence all the time, and use that information to pick-and-choose people for prosecution when no overt crime has been committed.
Sock puppet, begone!
Re: (Score:2)
Analysts aren't looking for random law breakers, they are looking for people believed to be planning terrorist acts.
You are assuming, of course, that the government is made up of perfect angels that never make mistakes and never abuse their powers. Such a government has never existed throughout history.
To trust all current and future people in the government to such an extent is borderline insane. I honestly have zero idea why people believe the government is only looking out for our best interests here.
Re:Sock puppet, begone! (Score:5, Informative)
I disagree completely
I'm a dual citizen .. I'm being looked at. I have a degree in computers and I talk to foreigners ... I'm being looked at. I speak 3 languages ... I'm being looked at. I rarely use any social media - far less than most people hmm.. suspicious ... I'm being looked at. I'm on a site talking about using tor ... I'm being looked at. I used to live in a different country ... I'm being looked at. I have made a political comment about not liking a specific candidate, either over the phone or internet in the last 5 years ... I'm being looked at. I have a higher than normal IQ (above 100) - and I love chemistry ... I'm being looked at. I'm an atheist ... I'm being looked at. I've been tagged in a photo on Facebook that was taken on a mobile device and therefore has all the EXIF location data on it letting people know that I was more than 200 miles from where I live... I'm being looked at. I've updated my passport in the last 5 years ... I'm being looked at.
Now, once you get over the notion that this is the 1950's and that everyone is in a manila folder with a black and white picture - and that someone is sitting around trying to LITERALLY watch you full time - you can come to understand that the entire country IS being "watched" daily, via electronics, and is being monitored the same way that Google (and other search engines) monitor websites. They use spider-like software, and every time something "triggers" in their system, your profile gets updated. Think of it like a point system, the more points you have, the more likely you are going to get checked up on. Using the information from Okian Warrior above, you realize that the 1 in 250 chance is scarier than you think. Also, add in that not all 350 million people in the country are being monitored. Take out children under 13 (too low risk), take out old folks who literally can't move, or are senile, or folks in the hospital for long term care (even if only for a week), and that number of people that an analyst needs to check up on drops significantly.
Google is able to index 23+ billion pages (according to some random statistics I found). If Google is able to do that the hard way (crawling pages, finding href links, indexing them, hitting all THOSE links), then I'm sure the NSA can do it far easier. Why? Because, according to the surveillance leaks, they already have access to the nicely indexed databases from many/most companies.
Sad thing is ... I'm not even going into tin foil hat mode yet ...
Re: (Score:2)
That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?
But since you have so many people to check, doesn't that mean that they are going to make a massive use of automation to do the checks?
Remember how good the spamfilters are? And they are designed against something extremely frequent
Now remember how infrequent a terrorist attack is? And what about that False positive paradox [wikipedia.org]?
It's not about feeling special or not, it's just that the system is broken by design... and the algorithms are surely perfect...
Re: (Score:2)
Example: post all tweets as images of captcha text. If it can't readily be OCR'ed, they won't be collecting keywords without paying some cheap labor somewhere to manually transcribe everything. And if we all did it, that would be a really big and/or slow job. Tweets are designed to be read by human eyeballs only anyhow, aren't they? Captcha them all.
Re: (Score:2)
Re:Do you think you are special? (Score:4, Insightful)
Data can be wrong. Interpretations can be wrong. Police tend to interpret everything as an act of wrongdoing as soon as they have a single data point or dumb-ass idea that suggests you are a suspect.
Case in point: David Marie [youtube.com] (jump to 5:00). He enters a subway station. He's flagged as a suspect because he's "wearing a jacket." Seriously. The Bumblefuck Police Department then use this as justification to raid his apartment where they find a page of random scribbles they deem as "subway map" (seriously, look at the drawing in the video, it's just fucking random scribbles) and proceed to charge him as a terrorist. Oh, he's not in prison, he just can't get a visa, leave the country or expect to ever be free from constant restrictions and "unwanted attention" in his life.
Amazing how someone can be too dangerous not to be watched, but not dangerous enough to imprison. I wonder how it feels to be stupid enough to engage in that level of cognitive dissonance and not go insane.
Re: (Score:2)
People who want to blow things up need to be hunted down. They and others with bad intent should be abused. The problem is their idea of "bad" has become so broad as to encompass a lot of people who are no threat to anyone but themselves. You might be just a little paranoid though.
Re:Do you think you are special? (Score:5, Insightful)
What the hell? You think spying on everyone so we can maybe catch a few terrorists is acceptable in a country that's supposed to be the land of the free and the home of the brave? You think it's okay for our government to blatantly violate the constitution and then claim that they didn't actually do so because some secretive court rubberstamped general warrants?
You might be just a little paranoid though.
There has never once been a government that has failed to abuse its powers throughout history. Why do you believe me to be paranoid when I suggest that allowing the government to collect nearly everyone's communications is an awful idea? Do you believe the people in the government to be perfect angels? I do not understand why you would say such a thing otherwise.
I hope you were joking; otherwise, you are profoundly ignorant and naive.
Re: (Score:2)
What makes you think you are special enough to deserve their attention?
What makes you so damn selfish that you only care if the government abuses you? Is it not a problem if they abuse anyone? There are people who are 'special enough' for the government to harass.
You're trivializing the issue, and I strongly suspect it's because you don't truly understand the situation.
If sI4shd0rk's post deserves to be moderated -1 Troll, so does my reply — I completely agree with what sI4shd0rk wrote here.
Re: (Score:3, Insightful)
So, given the NSA versus greedy companies, I'll take the NSA any day.
There is no such dichotomy, and you should be extremely concerned about the NSA spying on everyone's communications. The US is a country founded on the idea of distrusting authority, and yet you basically suggest that we should not care when the government is essentially crumpling up the constitution and tossing it into the garbage. What a sorry state of affairs this is that people so naive even exist.
Re: (Score:2)
Run a Tor node????? (Score:2)
10 Steps You Can Take Against Rapists (Score:2, Interesting)
Wear unattractive clothes, don't wear makeup, stay sober, don't flirt, don't leave drinks unattended, don't be out after dark, don't be out alone, learn to cook, find a good husband, teach others what you learned.
Re: (Score:2)
There is only one way (Score:2)
Don't use the network. No matter what you do to prevent it, there are holes if you are well funded ( and have the fear of the 'law' behind you )
Re: (Score:2)
Countries that have adopted paperless taxation (Score:2)
Re: (Score:2)
Then you move to a less oppressive and invasive country.
Resident visa (Score:2)
Re: (Score:2)
Off the top of my head I doubt much of the middle east has gone digital. I am sure there are others ( aside from the US, I still print and us-mail my taxes in each year )
What about email (Score:2)
Maybe I'm naive or ignorant, but what can a normal user do about e-mail?
Most e-mail from ISPs runs over port 25, and it all gets logged by logboxes and tappers. I don't think the default for an MTA is port 465 or 587, but still 25. If I'm wrong, please correct me.
What should be done here, can someone inform me. Is there something a user, admin or mta-developer should do here?
I read my mail over imaps and pop3s, and store it on my own-hosted imap server. But what to do about smtp-traffic?
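An added example, not part of the thread: for the port 25/465/587 question above, this sketch shows how a user or admin can check whether an SMTP server will encrypt the connection and which certificate checks apply. The hostnames and EHLO replies are constructed samples, and the function names are this example's own.

```python
"""Check whether an SMTP server will encrypt the hop between you and it."""
import smtplib
import ssl
import sys

# Constructed EHLO replies (not captured from any real server).
SAMPLE_WITH_TLS = (
    "250-mail.example.net greets client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
SAMPLE_PLAINTEXT = (
    "250-mail.example.net greets client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> dict:
    """Map each advertised extension keyword (upper-cased) to its parameters."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:                      # first line is only the greeting
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        words = line[4:].split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions


def assess(port: int, extensions: dict) -> list:
    """Return findings for one port, given the extensions seen before TLS."""
    if port == 465:
        return ["implicit TLS: session is encrypted before any SMTP command"]
    findings = []
    if "STARTTLS" in extensions:
        findings.append("STARTTLS offered: client can upgrade before sending mail")
    else:
        findings.append("no STARTTLS: everything on this connection is plaintext")
    if "AUTH" in extensions:
        findings.append("AUTH offered before TLS: credentials could cross in the clear")
    return findings


def probe(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to a live server and report what it offers (needs network)."""
    ctx = ssl.create_default_context()          # verifies certificate and hostname
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            return {"findings": assess(port, {}), "tls": s.sock.version()}
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        # smtplib stores the parsed extensions lower-cased in esmtp_features.
        exts = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        result = {"findings": assess(port, exts), "tls": None}
        if "STARTTLS" in exts:
            s.starttls(context=ctx)             # raises if the certificate is invalid
            result["tls"] = s.sock.version()    # e.g. "TLSv1.3"
        return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(probe(sys.argv[1], port))
    else:
        for name, sample in (("with TLS", SAMPLE_WITH_TLS),
                             ("plaintext", SAMPLE_PLAINTEXT)):
            print(name, assess(25, parse_ehlo_extensions(sample)))
```

Run it with a hostname and port to probe a live server, or with no arguments to evaluate the constructed samples. A clean result covers only the hop to that server; relaying between providers and storage on the server are outside what it checks.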
Re: (Score:2)
As a normal user, it is hard. Once the mail hits the main SMTP relay and heads out, it is in plaintext unless one is running Exchange which has secure connectors and one sets up TLS links with other sites.
It would be nice to have a TLS/SSL mechanism where company E-mail servers would be checked if they had a secure transport port, the key fetched and checked with a CA, and then the mail sent.
However, there are really only three choices for E-mail:
1: Have both users share the same provider so mail is just
Help me understand global transitive trust (Score:2)
Best of all, have a PGP/gpg web of trust
Which requires expensive travel to participate in key signing parties in other cities unless you only want to communicate with others living in the same city. Sure, you can trust that someone is the person described by a particular government ID, but that's orthogonal to how much you trust her to sign others' keys.
Re: (Score:2)
I know GPG. But I do not know anyone who is using it. I haven't seen a gpg-signature in years, except my own :).
Re: (Score:2)
Webmail (Score:2)
nonsense, that's just cowering (Score:2)
Quit voting for mega-corporate bitches like Obama or most Republican candidates. Quit voting for those that support the police-state policies of Bush/Cheney and Obama administrations. Make people aware of what is happening to their freedoms. Raise awareness.
Can't vote against all incumbents (Score:2)
EFF instructions don't work (Score:2)
The video on the EFF site gives instructions for downloading a Vidalia Bundle for Mac - but this doesn't exist on the Tor website. The only downloads that I can see available are the 'Tor Browser Bundle' which is an auto-launching Tor node and browser combination.
So you can't run a node without a Tor browser window open all the time?
Re: (Score:2)
IIRC the "Vidalia Bundle" is just an older name for the "Browser Bundle"
Re: (Score:2)
Sorry, my above post is not entirely correct. It seems, for Windows at least, the Vidalia control panel is included in the Browser Bundle.
https://blog.torproject.org/blog/plain-vidalia-bundles-be-discontinued-dont-panic [torproject.org]
Not sure about OSX/Linux, but I assume it is similar
Re: (Score:2)
Thanks for the link - that cleared things up nicely.
The Tor site is a tad jargon heavy methinks.
Also... (Score:2)
Run a TOR Node? (Score:2)
Are you nuts?
What sort of people run TOR nodes? Have you been following the news [channel4.com]?
You'll be straight on the authorities' list of very-likely-some-kind-of-criminals. Probably a terrorist, drug addict/dealer, paedophile or pirate of Madonna/Boys-R-Us/One Direction/Lady Gaga music.
It's called chaff (Score:2)
Intel Inside (Score:2)
Just be more prudent (Score:5, Interesting)
By the way, thanks NSA for forcing us to censor our thoughts in our head, before we even write them down and tell them to someone. I couldn't have imagined that we'd come to live in a totalitarian-like world (at least that's how it feels when you apply censorship in your head) just a few decades after the Iron Curtain was torn apart, and that this totalitarian world is being brought forward by a western country that formerly championed free speech and freedom in general.
Re: (Score:2)
Re: (Score:2)
Not when it's done to suit someone else's agenda.
The NSA as a distraction (Score:2)
Windows (Score:3, Insightful)
"use anti-virus software"
Just come out and say it. Don't use Windows.
How about running your browser as another user (Score:2)
I think one of the biggest risks is drive-by infections. I have been thinking that running my browser as a different (underprivileged) user might be a nice added layer of insulation. You could add that user's group to your extended group list and still get all the files. But it could not get at yours.
Re: (Score:2)
EFF are losing their edge (Score:5, Interesting)
We get a long list of complicated half-measures from 10 years ago, especially the idea of using Tor to access commercial email providers that like to capriciously ban Tor users.
If email metadata is such a concern (because metadata=data), then does it help all that much to have people try to adjust to using PGP? I don't think it does. Giving the wiretappers the Who and When (and even Subject) of our communications doesn't jibe with the underlying goal of stopping surveillance.
The only really good encryption in this environment is the kind that effectively encrypts the Who, When and everything else... and doesn't limit you to Web browsing the way Tor normally does. TAILS already recognized the value of using I2P for comprehensive privacy, [geti2p.net] which is why they started including it in their distro years ago. The "downside" is that the other end has to use I2P as well (but that ensures end-to-end encryption, so it's also a big plus).
Tor is outdated and dangerous to use because it encourages illusions like: a) 1024bit encryption is 'enough'; b) an elect group of core nodes can provide cover for everyone else (I2P makes everyone a router); c) the insecurities of the whole everyday Internet and PCs can be rectified by installing a small app, and you don't have to make technical demands on people you're communicating with.
In short: Use I2P for communications (it has a DHT-based email system, and you can even torrent fully over it) and use it with an OS built for privacy and security like TAILS or Qubes. If the recent exploits against the Tor Browser had occurred against a Qubes user, there is no way they could have discovered the user's real address or other info. That, plus put a secure open source firmware on your routers (it's been revealed that the NSA breaks into routers more than anything else; garden variety crooks will probably be following suit).
Re:EFF are losing their edge (Score:4, Insightful)
If, however, there was an equal exploit that could be triggered on a Qubes user (ability to execute code on the local machine), exactly what protections are in place to prevent gathering their real external IP, MAC, and forwarding it off to the attacker?
Under Qubes, the Tor Browser (actually, all browsers) operates within its own hardware-enforced (both VT-x and VT-d) virtual machine ensuring that even privilege-escalated code would have no way to access the Internet except through Tor itself. It would have no access to real system settings or personal info, etc., unless for some odd reason you put them into that VM.
The system architecture is a series of VMs that have varying levels of risk assigned to them. Even the firewall, IP stack and X11 graphics (with attendant hardware drivers) run in their own separate VMs under Qubes, booted from a non-writeable system template.
The hypervisor itself is a desktop GUI disconnected from any networking devices.
Re: (Score:2)
I'd also like to point out that Qubes isn't dedicated to the idea of anonymity... The Tor VM is a separate download image, and most VMs that run applications have fairly regular network access (filtered through the firewall and network VMs).
Use tor against surveillance? (Score:2)
Recommending tor for safety is like telling someone that if they paint themselves orange and shout at the top of their lungs, nobody will notice them in a crowd.
Let's face it, tor is pretty much synonymous with "pedophile, drug user, crook". Despite its best intentions, it's like painting a huge target on your back for the spies to focus on you, not "oh, this one is using tor! our efforts have been foiled!".
Re: (Score:2)
This advice does not apply to Tor sites run by the NSA.
By the people (Score:2)
Nice democracy/republic/free country you have there. Since it's your government, and they're working with your tax dollars, you might not want to make things more expensive for them. You might, however, want to cut their budget, and vote them out, and impeach them, and whatever else you do when you both check and balance your government.
sheesh.
Re:Boycott of US & UK products (Score:4, Insightful)
Re: (Score:2)
They might do that anyway to keep the plebs dumb and helpless.
It's hard to use your brain to defend yourself if the powers that be have laid siege to its food supply.
Re:Boycott of US & UK products (Score:4, Interesting)
Oppression can be ranked. The UK and USA certainly have their oppressive aspects, the spying on individuals being just one of them, but there are plenty that are far, far worse.
Re:Boycott of US & UK products (Score:4, Insightful)
Really? It's not like the US and UK export all that many products. Boycotts are almost always a waste of time.
Re: (Score:2)
Really? It's not like the US and UK export all that many products. Boycotts are almost always a waste of time.
Um, we're not talking about washing machines here. Ever hear of Cisco?
Re: (Score:3)
I use https because I don't feel like broadcasting my slashdot (and others) username and password to all and sundry over unencrypted wifi.
--
BMO
Re: (Score:3, Informative)
The authentication token goes over the net for each access (or how else is Slashdot to know whether you are the logged-in person?)
Re: (Score:2)
Though you could troll with my username in the interim.
And change your password and e-mail address.
Re: (Score:2)
Just because you don't understand someone's desire for privacy, you argue he has no need for that privacy? Attitudes like that are why TFA had to be written in the first place.
Don't ever argue for less privacy. This is just like security - you take the least privilege you can and offer the best security you can; it's not a question of why. Give the user the most privacy you practically can in every way that you practically can - it's not a question of why, that's a broken mindset.
Re: (Score:3)
Fight for privacy where it matters and makes sense. If my login data weren't secure, I'd be pretty peeved off by Slashdot. As it stands, I am not. Whether they implement HTTPS for the rest of the site is irrelevant, because the data is freely visible already anyway.
Re: (Score:3)
You might pause to consider why one might write an anonymous "letter to the editor" to be published, all public-like, in the paper. You might pause to consider how that applies to HTTPS. Or you might bull on ahead blindly with no consideration for anyone's circumstances but your own. Or you might admit that you're not omniscient, and thus there might be some need for privacy that you just don't happen to see, and so advocate for as much privacy as possible, everywhere, all the time.
Re: (Score:3)
If you really wanted to publish something but still remain anonymous, you'd better use a service built for that purpose - like securedrop. If you want privacy, it need
Re: (Score:2)
If you want to post something on ./ that warrants HTTPS, you are probably already doing it wrong.
That's funny, but if you're encrypting only what you think needs to be encrypted, rather than encrypting that which can be encrypted — I think it's you who's doing it wrong. You announce: "Attention: I am now transferring sensitive data!"
It's much like shredding only those documents that contain sensitive information, and throwing away the rest intact: You're answering your adversary's question, "which of these documents should we concentrate on reassembling/examining?"
Re: (Score:2)
If one subscribes, they can use SSL for every page.
But why should one even need to subscribe? (Score:2)
Re: (Score:3)
Not only that, I expect Tor users get special targeting. It's most likely considered probable cause for a warrant to bug your house.
Re: (Score:2)
Ah! A fellow isolationist. I'm with you, brother, that makes two of us.
If everyone was a node, then it would work better (Score:2)
If everyone were a node and there was just no telling what packets would come out of anyone's box, then they basically would not be able to use IP addresses anymore.
Re: (Score:2)
Who has audited the current version of Truecrypt? Why do you trust them?
It's better for different people to use different approaches, so that no one compromise will take down everyone. But this makes communication difficult.
I don't have a real answer, this side of one time pads.
Re: (Score:2)
ROTFLOL.