Online Privacy Going Totally Away


29 replies to this topic

#21 sparrow95
    Mycophage
    VIP, 117 posts

Posted 24 April 2017 - 07:03 PM

Opera is a free, fast browser that's based in Norway. It includes a VPN. Just go to settings and turn on the VPN after you've downloaded the browser.



#22 CatsAndBats
    [^._.^]ノ彡 & /|\( ;,;)/|\
    OG VIP, 7,978 posts

Posted 24 April 2017 - 07:11 PM

Just fyi:

protonmail.com is a free and encrypted email client with Swiss servers [strict privacy laws over there]

Paid VPNs rule and offer support and real protection [I use PIA, which encrypts EVERYTHING that leaves your phone, which is reassuring]

Using an encrypted messaging app like Signal, WhatsApp, etc. is another layer of protection as it's real hard to build a case with no record of messaging.

.02
  • Sidestreet, Heirloom and sparrow95 like this

#23 Guignol
    Mycophiliac
    Free Member, 5 posts

Posted 29 April 2017 - 08:07 AM

> Just fyi:
>
> protonmail.com is a free and encrypted email client with Swiss servers [strict privacy laws over there]

"How many of you have broken no laws this month? That's the kind of society I want to build. I want a guarantee--with physics and mathematics, not with laws--that we can give ourselves real privacy of personal communications." -- John Gilmore

John Gilmore is one of the founders of the Cypherpunks. I tend to agree with him.

As it is currently structured, Protonmail has a major design flaw; the very same design flaw that was exploited by the DEA against Hushmail users in the Fall of 2007, as part of Operation Raw Deal. Let me explain:

In the Fall of 2007, the DEA launched Operation Raw Deal, frequently referred to as ORD. ORD was designed to bust as many illegal anabolic steroid manufacturers, distributors and end-users as they possibly could. One of the vulnerabilities the DEA exploited was the use of Hushmail by many of those involved in the steroid game. Hushmail essentially provided "one stop shopping" for secure communications for Chinese bulk steroid powder suppliers, anabolic steroid manufacturers, distributors and end-users. A lot of these people used Hushmail for two reasons:

First, Hushmail described itself as secure, due to their use of PGP encryption.

Second, Hushmail emphasized the fact that they were located in non-U.S. jurisdictions: Canada, Ireland and Anguilla.

Hushmail actually boasted that they would only respond to subpoenas from the Supreme Court of British Columbia (which was true). They also made a number of other promises, which turned out NOT to be true. One of these promises was, that if subpoenaed, Hushmail could only turn over to the authorities the PGP-encrypted emails. (This turned out to be a lie, as you'll see.)

A great many people relied on Hushmail's promises -- if they had known anything at all about public key cryptography, they would not have accepted Hush's glib promises at face value.

The fundamental principle behind public key cryptography lies in the strict separation of public and private key halves. As the names imply, the public half can be widely distributed, while the private half must be closely guarded. Under NO circumstances should the private half of your encryption key ever leave your custody or control. Hush violated this fundamental principle.

The way Hush worked (and Protonmail, Countermail and similar services still work) is that they generate and store BOTH HALVES of the PGP keys for you. In the case of Hush, this turned out to be a fatal mistake.

When a user logs into their Hushmail (or Protonmail) account, the public and private halves of the PGP keypair are retrieved from the server, and loaded into the customer's browser. In this way, the customer is able to encrypt/decrypt and sign various emails or documents.

The only thing preventing the service provider from using the private half of that PGP key is the user's passphrase. Using the Mutual Legal Assistance process, the United States government requested the Canadian government to order the Supreme Court of British Columbia to issue a warrant for information that the DEA wanted from Hush's customers.

All the people named in that warrant were fed a poisoned JavaScript applet, which was modified so as to capture the users' PGP passphrase. With that passphrase and the private half of the users' PGP keys, the encrypted messages were trivially decrypted by Hush. So it was that in excess of 100,000 decrypted messages were turned over to the DEA by Hush.

Given that Protonmail uses a similar design to Hushmail, it is not unreasonable to think that the same type of attack could be successfully used against Protonmail.

The only way around this would be for the communicating parties to use PGP to encrypt their traffic before it leaves their computer. Naturally, this tends to eliminate the need for Protonmail and Hushmail -- you could use any email provider, if you are going to encrypt your own emails. The value proposition for services like Protonmail and Hushmail vanishes in this case.

> Paid VPNs rule and offer support and real protection [I use PIA, which encrypts EVERYTHING that leaves your phone, which is reassuring]

I would disagree. VPNs are for privacy, Tor is for anonymity. You can think of a VPN as an encrypted tunnel between two endpoints; one endpoint is your machine, the other is the VPN's server. The VPN provider knows who you are at all times. Protonmail does offer a Tor hidden service, but their use of JavaScript means that you can be de-anonymized easily.

See: http://www.wired.com...ncrypted-e-mai/

> Using an encrypted messaging app like Signal, WhatsApp, etc. is another layer of protection as it's real hard to build a case with no record of messaging.
>
> .02

Agreed.

Guignol


 

Edited by Guignol, 29 April 2017 - 08:18 AM.


#24 Arathu
    Dirtmaker
    OG VIP, 4,829 posts

Posted 01 May 2017 - 08:24 PM

Some time ago didn't I say we were so fucked that it's almost amusing? Hahahahaha.............Well I'm saying it again..........

IMHO..........

Your only true security is to get the fuck off the internet and corporately held networking period....No phones, no networked computers, none of it....get off the grid, move into the mountains or the streets for that matter, and shut the fuck up........

Else just quit anything you might be doing. Even then I'm sure that would draw attention to you because you want to have privacy.......which to a psychopath is really interesting for some reason. Because they're fucking psychos!

If you're buying a connectivity service from someone....THEY KNOW WHO YOU ARE........if you think they aren't going to give you up when the man comes threatening them and their precious corporate dollars .....hahahahahaa GEEZUS........

.02

A



#25 niemandgeist
    You make me happy in a manic sort of way :)
    OG VIP, 2,476 posts

Posted 02 May 2017 - 09:08 PM

I think the scariest trend in violations of internet privacy has stemmed from social media. Facebook has done some creepy stuff in the past and they make big bucks from selling your information. I'm not just talking about information that you provide to it willingly. I'm talking about all of the other information they collect on you based upon every word that you post, who you connect with on there for friends and other pages like musical artists and other things, and so on.

They can tell your mood and even manipulate it. In fact, Facebook did a secret study where they actively sought to influence the moods of their users, either positively or negatively, by altering peoples' news feeds. They discovered that they definitely can affect the moods of their users.

There was something in the news about how Facebook learned how to target teenagers in Australia to target them based upon their moods and how they could predict or manipulate the moods of these teens. For profit of course so they could sell the information to advertisers:

https://arstechnica....feel-worthless/

Another aspect of social media and spying is all of those free applications (apps) people use on their cell phones. Things like Instagram, FaceTime, and all of the others offer their programs free for a reason. When you install any of those things on a smartphone you need to allow them to access all sorts of information.

These companies can see where you are geographically and plot your location over time from the GPS data from your phone. They can look at your purchasing and browsing history. Some of the applications can even access the camera and microphone of your smartphone.

Google also tracks all sorts of things when people use it to search online. Google and others develop a profile on every user to track them and then sell the information or use it to learn how to better target people individually for displaying ads and possibly even search results.

Fortunately, there's a free open source alternative to Google's search engine that has almost all of the same features including advanced search operators. It's called DuckDuckGo (http://www.duckduckgo.com) and they don't track you at all. I have DuckDuckGo set as my default search engine in Firefox.

With Facebook, even long after people delete their profiles they can still track you using cookies inside of your browser. There's almost no way to completely disable such online tracking because of all of the nefarious methods that are used in doing it. Facebook aren't the only ones who do this, either.



#26 TVCasualty
    Embrace Your Damage
    OG VIP, 10,705 posts

Posted 14 May 2017 - 04:34 PM

> The way Hush worked (and Protonmail, Countermail and similar services still work) is that they generate and store BOTH HALVES of the PGP keys for you. In the case of Hush, this turned out to be a fatal mistake.
>
> When a user logs into their Hushmail (or Protonmail) account, the public and private halves of the PGP keypair are retrieved from the server, and loaded into the customer's browser. In this way, the customer is able to encrypt/decrypt and sign various emails or documents.
>
> The only thing preventing the service provider from using the private half of that PGP key is the user's passphrase. Using the Mutual Legal Assistance process, the United States government requested the Canadian government to order the Supreme Court of British Columbia to issue a warrant for information that the DEA wanted from Hush's customers.

That sounds suspiciously like a honeypot.

> All the people named in that warrant were fed a poisoned JavaScript applet, which was modified so as to capture the users' PGP passphrase.

And that sounds like a red herring intended as a distraction, like a magician drawing your attention over 'here' while pulling a fast one on you over 'there.' In any case a plausible story was needed to point to when denying that it was all just a giant set-up from the start. Anyone setting up such an email system would be cognizant of the realities of encryption and how such a scheme would basically render it moot. And that strongly suggests it was intentional IMO.

It reminds me of the failed farce known as the "Clipper Chip" released in '92 by the NSA for encrypting voice communications (I'm personally not familiar with it beyond what I've read, but I've read a lot about it). That was back before the NSA realized that they need to hide the fact that they'd designed back-doors into what they were promoting telephone and other device manufacturers to adopt (which is almost comical in its naivete).

Back then, if your communications were encrypted with the Clipper it would not raise a red flag because the gov't would know that they could listen in if they wanted to, or decrypt recorded conversations later. But if you used a privately-developed form of encryption, it would automatically and immediately trigger those red flags and raise some questions that they'd want answers to (e.g., "What exactly do you have to hide, huh?? Since We the Government provide a nice little system for you to secure your communications with, the implication if you use a different one is that you must be trying to hide something from the government specifically!" or some such bullshit). In that case, your communications would likely (and ironically) be more secure just sending them free and clear (thanks to 'security through obscurity,' which is generally a terrible approach to security).

One author who strongly criticized the Clipper suggested that a way around that would be to encrypt your communications with a private, secure program like PGP and then transmit the already-encrypted data with a Clipper-enabled device. That way you wouldn't raise any red flags just by communicating (since the gov't snoops would only detect their own encryption being used), but if your communications ever did become subject to closer scrutiny they would be decrypted from the Clipper but remain securely encrypted nonetheless. Sure, you'd have some esplainin' to do but that's when you plead the 5th and shut yer trap.

The double-layer approach seems like a good one to keep in mind for whenever you might feel the need for it; i.e., encrypt your data with a robust algorithm (at least 128-bit) and then re-encrypt it again using a gov't approved or relatively insecure form of encryption. True security is ultimately achieved in layers, after all.

Edited by TVCasualty, 14 May 2017 - 04:37 PM.


#27 SteampunkScientist
    Distinguished Mad Scientist
    OG VIP, 2,615 posts

Posted 18 May 2017 - 10:52 PM

I wouldn't bet on CenturyLink. Now I bet my totally crappy DSL gets even slower, since they get to watch everything I do here go through their lines. So, how does that VPN thing protect me here?

> Monopolies are the best thing ever. Capitalism's end game.

Don't forget Alder, that is also Socialism's, Communism's, and Fascism's end game as well.

Never forget folks, the one true law. The only law there is, ever was, ever will be:

"Do as you will, so long as you never abrogate the right of another to the same."

That is it. All correct behavior emanates from that one law. You may believe anything, do anything, say anything you desire.

But you may never take from someone the right they have to do the same.

This single law implies your defense should another break this law against you.

That is all we need.

Edited by SteampunkScientist, 18 May 2017 - 10:53 PM.


#28 CatsAndBats
    [^._.^]ノ彡 & /|\( ;,;)/|\
    OG VIP, 7,978 posts

Posted 25 June 2017 - 02:05 PM

Mozilla just released a new Firefox app called 'Firefox Focus' for Android (it was only on iOS for a while); it's basically a slimmed-down version of Firefox with one-button ad block/tracking and one-button browser erase. FYI


https://blog.mozilla...s-your-privacy/



#29 Sidestreet
    May your tracks be lost...
    App Administrator, 7,523 posts

Posted 27 June 2017 - 06:12 AM

> Just fyi:
>
> protonmail.com is a free and encrypted email client with Swiss servers [strict privacy laws over there]
>
> Paid VPNs rule and offer support and real protection [I use PIA, which encrypts EVERYTHING that leaves your phone, which is reassuring]
>
> Using an encrypted messaging app like Signal, WhatsApp, etc. is another layer of protection as it's real hard to build a case with no record of messaging.
>
> .02

These are all good but there is another weak point they can't cover: the stored messages in the phone itself.

Facebook doesn't even save its unencrypted messenger messages, but that won't help you if someone gets ahold of your (or your friend's) phone.

Now, I doubt anyone here will let their phone fall into the wrong hands, but it's usually a good idea to encrypt the phone itself or at least use a lock screen password.



#30 CatsAndBats
    [^._.^]ノ彡 & /|\( ;,;)/|\
    OG VIP, 7,978 posts

Posted 28 June 2017 - 09:11 AM


> > Just fyi:
> >
> > protonmail.com is a free and encrypted email client with Swiss servers [strict privacy laws over there]
> >
> > Paid VPNs rule and offer support and real protection [I use PIA, which encrypts EVERYTHING that leaves your phone, which is reassuring]
> >
> > Using an encrypted messaging app like Signal, WhatsApp, etc. is another layer of protection as it's real hard to build a case with no record of messaging.
> >
> > .02
>
> These are all good but there is another weak point they can't cover: the stored messages in the phone itself.
>
> Facebook doesn't even save its unencrypted messenger messages, but that won't help you if someone gets ahold of your (or your friend's) phone.
>
> Now, I doubt anyone here will let their phone fall into the wrong hands, but it's usually a good idea to encrypt the phone itself or at least use a lock screen password.

Protonmail is virtually unhackable and they don't store one of your passwords, so if the user forgets it or loses it, the user loses access forever.

Both protonmail and signal have message destruction options that can be set by the user. :)

