Domain: eff.org
Stories and comments across the archive that link to eff.org.
Comments · 6,386
-
Re:New target
You jest, but they did go after a similarly high-value target, the United States Postal Service: https://www.eff.org/deeplinks/2012/03/help-eff-bust-dangerous-jones-patent
(Note that article was posted more than a year ago, yet this troll keeps on trollin'.)
-
Re:Credit Not Cash
Please stop spreading the "Google doesn't respect privacy" FUD. Have a look at how well Apple respects your privacy.
Is that the same EFF that claimed undeniable evidence that Apple had DRM in their headphones? Why yes, it is.
Is this also the same EFF that receives a lot of their funding from Google? Another rhetorical question.
-
Re:And does the client cache this key?
Yes, Yes it does. (Note that is not its main functionality, but it does do it.)
-
Re:Credit Not Cash
Please stop spreading the "Google doesn't respect privacy" FUD. Have a look at how well Apple respects your privacy.
-
Re:Not seeing a problem with that.
The point is that connections can be encrypted. HTTPS EDHE can't be passively sniffed even if you have the server's private SSL key; you need to do active man-in-the-middle. NSA can't do that on a wide scale without being detected. By handing over a plain text copy to Google, you can 100% guarantee another copy is indexed by the NSA. So avoiding US providers is about "having a fighting chance" vs. "making sure they have your data".
-
Re: Not surprising..
Exactly!
Seems the NSA decided to double down on the Tor network since the cat is out of the bag.
Not that smart, I might even be grateful to them for the extra bandwidth (still keeping in mind other elements may still make part of the communication trackable: DNS queries, cookies and what not).
-
Re:In need of more relays
Explained, with pictures.
-
Re:Try a pitch that looks less like a 419 scam.
Associate Member Benefits for Free Software Foundation:
https://my.fsf.org/associate/support_freedom/join_fsf
This depends upon how much you want it to look like a donation.
http://www.fsf.org/associate/benefits
EFF has similar things:
https://supporters.eff.org/shop/eff-gift-membership-certificate
Several of the larger open source organizations also have shops with hats and T-shirts and the like.
-
Re:Panopticlick is another method
The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.
Yep. It's absurd, and unfortunately many "privacy-enhancing" tools (for example, anything that alters the user agent) can actually make a browser more unique rather than less-so.
NoScript is an exception, and one that works very well. I know it's parroted on Slashdot a lot, but if you care about privacy and security on the web there isn't a single better option. Using Panopticlick on my browser as an example:
Without NoScript: Your browser fingerprint appears to be unique among the 3,316,576 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 21.66 bits of identifying information.
With NoScript: Within our dataset of several million visitors, only one in 2,433 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 11.25 bits of identifying information.
Still not great, but a lot better than unique. It's quite unfortunate that the web evolved with the assumption that arbitrary code may be executed in the browser. If we had started out instead with an opt-in approach to Javascript, I think things would be quite a bit better now in terms of privacy and security than they currently are.
-
Panopticlick is another method
The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.
-
EFF's Switzerland Network Testing Tool
The OP mentions Sandvine: the EFF has a tool called Switzerland.
Is your ISP interfering with your BitTorrent connections? Cutting off your VOIP calls? Undermining the principles of network neutrality? In order to answer those questions, concerned Internet users need tools to test their Internet connections and gather evidence about ISP interference practices. After all, if it weren't for the testing efforts of Rob Topolski, the Associated Press, and EFF, Comcast would still be stone-walling about their now-infamous BitTorrent blocking efforts.
Developed by the Electronic Frontier Foundation, Switzerland is an open source software tool for testing the integrity of data communications over networks, ISPs and firewalls. It will spot IP packets which are forged or modified between clients, inform you, and give you copies of the modified packets.
Switzerland is designed to detect the modification or injection of packets of data traveling over IP networks, including those introduced by anti-P2P tools from Sandvine (widely believed to be used by Comcast to interfere with BitTorrent uploads) and AudibleMagic, advertising injection systems like FairEagle, censorship systems like the Great Firewall of China, and other systems that we don't know about yet.
-
Re:we are in real deep shit...
Relevant graphic: https://w2.eff.org/Misc/Graphics/nsa_1984.gif
-
Re:Update the constitution
Perhaps you aren't aware, but Border Patrol has the "legal" right to copy your smartphone's contents:
From the EFF ( https://www.eff.org/wp/know-your-rights ):
Q: Can the police search my computer or portable devices at the border without a warrant?
A: Yes. So far, courts have ruled that almost any search at the border is "reasonable" - so government agents don't need to get a warrant. This means that officials can inspect your computer or electronic equipment, even if they have no reason to suspect there is anything illegal on it. An international airport may be considered the functional equivalent of a border, even if it is many miles from the actual border.
They also have the technical ability to do it while bypassing your password:
"The CelleBrite UFED is a handheld device that Michigan officers have been using since August 2008 to copy information from mobile phones belonging to motorists stopped for minor traffic violations. The device can circumvent password restrictions and extract existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags."
And yes, Cellebrite proudly boasts of their ability to bypass Blackberry passwords. Here's a partial list of government contracts for the "Universal Forensic Extraction Device". Note the extensive DHS and Border Patrol purchases: http://companies.findthecompany.com/l/5493513/Cellebrite-Usa-Corp-in-Glen-Rock-NJ
The only reasonable conclusion for why they would have you leave your phone in the car, is that they copied the entire contents of your blackberry, and sifted through it.
Sorry to tell you this, but your worst fears already happened. Not only did they search the phone, they made a complete copy of it and have the legal right to look at the contents anytime they want. Welcome to the USA.
-
COINTELPRO is back, and how!
Let's say we have an Agency who wants to control a sentiment about a specific topic.
Let's also say that the Agency has most communications that people have sent or received.
For each person, you could use sentiment analysis to analyze what they send and receive to figure out how they feel about the target topic. You could also build a database of possible small crime leads for that contact. Maybe they mentioned drugs or speeding on their social media page, maybe they angered their co-workers for some reason. Perhaps they use a file-sharing client or post on jihadist websites.
The Agency can calculate the centrality of a particular sentiment using sentiment analysis on social networks. This would reveal those with the power to organize people into taking action.
Once the Agency has a list of these people, sorted from most likely to be a central communicator to least likely, they can then work on dismantling the trust of those in the network.
In order to dismantle the network, individuals must lose faith in their leaders. This can be done in a number of ways, most of them fairly simple to implement. Here are a few of the ones we have seen in the news, I'm sure there are many more:
- 1) Manipulate social media accounts to troll the movement apart. Down-votes are fairly effective at removing data. http://www.infowars.com/us-military-caught-manipulating-social-media-running-mass-propaganda-accounts/
- 2) Parallel construction using the database of possible crimes they assembled above. https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intelligence-laundering
- 3) Blackmail using data collected http://consortiumnews.com/2013/06/21/bushs-foiled-nsa-blackmail-scheme/
- 4) Allegations of affairs, rape, and sexual deviance whether true or false tend to destroy people. Support of Assange decreased after his allegations that came out right after he released his material. We have seen Generals outed by the intelligence community for having affairs, it's possible there is something there.
- 5) Apparently you can also harass their spouses when they are traveling.
- 6) Most of the stuff done under COINTELPRO: http://en.wikipedia.org/wiki/COINTELPRO
Boom. A system to take out the subversives. All without people suspecting.
-
Thoughtful fact-based debate?
"I called for a thorough review of our surveillance operations before Mr. Snowden made these leaks. My preference - and I think the American people's preference - would have been for a lawful, orderly examination of these laws; a thoughtful, fact-based debate." - Obama
Mr. President, how are we supposed to have a thoughtful, fact-based debate about programs which are so secret nobody knew about them until a whistleblower revealed them directly to the public? About a court whose orders are so secret that entire companies shut down when the threat of an order looms, and they can't even say what the threat was?
Without transparency, there can be no debate. Without Snowden, there would be no transparency on this issue.
-
Mozilla should integrate AdBlock plus or similar
It's definitely a good sign. I'm still waiting for integration of AdBlock plus. Being in the top 10 installed plugins means that users want this feature.
I'm not even against ads but I don't like being tracked by ads servers getting my IP address, my browser fingerprint ( https://panopticlick.eff.org/ ), and the page I was reading (referrer).
RequestPolicy and NoScript are two more good plugins for controlling what info your browser gives to who.
But there's more hope of this sort of thing getting into a fork, such as GNU IceCat: https://www.gnu.org/software/gnuzilla/
-
Re:Cell phones must stop broadcasting MAC addresse
You're both right, a little at least. It's perfectly safe to connect to whatever random wifi you run across and use it in the sense it's intended, in the case that you are absolutely certain anything important is actually being encrypted at the application layer where it should be.
For most people, in the real world, they have no idea. Application programmers seem to do a really lousy job of it (as in usually don't even try) so it's certainly not safe to assume. Probably smarter in many cases simply to set your phone to only connect to networks you program it specifically to connect to. And encrypt them, so they cannot be trivially spoofed.
IF they are actually broadcasting their MAC when NOT attempting to connect to a network, that would be a bug to stomp. But I am pretty sure that part was just GP's ignorance.
And, btw, you SHOULD use encryption to browse wikipedia. You should, in fact, use HTTPS Everywhere and attempt to encrypt every single piece of data that is sent out, redundantly. This is because if you only encrypt things that you are worried about being seen, the encryption is suspicious in and of itself, and anyone investigating you for any reason (even just 'because your traffic passed our sniffer') is going to at least see exactly the data they are looking for, they will see the endpoints even if they cannot break the encryption. That 'meta data' may be more valuable than the encrypted message itself.
So if you want digital privacy, don't just encrypt important documents. Encrypt every single thing you can, and encourage others to do the same. An internet where only super-sekrit documents are sent encrypted is a fertile environment for snoops. One where the amount of traffic that is encrypted at the application level already nears 100% may be the only way to regain the privacy that we have lost in the digital era - and it certainly cannot hurt.
-
Re:Frightening photocopier
If you think that's frightening... try reading this:
https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots
-
The global network was already over
- Great Firewall of the UK, China, Iran and Russia
- Undersea cables cut in the Mediterranean knocking entire continents off the network
- Copyright collection agencies deciding what is allowed on the internet and what isn't with no public input or control whatsoever (HADOPI, GEMA, the list goes on for quite a while)
- Several nations' network speeds are so slow as to make the internet unusable for doing anything more than reading text
- Several nations don't have internet connectivity whatsoever (largely island nations, Southeast Asia and Africa)
- ICANN's support of non-English URIs and country-specific TLDs
- US laws like COPPA, CFAA, and the planned CISPA/SOPA, and a USTR hostile to internet freedom
- And this one has been important since the dawn of the internet: ICANN and IANA have always been based in the US and controlled by its government
- The top three biggest TLDs in the entire world (.com, .net, .org) are all administered in the US, and this has been used to establish jurisdiction over servers physically located in foreign countries. (See Megaupload, Rojadirecta, TVShack, and the Pirate Bay) -- frequently at the behest of private industry without due process of law
-
For those that hate ads
-
Re:BAD article, better source, and other notes...
No mention of warrants, is that odd or does the EFF info only apply to computer searches? https://ssd.eff.org/your-computer/govt/warrants
-
Re:Wireshark
Or if you use the proper extension.
-
Re:better title:some common encryption practices s
As pointed out by others, this 'problem' is nonsense because the random number is generated by the client's browser. A government could lean on browser providers, but that puts the 'attack code' client-side and waiting to be noticed.
Trust of keys from providers is a real problem. In order to be certain that a connection is actually secure from listening you have to trust that what you are getting is the real certificate from the service provider, and not an 'attack' certificate generated by some dodgy CA (e.g. DigiNotar and the Iranian google snooping, and others). This can be reduced in some (limited) cases by using certificate pinning, or by using something like EFF's SSL Observatory.
Even if you actually are getting the 'real' certificate, you need to trust that the service provider hasn't already handed that certificate over to government. This isn't just a problem for the current certificate trust model - obviously if the other person is giving away their keys then you're pretty screwed regardless of the encryption system.
Finally, even if the communication is encrypted and the spying group doesn't have the keys, you still have to trust the service provider to not just hand over the unencrypted network traffic or your content anyway.
That's a lot of trust being spread around.
In the case of something like gmail, the solution is more encryption - it is encryption of the content end-to-end rather than just in transit, and with keys only you and the recipient have. That could be personally exchanged self-signed x509 keys/certs or OpenPGP keys, or even preshared symmetric keys. If you're a bit more trusting, it could be keys signed by a trusted other (a genuinely trusted other, not a large company).
So the solution is more encryption - in part at least. Just not more TLS.
-
Nothing the EFF's plugin could not deal with...
>> you would have to scrutinize the key material in many thousands of connections before you would even start to suspect something was wrong.'
A few iterations of their plugin, to also examine key information and find a safe way to report such concerns.
https://www.eff.org/observatory
The Session Key of the SSL session is what they seek to control. So this is a matter for a secure key exchange protocol to fix.
I don't understand how storing information inside a cookie (which is presumably inside the HTTPS connection) helps the attacker. Since in order to examine it they would have already brute forced their 100 million known keys to find the one that worked. So why do they need any extra information from the cookie?
Maybe a cryptographer can explain if key exchange protocols such as DH are immune to this kind of concern, since don't both ends pick their own random numbers, to derive a usable symmetric cipher key? So as long as each end can trust their own local random number generation, isn't the exchange immune to this attack even if you presume the other end uses same (not random number) every time? They still can not control my RNG and my RNG perturbs the resulting master key. So we just need to make sure there is enough entropy from one end's input to satisfy their end's security concerns.
No, the real problem here is having the remote endpoint simply persist and store for later lookup, or forward in realtime the agreed key the client and server used of any SSL session along with a timestamp and the IP address and port number tuples. This you can never protect yourself from. You have to ask the question, what data would I trust the endpoint with, just like any other kind of relationship?
More encryption is good, because then at least there may be whistleblowers and loss of reputation costing the relevant company some financial penalty, hopefully 10x more than the bribe.
-
Re:Yep, that.
Or Abine DoNotTrackMe, which I marginally prefer over Ghostery because the latter is run by the ad networks (of course, I'd prefer an OpenSource alternative...)
NoScript, Perspectives, Flashblock, BetterPrivacy and HTTPS Everywhere round out the package.
And occasionally PrefBar so I can change my browser UserAgent on the fly, just to mess with 'em...
-
Re:Don't forget
Unless you've taken some odd measures, you're very server-side trackable. Go here and see how unique you are even with no cookies of any kind on your client. As a general rule, any step you take to block cookies or client-side tracking makes you more unique to server-side tracking. IP address isn't the point at all here! I'm unique mostly because I have an unusual monitor resolution due to running in a VM, and ad blocking on IE.
Unless you're so privacy-obsessed that you actually turn javascript off everywhere (plus a bunch of other tuning), you have a personal signature available to every web page you visit, and most pages these days phone home to the Google and Facebook motherships.
Today, there's no connection between that tracking and law enforcement. That we know about. Yet. So nothing to worry about, right?
-
Re:Please Also Note
CALEA also requires that encrypted communications be decrypted.
True, within limited context. CALEA requires that the communication providers and equipment decrypt. If you can communicate with general-purpose equipment and networks (e.g. PCs and the Internet) where your software handles things, there currently isn't any law in the US which require it be decrypted. That is why the government wants a "CALEA II," to make it illegal for people to write or use secure software, such as ssh or gpg.
The reason Skype isn't legally allowed to be secure, is that Skype software completely relies on the Skype service, and the dedicated service both falls under CALEA and has a single point of pressure (currently: Microsoft). If the service were something generic (e.g. use any XMPP server) and replaceable, and if the client software handled the security, then CALEA wouldn't apply. Beyond CALEA itself, governments and other powerful entities can use force against software makers, so just make sure: 1) your software is not single-source; effectively this means it needs to be Free Software 2) it uses generic networks, and the software secures things at the endpoints rather than relying on the service to magically apply security (which is hilarious when you think about it).
Skype's security problems remind me a lot of some basic strategies for computer freedom in general. While Free Software and standardized services are usually preferred because they're most likely to not work against the user's interests (and if they do, it's almost never deliberate), there actually do exist situations where a proprietary service or application may be fairly safe. The trick is to never, ever use a proprietary application with a proprietary service, combined. As long as one or the other can be replaced, you have a means of keeping the overall system "honest" and responsible to the user.
So while, for example, the iTunes application may be a rather shittier-than-average media player, it's actually fairly safe to use it as a player. Just don't use it with the iTunes store or you're risking getting into a single-source trap. Or if the iTunes store were to open its protocols so that other applications could transact with it, it would be just fine -- just don't use the iTunes application with it. Similarly, nearly all websites are effectively proprietary (e.g. they're not running GPL3 code) but that's totally not a problem, because your Firefox or Chromium or Konqueror lack special code to screw you over, by for example, locking you into any of these websites (or, say, by leaking session keys to third parties).
The problem with Skype is that you can't use it without the Skype network. And you can't use the network without their app. Together, it adds up to an application and network which are nearly useless, because you'll never be able to trust them. CALEA is almost the very embodiment of the general problem, written into law (!) and limited to the domain of communications. You can see echoes (but they're not quite as clear) of the same user-screwing idea written into other laws applying to other domains. e.g. DMCA, which is used to tie proprietary content to proprietary players, keeping users from being able to legally do things the right way (i.e. retain the capacity to "fire" their player or provider).
-
Re:I would like to see proof of this
It's in the opinion issued by the appellate judge, pg 8, last paragraph.
-
Re:Ob Linux post
Nope, not even close: https://www.eff.org/who-has-your-back-2013
Even if you believe the stats that the companies tell you, who the fuck cares that microsoft is worse? I already said they are dead in that area but all your desperate microsoft hate and google love prevented you from parsing basic text, you ignorant drone.
Your employer (Microsoft) handily beats them in the amount of your personal data they siphon off from their services and OS. Still, carry on with the Scroogling, I guess you need to earn your money somewhere.
Oh fuck off, you *know* you can't objectively discuss this so you resort to that pathetic drivel. I said nothing about microsoft being any good, in fact they probably are worse, but who gives a fuck? They are irrelevant in that area, I already even said that but you're just trying to skew the discussion away from Google being evil by saying Microsoft is more evil. Willfully ignorant fanboy.
-
Re:Ob Linux post
when it comes to devices that send off your data to 3rd parties for analysis and profiling Google's are top of the list.
Nope, not even close: https://www.eff.org/who-has-your-back-2013
Your employer (Microsoft) handily beats them in the amount of your personal data they siphon off from their services and OS. Still, carry on with the Scroogling, I guess you need to earn your money somewhere.
-
Re:Executive Power
It is amazing how the behaviors of large organizations change when profit is involved.
-
Harder done than said
National Security Letters, which are similar, result in a lot of difficulty challenging the gag order without violating the gag order.
At the eff, they talk about national security letters. They have made some progress in challenging the gag orders, but this is years later. The recipient of this gag order would likely not have even been able to get it into court before they had already removed it 9 months later.
The OP was served with a FISA warrant, which is apparently more rare and somewhat different. I don't know much about these, but the eff has some info here.
-
Re:Three words...
Three more letters EFF and three more words The SSD Project and now a link https://ssd.eff.org/your-computer/govt/warrants but swatting can be the real killer https://en.wikipedia.org/wiki/Swatting
-
Re:This is why I turned off backup
Think again. When it's privacy related they're pretty much at the bottom. They do put a lot of money into marketing though, and based on profit margins, I'd have to say it seems to be a smarter choice than security and privacy related spending.
-
Re:Not going to solve the problem
"How they came to that conclusion is a secret."
It does seem to run contrary to how they behaved before they had much power.
The NSA has every conversation they have made since ~2000 recorded and analyzed. You can see from this article that the NSA has been interested in controlling politics with blackmail for some time.
-
Re:C|Net
Here's a link in case anyone has no idea what I'm talking about.
-
Re:fourth amendment vs. first amendment
They are making a fourth amendment argument too. Three of the five counts of the complaint (https://www.eff.org/node/75009) are for violations of the first, fourth and fifth amendments.
-
Re:This is why I bought a Chromebook
You may want to have a look at this.
-
Re:Bravo EFF
You can also pay with Bitcoin.
EFF donate
-
Re:Bravo EFF
Thanks for the reminder. Here's another -- multipliers aren't just for video games. See if your company does donation matching -- the EFF is a 501(c)(3) nonprofit.
-
Re:Do Not Track...
it says a lot for the people that bought into the DNT, they'll buy into just about anything. Uncheck your third party cookies in your browser and that should take care of them tracking you to other sites. I have a multi purpose firewall that kept finding tracking cookies until I cut out third party cookies now it doesn't find any.
Your measures are... outmoded.
Sure, cookies make things markedly easier (since data persistence is what they do, in a sort of feeble, hacky way); but there are so many more bits of information available if you want to fingerprint a user. Even better, the ones that squirm the hardest against the easy methods tend to end up with the most unusual configurations.
-
Re:Why First Instead of Fourth?
They already tried to use the Fourth Amendment. Problem is you basically have to make the government admit to how they violated the fourth amendment:
"The EFF is demanding that the Justice Department immediately process the records previously requested under FOIA and are asking for the feds to compensate them for any attorney fees incurred in their lawsuit against the government.
'As Congress gears up to reconsider the FAA, the American public needs to know how the law has been misused,' EFF Senior Counsel David Sobel says. 'The DOJ should follow the law and release this information to the American public.'" http://rt.com/usa/blanketing-spy-program-information-983/
More...
http://arstechnica.com/tech-policy/2012/08/court-ruling-that-nsa-spying-violated-4th-amendment-remains-secret/
http://ncjolt.org/eff-seeks-answers-from-secret-court-in-ruling-on-nsa-spying-violations/
https://www.eff.org/document/complaint-19
-
Re:You have got to be kidding me
It has been well established case law that phone records are protected by the 4th amendment. linky There are lots of links both for and against. Mostly the 'for' rulings are the appeals and overrides of the rulings that said that records were not subject to 4th amendment.
Similarly, the police need a warrant to get your email. If it's 180 days old on the server, then they don't need a warrant.
-
Re:DuckDuckGo Response
Wonderful response!
I'd also like to throw-in the fact that DDG is a big proponent of SSL as well. Their website redirects you to their SSL site, and all their search results will send you to the HTTPS version of a site, if it exists (eg. Wikipedia). Things which other search providers do not do.
So, in the context of the NSA tapping all internet communications (which we know for a fact they have been doing since 9/11/2001: https://www.eff.org/nsa/hepting), DDG also provides much more privacy and security than any other major search engine, which don't take these steps at all.
-
Re:no crystal ball required
Check out https://panopticlick.eff.org/ and all the things that JavaScript can potentially reveal to the sites that you trust to execute JS. My favorite is that the list of fonts you have installed can uniquely identify you.
You also missed the obvious settings regarding cookies, your browser cache, referrer tags, and user agents. I assume that was just oversight.
Yes, I know NoScript will block all JavaScript if you're ruthless, but that means never letting your desire for convenience, functionality, or access to a site allow you to bypass NoScript, ever. And make sure you're blocking Flash and Java as well.
-
Re:Fuck 'em
I watch movies for free all the time over at a friend's house. He rented or bought them, I paid nothing. If he loans me the physical media, is that illegal? I still paid nothing. Now just stretch it a bit further and say he ripped it for the purposes of back up, then loaned me that copy? There isn't a lot of difference in these scenarios, and it proves, that yes, you can legally watch movies for free sometimes.
Well, no, there actually is a difference in those scenarios. In the first scenario, you are not breaking the law or committing a crime. In the second scenario, a DVD is being decrypted. This is a violation of the DMCA and a crime under US statutory law. You should always strive to be aware of the laws that you break. https://www.eff.org/es/wp/unintended-consequences-under-dmca
-
Re:no crystal ball required
"You already use the internet, they should be able easily to associate your IP with your identity. "
only if you are a complete fool and use your home internet for most things.
they cant find me in the noise of a starbucks connection.
Unfortunately for you, the combination of browser plugins you use is basically unique (see https://panopticlick.eff.org/) and more than sufficient to track you.
-
Re:EFF is a mixed bag
The EFF want to ban your spam filters - they consider them to be "censorship", and unacceptable (unless there's never, ever a legitimate email accidentally blocked for any user - which isn't possible, even theoretically).
http://w2.eff.org/spam/position_on_junk_email.php
(Old document, but still their current position).
Now that is a very creative (i.e. totally fucked up) interpretation of the EFF's clearly stated stance on spam. In point of fact, the EFF explicitly supports "your spam filters". To wit, "On a larger scale, EFF supports combatting spam by providing end-users with adequate tools to filter unwanted messages on the receiving end."