Slashdot Mirror

Please read my page Why You Should Use Encryption.

If you get your mail from and put web pages on a hosting service, then at a minimum you should use one that provides secure shell (ssh) and secure copy (scp) access. One such hosting service that does is Seagull Networks. Does anyone know any others?

When you retrieve your email via POP or load a web page via FTP your password is being transmitted in the clear. You have no control over which routers and cables it passes through in the process, so you have no way of knowing if someone's running a sniffer on a compromised host. Usually you have no knowledge even of the route, unless you go to the trouble to run traceroute regularly.

You can download your email via an encrypted channel with ssh port forwarding if your mail host provides ssh. The instructions given are oriented to the BeOS but apply in general to any OS for which an SSH client exists.

If you run a website that uses passwords please consider allowing the users to enter their passwords via SSL (https).

If you use websites that require passwords, please use a different password for each site. At the very least, use a unique password for your important sites, like your email, web pages and financial sites. If you keep the passwords in a file (which you may have to do because there are so many sites that take passwords), encrypt the file.

Be aware that most sites that have passwords do not encrypt them, otherwise they wouldn't be able to send you your password reminder in clear text. I've even used sites that mailed out password reminders in the clear every couple months just to prompt me to use the service. Note that anyone at the site who has root access, anyone who compromises the site or anyone running a sniffer on or near the site will be able to catch your passwords.

Also I think it is very likely that many websites are provided for no other purpose than to collect passwords for later use by crackers - beware of that free trial and use a unique password if you must accept the offer!

Use the anonymizer or, if you have Windows 95 or 98, Freedom to protect your privacy while you web surf.

Finally, do you use a laptop computer? Do you have files on it that you don't wish to share with the random stranger who might steal it someday? How about your competitors? A thief won't likely be in the direct employ of your competitors but they may recognize the value of the information and sell it to them, or even post it on the net for fun.

And remember in this information age the information on our computers is more valuable than the hardware itself, and unlike car stereos can continue providing value to a thief because, once it is fenced, it is still available to be fenced again.

Depending on your OS, you should use PGPDisk or the Linux encrypting kernel on your laptop.

Consider encrypting important information on your desktop too. A friend of mine who is a software developer lost every machine in his company in a robbery - source code, strategic plans, and the customer database.

I know of two cases where laptops were stolen from intelligence agents, once during the Gulf war, and once from an MI5 agent while he'd set it between his legs at a train station. Good thing they used encryption!

Finally, read the Forum on Risks to the Public in Computers and Related Systems available on the Usenet News as comp.risks and on the web at http://catless.ncl.ac.uk/Risks

Tilting at Windmills for a Better Tomorrow

"Hey, hey! Ho, ho! 100110!" - Robot rebels in Futurama

"Hey, hey! Ho, ho! 100110!" - Robot rebels in Futurama

Each server peels back one layer, so it never knows more than "the last hop was machine X and the next hop is machine Y" -- theoretically you could trace the path back, if you could subpoena 3-5 different companies across a couple of continents... feasible, but difficult, and that'd still only get you an IP address.

Anyway, it's quite a neat system but unfortunatly crashes a little too often for my tastes. Still, given time...

In the spirit of fun, here are my predictions. Take with a grain of salt, of course.

e-commerce

The development of e-commerce will continue in full force. However, today's piddly little oracle-backed web sites will look remarkably primitive by the standards of 2010. When you place an order, the back-end will automatically negotiate with a worldwide network of fulfillment centers and choose one with the optimum combination of availability, shipping cost, and delivery time. The majority of delivery trucks on the road will be carrying out Internet-placed orders. By 2010, GPS transponders will start allowing the network to dispatch delivery trucks in real-time, based on the current location of the truck and the planned route.

This evolution, I feel, is very likely to happen. The economic incentives are there. Whoever masters it will be able to provide better service at lower cost.

This type of technology has the potential to enable a large number of small providers. However, over the next few years, there will be a strong trend towards consolidation and megamergers, to try to bring down the transaction costs.

media

The Internet will be the primary distribution channel for most people to listen to music. In addition, a significant minority will be using it for high-quality movies. In fact, the agility of the Internet will be what finally brings HDTV movies into your home. This will require a pretty big pipe. High-tech people will be eagerly awaiting widespread deployment of gigabit fiber to the home. Actual transfer rates will be more like 10Mbps, but this will be plenty adequate for downloading your favorite HDTV movie overnight.

rights management and freedom

The current intellectual property wars will rage on unabated for the next 10 years. People will slowly start to get the clue that tightening up the IP laws benefits corporations at the expense of people. Nonetheless, the corporations will continue to put up a strong fight due to their political power, PR, and money.

Ironically, overly tight enforcement of intellectual property will finally spur the deployment of technological solutions to privacy. Being able to pirate music and movies in peace will finally provide a large number of people with a good reason to be securely pseudonymous on the net. Thus, we will see the realization of the cypherpunks holy grail as discussed over the last 10 years. Freedom is a harbinger of this direction.

The majority of people will prefer to avoid the hassle of piracy and just pay out to the media corporations. However, these corporations will finally start getting the message that they're actually competing against "illegal" distribution of intellectual property, and start providing attractively priced products designed to appeal to the "swing" demographic of young, technologically savvy males.

http, html

The Web will continue to suck, although arduous progress will be made. Around 2005, a proposal will come forward that integrates consistenly rendered typographic quality text, graphics, and good internationalization, while being able to print at full graphic arts quality. This protocol will also be a decent UI for interactive content. The inner format will be nicely structured so that it can be effectively searched, spoken aloud, etc.

Of course, all the technology to do this has been around for a while. It's just that the vendor cabal making up the W3C won't be able to agree on any of it.

conclusion

I have no idea whether any of these predictions will bear out. However, I predict with great confidence that the next 10 years are not going to be boring. May we live in interesting times!

Other options:

1. Use another browser. I recommend Opera.
   
2. Install IDcide. Seems to work for me.
   
3. Use a "cookie managing" anonymizer like PrivadaProxy or Freedom. They aren't free...I prefer Freedom...and not just because the link includes my affiliate ID :-)
   
4. Use a "cookie managing" Web-based proxy. If you are going to surf promiscuously (whatever that means) where this exploit might rear its head, you can use The Cloak which is distinguished from Anonymizer et. al. in that it caches cookies remotely. Bandwidth limiting and you have to remember to use it, but it's free of charge.
   
5. Live with it until the fix is in.

   A proxy comparison chart
   

How can I mask my IP number when going online (through IRC, web, napster, etc.)? And I mean really anonymous--no logs to be revealed under court order.

freedom.net

It's an implementation of Chaumian mixes (similar to the cypherpunks remailer network) and it is _really_ anonymous.

Zooko

.. now that I wasn't aware of.. I see so many companies advertising shells for the sole perpose is to run an irc bouncer.. *shurg*

As for the bouncing/encrypting, Zero-Knowledge Systems wrote a piece of software called Freed0m, which does just that. Of course there is a free trial available.. it's quite cool -- it acts as a proxy.. only with a gazillion (I'm guessing at the exact number) layers of encryption. Check it out, it's definately worth a look.



.- CitizenC (User Info)

.. now that I wasn't aware of.. I see so many companies advertising shells for the sole perpose is to run an irc bouncer.. *shurg*

As for the bouncing/encrypting, Zero-Knowledge Systems wrote a piece of software called Freed0m, which does just that. Of course there is a free trial available.. it's quite cool -- it acts as a proxy.. only with a gazillion (I'm guessing at the exact number) layers of encryption. Check it out, it's definately worth a look.



.- CitizenC (User Info)

I don't understand why it's not possible for a man-in-the-middle attack. If point A transmits to B, and X is in the middle, what prevents X from simply decoding A's message, and passing it on to B with its own key. Each person at A & B would never know there signal was being intercepted; especially since its a one-time scratch key. There would be no verification between A & B directly, only between A & X; X & B.

You could argue that A could simply tell B in its message what its keys hash or CRC was. A protocol could be introduced to do it automatically, but X could simply modify the protocol to introduce its own scratch key for B to receive. This is no good either unless each party hand keys in there own hash or CRC at completely random spots, and in random ways, in each packet or message.

Zero Knowledge has there own 'Freedom' software package. I know there are other packages like it, but it is the one I have read the most documentation on. It uses DES encryption accross a line of servers wishing to run the Freedom Server Software.

It sort of works like this, though i'm not 100% accurate. The client encrypts there own message with the receivers public key. The first server on the internet encrypts the message a second time with the next servers public key. Each server after that removes a layer of encryption and adds its own to be removed by the next. The message always stays encrypted, but the second layer of encryption is to hide where the message was last sent from.

Somehow in that method, any fullscale attack on a router or servers packets will only give you the last hop of the message, nothing before it; and good luck using a word file to brute force a message encrypted twice.

This client - server - server . . . - client encryption routine could be used on a large scale with one-time scratch keys, but it still leaves the man in the middle attack open. All one has to do is implement packet forwarding on one of the servers, and the encryption routine, though repeated up to 20 times accross the internet is entirely useless.

With Freedom's DES routine however, a public key is used meaning the encrypted message can be double encrypted by each server and forwarded, so once it is unencrypted by each server to forward, it is still under a layer of encryption. (Believe that's the methodology).

By introducing encryption at the physical point-to-point transmission level, you lose the power of obscurity; your method for developing a key of any type is right there in the transmission itself. Encryption atleast requires the Obscurity of the decrypting key! That's why you don't pass someone a scratch-key encrypted message with the scratch-key at the same time.

http://www.freedom.net

On a related note, Zero Knowledge Systems sell a 'total internet privacy' program called Freedom. Have a look at the FAQ. Has anyone experience of this product? What are your impressions?

raw cod annoy sumo

On a related note, Zero Knowledge Systems sell a 'total internet privacy' program called Freedom. Have a look at the FAQ. Has anyone experience of this product? What are your impressions?

raw cod annoy sumo

Zero Knowledge Systems sell Freedom. Have a look at the FAQ. Has anyone here used this product? What are your impressions?

raw cod annoy sumo

Zero Knowledge Systems sell Freedom. Have a look at the FAQ. Has anyone here used this product? What are your impressions?

raw cod annoy sumo

IMHO, there's little one can do to ensure their privacy and anonymity. TrustE is only as good as the policy is, and the word of the licensee.

You won't get anything 100% with someone's policy or word. The only 100% is when it is physically impossible to violate privacy / anonymity.

Some of the mathematical theories I have faith in suggest that 100% privacy / anonymity is unattainable, but practically speaking, things like freedom and AT&T's Crowds is about as good as you'd ever want for the privacy / anonymity level provided.

Also, I'm working on an anonymity project, involving a cooperative network of computers to ambiguate the source. Many common services are possible, and their use is transparent (i.e. you can use pine, elm, kmail, netscape, or whatever you like for email). The link's in my .sig

---
script-fu: hash bang slash bin bash

Would something like Freedom.net allow you to get around this whole internet tax thing by concealing the physical location of the point-of-sale?

Mr. Pierce said it wasn't easy, I think that his point is that it's possible. If there's demand, the market will make privacy easier. I think that there's demand and investors seem to agree. A good thing, IMO, because I strongly doubt that regulators would also agree.

Professor David Post wrote "What Larry Doesn't Get: A Libertarian Response to Code and Other Laws of Cyberspace" just recently. It's quite a good read*.

While it hasn't gotten nearly the net.hype Professor Lessig's work did (Post is not from Hahvahd, after all, I think he's from Temple) but I think it's well-done. (I'd be interested in any Lessig rebuttals to that Post rebuttal, though.)
JMR

* I assume that my mention of the dreaded "L. word" will cause downward moderation, and I also don't care. :)

Freedom

I think that a lot of what people here aren't noticing yet (mostly 'cause it involves a lot of reading the Zero Knowledge/Freedom docs, etc.), is that Freedom isn't for anonymous internet, it's for pseudonymous use--if you're not careful (e.g. by switching to another pseudonym while on a site which actively places/updates cookies), you can have your pseudonyms connected together--or to your real name, if you shut off Freedom while surfing...

You can check out their page for lots of details on what they have going on.... It can take a little digging, but there's lots of info there...

From their FAQ:

How does Zero-Knowledge limit spam abuse of Freedom?

Zero-Knowledge is very much aware of the possibility that our technology may be used by spammers to distribute unsolicited commercial email. To discourage this, Freedom attempts to limit the potential for spam through a number of measures:

* Limits on the total number of recipients/newsgroups to which email may be sent on any day
* Reduced limits on the total number of recipients/newsgroups to which email may be sent on any day for trial nyms
* Limits on cross-posting to newsgroups
* Limited lifespans for trial nyms, discouraging their use for spamming purposes
* Internet users can block email from any particular nym

Moreover, Zero-Knowledge has a 'no-spam' policy which it will try to enforce, and reserves the right to delete any nyms or restrict users ability to send email for spamming on the Freedom Network. That said, given Freedom's design goals of complete privacy, if an individual hides behind a nym to send spam via Freedom, Zero-Knowledge will be unable to determine the identity of the nym's owner or to associate a particular nym with any others owned by the same individual.

Operating System:

Windows 95, Windows 98

Internet Connection (Modem or LAN-based) using standard Microsoft TCP/IP

Obtained from freedom.net webpage.

Right below you have Mozilla getting PKI source, and then you have an ex-Mozilla going to Zero Knowledge. Why is this significant? ZK is the maker of the aptly named "Freedom" (from privacy invasion) software, which acts as a very interesting model of secure internet access. White papers are here, and they've truly redefined (or is it defined) a new model for providing inet access privacy. I wonder if Mike Shaver's old ties at Netscape/AOL would help in the distribution of Freedom...

What Freedom basically does is provide you with different IDs to navigate the Internet. It also keeps your cookies in different profiles, and basically allows you to forge a complete "identity", or multiple ones, to surf. It's anonymity without the need for a proxy or any such crap.

It's too bad it's a proprietary project, though... I would figure that these guys would dig Open Source. I'd sure love to take a peek at their code and algorithms.

Cause right now, the price tag is a bit stiff.

(Hey Sig. :) )

Anonymity *can* work. Check out Freedom for one example. Proxying is the way to go - non-logging proxies, that is. Does this impede law enforcement? Yes, but only if they're very stupid and don't know what a packet sniffer is.

Another thing about anonymity - I can run off 100 copies of a position I hold against our Governor, which in this case is Ventura (I live in MN) and post it up across the twin cities - anonymously. To do this on the internet, I can use a service like Freedom. There are plenty of alternatives with equal functionality (so don't think I'm plugging /just/ this product), however.

Anonymity isn't dead... the problem is that modern media has the collective intelligence of a lobotomized flatworm... *sigh* it's very easy to cover your tracks... if it wasn't so-called "hacking" (it's cracking, ppl!) would be impossible.

Handle your own security. The Freedom client has been released! Your ISP could transmit everything on open airwaves in the clear, and nobody will be able to tell even what sites you're visiting.

...and they said I was *too* paranoid. This is very scary. Of course, this makes me wish that Zero Knowledge would hurry up with a linux client.

AFAIK, this is exactly the kind of thing that Freedom servers are made to prevent. The Freedom Network is designed to use strong encryption and other techniques to make it not possible to track your internet access. encryption makes sure they cant read it in the network, and proxies make it impossible to trace back to you. anti-traffic analysis makes sure they dont even know if you -are- using the net at a particular time.
has anyone tried Freedom? ive just read their www.