How do You Protect Your Online Privacy?

P asks: "In the light of the recent discussions about on-line privacy: What can one do to protect his/her on-line privacy, while still having a enjoyable web experience? For example, are you using PGP for all your emails and Zfone for all your VOIP traffic? Or are there better ways of protecting oneself? Share your tips and tricks."

Easy.

[isometrick]

I don't use the internet.

Re:Easy.

[LordEd]

Let's see you beat that!

I put on my robe and wizard's hat...

Forget it

[Gothmolly]

seriously, if "They" want your data, They will go through your trash, subpoena your pay records and phone records, and tap your phone line. "They" will know more about you than you can imagine, regardless of whether you use encrypted VoIP or not.

Want to feel safe on line? Write your Congressman, tell your friends about IP and privacy issues, affect a cultural change. As long as 51% of your friends are willing to trade freedom (theirs and yours) for security (mostly theirs), you're fscked.

Re:Forget it

[Bios_Hakr]

Politicians don't care. And maybe they shouldn't. There are bigger fish to fry right now.

I understand that in an online community, privacy is a big issue. Just like condoms in schools are a big issue with soccer moms. However, in the overall scheme of things, there are a lot of areas that need to be fixed.

If you really want to make a change, start demanding term limits on the Senate and House.

Demand a Constitutional ammendment limiting the ammount of money a single person is able to contribute to a political party. $500 sounds like a good number.

Demand that lobyists be forced to open their books on all expendatures. Make every cent that the AARP, NRA, NAACP, etc be accounted for and displayed on the web.

Demand that politicians be forced to committ to promises during their campaign. Failure to make serious headway towards campaign promises should be grounds for Impeachment.

Demand that the DoD and other government agencies reduce their budgets while maintaining manpower to accomplish their missions. Do we really need to spend $200m on the F-22 when the $40m F-16 and F-18 is still good? Sure, the F-22 is nice, but would you rather be defended by a single F-22 or 5 F-16s? Do you really think a pilot in an F-22 could take out 5 F-16s?

Privacy is *not* the problem; it's the symptom. When you start asking why our privacy is at risk, you'll eventually come to the core problem. Govenrment corruption and power grabs are the real problem.

Re:Forget it

[QuantumG]

Back in 1998 I was raided by the Australia Federal Police. They were looking for evidence on computer crimes allegedly committed by people I had allegedly spoken to on IRC. They weren't after me, but I was still thankful that my harddrive was encrypted and there we no laws, at the time, that could be used to force me to give up my encryption keys. Had there been evidence on my harddrive that I had committed a crime (there wasn't, unless I'm committing crimes and I'm not aware of it) I would have been facing jail time, even though the AFP did not have any justification to search that computer because of anything I had done.

Re:Forget it

[coaxial]

Demand that the DoD and other government agencies reduce their budgets while maintaining manpower to accomplish their missions. Do we really need to spend $200m on the F-22 when the $40m F-16 and F-18 is still good? Sure, the F-22 is nice, but would you rather be defended by a single F-22 or 5 F-16s? Do you really think a pilot in an F-22 could take out 5 F-16s?

First, we''re not going to be fighting F-16s, MiGs? Sus? Yeah. Mirages and ChengDus? Maybe. But not Fs. Anyway, it might be able to, I don't know. The F-14 was capable of downing six over the horizon targets simultaneously, and we retired that.

You're bigger point about weapon systems being political decisions rather than military decisions is dead on though. The RAH-66 Comanche program started in 1983, and 21 years and $31 billion laters it was canceled. What did Army Chief of Staff Peter Schoomaker say in February 2004 about its cancelation?

[The] Comanche was a wonderful idea up until about 1989. [...] We started seeing that kind of threat disappear, and then it continued to disappear over the last decade." Commenting on the Schoomaker statement, Defense News wrote on 1 March: "Army officials say the move reflects the more elusive enemies and weapons that have emerged since Comanche was conceived in 1983 to find and fight Soviet tank formations. Stealth, once the RAH-66's biggest selling point, is now deemed unnecessary and expensive.

That's just one example of an unneeded, and unwanted weapon systems. Unwanted by the military mind you. Why does this happen? The weapons mean jobs. And one one is going to vote against jobs in their district, and no one is going to vote against jobs in someone else's district for fear of retaliation. Why do you think the BRAC is now (supposably) apolitical and is hella hard to appeal?

Whenever I think about how much money is being wasted on undesired weapons, I think of Eisenhower's 1953 speech to the American Society of Newspaper Editors:

Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and not clothed.

The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities.

It is two electric power plants, each serving a town of 60,000 population.

It is two finely equipped hospitals.

It is some 50 miles of concrete highway.

We pay for a single fighter with a half million bushels of wheat.

We pay for a single destroyer with new homes that could have housed more than 8,000 people.

This, I repeat, is the best way of life to be found on the road the world has been taking.

This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron.

Of course he was nothing but a goddamn pinko.

Easy!

[slashflood]

[x] Post Anonymously

GPG and Thunderbird

[chicken_tonight]

I was using GPG in Thunderbird, linked to my gmail account. This was just for signing though, so it was more to protect my identity than my privacy. I believe GPG does encryption too. It was seamless once it was setup, but I use gmail from too many places. It just wasn't worth it. Here's hoping Google adds support for this sort of thing to Gmail.

built-in security?

This isn't a direct answer, but it's directly related. I've always wondered why network applications don't use encryption by default. For practically everything, from web servers to instant message apps, you have to go out of your way to set it up with any decent level of security.

Why aren't all connections passed over ssl or ssh? I know it's a bit of overhead, but it's not that significant for modern desktops.

Why isn't it the norm to see web servers running SSL? Why is SSL reserved for only financial transactions? For high-traffic web sites, this will slow the server down a little, but isn't that a valid tradeoff?

People seem concerned about the NSA wiretapping scandal, but this would be largely moot if the traffic they were snooping were encrypted. I can't be the only person who wishes encryption was the standard rather than the exception.

Re:built-in security?

[redelm]

One more thing to go wrong and increase support costs. Or if you like tinfoil, 'cuz the NSA want their job easier. There's no way they could snarf anything beyond src/dst/vol/time traffic analysis if most of the net were encrypted.

I suspect some netzis like China (Singapore?) would ban encrypted traffic if they could.

tor

[compro01]

well, personally, if i'm doing something that i don't want traced, i'll fire up tor (http://tor.eff.org/)tor

i currently don't really worry about my email security (if someone wants to read my aunt's cookie recipes, thats fine by me). if i happened to be doing something important, i'd likely use some form of encryption, likely PGP or maybe something stronger.

Disable Cookies

About all I use online is a web browser. For this, I of course use Mozilla Firefox, but disable cookies (except for sites that I know really need them, like online banking) and disable certain javascript features (opening windows, removing location bar, etc.).

I also use adblock to disable tracking sites. You know, hitbox.com and the like which use included URLs to track you by your IP address.

Re:Disable Cookies

[DrSkwid]

the NoScript extension is also a MUST HAVE

From /.'s homepage :

<script src="//images.slashdot.org/prototype.js?T_2_5_0_11 1a" type="text/javascript">

<script src="//images.slashdot.org/common.js?T_2_5_0_111a" type="text/javascript">

<script type="text/javascript" src="http://a.as-us.falkag.net/dat/dlv/aslmain.js" >

<script type="text/javascript" src="http://an.tacoda.net/an/11711/slf.js">

<script type="text/javascript" src="http://a.as-us.falkag.net/dat/njf/104/slashdo t/mainpage_p2_top_right_skyscraper.js">

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
<script type="text/javascript">
        _uacct = "UA-32013-5";
        urchinTracker();
</script>

Re:Disable Cookies

[linvir]

For those of us who don't use Firefox, it's easier and way more satisfying to blacklist those domains completely. Tacoda.net could be in the business of giving away free signed copies of Windows 98 to 3rd world puppies for all I know, but as far as I'm concerned they've dirtied their name with the crappy type of advertising, and I don't want to see anything from their servers. It'll be an annoying day when google catches on and brings google-analytics.com under google.co.uk, though.

Simple

[halcyon1234]

It's simple. Don't ask stupid questions on a forum populated by a good chunk of people who consider BOHF to be non-fiction (and a training manual, to boot).

The ULTIMATE Solution

[ImaNihilist]

Lie. Lie about everything. Writing an email to your friend? Lie about it. Lie about everything that happened to you. Lie about who you are. IT DOESN'T MATTER. Signing up for some new service? Lie. Lie about your name, age, race, sex, address, credit card, whatever. Actually need to recieve the package? Send it to your neighbor and pick it up at the FedEx office with a fake ID that goes with your fake personality. Sometimes if you lie enough to a girl, you even get to sleep with her. Then, if you get herpes you can just lie to everyone else and say you don't have it! IT'S THE SAME THING IF YOU USE WINDOWS AND GET A VIRUS!! HOORAH! The lies will set you free.

I don't

[carlmenezes]

I just simply do not enter valid information. If they wanted valid information, there are enough ways of getting it. The more information a site asks for, the more I make sure that the responses I give are false. If a site only wants say, my date of birth, I might give my real date. If it wants my postal address, telephone number, yada yada without just cause...I will give them wrong info. Its my way of discouraging the use of such techniques. Maybe if enough people do it, then the next time they upgrade their site they will ask only for information that they absolutely need to have instead of every little detail.

Re:I don't

[plover]

Maybe if enough people do it, then the next time they upgrade their site they will ask only for information that they absolutely need to have instead of every little detail.

Heh-heh. You've never worked for a large company, have you?

Employee: "Hey, boss, this data's no good. Most people are just typing a-s-d-f for their names and addresses and registering fake info!"

Manager: "Yeah, but it's really important that we find out what they think of our site. Let's get them to take a customer survey after registering."

Employee: "???"

The only was is to browse the web anonymously...

[bergeron76]

The only way would be to browse the internet from a completely anonymous place like a public library.

Here it is take it!

[B5_geek]

John Smith
1234 Anystreet
Anytown, CA
90210
(123)456-7890

DOB: 1/1/1900
email: aolsux@aol.com
Mothers maiden name: mommy

Easy to remember on any site I visit.
the moral of the story, NEVER give out true information to ANY online site.
You make exceptions on an as-needed basis.
(eg. bank, 1 or 2 trustworthy sites to shop from.)

Re:Here it is take it!

[RedOregon]

It's not a "throw-off" credit card, but my MBNA card has a nice downloadable app called ShopSafe that I *love* and use religiously.

It lets you generate a "one-time use" number, with a limit on the amount and expiration date. Once that number is used, it can't be used again. I just used it to buy a radio for my Harley; the price was about $700 plus shipping, so I made the amount $800 and expiration date two months out.

Once the company uses that number, it's locked. I can go into ShopSafe and reclaim the unused amount afterwards. Even if that company's server (or any other broker company they might use) gets cracked, my *real* credit card number is still safe. I've been using ShopSafe for at least two or three years, for *every* purchase I make online, and only had the throwaway number rejected *once*.

I went to a competitor's site and ordered there.

No affiliation with MBNA, I don't gain anything from this, bla bla bla....

How do I protect my identity?

[Chuck+Chunder]

Easy, I just use someone elses!

Whois records

[Centurix]

I once received an abusive e-mail from some guy who was receiving loads of spam from a source using a rotation of from addresses. My address happened to appear on the mail he received and it he snapped, firing back at me. His mail address was from his family business, looked up the whois information which was correctly filled in. Phone number, address etc, simple google of the domain name showed me forums in which members of the family had posted in, different topics, cars, real-estate. From there I could build quite a profile of this person, his family, where they lived, google earth supplied satellite images of their house. I knew what kind of cars they owned, how much their house cost and when they bought it (purchasing records of individual houses was available online as part of the council areas statistics).

I sent him a mail explaining that it wasn't me sending the spam, and he wrote back apologising, then I explained to him all the information that I'd found including the google earth picture and he couldn't believe what I'd come up with by just roaming around the net.

Using a variety of tools...

[ESRB]

Firstly, tor with Privoxy and a Firefox plugin that makes it easy to switch between it and a direct connection. Others may use FreeNet, but I personally don't bother.

For IRC, connect using SSL (If you trust the network admins. Even if you don't, still better than nothing) and perhaps through Tor as well. For email, anything PGP-ish.

Also, for protecting my files, I use TrueCrypt.

The flaw in only using GPG for "important" stuff:

[KWTm]

i currently don't really worry about my email security (if someone wants to read my aunt's cookie recipes, thats fine by me). if i happened to be doing something important, i'd likely use some form of encryption
 

This reminds me of a joke that takes place in a courtroom:

Prosecutor: Did you see this woman in New York?
Defendant: I refuse to answer that question!
Prosecutor: Did you see this woman in Chicago?
Defendant: I refuse to answer that question!
Prosecutor: Did you see this woman in Atlanta?
Defendant: What!? Atlanta?? I never saw her in Atlanta!

Moral of the story: if you don't pay attention to your email security except when you really need to, then when you do pay attention, someone else would also know to pay attention!

If someone wants to read my aunt's cookie recipes, that is not fine by me. Eat my {/dev/random}-XOR'd dust.

Another approach that works 100% of the time

[AudioEfex]

...Just don't put shit on the Internet you want to keep secret. You never enter it in, it never gets out. AE

Cross platform tools

[Gallvs]

Some cross platform tools I use both under Linux and Windows:

• Firefox with PermitCookies extension (to easily enable cookies on trusted websites) and BugMeNot extension (to avoid compulsory registration at popular websites)
• When really needed (since it's pretty slow) Tor + Privoxy to surf anonymously
• Thunderbird + Enigmail for email
• Gaim + gaim-encryption plugin for IM
• Truecrypt for disk encryption (latest version runs great under Linux too, although there is no GUI yet)
• Throw-away email accounts like mailinator.com

But most importantly: /dev/brain

If you care about your privacy, don't give away your data to everyone!

Technologies to use...

[jurgen]

First off, use Linux. If your OS isn't reasonably secure, all bets are off, and Windows is just too difficult to keep secure for a casual user. With a good linux distro you're much better off so long as you keep it updated.

Secondly use encrypted filesystems for data you want to keep private. I can recomend encfs for Linux http://arg0.net/wiki/encfs... it's easy to use and can be installed with yum in Fedora. It uses file-level encryption which makes possible incremental backups which retain the encryption.

If you want protection from being forced by a court to give up your key, take a look at http://www.truecrypt.org/ . This is a filesystem that lets you keep multiple levels of data encrypted with different keys, and if you give up one key noone can know that there's more data hidden with another key.

For web browsing use Tor, http://tor.eff.or/. Tor is still under development and may not be secure against a focused attack on you specifically, but at least your ISP won't be able to easily spy on you and your IPSs logs (which as we know are being mass-analyzed by the NSA) won't show anything about your activity. Also tor is /very/ easy to install and use, especially with Firefox and the FF tor extension. Also you can use it in combination with privoxy http://www.privoxy.org/ for some protection against malicious cookies and other tricks used by the sites you access.

Plus, here's a good trick for ensuring that your web browser cache, history, etc., can't be easily searched by someone who gets access to your computer... put them on an encrypted filesystem, as follows. Make a script that mounts an encrypted filesystem (asking for the passphrase), sets your HOME env var to the newly mounted fs, then starts Firefox (which now places its cache there because that's HOME), and unmounts the encrypted fs after Firefox exits. You should do this even if your entire home dir is also on an encrypted fs, because your normal home dir is likely to stay mounted for longer periods of time, so this way you separate the risk levels. And it's easy. An additional little-known trick for this: set the LOGNAME env var to something other than your username to let you run a second copy of Firefox on the same X display (so you can have an "insecure" and a "secure" one running at the same time).

Of course use GnuPG for secure email. The Thunderbird Enigmail extension makes it painless.

You should also give money to the EFF and run a Tor server if you can, to help maintain our ability to have some privacy.

Finally, if you are a hardcore libertarian and/or think we should have a truly free Internet, experiment with FreeNet http://freenetproject.org/ and consider donating to its development. This project ran into some dead ends with scalability but the developers have taken a fresh approach and the new 0.7 dev version looks like it might be the start of something that could get big. They have a full-time programmer working on it paid by donations (and he's so dedicated to the ideal that his salary is the bare minimum he needs to live), so consider donating. (Btw., I'm not a libertarian in the political sense, but I think we need a strong counter-balance to the marching forces of fascism, so I donate to the Freenet project.)

:j

Re:Electronic Frontier Foundation, Tor, & Priv

or join the underground network named AnoNet, stops snoops on both the inside and the outside. its a self contained internet on top of the internet running over multiple vpn's, it might even have holes to the outside via a tor or proxy servers, i use it all the time, not only from an anonymous point of view but also the networking experiments, great community, great spirit.

free the nerd inside you!