Interview With Mozilla's Ryan Merkley: Tracking the Trackers
colinneagle writes "Among the eye-opening statements in his recent TED talk, Mozilla CEO Gary Kovacs said, 'Privacy is not an option, and it shouldn't be the price we accept for just getting on the Internet. Our voices matter and our actions matter even more.' After you download and install Collusion in Firefox, you can 'see who is tracking you across the Web and following you through the digital woods,' Kovacs stated. 'Going forward, all of our voices need to be heard. Because what we don't know can actually hurt us. Because the memory of the Internet is forever. We are being watched. It's now time for us to watch the watchers.' I've been using Collusion for some time now and it is jaw-dropping to watch all the sites that still stalk us across the web even with DNT and privacy add-ons. The Collusion page states: 'The Ford Foundation is supporting Mozilla to develop the Collusion add-on so it will enable users to not only see who is tracking them across the Web, but also to turn that tracking off when they want to.'"
Collusion Download/Demo. Looks like a pretty nifty tool. And completely without flash!
The Mozilla Foundation reportedly receives ~$300 million annually from Google.
Google is certainly an interested party when it comes to tracking user behavior.
Is this really a good move for Mozilla strategically?
And all our yesterdays have lighted fools The way to dusty death. --Will
"Among the eye-opening statements in his recent TED talk, Mozilla CEO Gary Kovacs said, 'Privacy is not an option, and it shouldn't be the price we accept for just getting on the Internet.
Evidently, Gary has never met Mark Zuckerberg.
I'm just a random Tor exit node, up one day, down the next, replaced by another random exit node.
Use the Tor Browser Bundle:
- https://www.torproject.org/
Read the Tor OPSEC article:
- http://cryptome.org/0005/tor-opsec.htm
- https://www.schneier.com/blog/archives/2012/01/tor_opsec.html
"HUGE Security Resource" - enjoy a smart selection of Security
Blogs and other security related information
- http://pastebin.com/Cm2ZHuz3
This is nice as a tool to increase users' awareness, but I don't see the point of using this add-on more than a couple of minutes.
Then you install ghostery if not already done, and you forget about trackers...
And therefore Slashdot itself forces two of them upon you.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Title says interview with Ryan Merkley, TFS says Gary Kovacs at TED talk. Maybe I'm just new here, but does anyone read anymore?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Just as well that computer of yours is off line.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Okay we know that Google, Facebook and other companies have a tracking system in place. But who's really watching? Is it possible that Larry Page or Mark Zuckerberg is reading this post right now and will click his iAmWatchingU app to find out who typed these words? Or is some other sentient entity looking over me like the deity of some theistic religion.
Maybe the greater danger isn't that we are being watched, but that algorithms are now in control of our lives, processing, analyzing, bankrupting us in a way where sometimes the only human intervention is someone clicking OK.
Because the memory of the Internet is forever
Provide a feature in Firefox to not request pages not on the current domain.
All those embeddable scripts are now useless and centralized tracking dies a horrible death. The overheads of doing this server-side would be crippling financially.
The idea is not to fight a losing battle, but to make it expensive and financially nonviable.
http://www.ghostery.com/
Politics is Treachery, Religion is Brainwashing
The reason why I would rather use blocking in my DNS server or software over the hosts file is because the hosts file cannot block hostnames on the basis of wildcards.
Also, a question for you, why do so many host file blocking providers use 127.0.0.1 instead of 0.0.0.0 (also can be shortened down to just '0' on many OSes, thereby saving memory) or 255.255.255.255? I find the fact the browser tries to establish a TCP connection is fairly annoying and slows down browsing more so than the addresses I have provided.
Change is certain; progress is not obligatory.
It is nice to see things like Collusion and Ghostery (will install when I get home), but I think power users of the internet and those of us that care about privacy and a free internet need to take it a step further. We need to not only stop tracking, but also figure out ways to mass spoof trackers and begin corrupting their data. If, on some mass scale, we can figure out how to report bad data to advertisers, they lose all power.
Mass advertising is the biggest scam of the last 30 years. These people provide no tangible service and their value is nothing more than perception. They degrade the quality and integrity of almost every medium. Let's figure out how to change the perception.
Does anyone know what ever happened to that project for salting the tracking data with false positives? I think it was called "Antiphormlite" and it had gotten up to version 1.3 I think.
I see it talked about on teh google but there doesn't seem to be any place it can be downloaded.
I love the idea of fouling tracking data. It's not enough to "track the trackers". I want to make sure they go away unless they reform themselves.
This is one of those areas where the "free market" is not going to come up with a solution. People say, "I want privacy" and the Free Market says, "Fuck you, pay me."
It's going to take vandalism on a massive scale to fix this one.
You are welcome on my lawn.
He's the Anonymous Coward with most negative karma.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The fact this AC has a lot of knowledge does not make him less of a troll.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
I use Ghostery, an excellent tracker-phage for Firefox and Chrome. I installed Collusion and was a bit miffed it wasn't working, until I realized why: Ghostery works, period. It seems to me that Ghostery's list of web trackers already provides what Collusion is trying to create, so what is the point?
Only reason why the DNS server would be down on my system is if I shut down the daemon or turned off the computer - It runs on the same system and makes little difference when it comes to performance since my Linux systems use caching DNS daemons otherwise.
I haven't noticed the difference honestly, it's that insignificant. Maybe if I was still on a 200Mhz system though...
The DNS caching daemon most distros use ends up being just a specialized configuration of a DNS server. Sorry, I don't run my systems without a DNS cache, so I'm unlikely to see any of these benefits. Nor do I even notice any CPU usage being used up from using it?
Dig measured 1ms time for a query for www.google.com ?
What bugs have I experienced again?
Sorry, I don't understand. If I made my DNS server an authoritative server for a domain to block access to the domain, how does an exploit to do with resolving, which means my DNS server will not even attempt or accept resolution for that domain mean it will get affected by that particular exploit?
Change is certain; progress is not obligatory.
Seems like a lot of people are praising Ghostery, which leads me to believe that you haven't heard the backstory.
Evidon, which makes Ghostery, is an advertising company. They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons. Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy. Evidon bought Ghostery, an independent privacy tool that had a good reputation. They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned. The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.
When confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today. They took an open-source type tool, bought it, turned it from something that’s actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.
To sum up: Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money. That's an inverse relationship. Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers. Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information. They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.
I'm disappointed with Mozilla's approach to privacy (or lack of it). Currently the biggest danger for privacy is not tracking (your bank also tracks your transactions) but collecting all the available threads of information to build a fairly complete profile of the user. Yet Mozilla is pretty much ignoring the problem to the point it is difficult to differentiate Firefox from Google Chrome (a browser specifically designed for collecting information).
The only thing I ask for is a good identity manager (Multifox v.1.x is pretty good) and a convenient cookie manager (for lack of better alternatives I use CookieCuller). Things I *don't* want are "do not track" efforts, which change nothing, except for giving Mozilla an undeserved label "we care".
Your TODO list:
Make the damn identities and cookies first class components of the browser and let the users control them as easily as they control URLs or tabs. In my current setup, I have several Firefox windows open, each with a different user being logged into Google/FB/you_name_it, and with different sets of cookies allowed. This works pretty well but currently this setup takes too much fiddling to work.
Identity management should be integrated. Period. Not as a clumsy session management dialog box, which only shows up at start-up (if you ask for it). Identity name should be displayed in the url/title bar, and integrated with the context menu ("Open as ...", or "New Window with Identity ..."), bookmarks, URL bar etc.
Cookies are still waiting for a good manager, with some sort of user contributed black/white lists (like Adblock did for URLs). Filtering cookies should be as easy as "block cookies from this provider when browsing as ..." (note that identity shows up here too).
Kat Sung, is that you?
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Just because two websites use the same service doesn't mean that data is shared between those two customers, e.g. Google Analytics,
You came up with things that were not relevant to me. I'm not infected by DNSChanger for example and have not experienced issues caused by it, and I doubt I ever will. You forgot to mention that there is malware out there that will also modify your hosts file, as opposed to DNS server settings - Both can be equally exploited this way.
To be honest, hosts would likely be slower for what I do in DNS. An example of doing a wildcard in hosts would require me to generate a hosts file that had every single combination of a subdomain and its subdomains for each domain blacklisted. I'm pretty sure hosts would end up using more memory and be slower with that amount of records. Not to mention notepad would likely lock up for a good long while, considering it stalls loading files that are 1MiB, never mind larger files.
But as for the actual impact of my DNS server. I'm not seeing any time difference on my system while running a compile on one of my large projects when I turn the DNS server on or off with dig running in a bash script while loop performing a look up,
What exactly am I supposed to be crying about? I'm not seeing the impact at all on my system.
No, it's mixed mode. Any zones that are set up authoritative for blocking in the name server are not recursive, just like with a hosts file, it won't go out and attempt to resolve it and it's superior in the way that it won't even resolve an IP address, so the browser won't even try connecting to the address because it was told there were no records available for that type of query.
For anything that isn't blocked, the DNS server uses forwarding mode, using TCP instead of UDP with Google DNS.
By default the DNS caching daemons in various Linux distros are actual DNS servers that are set up in forwarding, cache mode. I've only modified my setup to act as an authority DNS server for domains I want to block too.
Even if I switched to recursive mode, it wouldn't be vulnerable, since I have the server set to use TCP instead of UDP for queries.
My zone files are plain text and can be edited by any sane text editor?
The truth that I need to type out an SOA line at the top of a zone file? Oh nos.
No, I told you I don't have issues. I even explained to you in my initial post why I don't use hosts file, which was to do with the fact you couldn't have a wildcard entry.
(For the curious: I initially started using TCP because of packet loss issues on my home Internet, then later saw no need to change it as it didn't affect my DNS resolution enough to be an annoyance.)
Change is certain; progress is not obligatory.
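The hosts-file versus authoritative-zone difference argued over in the comments above, as an added Python illustration that is not part of the original thread. The domain names, the sample hosts text and the function names are constructed for the example; it models the matching logic only and is not any DNS server's configuration.

```python
# Added illustration. All names and the sample hosts text are constructed.

HOSTS_TEXT = """\
127.0.0.1 localhost
0.0.0.0 tracker.example ads.tracker.example
0.0.0.0 metrics.example   # one address, one name
"""

# Zones the local server is configured as authoritative for, in order to block them.
BLOCKED_ZONES = {"tracker.example", "metrics.example"}


def parse_hosts(text):
    """Map each hostname to its address; one line may carry several names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            # First entry for a name wins, as with a real hosts file.
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def hosts_lookup(table, qname):
    """Hosts files match whole names only: no wildcard, no suffix match."""
    return table.get(qname.lower().rstrip("."))


def zone_for(qname, zones):
    """Return the blocked zone that qname falls under, or None.

    Comparison is done on whole labels, so 'nottracker.example' is not
    caught by the zone 'tracker.example'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolver_decision(qname, zones):
    """Mixed mode: answer blocked zones locally with no address, forward the rest."""
    zone = zone_for(qname, zones)
    if zone is not None:
        return ("no-records", zone)
    return ("forward", None)


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    for name in ("ads.tracker.example", "cdn.ads.tracker.example",
                 "nottracker.example", "metrics.example"):
        print(name, hosts_lookup(table, name), resolver_decision(name, BLOCKED_ZONES))
```

A name such as `cdn.ads.tracker.example` falls through the hosts table because it was never listed, while the zone match covers it without enumerating subdomains.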
And they'll only adhere once the settings are legally enforceable.
The trick to actually being the first post is to not spend any time being cute about it. FAIL.
I wouldn't be too sure of that. Look at that farce they named "Do Not Call". The teleslimeballs aren't afraid and the government doesn't even react to complaints. Government mandates about privacy are a farce.
Since when is "public safety" the root password to the Constitution?
Woosh!
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
If it makes you feel any better, I didn't remember you. But wow, u really mad, bro.
Electricity wise, not enough to make any noticeable difference on my wattage meter when I turned the DNS server off. CPU usage, not enough to even be noticed as clarified before with my compilation test. Memory usage, I'm sceptical that a wildcard in a DNS server for a specific domain is going to use more memory than inserting every single possible combination of addresses for a specific hostname in a hosts file and I cannot be assed to write a generator to test it out. I/O wise, having a really huge list because of previous reason, yeah...
Let's not forget that without this DNS server, I wouldn't have DNS caching on my system, so by removing the DNS server, I lose DNS caching too.
Yes. However those issues do not affect me.
All my zones are split into separate files, although if you wanted it all in one file, I guess that works too.
You can do far more than a hosts file with it, so of course it's going to have more functionality. As for understanding, for me it's simple.
Hey guys, if you don't write your own DNS server, you're a script kiddy.
Change is certain; progress is not obligatory.
I'm the last to suggest I know more than you about some of the subjects you rant about.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Listen mad Guy, I don't know why. But for some reason you think I'm advocating some solution for you, I am going to clarify, I am not. I have never made any of my posts here to imply these are solutions for you. I am highlighting why hosts is not a viable solution for me.
Actually, I pointed out there was no notable difference. You should really be taking from that that if it does have an impact, it's so small, it doesn't matter. Your point really means nothing for my uses in practice and that is what I am getting at.
It uses so many more CPU cycles that I can't even get it to slow down any sorts of intensive processes on my system by any notable differences when it's on or off in practice? This is why not a single fuck is given.
I am not talking about you.
I don't know, the overhead of packet loss and numerous rerequesting might be far worse, since a lot of that won't be done on the kernel, router level? Notable overhead that is adversely affecting everything? Not seen it either.
Blocking an entire domain:
Do the same with a hosts file and you have to come up with every possible combination to block every subdomain too.
What I take from this is that you're saying you're really mad because an 'end-user' or 'script kiddy' as you put it can grasp how to configure a DNS server with little effort and cannot see your arguments being of any note in practice and you need to try to push 'authority' on the subject by posting your CV / resume.
Change is certain; progress is not obligatory.
The more I listen to various mozilla reps, the more I am convinced that they are extremely distanced from reality, and firefox's reduction in market share is direct consequence of this ignorance.
The problems he's talking about have been long solved by "there is an add-on for that" in firefox. Use ghostery. It has a good list of pretty much all meaningful tracking services and offers to block them for you on per-site basis or globally, along with a nice list of all trackers currently tracking you and if they're blocked or not.
And now, mozilla is essentially sponsoring a more gimp version of ghostery? Colour me unimpressed.
For some reason you don't understand, "Electricity wise, not enough to make any noticeable difference on my wattage meter when I turned the DNS server off." - In other words, it's highly unlikely I would see any difference in my electrical power usage. Wattage is a way to express power usage. No notable difference would mean that the numbers being returned are not showing any variance that seems any different from before.
They also use wattage measurements.
According to the data I have here, there is no difference in cost for me.
Again, I am addressing my uses, not yours.
I told you I am using forwarding, not recursion with Google DNS, which means it asks Google's DNS servers for queries that aren't filtered through an authoritative zone.
Cool story, bro.
Change is certain; progress is not obligatory.
Uhm, I said:
In other words, no, I don't run a separate machine for DNS, my workstation has its own DNS server setup - which, by the way, is installed and set up by default by the OS under the forward+caching configuration - I only changed its configuration slightly to support reading zone files for blocking domains. Turning off the daemon showed no real difference in power consumption.
Change is certain; progress is not obligatory.
The hosts file can be shortened even more by appending blocked IPs, rather than a line for each. Like so,
0 badIP-1 badIP-2 badIP-3
And the localhost line can be shortened to,
127.1 localhost
Works in XP and 2003.
Sure, it will have an impact, but not enough to mean anything at all on my system. As noted before, its usage didn't affect power consumption. I noted doing the equivalent configurations I do with a hosts file instead would likely increase I/O, CPU and memory due to its lack of support for things like wildcards, thus requiring a list of every possible combination of a domain if I wanted to block it. Not to mention the fact that when I block an address, the browser gets told there is no suitable response for its DNS query means that it doesn't even attempt to try to do a connection over TCP, and wasting browser resources.
I'm not buying your arguments have any realistic meaning on modern day computers such as mine.
Change is certain; progress is not obligatory.
You have very selective reading. I've clearly stated numerous times now that in practice, it essentially doesn't matter. There is no notable difference taking any effect here. You choose to ignore it, repeatedly.
Change is certain; progress is not obligatory.
Wow bro, your selective reading is pretty bad.
Change is certain; progress is not obligatory.
Google provides the tools to allow you to opt out, and honors your choice.
BS - you have to be logged in to a Google account to be able to opt out.
No, you don't. If you opt out through the Google privacy pages, it installs a cookie which tells Google servers not to track you. There are two different opt-outs, one for ads and one for analytics. If you want to make sure that cookies don't get lost, Google provides plugins/extensions for IE, Firefox and Chrome which will reinstall them if they get deleted.
If you are logged in, there are some other options, many of which are off by default (i.e. opt-in). I think those are orthogonal to the ads and analytics cookies.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
They've already been answered, your selective reading is preventing you from seeing them, bro.
Change is certain; progress is not obligatory.
Because some people either haven't read or don't understand chapters 13, 14, 15 and 20 in one of Google's founder's books, "Artificial Intelligence: A Modern Approach". (13:Uncertainty, 14:Probabilistic Reasoning, 15:Probabilistic Reasoning over Time, 20:Statistical Learning Methods).