Slashdot Mirror
Ask Slashdot: How Do You Protect Your Privacy These Days? Or Do You?
An anonymous reader writes "The NSA snoops traffic and has backdoors in encryption algorithms. Law enforcement agencies are operating surveillance drones domestically (not to mention traffic cameras and satellites). Commercial entities like Google, Facebook and Amazon have vast data on your internet behavior. The average Joe has sophisticated video-shooting and sharing technology in his pocket, meaning your image can be spread anywhere anytime. Your private health, financial, etc. data is protected by under-funded IT organizations which are not under your control. Is privacy even a valid consideration anymore, or is it simply obsolete? If you think you can maintain your privacy, how do you go about it?"
not truthfully responding to such questions
Nothing you do electronically is anonymous. I don't use the Internet, I don't make phone calls, and I don't do email. Ever. At all. I only pay cash (coins actually, because bills have serial numbers that can be tracked). And I certainly would never, ever, post anything online.
My private data does not leave my home network. I lack off site backups, but Google spies on all my email. I rarely bother with Tor, just enough to draw suspicion. Gee, maybe I should rethink some of this, but that sounds like work.
I think my issue here is the same as a lot of peoples: maintaining privacy requires you actually bother to do stuff. My categorical banning of all cookies, java script and browser plugins except for white lists is really the only effort I've put into my privacy.
I don't go around spamming private stuff on Facebook, but I still expose my reading habits to web servers, my ISP etc. I don't host my own sites, so I'm leaking lots of info about my users/readers to the hosts. I lack HTTPs support on most of my sites, so I'm leaking lots of stuff.
I've toyed with Tor hidden services (I made one), and bitcoin (I have some), but never actually done anything with them. I have a big interest in privacy, but generally I don't bother with it. Its kinda sad really.
We need better tools to make having privacy not be a sacrifice: it needs to be easy, and not lose you features, or even the people who care (like me) won't even bother. We are a long way from this, which in the purest sense isn't even actually possible (You have to lose some features if you have true privacy).
Most people I have talked with are angry, but don't know how to act against it.
I send everything to Snowden for safe-keeping.
Table-ized A.I.
I don't have anything the NSA is interested in.
The people that are likely to try to gain from violating my privacy are likely to spend 10 times more then they gain.
I'm less worried about the likes of the NSA, and more worried about criminal gangs getting hold of my data and using it to make my life a misery through identity theft.
Anyhow, the way these things work is:
- Either a very small percentage of people are seriously affected by breaches in privacy, in which case I don't need to worry too much about it, or
- A significantly large number of people are seriously affected, so that it becomes a political issue and there's a push to do something about it.
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
I think it's important to protect my privacy despite not having much they are interested in. I encrypt my harddrives, have my own domain with e-mail that I've set up with GnuPG on my workstation and laptop, I sometimes use the TOR bundle as well as a USB with Tails on it. The simplest thing is that I subscribe to https://www.privateinternetaccess.com/ to get proxy/VPN access to the net. Also, setting Firefox up with HTTPS everywhere, DNTPlus, NoScript etc. is important.
It doesn't take much to make their jobs harder. I use these things also for everyday items, it's not like I fire up PIA to "go dark and do evil stuff". I've plenty of friends that don't see the point of doing what I do when what I use it for isn't illegal, but privacy means privacy from prying eyes, I decide what I share with others.
For most of my personal communication I use the pidgin instant messaging client with the Off-The Record plugin for easy encrypted messaging on (nearly) any OS. The tough part is talking friends into using it as well. Of course, the NSA could still break into this stuff, but it would certainly waste their time and resources.
So you plan on never going to the doctor. Never getting a job. No girlfriend. Never walking down a city street. Never owning a car. Never renting or owning a place to live. Oh, and groceries...
About all you could do is head to the woods and live off the land, but not yours. ( Of course then you have the satellites to worry about.. ).
Good luck with that plan.
---- Booth was a patriot ----
The issue is you cannot protect your privacy directly from the NSA. They seem to have tapped communication between Google data centres, can request any information they wish from any company (Google, FB, your local ISB and phone provider, etc), so the only option is limiting the amount of data you provide. Interestingly I started taking the following steps even before the leaks simply because I became uncomfortable with the major corporations gathering my data and then changing their privacy policies at will. That's not how contracts are supposed to work, and disagreeing doesn't seem to have any effect. Once Snowden went public, my paranoia turned out to be justified.
In general terms, I do not share anything truly personal on a public forum. So on FB I never upload pictures, I do not share places I visit, and I do not provide a phone number. I just use it to set up events like Birthdays or nights out. I do not use twitter, foursquare, pinterest, instagram, myspace or whatever social fad of the day happens to be. It could be that in my early thirties I'm becoming a technology Luddite, but then I was never denied a job because my *insert questionable behavior here* is posted all over the net.
Google is a special case. I started using Gmail when getting invites was almost impossible, and Youtube when they were still independent. So giving up my Gmail account would be a VERY significant undertaking, especially since I couldn't come up with better alternatives (fast, supporting POP3, almost perfect uptime, and guaranteed not to shut down). But I never stay signed into Gmail outside checking my mail, I do not use G+, I stopped using YT while being logged in, and I search through DuckDuckGo. And if anyone can suggest a reliable email provider that is NOT Google, MS or Yahoo, I am all ears.
Getting to specific platforms, on a Windows 7 PC, I use Seamonkey with Adblock Plus and No Script. I also block all third party cookies. I'm also considering adding Ghostery to the mix. This takes care of most of the trackers, cookies, ads, etc. I have not used Linux on a desktop in years, and I am yet to touch Windows 8, so I can't comment there. I also never share my location, although it's pretty braindead to find out where my IP is located anyway.
On my smartphone, I run CyanogenMod without GApps, meaning no Google account, no PlayStore, no Google Maps, etc. You get the idea. Every single app on my phone is installed from F-Droid. I have a fully functional, OSS book reader (Cool Reader), browser (Firefox with Adblock Plus), map application (rmaps), email client (k-9). So my phone is fully functional for my needs without any connection to the Google servers. As before, I never share my location which on a smartphone does make a difference.
This is pretty much what I've done to avoid Big Data without using any functionality and giving up only a bit of convenience. Any suggestions for improvements are more than welcome.
Anything I care to keep private, I don't put on the internet. That's about it.
"First they came for the slanderers and i said nothing."
So you plan on never going to the doctor. Never getting a job. No girlfriend. Never walking down a city street. Never owning a car. Never renting or owning a place to live. Oh, and groceries...
Slashdotters don't do any of these things. Especially not the job or the girlfriend or leaving the basement.
That is the question I'd like to start with. Because I'd answer yes it is. I don't want my identity stolen, my economic future decided by whether my boss sees a photo a friend of a friend of mine posted 5 years ago to a social networking site I didn't join, or my emails to my ex-girlfriend read by anyone other than me or her. So if it is worth protecting, then when we realize "how can you protect your privacy" is really broken up into subdomains, and for many of those the answer is "right now you cannot", we have motivation to then ask "how can we change that?".
The main thing I do to protect my privacy is not to use "free" services, such as Gmail, Hotmail for personal email. I maintain my own server which has a mailserver installed. This means that no-one except me (and anyone who manages to break in) can just access my email.
I live in the Netherlands where ISPs are forced to keep "traffic records" of me. Because I'm an academic I get to use the academic ISP, which is not bound by that law, at least for Internet traffic. But having my own mailserver means that also my my email traffic is not monitored and can not be requested by the police. Furthermore, having your own mailserver and domain also makes it very easy to compartmentalise service subscriptions. Just make a new email address for each service.
I used to use Google Calendar, and Contacts but stopped with that since I discovered that OwnCloud is a really decent private drop-in replacement that you can host yourself.
I use many different privacy plugins (Ghostery, Adblock, etc.), while being aware that this makes my browser ID somewhat unique and identifiable. At least I'm making it harder for them.
Don't worry, it's all just 1's and 0's anyway...
It's been deemed acceptable to gather data on the entire population - though still illegal.
Proportionally, it's acceptable to gather data on everyone in any position of power. Though still illegal.
It's the only way to even the game.
Build your own energy sources from scratch. http://otherpower.com/
> And if anyone can suggest a reliable email provider that is NOT Google, MS or Yahoo, I am all ears. ========= Give these guys a try: https://www.fastmail.fm/
I don't use my real name on the internet. This is no small thing, because Facebook will throw you off their network for using a fake name, and while I find facebook to be ubelievably drab and awful, I suffer a penalty in relationships from not being on it, since nearly everybody I know has some kind of presense on Facebook, I'd rather not trust the NSA with my personal information, but since i am not a criminal, the potential negative consequences involved are finite. I could be harassed for my views, though they're not particularly extreme, or falsely accused of a crime, But there are a billion people on the internet, and they've got a billion agendas, and i know from experience that some of them can truly be evil motherfuckers. There's no sense in trying to measure or aniticipate what can happen, what they're going to individually decide or figure out. I'm probably safe. I'm a 55 year old male with not much money. Nobody's going to want to stalk me for anything, but I refuse to participate in this crazy experiment whereby we turn down the privacy settings for civilization, and see who thrives, and who gets hurt. Zuck you, Fuckerberg!
Worried about governments?
All data leaks eventually.
Your best bet is a thick layer of data that defines you as normal, therefore boring.
Worried about ID thieves?
Try to minimize the number of online retailers you do business with, or credit cards you have - but do keep at least one throwaway card it's really easy to just drop in case it's taken over, for transactions you don't quite trust.
Worried about purchases being tracked back to you? Use cash.
Basically it's not good enough to be worried about "privacy", the term is too all encompassing. Instead start to think about who exactly you are worried about getting what and minimize that risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
...at least in this day and age. The trick is to remember that any information that is recorded to any form of media, can be stolen, copied, or given away. If you want to maintain something in privacy, it can't leave your head. You can't write it down, or draw, or paint the idea. You can't make a tape of it or a video of it. You can't say it to your lover or spouse.
Of course that makes it incredibly difficult to act on what you maintain in privacy, but that is more of a problem of getting others to work with you in suport of that idea.
There is a presumption of privacy codified in law, however that presumption does not seem to be all that relavent to our current state of govornment or business, so you are pretty much stuck with what you can control. At the moment that's pretty much restricted to what's in your head.
No, I'm not much happy with that either.
You never know...
Everything Snowden released has shown that the NSA doesn't have magical ways to break modern encryption. They rely on strong-arming various organizations and hacking vulnerable systems.
Real men host their mail themselves.
Anti-Spam, anti-virus, blacklists, security updates, and dealing with shit when it goes wrong? ... and it only costs me a fiver to sign up for that grief?
Most real men have better things to do than administer a personal email server.
And to what end? When most of the personal email I get is from other people with gmail/hotmail/outlook/yahoo/or major ISP addresses... so the 'other half' of every conversation is just wide open anyway.
For most of us in that boat, we might as well just use gmail or whatever with imap and pgp or something with as many people as you can. (Makes the web client worthless... but if you can't read it on the web client, neither can google or anyone else.
Worried about someone finding your child-porn stash?
Don't store it with Google
Basically a lot of the answers to how to avoid "X" would be, don't store that with Google.
It's a rough question though as I have to say I'm OK with Google poking through Picasa in order to catch a real child molester.
Basically I've always assumed myself that anything marked "private" and uploaded to a server I do not control, means it is for my eyes only - plus the eyes of every admin on the system.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Give these guys a try: Your own dam server that you control.
faraday cage cell phone case
Just take the battery out. Physically remove it. Or if you want to be 110% sure don't carry a phone at all, it's not like it's law that you have to carry one.
Don't use windows. Even if you don't believe the NSA backdoored windows the NSA do get every bug alert long before anyone else does. They also have no problem using script kiddie tactics.
Using windows is like storing your data in a transparent bag in full view of the world.
I use Seamonkey with Adblock Plus and No Script. I also block all third party cookies. I'm also considering adding Ghostery to the mix. This takes care of most of the trackers, cookies, ads, etc.
Not Ghostery -- it has a dubious mission and works by parsing lists that are growing longer by the week. Try the Request Policy extension for Firefox. Request Policy is simpler. It blocks off-site requests and shows you a list of what each site is requesting. You'll learn just how much tracking is happening and you may begin to avoid sites that you used to trust.
The latest Firefox has a "click to play" feature. Type "about:config" and search for "click_".
I have not used Linux on a desktop in years, and I am yet to touch Windows 8, so I can't comment there.
I prefer Linux on my desktop in every way. Just don't buy Nvidia and Broadcom hardware. Linux provides the tools that show exactly what your computer is doing. Debian 7 is excellent.
Windows 8, like ChromeOS, ties your computer to an e-mail account. Stay away.
Rich And Stupid is not so bad as Working For Rich And Stupid.
Here's the thing:
There are two levels of private here. There's keeping things private from potential employers, friends, family, associates and so on and there's keeping things private from the NSA, GCHQ, Chinese Government and so on. The average guy or girl has absolutely no hope of keeping their online dealings private from the latter. From the former, you don't so much keep them private as be a bit circumspect when making use of the internet, your mobile phone and so on.
So far over the last 10 years I've had 1 credit card attempted theft (tried to transfer £4,000 out of it, bank caught it as "suspect" so it didn't happen) and I've had 2 email accounts hacked and used to send spam. Of the latter, the problem was weak passwords. I now have a "system" for passwords and none are weak, but that doesn't mean the NSA and GCHQ can't still read them. I have no intention of fighting a room full of Mathematics PhDs for my data.
Even if you get the NSA to stop doing this through political action, the Chinese, Russians and so on will still be doing it.
I use a very customized m0n0wall running on some older hardware I had laying around. Multiple VPN connections and the biggest factor of all I am not on Facebook blabbing about the mondane details of my everyday life.
Chris Sheppard
Here's some nice tips which won't ultimately solve the problem but which will greatly improve your privacy.
1) Use common sense. Try to imagine which routes your data will take and which providers will it meet. Will those parties snoop on your data (datamining or wiretapping)? What kind of privacy policies do they have?
2) Use encryption in as many places as you can. HTTPS and IMAPS are good start.
3) Do not put important data into services provided by Google, Facebook or other datamining companies. If possible, switch your e-mail account from GMail to your home country ISP or other locally produced service.
4) Consider using Tor for crucial communications. If you need maximum safety, do not send your message through Internet and all.
5) If you need maximum safety, use an open source operating system. For example, NSA may have talked in backdoors to Windows and OSX.
I can't find DNTPlus.
I found something similar-sounding on addons.mozilla.org, called DoNotTrackMe, but it's proprietary software so there's no way I'd trust it with my privacy.
(I'm also looking for a free software alternative to Ghostery if anyone has suggestions.)
Expert in software patents or patent law? Contribute to the ESP wiki!
The government snooping around doesn't bother me all that much, as while it might be a waste of money, it really doesn't affect me. It's just dead data sitting around on some NSA server. There is more interesting stuff to read then my email. What I am bothered by is the leaking of private data that happens all over the place, things like the people you follow on Twitter or Youtube being publicly visible information. Why exactly does every modern social webpage treat what are essentially bookmarks as public information and publishes it to the world? Why is everybody just accepting that and not complaining about? You can't even switch it off most of the time. I find that incredible annoying and avoid any service that does that when I can. I don't have much of a problem with my information being out there, but at the very least a service should make it very clear what kind of information is public and what is private and modern services don't really do that.
Another thing I have a real issue with is the starting pervasiveness of requiring real life authentication to log into a webpages. Mobile phone numbers started as just a way to get your password back, but now quite a few webpages are requiring them and Google+ and Facebook have their real name requirements. Furthermore there are more and more webpages that only allow you to access them via your Facebook or Twitter login, not via a webpage specific account. So once Facebook or Google switching on the requirement for a mobile phone number or real name and enforce that, that means your real life identity is linked to a ton of a webpages and you can't stop that from happening unless you completely avoid that webpage, as even Tor doesn't give you a free anonymous mobile phone number.
My idea of privacy is closing the window whenever I watch porn. I don't want to deal with my neighbors complaining to me about having to listen to loud screaming creampies. I don't give a fuck that the Illuminati looks at my browsing history, it doesn't bother me in the slightest.
There are no pictures of me on the internet. Or, if there are, I have been unable to find them. You can't tag what doesn't exist.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
It is just why I always insist that any so-called Crypto Phone Program is basically worthless since any of them does nothing to hide a FACT of communication between specific persons. The 3-letter agencies need not know the conversation itself since they can always torture it out of your correspondent.
Now, I see some developments in this direction but all of them are quite far from fruition since every really anonymous protocol is by definition slow.
Yet.
I don't have anything the NSA is interested in.
It's correctable. Just ask your congressman to make your everyday activity punishable. Here in Russia I read about 3 reports per day about people punished due to use of social networks to publish dissent with official national policy.
Very nice in theory, but having administered an Internet-facing mail system myself that quickly becomes a real pain in the butt. It's not as simple as slapping together Postfix and Cyrus IMAP or whatever and setting up your DNS records. Administering an Internet-facing mail system can very quickly become a full-time job if you want the mail system to be anything approximating usable. Spammers will see to that.
Since it isn't obvious, there are two ways that VPNs help:
(1) They mix your traffic in with everybody else using the same proxy -
Once upon a time when the trees were green I logged to some VPN. Then I found the output proxy address of this VPN and entered
$ ssh this_address
- and logged into my own system. It means that this specific proxy does NOT mix any traffic. And BTW I don't fear NSA which supervises this VPN, I fear only The Party. And also if you think that The Party cannot separate your traffic from the mix - you are wrong.
You should take it on yourself to educate them. Tell them about cheap VPN services and how easy they are to set up. I even give people cheap flash drives I bought of eBay and loaded with a portable version of the Tor browser bundle. I'm trying to figure out if a portable VM with Tails is possible.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
If you believe that anti-virus and security updates are really needed then you possibly believe that the program should have .exe extension to be executable. Throw away this belief. After this your only problem will be spam. And it's quite easy to fight. You just tell your important correspondents to include some keyword to header and tune your mail client to mark it as NOT SPAM. Every other mail is sorted by built-in spam filter of your client.
I have a job and two girlfriends (one three year relationship one four year relationship - both still going strong).
I hope they don't find out about each other.
No left turn unstoned.
Security by obscurity is never a good thing. Basically, if you think that your door will never be kicked down because THEY don't know about your belongings - you are wrong. Your door should never be kicked down because it's strong enough. And while they kick you should have enough time either to shoot or to exfiltrate.
You live in your cardboard and sheetrock cabins - and think it's normal. The normal building is at least wooden one where you need a chainsaw to enter. Here in Russia the Police needs about a hour and a grinding machine to enter an apartment against owner's will.
Your best bet is a thick layer of data that defines you as normal, therefore boring.
You don't live in a country where normal is punishable.
Three things:
- I am making an effort - both privately, and for the companies I consult with, to move away from US-based services. This is a long-term strategy, as changing company infrastructure can take time.
- Encrypt everything. It take a bit of work, but you can set up encryption so that it is transparent to the casual user. Just as an example, with EncFS you can automatically and transparently encrypt data you store in the cloud. The user sees the unencrypted version, but the encrypted version is synchronized with the cloud.
- Teach people about password managers like KeePass. Get people to use long, cryptographically difficult passwords. Bonus points: copy-paste out of a password manager eliminates over-the-shoulder observation, keyloggers, passwords written on post-its, etc.
Enjoy life! This is not a dress rehearsal.
Come on, you're asking the wrong question!
The sun doesn't revolve around you or me.
Those here who answer "I don't care" are halfway right.
None of us will be betrayed by Google or Amazon - that's bad business.
NSA won't post your private stuff or steal your money - they just want to do their job, damn the consequences.
However, after the next economic depression and mass unemployment, or after the next great war,
when we elect our Führers, or support revolutions ending in a totalitarian states,
they will find it convenient that our governments have built the infrastructure for their tyranny.
To answer the question that your should have asked:
* Voice your opinion.
* Support EFF https://www.eff.org/action and similar organisations.
* Contact your representative.
* Vote with your head and your heart - not your wallet.
No sig to see here. Move along.
1. Fill your ISP logs with TrackMeNot http://cs.nyu.edu/trackmenot/ .. how many millions is been created/printed and spent on overtime and "cleared" contractors per person
2. Know the US brands that willingly and knowingly helped the NSA and run any different OS/file systems.
3. Learn to think like a protester in 1980's Eastern Europe. Just keep been political active and know its all been filed, linked, watched, tracked, logged.....
Voice print, face scanning, OS, telco, ISP, cell tower tracking
4. Pay for other brands that are more privacy aware.
Domestic spying is now "Benign Information Gathering"
Exactly. If a state actor is interested in you, they'll target and exploit you no matter what you do. If they're not intested in you, you don't need to worry. 99.999% of people are in the latter group.
My current solution is: - NAS (QNAP) at home with various apps - Exposure towards the internet is SSH, VPN and https (with self-signed certificate) The only weakness in this scheme is possible flaws in SSH, OpenVPN or SSL. Ignoring those, whatever I do remotely on my NAS is for my eyes only. Accessed through either my smartphone (n900) or debian based linux systems.
What do you 'muricans plan to do about the problem? Why are you already not starting a revolution to turn down NSA?
I just can't be bothered. I try to maintain some sort of security w.r.t my accounts, but int he end, there's no stopping the avalanche. I've given up. They already have all my data.
Move sig!
We've seen a lot of this propaganda in the past years and I refuse to believe it. What I mean is the attempt to spread a meme that says "post-privacy" or "privacy is done for anyways".
Look who the proponents of this meme are. Always, always the people who want it to be the case - Zuckerberg, government spy units, advertisers.
No, the battle isn't over while one side still fights. And there is quite a lot you can do to maintain your privacy. And like everywhere, there's a law of diminishing returns, which means the first steps, that bring you a ton of privacy back, are really, really easy.
Step No. 1: Don't post all your life to Facebook, Instagram and Twitter. Security researchers have demonstrated years ago how from that data alone they can create extensive profiles on you, including movement data that police would need a search warrent for your mobile provider for.
Step No. 2: Keep your secrets secret. If you want to share them with someone because you just have to talk with someone about the guy you murdered last week, or the hot chick you cheated on your wife with last month, or how you really hate your grandma even though you always play nice at the family events because she's rich - or whatever is on your conscious, do it in person, face-to-face only.
And that's about it. 80% of your privacy restored right there.
Whine about the NSA all you want, but if I can reconstruct where and with whom you have been with at what time on which day from your social media data, the biggest threat to your privacy is yourself.
Assorted stuff I do sometimes: Lemuria.org
Use multiple vendors located in multiple countries. I use Google translate, which reports to the NSA. My e-mail is Yandex, which is in Moscow and reports to the KGB. The NSA and the KGB don't talk to each other. I can use a search engine in Europe which does not talk to either. Bejing is my next market to shop at; what does China offer in the way of Internet services? Everywhere you go there will be someone watching you, but if you travel around it is different watchers. The Internet is GLOBAL - spread your business among many vendors all over the world and no one knows all about you.
I think even the Nvidia and Broadcom problem isn't so bad these days, I haven't had any trouble with their hardware in the last few years.
"When information is power, privacy is freedom" - Jah-Wren Ryel
You said "And if anyone can suggest a reliable email provider that is NOT Google, MS or Yahoo, I am all ears.". Look into Yandex (www.yandex.com). It's located in Moscow. I have been using it for a year now. It seems reliable to me. And the most important thing to me is that Yandex does ***NOT*** report to the NSA.
Tell them about cheap VPN services and how easy they are to set up. I even give people cheap flash drives I bought of eBay and loaded with a portable version of the Tor browser bundle.
By buying something off of eBay, you exposed more information then you could possibly hope to protect via a VPN and Tor.
I don't respond to AC's.
So you teach them that it is ok to accept flash drives from others. Great.
Don't fight for your country, if your country does not fight for you.
You live two lives. One is an ordinary, boring life that you don't mind the NSA finding out about. The other is as secretive as possible. No using credit cards. Nothing that requires ID. No flying, no buying alcohol.
One obvious problem with this is withdrawing cash. You have your public life, and the NSA sees you going to an ATM and grabbing $450, then it sees a transaction for $447 with an unknown person -- that's evidence linking your private identity to your public one. This is ameliorated if your public identity has a habit of withdrawing extra cash and a means of disposing of extra cash in a publicly acceptable way, like giving it to beggars, but it's still present. If your private identity has an income, though, and that income is sufficient for its expenses, then you can have wholly separate finances for both, which severs that link entirely.
A weaker link is one of location over time. Let's say the NSA can plot your public identity's location over time using things like bus pass usage, credit cards, phone calls, and security cameras with facial recognition, and they can plot your private identity's location over time using phone calls and security cameras. Eventually they'll realize that your private and public identities are occasionally colocated, or that whenever your public identity is in use your private has gone dark and vice versa.
Of course, that only matters if it's worse for you if the NSA has linked your public and private lives than if they merely have the ability to detain you during the course of your private affairs.
On Slashdot, I never post except as "Anonymous Coward". As you can see from the examples above, that prevents anyone from attributing my many contradictory, inane, and often foul opinions to my real pseudonym.
I keep the battery out of my mobile phone when I'm not using it, which is 99% of the time. Apparently I am lucky to have a phone which makes it easy to do this. Various court releases, leaks, research papers and other publications suggest that mobile phones can easily be updated remotely by carriers (and maybe adversaries) to act as listening devices on command, which is why I do this.
I also use multiple web browsers for different purposes (e.g. one for normal web browsing when I don't reveal my identity, another for a few logins, etc.), use Tor, avoid using "cloud computing", use only free (-as in freedom) software, use encryption where possible, keep up to date with security updates, encrypt traffic in my local network (I don't trust my D-Link router very much), etc.
...
Right, because they don't know about exploits for other OSes long before the developers do ... I mean, its not like they would watch the same shady back channels for Linux exploits as they do for Windows exploits ... oh, and Linux of course is universally immune to all attack vectors, past present and future because OMGBBQSOURCE.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
And the most important thing to me is that Yandex does ***NOT*** report to the NSA.
How do you know?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Wow. At first you've got two strong-going long-term relationships, 109 minutes later you've married and dumped both.
What a day!
CLI paste? paste.pr0.tips!
faraday cage cell phone case
Just take the battery out. Physically remove it. Or if you want to be 110% sure don't carry a phone at all, it's not like it's law that you have to carry one.
Try removing the battery from an iPhone.
One is an ordinary, boring life that you don't mind the NSA finding out about.
Perhaps, but they still collect the data, and store it away for later.
---- Booth was a patriot ----
But pizza delivery will get them every time.
---- Booth was a patriot ----
Won't happen or it'd be illegal to forget to charge it or forget it at home. Assuming you want or need to be carrying it around most of the time it's more effective as a screening device, if you are going to a clandestine meeting and five others also happen to have their cell phones go dark at the same time that's a pattern, particularly if it repeats itself. If you're normally online it's probably better to leave it turned on at home, in which case they'd need to look for secondary clues you aren't actually there like number plate readers, CCTV, paying with plastic, facebook tagging, missed calls or collaborating data that you are there like power usage, internet traffic or whatever and start building statistics on how often you are where you appear to be.
I'm not in the cloak-and-dagger business but I have worked on risk assessments on whether you can dig out of personal information out of statistical information and you need to be very careful on how you do that, subtracting a baseline often reveals a surprising amount about the rest. Like say you have a small town with 1000 people and you put in lots of safeguards if the numbers drop to <5 individuals. But if you can get numbers for New York + small town - that will all be big, then subtract New York you'll find that 102-100 = 2 people in that small town belong in that category. Imagine you started combining cell phone data with other data, okay there's your tax records on your work so that's you going to and from work. We have birth and marriage certificates on file, so that's you visiting relatives. That's a friend on Facebook, old classmate.
And then there's something "left over", which is where you can start putting in the effort. Of course you can avoid that by meeting in public where there's lots of people, but you probably wouldn't want to hold a very private conversation nobody should hear there either. And if you keep your cell phones on because you are in public anyway, you can do clustering to find that the same people are meeting in the same place despite there being many other random signals there as well. Give people enough seemingly innocent data and they will dig up something you thought wasn't in there, I'm sure of it. At least I've seen people underestimate it time and time again, only to have to demonstrate it.
Live today, because you never know what tomorrow brings
I don't post to internet fora. Not even under a pseudonym. If they know me well enough, they can figure out who I am from my alias. Oh. oops.
soylentnews.org
A few commenters have suggested that they have nothing to worry about because they let no "sensitive" information out onto the web.
Sorry to break it to you, but the world is not fair. People are sometimes framed or kangaroo-ed into apearing guilty of something when they are clearly not (I have had it happen). Sometimes, various authorities need to catch someone to hang blame upon for some crime. I've even heard cops tell a public defender, "We know he didn't do it, but we know he's a bad kid, so we got him."
Also, numerous (unregulated) consumer-monitoring agencies scrape up everything from public databases, buy lists from shops, service providers, your bank, your phone company, your credit card company, and your grocery "club card," sold subscriber lists, and so on. All of this data is correlated based on a few unique or semi-unique identifiers such as full name, SSN, phone number, credit card transaction number (it's illegal to track by CC #, but they get around this.), bank and account's last-four digits, addresses, and so on. This approach does produce some viable correlations, but typically yields "profiles" that are rife with errors.
HR departments use reports from these aggregators as if they were 100% accurate. There is no law in place that will allow you to opt out, to see their entire file on you, or to correct errors. There are anecdotes of people searching months for a job, only to find out at some point from an interviewer that, "you have XXXXX crime in your profile," even if you don't have a record. I once had collection agencies coming after me from Time-Warner Cable for bills on a Texas account — I have never lived in Texas, but the burden of proof was on me.
Despite what the aggregators would have everyone think, names are not unique. Phone numbers are not unique, as they are recycled. Email addresses are often not unique, as they are recycled.
Like it or not, there are many profiles on you that are beyond your access, and the law has not yet caught up with these practices.
Happy privacy!
I have two states of privacy:
1. Never leaves a machine that is never used to browse the internet, and
2. Public
I simply assume that any "privacy controls" on websites are useless and treat them as public postings, disabling most of the security along the way. Just like good ole' slashdot posts.
I do not fail; I succeed at finding out what does not work.
It's true enough that the world doesn't revolve around you or me. "Government" is a lovely, abstract concept. The problem is: governments are made up of people. Individual people who can make mistakes or take deliberately evil actions. Like spying on ex-lovers, harassing disliked colleagues, or causing problems for companies that they don't like.
The NSA overreach means that tens of thousands of people have access to data that should never have been collected. Can you be sure that you, your family and your friends - that no one you care about has ever pissed off any of those tens of thousands of people? That no one you care about ever will?
It's bad enough that the government has access to this data, which might be misused officially. However, the real problems arise from the fact that the data exists: it can, will and already has been misused by individuals.
Enjoy life! This is not a dress rehearsal.
How do you solve the tagging problem? Your friends get on FB, someone posts a photo of you, that person or someone else tags it with your name and possibly other info. How do you keep your friends from adding you to the FB collective?
Wear a burqa. It's a remarkably effective technology invented by Muslims ages ago!
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Your personal information is accessible.
Nice try, NSA.
False positives is one problem. Do you want to have your life ruined by a database error caused by a PFY in a spook data centre?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
In Iran your'e ok untill they cannot read your fucking network traffic, since that moment you are under 24/7/365 surveillance.
And As you can guess that ship has sank for me, So I have my own way of doing it now, which can be basically summerized like this:
Use different airgapped computers with different keyboard layouts(as in dvorak, qwerty), different monitors, different OSs(linux, BSD, haiku), different CPU architectures(mips, arm, x86), different browsers(yes, it includes lynx) with different ISPs for differnt identities and use different encryption suits with different tunnels and or VPNs with servers in different counteries.
I know It's hard, but once you live in Iran you get used to it.
Hell I'm gonna change my coding and writing style on different PCs now.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Mne chto, pokryt' tebya russkim matom, chtoby ubedit' v obratnom? I know about LG Smart TV. I simply don't watch TV since there is pro-Putin propaganda and stupid serials specially crafted to make Putin's electorate more controllable. The only satisfactory channel is "Kultura".
Soviet anecdote: Pet'ka comes to Chapaev (Chapaev was a famous Red commander during Civil war and a hero of lots of anecdotes).
Chapaev: Pet'ka, why haven't you ironed your uniform?
Pet'ka: This morning I turned on my radio and could receive nothing except translation of XXV Congress of Communist Party of the Soviet Union. I tried a TV and there was the Congress too. And I was afraid to turn on an iron.
Hope you understand how we Russians love a TV.
And the last. THEY will NOT monitor what I watch. If everything goes OK and our TV becomes at least as good as during Soviet era, with education programs, good cartoons for children a.s.o., I would watch it with DVB-2 receiver which never reports anything. If not, I'll watch P2P downloads which shall be untraceable due to efforts of your *AA to suppress everything traceable. Really, they are untraceable already.
I have a bot which goes into the various nasty parts of the web and grabs whatever's available, but erases it before it has a chance to make it into persistent storage. The NSA may think I'm a perv, but they'll never figure out which kind of perv.
I always log out and post anonymously.
Doh!...
I can't control what providers do with my data. If my dentist sells my information to a marketing firm, and then that gets sold to someone looking at setting up new id's for people, I don't have much control over that. I also don't have a lot of control over how my phone can be used to track me (which is why I use it a lot less, and am going to be installing CyanogenMod to reduce that control footprint).
What I can do are two things- put as much of my information under my direct control as possible, and make it easier for myself and others to continue doing so.
I'm still migrating off of Google services. I didn't realize just how much they have taken over so many aspects of "making things easy". Looking back on it, it was naive to put things there, but at the time there really weren't any affordable services that offered me what I needed. If anything, the only reason I used Google for free was because there wasn't anything low cost and reliable that I could have used instead. That included self-hosting. And it wouldn't have mattered if I had everything in another cloud or vps, because it still would have been a US based service, and that means it would still have to migrate to a server in my home or on a vps in someplace like Switzerland. The end goal is to get everything important being served out of my home off of equipment that I have secured and verified, and to stop using external services (even the ones in places like Switzerland, because laws can and do change). I'm also no longer sharing services that I do host on my own, because I do not want to be considered an ISP for the purposes of receiving something like an NSL.
The second thing is what is causing me to do this slowly. I'm critically looking at all the things that I need to do and use, and what I am finding to be really important and what isn't. I'm keeping track of my time in setting all of this up, and figuring out what is a time sink and what isn't. Going forward, I'm developing my own installation packages under my favorite OS to streamline my effort to make the hard things I've had to do easy for other people, and at some point I will probably contact a hardware shop that deals in small production runs of ARM microsystems and have a platform put together so I can make it easy for people just to "plug and play" darknet services. And, more importantly, I'm helping anyone out who is doing the same in whatever small ways that I can. It is one thing to tap the communications of most Americans and others in the world by working with willing partners (Google, MSoft, Apple, etc), it is quite another to try to monitor millions of systems that all have major differences and none of which are going to be open to cooperation.
What are the reasons we want privacy?
http://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
"If any question why we died, Tell them because our fathers lied."
I create a different email address for every web site I sign up to, and use different passwords and usernames. I have a Facebook account under my real name, but I post false information, false updates, and false photos by morphing four faces together and photoshopping it into the image. It's very easy to get those four faces at various angles because they are pictures of people in my extended family. My Facebook friends are all random people that accepted me for some reason. I clear my browser and use a different user agent for each of the sites I visit. Any other browsing is done in a private mode in a different browser on a per site basis and I rotate the browser, and this is in a VM that I refresh every day with a backup image. I also force https. I have two different VPN services I use based on the sites I want to visit.
Twinstiq, game news
I think you just described the uni bomber. Ted headed for the woods and gave up pretty much all normal modes of life. And the man was a genius with just a couple of surprising quirks.
There is opportunity in all things. When snoops gather information about you they also have the problem that they just might gather false information about you. That boomerang may be used in endless ways. Can you imagine a divorce in which a wife starts ranting to a judge that you have a doctorate in high energy chemistry from Georgia Tech. and refuse to take a job in your field that is super high paying to support your family under oath when in fact you have never spent a day at Georgia Tech.? In short by having people declare falsely you can destroy their credibility and you just might open them up to a devastating law suit.
Everything I do online is based on a fake alias. airgapped from my real life. yes even my cellphone and internet is via a fake alias I pay for a second internet line to a neighbors house, then I ran my own wires back to mine buried. I asked for no paper billing and it's set to an automatic credit card payment.
Works great.
Do not look at laser with remaining good eye.
Yes but then again, the more you lie, the more you have to remember. It's better to say nothing than tangle yourself up in all of that.
That isn't teaching them anything, because they already would accept them by definition. Also, there's probably much more benefit from being given a flash drive with TOR than being taught not to accept flash drives for multiple reasons (the latter doesn't happen too often, flash drive with program seems much more appealing than a lecture, etc).
I think you're making some assumptions about Google that aren't true. Yes, it does appear that the NSA tapped data center connections, but Google has responded by strongly encrypting all of those. And the "they can get anything by asking" notion isn't as true as it appears. Yes, they can, but only if they go through proper channels and issue a narrow and specific request. More importantly, the numbers Google publishes show that such requests are issued for data only about a very tiny percentage of the user base.
And if anyone can suggest a reliable email provider that is NOT Google, MS or Yahoo, I am all ears.
Whatever other provider you use is going to be subject to the same legal requirements to comply with warrants, subpoenas and National Security Letters -- and odds are that they won't do as good a job with securing your data as Google does.
Anyway, I'm not criticizing your decisions, just pointing out that a portion of your rationale may not be factually correct. Personally, I don't have any concerns about Google handling my personal information, but I'm a Google employee so I have a little better visibility into exactly what the risks are and are not. To be completely honest, I also don't worry about it much because I don't have anything to hide... not that I think people shouldn't have anything to hide. It's just that I personally don't. And, yes, I understand that things can change, but if things change so that something I do "needs" to be hidden, I'd rather stand up and fight than hide. But that's just me. YMMV.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
It's really not a fuckload of work. It's a load of work to set it up and very little ongoing work to keep it updated.
It's really not for everyone but this is slashdot isn't it?
I've done it for many years, it's not so hard. Spamassassin + greylisting + spamhaus DNSBL + SPF checking keep the spam down to a very small amount. The little spam I do get is tagged and filtered into a separate folder. You do need a lot to different anti-spam measures but once they are set-up they keep on working.
Linux has some security issues from time to time and isn't perfect. But Windows has a very bad security history and it's a known fact that the NSA are advised of every security issue MS know about before any other MS customers. The NSA tried to get backdoors in Linux and failed, do you think they failed with closed source windows? Unlikely.
If Linux isn't secure enough for you then you might like OpenBSD.
You live two lives. One is an ordinary, boring life that
...has a future....
The cesspool just got a check and balance.
Game's still not even. They can rendition you, beat you silly with a pipe wrench, waterboard you, electrify your genitals, etc. You may not return from this little exercise, either. If they don't want to go to that much effort, they can simply charge you with any one of a huge variety of crimes you may or may not have committed, and then use jail (or release from jail) as leverage to ensure you go back to behaving in such a manner as pleases them, in the process ruining you financially almost as an afterthought.
It's all about power. They have it. Oodles and oodles of it. You don't have any. As long as that situation remains stable, you can't fix this.
I've fallen off your lawn, and I can't get up.
a hammer and chisel will take care of that. or a hacksaw.
If Linux isn't secure enough for you then you might like OpenBSD.
A hypervisor-based OS is much more robust than any BSD by itself; Serious people don't rely on traditional kernel-based security anymore.
You need to use VMs to reduce the attack surface as much as possible, and IMHO there is no better VM configuration than Qubes OS which is the most secure desktop out there. Actually, its designed to go beyond what most VM configurations will do for security by running the display and IP stacks in special VMs, for instance, and you can even use it to assign hardware devices to specific user-defined VMs.
The downside is that you end up separating your data into different domains (having varying levels of trust), but that's not so different from using jails. The upside is that you can run most Linux and Windows apps.
So my overall advice is to run I2P on top of Qubes if you value privacy.
Using I2P obviates 1-4 in that it keeps everything encrypted end-to-end and mixes your packets with traffic from many other people (this also addresses #6 from StripedCow). Its the P2P twist on Tor-- everyone routes packets thus contributing to bandwidth and overall privacy. Make Google and your ISP irrelevant with respect to your data.
For the general populace today, your list just looks like a convoluted mess (and there is no common sense when it comes to IT... we only see the tip of the internal system iceberg at any given moment). Online privacy can't be done piecemeal, one security scheme per application; that's just a disincentive to follow through and actually use it.
As for a secure open source system, see my tagline. Qubes is hypervisor-based and enforces security to an extent that I've never seen in other desktops.
Thanks. I've made a page on the libreplanet.org wiki and added Disconnect:
http://libreplanet.org/wiki/Privacy_addons_for_web_browsers
And I've emailed the gnuzilla folks asking them to add it to their list of free addons:
https://www.gnu.org/software/gnuzilla/addons.html
Expert in software patents or patent law? Contribute to the ESP wiki!
You're a good shill. I am sure you are aware of this. Google does actively report to law enforcement.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Actually, I wasn't aware of that, and it disturbs me.
I want to know if the photos were shared publicly. If so, then I have no problem with this, just as I have no problem with Google telling law enforcement (or, actually, the National Center for Missing and Exploited Children, which is who actually informed law enforcement) about kiddie porn web sites the Google spider finds while crawling the web. I see no reason why the same logic shouldn't be applied to public postings on Picasa, Google+, etc.
But if the photos were merely stored in a private account, though, I think that's a different story. If that was the case here, then I think Google did cross line, and should stop, and I think lots of other Googlers will agree. I'll raise this question at TGIF* next week (no meeting this week due to the holidays), assuming someone else doesn't (which someone almost certainly will). Thanks.
(*TGIF is a weekly company-wide meeting which includes a 15-20 minute Q&A where anyone can put any question to Larry Page.)
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I don't think you can do much about the NSA, or what companies like Google or Facebook know about you. However, when it comes to your friends, family, employers, etc. there is plenty you can do. For one thing, it is not necessary to articulate every thought you have. Mark Twain's advice applies more than ever, "It is better to remain silent and be thought a fool than to open one's mouth and remove all doubt." I am surprised at what some people post on Facebook. Even friends who are intelligent, mild-mannered people could come off as complete nut jobs based on some of the things they post or pass along. It's madness. Even if you feel strongly about something, it is often better to just STFU about it, rather than proclaim it to all the world.
Proverbs 21:19
That's funny and creative but not really on-topic.
Shall I just tell under which rock my house key is hidden?
I use them myself.
However, they have one big drawback: servers on US soil.
Yet Another Information Security Professional, working in a sensitive information startup.
Of course, a lot of these have been in use long before the NSA revelations...
A few of my personal tools and our corporate-used tools:
All OSX shop configured with strict firewall, fileVault, and openVPN,
Browser plugins to block ads (adBlock Plus), scripts/flash (NoScript), popups (Adblock Plus Pop-up Addon), trackers (Ghostery), and enforce HTTPS (HTTPS-Everywhere).
GPG Tools for encrypting individual files / emails - https://gpgtools.org/
OTR for secure messaging (use Adium which has OTR support off the shelf) https://otr.cypherpunks.ca/
Silent Circle for encrypted voice and text - https://silentcircle.com/
Personal VPN for traffic encryption for browsing outside of corporate purposes, e.g. one of these:
https://www.bestvpn.com/blog/4809/best-vpn-service-top-10/
note that several offer payment methods that are anonymous, e.g. gift cards purchased with cash, i.e. http://www.paygarden.com/
Obligitory Schneier:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
---------
There is no try at jedinite.com
Thanks, that is hugely reassuring that it disturbs some employee(s) of Google. Hope you are listened to at the TGIF.
I do realize that it is less of an issue if it was a public post. I don't particularly share your enthusiasm to report victimless crimes. But I guess I don't have a leg to stand on, as lots of countries have severe laws against victimless crimes, including mine.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Thanks, that is hugely reassuring that it disturbs some employee(s) of Google. Hope you are listened to at the TGIF.
I do realize that it is less of an issue if it was a public post. I don't particularly share your enthusiasm to report victimless crimes. But I guess I don't have a leg to stand on, as lots of countries have severe laws against victimless crimes, including mine.
Child pornography is not a victimless crime. Perhaps sharing the pictures is, once it's made, but the making is definitely not victimless. And shutting down the sharing reduces the incentive to make it -- even better, in the process of shutting it down it may be possible to track it back to the source.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Google has any chance to only report the victimless part of the crime.
Bingo Dictionary - Pragmatist, n. A myopic idealist.