Snowden's Tough Advice For Guarding Privacy

While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice: He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.

Text messages

I send text messages to "myself" for fun. Keeps my crew on their toes.

No Google

Living without google would be hard. A lot of people use it for some app like gmail or playstore.

Re:No Google

Indeed. While I see value in Snowden's tips, many of them make life quite clunky. To go with a car analogy, it would be like having to constantly avoid highways and grinding your way through crumbly outback routes.

Re:No Google

[Noah+Haders]

Search: duckduckgo
Email: numerous options
App Store: isn't a benefit of android that there can be many app stores? Alternatively, use iOS.

It's not that hard to get away from goog (or fb, for that matter).

Re:No Google

[whereiswaldo]

Google analytics and ads are everywhere so even if you don't directly use their services like Search and GMail, you are still being tracked by them.
Also, your browser sends referrer headers which tells whatever site you're visiting where you came from. Your browser + browser plugin profile can be used to narrow down who you are even behind Tor. Browser plugins like Adobe Flash save their own set of cookies separate from regular browser cookies.
If you use the Internet, you're being tracked. You may be able to help yourself be tracked _less_ by taking some precautions, but that's about it, I think, for the average person.
I used FB for years before finally closing my account down. No doubt that data will stay in their system forever. Like a drug, better to not start at all than to have to quit.
Basically it boils down to: law enforcement are going to do what they're going to do. I know I'm being tracked, I try and keep my nose clean, and whatever happens happens. I'm not going to live my life all paranoid.

Re:No Google

[Famak1994]

Apple isn't any better than google. But at least with android devices you have the option of installing custom roms some of which improve both security and performance.

Re:No Google

[Noah+Haders]

Apple isn't any better than google.

[citation needed].

1) All iOS devices are encrypted such that even Apple can't access.
2) After #Celebgate apple rolled out 2 factor authentication throughout the OS and services.
3) iMessages and Facetime are encrypted end-to-end, so even apple can't access them when they're on the server.
4) apple's business model is not to spy on their users in order to make more money from them.
5) if you look through all the NSA leaks and all the hacker actions, none of them have been able to penetrate a iOS device that is not jailbroken.

Re:No Google

[Famak1994]

Well, that"s why you use throwaway identities: http://www.fakenamegenerator.c... It may not be 100% foolproof, but it certainly makes it harder for others to build an exact profile of you. Most especially use something like Lastpass to import 3000 generated identities that you can randomly pick from to auto fill forms.

Re:No Google

[Famak1994]

Neither are more secure than the other and that's a fact and will always remain a fact so long as humans are using these devices. Nevertheless, everything you've listed is also available on android devices so I fail to see what point you're trying to make?

Re:No Google

[Noah+Haders]

that's actually a really cool site, thanks for this. the user sets his his name set. the name sets are what you expect: american, hispanic, german, etc. but they also have hobbit. My new name is Tomburän Mugwort.

Re:No Google

[ArmoredDragon]

Try startpage.com. It uses results from Google, but isn't Google. As far as I can determine, they don't log anything you do.

It also happens to be the default search engine of the Tor browser, which should say something as it goes way out of the way to make sure your activity is completely anonymous.

Re:No Google

[tqk]

... it would be like having to constantly avoid highways and grinding your way through crumbly outback routes.

Really? Other than youtube, I don't think I've bothered with google in years. ixquick is a reasonable search engine (and there are others as good). It even has a google gateway, and it's https. mail.com (among others) offer free email.

Other than the wonderful feature of NSA slurping everything you do, what's google really do for you?

I've nothing really against google. I just prefer not to go that way.

Re:No Google

[Noah+Haders]

Neither are more secure than the other and that's a fact and will always remain a fact so long as humans are using these devices.

I agree, in a sense if a human is in the equation then there's always going to be an element of insecurity. But one choice can still be more secure than the other.

Nevertheless, everything you've listed is also available on android devices so I fail to see what point you're trying to make?

Now you're just trolling. Of the five things I listed, number 2 -- 2-factor authentication -- is on android as well. But numbers 1, 3, 4, and 5 are all iOS or apple specific and definitely not on android.

Re:No Google

The problem is not so much with GPlay, as with app designers. Most of them are idiots enough to request license checks every other day, so it is impossible to use an app without being online and reporting to the mothership. Greed and stupidity work hand in hand to sell us out to BB.

Re:No Google

What Google analytics? What ads? I don't even see them, haven't since before they were there. Privacy Badger, ABP and noscript take care of that and of facefuck also. As a bonus, you don't see any stupid aggregators that rely on Google for their javascript trinklets.

Re:No Google

[Famak1994]

Listen dude, I'm not trying to get into a pissing match, but your fanboism is starting to wreak. "Of the five things I listed, number 2 -- 2-factor authentication -- is on android as well. But numbers 1, 3, 4, and 5 are all iOS or apple specific and definitely not on android." Yeah they are, it's called using a custom rom that Google has no control over and avoiding the use of specific services. If your really believe that Apple is some Angle from heaven that's here for the good of humanity then you are insanely naive. Most especially if you consider the fact that their OS is not open source thus closed to in-depth scrutiny.

Re:No Google

Alternatively, use iOS.

iOS isn't free software. If you want to secure your privacy, it's better to use only free software.

Re:No Google

As far as I can determine

But what's that worth? They're pretty much silent on their internal operations. Who owns them? Who runs them? What does their infrastructure look like? How about their business model?

I don't trust any of the search providers as far as I can throw them. If you've got to make a search and you're worried, do it over a public network somewhere else with a spoofed mac and/or over Tor (for starters). Start by locking down your box and then lock down your habits.

Re:No Google

If you want to secure your privacy, it's better to use only free software.

Charlatan. You never read the source code. You don't know if your free software is secure.

Re:No Google

You need to take Apple at their word for most of those. There's proprietary hardware and binaries in the mix. There's no independent outside audit. Your level of trust is disturbingly naive in an era where corporations and governments lying to citizens is the norm.

Apple may well be telling the truth about all of them. But to put actual trust in it is fanboiism itself. Right now, you can't trust much of anything. In short, we're stuck between a rock and a hard place. We need to get work done, to interact with others, to be productive in general--but the best options available to us are lousy.

Trust comes at a high premium and isn't given lightly.

Re:No Google

Opera (old 12.x version that is) has a nice option (not burried deep within some arcane configuration menu) to disable referrer headings. I also disable javascript (on a per website option, something that Firefox that beacon of free software won't let you do anymore). Say what you will, but Opera 12x is infinitely more privacy conscious than any other browser out there.

Re:No Google

Actually, I do read source code, you imbecile. I and many others. You think I'm the only one?

The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so. You're safer in such a scenario than in a scenario where the company is doing who knows what with the software. It's not perfect safety, but it's better.

Re:No Google

Whoops, meant to reply to the poster above you.

Re:No Google

If your really believe that Apple is some Angle from heaven that's here for the good of humanity

Strawman arguments are lies.

Re:No Google

Actually, I do read source code, you imbecile.

Careful who you're calling "imbecile" there. Reading source code doesn't do a damned bit of good unless every line of code on your machine was built *by you* from the same source you audited, using a known good compiler. Every executable, every driver, every library, every damned line of code that executes on your hardware.

Re:No Google

Careful who you're calling "imbecile" there. Reading source code doesn't do a damned bit of good unless every line of code on your machine was built *by you* from the same source you audited, using a known good compiler.

Perfect solution fallacy. All I am saying is that it's better to be able to view the source code than to not be able to see it at all.

At some point, you're going to have to trust someone. I get that. But you're going full retard by suggesting that if you don't build everything yourself, that means that free software is outright useless. Seriously, you can't be this ignorant; you're trolling.

Re:No Google

[SigmundFloyd]

Google analytics and ads are everywhere

Blocked in my 'hosts' file. See: http://winhelp2002.mvps.org/ho...

Re: No Google

And you have to trust the compiler too

Re:No Google

[allo]

But i know, that there are people working with the source code. An obvious backdoor would have been found i.e. by the cyanogenmod people, so it needs at least to be more subtle.

Re:No Google

[allo]

irony: to login you should use a google account.

Re: No Google

And since that is open as well there is still way more trust in the open system than in the closed one.

Re:No Google

That only has a limited effect. https://panopticlick.eff.org/ This is one of the SIGNIFICANT downsides of being a geek. Running Linux, alternate browsers, having unusual plugins, etc. all make it very easy to identify your particular machine on the 'Net.

Re:No Google

[jones_supa]

The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so.

Almost no one but the actual developers of the project read the source code. Software projects are so large these days that people seldom wade through the multiple thousands lines of code just for fun.

Here's an experiment people here can do: download the source code of some small project and read it thoroughly. Just try what it feels like. Understanding how the program actually works can take surprisingly big amount of time.

Do that experiment now.

Re:No Google

I will just tell you this.
Somewhere in the internet, there is a forum dedicated to a group of people that spend all of their time injecting backdoors into open source projects.
There is a whole tricky art of how to design malicious code that seems inoccent enough to pass peer review. Every single time the malicious code is commited along a useful commit, and in many cases even spread out over multiple commits/months for obfuscation.
While most of them target not-so-popular open source projects, I know of at least 2 very big projects that have backdoors injected and them and no one has a clue.

Every single time I see a guy saying they trust open source more I just laugh. Who really spends a huge time studying the codebase of a open source project before installing it?
Both open and closed source methods are insecure, and even if you're writing the whole software yourself you're still vulnerable due to the compiler that you did not write yourself (hint hint) or the OS itself, or the drivers, or everything single fucking thing that you did not write and did not properly audit.

Re:No Google

Almost no one but the actual developers of the project read the source code

This is nonsense. What part of of this is hard to understand? People *can* read the source code. That's automatically better than proprietary software, full stop. We don't need perfect security; all I'm saying is that being able to audit it (either yourself or others) makes it better than just going in 100% blind and having absolutely no say in the matter whatsoever.

Re:No Google

Every single time I see a guy saying they trust open source more I just laugh.

I trust it *more* than proprietary software. You haven't given me one reason to think otherwise. Now show me a single person who says that open source software is 100% free from bugs and exploits. Most are just saying it's more trustworthy than proprietary software. So basically, what you're implying is just a straw man.

Both open and closed source methods are insecure, and even if you're writing the whole software yourself you're still vulnerable due to the compiler that you did not write yourself (hint hint) or the OS itself, or the drivers, or everything single fucking thing that you did not write and did not properly audit.

You people really like the perfect solution fallacy, don't you? It doesn't need to be perfect; it just needs to be better than proprietary software, which is a low bar. More prying eyes = greater chance of discovering such things. You can even hire people to conduct audits. There is simply no comparison to proprietary software.

Re:No Google

[The+Ickle+Jones]

I know of at least 2 very big projects that have backdoors injected and them and no one has a clue.

Really? Well, it's free software, so either inform someone or get cracking. I see you're being very vague about this.

Re:No Google

But what's that worth?

Well look at it this way. They can't be worse than google, because that really isn't possible. And there's a nonzero chance they are better: they claim not to log your search history, and other people concerned with privacy have decided this a better situation than with google.

I can't prove they're not just as bad as google, but I think there's a realistic chance they are. I'm no worse off if they are equivalent to google, and there's a chance I'm better off if they are better.

Re: No Google

Unless its a honeypot

Re: No Google

I suggest using bitsearch, a decentralized web search that uses indexing of new content as proof of work

Re:No Google

[NoZart]

Sadly, Opera 12.x breaks more and more pages these days :(

Re:No Google

[allo]

And in closed source software, you do not even have the chance to see the backdoor.

Re:No Google

[worf_mo]

For chrissake, talk about waking a sleeping bear...

Re: No Google

[Ronin+Developer]

Exactly how does that custom ROM get installed??? Does it require modification of a device? Hardware modifications are not stock, are they? Are these devices readily available from a major supplier or must they be custom ordered?

There has been no reported successful hack of iOS devices to install malware where the device wasn't jailbroken. If you know otherwise, please provide relevant links? This can not be said of Android.

Now, what happens on the backend is open to interpretation and subject to debate.

You called the other poster a fanboi. He might be, but you are clearly a FAndroid with a chip on his shoulder and something to prove.

Re: No Google

[Famak1994]

"Exactly how does that custom ROM get installed??? "

http://www.android.gs/install-...

"Does it require modification of a device? "

Absolutely!

"Hardware modifications are not stock, are they? "

I think you mean software modifications, but no they're not stock. But you can make a stock backup of the original rom.

"There has been no reported successful hack of iOS devices to install malware where the device wasn't jailbroken. "

http://www.theverge.com/2014/9...

"Now, what happens on the backend is open to interpretation and subject to debate."

No it's not, because the information is not publicly available.

"Now, what happens on the backend is open to interpretation and subject to debate."

A fanboi of what exactly? If you recall, I'm treating both Apple and Google exactly the same...Using an Android device does not always mean you're a fan of Google.

Show me an Iphone that I can install a custom rom on while avoiding all of their services and I'll buy it.

Re:No Google

[lgw]

It's not about the obvious backdoor. It's often about the random number generator used for generating keys. Maybe that keyspace is smaller than you think.

How many of the e.g.cyanogenmod people collect a paycheck from the NSA? We've seen very subtle flaws in open source code that looked plausibly like a typo, but weakens security just enough for a powerful attacker while remaining secure from a script kiddy.

Not like it's just open source. Trust was lost for the hardware RNG in Intel CPUs (I'm not sure there was ever any evidence of tampering, only evidence of how subtly it could be done: only one guy messing with a mask at the last minute, and the RNG output would still look random).

Re:No Google

[allo]

Security is just not black and white.
For opensource you have the chance to see something, with closed source you do not have it.

The only argument could be, that flaws in opensource can be found easier by the bad guys, because of the open source. But i doubt it. At least for this not so obvious ones.

I think stuff like the debian ssl bug was known by the nsa. But not because they read the source, but because they collected A LOT of ssl keys. So its like blackbox testing.

Re:No Google

[lgw]

Are you looking at the code? I don't think that's relevant.

Companies like Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws - well-trained people who's day job is to do just that.

The once-believed advantage of open-source was that companies might be in bed with the NSA, putting flaws in deliberately, but open-source projects wouldn't be. Turns out, not so much. Both groups are just as vulnerable to malicious insiders, and both are filled with techies who would be quite angry to discover a flaw deliberately hidden in their codebase.

Re:No Google

[allo]

> Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws
same for big opensource projects.

And now show me a case of malicious insider in an open source project.

Re:No Google

They can't be worse than google

I don't think you know what that means.

You don't know either way. It's 50/50, because you have no knowledge to base your decision on. You ought to be more careful about making assumptions. It'd be quite easy to be worse than Google. All they need to do is be run directly by a three letter agency. At least Google is nominally independent and collection for TLAs isn't their primary mission. As you point out, the reverse is also possible--they could be better--but you really don't have any information on which to base your decision. It bears repeating that you're making assumptions here. There is a realistic chance of both scenarios: 50/50.

they claim not to log your search history, and other people concerned with privacy have decided this a better situation than with google.

Claims don't mean squat, and the opinions of other people have no bearing on the facts of the matter. The cold, hard truth is that we don't have any facts to support either their claims or the opinions of those people. We just don't know. Now, stop making silly assumptions (it makes you sound like an NSA shill or someone very naive).

Re:No Google

betelgeuse, betelgeuse, betelgeuse!

Re:No Google

[The+Ickle+Jones]

The once-believed advantage of open-source was that companies might be in bed with the NSA, putting flaws in deliberately, but open-source projects wouldn't be.

With open source, you can start making your own version and modifications. If there is an apparent conflict of interest, someone will start a new project, possibly using the source code. Or you can hire people to work on it for you. You're not beholden to a single company.

Both groups are just as vulnerable to malicious insiders

No, they're not. It's much easier to spot when everything is out in the open. Not only do professionals often look at big open source projects, but 'normal' people also do so; there are more prying eyes.

We already have countless pieces of evidence of companies being in bed with the government, but with open source, there's a greater chance any such malicious activity will be spotted. Not 100%, but then again, who has ever claimed that?

Re:No Google

[lgw]

With open source, you can start making your own version and modifications

That is the one real advantage. It's not cheap or easy. It's not going to be a hobby project. But it's possible.

The replacement of OpenSSL, the TrueCrypt audit and fork. That's where you see open source step ahead.

We already have countless pieces of evidence of companies being in bed with the government

There's a big difference between a company giving data to the government -- security doesn't enter into that -- and adding deliberate flaws to security products. There hasn't been much evidence of the latter, though wasn't RSA tainted? The bigger worry with proprietary security products is that they're scams, and that happens a lot, but that's a different issue.

Re:No Google

mail.com / email.com got bought out by AOL years ago (remember the godawful improvements to the interface?), and require google to be unblocked when you need your password back

They were compromised directly somewhere around 2008, check the helpful infographic on the NSA's "signup" program that was one of Greenwald's first releases, I forget the name of the program

So that's 2 large companies with cross-scripted access to your password/data, and two points of agency entry - catch22 when you forget your password

Re:No Google

[lgw]

It's hard to google pre-heartbleed OpenSSL flaws, but there were some serious, subtle flaws in OpenSSL that looked remarkably like typos. After the NSA leaks, there's no doubt: someone committed those flaws deliberately. And the NSA leaks showed a large and well-funded program to do just that: to subvert every public cryptographic tool and standard in subtle ways, vulnerabilities that left tools secure unless you knew about the backdoor (which is particularly pernicious, as when the backdoor is inevitably discovered, the tools are in widespread use).

The open/closed source debate is like a school yard brawl when the Marines land - entirely trumped by vastly more resources spent subverting the tools than went in to writing them. What a damn waste.

Re: No Google

[Ronin+Developer]

The hack you posted is not an exploit of the phone - it was a hack against one of the services provided by iCloud. The phone, itself, was not compromised.

There was a report of spyware that could be installed on an iPhone - it required a jailbreak to install. It could not be done OTA and without physical access to the device.

Replacing a ROM chip is both a software and hardware modification. It is not stock, is it? So, out of the box, which platform is more secure at this time?

Now, once you modify the device as you have indicated, it's possible to make the Android more secure. But, as a stock device, it still lags, doesn't it?

And, you are right...you can't insert a custom ROM in an iOS device - best you can do is jailbreak - something I would never do because of the inherent risks.

Why do I refer to you as a "Fandroid"? You attacked the original poster's arguments where they stated that all but one of the items they listed were iPhone only. You said the features were available on Android as well. They aren't without custom, hardware and software modifications as you noted. You ignored their original point and called them a "fanbois". I called you on it.

Re: No Google

[Famak1994]

Well, apparently it's officially a pissing contest now. But to clarify my reasoning behind my previous posts: I was merely promoting freedom of choice over blind trust. It's a double edged sword since the more freedom you give up the more susceptible you become to the fat cats; while the more freedom you have, ultimately, makes you more susceptible to black hats. Either way, I could give two shits less which is more secure for the 'general populace' nor how many retards get themselves hacked due to poor decisions SO LONG as I have FULL control over my devices and am able to implement my own security protcols. Which currently, Apple does not offer...End of debate.

Re: No Google

[Famak1994]

In good contentious, I have to reply to you twice since... "The hack you posted is not an exploit of the phone" Then what is it? "Replacing a ROM chip is both a software and hardware modification. It is not stock, is it? So, out of the box, which platform is more secure at this time?" Do you even know what you're talking about? "Now, once you modify the device as you have indicated, it's possible to make the Android more secure. But, as a stock device, it still lags, doesn't it?" No, it doesn't since everyone involved works closely together in improving whichever device is in question. A most notable case is CPalmar, who not only did it for his wife and his own personal enjoyment, but has done it all for free and has continuously refused donations! Even the creators of Cyanogen (the most popular custom rom) have refused to sell themselves out, even in the face of a billion dollar acquisition offered by Google: http://www.droid-life.com/2014... "And, you are right...you can't insert a custom ROM in an iOS device - best you can do is jailbreak - something I would never do because of the inherent risks." The only risk that's involved is your naivety. People don't just get malware from doing nothing, they download pirated copies of app and single handedly fuck themselves. And you know what, I'd rather people have the freedom to go fuck themselves than no freedom at all since I could care less about these rejects.

Re:No Google

[Famak1994]

I believe you have no idea what constitutes a logical fallacy. So I'll point you to a site that makes it easy for you to print and/or purchase a board that clarifies all of this for you: https://yourlogicalfallacyis.c...

Re:No Google

Reek.

Angel.

Re:No Google

[brantondaveperson]

Recent major security blunders with open source software beg to differ.

Re:No Google

[AHuxley]

FBI quietly forms secretive Net-surveillance unit (May 22, 2012)
http://www.cnet.com/news/fbi-q...
Somewhere between a tame telco, tame hardware, tame software and the "Communications Assistance for Law Enforcement Act" https://en.wikipedia.org/wiki/...
an average users gps, voice, text, images, voice print and all other cell related data will be as easy to get as always.
An average user might be sold on the idea that some user data is protected from wider outside network man in the middle efforts but that will not help with CALEA and a tame brand having to sell compliant telco products in the USA over generations.
Staff often then move into the private sector and then contract methods and skill sets back at a city and state level. Thats a lot of people with the keys to consumer grade telco standards.

Re:No Google

[tqk]

mail.com / email.com got bought out by AOL years ago ...

I don't much care about that. Yeah, AOL in its day was pretty silly, but mail.com seems not bad. Anything I've talked to them about seemed handled professionally. Yeah, I tend to edit my replies in emacs, then attach that to an otherwise empty email (to preserve formatting), but that's the way of the world (Microsoft and its related apps' embrace & extend corruption) that I've come to expect to have to work with in many ways. They didn't invent that. FTP need[ed|s] to be told explicitly when it was handling binary data too.

... and require google to be unblocked when you need your password back

Didn't know that, but I won't forget my email provider account's pword, barring senility or ethyl alcohol (feature! :-). I don't bother going out of my way to block G. I just try not to use them/it, other than Youtube. I don't have much to hide, and I assume something's always been grepping what's been going through the main network nodes. Now, they're just better (more capable, technically speaking) of doing it.

They were compromised directly somewhere around 2008 ...

ty, but that was a long time ago, yes?

So that's 2 large companies with cross-scripted access to your password/data, and two points of agency entry - catch22 when you forget your password

So don't do that. I'm looking forward to getting IMAP access with them. $20/a. IMAP would eliminate my need to use their (IMHO) icky webmail interface. All webmail interfaces blow chunks (imho).

Re:No Google

A few major security blunders in some open source software do not disprove the rule. Saying otherwise is ridiculous.

Something needn't be perfect in order for it to be better than the alternatives. Again, saying otherwise is just bad logic.

Ignoring the countless major security flaws in proprietary software and focusing on the ones in free software in an attempt to discredit it. It would be mighty foolish to do that.

You can look at the source code, hire others to audit it for you, modify it yourself, or pay others to modify it for you. You are not beholden to a specific company, and there are far more prying eyes (most without conflicts of interest). This doesn't mean open source software is 100% immune from all flaws, but not a single person made that claim.

Re:No Google

[citation needed].

Apple includes of an undocumented file-relay service in iOS that is only useful for spying.

"Its sole purposes is to dish out data, bypass backup encryption, and give you almost the same amount of personal data you get from a backup on the phone, in some cases even more. We really need someone at Apple to step up and explain why this is here. There's no logical reason why it should be there on 600 million devices," points out Zdziarski.

http://www.techtimes.com/artic...

The NSA may be responsible for iOS 7’s biggest security vulnerability.

According to a tweet from Jeffery Grossman, this vulnerability has been present in the software since iOS 6. Based on the leaked PowerPoint document which exposed PRISM, Apple and its devices were added to the NSA program in October 2012, just one month after the release of iOS 6. Whether or not the NSA planted the exploit itself, Gruber believes there is a chance the government agency was aware of it and took advantage of it to gain access to private information.

“Once the bug was in place, the NSA wouldn’t even have needed to find the bug by manually reading the source code,” wrote Gruber. “All they would need are automated tests using spoofed certificates that they run against each new release of every OS. Apple releases iOS, the NSA’s automated spoofed certificate testing finds the vulnerability, and boom, Apple gets “added” to PRISM.”

http://bgr.com/2014/02/25/appl...

Re:No Google

[Famak1994]

A single word does not make a sentence. But thanks grammar cop for correcting something that doesn't matter in the slightest bit.

Re:No Google

[allo]

Yeah, i suspect the NSA to infiltrate BIG projects like openssl as well. But i fear closed source the same. The only difference is, that commercial (!= closed source) software can easliy be affected by a NSL and that open source (which may be commercial as well) software can be read if something is suspected. And you can patch as soon as possible without waiting for a patch day.

Don't avoid them

Google and Facebook make our lives easier in many ways. Just understand that what you say is not truly private and use common sense about what you post there.

Re:Don't avoid them

Just understand that what you say is not truly private and use common sense

Honestly, meatspace isn't any different.

Re:Don't avoid them

[tqk]

What an incredibly shallow thinker you are. A bullet to the head would make your life easier too. Try it.

I can't believe how lazy minded some people have allowed themselves to become. 21st Century sure does suck.

Re:Don't avoid them

[Seumas]

Wait... what?

Okay, I get how Google makes our lives easier (as far as searching and maps go). I get how CamelCamelCamel telling us where the cheapest thing to buy is and when makes our lives easier. I get how that little thing that helps you find the cheapest local gas station makes our lives easier. I totally get how email does. But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

Re:Don't avoid them

> But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

Any grandmother with an account on facebook could tell you how much easier it is to see what's up with their grandkids via facebook.

As long as you think facebook serves no purpose, despite the fact that nearly everyone on the internet has a facebook account, you will be completely useless to improving the situation. Sheldon Cooper is not a role model.

Re:Don't avoid them

[scum-e-bag]

But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed. For the hoi polloi, it's an effective "one stop shop" to communicate with each other.

Re:Don't avoid them

[Pumpkin+Tuna]

You see, there are these things called friends. They are other humans we like to interact with. Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.

Re:Don't avoid them

But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed. For the hoi polloi, it's an effective "one stop shop" to communicate with each other.

And it makes the FBI's job so much easier too!

Re:Don't avoid them

But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed. For the hoi polloi, it's an effective "one stop shop" to communicate with each other.

And one of the best walled gardens of its time, see what AOL or Compuserve did in the 1990s

Re:Don't avoid them

Do you actually have something to add to the conversation, like why what I said is a terrible idea? Or are you just another one of those people who have nothing to say except "trust me when I say it is bad and that you are a moron for thinking it ok, even though I provide no reasons why."?

Re:Don't avoid them

[jader3rd]

Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.

There were many solution to that problem before Facebook, and there are still many solutions to solve that same problem today.

Re:Don't avoid them

And you're still a fucking idiot. People like simplicity, and ease of use. Facebook/G+ make that REALLY simple for them.

Re:Don't avoid them

[tqk]

Do you actually have something to add to the conversation, like why what I said is a terrible idea?

If you insist. It's been common knowledge for a long time that FB is not your friend in any way. Their product is their users' data (sold to advertisers & etc.). Now, we even have Snowden's insider view of the NSA confirming they're in no way protecting their users' data. With all the !@#$ that's been going on with NSLs and AT&T (et al) coughing it up for nothing more than a demand written on a Post-It note, everyone on-line world-wide ought to be horrified.

Most of us didn't need Snowden to confirm this. EFF (among others) have been screaming about this for years. You been living under a rock or something?

Re:Don't avoid them

[tqk]

Any grandmother with an account on facebook could tell you how much easier it is to see what's up with their grandkids via facebook.

My mother (a grandmother) would argue that with you. She was quite happy with email and despised FB. When lazy brats like you decided a spam email or two a day was too much to deal with and gave up on email in favour of FB, she was disgusted.

It's hard to believe that we're *still* arguing about this on /.

Re:Don't avoid them

[tqk]

Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed.

When you use the word "arguably", it means both sides of the argument may have validity. Are you really going to try to argue that FB ranks *anywhere* near TCP/IP (and tools like SMTP, NNTP, FTP, ...)?

Kids these days.

Re:Don't avoid them

[tqk]

And you're still a fucking idiot. People like simplicity, and ease of use. Facebook/G+ make that REALLY simple for them.

No, they're not (still a fucking idiot). You're delusional. What's hard about email, for instance (from the user's point of view)? Okay, if you're stuck using Win*, it's a !@#$%, but that's not email's fault. *Everything* on Win* is a !@#$%.

You're on /. how long, yet you've not bothered to listen to (read) the *many* discussions *many* forums have been reporting on this over the years, or bothered to research this ancient (in "Computer/Software Years") topic?

Correct me if I'm wrong but /. has a search function built into it, yes? I just checked. At the bottom of the /. home page, see "Story Archive". In there is a link to view by "Topic." In the resultant list, find "Facebook."

Have fun.

Re:Don't avoid them

As a light user of Facebook, I'll try to answer. (I friend people on Facebook and read my "news feed" regularly and occasionally reply to statuses, but I never like anything or post statuses or photos of my own.)

For me, the primary usecase of Facebook is as an address book: e-mail requires me to have someone's e-mail address. With Facebook, if I meet someone at a party, I can friend them on Facebook as long as I remember their first name, even if I don't know what spelling they use (remember, I met them at a party, so we probably have mutual friends). E-mail has no built-in equivalent (it's pretty clearly out-of-scope); the normal way to get someone's e-mail address is to ask them (like trading phone numbers in person, but even more awkward because phone numbers are just 10 digits while e-mail addresses tend to be longer), Google their full name spelled correctly (assuming they have a web presence, which many of the people I socialize with don't), or, go more similar to the Facebook approach, and ask a mutual friend whose e-mail you already have. Because, of course, you met this random person at a party and you know which mutual friend actually knows them. Sure, if you thought they were the coolest person ever, then you'll get their contact info, but most of what I read my Facebook news feed for is actually interesting posts and links by people I actually don't know that well.

Also, e-mail is really terrible at comment threads if you don't have a mailing list to manage it. Maybe you could get a similar effect to social networking status by agreeing to put "[SOCIAL]" or "[SPAM]" at the start of any e-mail that would have been a status update in the current system, but you still have (1) everyone has to setup their e-mail clients to handle that, (2) there's no way to edit or delete posts, (3) you have to deal with top-vs-bottom posting, and (4) there's no lightweight agreement operator (i.e. like/+1/favorite, which, while obnoxious on articles, is actually quite useful for civil discussions among a small number of people; specifically, it prevents piling on "I agree" messages and "liking" an opponent's post in a debate is a civil way of conceding the debate).

In the end, empirically, a lot of people use Facebook and not e-mail, which suggests it's providing some value, at least that e-mail did not easily provide when Facebook launched.

Is this counting Apple's new encryption scheme?

Perhaps I'm mistaken, but Isn't the whole premise of Apple's new encryption scheme to essentially making 'giving the keys' essentially an impossible task since they would never have ownership of said keys in the first place?

Re:Is this counting Apple's new encryption scheme?

[wiredlogic]

The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge. Apple's new policy changes nothing.

Re:Is this counting Apple's new encryption scheme?

[the_B0fh]

They never had the keys in the first place. What they have done is to enable more things to be covered by encryption.

Re:Is this counting Apple's new encryption scheme?

[gronofer]

I'm not sure whay "key" means in this context. If I encrypt a file archive, I need to enter a pass phrase, preferably over 20 characters and not easily brute forceable. This pass phrase is they key, as far as I know. What is the equivalent on Apple's devices? Are they encrypting with a 4 digit pin?

Re:Is this counting Apple's new encryption scheme?

[NotInHere]

This encryption is only useful when the phone never were unlocked after authorities got suspicious of you. The moment you unlock, it connects to the carrier, the baseband downloads the rootkit (or they use one of the various other backdoors they have), and the authorities get the key, and any other phone content they wish.

Re:Is this counting Apple's new encryption scheme?

So if you think you're about to get arrested, turn off your iPhone?

Re:Is this counting Apple's new encryption scheme?

[ShanghaiBill]

The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge.

I fail to see how it would be "easy" for a third party to access a file on my cellphone without my knowledge. If they do it with my knowledge, then they need a warrant, and have to go through proper legal channels.

Apple's new policy changes nothing.

It seems to me that Apple's policy, along with the policy changes by other big tech corps, change everything. Pervasive encryption is coming, and coming fast. These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing them billions.

Re:Is this counting Apple's new encryption scheme?

Here is the rub:

A company breaks up a key into pieces and says that no single division or part can decrypt data.

However, with the proper "encouragement" via a government (similar to how India "encouraged" RIM to give them access to BIS servers), the data can still be obtained. iPhones are quite closed devices, and in theory (mind you, this is theory), Apple could push some code to the phone belonging to a person of interest that would either install a backup key, pull the key out, or download data in the background.

Android, similar... but with Android, there are so many different ROMs, phones, and configurations out there that it would take some doing and not just typing an IMEI number, click "spy", and be done with it. It is quite possible, but not as easy.

Do I trust Apple? There are other big companies who have started to play policeman and actively sift through their subscriber data and hand things over without being told to do so. Apple doesn't actively do the virtual equivalent of going through one's belongings with a fine tooth comb, then bringing in the police if something illegal is found under a couch. There is already enough fighting to keep government powers at bay. Having private companies act as another police force is unacceptable, no matter how noble their aim.

Would I stay at a hotel knowing that my stuff there will be sifted through for anything illegal, and my phone calls taped and actively listened to for any activity? Nope. I'm sure the "do you have anything to hide" argument will be brought to bear, but if the company storing my data is now someone actively trying to find a way to cause me legal issues, I'll take my business to another place that doesn't do that. I feel that Apple hasn't tossed anyone to the wolves, so they are probably a lesser evil in this department, although who knows where their data ends up, as their devices are made in China, and the Chinese government has just as much say in what goes into them as Tim Cook does.

Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.

Another example is Thailand's lese majeste laws. A US citizen who poked fun at Thailand's leaders can be deported there, even though the person never was in the country. Having a private company look for these types of things, items that people never thought of, then they get arrested and shipped overseas to stand trial in a country they never even seen is something that is inevitable. Someone may be a 100% law abiding person in the US and have nothing to hide... but with extradition treaties, they might be breaking laws in a country they never have heard from and can be hauled off for that (Kim Dotcom, anyone?). So, privacy is a must.

Do I trust Facebook? Rule 1 of the Net. Don't put it up unless you want the local DA, Feds, and your worst enemies seeing it. With that in mind, plus common sense partitioning (run your FB Web browser in a sandbox or container separate from everything else), FB is tamable. It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)

Do I trust Google? I use their services, and have found that Android is well written. Even the disk encryption is decent, especially if you separate the dm-crypt partition passphrase from your unlock PIN, making your /data partition extremely tough to brute force open. I'm not really worried, as they are not any worse or any better than other places.

Do I trust Dropbox? Similar to above. Neither worse or better. However, I do pack my own parachute and use Boxcryptor (not 10

Re:Is this counting Apple's new encryption scheme?

[Famak1994]

You can block and remove Carrier IQs...

Re:Is this counting Apple's new encryption scheme?

[sexconker]

they need a warrant, and have to go through proper legal channels.

I take it you've been living under a rock for the past decade.

Re:Is this counting Apple's new encryption scheme?

[bigfinger76]

Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.

I don't think that's what extradition agreements are for.

Re:Is this counting Apple's new encryption scheme?

[tqk]

These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing them billions.

*Golf Clap*.

You pathetic moron. You think Apple or Google umbrage is going to stop NSA suckage? Ho. Ly. ...

Re:Is this counting Apple's new encryption scheme?

Burn it. In Russia in the 90s they used to sell kit that could destroy a computer remotely in case the mob or the police visited. Maybe they have the same for the iphone?

Re:Is this counting Apple's new encryption scheme?

[mtempsch]

Burn it. In Russia in the 90s they used to sell kit that could destroy a computer remotely in case the mob or the police visited. Maybe they have the same for the iphone?

Ooooh, I sense a business opportunity - thermite cases! Shouldn't be any less safe to walk around with than the phones themselves, given the batteries. Must just not make the trigger too sensitive...

Re:Is this counting Apple's new encryption scheme?

the mob or the police

B-

Too wordy. Suggest cutting redundant nouns.

Please revise for your final draft next Tue.

I want to give you an A so you can get into a good [0] college [1] and can participate [2] in the planned Russian-style
global economy [3], but work with me here.

My hands are tied. They will cut my funding if enough of you little angels don't pass [4]!

Good day, Sir/Madam [5].

You WILL like my newsletter and you WILL subscribe to it.

Love, the Department of Education/Labour

[0] controlled
[1] indoctrination camp
[2] subjugate
[3] taxpayer-funded bailout/bribe bonanza
[4] do as you are told
[5] Sir/Madam

Re:Is this counting Apple's new encryption scheme?

[Famak1994]

Disturbing news tonight on the 9 O' clock news. A father accidentally blows his own son's head off after remotely triggering his cell phone case to detonate. Ironically, his son was trying to call his father at his office to let him know that he found his phone.

Re:Is this counting Apple's new encryption scheme?

Except that thermite doesn't detonate. It deflagrates. They're two distinct processes occuring at distinct speeds (differentiated by whether or not the propagation of the shockwave exceeds the speed of sound in the material). Many materials are capable of a deflagration to detonation transition, but thermites are not in that class.

Re:Is this counting Apple's new encryption scheme?

---------> how clever you think you are

---------> cleverness of the average Rob Schneider movie

---------> how clever you actually are

Re:Is this counting Apple's new encryption scheme?

[countach]

Hmm... the key is NOT on the phone. I don't understand Snowden's comments or yours. The IOS file system is encrypted, and if you use a decent length pass phrase it should be unhackable. No?

Re:Is this counting Apple's new encryption scheme?

[countach]

I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.

Re:Is this counting Apple's new encryption scheme?

It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)

This is probably the dumbest thing I've read today (and I've read other articles on slashdot). How does having a narcissistic "me-too" account help you do anything better in any tech job?

The answer is, they don't. Would you want to work for anyone who thought otherwise?

Re:Is this counting Apple's new encryption scheme?

I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.

A warrant that's far too easily obtained these days thanks to lenient judges who rubber stamp any warrant that hits their desk regardless of reason.

Re:Is this counting Apple's new encryption scheme?

These companies no longer have any reason to voluntarily cooperate with the NSA.

Until when they invoke those pesky compulsory NSL letters.

Re:Is this counting Apple's new encryption scheme?

[Famak1994]

The thermite would cause the battery to explode...

Re:Is this counting Apple's new encryption scheme?

[wiredlogic]

if you use a decent length pass phrase it should be unhackable. No?

Only if you're naive enough to believe that a keylogger can't be installed surreptitiously.

Re:Is this counting Apple's new encryption scheme?

It would still be a deflagration. Lithium and air? Doesn't just explode. You might think it looks an awful lot like an explosion, but it's really not. Needs to move faster for that.

Re:Is this counting Apple's new encryption scheme?

To clarify, it wouldn't be a detonation or a formal explosion. In common English, you might refer to something as an explosion if it ruptures a container, whereas, in formal terms, it wouldn't be classed as an explosion unless it actually underwent a D2D (detonation to deflagration) transition. Things like dust explosions are a perfect example of the two usages of the word. In common usage, it's an explosion. In formal usage, it's an extremely rapid confined deflagration. I'm done being pedantic now. Just be aware that there is a distinction.

Re:Is this counting Apple's new encryption scheme?

Derp. *deflagration to detonation. Should've used Preview more carefully.

Re:Is this counting Apple's new encryption scheme?

[ColdWetDog]

In the interim, why you crazies are arguing the difference between deflaguration and detonation, the kid's head falls off.

I hope you are happy with yourselves.....

Re:Is this counting Apple's new encryption scheme?

I hope you are happy with yourselves.....

Very. Who doesn't like a good beheading every now and then? Frankly, I prefer mine to be quick instead of that messy sawing business... /s

But on a more serious note, I've got an interest in designing dead man's switchs and I don't think that thermite is a particularly good option. Better options are tamper-resistant devices which trigger a wipe of a key stored in a crypto-chip. You also need manual triggers, and possibly remote triggers. After all, a robust dead man's switch needs to assume that the user is incapacitated and possibly even being tortured. How long can you hold out? 10 seconds? 30 seconds? It needs to activate reliably in that time-frame and minimize false positives, while reducing physical risk (thermite has a nasty tendency to burn through things, acid is too slow in most instances, etc.).

Suggestions welcome.

Re:Is this counting Apple's new encryption scheme?

Then why did he say "access a file on my cellphone"?

Re:Is this counting Apple's new encryption scheme?

[sexconker]

I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.

Step 1: You are pulled over while driving for .
Step 2: Cop determines that you are acting suspicious and refusing to comply with his orders.
Step 3: Cop tells you to step out of the car, puts you in handcuffs, empties your pockets, and searches your vehicle.
Step 4: Cop takes your phone and plugs in AutoFascist 3.0 device while you watch, pressed up against the hood of your own car.
Step 5: "Thank you, Officer."

No technical solution for a social problem

[iamacat]

Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

Re:No technical solution for a social problem

Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

Your "No technical solution for a social/political problem" title (with my addition in bold) is the most crucial point in this discussion - but your suggestion to have "a direct popular vote for a commission blah blah blah" (with my addition in bold... again!) is wasteful when you already have a constitution (that secret agencies should respect) and a popular vote that elects the officials that control those secret agencies. So you should just use your "popular vote" to elect the right people...
(sorry for my English, my Greek are better!)

Re:No technical solution for a social problem

Of course government can read my e-mail. All they have to be is waterboard me.

But, but, Obama, he promised change, man!</whiny-hippie-greybeard>

Re:No technical solution for a social problem

> No amount of encryption is going to solve this problem.

Sure. But, encryption of in-flight and at-rest data thwarts both passive and dragnet surveillance. This is *exactly* the thing that we've been screaming about for the past year or so.

If the government wants to get *you*, then *you* are screwed. They control orders of magnitude more people and money than you. Thing is, if dragnet surveillance is impossible, then the government has to expend resources to learn about a person. They have to be choosy about who they track and who they listen in to, because they don't have *unlimited* resources. *Targeted*, *justifiable* surveillance is what cypherpunks are trying to force the government back to.

Re:No technical solution for a social problem

[The+Ickle+Jones]

Of course government can read my e-mail. All they have to be is waterboard me.

"All they have to do"? Doing that to everyone would take forever. The point is to make sure they have more trouble automatically gathering everyone's emails.

Or install enough camera in public places to capture my unlock pattern.

Nice pseudoscience. And this would still be more difficult than what they're doing now.

There are indeed technical solutions to some social problems.

Re:No technical solution for a social problem

Sure. But, encryption of in-flight and at-rest data thwarts both passive and dragnet surveillance. This is *exactly* the thing that we've been screaming about for the past year or so.

Uh, no. What has been screamed about is that meta data collection is happening on a broad scale and so not even something like Tor or Freenet can fundamentally bypass the government's tracking of your actions (even if they're not 100% sure of what those actions are) through a retroactive search for their meta data database. So, as much as I agree that encryption should be used as much as possible, it's mostly a non-sequitur to the issue at hand.

If the government wants to get *you*, then *you* are screwed. They control orders of magnitude more people and money than you. Thing is, if dragnet surveillance is impossible, then the government has to expend resources to learn about a person. They have to be choosy about who they track and who they listen in to, because they don't have *unlimited* resources. *Targeted*, *justifiable* surveillance is what cypherpunks are trying to force the government back to.

Except that there is no technological solution to the problem of what is fundamentally political one. Long ago the government, especially the Judiciary, decided that (1) meta data being a necessary component for a third party to route data was not covered under the 4th Amendment, (2) that the government engaging in broad subpoenas of meta data or just outright bribing/buying the data from third parties was okay, and (3) it was fundamentally acceptable to have secret courts and secret commissions that fundamentally undermine the ability of the people to make any sort of functional voting for or against any of these sorts of programs. To say that we are screwed if the government wants to get us: yes, we're all screwed because a dictatorship always wants to get all the people and keep them under its thumb.

The media should not be and isn't who defines the discussion. But, never the less, the public at large needs to change the discussion to really have any hope of the US not turning into a dictatorship with all the tools laying the very framework for our control. We're not so lost yet that we can't have that discussion in the open, unencrypted or vote for change. At the point at which the cyberpunks are right and encryption must be the way to go? That's the point that nothing short of a very bloody revolution (likely multiple failed coops with thousands or even millions killed) will work. It is, after all, a social construct on what's private or not. For too long society hasn't been the one defining things but instead it's been left up to lawyers and judges too invested in a system, seeking their own idea of justice even when the ends do not justify the means.

*sigh*

Re:No technical solution for a social problem

[itzly]

The question is what we allow the government to do

Or maybe the question is what the government allows you to do. In the US, they won't allow a 3rd party, for starters. And the two remaining parties have a great deal of overlap regarding surveillance.

Re:No technical solution for a social problem

[DigiShaman]

"More than one-third of Americans cannot name a single branch of the United States government"

The nation is lost! How do you think we got the assholes - we have in office - in the first place?! People are just fucking ignorant and dumb!!! Ideas of how to govern is useless if people don't even understand the basics fundamentals of the existing government they have already.

Re:No technical solution for a social problem

[The+Ickle+Jones]

And yet even if they could, it wouldn't change a damn thing. People have been voting for the 'lesser' of two evils since the beginning. It's partly because our system is poorly designed, but that doesn't mean that people are worthless idiots for going along with it.

Re:No technical solution for a social problem

[Livius]

Of course government can read my e-mail. All they have to be is waterboard me.

Wrong.

I can't understand why people are so confused about this. It has nothing to do with government needing to resort to extreme measures to get its way.

All it takes is a warrant. People have been getting warrants for close to a thousand years. Getting a warrant is not hard. Getting a warrant is a routine part of professional law enforcement. Nowadays getting the warrant is actually easier than all the theatrics they're doing instead. All these efforts to circumvent constitution guarantees (in multiple countries) are about making the political statement that the government is above the law. It is intimidation with no constructive purpose. Citizens are worse off not just because it violates their rights, but also because it encourages sloppy police work.

Re:No technical solution for a social problem

that doesn't mean that people are worthless idiots for going along with it.

Um, I never said it did. What it does mean though, is that they are worthwhile idiots. Worthwhile because they are worthwhile to the assholes in office, and idiots because they seem to have fooled themselves into thinking that a red candidate can win in a blue state, or a blue candidate can win in a red state. Sure, it isn't technically impossible, but it is statistically unlikely, and is far more equivalent to "throwing your vote away" than voting third party will ever be.

Re:No technical solution for a social problem

[The+Ickle+Jones]

Um, I never said it did.

I meant to say, "but that doesn't mean that people aren't worthless idiots for going along with it." Well, I guess they are worthwhile to someone, so you have a point there.

Re:No technical solution for a social problem

[iamacat]

Forever? Just round up people based on nationality, participation in a protest or a house of worship. Then carry out waterboarding in public view, giving each person in line a choice to spill the beans or experience waterboarding and then spill the beans. Should take no time at all. Regimes far less wealthy than US have been doing great job keeping tabs on their citizens with good old secret police work rather then tech. Weather we allow that, or Prism, or consequences of no secret surveillance at all is really up to us.

Re:No technical solution for a social problem

You haven't been keeping up. The warrant clause of the Fourth Amendment has been riddled with so many exceptions since the 1970s that today, a valid warrant is rarely necessary. And after the Patriot Act, is generally unnecessary.

Re:No technical solution for a social problem

[the_B0fh]

Sure. But, encryption of in-flight and at-rest data thwarts both passive and dragnet surveillance. This is *exactly* the thing that we've been screaming about for the past year or so.

Uh, no. What has been screamed about is that meta data collection is happening on a broad scale

Methinks someone doesn't understand what dragnet means.

Re:No technical solution for a social problem

[lsatenstein]

Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

After a mental debate about the pros and cons of NSA surveillance, I have reached some conclusions.
With total secured data and transmissions, businesses have the confidence that what is private to them remains so.
With total secured data and transmissions, criminals have the confidence that what is private to them remains so.
With total secured data and transmissions, NSA have the confidence that what is private to them remains so.
With total secured data and transmissions, terrorists have the confidence that what is private to them remains so.
So what?
As a citizen of a multi-cultural democratic country, can I obtain all my information about criminals and terrorists only by infiltrating their organizations? Can the NSA, in proactive mode, be able to do so before an illegal act occurs, or only after the bodies are buried. When do you want them to do the searching?

A positive point to consider:
If the NSA surveys the transmissions with sophisticated search engines, looking for illegal activities, and from the algorithms within the search engines, obtain a list of messages and meta data about the sender/recipient, can they protect us better?

A negative point to ponder.
Can the NSA search engine software be audited by some authority to insure that the searches are against legitimate use are not done, what would be your stance?

I don't feel threatened by NSA and it's probing, as all my uses of email, web browsing, encryption, and purchasing of crap through the internet is for legal purposes.

So, draw your conclusions from my ponderings. Where do my thoughts lie?

   

But but... Google is too big to fail

and so big they are in the NSA's pocket.

Re:But but... Google is too big to fail

and so big they still have to obey US laws.

FTFY.

Taking it a step further

[Opportunist]

Simply avoiding Facebook, Google and the rest isn't going to serve much. Because that makes you stand out, too. Use them. Fill them with enough goody-two-shoes garbage that you're uninteresting enough. Invent some innocent hobby or two for you to have so you can fill that page with something. Invite friends (whoever you run across will do, just make sure that they're not in some way "odd").

The important bit is just to keep your real life apart from your official one. And yes, before you ask, your work belongs on the "official" side. Along with your official family and everything else that can easily be connected to you with existing data. Don't try to hide what can be proven to belong to you.

And yes, 10 years ago I would have agreed that doing something like this means your tinfoil hat is sitting too tight. Today, I ain't so sure anymore...

Re:Taking it a step further

[SternisheFan]

So we've basically told several generations that they aren't trustable, and everthing that they do will be monitored, and they cannot trust anyone. I feel a darkness has encroached on the population.

Re:Taking it a step further

[rtb61]

The abandoning privacy argument. If you believe the government already consider you very suspect better that they can find out everything about you, which is nothing and make it easy for them. Rather than protecting your privacy and making it very difficult for them, so they end up wildly overreacting and place you in the life threatening situation of a search warrant swat team.

The catch with that, is they want to believe. They will believe that all the information they easily find about you is fake and that you are in fact very dangerous and hiding something and the life threatening search warrant swat team descend upon you anyhow.

So you take some security precautions but you remain generally open, you control you communications (no drunk or angry or let alone drunk and angry communications) and you generally directly take the piss out of them as you also don't want to appear to be crafting a low profile. Take up a harmless but unusual pass time. Say, convince them you believe in psychic abilities and aliens and they'll consider you a harmless nutter, although both types of forums remain useful places to conceal communications as they are very global in nature on the internet ;).

Re:Taking it a step further

[ArcadeMan]

I'm not so sure about psychic abilities, but statistically aliens are almost a certainty. The real question is: are they amongst us?

Am I flagged as a harmless nutter yet?

Re:Taking it a step further

I'm not so sure about psychic abilities, but statistically aliens are almost a certainty. The real question is: are they amongst us?

Am I flagged as a harmless nutter yet?

The solution is to kill everyone! Any one of you evil deceitful scum could be an alien robot skeleton wrapped in a biological shell and surrounded by a perception filter!!!!! Am I flagged as a harmful nutter yet?

Re:Taking it a step further

[The+Ickle+Jones]

Because that makes you stand out, too.

Not using Facebook and such just means that you're not a fucking idiot. Are people who aren't fucking idiots that rare, and would the NSA and friends actually say, "Wow! We've somehow determined that this specific person is not using Facebook! Get him!"?

Re:Taking it a step further

The GP didn't make the abandoning privacy argument. They made the very same argument you're making--which is to act innocuous in one capacity and do everything else in another. You didn't read very closely. You're talking past each other, despite agreeing with each other.

Re:Taking it a step further

I'm not so sure about psychic abilities

Nah, just ask Stephen King. Writing and reading is a form of telepathy.

Maybe not as "magic" as you expected, but it is just a matter of degree.

What may be commonplace and laughably simple to you, would be "magic" to a rabble serf X-thousand years ago
who saw your amazing, everyday abilities today.

In other words, sufficiently-advanced de-psychic abilities is indistinguishable from the lack of psychic abilities.

Or, psychic ability is in the eye of the beholder.

Put another way: all that is necessary for psychic abilities is to retard the observer.

Just because we are experts at "decoding" how such psychic abilities are done in many cases, does not mean
further abilities could not "evolve" that are trickier to discern what is going on.

Re:Taking it a step further

[Opportunist]

Since governments prefer fucking idiots since they're easier to control, I prefer them to see me as a fucking idiot.

Re:Taking it a step further

[operator_error]

This is an interesting premise, especially for I.T. workers. For everyone else, there's enough computer illiteracy and lack of access, (and apathy) that such a diversion isn't necessary. I think you can also draw a sort of curve, given to the age of people and what is expected of them in terms of computer literacy. That age curve also provides a relative form of plausible deniability. But IT workers are screwed in this way.

Re:Taking it a step further

[FuzzNugget]

Isn't it incredulously absurd that engaging in this spy-game double life nonsense has actually become a completely rational behavior?

Fer crissake I just wanna live my life with a reasonable expectation of privacy.

Re:Taking it a step further

[Opportunist]

Especially if you're an IT worker in the area of security. You needn't wonder if there is a file about you. There near certainly is. You're after all potentially dangerous, you know how "it" works.

Re:Taking it a step further

[Opportunist]

The price of privacy is eternal vigilance...

Economics

Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts.

The problem Snowden needs to realize is that the "hurt crime-fighting efforts" is a red herring. Politicians do it all the time (and, yea, the head of the FBI is more a politician than a law enforcement officer). The say "think of the children". They say "it'll kill jobs". They say "it'll increase teen pregnancy"--not as much as that or the "turn you gay".

The answer is to acknowledge their red herring for what it is. "Sure, it'll hurt crime-fighting efforts just like the FBI's quest against drug cartels and hit men hurts the economy and kills jobs. Because, you know, the FBI whose consistently shown to abuse any lax protection of one's privacy, even if to violate that privacy is to violate the law, is really concerned about 'hurt crime-fighting efforts'. If you believe that, I've got a bridge to sell you."

gpg

[mrflash818]

gpg, when you can.

To encrypt, but have the encrypted output be encoded as text (so can be put copy/paste into an email)
gpg --symmetric --cipher-algo AES256 --armor example.txt

(gpg will then ask for a passphrase, make it long, as random as possible, upper and lower case, a punctuation, and a number)

TO DECRYPT
gpg example.txt.gpg

Steve Gibson has a very cool Internet resource for helping people learn about password strength: https://www.grc.com/haystack.h...

Per the haystack page:

Example passphrase = search space size

64characters of hex = 4.13 x 10^99

63characters of hex, plus adding a punctuation symbol = 4.93 x 10^117

62characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126

Re:gpg

[tqk]

62characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126

Nice. However, the devil's in the details. We're often told that strength of the algo won't out anyone. Social engineering or stuff we haven't considered will, and the latter's complicated. My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?

If this's non-simple for a geek like me, how's my (late) mom going to handle it?

Re: gpg

Or just use SMIME. It's baked into most mail clients, even some flavors of PINE. It just transparently works and sends mail encrypted with your private key and your recipient's public key. The military uses it: I get mail from Navy friends signed with a DOD-issued cert, and we can communicate securely with no difficulty at all. I got my 70-year-old mother using it on her iPad, no problems. I'm astounded that it isn't more popular.

Re:gpg

[antdude]

Tell that to computer illiterates who don't know command lines. ;)

Re:gpg

[CronoCloud]

To encrypt, but have the encrypted output be encoded as text (so can be put copy/paste into an email)
gpg --symmetric --cipher-algo AES256 --armor example.txt

There's no need to go to the command line to encrypt an e-mail. Just use a proper e-mail client that supports GPG/MIME.

Re:gpg

[CronoCloud]

My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?

Via some quick googling:

Generate the revoke certificate (you can keep this stored until you need it)

  gpg --output revoke.asc --gen-revoke KEYID

Import the revoke certificate when you want to revoke the key.

gpg --import revoke.asc

Send the updated pubkey to the keyservers.

gpg --keyserver KEYSERVER_ADDRESS --send-keys KEYID

Re: gpg

[CronoCloud]

I get mail from Navy friends signed with a DOD-issued cert, and we can communicate securely with no difficulty at all. I got my 70-year-old mother using it on her iPad, no problems. I'm astounded that it isn't more popular.

The cert thing is the problem, because the cert is usually installed into the web browser and then you have to export it from there and then import into the client. Then thre is getting the pubkeys. S/MIME doesn't use keyservers so basically to send someone an encrypted mail, they have to send you a signed mail first.

Re:gpg

[CronoCloud]

You can use gpg without command lines. In fact I created my key using "GPA" (Gnu Privacy Assistant), because I couldn't get enough entropy on the command line for some reason.

Re:gpg

[CronoCloud]

I know it's bad form to reply to self...but you can do all of the above in a GUI like Seahorse too.

on phone, passphrase. on iCloud, not really encry

[raymorris]

On the device, the data that is encrypted uses a key derived from the password or pin. This is very similar to how you'd encrypt any local file. Anything you can still get to after forgetting your password and resetting it obviously was not encrypted with that forgotten password.

On their cloud, some things are technically encrypted, but the encryption isn't very effective. Anything you can access via their website or apps, including email and photos, they have access to. Email is a good example- their web site shows you the To, From, and Subject lines of the messages, so obviously their server has access to read the emails.

In general, encryption of live, working data on a server is _often_ largely security theatre. Sure, if a bad guy physically broke into the datacenter and walked out with the server, the encryption of the disk would make it hard for him to access the data. As long as the server is up and running, any data the server can access can also be accessed by a hacker with a presence on that server. In these cases, the key is for one of the server's disks, so it's generated by Apple and probably sitting on the same server where the data is. With tens of thousands of servers, you don't have human beings walking around typing in passwords, so the key needs to be on the server. If the hacker is in the server ...

The data is encrypted in transit via ssl/tls. For that time period, it's encrypted via tls/ ssl. First Apple's ssl key is used, then a per-connection key is generated.

Holes, where the data is not encrypted at all, and there is no key, occur at transition points. They web server takes the ssl encrypted data, decrypts it, and hands it off to the storage layer to be "encrypted" on disk. Quotes are on the disk encryption because as discussed above the encryption on disk is largely illusory. Similarly with the transition from your phone to the upload to the server. Your phone decrypts it with your key, encrypts it with the ssl key, and then sends it to the server.

Those transition points in which the data is unencrypted are vulnerable points which are targeted for attack. I've confirmed at least one case where I've seen the transition point on the server compromised. Fortunately, I _think_ I may the one who tapped the data and logged at it that point, for debugging and recovery purposes. I forgot to turn off the logging when we went into full production, I think.

can be subpoenaed for their data

[fustakrakich]

Um, so what was the encryption for again?

Re:can be subpoenaed for their data

Marketing, obviously.

Re:can be subpoenaed for their data

Mainly to make the authorities go through the front door, you know, as the constitution says they should.

They hate having to follow that old rag's commandments though.

Re:can be subpoenaed for their data

[The+Ickle+Jones]

You shouldn't be using phones that other people can control in the first place.

Re:can be subpoenaed for their data

[kualla]

Too bad any long-distance wireless frequencies are regulated and would result in breaking the law with very stiff fines and possible jail sentences. Plus you could be sued from the big telcos for interfering with their paid-for air-waves. Even HAM radio does not allow noise or encryption to be transmitted over the radio waves.

You can always use an encrypted VOIP service I suppose, but technically that is controlled as well, not to mention that the NSA is also developing/buying 0-day exploits so they can break into your computer/router/modem/etc and spy on you that way so even the encryption will not be secure... A bit tin-foil paranoia on that level, but not impossible as it is already being done here in the USA, and who knows how many other things that they are doing that the public is unaware of or how bad it will get into the future.

Re:can be subpoenaed for their data

[fustakrakich]

Mainly to make the authorities go through the front door...

Yeah, with one of these....

Believe me, until you elect people with a conscious that will appoint people with a conscious, your constitution isn't going to mean squat, just a little tidbit from the history books...

Re:Edward Snowden

[the_Bionic_lemming]

Thanks Ed!

Don't use a Tablet they're loaded with spyware

Take a typical Android Tablet from Samsung, comes loaded with DSMLawmo, which can remotely take control of everything on the tablet and do anything from intercept phone calls, take pictures, read files, send SMS's, it can even modify words in the dictionary.

It runs by default on all Samsungs newest tablets and it cannot be disabled.

The claimed use for it is as a helpdesk app, but people are reporting it consuming lots of processing power, and those people are not calling Samsung's helpdesk.

So don't touch an Android tablet (and quite likely Windows tablets are the same), riddled with Spyware.

Re:Don't use a Tablet they're loaded with spyware

The first thing you do on your typical Android tablet is to burn it and install your custom, privacy-enhanced ROM. It is easy and pays off.

Welcome to the world of the social

Keep your communications limited.
Only talk to people you need to talk to.
PGP, Encrypt, Key-pass, everything, I mean everything.
Hide it all from any networked service

Once a security hack that worked for his former employer, my take away from his recommendations are:
a. hide your cash in your mattress--then again cash has serial numbers (even bitcoin sort of...). Convert to gold.
b. put on your tin foil hat.
c. don't talk to anyone.

BUT what he's doesn't realize is... if you want to be apart of any society:
a. Communications is a 2 way street, I see you, you see me. There's no privacy, just trust. Big Data and the Internet just exposed what's been known by the affluent for what, 300 or so yrs.
b. "Security" in Snowden terms is a pipe dream, and stuff like PGP is nothing but security by obscurity [philosophically] via Math (it's a key no one knows...)--TRUST is the key factor in making communication work.
TRUST, TRUST, TRUST. If you don't have it the system WILL breakdown and no one's going to be happy.
c. what to be useful in society? talk to someone, anyone.

Just vote. And tell your congressman what you want. As for the non-US citizens voicing their opinion on here about how the US should handle their affairs, thank you and your opinions will be considered.

Every movie needs a PR angle--they obviously are playing the fiddle in TFA. Gotta love the Internet.

You know what stays on my mind?

Windsong.

REZA FARTED

whoa

this one is making the plants wilt and the wallpaper fall off the walls

maybe if she weighed less than 800 pounds she would have a healthier and less smelly diet

Re:gpg - rubbish maths

64characters of hex = 4.13 x 10^99

63characters of hex, plus adding a punctuation symbol = 4.93 x 10^117

62characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126

That is some very bad maths.

64 characters of hex is a much smaller (10+6+6)^64 search space.

And is one knows that at least one of the characters must be a punctuation character then that actually reduces the search space!

In general, forcing one or more of the characters to belong to some smaller character set (like punctuation) reduces the search space.

No Google

[Seumas]

"No Google" from the guy who does seemingly every interview over Google Hangouts (and, yet, supposedly, we remain absolutely clueless of his whereabouts - oh my!).

The simple fact is that there is no security and there is no privacy. At best, we can take what we think are the wisest and most conservative precautions, but once something leaves our head or our mouth, there is no guarantee. There are only protocols and services and mechanisms which we do not yet know are compromised. If the last two years have taught us anything, it's that anything we rely on probably *actually is* compromised.

Hell, even anything in our head isn't confirmed safe, anymore. Not in a world where we have observation systems that determine your intention by your gait or your facial expression or your body's thermal signature. Not in a world where we're just starting to be able to visually represent actual thoughts from a brain, onto a screen. And not in a world where conclusions are drawn from assumptions of your collective data where you have far less control over it -- from borrowed library books to your database of grocery purchases to your Amazon shopping history and Netflix viewing history.

Worse, I don't see any indication that any truly guaranteed modes of encryption and security and privacy would not simply be outlawed. It is amazingly simple to coerce the American people into accepting any desired infringement upon their rights. If they're not willing to give them up "just because", then tell them that it'll help us protect ISIL from cutting off your head in your living room or will help protect your children from getting Ebola at school. Maybe get a few religious leaders on-board to help spread the propaganda that it's the "Christian/whatever thing to do".

factually false

[raymorris]

The US does not have an extradition treaty with Saudi Arabia.
http://en.m.wikipedia.org/wiki...

The US treaty with Turkey is first limited to crimes which BOTH countries consider felonies. That requirement is on page 1.
Them there's another 20 pages of requirements for it to apply.

Re:factually false

I think Kim Dotcom and others would disagree on this, as he didn't commit any crimes in their native land.

Even though the treaty is dismissed, the precedent is there. because one can be shipped to another country for laws broken there, even though nothing is violated on native soil, it is even more imperative to watch one's privacy.

stupid

His advice is so stupid that I'm really beginning to wonder whether he is still working for the NSA. It's not only inconvenient, it actually puts you at a greater risk.

Computer security is really not that different from physical security: locking up everything from everybody is a lot of work, inconvenient, and expensive.

For most things, Google and Facebook are perfectly fine. Hysterical avoidance of them is not only inconvenient, but switching to supposedly more secure services will either make you appear suspicious, or you may simply be running into the open arms of some intelligence service that is using those services as a front.

Information you don't want to fall into the hands of criminals, you should encrypt; online storage may be fine for some if you are good about encryption and it's not that critical. For really critical information, use local USB drives or paper.

Is there information you don't want to fall into the hands of government? Yes, even if you are law-abiding. You want to avoid being a false positive on some witch hunt for terrorists or drug offenders, and you don't want to give corrupt prosecutors the ability to blackmail or pressure you into admitting things you didn't do. So, keep your Magic Pony gay porn collection off the Internet and encrypt it, keep your medical information on paper, and purchase your fertilizer and cold medication with cash when you can.

Re:stupid

[The+Ickle+Jones]

or you may simply be running into the open arms of some intelligence service that is using those services as a front.

Like Google and Facebook, which just give the government whatever they want, while sometimes putting on a show of fighting back but really accomplishing nothing? I'll take unknowns over knowns any day. Besides the government, both Google and Facebook are scummy companies that I want nothing to do with. I'm not going to hand my information over on a silver fucking platter to companies proven to be scumbags merely because there's a chance (however small) that the government controls every service in existence and everything is actually a honeypot. That's incredibly dumb.

Re:stupid

[g4sy]

Ok I don't know why I should believe AC's theory of hiding in plain sight vs. Edward Snowden (who is pretty vetted, and shown to be a smart cookie and trustworthy to boot). Further, he's not asking paranoid people only to avoid these services, he's using the time period when non-nerds around the world are shocked and horrified to encourage a move to better tools and more privacy. Perhaps even starting a move to federated and decentralized, multi-company, multi-platform communication tools. Think email, IRC, BBS and USEnet for the 21st century. And for everyone.

TL;DR: Hopefully using better, more "real internet" communications with encryption won't be a hallmark of people with things to hide, but all of us. It's about good citizenry.

Re:stupid

>His advice is so stupid that I'm really beginning to wonder whether he is still working for the NSA. It's not only inconvenient, it actually puts you at a greater risk. Computer security is really not that different from physical security: locking up everything from everybody is a lot of work, inconvenient, and expensive. For most things, Google and Facebook are perfectly fine. Hysterical avoidance of them is not only inconvenient, but switching to supposedly more secure services will either make you appear suspicious, or you may simply be running into the open arms of some intelligence service that is using those services as a front.

And this is why the battle is lost: the unremitting certainty of ignorance. This fucking idiot should do a little research before making silly statements like "Google and Facebook are perfectly fine." A good place to start might be with "Dragnet Nation," penned by WSJ journalist Julia Angwin. Her bottom-line advice is a heckuva lot like Snowden's: Google is actively amassing enormous amounts of data about its users. Absolutely fucking enormous. At one point, she requested Google's records of her search terms and, after some wrangling, received tens of thousands of (searchable, structurable) strings going back over a decade. She called it "a trip down Memory Lane." "Oh, here's where I was pregnant and was doing a lot of shopping for baby furniture & clothes. Oh, and here's back when I was planning to take a trip to the Middle East, when I was searching travel sites and sites about Islamic culture...." if even this sounds innocuous, imagine structuring all this information into an ontology of a knowledgebase, corroborating it with gmail messages, Android-phone geolocation data ("based on past data, we believe that this person is likely to be driving down Route 80 at about 6PM on Tuesdays and Thursdays"), call logs, and browser tracks. Even if you anonymize everything, as any forensics expert will tell you, your patterns will still identify you, even without such an enormous, highly detailed compilation of your personal data loaded into an inference engine. Google knows almost fucking everything about you -- and it can infer the rest. You can't stop this trend by eliminating Google, Facebook, and Twitter from your life. But you can at least slow it down.

Most disturbing trend: People under 30, who have grown up with the Internet, seem to me to give a lot less of a shit about this than do older folks. As a friend who emigrated from the Soviet Union once told me, it takes only one generation for despotism to become normalcy.

hardly new

[silfen]

People have always been suspicious of people who were different. And people have always had to keep some things secret from their neighbors.

Despite all the beating of chests, I think we are probably better off today than ever before. Many things people used to be able to blackmail you with (homosexuality, extramarital affairs, illegitimate children, bankruptcy, atheism, whatever), people don't give a f*ck about anymore. Furthermore, none of the NSA or CIA bullshit is new, but finally, people are finding out about it and getting upset. I expect these agencies will face more serious restrictions on their operations than ever in their history.

Yes, we need to be vigilant and take action. No, the sky isn't falling.

Encrypted Text App?

So, any tried and tested apps for iPhone?

How about all of them?

[antdude]

Everyone seems to be collecting data even /.. :(

Re:How about all of them?

Everyone seems to be collecting data even /.. :(

Data collecting is the new stamp collecting.

Standardize one-time pads

[poodlediagram]

Given the amount of data we can store on memory cards (now up to 512 GB), now would be a good time to standardize the one-time pad.

For example, Alice and Bob meet in person. They plug their credit-card-sized one-time pads into each other and exchange giga-Bytes of truely random numbers generated on-card. Then when Alice wishes to send Bob a message over an untrusted chanel (i.e. the internet), she adds a section of the random numbers to her message (modulo 256). Bob then decrypts with his matching set of numbers.

The used numbers are then deleted on both Alice and Bob's cards.

A single meeting between A & B would be enough to encrypt every text message they send for ever after. All that is needed is an international set of standards for doing this and the associated hardware. For example, you could take your OTPad to your bank and plug in into a socket and exchange random numbers, and use them for secure banking at home. No CA's required.

This is future-proof and unhackable (assuming A & B's computers are not compromised).

You could even exchange the random numbers over an untrusted chanel. Just make sure there's a huge number. If everyone does this, it would overwhelm the storage capacity of the NSA and friends.

Re:Standardize one-time pads

You also need to put some precautions around your friend being compromised. Note that this scheme only raises the bar for one particular problem. So, you have multiple OTPs on a card and encrypt each separately. When you communicate, you use the current (unlocked) OTP. At the end of the conversation, using the tail-end of that pad, you send them the key to unlock the next pad. Now, this avoids relying on any encryption less secure for communication (which would compromise the security of the OTP scheme if you SENT the pad over an imperfectly secure channel using said encryption).You still need to exchange the pads in person. Even if they somehow get the key to the next pad, they still have to get the encrypted form of the pad as well. Where you would store that key (to unlock the next pad) until you need to chat again is another problem...

Maybe I'll whip something up over the next week. Off to the computer mines I go.

No Google

It's trivially easy.

Oh hell ya

[AndyKron]

Of hell ya he's a hero, and fuck the government for not saying so. Come to think of it, just fuck the government in general because it's generally fucked up. Thanks for voting!

Is this where they dangle a puppet?

[HnT]

Is this where "the man" dangles a puppet in front of your eyes so you forget about everything else? Say I never used facebook, dropbox and google and steer clear. Now "they" only have phones, credit cards, bank statements, anything I get shipped, plane stubs, hotel reservations, car license plates, cell- and/or smartphones and a bazillion other things to know exactly what I ate last Tuesday and to violate my privacy which, judging by the attention wh**ing online, nobody cares all that much about anyway it seems.

Re:Is this where they dangle a puppet?

[Spectra72]

Spot on. Social apps are the least of the problems.

Add in databases of criminal records, medical records, etc, etc.

As people are wont to say about the TSA, dropping out of social media is just security theater.

Re: Is this counting Apple's new encryption scheme

[Applehu+Akbar]

US extradition treaties only cover actions that are crimes in both countries, which means that the only crimes you could be extradited to Saudi and beheaded for are drug offenses.

The matrix has you

[markus.neifer]

Like it or not, there's no escape. We've chosen this way.

Not that tough

[jader3rd]

Given that I don't use two of those services, and occasionally use the other, that advice is not that tough.

Use 12 reputable security community sources

That supply custom hosts file data: My FREE hosts program adds speed, security, reliability, & more, by doing more, more efficiently vs. addons + fixes DNS' issues:

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o...

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default http://techcrunch.com/2013/07/... )
2.) Ghostery (Advertiser owned) - "Fox guards henhouse" http://en.wikipedia.org/wiki/G...
3.) Request Policy -> http://yro.slashdot.org/commen...

B.) Hosts add reliability vs. downed/redirected dns (& overcome site redirects e.g. /. beta).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... w/ less "moving parts" complexity

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs DGA, & Fastflux + dynDNS botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in messagepassing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray's destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption + excessive cpu use too (4++gb extra in FireFox https://blog.mozilla.org/nneth...)

Instead, work w/ a native kernelmode part - hosts (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

Ask yourselves these questions... apk

Can adblock do these 15 things hosts files can for more speed, security, reliability, & more:

1.) Secure you vs. known malicious sites/servers (beyond malicious adbanners - see 2 thru 6 below next)
2.) Secure you vs. downed DNS servers aiding reliability
3.) Secure you vs. DNS redirect poisoned dns servers
4.) Protect you vs. fastflux using botnet attacks and stop their communications back to their C&C servers
5.) Protect you vs. dynamic dns using botnet attacks and stop their communications back to their C&C servers
6.) Protect you vs. domain generation algorithm using botnet attacks and stop their communications back to their C&C servers
7.) Speed you up for websurfing not only by adblocking but also hardcoding favorite sites
8.) Get you past a dnsbl you may not agree with
9.) Keep you off dns request logs
10.) Do all of those things and block ads (better than adblock) more efficiently in cpu cycles and memory usage
11.) Work on ANY webbound application (think stand-alone email programs, for example).
12.) Give you direct, easily notepad/texteditor controlled data for all of the above
13.) Block out trackers
14.) Block spam mails sources
15.) Block phishing mails sources

"?"

* Simple YES or NO answers will do for repliers to this - that's all.

APK

P.S.=> The ANSWER ="NO" to each enumerated item above as far as "Almost ALL Ads Blocked" (crippled by default & 'souled-out' defeating it's very base purpose) is concerned -> http://techcrunch.com/2013/07/...

So, *IF* you feel like doing things LESS efficiently as well -> https://blog.mozilla.org/nneth... ontop of doing less than hosts do (by far) with more complexity + from a slower mode of operations (usermode with more messagepassing overheads vs. hosts in kernelmode, also starting up w/ the IP stack itself, before REDUNDANT inefficient addons even BEGIN to operate, & as the 1st resolver queried by the OS as well)?

That'd be illogical: I can lead a horse to water, but I can't make them drink!

... apk

Addendum: True story, AdBlock vs. Hosts

W. Palant wrote me by email 1st saying "hosts are a shitty solution" to which I replied:

"Show us adblock can do more for added speed, security, reliability, & anonymity than hosts can, + that adblock does it more efficiently than hosts"

Which on my latter 'point-in-challenge' on efficiency AdBlock's proven by research to be MASSIVELY inefficient -> https://blog.mozilla.org/nneth... & adblock does FAR less than hosts (especially crippled by default).

I sent Wladimir Palant that challenge in response to his statement from 2 different email addresses I use!

Result = Still no answer from him in regard to my challenge put to him to this very day MONTHS later - that tell you anything? It did me!

He knows his addon is less efficient & features laden by FAR vs. hosts - Wladimir Palant RAN like a scared rabbit!

ClarityRay's also DESTROYING AdBlock - via native browser methods to DUMP what addons you use (it can't DO THAT to hosts files).

I only tell it how it is on hosts' superiority vs. AdBlock - Funny part is, Wladimir Palant running does too!

Especially considering "Almost ALL Ads Blocked" has 'souled-out' -> Google And Others Reportedly Pay Adblock Plus To Show You Ads Anyway: http://news.slashdot.org/comme...

APK

P.S.=> Bottom-Line: Hosts = a superior solution that also fixes DNS redirect security issues (vs. browser addons & their inefficiencies + messagepassing overheads as well as myriad lack of abilities hosts have from 1 file that's part of the IP stack itself - faster, more efficient, & less redundant as well, since TCP/IP has 45++ yrs. of refinement & optimization in it, & runs in a higher CPU serviced ring of privelege & operations in kernelmode vs. slower usermode layering over browsers slowing them more, & hosts = 1st resolver queried by the OS itself also)... apk

Re:Addendum: True story, AdBlock vs. Hosts

On an offtopic tangent, how's the other hobbies? It's not really the season for gardening, but do you keep busy during the fall/winter?

No Google

[tom229]

Living without [a google account] is certainly possible. I've been doing it for years. I would agree that "app" developers seem obsessed with publishing their offerings through a single medium, that takes 30%, and requires their users to buy into the google/apple ecosystem. However, I blame this on the typical "app" developer being a mindless dullard, addicted to the status quo. The entire IT spectrum has been infested with these types of late. It's been frustrating.

New Zealand has treaty, money laundering, racketee

[raymorris]

New Zealand does have an extradition treaty with the US, and recognizes money laundering and racketeering as felonies.
The precise opposite set of facts vs GGP's imagination.

Re: Is this counting Apple's new encryption scheme

[bigfinger76]

I don't think committing the crime in the US is grounds for extradition.

Free is not free

[theshowmecanuck]

People use Gmail because it is generally reliable, they abstract them from whatever ISP they may have at the moment, and appear to be free. But mostly because they appear to be free, because the other two can be had elsewhere. But we all know it isn't free. They have your data. I personally don't believe they don't mine your data. The cost is your personal information not really being personal. But cash money is a powerful thing. And with new job creation tending towards "would you like fries with that," saving cash is more important to most than saving privacy.

Redphone, Silent Circle? Perfect targets

Seriously, these are two massive choke points. Easy to focus on and intercept. If you think using these makes you secure, lol, you lose.

Warrants?

We don't need no stinkin' warrants!

AdBlock = Souled-Out + Inferior

My FREE hosts program adds speed, security, reliability, & more, by doing more, more efficiently vs. addons + fixes DNS' issues:

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o...

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default http://techcrunch.com/2013/07/... )
2.) Ghostery (Advertiser owned) - "Fox guards henhouse" http://en.wikipedia.org/wiki/G...
3.) Request Policy -> http://yro.slashdot.org/commen...

B.) Hosts add reliability vs. downed/redirected dns (& overcome site redirects e.g. /. beta).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... w/ less "moving parts" complexity

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs DGA, & Fastflux + dynDNS botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in messagepassing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray's destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption + excessive cpu use too (4++gb extra in FireFox https://blog.mozilla.org/nneth...)

Instead, work w/ a native kernelmode part - hosts (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

Ask yourselves these questions... apk

Can adblock do these 15 things hosts files can for more speed, security, reliability, & more:

1.) Secure you vs. known malicious sites/servers (beyond malicious adbanners - see 2 thru 6 below next)
2.) Secure you vs. downed DNS servers aiding reliability
3.) Secure you vs. DNS redirect poisoned dns servers
4.) Protect you vs. fastflux using botnet attacks and stop their communications back to their C&C servers
5.) Protect you vs. dynamic dns using botnet attacks and stop their communications back to their C&C servers
6.) Protect you vs. domain generation algorithm using botnet attacks and stop their communications back to their C&C servers
7.) Speed you up for websurfing not only by adblocking but also hardcoding favorite sites
8.) Get you past a dnsbl you may not agree with
9.) Keep you off dns request logs
10.) Do all of those things and block ads (better than adblock) more efficiently in cpu cycles and memory usage
11.) Work on ANY webbound application (think stand-alone email programs, for example).
12.) Give you direct, easily notepad/texteditor controlled data for all of the above
13.) Block out trackers
14.) Block spam mails sources
15.) Block phishing mails sources

"?"

* Simple YES or NO answers will do for repliers to this - that's all.

APK

P.S.=> The ANSWER ="NO" to each enumerated item above as far as "Almost ALL Ads Blocked" (crippled by default & 'souled-out' defeating it's very base purpose) is concerned -> http://techcrunch.com/2013/07/...

So, *IF* you feel like doing things LESS efficiently as well -> https://blog.mozilla.org/nneth... ontop of doing less than hosts do (by far) with more complexity + from a slower mode of operations (usermode with more messagepassing overheads vs. hosts in kernelmode, also starting up w/ the IP stack itself, before REDUNDANT inefficient addons even BEGIN to operate, & as the 1st resolver queried by the OS as well)?

That'd be illogical: I can lead a horse to water, but I can't make them drink!

... apk

Addendum: True story, AdBlock vs. Hosts

W. Palant wrote me by email 1st saying "hosts are a shitty solution" to which I replied:

"Show us adblock can do more for added speed, security, reliability, & anonymity than hosts can, + that adblock does it more efficiently than hosts"

Which on my latter 'point-in-challenge' on efficiency AdBlock's proven by research to be MASSIVELY inefficient -> https://blog.mozilla.org/nneth... & adblock does FAR less than hosts (especially crippled by default).

I sent Wladimir Palant that challenge in response to his statement from 2 different email addresses I use!

Result = Still no answer from him in regard to my challenge put to him to this very day MONTHS later - that tell you anything? It did me!

He knows his addon is less efficient & features laden by FAR vs. hosts - Wladimir Palant RAN like a scared rabbit!

ClarityRay's also DESTROYING AdBlock - via native browser methods to DUMP what addons you use (it can't DO THAT to hosts files).

I only tell it how it is on hosts' superiority vs. AdBlock - Funny part is, Wladimir Palant running does too!

Especially considering "Almost ALL Ads Blocked" has 'souled-out' -> Google And Others Reportedly Pay Adblock Plus To Show You Ads Anyway: http://news.slashdot.org/comme...

APK

P.S.=> Bottom-Line: Hosts = a superior solution that also fixes DNS redirect security issues (vs. browser addons & their inefficiencies + messagepassing overheads as well as myriad lack of abilities hosts have from 1 file that's part of the IP stack itself - faster, more efficient, & less redundant as well, since TCP/IP has 45++ yrs. of refinement & optimization in it, & runs in a higher CPU serviced ring of privelege & operations in kernelmode vs. slower usermode layering over browsers slowing them more, & hosts = 1st resolver queried by the OS itself also)... apk

Putin == Snowboy

Subject says it all. You want to listen to enemies of our country trying to take Russia back to the Soviet Union? Be my guest.

Standardize one-time pads

[AHuxley]

The problem is text is decrypted back to plain text looking for advertising on the free email services after they offer their free new https all the way.
The message is then seen as classic random numbers and is then flagged at some stage as using encryption and further sorting by gov/mil.
The gov/mil does not care what is in your message but the slightest hint that any person is using crpyto like numbers or letters in bulk would ensure any ip, user, isp is noted.
That message glows.
Expect 3-4 level of hops to all other communications to be looked at retroactively and users listed for future tracking. Friends of friends going back. "Collect it all" gets it all and can then be given a sorting task.
The good news is the one time pad works. The fun part is getting the format to look very normal and be machine readable for advertizing.
The bad news is random numbers stand out, the path of the message stands out and will ensure a lot of interest from gov/mil with global reach and years of storage.

I like spying

Cybercriminals and terrorists are bad guys. I want 'the gummit' to find them. The question for me is, is it better for law enforcement to find them, or to hide the fact that I've been searching online for viagra?

I choose the former. They are welcome to my data, if having access will help them dig these shit fucking assholes (who make my online or rw experience so fucking dangerous) out of the mud they live in.