Flash?
Being a Linux user I would guess that the biggest security risk on my PC would be Adobe's Flash.
Has the NSA the ability to switch my microphone and web-cam?
Whatever the answer ,the sooner Flash is retired the better.
Revelations of US spooks monitoring the internet have freaked out consumers so much that privacy protection software will be The Next Big Thing. That's according to antivirus firm AVG, which reckons the market for products that safeguard online freedoms will be huge. Siobhan MacDermott, chief policy officer at the company, …
I wouldn't trust any software 'off' switch.
Considering the debate and fears over privacy now, it won't be too long before we see laptops with slidable caps over the camera and an hard 'off' switch for any mics.
In the mean time, blue tack of sticking plaster if you're doing anything in front of the computer you'd rather not have recorded.
Lynx is available from a repository if needed.
It can come handy, if you need to browse a website or configuration page from some lightweight system without GUI.
No need to bundle unneeded packages with the distribution, if anything you need can be installed easily on a whim.
Say, you still use a proprietary OS?
Eh, read this...
And then have a look under the hood of the thingy your o/s is running on...
And to which your webcam and microphone and ethernet or wi-fi and every other darn thing that can be classified as hardware is connected.
Who the heck knows what those circuits are doing with your bits?!
(And don't give me the whole, you need device drivers for all the devices... well, that's true, but the spooks just need the bits, they can figure out what device drivers to use later, when you've gone and blown something up for instance.)
PRISM is just the tip of the iceberg.
I think she may be right - but it needs to be seamless. Install and forget and all communications are automatically encrypted. And given the lack of trust for the suppliers in the middle, it'll need to be encrypted between the end-users, so the servers in the middle only ever see/store encrypted traffic (bar the routing info perhaps, and even that can hopefully be obfuscated?) - and if everything is encrypted the NSA/GCHQ will be storing an awful lot of traffic.
When will Gmail incorporate automatic PGP?
When will Gmail incorporate automatic PGP?
Hushmail touts PGP encrypted mail as one of its big benefits. Unfortunately, the private keys are held server side, and as a result they can pretty much decrypt whatever the hell they wanted and indeed did: http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy
I'm not aware of a javascript based system that would let you do client-side encryption of webmail, yet, and that's what would probably be needed for GMail to run PGP in a way that actually stopped the likes of the NSA having free reign of your private keys. Now if Google added PGP/GPG support to their standard Android mail clients and let you set up a key pair as part of the Google account registration system, that would be rather different and much more interesting. I'm not holding my breath though.
Even with Javascript decryption, you'd have to trust the site providing it. Who's to say that the JS decryption code isn't secretly sending your keystrokes back to Gmail.com? For that matter, you can't trust the browser makers either - and if the spooks can corrupt Microsoft, Google, and Apple, then most likely they can corrupt the Mozilla foundation too. Technical solutions aren't the answer - only legal solutions.
Even with Javascript decryption, you'd have to trust the site providing it
I did think about this. Ultimately, it is possible to examine the behaviour of software running on your own machines and tranmissions over your own networks. Covert channels can be very stealthy indeed, so you can never be 100% certain, but you can go a long way by logging what the javascript (or whatever) client is trying to send.
I'd prefer to be running my own client software, but even the javascript approach is more useful than Hushmail's.
Technical solutions aren't the answer - only legal solutions
Legal solutions generally have legal workarounds, especially when it comes to issues of national security which often grants those working around the problem with legal immunity of various kinds, and gagging orders. The best you can hope for is a decent audit trail and responsible oversight, which ultimately boils down to a matter of how much you trust Google (or whatever other service provider) and your local friendly security services, vs how much you trust the implementation of GPG in your mail client.
In the spirit of "trust, but verify", I'd lean towards the latter because I can take some minimal steps to ensure it isn't misbehaving. Bit hard to do that with big corporation and government agencies in your own country, let alone foreign ones.
Only partially effective, unless you want to verify every time the code comes down. Javascript can be altered easily. Sending every user a 'null operation' script would get notice, but they could easily target it at anyone the NSA's algorithm considers suspicious.
To be any good, encryption needs to run at the client end. What we really need to see is integration into something like Thunderbird.
Not that it matters. People don't actually email that much any more: The masses just communicate through facebook messages.
"When will Gmail incorporate automatic PGP?"
PGP encrypts the email for transmission through the interwebs. That doesn't stop the NSA snooping if they have a backdoor into Google (which they apparently do, despite official denials which Google is required to make under the law). They can just see your message before it is encrypted.
However, you can use gmail via an IMAP or POP client like Thunderbird. I have GPG installed on that and can send encrypted messages to recipients that even Google cannot read, because they're encrypted on my machine. Only down side is cannot read them via the Google web interface.
I suspect the next NSA scandal is going to be backdoors build into all manner of software and not just OSs. Basically if you have anything compiled and produced by a US corporation on your machine, the NSA can (it appears) force them to compromise it. Having access to the device allows them not only to view all communications coming in/out without encryption, it also lets them read anything you have stored locally, and operate your camera and mic. Pretty scary considering we're all carrying around phones with OS from Google, Apple or MS on them.
"When will Gmail incorporate automatic PGP?"
What would be the point? The 'security' services are generally more interested in who you are talking to rather than what you are actually saying. Though obviously if you are sending lots of encrypted emails then they will probably flag you up for further investigation and try to find out what you are talking about.
But if it was the accepted default. "Everything everyone does, send, recieve, create, read, is encrypted end to end."
Then it's not suspicious is it?
So if we all start using proxies, vpn, PGP, truecrypt, then it's no longer something unusual.
Why shouldnt the best available encryption and privacy be the expected default on for everything?
Not just to avoid Government agency snooping, but also criminal and insider attacks?
The security expert was astonished by the reaction to the scandal of the web-snooping NSA PRISM project, which left consumers feeling "violated".
Apart from a few Daily Mail types, the average consumer's reaction appears to have been resounding apathy, either because they don't understand, or they don't think it applies to them.
"In Europe, people remember a time when you could be killed for having the wrong political beliefs or religion. The people who run Facebook and other big social media companies don't have that baggage, so privacy can be something of an abstract concept to them in a way it isn't in Germany, for instance, with memories of the Stazi and Nazis."
In many places, you can STILL be killed for having the wrong political beliefs or religion. A good enough reason on its own for having a bit of privacy when using the net in whatever form.
The comment about Facebook and privacy issues being a tad abstract compared to those who had clearer memories of the Nazis is strange, given that Mark Zuckerberg is Jewish. Not many people have a clearer memory of the Nazis than the average Jew. Not being snarky, by the way - I'm Jewish, too.
Yeah, but the original point was that US companies like Facebook, et al don't see privacy as much of a concern as certain European countries as they have never grown up under a Communist/Fascist government, as many Germans, Poles, Spaniards, etc did.
Are you saying Zuckerberg being Jewish means he does know what that is like? Or are you just living vicariously through the suffering of your ancestors, in which case we can all do that.
<---- Irish
Not quite comparable to Nazi Germany or Poland under Stalin, but whatever....
It should be mentioned, that Hitler was democratically elected in a real and functioning democracy. He first became chancellor, then bullied the parliament into granting him more and more power, but it was only when the president died, that he made his final grasp for power and became "president and chancellor" in one person. Up to that moment pre-war Germany was still a democracy.
So no, I don't agree. It is quite comparable, what happens here. democracies are very fragile things that need a proper balance of power between government and people. Secret courts, a unseen external threat, a all seeing spy network that is out of control - that is the stuff dictatorships are born from.
OK, I agree that Obama is not Hitler. He will not misuse this power. But there will be another president after him. What about that guy?
This post has been deleted by its author
I already mentioned Cryptonomicon tangentially in another post, but anyway: one of the most profound ideas there is that to prevent a future Holocaust one needs to educate potential victims, not potential perpetrators. And privacy seemed to be a pretty important means to that goal. I wonder why?
Where this really makes sense in on smart phones. Many Android apps require a list of permissions, that if abused could easily reveal personal information. Facebook, for eg activates your GPS. Now, I, for one would love to be able to disable this!
Predictably, someone (me) is going to say custom ROM's are blazing a trail here.
Cyanogenmod has granular permission toggles, but even better the recent builds have Privacy Guard, which enables spoof empty contact , calls and message databases that can be enabled for individual apps, and set as default for new apps.
Obviously not everyone can have this, most are tied to the OS the phone came with.
Cyanogenmod has granular permission toggles, but even better the recent builds have Privacy Guard, which enables spoof empty contact...
Woah, seriously? That's a feature I've been waiting for in Android for years. My next Android device will definitely be a Cyanogen-compatible one.
The only problem I have with all these custom ROMs, is that you have to trust them, that there isn't any trojan already sending all the sensitive data back to the base.
Google should incorporate these features in their codebase, but I doubt they ever will.
Wait, let me get this straight - you wouldn't trust a "custom ROM" (which is basically a recompiled version of a somewhat further developed open source Android codebase) to behave, but if a ROM offered as a binary blob directly by Google (and / or one of its partners) would include those features, you'd be ready to trust it...? Yeah, sounds legit...
Ironically the new Huawei Ascend P6 has this functionality out of the box. Of course, it being a Huawei, it is questionable what kind of backdoors, etc are build in, as well.
On the other hand, it might give some pressure on other makers to also include such kind of functionality.
Given how Microsoft put back doors into Outlook for the NSA to access a users stuff (according to Snowden), why would anyone trust a system with MS OS on it under any circumstances?
Given that MS dispute this and claim that the Grauniad has misreported what Snowden said - and is allegedly going to court for the right to tell people what information they've given NSA as reported here on the Reg - while Google (for example) aren't denying anything.... why the hell would anybody choose Android or ChromeOS for anything?
But nice try, Eadon.
That so many companies still transmit commercially sensitive information, unencrypted. For some reason, a "Need to transmit commercially sensitive information? Here's my public key," in the signature of an email, is extremely rare.
Because it is so rare, BTW, I assume any evidence of encryption will be flagged by organisations like the NSA and GCHQ.
I think she's right, I think there will be a surge in demand for simple seamless encryption products, whether it's the next Big Thing, not sure, but I reckon it'll be significant. The only gripe I have with it is surely any U.S company and many Western software security companies will simply be pressured (one way or another) into releasing algorithms or making some sort of backdoor for 'national security' requests anyway. If it were too difficult to break and became popular, they'd then just make it illegal, surely.
I'm not expert on this sort of thing, maybe someone can enlighten me?
But it would defeat the object wouldn't it?
any U.S company and many Western software security companies will simply be pressured (one way or another) into releasing algorithms or making some sort of backdoor for 'national security' requests
Adding a backdoor that's untraceable by cryptanalysts is a tricky job. Creating a cryptographic algorithm that actually works well is also pretty hard, that's why most folk use standard ones like AES. AES may be an NSA approved standard, but ultimately it has seen some serious investigation and appears to be sound. Remember that vulnerable encryption is bad news for big western businesses, and they're the ones who keep the political parties propped up. If nothing else, it'll be quite hard to stop end-users making use of their own cryptographic software.
No, instead you'll see other means for the security services to get the information they need. In the UK at least they'll just lock you up if you don't hand over your encryption keys. The Fifth Amendment appears to protect US folk for now, but I wonder if all it would take is a bomber using encrypted email or files to give police additional powers if they suspected terrorist activity?
This may turn into a big market indeed. Maybe short-living as well. As any snake oil promotion.
It seems to me that any such solution will lie between useless and impractical.
1. A gazillion privacy/encryption providers with different offerings will mean hardly anyone will be able to talk to anyone else. Even 2 or 3 is too much. So, will they all need to agree on an (open) standard?
2. 99% of one's likely correspondents probably have problems attaching a file or copy/pasting stuff to emails - I doubt any encryption software, even install and forget one, will be practical unless you only talk with geeks. Most people wipe lots of stuff from their disks often (due to virus infestations, negligence, whatever), which will necessitate re-generation of security keys, etc. NB: encryption must be done on the client side, cannot be done by Google on their servers.
3. Assume a known encryption scheme, e.g., something like public/private key pairs. How would keys be exchanged by laymen? Will public keys be sent by email? Each time they are regenerated (see above)?
4. Who are the companies offering privacy solutions? Are they American? British? European? Russian? Ah, registered in the Sultanate of Kinakuta! Thought so.[*]
5. Your metadata will not be hidden - email needs to be routed somehow. That is arguably more important than content.
6. VPNs, Tor, etc. won't help much, either - they do nothing to application-specific metadata, such as your account name. So you connect to GMail using an obfuscated IP address, but you log in as so-and-so, and Google know. [If your address is identified as Tor your location may be deemed as foreign by the NSA with a higher probability - happy?] Then you send an email to me at Yahoo! - that is also known to both Google and Yahoo!. Then I use Tor and hide my IP address, but what has really been achieved in terms of hiding our communication? It's become a bit more difficult to figure out we talk, but not by very much, IMHO. And it's still beyond the technical capabilities of most people. And even for you and me - shall we create new online identities using Tor and never, ever, ever do anything without Tor or with our existing accounts, emails, etc., again?
[*] Reaching to my copy of Cryptonomicon on the top shelf. They seemed to have a solution based on a particular legal regime in a country that was independently wealthy. Yes, on the top shelf - who mentioned Kindle?
The solution isn't a technical one, in the long term. It needs to be addressed via the democratic process, assuming there still is one, or by (dare I say it) revolution otherwise.
In the interim the best you can do is little more than a futile exercise in risk reduction, which is basically just a placebo. Running Free Software helps. A lot. And I mean everything, from the OS itself, the networking stack, encryption and other security tools, to your own personal "Cloud" (hosted at home, naturally, and hidden behind an ssh tunnel on a closed, non-standard, high port that you open by knocking).
Will that help? A bit, but then you need to be clear about your objective, which should be determined by threat analysis. To me, the biggest threat is Western (primarily US) corporations and their political lackeys, so whatever measures I take need to focus on protecting myself from that threat, and not have the delusional objective of being totally anonymous and secure against all possible threats.
That means moving the end point of my communications outside Western jurisdictions (using VPN), into territories considered "hostile" by those corporations and governments (i.e. the enemy of my enemy is my friend). I don't care (and moreover can't afford to care) that some Russian/Chinese data centre operator is able to monitor my online activities - neither he nor his country is the threat, my own country is, and it's not like he can do anything to me with that information anyway (OK, maybe identity theft and bank fraud, if I'm not paying attention). I don't have privacy, anonymity and security from the whole world, but I do have it from the thing that actually threatens my freedom - my own jurisdiction. Hopefully.
Although it's debatable if any Western-hostile territories exist any more, given that most of them have been annexed by the US, by force or otherwise. For now I use Russia, which is really just a Western "ally" in name only, but in practice is a fairly safe harbour. China might also be an option, if it had anything resembling a reliable Internet service (I do have a proxy there, but it's basically useless). China also suffers the problem of censorship, but then so does the West (DMCA, EUCD, etc.), so that's not really a determining factor.
What else could I do?
Short of giving up on the Internet completely, and probably giving up on computing in the process, not much.
I doubt this issue is going to spawn a new huge market, but it could well get enough interest to substantially increase the sales of security companies, which is presumably what this AVG spin is all about.
But then you have to trust AVG, or whoever you go with. So now they're no. 1 target for NSA infiltration. Ultimately, I don't see the proper solution being reached by going down that route unless the security firms can find some sort of distributed trust system that doesn't give them any privilege. But that's probably incompatible with the profit motive. So I'm inclined to think FOSS is pretty much essential here. Too bad that generally fails so badly on ease-of-use.
Even with end-to-end encryption - if it can be made practical for the novice - metadata and traffic analysis is still way too powerful to be ignored. Unfortunately, the options here are pretty limited. Re-mailers, VPNs and the like all place trust in those providing the service. Various dark nets have addressed the issue in a distributed manner but nothing of much practical use seems to have emerged. Tor is perhaps a borderline exception, but I don't think it handles most messaging requirements too well (not even email). Also, the fact it hasn't already been shut down makes me think the security services aren't too much troubled by it.
Possibly that might change if Tor were to become large enough that it's impossible to observe enough of it to draw conclusions, but that's unlikely to happen as, being FOSS, ease-of-use isn't exactly high. Possibly if someone were to market a small Tor appliance that would plug into a home router, though, that might make a difference to take-up.
But on the whole, I'm not optimistic that this whole snooping issue will lead to anything more than a whole lot more bloat in existing security suites.
I totally agree with you. Any solution will have to Open Source by nature, so that multiple eyes can guarantee the absence of any backdoor, given that government guarantees in this domain are totally not credible (hey NSA, remember that little thing called the Constitution ?).
It will also have to be idiot-proof, which is a major stumbling block right there. Finally, all operators will have to agree to use it, which will mean setting aside their own solution - and that will be another major issue.
Since AVG has brought this issue to light after having purchased a company dealing in securing privacy, it seems obvious that this is a ploy to trumpet their own horn and it will be that more difficult for them to abandon the investment and adopt an Open Source solution.
So, right from the start this whole issue seems practically moot already.
Although I do agree that privacy is going to become a more important concern than it is now, but given that it's level of concern is currently nil (otherwise Facebook, Google and the US government would be facing quite stiffer resistence), that doesn't seem to mean much.
This post has been deleted by its author