So when
will El Reg switch to HTTPS then?
If you want to limit how much governments and companies know about you and your private life, then use Tor, download specific apps and plug-ins, encrypt your hard drive, and use a password manager. Those are among the tips provided by NSA whistleblower Edward Snowden in an interview with "digital bodyguard" Micah Lee. The …
There's no excuse not to. It can even be free: letsencrypt.org
I would agree that it would be nice if it was at least made available. It's not difficult or expensive to set up.
There is, however, a cost involved. Every request made over HTTPS puts a greater load on the web server. Depending on the traffic, content and method of generation this could be negligible, or it could be expensive.
Is it really that important for a news site to be on HTTPS? Does anyone post sensitive information here?
To go back to the article, it's up to everyone to weigh up their own risks level and take appropriate action.
Is it really that important for a news site to be on HTTPS? Does anyone post sensitive information here?
Probably not, but they could post things via HTTPS that they won't if their employer can read them. I know I'm a lot more vague when posting anything that my employer could misconstrue as being related to them, and that probably applies to a lot of commentards in significantly more interesting roles than mine.
Also, shouldn't what was/is/wants to be one of the premier tech news sites on the web be demonstrating something just a little closer to best practice?
pretty pointless when your work uses man in the middle on the proxy server.
I agree, but my workplace doesn't, or if they do it is well hidden and doesn't show in the certificate path. I asked about that very issue on this site a few months back and verified as best I could that we don't have one.
I post sensitive information here, as frankly I've lost any privacy long before now. There is a "chilling effect" even for lost boys like me though knowing everything I post here is inevitably on my 'permanent record'. For example, on the Spanish Granny Kinder Egg story I was about to joke about wanting to smuggle drugs into prison if I could buy any drugs on the outside except from my drug-dealer 'complainant', but I realised that comment would be an invitation for an anal probe. Aw fuck it, I'm long overdue a prostate exam anyway.
Anon Cow status via Tor on security stories here is my best advice unless you are cheer-leading for the state, it is awfully embarrassing that El Reg isn't yet HTTPSed up with its own secure drop box.
"...erm, you do when creating an account and logging in...
usually in the form of an email address..."
Who uses their real email address for things like this? That's what services like Mailinator are for.
So when will El Reg switch to HTTPS?
.. and stop using Gmail? (also mentioned time and time again)
~$ dig +short theregister.co.uk mx
10 aspmx4.googlemail.com.
10 aspmx3.googlemail.com.
10 aspmx2.googlemail.com.
5 alt2.aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
1 aspmx.l.google.com.
10 aspmx5.googlemail.com.
Having said that, this Snowden guide only works for geeks, and leaves out a couple of important things like "consider avoiding countries where agencies and law enforcement have powers without accountability". As long as we address symptoms rather than causes there will be no end to an arms race which you are funding yourself through your taxes.
"the man had deleted all of his Facebook data. A huge pain and shame"
Indeed, the shame being he should have deleted it himself!
Even if keeping on FB then please delete and create a new profile with a new disposable email every year or so. It limits what FB can easily gather on you and evidence of past indiscretions, and a perfect excuse to dump those "friends" who are sufficiently important not to appear to single out for un-friending, but that you really did not want watching your every post.
Edited to add: And don't give FB your email log-in password or mobile number, mkay?
Seriously? Why the HELL would I want to carry a second phone just for 2FA when it could be done much better with an app on the phone?? The reason they want to do it via text message is very simple - Facebook and Google aren't doing this for security, they're doing this to grab more of your personal information.
The Wileyfox Swift also allows you to deactivate an installed sim, so you don’t need to drain your battery keeping two mobile networks active.
On a side note, if you have a dual sim with both sims active, different networks, would that improve accuracy of location by triangulation methods?
In Britain it probably wouldn't do much to improve triangulation accuracy given the pressure on networks to co-locate their transmitter/receivers. But for those with the power to demand information from all networks, it would improve their confidence that both SIMs relate to the same person.
"Seriously? Why the HELL would I want to carry a second phone just for 2FA when it could be done much better with an app on the phone?? "
Because, you fool. For that very reason. A cheap throw away phone with anonymous PAYG SIM, which costs peanuts in total, is far more secure than anything you care to do on your main phone.
To be clear - the multiple sim cards DON'T have to be in the same phone. The point is you have another way of getting in, you leave in your desk drawer.
And the point about the PGP key, is not that Facebook etc don't trawl your data anyway, but it is so *someone else* can send you a message without them inspecting it.
I haven't tried it, but I think if you have a PGP key, it might volunteer it when you send a message...if not it *should*!!!
P.
And the point about the PGP key, is not that Facebook etc don't trawl your data anyway, but it is so *someone else* can send you a message without them inspecting it.
FB doesn't need to. What FB collects is not data, but meta data: who do you communicate with, and why. You have to thank the forgotten Bletchley Park genius Gordon Welchman for that: he's the one who worked out that meta data was at least as important as data, which is what he did before he improved Turing's work on breaking Enigma codes.
PGP doesn't do squat to protect you against that.
"2nd sim card, PAYG, works a treat. You can use it in any throwaway, but allows you 2FA."
the phone still uses the same IMEI number...
So you really need cheap 'burner' phones... keep your real phone for normal comms, but anything you don't want them to know about, use a disposable phone
>>"2nd sim card, PAYG, works a treat. You can use it in any throwaway, but allows you 2FA."
>"the phone still uses the same IMEI number... "
No it does not. It IS a separate "throwaway" phone...
>"So you really need cheap 'burner' phones."
Which is EXACTLY what he said... "you can use it in any throwaway..."
> They need to support a better 2FA, like using the RSA app on your phone to generate OTP codes.
Google already do use this, or something similar. There's an Authenticator app that I use, which spews out six-digit codes every 30 seconds or so. Handy for internet cafes when I'm travelling.
...then you shouldn't be on facebook."
That would be 99.999999999% of all facebook users then...including geeks, tinhats, etc.
I was recently added to a group of people that all know me and each other. The purpose was to share each others full address and phone details! I kid you not.
When I said I would not share my details, unless an alternative secure method was agreed, I was ridiculed multiple times by each and every one of the group including those who work in IT.
They all seemed to think that privacy is: a) a joke, b) unnecessary, c) for paranoid losers. They then go back to their traditional newspaper that spouts lies to them on a daily basis, bury their heads in the sand and refuse to believe what is real, preferring the fantasy of illusion presented to them.
I was shocked at the outright refusal to believe that even basic identity theft could be a problem for any of them if any of their FB accounts were to be hacked. Said hacker would have each and every address, phone number, name and email. (S)He could go a long, long way with such information, but no, that could never happen. How stupid I was to even suggest it...
Even if keeping on FB then please delete and create a new profile with a new disposable email every year or so. It limits what FB can easily gather on you and evidence of past indiscretions, and a perfect excuse to dump those "friends" who are sufficiently important not to appear to single out for un-friending, but that you really did not want watching your every post.
You base that advice on what I consider at best an unproven theory: that Facebook genuinely deletes your data when you close a profile. Until there is independent evidence of that I would not consider that to be the case, EXACTLY because your advice suggests you are so addicted to the platform that you have a need to come back to it.
I suspect that the "old" records will quite swiftly be again associated with you, but with a marker that prevents any of the "old" data being played back to you other than by means of remarkably accurate predictions of with whom you should connect.
After all, if LinkedIn retains anything even after you delete it, I cannot see why Facebook would do itself a disservice either.
I agree Facebook probably keeps your information that you "delete". After all, when you leave Facebook all it does is deactivate your account - I have friends that have left for a year or two and when they come back they pop up in my friends list without me having to do anything. Obviously nothing was ever deleted.
What's more, I know that Facebook and Linkedin are sharing data. I do not have anyone I have a professional relationship with as a Facebook friend, but I do have a handful of Facebook friends who I'm connected with on Linkedin despite a total lack of any overlap in our careers or workplaces. It is really creepy that Facebook will make friend suggestions for me with people I work with (but am not connected with on Linkedin) with whom I have zero mutual friends on Facebook - in fact probably would have to go through several layers of friends of friends, Kevin Bacon style, to get to them!
This is only possible if Facebook is sharing data with Linkedin to be able to make that association between those people and people I'm connected with, and connecting it with my Facebook identity. (It isn't cookies, I'm very careful about clearing those and hardly ever login to Facebook other than mobile anyway and when I do it is in a private window)
What's more, I know that Facebook and Linkedin are sharing data.
I'm not convinced by that, if only because Zuck doesn't exactly come across as the sharing type. If one or more of your LinkedIn contacts have been daft enough to allow LinkedIn access to their email (as it keeps asking for on every logon) they already have all the relationship data they need to map your relationships. These companies are *way* ahead of you in working around any protection of your privacy you might deploy: they simply do not ask you, they ask your friends.
The only way to stop that is to stop having friends and colleagues which is a feat few of us manage unless we use a false name, but having a false name means you then have to protect any link between that false name and you. You can't win, which is why hitting them with every privacy law you can think of is almost mandatory. In the words of a cosmetics brand (I think), "they're worth it".
LinkedIn is creepy.
Trolling through your contacts and sending requests on your behalf when you only gave them access to your contacts is one thing. Being able to send things to people you know when you don't give it permission is another.. That stopped after I a) changed my Gmail password (I run my own email server but use the gmail for a couple of things still) and b) started a policy of not using LI in the same browsing session as I use gmail (cookies always cleared when I close browser, AB+ + NS + no third party cookies etc to help).
I seldom check LI now anyway, just due to my part in a thread discussing their actions. Including that they send emails from people on their behalf without asking..
Oh.. And something to note. LI started suggesting I knew the owner of a 5 star hotel in some luxurious tropical resort. Quite insistent. It wasn't for some months that the guy I worked for then let me know what was going on.. this hotel owner was a close friend of one of our customers, the customer and the owner were arranging a surprise trip for the customer's wife, and the customer was using our computers to hide his email from the wife... The only thing in common was the IP address used, but LI used that to link us.
Which makes sense in some other cases.. There's been a few that creep me out even more.. Like some darling people I know I'd never tell mommy and daddy about... Or the first girl I ever kissed (well, she kissed me...) when we were like 5 or 6. Those people, some I have no online association with and some I haven't contacted for over 30 years - those contacts from LI creep me out no end. Or would do if I looked at it..
Oh, and when we set up our business my partner and I looked at Google, LI and Facebook's T&Cs. LI is very very nasty about what you put on their site (put your company logo on there? Guess who owns the rights to it now!), Google is not as bad but still bad (also perpetual rights to make money from your material).. But Facebook? Their T&Cs I could surprisingly live with!
I'd never heard of TAILS before, so I did a search. Quoth Wikipedia:
"On 3 July 2014, German public television channel Das Erste reported that the NSA's XKeyscore surveillance system contains definitions that match persons who search for Tails using a search engine or visit the Tails website."
https://en.wikipedia.org/wiki/Tails_(operating_system)
I expect people who read The Register are also watched. Especially people who comment.
Snowden doctrine suits freedom warriors but doesn't protect your ordinary private life. Vital universal liberty.
It turns out that the government can simply give itself permission to read everything that you send and receive on the Internet - for instance, the British government intends to have (if the prime minister decides that he wants to see it) a list of names and home addresses of anyone who in the last twenty-four hours accessed BlackLivesMatter.com, IMayBeGay.org, HowTradeUnionsWork.info, BorisJohnsonWouldDoItBetter.net . No warrant and no reason, just for fun. Or to pass it to a Taxpayers Alliance murder gang to carry out a few hits. (You say that isn't what -they- do, but, how do you know that?)
And it really will be illegal to supply, and presumably to possess, encryption software that the government can't see through.
That's the plan -here-. Try blowing your whistle with all that going on.
It must be stopped if possible, I suppose by the government being made to accept and actually abide by rules that properly limit what our governors can know about us and why. Which sounds difficult.
There are more unprincipled regimes around the world, of course. But our lot have a natural inclination to move in that direction.
Then let's poison the well by all searching for it.
Heh heh. Oops. Too late. I already added myself to their lists by searching for that before I knew it'd add me to a list. Doh.
If the NSA / GCHQ really want to waste their time keeping tabs on anything I've ever said or done then they must have money to burn. It's not worth logging my past escapades or youthful indiscretions, mostly because I'll never climb high enough to join what today's kids call "the elite", such that I may need to be influenced, and partly because I'm quite open with friends & family about pretty well everything.
If the NSA / GCHQ really want to waste their time keeping tabs on anything I've ever said or done then they must have money to burn. It's not worth logging my past escapades or youthful indiscretions, mostly because I'll never climb high enough to join what today's kids call "the elite", such that I may need to be influenced, and partly because I'm quite open with friends & family about pretty well everything.
And yet they still do it and you're still having to pay for the pleasure. You might not "have anything to hide" but they're still billing you. This is just one of the many problems.
Fools rush in, where wise men fear to tread...
You cannot predict the future, and also cannot turn back the clock. Once you tell them everything, they will have it forever, for ANY eventuality.
Fools like you live in the fantasy that spooks are somehow not abusing many ethical boundaries, many democratic principles, many rules of law etc.
If they're "all" (on a technical level) compromise
Although he mentions compromised implementations, the main concern is the legal vulnerability.
It is likely that the majority of VPNs out there have some sort of log of who is connecting to them and when. Only those which are set up specifically with privacy in mind, and whose admins and architects have done a thorough job, will have any chance. Even without this, there will likely be a record somewhere that you have connected to a VPN. While this won't immediately allow joining the dots between an individual and his communications history, it will allow a starting point if someone (e.g. the govt) wants to find out what you are doing.
In addition, it's likely that VPN providers are already watched with a higher priority by the security services. If you use one, so their logic goes, you must have something to hide.
it doesn't bode well for the security of... TOR... does it?
There is a big difference with TOR. The whole design of onion routing is set up to avoid traceability. Your packets bounce around nodes, with each node only able to see the next and previous hop (if I remember what I read about it years ago correctly). Although there is suspicion that spooks control enough of the nodes to compromise the network...
there's another weakness of tor: suspicion by association (you mentioned it ref. VPN). Sure, the spooks can't (well, maybe) see what you used tor for, but they know YOU use it, and as the tor user base is relatively small in the uk (thousands, out of millions of users) it's much easier to "focus" on those few. And, I'm sure, there are other means and ways of finding out just what those people are up to...
tl;dr he said to use TOR. It's better than a VPN for privacy: it uses multiple proxies and doesn't require payment which can be used to trace you. (Although it is slower than the VPNs meant for casual pirating and geoblock circumvention)
And he suggests people use TOR as much as possible to decrease the surveillance signal/noise ratio. I'm down with that. It'll also protect me from IP-based tracking, and websites have gotten so slow that TOR's routing delays are pretty insignificant.
The theory is that Diffie-Hellman key exchange which VPN cryptography, HTTPS and other protocols rely on are all based on the same prime number as it was thought it would be impossible to compute but a nation state could throw a lot of hardware at it and do it within about a year.
With most products being based on a few prime numbers, every year so they can crack a new one and use it to decrypt data from all the apps/hardware that use that prime. Each year the percentage of encrypted communication they can decrypt goes up as a result.
Something like that anyway.
I was taken down by a cheapo Canon printer last week. An elderly relative bought it against my advice, was disappointed that 'wireless' still meant a power-cord. I rushed at it because I've far more important things on my plate just now. The software didn't work with Win10, even the latest download, insisted on being logged on as admin to access the internet rather than just asking for an admin password, and even then it said I'd have to change the household wifi encryption to its lower standard - I refused and it crashed the PC losing hours of unsaved unrelated work. Totally my fault I know, a litany of errors, but still, sadistically poor programming. The shop didn't even question its return, they could tell the mood I was in.
I'm not at all a Microsoft fan, but I rather suspect every NT based version flushes the dirty buffers several times a minute, so perhaps scepticism is in order here. Software not working with Win10 is credible but unless the printer is at EOL is likely to be corrected in due course. On the other hand, I would not connect a wireless device to my network that had to log in at all, let alone as administrator. A statement of either that or downgraded link encryption as a requirement ought to generate an immediate return.
it's always the wifi connectivity that causes grief on setting up printers, especially on the low end printers
Upvote for that. Due to circumstances I'm of a sufficient distance away from the access point that my (rather new) printer really struggles to keep a link up. The result: *very* slow printing.
I tried WiFi extenders but these things have other side effects, so in the end I just jacked the printer in via an old 20m ethernet cable I still had around from when I was messing with VoIP. Problem solved.
I'm seeing some random mentions that the NSA (or NORKS or Mensheviks or whatever) have figured out how to intercept all traffic.
Now, this may be a dis-information campaign to push everyone onto AOL or a honeypot to get everyone to read the article and get Pooh-Beared. But still, don't trust anything you read on the internets, or especially here!
TOR has never claimed to be immune to types of traffic flow analysis (i.e. the "intercept all traffic" thing). The problem is balancing usability in real time with anonymity. If you want to play with those that are designed to deal with that kind of attack, you need to look at using CypherPunk remailers and FreeNet.
Your traffic can be detected at exit nodes. My understanding is that TOR is good for looking up -say- contentious things; but using TOR for any service you have to log into is risky. Good for evading ISP filters and country blocks and other barriers; but any passwords are at risk unless there's also another layer of encryption or two. Especially plaintext ones *cough* El Reg *cough*
Quick in-and-out, non-repeating behaviour (like -say- looking up symptoms that you don't want your insurance company to associate to you); fine.
Persistent use and logins; some caution.
As a quick aside; despite film/music downloading being perfectly legal here, Vodafone have taken it upon themselves to block The Pirate Bay. So non-TOR queries take you to this page:
http://castor.vodafone.es/public/stoppages/stop.htmopt
...which calls this javascript
http://castor.vodafone.es/includes/jscUtils.js
...(some kind of fingerprinter?). Anyway, 5 seconds and TOR later, blocks like these are not a problem.
Tor has always been compromised. It was built as a honeytrap with US government funding. People who use it are kidding themselves if they think there is any security at all as a result of using it.
Tor's full name is 31-tor - which is ROT-13 backwards. .
Depends what you're using it for and who you're hiding from. The receiving site can't tell where you're coming from and that's enough for many purposes. It provides an alternate route; which can be handy if there's area filters in the way of whatever you want to look at. It's useful for coming at each point in a route from a different angle; which I find useful for diagnosing routing problems. It's also good for skipping past your ISP if they're getting a bit cheeky.
Now looking up contentious stuff is a little shakier ground; but the way I figure it is that it's only state-level actors who are capable of consistently intercepting your traffic (because the entrance and exit are random-ish, so you have to monitor all of them) and if you're of no interest to them then it doesn't matter. Even if the system is as compromised as you maintain it is and you look up something bang in the centre of their word list (like "Ooh. Ricin. How does that work then?") then they can call up your profile and see a lot of random searches on both contentious and non-contentious subjects and work out just how much of a threat you are. In fact the real danger there is if the security services are not as competent as you allege; they see one dodgy search term and get all black-helicoptery on a sample of one. But then, that would be expensive and they would end up looking like muppets.
You don't know who is running TOR nodes, so basically assume they are compromised and use public wifi rules...no usernames or passwords unless you also have other prophylactic measures in place. Also monitoring of just one end (via your ISP, say) can reveal patterns of usage which can tell people a lot.
TOR is a tool just like any other. It's certainly not enough on its own if you're going up against state level actors...there is no one-stop-shop for that sort of thing. Having no plans to topple any regimes (I've got other stuff to do this weekend) I find it pretty useful for a number of things.
"You have zero privacy anyway. Get over it."
Provably false. Do you know everything about Scott McNealy? Can you even find out everything about him? No. Privacy is a matter of degree: nearly no-one has absolute privacy and nearly no-one has no privacy at all. Blanket statements like this are just attractive soundbites --- any more than superficial analysis shows them to be fundamentally unhelpful in any mature debate about how much privacy we can reasonably expect in various circumstances.
I am so f*ing tired of a*holes like McNealy spreading FUD on behalf of the goons, especially since he's probably not getting paid to do it anymore. The purpose of the national security state, of course, is to defend and extend the wealth of those who own it. They use surveillance to keep us in line and provide inside information to their paymasters. McNealy is one of the beneficiaries of that system, and so his opinion can't be trusted.
But what the hell, some weeks ago Snowden was just Snowden, but in this article again "NSA whistleblower".
A rather short search on ElReg came up with the following:
master blabbermouth Edward Snowden.
former NSA sysadmin Edward Snowden
rogue sysadmin Edward Snowden
Uber-leaker
Whistleblower Edward Snowden
Master NSA blabbermouth Edward Snowden
NSA master blabbermouth Edward Snowden
whistleblower in chief Edward Snowden
The People's Whistleblower
Whistleblower-in-chief Edward Snowden
international whistleblower Edward Snowden
a champion of privacy
Fast Eddy / hero whistlebower
What about having some more competition on this. (whistlebower was quite nice).
I have tips to muck up your life.
1. Tolerating psychopathic lovers
2. Tolerating psychopathic politicians and public servants
3. The wrong type of psychoactive substances at the wrong time and place
4. Mocking the security services (they don't like it up 'em)
You got any tips yourself? I have some tips for you lot to improve my life. How about doing away with 'Contempt of Court'? I'm a freaking anarchist, contemptuous of nearly everyone, how is that not an in-built trap?
In full tinfoil mode one has to wonder.... is this a list of things one should use and do, or is this just another character in the play, a harpie calling us to the rocks to wreck our own boats on the shore of already broken "solutions".
Who to trust... and how to trust..... hard times ahead,
I recently had a phone die; I had a spare phone but needed a different size sim card for it.
I've read about people with two-factor authentication losing bitcoins via clever social engineering of their phone provider, so I was completely unprepared for what happened when I went to the AT&T store to get it.
I gave them the phone number, they gave me an activated sim card. No ID needed, no questions asked, not even my name.
Did they at least ask you for the existing sim card before giving you a new one ?
Because if they did, then it's rather okay since you are replacing an existing item with an identical one in a different size. They don't really need to know who you are, the sim card is an appropriate passkey.
But if they didn't even need that, then yes, one wonders exactly what the word "security" means today if one can go to a store and ask for a sim card for any phone number with a blanket excuse like size.
I thought there were big questions about Tor's efficiency against US agencies, notably the NSA ?
Also where did I read that most cryptography algorithms were implemented using the same big prime number, and that in all probability the NSA took advantage of the rarity to make precalculations that helped crack most keys in minutes/hours at the most.
Anyhow if someone has a recommendation for a good password manager, I'll take it.
The same Micah Lee has a guide to privacy in PDF:
https://freedom.press/sites/default/files/encryption_works.pdf
There is also a lot of information on the Tails site. https://tails.boum.org/
The question I have is, Tails team tells you that you can add an encrypted volume to your tails USB key to store your documents, hyperlinks, encryption keys and more, but that it isn't recommended.
In this case, what's the alternative ? Can one assume there is a safer cloud storage somewhere ?
If you want convenience just download the Tor Browser Bundle and run it in your everyday OS when you just need to look up info without logging into sites. It'll increase your privacy quite a bit.
"Safer cloud storage"? lol, not really. Maybe a pastebin? Write down the random URL on paper, and only access it via TOR.
If you're truly paranoid, go with Tails on a throwaway laptop via open wifi far from your usual haunts, and don't bring your phone. It's the kind of thing they do on Burn Notice. Real pain in the ass unless you really need that level of secrecy or are training for it.
"The same Micah Lee ...The question I have is"
You do realise that you'd better post that question on the original article, https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/?comments, or directly to micah.lee@theintercept.com
No offence to you, I was myself perturbed by Tails dropping TrueCrypt, just saying...
I'm not particularly technical and consider myself a user more than anything else. So I was surprised that, with a little searching and common sense, over the last year I've actually come to do all of the things on that list except using Signal.
In my small circle of friends there is nobody as privacy/security conscious as me. Or paranoid as some have said. OMG! Someone has to lift a finger to install a free and easy to use app on their iPhone or Droid! Too much effort. So although I have Signal on my device, nobody else does that I would care to use it with. I've pretty much given up trying to convince them to install it.
One thing not touched on in the article was private browsing, which is the default in Tor but not in other browsers. As Snowden notes above, Tor can be slow compared to other less private browsers. So when not using Tor I only browse using the StartPage search engine, which is the same one defaulted to in Tor.
Also not mentioned is simply being aware of security and privacy oriented news like the EFF web site. And of course The Register.
1. Epic fail, provably true or undeniably untrue, whichever.
Snowden was indeed hired and trusted with private data, OUR private data his employers had no right to have. He eventually realised that was morally and legally wrong so he told us about it at great risk to himself.
Your 'truth' is equivalent to "Don't keep records of the torture of your prisoners", when the actual truth is don't torture anyone, ever.
Think of a crowd of people, the bigger the crowd the more anonymity you have. Tor isn't all that great but it's not bad as a concept or its implementation so long as large numbers of people use it.
Tails isn't that safe either. If you want real safety use a more secure OS, not Linux, or if you like Linux, checksum all the source, read it, understand it, edit it, patch it, and compile it. A good secure LSB base system can be compiled in 2 or 3 hours.
I use encrypted RAM, and TRESOR, selective stealthing on ports, and a whole lot of other goodies that would never see the light of a default setting on a Linux distro. Failing that I use z/OS on the basis most people couldn't IPL a system if their life depended on it.
Why are we still listening to this guy? Political figures like Snowden and the EFF are out of their depth on all this stuff. Private citizens afflicted with garden-variety paranoia would be better served taking the NSA's advice on cybersec matters. Go ahead, disable every ciphersuite with known vulnerabilities in your browser and try connecting to some of the domains hosting so-called security software. If they can't keep up on their own site security, what are the chances they really know how to protect yours? A lot of this stuff is little more than security-theatre-du-jour, except now they're promising to protect you from the big bad TLAs instead of the blackhat malware coders the AV vendors of yesteryear were terrorizing us with.
Make it reboot and refresh the ISP assigned IP addy every 6 hours or once a day. I bet that would make someone's job just that little more tedious. Especially if everyone was playing musical IP addresses rather than sitting on the same one for months on end.
In fact that could be quite a handy feature if your router could be programmed to refresh its IP address every so often. Just adds to the admin at the other end.
the following post is encrypted for my safety:
sss4lskekk6 k799dsjjjjjjjjffdo kre8887576e wjjjjjjdfffffffffffffffffk fkkrrkeodksdsd defeffjjjjjjjjjjjjjj eererern4367nmm23s9vfre de983ej jf439rjer9ifjowemcfnt4uu axm233rt dek kr4oktokuy79yh85tkj5tnmfrrr
there, i hope you all enjoyed that and benefit from it