Migrating away from 'Prism' companies

zumbar

Hey,

So I've started the process of moving away from google et al and it's relatively painless so far.

Email - I set up an account with Opera - a Norwegian company which should be relatively safe from Prism. Emails to my gmail account get forwarded to my opera address for the moment, but once peoples contacts lists get updated with my new address, I'll download my inbox, archive it somewhere and disable it. Any phone email client can be used to sync with opera mail.

GChat - I created a jabber (an open chat protocol which lots of providers support - I'm using an opera server) account which works fine. And can be used to chat to people who use GChat.


Google search - DuckduckGo is a good replacement which prides itself on it privacy features.


Google maps - there's the Dutch TomTom maps (I actually helped build their map site - it's brilliant :-)) but it's very traffic / car routes oriented.
www.routes.tomtom.com
The Finnish Nokia maps which is pretty good.
http://here.com
Open Streetmaps : www.openstreetmap.org - also pretty good.



Calendaring is the hard one. Finding a good non-american company that does a good calendering website that can sync to your phone is tough. If anyone has any suggestions let me know.
Google Docs / Facebook - I can live without them. I'd pretty much stopped using facebook anyway ........


Anyone else trying something similar ? I'd be interested to read what people are switching to.



Cheers,
Zumbar

Khannie

Good thread. I'm at the point where I consider certificate authorities have probably been compromised. Honestly, if I was the NSA they are the first place I would hit up. Sure you'd be mad not to. To that end I consider everything where I'm not in control of the key to be compromised. Essentially that means I need to host my own services for the most part. Pretty sure I'm going to purchase a domain and host email and jabber on my HTPC.

Google docs will be a hard one to replace. I'm very fond of it. I have heard of people using truecrypt containers with dropbox. That seems decent.

Play store also. I'm open to suggestion there. I haven't really looked at alternatives.

I replaced lastpass with keepass2 + browser plugin. That's working very well so far. I'm not concerned about the password database falling into the wrong hands. It's a bit like the truecrypt + dropbox idea. I just don't care because it's all encrypted.

For calendar, I may look into hosting my own again. Seems prudent given the switch of email anyway.

zumbar

bedlam wrote: »

Owncloud will give you calendar / addressbook syncing to your phone.

Thanks Bedlam. I'll give it a go.

silentrust

Excellent, I wanted to start a thread like this.

Good thinking Zumbar on switching to Opera. For now I have decided to stay with Gmail but use Thunderbird with POP3 access to regularly check for messages, download them and Google claims to delete them from their servers as soon as this is done. I am skeptical but it'll have to do for now!

For those people who do as I do using Dropbox with a Truecrypt container, I suggest that you use a strong password as well as a keyfile stored on your computer to access your container. As I understand it keyfiles significantly increase the security of your container.

Other tweaks I have made:

- Installed DuckDuckGo Plugin to my version of Firefox to reduce chances of search engine results being retained.
- Using OpenStreetMap as an alternative to Google Maps.
- Deleted personal data and closed Facebook account. (Drastic I know but I really didn't see an alternative).
- Switched to using Pidgin + OTR to speak to friends & family via Google Talk instead of using web page.

I already use the plugins Adblock Plus, Ghostery, and Https everywhere in Firefox which can significantly increase your privacy online. If anyone hasn't used these before suggest you take a look at the websites linked above.

Finally as a last line of defence, I have full disk encryption though most of the security gurus I spoke to so far seem to think this is unnecessary - perhaps because they believe it'll be too late by the time the secret police hoof in your door? :-D

silentrust

Just been on the Prism-Break site and don't like their suggested alternatives to e-mail.

Does anyone have any suggestions about alternative e-mail providers to Gmail, Yahoo, Outlook etc. ? I imagine it would have to be somewhere outside the jurisdiction of the US and their buddy boys in Europe - should we just find a Russian/Chinese provider?

I would like to use Tormail for day to day e-mail but it would raise too many eyebrows and the 2MB attachment limit is too restrictive.

zumbar

silentrust wrote: »

Does anyone have any suggestions about alternative e-mail providers to Gmail, Yahoo, Outlook etc. ? I imagine it would have to be somewhere outside the jurisdiction of the US and their buddy boys in Europe - should we just find a Russian/Chinese provider?

I went for Opera - A Norwegian company. The Scandinavians have a good record with privacy in general. My sense tells me that while English and Irish companies might roll ever and give the Americans what they want, companies from other European countries would kick up a huge fuss. Could be completely wrong though.

I'm using AdBlock plus and ghostery. I hadn't heard of Https Everywhere. Will install it now.

silentrust

zumbar wrote: »

I went for Opera - A Norwegian company. The Scandinavians have a good record with privacy in general. My sense tells me that while English and Irish companies might roll ever and give the Americans what they want, companies from other European countries would kick up a huge fuss. Could be completely wrong though.

I'm using AdBlock plus and ghostery. I hadn't heard of Https Everywhere. Will install it now.

Thanks buddy, I took a look at Opera Mail (found an excellent list of Scandanavian e-mail providers) - couldn't see a free one for OperaMail so am going with Spray.se - trying to set up an account with them as they speak, 5GB mailbox. Do you think Sweden will respect our privacy or do you think perhaps Norway would be a better road to go down?

Prodigious

Would ye be going as far as to moving off mainstream OS's onto a linux distro? I'm seriously considering doing that.

silentrust

Prodigious wrote: »

Would ye be going as far as to moving off mainstream OS's onto a linux distro? I'm seriously considering doing that.

Absolutely, I have been a proud Ubuntu Linux user for years. It can be a little tricky to set up but I think the extra peace of mind is worth it. Am particularly pleased with the latest version where full disk encryption is now offered on the regular install CD, no more messing around with downloading alternate versions.

I am sure though there are gifted Security gurus on here who will tell us that they're capable of using Windows and MacOS in a secure way, good for them but I'd rather run a system used by 2% or so of people as it'll be less likely that keyloggers and other malware will work on it.

zumbar

Well the Swedish Government were using google apps internally and dropped it like a hot potato as soon as the surveillance revelations came out

http://www.itnews.com.au/News/346885,swedish-privacy-watchdog-bans-official-use-of-google-apps.aspx

so any Swedish provider is probably relatively safe. I'd make sure they support https though.

Opera mail can be found here : https://mail.opera.com/

Their mailbox limit is 1Gb though. Enough for me, but your mileage might vary .....

Prodigious

silentrust wrote: »

Absolutely, I have been a proud Ubuntu Linux user for years. It can be a little tricky to set up but I think the extra peace of mind is worth it. Am particularly pleased with the latest version where full disk encryption is now offered on the regular install CD, no more messing around with downloading alternate versions.

I am sure though there are gifted Security gurus on here who will tell us that they're capable of using Windows and MacOS in a secure way, good for them but I'd rather run a system used by 2% or so of people as it'll be less likely that keyloggers and other malware will work on it.

I have a guide somewhere, I must dig it out, on basically a VM setup inside a truecrypt container. Pretty handy, you set up a two layer Truecrypt container, one is a "dummy" where you can access it with a password, in the case where law enforcement wanted a look at it. The other section has a different password and inside a virtual machine, off which you'd run a linux distro. Pretty nice. I'll upload it in the next few days if I can find it.

zumbar

Prodigious wrote: »

Would ye be going as far as to moving off mainstream OS's onto a linux distro? I'm seriously considering doing that.

.

Like silenttrust I've been using (x)ubuntu for years on my home laptop and have had no issues with it. If you have a resonably standard desktop / laptop hardware-wise, it should work pretty much out of the box. Then as silenttrust said - the peace of mind from not having to worry about viruses or backdoors is great. The only thing you might be missing out on is games - which isn't an issue for me.

silentrust

zumbar wrote: »

.

Like silenttrust I've been using (x)ubuntu for years on my home laptop and have had no issues with it. If you have a resonably standard desktop / laptop hardware-wise, it should work pretty much out of the box. Then as silenttrust said - the peace of mind from not having to worry about viruses or backdoors is great. The only thing you might be missing out on is games - which isn't an issue for me.

Funny you mention it zumbar as this actually came up on a separate thread where a poor chap's lost his Windows 7 installation on a laptop he keeps "for the kids" and I found out there's actually a surprising amount of games that will work just fine on Linux including Angry Birds and Plants versus Zombies (there's actually a Linux port of the latter).

Naturally Flash games like Farmville on Facebook would work just as on a Windows machine so unless you're an avid gamer I don't think you need to worry too much. You can always get a gaming PC and buy a cheap second hand laptop for personal stuff like e-mails, surfing etc. I suppose.

Victor

zumbar wrote: »

Migrating away from 'Prism' companies

Realise that someone somewhere is likely to be looking at and analysing all internet data at some level. There is no such thing as a 'PRISM company' - anything that at any point goes through the USA (and likely other cooperating countries) at any stage will likely be looked at. The harder you go to avoid monitoring, the harder you will be looked at for assessment if you ever come to their attention.

And while you may be hosted by X company in Y country, who is to say that they don't subcontract part of their service to a company that is a subsidiary of an American (or any other country) company, where a high level admin (based in the USA and subject to PRISM) has access to all data worldwide?

silentrust wrote: »

Does anyone have any suggestions about alternative e-mail providers to Gmail, Yahoo, Outlook etc. ? I imagine it would have to be somewhere outside the jurisdiction of the US and their buddy boys in Europe - should we just find a Russian/Chinese provider?

You are just changing who is looking at your e-mail, so as to exploit you. Russia and China aren't known for their IT privacy or security.

silentrust wrote: »

Good thinking Zumbar on switching to Opera. For now I have decided to stay with Gmail but use Thunderbird with POP3 access to regularly check for messages, download them and Google claims to delete them from their servers as soon as this is done. I am skeptical but it'll have to do for now!

They will likely keep the header data.

zumbar wrote: »

I went for Opera - A Norwegian company. The Scandinavians have a good record with privacy in general. My sense tells me that while English and Irish companies might roll ever and give the Americans what they want, companies from other European countries would kick up a huge fuss. Could be completely wrong though.

You do realise that most of Europe is in NATO and that the rest are likely to cooperate on security issues anyway?

I'm using AdBlock plus

Congratulations, Adblock will now know every site you visit.

Prodigious

Phonewise, would you be cautious choosing a phone?
Looking at it, if I got any required apps in their .apk form online and transferred them to the phone by usb it should be alright? Wouldn't need a google account or anything. Alternative browsers such Firefox or Orweb could be used.

Prodigious

Victor wrote: »

Realise that someone somewhere is likely to be looking at and analysing all internet data at some level. There is no such thing as a 'PRISM company' - anything that at any point goes through the USA (and likely other cooperating countries) at any stage will likely be looked at. The harder you go to avoid monitoring, the harder you will be looked at for assessment if you ever come to their attention.

And while you may be hosted by X company in Y country, who is to say that they don't subcontract part of their service to a company that is a subsidiary of an American (or any other country) company, where a high level admin (based in the USA and subject to PRISM) has access to all data worldwide?

You are just changing who is looking at your e-mail, so as to exploit you. Russia and China aren't known for their IT privacy or security.
They will likely keep the header data.
You do realise that most of Europe is in NATO and that the rest are likely to cooperate on security issues anyway?
Congratulations, Adblock will now know every site you visit.

You are not being very helpful. At all.

silentrust

Prodigious wrote: »

Phonewise, would you be cautious choosing a phone?
Looking at it, if I got any required apps in their .apk form online and transferred them to the phone by usb it should be alright? Wouldn't need a google account or anything. Alternative browsers such Firefox or Orweb could be used.

Do you mean to place calls securely or to use it to access your secure e-mail/VOIP applications? The gurus on the Silk Road when I spoke to them said that they would never trust a smartphone e.g to access Tormail using Orbot + an e-mail client like K9 as they thought Android was too full of holes.

I really don't know enough to form an opinion, would love to hear anyone else's thoughts on this. Needless to say proprietary OS like iOS are out of the question.

Prodigious

silentrust wrote: »

Do you mean to place calls securely or to use it to access your secure e-mail/VOIP applications? The gurus on the Silk Road when I spoke to them said that they would never trust a smartphone e.g to access Tormail using Orbot + an e-mail client like K9 as they thought Android was too full of holes.

I really don't know enough to form an opinion, would love to hear anyone else's thoughts on this. Needless to say proprietary OS like iOS are out of the question.

Was thinking email etc...
Maybe an ubuntu phone would be the best bet if you needed a smartphone.

Anyone know how legit the "anti tapping, anti tracking" phones are on SilkRoad/BMR?

silentrust

Prodigious wrote: »

Was thinking email etc...
Maybe an ubuntu phone would be the best bet if you needed a smartphone.

Anyone know how legit the "anti tapping, anti tracking" phones are on SilkRoad/BMR?

I toyed with the idea of selling encrypted Android tablets I'd imported on the cheap from china with Orweb/Orbot/GPG preinstalled but the reaction was bad as there's too much risk from their perspective that you're one of "da Fedz" trying to sell them a device which'll track them down.

Provided the device supports full encryption (I think all recent ports of Android since Gingerbread do this?) and you install open source apps, I can see the advantages! Tor as we've discussed works fully on there, there are attempts to port I2P to Android but I've seen nothing so far, although there is an app called Nightweb which is for secure social networking and uses the I2P protocol, sadly too new for my phone.

zumbar

Regarding phones - my current phone is a rooted nexus one running a modded version of android. Probably safe enough. When the time comes to get a new phone I won't be getting an android phone though - or an iphone or windows phone. I'll see what else is out there when the time comes - which won't be for a while. I don't need the latest phone - just one that does what I want, and I won't be replacing it until I lose it, or it falls apart.

@Victor - your points are all perfectly valid. It is impossible to keep all your internet wanderings perfectly secure and anonymous. That's no reason to just go with the flow though and accept that everything you do is monitored and be happy with that. As for your argument that making an attempt to secure yourself from snooping makes you more suspicious to the authorities !! That's just a bull**** and cowardly reason not to do something.

There's also the matter of principle - I'd imagine the CEO's of the prism companies are climbing the walls at the light in which their companies are being shown in now. If they see a big drop off in usage of their products they might think twice about doing it again. If they see no change in usage patterns they'll feel a lot more comfortable when the NSA et-al ask them to open their gateways a little bit wider.

I'm actually very curious why Amazon and twitter said no to Prism and google etc said yes. I wonder what the carrot and stick were. Especially with google and their holier than thou 'we shall not do evil' schtick.

Victor

Prodigious wrote: »

You are not being very helpful. At all.

Without wanting sound like I'm being condescending, but I thought this was the security forum, not the illusion of security forum?

silentrust

Victor wrote: »

Without wanting sound like I'm being condescending, but I thought this was the security forum, not the illusion of security forum?

The thing is Victor, Snowden himself said that strong encryption can work. I appreciate we need to delineate between privacy and security and that if we protect ourselves using PGP/Tor Hidden services/Encrypted VOIP/OTR messaging we may end up attracting the attention of the powers that be, but that's all the more reason to make sure that everyone is doing it, to make it more difficult to single people out.

I agree with you that we can't necessarily trust other companies with our data but if you take the time to look at how garlic/onion routing works for instance, you'll see that you don't actually have to trust people in order to be safe in the way you describe.

silentrust

zumbar wrote: »

Well the Swedish Government were using google apps internally and dropped it like a hot potato as soon as the surveillance revelations came out

http://www.itnews.com.au/News/346885,swedish-privacy-watchdog-bans-official-use-of-google-apps.aspx

so any Swedish provider is probably relatively safe. I'd make sure they support https though.

Opera mail can be found here : https://mail.opera.com/

Their mailbox limit is 1Gb though. Enough for me, but your mileage might vary .....

Decided to take your advice and switch to a Norwegian one instead, mainly because apparently Sweden actually has quite draconian snooping laws, after all they are trying to extract Assange from my country... Having said that it seems that the servers for OperaMail are based in the US with the backups in Norway so I'm not sure what to do, watch this space...

Trojan

There's a gap in the market for someone to do "Google Apps, Duck Duck Go stylee"

silentrust

Just for the record, this was the article I saw which made me worry about Swedish privacy laws.

Ok, so having looked at the available options I decided to go with the Norwegian provider Runbox. They seem to take Privacy seriously as does the Norwegian government if you believe their page on the subject.

Pricing is a little on the steep side. I shelled out €14.95 for a year's subscription for a 1GB Mailbox but then it's a small price to pay for peace of mind.

Looking forward to hearing everyone else's thoughts on staying Prism free.

nmop_apisdn

silentrust wrote: »

The gurus on the Silk Road when I spoke to them said that they would never trust a smartphone e.g to access Tormail using Orbot + an e-mail client like K9 as they thought Android was too full of holes.

I really don't know enough to form an opinion, would love to hear anyone else's thoughts on this. Needless to say proprietary OS like iOS are out of the question.

Android Malware Alert – Anatomy of the Most Sophisticated Mobile Trojan Ever Found

Khannie

nmop_apisdn wrote: »

Android Malware Alert – Anatomy of the Most Sophisticated Mobile Trojan Ever Found

Yeah, as a security platform I wouldn't be very fond of android. I looked at the play store there the other day for encrypted email options and then I though (hello! paranoia!) hell, if I were the NSA, I would just compile this stuff up with a nice little back door in it - publish open source code that differs from the binary that you publish on the play store.

I had already planned to move to the new Ubuntu OS when it comes out in a usable format (it's not there yet). As a Linux user already it suits me down to the ground. I trust the ubuntu repositories and even if you don't, you could go full retard (context) and compile from source.

Khannie

silentrust wrote: »

Pricing is a little on the steep side. I shelled out €14.95 for a year's subscription for a 1GB Mailbox but then it's a small price to pay for peace of mind.

I'm *way* too scabby to pay that. I'd rather set up my own mail server. With FTTC around the corner it's a realistic option too.

Trojan wrote: »

There's a gap in the market for someone to do "Google Apps, Duck Duck Go stylee"

Agree, but it's probably cost prohibitive. Google provide all those features to get people into their paid email. Google apps on its own is probably just a loss leader. It is definitely going to be the hardest thing for me to replace though.

Trojan

Khannie wrote: »

Agree, but it's probably cost prohibitive. Google provide all those features to get people into their paid email. Google apps on its own is probably just a loss leader. It is definitely going to be the hardest thing for me to replace though.

It's $50 per user per year for Apps. A European competitor could easily charge double that with privacy and security as the focus. Businesses would pay that.

silentrust

Khannie wrote: »

I'm *way* too scabby to pay that. I'd rather set up my own mail server. With FTTC around the corner it's a realistic option too.



Agree, but it's probably cost prohibitive. Google provide all those features to get people into their paid email. Google apps on its own is probably just a loss leader. It is definitely going to be the hardest thing for me to replace though.

How about the one recommended on Prism-Break, Etherpad? - Doesn't seem as polished as Google Apps but might allow people to collaborate on work which is what's important right?

silentrust

OK folks, so I know this has come up before but I wanted to share with you my efforts at finding a secure cloud storage solution.

Before we discussed the advantages of having an encrypted Truecrypt container in your Dropbox on the basis that even if they hand this over to the NSA it won't do them any good. Dropbox has the advantage of being able to edit files directly, which means you could use Truecrypt to access your files/apps without having to upload the whole container all over again.

This isn't particularly convenient though when it comes to the files in your Documents, Pictures, Music etc. folders. Dropbox can of course synchronise these for you (My own OS provider Ubuntu offers a similar service called "Ubuntu One") but if you like me feel uncomfortable with this then there seem to be a couple of other providers that offer the kind of "zero knowledge" cloud storage we seem to be after.

Firstly there's SpiderOak which offers 2GB of free storage. You need to download their open source client to your machine (there are versions for Windows, Mac & Linux), and the layout is very easy to navigate to automatically sync your personal files.

The 2GB can be increased free of charge to up to 10GB through referrals and provided you don't use their web interface to enter your password, it sounds like an ideal way to secure your data - at least it would be if it had simply failed to synch whenever I tried to use it on my version of Ubuntu. Perhaps our Windows/Mac users will have more joy...

In the end I went for Wuala who claim to offer the same service SpiderOak do i.e data is encrypted client side, they never see the key, but offer a more generous 5GB (I was able to bump this up to 6GB by getting my better half to sign up as well). Unfortunately the software they use is closed source so I am going to have to trust them not to have installed some kind of backdoor. That said, their server is in Switzerland - notorious for their banking secrecy and most importantly not part of the EU.

Would love to hear other people's thoughts on this.

Khannie

Mailvelope - GPG encryption for webmail clients. Pretty slick actually. Open source. Currently Chrome / Chromium only but a firefox version is apparently in the works.

Capt'n Midnight

No mention of moving from brandname routers to dd-wrt ?

silentrust

Capt'n Midnight wrote: »

No mention of moving from brandname routers to dd-wrt ?

Presumably this would make it impossible for the big brands to stick a backdoor into your firmware as you're putting your own on there?

Capt'n Midnight

silentrust wrote: »

Presumably this would make it impossible for the big brands to stick a backdoor into your firmware as you're putting your own on there?

means they'd have to be sneakier, but on a cheap consumer router that would cost too much.

you can get BSD firewalls that don't use IP addresses and just inspect the packets as they pass , but in a cheap router that extra HW would show up.


Also if truly paranoid you'd need to vet your compiler too :pac:
http://www.wired.com/threatlevel/2009/08/induc/

Security experts seem more intrigued than alarmed over a newly-discovered virus that inserts itself into a Delphi compiler, and replicates itself in every program compiled.

It can't be said too often that security is built up of layers and since any one layer could be compromised the more layers you have the better.

silentrust

Capt'n Midnight wrote: »

means they'd have to be sneakier, but on a cheap consumer router that would cost too much.

you can get BSD firewalls that don't use IP addresses and just inspect the packets as they pass , but in a cheap router that extra HW would show up.


Also if truly paranoid you'd need to vet your compiler too :pac:
http://www.wired.com/threatlevel/2009/08/induc/

It can't be said too often that security is built up of layers and since any one layer could be compromised the more layers you have the better.

Did you see that it had found its way into a trojan? Oh, the irony! :-)