PRISM - What have you changed?

Khannie

With hindsight I should have assumed it was happening. It seems obvious that it would have been now that I give it proper consideration. I value my privacy simply because I feel people have a right to privacy, so I have changed a few things:

1) I have encouraged friends to PGP encrypt email exchanges. I am using a plugin called "mailvelope" for chrome with my gmail. It's not ideal, but it is slick and easy enough for the average Joe to use (I have tested this with non-technical people and it has worked). A firefox version is hopefully forthcoming.

2) I am using OTR with pidgin. Super little plugin.

3) I have dumped google as my default search engine from all my browsers and am now using startpage.com.

That's all I've managed to change so far. I am seriously considering hosting my own mail server, but actually in a way it's less secure. If I mail someone from my gmail account who has a gmail account (lots of people) the exchange is entirely encrypted. Unless there is a court order to view my gmail (ridiculously unlikely) it is private. If I hosted my own mail server, it would be unencrypted unless both parties were using PGP.

Anyone else changed anything? Nothing at all? Were already doing such things?

Trojan

I'm not doing very well, not a lot of change at all.

I've been using duckduckgo.com as my search engine for a while now, 12-18 months, but find myself back in Google very, very often as the DDG results can be iffy at best. Startpage looks very interesting.

I'm still on Google Apps for email because the business convenience trumps privacy for the moment. I might consider moving at some point in the future but would need to make business sense. PGP is on my todo list to set up, primarily so customers can use it if they so choose.

I'm stuck using Skype because that's what all my suppliers and customers tend to use for IM, again inconvenience is too strong.

For OS, I like Windows (to the point where I installed it on my MacBook Air). Being a UNIX guy originally I would potentially switch to Linux if there was good driver and software support, but in reality it's fairly crap. I simply can't afford to waste minutes nevermind days trying to compile kernels or apt-getting stuff, so it's sticking to Windows until Linux makes massive strides in that direction.

All in all, pretty underwhelming changes.

AnCatDubh

I'll slowly and incrementally begin to detach myself from things that may not be good for me.

Funny that you should post that today. I began last night. Small measures and baby steps.

DuckDuckGo became my search engine on my 'go to' machine - wasn't aware of startpage.com, but i'll check that out.

With privacy in mind, I signed out of my google account and stayed signed out all day. I take it that this is what is enabling your search history to be recorded. I know, I know, there are privacy settings which can be exploited within your google account which I intend to investigate. Like I say small steps and gradually.

At the moment i'm still on Gmail. I think i need to get off that platform but i'm unsure as to where to go with this. As you've said, host your own is somewhat attractive in terms of control but does that make you ultimately more secure? Perhaps, but in % terms who are you going to be emailing that are wittingly or unwittingly using PRISM accessible email services - gmail, facebook, yahoo, outlook.com. Whether you are on such platforms or not your email is likely to land on them at least some of the time, and what else they may be sifting through over the wire would probably add up to a significant portion of what you'll email anyway.

To me, PGP doesn't appear ready for the masses. If you have technically adept friends and family then maybe but until it becomes integrated to an extent that you or your intended recipient don't even think about it, it will imho only be partially useful.

Again, like most, being honest about it, I won't have a whole lot to hide and it is a lot of consideration (and time) that you need to give this privacy thing [which generally is hard work] for respecting your perceived right to privacy but there is very little transparency as to what purpose might your data be put towards by foreign nations once it has been hoovered up, so i'm currently of a mind that it will be worth the effort to give it serious consideration.

Its a journey and I'm guessing most will through general complacency have arrived at a point of leaving themselves exposed by the lazyness of seeking 'an easier life' and technology which sucks you in to insecure habbits (leaving your various accounts signed in and so forth).

The journey continues.

Black Swan

I am following this thread. Taking notes. Very interesting topic and source of security info Khannie and other contributors.

If you haven't read WIRED's 15 March 2012 cover page story about No Such Agency building a massive Utah data center (or haven't read it in awhile), I would strongly suggest it. Any encrypted emails, IMs, VPNs, etc., that they do not decrypt today, will be stored there for decryption later, when it's convenient and after their latest super computer has been completed for that purpose.

Personally, I really have no need to encrypt the contents of my comms today, but may just do it to be a very slight pain in the backside for the various nations, corporations, and local javahouse hackers that love to snoop. And the more of us that encrypt, the more expensive it may become for the snoops to handle the load, especially as the encryption software demand and sophistication advances overtime.

Khannie

Black Swan wrote: »

Any encrypted emails, IMs, VPNs, etc., that they do not decrypt today, will be stored there for decryption later, when it's convenient and after their latest super computer has been completed for that purpose.

In fact a supercomputer that can decrypt well encrypted data will never be built. It is now trivial to encrypt to the point that decryption (even over vast amounts of time, with vast compute power) is not feasible. The best hope for decryption is that a flaw is found in the algorithm somewhere down the line. That in itself is pretty unlikely, at least for RSA. It was given a hunk of scrutiny by the best minds before being adopted and has surely been examined many times since.

edit: Oh yeah, startpage is very good. It is google without the tracking. You miss out on autocompletion, but other than that I am very happy with it. I'm using it on all my devices now.

hooplah

Like yourself Khannie I value my privacy, just because I think I'm entitled to. I haven't really changed much. I'm knee deep in college deadlines at the moment so I am going to return to look at this however.

I have looked at Firefox add ons, I previously had PrivacyFix and https everywhere. I have added Ghostery to block trackers.

Gmail is my main email account. I am reluctant to change that since I have had it so long and its the address people know they can get me at. I have set up pgp on various machines or with Thunderbird and Enigmail in the past but people I know just don't use it. Mailvelope (and openpgp.js means there should be more apps like this right?) doesn't look bad but it won't solve that problem.

hmmm.. startpage looks good. I switched off google web history a long time ago. Just wondering if there's a loss of function somehow with switching?

Grudaire

I find duckduckgo to be terrible at actually finding stuff. Particularly from an Irish perspective... I have tried a few times, but I always end up back with google :-\

@Trojan: I use Linux now all the time (at home). I have to say that I have very little trouble with drivers etc. I'd be semi-techie, but I have no time to be messing about with stuff either. I have only gone outside the Linux Mint Software centre a handful of times, and even then I haven't had to compile from source (Ubuntu/Debian precompiled packages).

Unless you have very specific needs (Software/Hardware) I think Linux is extremely user friendly now, and I always feel more secure using it

[-0-]

Khannie wrote: »

With hindsight I should have assumed it was happening. It seems obvious that it would have been now that I give it proper consideration. I value my privacy simply because I feel people have a right to privacy, so I have changed a few things:

1) I have encouraged friends to PGP encrypt email exchanges. I am using a plugin called "mailvelope" for chrome with my gmail. It's not ideal, but it is slick and easy enough for the average Joe to use (I have tested this with non-technical people and it has worked). A firefox version is hopefully forthcoming.

2) I am using OTR with pidgin. Super little plugin.

3) I have dumped google as my default search engine from all my browsers and am now using startpage.com.

That's all I've managed to change so far. I am seriously considering hosting my own mail server, but actually in a way it's less secure. If I mail someone from my gmail account who has a gmail account (lots of people) the exchange is entirely encrypted. Unless there is a court order to view my gmail (ridiculously unlikely) it is private. If I hosted my own mail server, it would be unencrypted unless both parties were using PGP.

Anyone else changed anything? Nothing at all? Were already doing such things?

I need to give you a shell on my server so you can chat on our secured IRC server too.

Rev Hellfire

I've changed absolutely nothing.

I did think about shifting off Google for mail, but tbh couldn't think of a compelling reason to do so.

Trojan

One thing I was thinking of years ago - but figured it would get me into trouble - was this: a set of plugins for browsers/servers/websites that create noise. Lots of false traffic including every word on every possible black list, plus a bunch of innocuous stuff, all being sent hundreds, maybe thousands of times an hour by every user and device on the web. Theoretically it could render a massive amount of anti-privacy methods so costly as to be impossible.

Gotham

For the past few years I've been running a private IRC server with forced 4096 SSL and authentication.
I don't use any chat clients that aren't IRC or on LAN.
I used throwaway emails for social networking, which I also fill with flaky information.
Online items are bought with a prepaid card with flaky credentials attached to paypal.

Nothing has changed. But I might start using buttcoins.

Addendum:
I cant find the article now because it's drowned out in all this PRISM stuff, but it was pretty clear to me that Skype was being monitored.
The article was an experiment where links were sent out to people who were supervised not to click. (http://website/link?param1&param2)
The links were not only clicked by some unknown entity, the url parameters were also changed.

Years ago, a friend and I joked about this theory on MSN. We spent days sending stupid messages to each other including words like "bomb" "semtex" "agent orange". His chat client started to become very unreliable, some messages not being sent at all. We were finally convinced a year later that we were being spied on (at least automatically) when he could reproduce his connectivity issues by saying "agent orange" repeatedly.

AnCatDubh

Have now deleted 15,600 google search history entries and turned it OFF for the future. My rationale - if I do search using google now which hopefully will be on rare occasion, it won't know it's me anyway. Yeah, I know..... too late - the 15,600 have already been sucked down into a data centre in Utah, but I’m thinking that's only relevant if they, in the future can figure out its me.

My web access via smartphone has gone into private mode by default, no history, no cookies, no persistent logins to anything, very few apps thus far. I intend to go that route with the browsers on machines which I use - private, zero cookies, blah, blah....

I'm reading the privacy statements of services which I may want to use. Yes, i'm READING the privacy statements. Sweet jeebs...... What is becoming of me

As I said earlier - small steps, and yeah I'll probably mess up along the way, but i'll be getting there - wherever there is.

hooplah

This might be useful for people looking for alternatives:

http://prism-break.org/

that said the functionality of many of the solutions they reccomend don't go anywhere near matching what they should replace. I have f-droid installed on my phone and it just doesn't have anywhere near enough software to contend with Google Play

Walker34

1)Windows is history....changed to linux.
2)Ccleaner changed for BleachBit
3)Tor installed.
4)Any private documents are kept on a pc with NO Ethernet card.....ie not on internet.
5)Dropped Firefox for Chrome, but looking for a better alternative security wise.
A host of other changes .......but they are PRIVATE Barak!........sorry.

Black Swan

Walker34 wrote: »

3)Tor installed.

I haven't used Tor in awhile. I stopped using it because during peak user times it became sluggish and sometimes I got timed-out of sites. Has it improved in the past couple years?

Walker34

Black Swan wrote: »

I haven't used Tor in awhile. I stopped using it because during peak user times it became sluggish and sometimes I got timed-out of sites. Has it improved in the past couple years?

I don't see any effect with Tor speed wise.....its the same on as off.I doubt that the NSA would allow Tor exist without means to circumvent it anyway:mad:.

Gotham

Walker34 wrote: »

I don't see any effect with Tor speed wise.....its the same on as off.I doubt that the NSA would allow Tor exist without means to circumvent it anyway:mad:.

The NSA don't really have a say in peer to peer networks. They can make it illegal to use certain strengths of encryption, but they cant use those laws on non-us citizens. In short, the NSA cant do sh­it about Tor with good encryption, that being said - when I checked years ago, the encryption wasn't particularly strong.

Tor used to be slow, but now that loads of universities are setting up exit nodes, they've effectively donated to the cause. Maybe for now, just check that the exit node is non-us

Grudaire

Considering that tor is funded by the Americans I'm not sure that it is safe from their prying eyes in the slightest..

Walker34

Gotham wrote: »

The NSA don't really have a say in peer to peer networks. They can make it illegal to use certain strengths of encryption, but they cant use those laws on non-us citizens. In short, the NSA cant do sh­it about Tor with good encryption, that being said - when I checked years ago, the encryption wasn't particularly strong.

Tor used to be slow, but now that loads of universities are setting up exit nodes, they've effectively donated to the cause. Maybe for now, just check that the exit node is non-us

With a multi billion dollar annual budget the NSA has a say in anything it wants to have a say in......all whistle-blowers do is create some mild irritation or embarrassment for presidents........nothing a blinding white-toothed smile and a calmly delivered threat of economic sanction cant diffuse........right Angela?

yoyo

Is there any decent encrypted Skype type voip app with video? Not too worried myself but have a mate paranoid about all these things (some understandable but taken too far imo). Tried that Jitsi thing and it's rubbish, welcome back to the year 95 and dial up voip... It would be great if you guys could suggest a "secure" Skype alternative. Open source would be a bonus. Ironically mobile conversations aren't an issue (although they cost money :P )

Nick

Walker34

yoyo wrote: »

Is there any decent encrypted Skype type voip app with video? Not too worried myself but have a mate paranoid about all these things (some understandable but taken too far imo). Tried that Jitsi thing and it's rubbish, welcome back to the year 95 and dial up voip... It would be great if you guys could suggest a "secure" Skype alternative. Open source would be a bonus. Ironically mobile conversations aren't an issue (although they cost money :P )

Nick

The only safe option is to be very selective about what you type,and before posting, imagine yourself in John Brennan's office with a couple of XeServices(formally known as Backwater) people idly toying with a megger and and 2 large crocodile clips and think to yerself "would I want these guys to log into Boards.ie and read my recent posts.......there is one last chance to delete before posting.....and don't forget this stuff is there forever.

howamidifferent

I've been intermittantly using various VPN services over the years, not for any real reason other than I likewise didn't like the idea of my traffic being monitored (mainly by my employer ).

But I had let that lapse since March and have now signed up for a year to Witopia VPN who have exit points in 35 countries , or 160 cities globally. It's cheap at $69 and the reviews are all good.

Likewise I'm looking for alternatives for email...

I used to have Truecrypt installed from version 1.0 upto version 7 but uninstalled it becuase it was on a work laptop and it looked likely my employer was going to encrypt all laptops with McCafee encryption. Didnt happen except for executive laptops so I may re-install Truecrypt and encrypt the whole disk OS and Data.

Nothing to hide but I dont want anyone compromising my privacy. :mad:

yoyo

Walker34 wrote: »

The only safe option is to be very selective about what you type,and before posting, imagine yourself in John Brennan's office with a couple of XeServices(formally known as Backwater) people idly toying with a megger and and 2 large crocodile clips and think to yerself "would I want these guys to log into Boards.ie and read my recent posts.......there is one last chance to delete before posting.....and don't forget this stuff is there forever.

Ahh I know, it's more I'm trying to find a voip service my m8 will trust as he won't trust Skype. :pac: . Pity all the Open Source ones we tried are sh!te. Actually he is on linux (of course ) and I'm Windows so it would have to be cross platform, does such a secured client exist? Jitsi has been tried and is thrash.

Nick

Black Swan

Walker34 wrote: »

2)Ccleaner changed for BleachBit

Why leave Ccleaner?

Walker34

Black Swan wrote: »

Why leave Ccleaner?

Could not find Ccleaner for Linux hence Bleachbit.

Permabear

This post has been deleted.

Gavin

This all seems rather crackers. You should simply assume that you have no privacy on the Internet and act accordingly.

There is no freedom of speech on the Internet, no automatic right to privacy. Think about all the services you use that make up the internet, from the low level network connection to web searching, forums (!), email etc. All that data is being routed all over the place through large numbers of different organizations, all with their own view on privacy and you think that they all respect, or even are required, to respect your privacy?

Using a VPN, or Tor, is an even worse idea. You are almost guaranteed that someone is monitoring the endpoint for unencrypted traffic.

KELTICKNIGHTT

i use StartPage.com,, like it works good
instead of google and tor , but as said, tor doesn't access some site but they know this and probably fix soon , tor downloads are up a lot since the prism leak

use gmail , so with till i can get a better way,, as many have said, small steps,,
think in long run, nsa will try too keep doing what they do regardless what people do as governments across world seem to let them or not even to stop them which is sad

Nika Bolokov

Looking forward to this coming on stream

www.heml.is

Macumazan

Nika Bolokov wrote: »

Looking forward to this coming on stream

www.heml.is

Sounds promising! Have you heard of Gibberbot by the Guardian Project? It works on every platform and provides for secure messaging, I would recommend this in the meantime.

Macumazan

KELTICKNIGHTT wrote: »

i use StartPage.com,, like it works good
instead of google and tor , but as said, tor doesn't access some site but they know this and probably fix soon , tor downloads are up a lot since the prism leak

use gmail , so with till i can get a better way,, as many have said, small steps,,
think in long run, nsa will try too keep doing what they do regardless what people do as governments across world seem to let them or not even to stop them which is sad

I moved from gmail to an icelandic e-mail server but you can set up your gmail account so that anything sent there will be sent to your new address.

You're right that the NSA will keep doing all they can to erode your privacy which is why it's important we do all we can to stop them through promoting open source software, encryption, use of VPN's and so on.

Speaking of which if you don't like Tor, try using a VPN. My favourite is BTGuard. They have servers in Singapore, Netherlands and Canada, where they're not required to keep logs. Whichever you choose make sure you find one which accepts payment in Bitcoins, as then you'll be able to sign up anonymously.

Macumazan

Cliste wrote: »

Considering that tor is funded by the Americans I'm not sure that it is safe from their prying eyes in the slightest..

An excellent Youtube video on Tor vulnerabilities here - messages between Tor nodes are encrypted in such a way that even if the NSA is twenty years ahead of us in terms of their ability to break encryption, it still wouldn't be feasible to do so - of course though this only applies to messages within the network.

If for instance, you were to log in to your internet banking via Tor, it would be fairly trivial for someone to monitor the Tor exit node and see a connection to the bank's website, although of course they wouldn't see your original IP.

As such for truly safe communications you need to keep them within the Tor network, such as using Tormail to exchange messages which are encrypted by GPG - I think at present the NSA is relying on the fact that only a small number of criminals communicate in this way.

Also ironically using Tor in itself can attract more NSA attention, as it's fairly trivial by default to detect someone is using it through traffic analysis (although not the actual sites you're visiting or information you're exchanging). You can mitigate this risk by using the obfsproxy bundle for Tor instead.

Macumazan

Gavin wrote: »

This all seems rather crackers. You should simply assume that you have no privacy on the Internet and act accordingly.

Using a VPN, or Tor, is an even worse idea. You are almost guaranteed that someone is monitoring the endpoint for unencrypted traffic.

Hi Gavin,

Please see my post below, if the video is too long, there's an excellent explanation here explaining how Tor works.

In the first instance, simply tracing the creation of a blog or e-mail account for instance back to a Tor exit node would not enable law enforcement or anyone else to know the original IP of the user connecting through the Tor network through simple traffic analysis alone.

If the user doesn't take certain precautions it may be possible to tell they were using Tor at their home address at the same time that a particular e-mail or message was sent of course. Also if the person gives away any identifiable information while using Tor e.g through using the same exit node to log in to their personal e-mail account while also writing their "hacktivism" blog but of course that's very easy to prevent.

One way to do this would be to avoid the problem altogether by locating your blog or respective e-mail accounts in the deep web itself so you never need to use exit nodes. (Tormail is a great example of this). You can add an additional layer of protection using gpg which provided sufficient key strength is currently uncrackable in any feasible amount of time.

VPN's similarly can be anonymous if used correctly. Naturally you need to make sure your VPN is in a country with no mandatory data retention laws, and also that you can pay using an anonymous methods such as using Bitcoins. I'd also recommend one which uses shared IP addresses making it harder for anyone to identify you. I use one for my day to day browsing but for extra private stuff you really do need to use Tor or I2P.

Let's not be too doom and gloom about this folks, securing your online activities is a practical goal!

Macumazan

Khannie wrote: »

With hindsight I should have assumed it was happening. It seems obvious that it would have been now that I give it proper consideration. I value my privacy simply because I feel people have a right to privacy, so I have changed a few things:

1) I have encouraged friends to PGP encrypt email exchanges. I am using a plugin called "mailvelope" for chrome with my gmail. It's not ideal, but it is slick and easy enough for the average Joe to use (I have tested this with non-technical people and it has worked). A firefox version is hopefully forthcoming.

2) I am using OTR with pidgin. Super little plugin.

3) I have dumped google as my default search engine from all my browsers and am now using startpage.com.

That's all I've managed to change so far. I am seriously considering hosting my own mail server, but actually in a way it's less secure. If I mail someone from my gmail account who has a gmail account (lots of people) the exchange is entirely encrypted. Unless there is a court order to view my gmail (ridiculously unlikely) it is private. If I hosted my own mail server, it would be unencrypted unless both parties were using PGP.

Anyone else changed anything? Nothing at all? Were already doing such things?

Good man, I was scared off mailvelope by an IT guru who said that it wasn't a good idea to let your browser have access to your private key but it sounds brilliant and I do think he was being a tad paranoid.

Startpage is excellent, as is DuckDuckGo, there are plugins for both for Firefox if anyone is interested.

You're right about having your own mail server, it seems too much trouble plus there's the issue of the server itself being more vulnerable to theft and tampering than Google's - of course if you're using GPG it's a bit of a moot point.

Other things I've done:

- Switched from using DropBox and Ubuntu One to Wuala, a cloud service which encrypts your data on your computer before storing on the cloud.

- Downloaded Boxcryptor for my Android phone to use with Dropbox so I can upload pictures and videos I've taken. (There's also a desktop version).

- Signed up with a VPN, which I paid for with Bitcoins. E-mail address I used to register was an I2P mail address. VPN server is in Canada which currentl has no data retention laws. (Although this is changing.)

- Used the wonderful "Keepass" program to generate super strong passwords for all my web services. These are copied and pasted into web forms as and when needed and I don't know them, which protects against key loggers.

- With reference to the above Keepass also makes use of a keyfile so anyone using Van Eck Phreaking to see the Master Password as it's being entered won't have much joy without physical access both to the device and keyfile. Keyfile is stored separately, my lips are sealed! :-)

- Encrypted my HDD but sadly not able to be as clever as you to put bootloader on USB! (The good news is that now all flavours of Ubuntu allow you to encrypt the whole Operating System as part of the regular installation DVD).

- Switched to using Jitsi with OTR for messaging now. My family keep in touch via Google Talk so have asked them to switch to using this so we can stay safe.

- Left Facebook and dabbled with alternative social networks like Diaspora and Nightweb.

Look forward to hearing what everyone else has done.

Nika Bolokov

Seems some U.S. payment companies are no longer working with the VPN ipredator.se

https://torrentfreak.com/paypal-cuts-off-pirate-bay-vpn-ipredator-freezes-assets-130724/

Wonder if it works well........................

Macumazan

Nika Bolokov wrote: »

Seems some U.S. payment companies are no longer working with the VPN ipredator.se

https://torrentfreak.com/paypal-cuts-off-pirate-bay-vpn-ipredator-freezes-assets-130724/

Wonder if it works well........................

Yes, I suppose it's quite a glowing commendation! In any case we shouldn't be using traceable methods of renting VPN's as it defeats the point. Bitcoins all the way. Try to buy them locally for cash if possible, if not then via wire transfer to a provider on localbitcoin.com

Gavin

Macumazan wrote: »

Hi Gavin,

Please see my post below, if the video is too long, there's an excellent explanation here explaining how Tor works.

In the first instance, simply tracing the creation of a blog or e-mail account for instance back to a Tor exit node would not enable law enforcement or anyone else to know the original IP of the user connecting through the Tor network through simple traffic analysis alone.

If the user doesn't take certain precautions it may be possible to tell they were using Tor at their home address at the same time that a particular e-mail or message was sent of course. Also if the person gives away any identifiable information while using Tor e.g through using the same exit node to log in to their personal e-mail account while also writing their "hacktivism" blog but of course that's very easy to prevent.

One way to do this would be to avoid the problem altogether by locating your blog or respective e-mail accounts in the deep web itself so you never need to use exit nodes. (Tormail is a great example of this). You can add an additional layer of protection using gpg which provided sufficient key strength is currently uncrackable in any feasible amount of time.

VPN's similarly can be anonymous if used correctly. Naturally you need to make sure your VPN is in a country with no mandatory data retention laws, and also that you can pay using an anonymous methods such as using Bitcoins. I'd also recommend one which uses shared IP addresses making it harder for anyone to identify you. I use one for my day to day browsing but for extra private stuff you really do need to use Tor or I2P.

Let's not be too doom and gloom about this folks, securing your online activities is a practical goal!

A few points.
1) Seeing as we are talking about the NSA here, it actually is feasible for NSA to perform stream correlation attacks against Tor, provided they can observe the entry and exit nodes. As they appear to be tapping inter-continental trunk lines, they could well do this. The Tor project acknowledge that they cannot defend against this attack, the system was not designed to best a global passive adversary. To do so would require introducing latency and/or dummy packets which would render the network so slow as to be unusable. So if they really wanted, yes I think they could defeat Tor anonymity.
2) The alternative approach is to simply monitor exit nodes for unencrypted traffic, which judging from the number of academic papers describing the type of traffic emerging from Tor nodes, is actually a widespread activity. There is no way I would trust that the operator of a Tor exit node is not monitoring outgoing traffic.
3) When you suggest an alternative is to use a VPN, what guarantee do you have that the operators of the VPN are in anyway legitimate and don't monitor or record your traffic ? None. It's blind trust.

If the NSA want to monitor your traffic, let's face it, there's pretty much nothing you could do to prevent them. Look at what Al Qaeda resorted to, effectively using couriers to move USB keys around, not trusting telecoms at all.

The best approach to take is to assume that nothing you say on the internet is private and act accordingly... Easier said than done of course, but probably something worth bearing in mind !

Macumazan

Gavin wrote: »

A few points.
1) Seeing as we are talking about the NSA here, it actually is feasible for NSA to perform stream correlation attacks against Tor, provided they can observe the entry and exit nodes. As they appear to be tapping inter-continental trunk lines, they could well do this. The Tor project acknowledge that they cannot defend against this attack, the system was not designed to best a global passive adversary. To do so would require introducing latency and/or dummy packets which would render the network so slow as to be unusable. So if they really wanted, yes I think they could defeat Tor anonymity.
2) The alternative approach is to simply monitor exit nodes for unencrypted traffic, which judging from the number of academic papers describing the type of traffic emerging from Tor nodes, is actually a widespread activity. There is no way I would trust that the operator of a Tor exit node is not monitoring outgoing traffic.
3) When you suggest an alternative is to use a VPN, what guarantee do you have that the operators of the VPN are in anyway legitimate and don't monitor or record your traffic ? None. It's blind trust.

If the NSA want to monitor your traffic, let's face it, there's pretty much nothing you could do to prevent them. Look at what Al Qaeda resorted to, effectively using couriers to move USB keys around, not trusting telecoms at all.

The best approach to take is to assume that nothing you say on the internet is private and act accordingly... Easier said than done of course, but probably something worth bearing in mind !

Hi Gavin,

You've made some interesting points but I think it's important to delineate between monitoring of traffic and actual interception of data.

The kind of attack you mentioned has been known to the Tor project for some time (see a Blog post from 2009 about it here). In practical terms it's not very feasible even for the NSA as you have to be in control of both the entry and exit relay, as well as modify the data which as the blog posts states, will likely cause the connection to drop.

Having said this, there's very little this would achieve in practical terms, even if it were successfully implemented. It would not even tell an attacker which Tor hidden service a particular person was using - indeed despite their best efforts US law enforcement have failed to trace the servers of websites like the Silk Road which receive colossal amounts of traffic in Tor terms.

I2P doesn't suffer from this problem in the same way as tagging attacks can't be implemented although you'll see that there are some threat models for both systems.

As regards Point 2, you're absolutely right in that you must assume that Tor exit nodes are being monitored but I think you're more likely to give yourself away by visiting an encrypted site than an unencrypted one e.g let's say you visit the unencrypted site of the Daily Telegraph in the UK, it would give an adversary a rough idea of at least your nationality. However if you used it to visit your SSL protected Gmail account, and any other malicious activity can be traced to the same exit node, you're in trouble, particularly if Google are handing over their records to the NSA as is rumoured. As I said though, you can avoid this issue altogether by making use of I2P eepsites and Tor hidden services to exchange information.

Regarding VPN's - there is a certain degree of trust involved which you don't need when using a P2P network like Tor. You can mitigate the risk of being caught by taking your time to find a VPN which is based in a country without mandatory data retention laws and subscribe by paying via Bitcoin, and use an anonymous e-mail service - of course it's not either/or, I connect to Tor via my VPN for instance.

What's good though is that we have a clear idea of what is practical in terms of security and you won't find anywhere on the TOR, I2P or Freenet sites any claim that they offer "perfect" anonymity - this is isn't necessary, you just need to make your activities so impractical and difficult to detect, that even the NSA won't get a look in.

Macumazan

Just one point in response to a PM I received last night :

"Out of the box" it is very easy for an ISP/Law Enforcement to detect you are accessing a pseudonymous network like Tor or I2P.

This could end up making you more likely to be singled out for surveillance, although with Tor at least you can eliminate this risk through using Private bridges.

When discussing issues like these, it's also important to bear in mind the difference between privacy and anonymity - P2P networks like these help disguise the IP address of your computer, but naturally if you use them to send an unencrypted e-mail for example, in which you give away personally identifiable information, then you'll no longer have privacy.

Similarly if you use your ISP's regular connection to send a GPG encrypted e-mail for instance to a friend's e-mail address, it would be obvious to any fool snooping on your connection who you are and who your friend is but it won't be possible by cryptanalysis alone to tell what was said between you.

Really looking forward to hearing what others have done to protect themselves.

AnCatDubh

Still doing research and taking small steps.

Most recent is that I've broken the link between allowing gmail to pick up email from a secondary email account (used to be my primary prior to going gmail) - one which is beyond the reach (in theory) of NSA programmes. It feels good to know I have one email account which isn't being scouped up \o/

Next up, settle on a non NSA accessible email service.

Then do the reverse, have the new email pick up anything in gmail (as heaven knows where I may have signed up to something in the past and may need it in the future), and then systematically redirect or eliminate any mailing list, subscription based stuff from having the gmail address to the new one. Reply to anything that comes in via the new email account and update contacts.

All this stuff is hard work eh

Dude111

Khannie wrote:

With hindsight I should have assumed it was happening.

Not to worry my friend,alot of ppl didnt realise it!

I knew it was going on a long time! (I remember when PRISM was started)

Quite scary stuff!!

Nika Bolokov

It is frustrating that so many changes that are being made are probably ineffective due to compromised hardware with which there are not really any suitable alternatives.

The ideal is a device built 100% from scratch with hardware and software that we can trust.

Now that would be an epic Kickstarter.

Heres a list of options (software)

https://prism-break.org/