State of Online Tracking

Really interesting research: "Online tracking: A 1-million-site measurement and analysis," by Steven Englehardt and Arvind Narayanan:

Abstract: We present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and the exchange of tracking data between different sites ("cookie syncing"). Our findings include multiple sophisticated fingerprinting techniques never before measured in the wild.

This measurement is made possible by our web privacy measurement tool, OpenWPM, which uses an automated version of a full-fledged consumer browser. It supports parallelism for speed and scale, automatic recovery from failures of the underlying browser, and comprehensive browser instrumentation. OpenWPM is open-source and has already been used as the basis of seven published studies on web privacy and security.

Summary in this blog post.

Posted on May 23, 2016 at 5:33 AM • 48 Comments

Comments

stine • May 23, 2016 8:57 AM

They ran this from AWS. I don't blame them, it probably lowered their costs, but unless companies have started running Websense (or other) proxies in AWS, don't you think that websites would know that queries from AWS are either 1) hacking or 2) studies like this one?
I also note that the study was strictly client-side, and that no attempt was made to deduce the existence of any carrier-cookies a la Verizon Wireless. Nor did I see Incapsula cookies mentioned.

Bumble Bee • May 23, 2016 9:22 AM

Sorry, I'm from Washington State, and I'll have to dodge chairs thrown at me for saying this, but isn't it about time to move away from proprietary, closed-source, what-you-don't-know-won't-hurt-you operating systems such as Microsoft Windows, and begin evaluating other options such as Fedora (with SELinux enabled), other GNU/Linux distributions, and OpenBSD or even other BSDs.

Whatever else one might say about it, open source ("free software" depending on philosophy) is subject to public audit on open mailing lists.

Then, let's tighten down the browser mess and all those proprietary insecure-by-design RFC-ignorant "standards" that just have to be supported for popular websites.

Clive Robinson • May 23, 2016 9:35 AM

The "Audio Fingerprinting" is of interest from a technological perspective. However I'm far from certain how effective it will be.

Mayy • May 23, 2016 10:38 AM

@Clive

The Audio Fingerprinting techniques presented in the paper sure seem like they would effectively add a couple bits of information to an overall fingerprinting strategy. The audio configuration information seems like it would vary between OS/hardware combinations.

Gathering useful information from processing an audio feed is a lot more dubious. However, with the right processing you may be able to isolate some regular features of the environment like lots of wind (outdoors), fan noise profiles (laptop/desktop, not a mobile device), typing noise (laptop or possibly tablet, not a desktop or external keyboard), etc...

Mickey Bowlen • May 23, 2016 10:48 AM

@Clive,Mayy

I took the audio fingerprinting test using Tor Browser over several sessions and the results were somewhat underwhelming. Not the best technique on its own. Of course, if you combine it with a few other dozen indicators running simultaneously in the background, I suppose as far as Google & Facebook are concerned: every little helps.

Ivanna Humpalot • May 23, 2016 10:57 AM

@Bumble Bee

YES. But, better than vanilla Linux (with millions of lines of potentially vulnerable code in the kernel alone) is Qubes, since - courtesy of qubes-os.org -

-Based on a secure bare-metal hypervisor (Xen) [only several thousand lines of code]

-Networking code sand-boxed in an unprivileged VM (using IOMMU/VT-d)

-USB stacks and drivers sand-boxed in an unprivileged VM (currently experimental feature)

-No networking code in the privileged domain (dom0)

-All user applications run in “AppVMs,” lightweight VMs based on Linux

-Centralized updates of all AppVMs based on the same template

-Qubes GUI virtualization presents applications as if they were running locally

-Qubes GUI provides isolation between apps sharing the same desktop

-Secure system boot based (optional)

Then, if you combine this with say:

- OpenVPN
- Whonix template and multiple AppVMs separating critical tasks e.g. personal, banking, throw-away VMs for likely malware etc.
- Run hardened Tor Browser in highest privacy slider position
- Use TorVM to 'torrify' all activities
- Don't run javascript if you can avoid it (beats most API tracking and fingerprinting attempts)
- Use the Internet like the Stasi are breathing down your neck (which they are)
- Stay within the .onion network where possible or https as a minimum
- Don't ever use a real name policy or pissy email which is irretrievably broken
- Use hardened messaging/file sharing/video protocols instead of proprietary rubbish e.g. bitmessage, Tox, Jitsi, onionshare, OTR etc.
- Store critical data and personal stuff off-line on LUKS encrypted volumes
- Never use social media
- Use TAILS from Live CD or USB for critical tasks
- Preferably have full-disk encryption on host systems
- Consider anonymous 3G modems
- Disable TCP timestamps
- Disable ICMP timestamps
- Have a solid firewall denying all incoming ports
- Disable microphones & webcams (permanently where possible)
- Consider spoofing MAC addresses (depends on setup and situation if necessary)
- Disable NTP clients (prone to multiple fingerprinting and other attacks)
- If you must use email, use Thunderbird, enigmail, PGP and split GPG keys
- Spoof time zone to US on host system
- Clean meta-data off any/all critical files
- Don't disclose identifying data about yourself
- Don't alternate Tor with open wi-fi
- Don't open random files or links if you can manage it
- Don't do mobile phone verification
- Don't maximize the Tor Browser window
- Don't use browser plug-ins
- Don't bookmark sites (fingerprint vector)
- Don't change default Tor settings
- Use apparmor profiles where possible e.g. Tor Browser
- Never install unsigned software
- Consider payments with anonymous credit cards and gift cards (or preferably cash), since bitcoins is unproven and research has shown IP addresses could be linked to various accounts
- Attempt a GRSecurity kernel running within a Whonix guest or host (prepare to rip hair out of head)
- Consider use of private and obfuscated bridges with Tor (unproven against determined adversaries)
- If not using Whonix, permanently disabling IPv6
- If not torrifying all network traffic, then enforcing apt-transport-tor to prevent repository fingerprinting
- etc etc (basically spend weeks reading all Qubes, Whonix documentation and forums)

Then you are in a much better place. I would add that everything is broken and everything is under surveillance/added to your identifiable profile based on data-sharing between cops and spooks.

Longer term, we need:

- internet routing that doesn't send shit through multiple countries that collate data at every possibility
- stateless, fully open hardware/BIOS/all firmware
- quantum computer resistant encryption algorithms to be widely adopted
- killer end-end encryption to become the factory standard for all protocols, including email which is an outdated mode of communication and hopelessly insecure since they already scan everybody's shit for keywords
- massive upscaling of the Tor network and adoption by FF of a Tor button in their standard browser for their 100s of millions of users
- huge growth in regular Tor users to create a larger crowd to hide in
- etc.

Mass surveillance needs to become completely uneconomical for the Stasi, since the politicians have zero intent to shut anything down. If anything, they are just legalizing everything now retrospectively and accelerating their programs and scale of criminality i.e. what they have been doing in secret for 15 years already (or more).

Besides, they don't work for us. Notice every time there is a disclosure, they were found to be harassing another outspoken group they don't like e.g. environmentalists, civil rights groups, whistle blowers, left-leaning individuals etc but never seem to aim their power at the rich c**ts running the place e.g. Wall Street, offshore tax havens, corrupt plutocrats? That is no coincidence my friend. Further, Google, Microsoft et al are just key players in the system of intelligence getting off on Big Data utopianism.

BTW this post gets me marked as an 'extremist' in the new paradigm based on disclosures ie daring to share the privacy, pseudo-anonymity love. Go figure and good luck ;-)

Eager Scallion • May 23, 2016 10:58 AM

A little experiment you can try at home:

1. Install a stock version Firefox browser in a new, updated OS.
2. Run wireshark (or ss, netstat, iftop...).
3. Launch the browser for the first time.
4. Notice how your browser has dialed home to Google, profiling you and installing a cookie in your system even before you have had a chance to do any browsing or change any settings.
5. Optional: for a laugh, visit the Firefox page on privacy, where they tell us how much they care about privacy and how hard they fight to protect our rights.

This can be replicated in Chrome and Iceweasel (the Debian version of Firefox). Icecat (GNU's version of Firefox) does not dial home to Google.

r • May 23, 2016 11:02 AM

@ivanna,

I'll see your 'marked' as an extremist and raise you 'aiding and abetting'.

Daniel • May 23, 2016 11:02 AM

@Eager

This is a well-known feature and it CAN be disabled by the following steps.

1. Disconnect from the internet.
2. Launch FF
3. Click on options/security
4. Untick the boxes "block reported attack sites" and "block reported web forgeries".
5. Connect to internet.
6. No cookie sent to Google.

r • May 23, 2016 11:07 AM

@ivanna,

Spoofing MACs is likely a crime in and of itself if I recall. And posting here to the international crowd Mr. Schneier attracts puts you easily within 3 shakes of the rabbit tail.

lisa lan • May 23, 2016 11:08 AM

@Daniel:

Wow, that's taking the hypocrisy of "it's an opt-out feature" to a whole new level.

Itchy Appendix • May 23, 2016 11:14 AM

@r
"Spoofing MACs is likely a crime in and of itself"

That is simply not true. In democratic countries, spoofing your MAC address is as legal as masking your address behind a VPN or signing a newspaper article with a pen name. In the USA there have been cases where ISPs have claimed that attempting to avoid their fees by spoofing the MAC addresses of devices and connecting to their service under a single account is unlawful, and they may have a point. That, however is not about the legality of MAC address spoofing, but rather the legality of using the spoofing to avoid paying your fees.

r • May 23, 2016 11:17 AM

Ignorance is not a valid defense, I think we should take a long hard look at the full USC Codes on computers and networking. The anti spam laws iirc covered the network origin obscuration. And blocking chrome from its intended load sequence may be unlawful depending on any prior agreements you've made with Google.

It's a brave new world for those of us just now waking up to the Gestapo.

Daniel • May 23, 2016 11:18 AM

@ Lisa. I'm not trying to defend FF. What I especially don't like is that this tracking method is obfuscated by language that on the surface is about protecting your security. FF is not telling the user the whole story and I think it is the height of disingenuousness for them to do that.

At the same time, the post I responded to wasn't being fully truthful either because the problem can be solved. So IMO both parties look bad.

r • May 23, 2016 11:20 AM

@itchy,

I'll try to dig up USC stuff for myself, thank you. Maybe I'll take a couple days to give what I can a fresh read.

windy galley • May 23, 2016 11:40 AM

Whilst on the subject of masking the invasion of privacy behind security features, google has announced that any company that wants to use VirusTotal will now have to use google's official API, thus adding their unsuspecting users to google's tracking list:

blog.virustotal.com/2016/05/maintaining-healthy-community.html

JG4 • May 23, 2016 12:14 PM

slightly off-topic - offline tracking

https://www.rt.com/usa/343981-fbi-secret-biometric-database/
...
Meanwhile, there are companies making products that can confuse or fool facial recognition software. A Japanese company has invented a “privacy visor” that will “scramble digital facial recognition software,” Biometric Update reports.
Specially made clothes and camouflage make up can turn a face “into a mess of unremarkable pixels” in order to throw the technology off.

Illegal! • May 23, 2016 1:22 PM

@JG4

Of course, if Feinstein has her way, since garbage dumps and toilets will be outlawed for being "obfuscation devices" surely that "privacy visor" will be too...

Dusty F. • May 23, 2016 2:04 PM

This paper was a great read and very informative. Thanks for sharing!

I was curious why the researchers didn't include NoScript in their tests since it seems many trackers nowadays make use of scripts to do their work. One example they gave was WebRTC. Curious if NoScript would block this I used a proxy and went to the test site ipleak.net and without NoScript enabled it can see my real IP. With it enabled it could not. With NoScript being such a popular add-on I wonder why they didn't include it. The only tools they seemed to use was Ghostery and I believe AdBlock Plus, based on their mention of the EasyList and EasyPrivacy that AdBlock uses.

I may be mistaken, but if you add NoScript with tracker blockers like Blur and Ghostery that seems to stop the vast majority of trackers, with the exception of browser fingerprinting. The only thing that seems to work is Tor in my experience.

What privacy tools does everyone else use?

jayson • May 23, 2016 2:17 PM

@r

Ignorance is not a valid defense, I think we should take a long hard look at the full USC Codes on computers and networking.

Given the sheer volume of the USC, I'd say ignorance is a valid defense, but not accepted.

Nick P • May 23, 2016 2:56 PM

@ jayson

That even lawyers and some courts specialize should justify that further. That each case brings interpretations from prosecution and defense actually guarantees we're ignorant of how many laws will play out. Yet, untrained, little people accused in court are supposed to have "known better" for any possible legal situation per some courts. Ridiculous.

Clive Robinson • May 23, 2016 4:07 PM

@ Nick P, Jayson,

Yet, untrained, little people accused in court are supposed to have "known better" for any possible legal situation per some courts.

Ridiculous or not, there is a reason for such behaviour by courts.

It's all to do with show and theatre, when "the state" decides that somebody --anybody-- needs to be used to set an example to the rest of society that is what they do.

We all judges and lawyers included unknowingly break laws several times a day. Because there are way too many laws, but also many get abused from the legislators intent and the scope gets pushed way beyond that which is reasonable, so easy convictions can be obtained.

But you don't hear about the likes of judges and lawyers being arrested and prosecuted for these unknowing transgressions. Unless of course the offence is sufficiently aggrvious that it can not be ignored. It's the same with police officers and the "wall of blue silence". That is these people are in a club that you are not, and like all clubs, if you don't offend the other members then you can get away with murder (literally).

Historically punishment was "entertainment" and like Rome's "bread and circuses" was a way to keep the "great unwashed" away from those in power.

Since we have stopped public stoning, flogging, dragging on hurdles, hanging drawing and quartering, the entertainment value has moved into the court room with the visitors gallery etc. But to ensure the great unwashed understand the game, just like a track or field sport the participants wear uniforms to identify their role and rank.

The point is defendants need to understand their assigned position and this has to be clear to all observers, especially the cartoonists and court sketchers.

After all if not how can "justice be seen to be done" for the "public interest" which in reality is propaganda value... They are not called "show trials" without reason, and it is not hard to find them even today.

Behind such lack of real justice are the politicians, crying out at every opportunity for harsher punishments whilst taking kickbacks from lobbyists of private prisons etc. They also set not just the punishment tariffs but the quotas by which those in the law enforcement and prosecution earn their income and political status...

But don't whatever you do peek behind the stage and tell what you have seen, as history shows those in power reserve the harshest of punishments for such temerity, the only worse crime is to break ranks and tell, at which point the ranks turn on you and your demise is as assured as any other Judas.

Not Justice • May 23, 2016 4:14 PM

@Nick P

At its core it's not a system designed to administer "justice" or be "fair"... it's designed to be a game, where two opposing sides are supposed to pull any trick they can get away with to get their way...

Not Justice • May 23, 2016 4:23 PM

@Clive Robinson

Dang it, you always explain it way more detailed than I do...

r • May 23, 2016 5:20 PM

OT, this time...

The cross device sound channel cookies we saw previously is only one of the recent audio advents, there's this: https://thehackernews.com/search/label/Audio%20Fingerprinting

i'm not sure that's the original article i saw.

but when i read it i quickly realized it wasn't the cross device communication but hardware fingerprints.

where there's a will, there's a way.

Cynical about Cynicism • May 23, 2016 5:48 PM

@Clive - while corruption is a definite problem, in this case I think you've found a complex solution when a simple one would suffice; moral hazard. Judges don't accept ignorance of a law as a defense lest everyone avoid knowing the law. "Honestly, your honor, I didn't know that it was illegal to shoot my neighbor." Large organizations would pull this kind of stunt (more often than they already do). You'll actually see this play out in patent law where I've read attorneys will sometimes advise their clients to ignore patent infringement notices so that they can claim they didn't know they were infringing as the penalties are lower.

Clive Robinson • May 23, 2016 7:56 PM

@ Cynical about Cynicism,

Judges don't accept ignorance of a law as a defense lest everyone avoid knowing the law.

Oddly perhaps in the UK that has a wrinkle and I suspect the same is true in other jurisdictions. Laws do have statutory defences but also some laws have the opposite.

In the UK Harold Wilson brought in one of the most draconian pieces of legislation you could imagine, the "Marine Offences Act" to quite illegally under International law go after Offshore Pirate Radio Stations (who Wilson illogically blamed for a previous election defeat, though his second guess of the UK Intelligence Services appears to be more likely).

Like the Wireless Telegraphy Act, a successful prosecution required that the Crown demonstrate that a defendant knew what they were doing was illegal. Thus many "first nicked offenders" could not be prosecuted.

The legislation itself appeared even more quirky in that ownership of wireless telegraphy equipment was not an offense but operating it in contravention of the licensing requirements was... Thus when the Home Office raided a pirate radio station whilst they might seize equipment, they could not retain it if "the owner" came to claim it. Unless they could prove two things, firstly the equipment seized was actually being operated illegally and that the owner was aware it was being operated illegally. For various reasons this was difficult to do.

Without going into all the details, it was not unknown for certain operators when a raid started to flip the power switch off and pull out the last stage "PA Bottles" and the crystal and put them in their pockets (as the Home Office Officials at that time had no rights to either search or detain anyone). Thus if the equipment was seized "the owner" would turn up to claim it, and if push came to shove a simple challenge to the officials to demonstrate it was "working equipment" would fail, thus it could not have been operating...

Needless to say after a decade or two of this behaviour the WTA was updated to stop it. That said there is still other legislation sitting in the statute books like this, such as vehicle ownership / operation. As far as I'm aware nearly all things that required a licence to operate could be quite legally owned without one. This used to be the case with non vintage firearms as well, you could own them display them but not operate them as firearms (to fire projectiles). It appears silly till you consider non breech loading weapons such as ships cannons, there are quite literally thousands of them used as monuments or display pieces outside people's front doors and on their front lawns (they do look better than gnomes). Likewise yacht clubs, civic centers and other places where they would be fired as signals not projectile weapons. The administrative cost of licensing all of them or checking they were properly deactivated and remained that way was once considered to be prohibitively expensive (these days you need a shotgun licence with certain exemptions).

So yes there are times when a defence of "not knowing" is valid.

Carol Bainbridge • May 23, 2016 9:37 PM

@Ivanna Humpalot

Nice list, thanks. Why do you recommend OpenVPN however? Isn't it establishment proprietary closed source evilware? It comes with a purchased computer so surely it's owned? And, we know NSA has broken VPNs to a certain degree.

And question: what do you mean by 'Don't alternate Tor with open wi fi' and what is the security risk you are suggesting?
risk of breaching IP anonymity ?

I love idea of Firefox having a Tor button thus opening it up to everyone. Currently it's the other way around - Tor riding on Firefox

@ Clive Robinson
Audio fingerprinting, while ineffective it's another data point. Keeping microphone disabled in settings should already be usual for readers of this blog?

@ in general everyone
Firefox. There's a google pref cookie which checks everything against google databases. There are add-ons like Decentraleyes which seek to subvert redirects to or through google in general.
As for fingerprinting Random Agent Spoofer add-on which gives random browser configs to subvert profiling.
Firefox appears to receive a great deal of advertisers money and lots of google funding. It is by far the most configurable however.

Firefox phones home and leaks data officially and unofficially in a myriad of ways. This can be corrected in about:config
Below is a user pref file one can install or manually adapt which alters hundreds of settings in about:config to make firefox light years ahead of default settings as far as privacy and security goes.
The official update is Jan 16 but there are more recent unofficial ones. A lot of work by the below crew has gone into refining and assessing how to constantly improve about:config toward a more private 'hands off' experience. There are also some hidden settings not visible in about:config. Mozilla won't make them known to any but their most intimate cabal. Some have been worked out, and with the right key words they can be altered in about:config. Some appear in the list below. Needless to say they seem to relate to privacy concerns.


http://blog.ffextensionguru.com/2016/01/04/the-ghacks-user-js-firefox-privacy-and-security-list/

Carol Bainbridge • May 23, 2016 9:49 PM

@ Dusty F
Ublock Origin is lighter and much more effective than the (already very good) Ad Block Plus

Ghostery has a bad rap by many including Electronic Frontier Federation
While, it may appear to do what it says, it also has an option to send anonymous data about your habits to a third party. This doesn't automatically make them dodgy - but some say 'why trust someone's motivations when you really don't know what's going on behind the scenes?'
But, eff.org have Privacy Badger which has gone many steps ahead by seeking to improve the industry through its mere act of being, and is designed to be user configurable. They explain why it is unique, it's a great effort.

No Script is fantastic but it requires a bit of attention - not for lazy users. one can allow the specific domain you are on, but when you've disabled the rest 'which of those 10 scripts I disabled will let me view comments?' Having said that it definitely is a huge leap forward in protection as per security, and, hopefully, with privacy

Ergo Sum • May 23, 2016 11:22 PM

Browser based tracking is such a yesteryear technology. Who needs that when "telemetry" does much more than cookies, flash-cookies, HTML5 client storage, etc., will ever do.

Go ahead and install Firefox, change to the most private "about:config" file, add NoScript, Ghostery, Agent Switcher, whatever. You think you are ahead of the game by using TOR browser (based on Firefox); well, you are not. Once you turn your machine on, "telemetry" will get you even before you can get to the machine...

I was going to kid about this, but it doesn't really sound like that. Does it?

Wael • May 23, 2016 11:32 PM

@Ergo Sum,

You think you are ahead of the game by xxx

Good rhetorical question!

Carol Bainbridge • May 24, 2016 2:08 AM

@ Ergo Sum

nice response
My serious question is 'where does the telemetry come from?'
my non serious addition was going to be 'is it from the microchips in my brain direct to satellite link?'
so, yes where does the telemetry come from and how does one beat it?
If it's hardware like a 3G connection hidden in intel chips, which aside from using a faraday cage or an underground carpark there isn't much one can do about (no one has mentioned checking this with a RF meter however - you would need a fairly expensive sensitive one. Anyone tried, to prove or disprove this?)
In response to a recent comment, am amused by the idea that microsoft created a free 'no windows 10' malware upgrade designed as free ware, to force people to adopt the windows 10 malware that is being forced upon them.
otherwise, I know people are using older windows like 7, and removing all the updates by code number that relate to telemetry - lists are available of the dodgy ones.
@ Ergo, I am genuinely interested by the source of 'your' telemetry. Incidentally, I noted in the firefox about:config list I referred to, there are explicit 'telemetry' settings that need to be turned off manually

Here's the thing. Unlike everyone else on this blog, I am a non-smart non security professional that only understands a portion of what I read here. When I read the sophisticated design models for attempting to improve upon security I start getting a contracted feeling and a sore brain - not from things I don't understand - but from the suspicious minded approach, trying to cover every single possible hole, trying trying trying. When it really isn't relevant for my circumstances - like that of most people. No corporate secrets or whistling documents.

The wonderful very smart people here are discussing how to amp up security from a, say 93% level, and are wondering 'how do I add an extra 1.2%?' and it makes my head hurt. What I find, in these kinds of discussions, is there no little regard for the level of threat model. People think in an absolute worst case scenario operating at super super high end level of security, when if it was drummed down by about 30% it might actually be practical, realistic, accessible, easy to use and able to be implemented mainstream. So, I write here as an outsider because I get that people here may have a need for the ultra high end security
If we put aside a targeted attack against a person or company of interest (Whether it be state level or private actors perpetrating the attack) for most people most of the time the issue is dragnet surveillance. Finding ways to reduce the attack surface for most people most of the time is what doesn't make my brain hurt - so long as I don't start trying to cover every single tiny little hole in the bucket - because I know I don't have the time, the inclination, the patience, the et cetera, to study the intricate methods that Ivanna Humpalot detailed. Hell, Bruce doesn't even use Linux.

What exactly are you trying to protect - well if you are not the next Edward Snowden, and don't have military grade(sic) secrets, then getting yourself up to for example 60% ( instead of the %95 suggested above) is still going to be pretty good against dragnet surveillance and have a basic foundation of privacy we are all entitled to online, but don't currently have.

while we can feel sorry for princeton, being an elitist precious white male establishment and all that (joke from a non-US person is that okay) what is relevant in these studies (aside from what appears to be slightly non realistic methodology) is how they apply to the bulk of the population. everyone's being spied upon. That is important. Snowden said the NSA ride upon the back of corporate third party trackers, so if you use a blocker that will give you an extra step ahea
i don't have anything to protect so secret I need to refer to the famous cartoon that compares heavy encryption with a $5 wrench for an outcome
if I'm an everywoman, and I want to stop being low hanging fruit, i know that 100% is impossible unless your name is Clive Robinson, and going from %95 to %97.5 makes your brain burst a vessel..
We need to consider what the global human population deserves. What's the %65 solution? We accept email is broken. I am thrilled that Proton Mail has become available, and sorry that there's been no mention of it on this blog for years. Why not? Are people here using Proton Mail?
It's finally ticked every box (Again, provided one's hardware is not targeted personally) and made zero knowledge encryption easy and available. they have proven their street cred. if you read through their web site you have to agree they've done a really good job. Impressive non? Last year they were hit by some of the largest DDoS attacks ever, only a state level actor could really be capable of that. And they raised the money to protect against it happening again. And they explained the mechanisms they are now using as a result. they are being really public about virtually everything.
one of the admins admitted to me they have been received DDoS fairly regularly ever since their recent public launch but won't give the attackers the satisfaction of giving them publicity on social media.
if you think about all the general problems, and there's a long list, with end to end zero knowledge public encryption 'for the masses' being the operative word, proton mail have covered every one of them. we need to think about what we can do for humanity at large, short of unplugging completely. sorry for the long post

TheHairyBanana • May 24, 2016 3:07 AM

@Eager Scallion @Daniel

Just to clarify the safebrowsing aspect of Firefox, read this post, written by a Firefox engineer: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

I'm not defending Firefox, just clarifying. For starters, the cookie is kept in a separate jar. Firefox also strips out any identifying parameters. Google (not that I would trust them) also say this is anonymized. Default out of the box protection for end users against a small set of known malicious sites is not necessarily a bad thing. For the more technically minded, you can turn it all off, thanks to Firefox's preferences.

HERE is some information for you (from my user.js):
// 0410a: disable "Block reported web forgeries" This setting is under Options>Security
// this covers deceptive sites such as phishing and social engineering
user_pref("browser.safebrowsing.enabled", false);
// 0410b: disable "Block reported attack sites" This setting is under Options>Security
// this covers malware and PUPs (potentially unwanted programs)
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
// 0410c: disable google safebrowsing downloads, updates
user_pref("browser.safebrowsing.provider.google.updateURL", ""); // update google lists
user_pref("browser.safebrowsing.provider.google.gethashURL", ""); // list hash check
// 0410d: disable mozilla safebrowsing downloads, updates
// NOTE: These two prefs are also used for Tracking Protection (section 0420)
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", ""); // resolves hash conflicts
user_pref("browser.safebrowsing.provider.mozilla.updateURL", ""); // update FF lists
// 0410e: disable binaries NOT in local lists being checked by google (real-time checking)
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.appRepURL", ""); // google application reputation check
// 0410f: disable reporting URLs
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
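
An added example (not part of the comment above, and not Mozilla's code): a small audit that parses a user.js and reports which of the Safe Browsing prefs listed in that comment are actually overridden. The sample file is constructed; the only pref names used are the ones in the comment, and they should be checked against about:config for the Firefox version in use.

```python
import re

P = "browser.safebrowsing."
# Pref names copied from the user.js excerpt above; no others are assumed to exist.
BOOL_PREFS = [P + s for s in ("enabled", "malware.enabled", "downloads.enabled",
                              "downloads.remote.enabled")]
URL_PREFS = [P + s for s in (
    "provider.google.updateURL", "provider.google.gethashURL",
    "provider.mozilla.gethashURL", "provider.mozilla.updateURL",
    "downloads.remote.url", "appRepURL", "provider.google.reportURL",
    "reportMalwareMistakeURL", "reportPhishMistakeURL", "reportPhishURL")]
# '^' anchoring means a line starting with '//' never matches.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_user_js(text):
    """Return {pref: value}; a later line overrides an earlier duplicate."""
    # Drop /* ... */ blocks (a value containing '/*' would confuse this).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit(text):
    """Map each listed pref to 'off', 'active' (set but live) or 'unset'."""
    prefs = parse_user_js(text)
    def state(name):
        if name not in prefs:
            return "unset"  # the browser default still applies
        return "off" if prefs[name] is False or prefs[name] == "" else "active"
    return {name: state(name) for name in BOOL_PREFS + URL_PREFS}

SAMPLE = '''// Constructed sample, not taken from a real profile.
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
// user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.provider.google.updateURL", ""); // lists
/* user_pref("browser.safebrowsing.provider.google.gethashURL", ""); */
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", true); // duplicate
user_pref("browser.safebrowsing.appRepURL", "https://example.invalid/rep");
'''

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        if state != "off":
            print(f"{state:7} {name}")
```

Anything reported as "unset" or "active" is a pref the file does not neutralise, which is how a commented-out line or a later duplicate silently leaves a lookup enabled.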

Clive Robinson • May 24, 2016 4:36 AM

@ Carol Bainbridge,

I know that 100% is impossible unless your name is Clive Robinson, and going from 95% to 97.5% makes your brain burst a vessel..

If you hunt around, in one of the threads about getting laptops across jurisdictions you will find I made a comment to @Nick P that I did not think I could make a laptop secure against High Level State attackers. You will also find I've referenced a 1930s pre Turing/Church thesis from Gödel[1] that indicates it's not possible to make a single computer 100% secure...

Which means conventional security ideas of laying down solid foundations and building on them don't work 100%. Because you are not trying to build a castle on solid rock nor even shifting sands but on stormy waters with High Level State attackers. Thus without solid foundations all would appear lost on a tempest of uncertainty. Thankfully though there are ways you can cheat such things, like building boats and ships as Henry VIII did that were floating castles. Which is why I'm very much into mitigation techniques, and it appears other researchers are now heading in that direction as well.

One such mitigation is like the old joke about the viper pit "If you don't want to get bit, don't play in their pit". Nobody is yet --as far as I'm aware-- forcing people at the point of a gun to put their entire private life into social media, but people still do though, often without a thought. I don't have any social media accounts, and I gather Bruce only has place holders to prevent others impersonating him. Likewise I do my browsing entirely separately from any of my other activities with even the simplest of projects being air-gapped (I do however energy-gap some stuff).

One area I've consistently complained about when it comes to developers especially of web technologies is "personal roles". The assumption is "one person one technology" so you have one email account through which all private, personal, business and social information goes. This makes life very easy for data gathering types as it's a single point of failure. Likewise nearly all browsing is done through a single instance of a browser, thus you get fingerprinted. The solution which is "the human way" is to have different browsers / email clients running on different machines from different places. Whilst this is difficult at best, technology like VMs and Mix Nets does help, but to use it you need to practice "good OpSec" and for most people, they just cannot do it, they make mistakes and "collect it all" catches them and links the roles together...

It's why I mention using CD based distros and PCs without semi mutable memory (inbuilt hard drives etc). If you have several CDs set up for different roles in your life it makes things easier from that OpSec aspect. But you need to also think about how you manage removable media etc.

The important takeaways are security is about mitigating not solving risks, and technology cannot teach or solve habits that users don't want to change. Thus training yourself not to take target practice at your feet is the first important step. Otherwise you are weaving your own rope to swing from.

The other advantage is that by taking the time to learn and doing things bit by bit you "fade slowly off the radar" which raises fewer alarm bells than suddenly dropping off, which catches the eye of the watchers.

[1] It was not just Kurt Gödel working on this issue at the time; Alfred Tarski was also working on it. Who got there first is unknown, but Tarski is a little bit easier to grasp:

https://en.m.wikipedia.org/wiki/Tarski%27s_undefinability_theorem

Ergo Sum • May 24, 2016 7:32 AM

@Carol Bainbridge...

Telemetry comes from everywhere, OS, apps, browsers (just another app), network devices, etc., you name it, it's all around. Not just the Windows platform, telemetry is built-in to all OSs including OSX, Chrome, some of the Linux distros (pointing at you Ubuntu), mobile platforms, etc. LEOs don't perform mass surveillance, software companies do and they share all of the data with LEOs.

Yes, one can take steps to disable some of the telemetry that is subsequently re-enabled by the next "security" update. Yes, you can uninstall certain patches by code numbers, that may or may not break the system that depends on the code number in question for its stability. Not to mention that the telemetry code could simply be included in critical system files. It's an uphill battle and one slip up can make the whole effort of preventing OS and/or app monitoring the user pretty much useless. The information about the user had been uploaded, by the time one gets around to actually doing it...

One can try very hard to remain anonymous on the web, where email addresses are tied/correlated to one another, browsers collect data and online gathered information is correlated to "offline" user data. You can somewhat anonymize your web browsing via TOR, VPN, etc., that throws off advertisers, browser based user tracking, etc. While these efforts are worthwhile, they do nothing against the OS and apps doing the same...

Disclaimer: Yes, I do remove as much telemetry as I can, use TOR, ProtonMail and other means of anonymizing my web access. But I agree with Clive that there's no way that one can make his/her web access anonymous. Other than staying off the web that is... Even that cannot prevent identity theft, but that's another story...

Bumble Bee • May 24, 2016 9:50 AM

@Ivanna Humpalot, Carol Bainbridge

YES you agree with me at first, and then you spew out a hump of nonsense (it's called FUD, the old Fear, Uncertainty, and Doubt) that does nothing but "cloud" the issue in order to keep the masses in thrall to Microsoft Windows. Oh yeah, if Windows isn't secure enough, just put it in the cloud, where your data are locked up in some proprietary paid-for format. Just so you can dupe someone into believing there's someone to sue if it all goes to pot, which it already has.

It's time to move on, folks.

r • May 24, 2016 11:49 AM

@ergo,

I believe it's fully possible to anonymize your web access.

You just have to operate with a borderline maligned pre distribution mindset and...

Invest in Raspberry Pis and other larger IoT devices.

You could install cellphones too, keep them in airplane mode and parasitize connections that way, but it's considerably more work adapting to power issues, hiding the hardware and praying that some subset of the system you're setting up isn't backdoored.

I struggle with homogenization issues.

r • May 24, 2016 11:51 AM

@ergo,

Then chances are you've left physical breadcrumbs like purchase orders, DNA, video evidence and cellular proximity.

r • May 24, 2016 11:55 AM

@ergo,

For the time being if you own or have access to a work van or truck you can parasitize solar lights in people's yards. They contain batteries and power collection devices and I doubt one of twenty would be missed for a day or so.

Dusty F. • May 24, 2016 12:23 PM

@ Carol Bainbridge

I've heard uBlock Origin is a great program and I did try it a while back but for some reason I didn't like it and uninstalled it. I cannot remember why, but I think I'll try out the program again and see what I think. I'm thinking it may have interfered with some other add-ons, but I don't recall.

I've looked at Privacy Badger too and if I recall it's not really a tracker blocker, but it allows trackers that promise to abide by their DoNotTrack policy and knowing how advertisers already ignore Do Not Track requests I didn't think it would be as effective as a total blocking solution, like Ghostery.

I agree that Ghostery's practice of providing the effectiveness of various trackers to ad companies isn't that great for a privacy company (I don't believe they send any private info as far as I'm aware) but they are upfront about it and allow you to easily opt out during set up. I must admit that given its reputation I have often wondered if perhaps it's doing something malicious in the background but after reading the above report the researchers didn't notice any suspicious activity and they said it was very effective at blocking what the user wants blocked. That was reassuring to read. But if you know of any evidence of their doing something malicious behind the scenes please let me know so I can reevaluate my use of it. Thank you!

It's funny you say that about NoScript. For years I have been a bit anal when it comes to the security of my computer. I have at least tried or used the vast majority of privacy and security programs out there and on my old Windows machine (that I no longer use) at one time half of the programs I had installed were security programs, which slowed down my computer significantly. All of the blockers I had, layer upon layer, multiple programs handling similar tasks, and all of the pop-ups drove my friends crazy when they wanted to use my computer. I had friends who didn't even want to use my computer at all after a while! I suppose I've just gotten used to it. Once you use NoScript for a while and experiment you know which sites to allow and which not to. For example there are only three sites you need to allow with YouTube then it works fine, at least for me.

@ Ergo Sum

I agree with you. It really upsets me how so many of these companies track you and log your activities. I remember when the only time you saw ads was when you downloaded a free program, and that was only to help out the developer. That was OK so long as they were non-intrusive and they were only small ones within the program itself but nowadays Apple, Google, and now Microsoft (among countless others) are gathering up all of your data, even when you pay hundreds of dollars for their services!

I don't like what the net has become, taken over by multinationals. We need to take the net back so it's free to use for everyone without the user being bought and sold.

r • May 24, 2016 1:18 PM

@dusty f,

Set up a legitimate service over Tor. The free web has gone partly underground and running a quality service over/under Tor, I2P or Freenet is a good way to make such a statement.

To reinforce that concept, run properly such a site can be more secure and more private than any respective alternative on clearnet.

Imnsho.

r • May 24, 2016 1:20 PM

@dusty,

As an added bonus, there's no way your home ISP can tell you're running a business from your house.

It's up to you to passively resist the trend of fine grained commercialization.

Dusty F. • May 24, 2016 4:15 PM

@ r

Just a random thought. @ r (or whoever) seems so impersonal. Why not, Hi, r! 8-D

I agree. I'm actually using Tor now and have never posted comments here without it. After all, I would be shocked if the NSA wasn't actively monitoring everyone who has had access to the Snowden documents.

I've made use of my "freedom of speech" in the past and have paid for it, so I make sure I use Tor all of the time now. All I can say is that I was incredibly naive back then.

r • May 24, 2016 4:30 PM

@dusty,

I post here currently from an unadulterated connection. I'm probably where you were before they drew blood...

So you're aware, aside from my inability to reinvent my lingual habits... I was thinking about maybe adopting 'hairbrained' earlier, chances are though the mask would quickly wear as I have little impulse control apparently.

مخابراتYN • May 24, 2016 5:39 PM

Most of the time your privacy protection doesn't need to be perfect: just don't be the low-hanging fruit. That's because commercial and government surveillance operate on the same principle: pick the low-hanging fruit and brag about it. NSA brags about the tiny African wastelands they spied on, and the trusting NATO satellites like Germany that they betrayed. Doubleclick brags about the helpless social-media victims they spy on. And if you're an investigative journalist and you want to catch shit-for-brains criminals lying about violent crimes they have committed, you pick the stupidest, most ignorant low-hanging fruit:

http://www.capitalnewyork.com/article/city-hall/2015/03/8563947/edits-wikipedia-pages-bell-garner-diallo-traced-1-police-plaza

http://www.tcpiputils.com/browse/ip-address/206.212.144.27

...the shaved apes of the NYPD!

So here's your litmus test: Is the average NYPD Gunfighter stupider than you? (Hint: yes, if you can eat with a spoon.)

Then never fear, your OPSEC can protect you.

Dirk Praet • May 24, 2016 7:10 PM

@ Ivanna Humpalot

YES. But, better than vanilla Linux (with millions of lines of potentially vulnerable code in the kernel alone) is Qubes, since - courtesy of qubes-os.org

You may also wish to look into Subgraph OS.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.