2019 Resolution #2: Blocking Online Trackers

The Myth of Online Privacy
Background

Welcome to the New Year. This year could be a banner year in the fight to ensure our online privacy. Before now, the tools of surveillance have overwhelmed the tools of privacy. And the perceived need for new Internet content has outweighed the real difficulty of protecting your online privacy. For years, privacy advocates (including myself) have chanted the mantra of exploiting public key encryption. We have told people to use Tor or a commercial VPN. And we have told people to start using two-factor authentication. But we have downplayed the importance of blocking online trackers. Yes, security and privacy advocates did this for themselves. But most did not routinely recommend this as a first step in protecting the privacy of our clients.

But the times are changing.

Last year (2018) was a pivotal time in the struggle between surveillance and privacy. The constant reporting of online hacks has risen to a deafening roar. And worse still, we saw the shepherds of our ‘trusted platforms’ go under the microscope. Whether it was Sundar Pichai of Google or Mark Zuckerberg of Facebook, we have seen tech leaders (and their technologies) revealed as base – and ultimately self-serving. Until last year, few of us realized that if we don’t pay for a service, then we are the product that the service owners are selling. But our eyes have now been pried open.

Encryption Is Necessary

Security professionals were right to trumpet the need for encryption. Whether you are sending an email to your grandmother or inquiring about the financial assets that you’ve placed into a banker’s hands, it is not safe to send anything in clear text. Think of it this way. Would you put your tax filing on a postcard so that the mail man – and every person and camera between you and the IRS – could see your financial details? Of course you wouldn’t. You’d seal it in an envelope. You might even hand deliver it to an IRS office. Or more recently, you might send your return electronically – with security protections in place to protect key details of your financial details.

But these kinds of protections are only partial steps. Yes, your information is secure from when it leaves your hands to when it enters the hands of the intended recipient. But what happens when the recipient gets your package of information?

Encryption Is Not Enough

Do the recipients just have your ‘package’ of data or do they have more? As all of us have learned, they most certainly have far more information. Yes, our ISP (i.e., the mail man) has no idea about the message. But what happens when the recipient at the other end of the pipe gets your envelope? They see the postmarks. They see the address. But they could also lift fingerprints from the envelope. And they can use this data. At the same time, by revealing your identity, you have provided the recipient with critical data that could be used to profile you, your friends and family, and even your purchasing habits.

So your safety hinges upon whether you trust the recipients to not disclose key personal information. But here’s the rub. You’ve made a contract with the recipient whereby they can use any and all of your personally identifiable information (PII) for any purpose that they choose. And as we have learned, many companies use this information in hideous ways.

Resist Becoming The Product

This will be hard for many people to hear: If you’re not paying for a service, then you shouldn’t be surprised when the service provider monetizes any and all information that you have willingly shared with them. GMail is a great service – paid for with you, your metadata, and every bit of content that you put into your messages. Facebook is phenomenal. But don’t be surprised when MarkeyZ sells you out.

Because of the lessons that I’ve learned in 2018, I’m starting a renewed push towards improving my privacy. Up until now, I’ve focused on security. I’ve used a commercial VPN and/or Tor to protect myself from ISP eavesdropping. I’ve built VPN servers for all of my clients. I’ve implemented two-factor authentication for as many of my logons as my service providers will support.

Crank It Up To Eleven

And now I have to step up my game.

  1. I must delete all of my social media accounts. That will be fairly simple as I’ve already gotten rid of Facebook/Instagram, Pinterest, and Twitter. Just a few more to go. I’m still debating about LinkedIn. I do pay for premium services. But I also know that Microsoft is selling my identity. For the moment, I will keep LinkedIn as it is my best vehicle for professional interactions.
  2. I may add a Facebook account for the business. Since many customers are on Facebook, I don’t want to abandon potential customers. But I will strictly separate my public business identity/presence from my personal identity/presence.
  3. I need to get off of Gmail. This one will be tougher than the first item. Most of my contacts know me from my GMail address (which I’ve used for over fifteen years). But I’ve already created two new email addresses (one for the business and one on ProtonMail). My current plan is to move completely off of GMail by the end of 1Q19.
  4. I am going to exclusively use secure browsing for almost everything. I’ve used ad-blockers for both the browser and for DNS. And I’ve used specific Firefox extensions for almost all other browsing activities that I have done. I will now try and exclusively use the Tor Browser on a virtual machine (i.e., Whonix) and implement NoScript wherever I use that browser. Let’s hope that these things will really reduce my vulnerability on the Internet. I suspect that I will find some sites that just won’t work with Tor (or with NoScript). When I find such sites, I’ll have to intentionally choose whether to use the site unprotected or set up a sandbox (and virtual identities) whenever I use these sites. Either way, I will run such sites from a VM – just to limit my exposure.
  5. I will block online trackers by default. Firefox helps. NoScript also helps. But I will start routinely using Privacy Badger and uMatrix as well.

Bottom Line

In the final analysis, I am sure that there are some compromises that I will need to make. Changing my posture from trust to distrust and blocking all online trackers will be the hardest – and most rewarding – step that I can make towards protecting my privacy.

The Egyptian Crisis Proves the Need for Anonymity

I had a very interesting conversation at work yesterday.  Someone I work with asked me about the “cool tools” that I really believe in.  After thinking long and hard about the question, I told him that I believe in freedom of speech and I believe in anonymity as a bulwark to ensure both the freedom of speech and the freedom of thought.  He nodded his head at the blandishment.  Then I told him about TOR (the onion router).  After a few minutes, he asked for a URL.  So I gladly pointed him to http://www.torproject.org.
Most of the time, I am greeted with crickets when I talk about TOR.  In fact, most people recite the old rubric that if you have done nothing wrong, then you should have nothing to hide.  While I often agree with this sentiment, I always cringe when I hear it.  Why?  Because Americans have a fundamental right to think and speak whatever is in our hearts and minds.  But in some places, the definitions of right and wrong are horribly twisted.  During times of great crisis, freedoms are routinely challenged.  And that is exactly what is happening in Egypt today.
I am not informed enough to know whether President Hosni Mubarak is or is not a tyrant.  He is unelected.  And he has been the unelected leader since the death of Anwar Sadat (over thirty years ago).  And he has suppressed speech – especially the speech of the extreme minorities (like the Muslim Brotherhood).  Do I want a stable regime that is peaceful towards Israel to be replaced by some unknown group that may be hostile to peace?  Absolutely not.  But I can’t read the future.  So I won’t comment on what I would like to see.  Again, I am not familiar enough to pick “right” and “wrong” in a complex multinational  struggle.
But I do know this: when freedom is challenged, geeks turn to technology.  And there are geeks in Egypt that are turning toward TOR.  When President Mubarak shut down cell phones, messages came from alternate sources.  And when folk feared that their browsing and their postings would be monitored, they turned to the tools of anonymity.
TOR usage has skyrocketed.  There are now four times as many people using TOR to ensure their anonymity.  And the number of relays supporting these users has also skyrocketed (see below).
This spike in relays is across the globe.  And geeks everywhere are bombarding Twitter and they are deluging Facebook.  And folks are starting to march in America.  I am so glad to see that people are engaged and active.  I am not certain what outcome I want to see.  But I do want to see freedom of speech and freedom of thought flourish in times of turmoil.  So count me in.
-Roo


Why Use Tor?

So why should you use Tor?
That’s a good question.  First, you need to know what Tor does.  I find that simple descriptions are often the best.  So here is my simple version of what Tor is: Tor is a means of tunneling specific messages (i.e., traffic) through an anonymous (and reasonably secure) network.  Wikipedia describes it here.
Many people look at Tor and ask why is such a thing needed?  Their questions presuppose that they trust the networks that they communicate across.  Most folks think Tor is just for copyright violators, organized criminals or other unsavory netizens.  But that is both too simplistic and too trusting.  Tor is for anyone who needs to ensure that their communications across the network remain anonymous and/or secured.
Let’s consider a real-world example. There are many nations that do not allow for the Bible to even be carried. Further, many countries routinely persecute and prosecute people that publicly proclaim the gospel of Jesus Christ. But the gospel cannot be silenced by mere mortals. There are men and women who have always been willing to share the Word of God regardless of the cost to themselves.
And throughout the world, tyrannical governments seek to squelch opposition by monitoring the communications of their citizens.  Indeed, you could easily argue that the majority of people in the world are being “watched” by the very governments that should defend their liberties.
Like the early Christians in ancient Rome, there will always be those who stand for truth and justice rather than simply obey corrupt civil authorities.  And in these nations, tools that help maintain the anonymity of persecuted citizens are very important tools indeed.
If you don’t believe that this was true for our nation, then ask yourself why so many of our founding fathers used pseudonyms for their writings.  Indeed, even the authors of the Federalist papers used pseudonyms – although not just for the sake of anonymity.
-Roo


Not So Seamless – But Oh, So Delicious

Sometimes, you have way too many balls in the air.  I saw the shiny bauble (Tor on my Droid 2) and I had to chase it.  Here is what happened:

  1. I tried to download the tool from the Tor site.  That proved fruitless.  I was connected via 802.11 to my home network.  And my home network has content filtering through a third-party.  And this site was blocked.
  2. Consequently, I had to disconnect from the home network and connect via the 3G network.  The download still had some problems.
  3. So I downloaded to my PC and connected up the USB cable. From there, I moved and launched the package installer. The installer did its job and Tor was on my phone.
  4. Too bad I couldn’t connect to the Tor network.  I tried the default test site from my Android browser and was greeted with the fact that my browser wasn’t using Tor.  That made some sense as I hadn’t pointed my browser to a local proxy that was configured to use the Tor connection.  Since Orbot uses Privoxy, I had the proxy.  I just had to configure the browser to use the proxy.
  5. Unfortunately, changing the proxy on the default Android browser is not as easy as you might think.  There are plenty of articles about how to update the settings if you have rooted your phone; I have not as I want to see what an average user can do with their phone.  But most articles also said that you could use adb to update the settings.
  6. I went ahead and tried to use adb. But I had some issues getting adb to work from my PC to my Android phone. The basic trouble is that I had already changed my SDK to support Gingerbread. And adb was moved in the new SDK to the platform-tools directory. That one was easy to fix: I just had to change my PATH to include the new directory.
  7. The next attempt was also unsuccessful; I had authorization problems.   Rather than keep stumbling, I turned to “off-the-shelf” solutions to update the proxy setting.
  8. Fortunately, there are plenty of tools in the Android Market to change the proxy settings.  Once I downloaded one of them, I changed my browser’s proxy settings and retried the test that comes within Orbot.  The results of that test are found in the image above.

I’m not done with my tests.  But I am encouraged that I can now encapsulate everything from within a Tor tunnel.  More to follow…
-Roo


It's About Time – In So Many Ways

This week was quite surreal.  I’ve spent almost thirty-five years working with computers.  [Note: That includes a few years as a teenager.]  I’ve built computers from scratch.  I’ve held practically every job you can imagine in the software industry.  But I have never been officially certified in anything.  So I’ve been confronted with one of my own personal boogeymen: I must take a test that I must pass in order to keep my job.  What’s up with that?
I have chafed at the utter indignity of it all. And I’ve been more than a little bit apprehensive about the upcoming test. [Note: I’m taking my test on December 27th. So I would really appreciate your prayers.] And I’ve also laughed at the ridiculousness of such tests. As a senior leader, I recognize the importance of such things. And as an individual contributor, I recognize the fact that such tests are really poor predictors of performance. But as a man called by God to set an example, I must set any and all of these other considerations aside. I must prepare as if I were doing this for the Lord – as indeed, I am. And I must demonstrate my faith with my gentle attitude. So I am soldiering on.
So after a long week of staring at LCD monitors, I was so glad to get home and just relax. Of course, that didn’t happen.  Things have just kinda stacked up at home.  So I finally got some time to attend to some overdue items.
I finally got my revised taxes submitted to my state’s department of revenue. This is always arduous, frustrating and altogether soul-rending.  But I just needed to set aside a few hours to pull all the pieces together.  Hopefully, the state will understand what I have submitted.  But if they don’t, this will take a whole lot more time to iron out.  But I’ve taken the first few steps in the journey.  So I have a smile on my face.
I also had to assemble all of my ‘dependent’ verification documents for my employer. BTW, I’ve never had to provide so much data before. I had to get birth certificates for everyone. I even had to find my marriage certificate. Unfortunately, the marriage certificate was in a safety deposit box at a bank that I haven’t visited for over twenty years. Neither Cindy nor I could find the keys for the safety deposit box. So after paying to have the lock drilled out, we retrieved our marriage certificate. And we bought a fire box so that we could securely store all of these documents in the house. As of now, all of the older and newer documents that need to be protected against calamity are now safely tucked away in a hiding place that can survive fires or tornadoes. With this done, I got all of the ‘dependent’ information bundled together and sent to my employer.
In addition to this, I’ve finally finished all of the retirement consolidations that I’ve been doing over the last few months.  It’s nice to have all of the administration in one place.  And it is good to have my retirement savings properly invested in a diverse number of well-managed funds.  I can’t wait to do my next quarterly review in order to see how well (or poorly) we’ve done with my new plans.  I certainly can’t do any worse than I did when almost everything was vested in (and through) only one corporation.
But these things aren’t what prompted me to write this post.  Yes, all of these things were woefully overdue.  But this morning, I got a chance to ‘geek out’ – just a little.  My classes have focused on information security.  And I have always been an idiot-savant in this area.  I’ve never had any formal training in the subject – even though I was a senior security engineer about twenty-five years ago.  I’ve always learned by doing.  And I have a passing familiarity with the subject.  [Note: If you don’t believe that last statement, just read some of my posts over the years.  You’ll see that I am wholly entranced by security and privacy matters.]
With the purchase of my Android phone, I’ve had to confront a whole lot of privacy issues.  I use my phone to securely connect to my home computers.  To do this, I tunnel VNC through SSH.  I also store some fairly important documents on my phone.  So I use Truecrypt (on my PC) to create and store a secure backup of a small number of important files.
But I’ve always had to encrypt the data myself.  Or I’ve had to use other tools on my phone and/or PC.  Basically, all of these tools were file-oriented solutions.  At the same time, there were very few options to securely encrypt streams of data between the phone and other computers.  Yes, I could use https to build a secure tunnel to the site I was interacting with.  But if I wanted to secure all traffic, I was out of luck – until now.
The folks at the Tor project have released an Android tool named Orbot.  I had a little trouble downloading the tool OTA.  But I finally got it by transferring the package to my SD card.  Over the next few days, I’ll be testing this tool to see how it works.  I am pretty darned psyched that this tool is now available – and it’s about time that phones could participate on the Tor network.

-Roo



A Maze of Twisty Passages…


I am definitely an old school gamer.  My son plays games like Modern Warfare 2 and Left 4 Dead 2.  But I started when games required thought and not just lightning-fast reflexes.  And one of the very first computer games I remember was Colossal Cave.  I first played it on an IBM S/370 that ran MVS and TSO (i.e., Time Sharing Option).  But some of my most favorite memories of the game were when I played it on the Heathkit H89 PC that I soldered together with my own hands.
And there was one part of the game that always fascinated me: the maze of passages.  Actually, there were two such mazes: one had twisty passages that were all alike and the other had twisty passages that were all different.  And in these tunnels, you could either become lost forever or find the pirate’s treasure.
So what does this game have to do with anything?  It’s simple: the use of tunnels can lead to frustration or it can lead to treasure.  For today, I’m going to talk about tunnels that can be used for treasure.
Most of us know about one form of tunneling or another. Many people use (or know about) SSL tunnels and/or IPSec tunnels. These kinds of tunnels are commonly used by many folks who must use VPN technologies to access resources that are secured behind corporate firewalls. Most people have no real idea of what is going on “behind the scenes” when they use their corporate VPNs. But the basic premise is simple: one kind of data that is commonly blocked can be “wrapped” within another kind of data that can be allowed to pass. Think of this as the knife in the birthday cake. The guards won’t allow the knife to be given to a prisoner. But the guards can be fooled if the real payload is hidden from sight.
Of course, this analogy is simplistic – and somewhat deceptive. Tunnels are not used just to hide nefarious objects from the prying eyes of the world. They are more commonly used to control the kinds of data that pass the sentry points in a system. Think of it this way: if the cargo hole in a ship is shaped like a square, then valid cargo must also be shaped to accommodate the size and shape of the square entryway.
For those who have a little more knowledge, there are other forms of tunnels that are commonplace. For example, SSH tunnels are de rigueur for most system administrators. SSH tunnels can be associated with commercial tools (like VanDyke’s Secure Shell or BitVise’s Tunnelier). But they can also be used with open and freely available tools (like sshd and PuTTY). I use SSH tunnels for so many things. SSH is used to secure my router. It is also used to securely access my home systems from any location on the Internet.
But amongst those who work with security for a living, there are many other forms of tunneling – some widespread, others obscure. For years, TOR (The Onion Router) has been used as a means of anonymous (and encrypted) browsing. And TOR has often been used with local proxies that ease the burden of tunnel configuration and workload separation. But recently, the use of TOR and local proxies has gotten a whole lot simpler. You can now download a single package that will install and configure a browser, a proxy and TOR onto a portable platform (i.e., a USB key). In this kind of configuration, you can insert a USB device into almost any system connected to almost any public hotspot. Once the browser is launched, you can commence anonymous and secure browsing of the Internet.
And these tools can now be combined with all sorts of other tunneling tools.  For example, you could tunnel TOR traffic within SSH and then forward it across a DNS tunnel.  This would allow you to bypass most content filters established on the networks to which you might be connected.
Is this cool technology?  Most definitely it is.  Can this technology be used for good things?  Of course it can.  Consider an evangelist within a repressive country.  Such a person can connect and communicate with others within his country or with those who are outside his country.
But can this technology also be used for nefarious purposes? In candor, it certainly could be used for illegitimate purposes.  But I think of these kinds of technologies in the same way that I think of freedom of speech.  We must allow gross and unseemly speech if we want to have any freedom of speech.  Otherwise, our speech (however comely and delightful it might be) could be considered objectionable – and hence, controllable.
So what should we do about the maze of twisty passages?  In my narrow view, I must come down on the side of allowing such technologies.  They can be used for good or “twisted” into unacceptable uses.  Of course, the same thing is true about guns.  They can similarly be used for unsavory purposes.  But the protection of our liberties will lie in our ability to use tools that allow us to secure and protect individual liberties – even when this means that the state will have a more difficult time dealing with the criminals.
-Roo