Friday, March 29, 2013

Blog Series: How to be anonymous on the Internet

These days, it seems everyone wants your data. From hackers to corporations to governments, just about everywhere you look someone is buying, stealing, or grabbing your data. In many cases, the types of information these entities collect might seem harmless. But what happens if several of these data collectors partnered together to share data? What if they used the data they have about you to create a profile? What if your data painted a picture that wasn't accurate or, possibly, dangerous to your liberty?

In reality, that's exactly what's happening. Corporations and governments are partnering at an alarming rate to share data and profile everyone on the planet. If that sounds like the plot to a new Tom Clancy novel or some insane ranting of a conspiracy nut, spend some time doing searches on your favorite search engine for terms like 'CIA partners', 'NSA partners', 'Big data', 'CISPA', etc. and you'll quickly see that the 'conspiracy' is dangerously real.

The scariest part is that the profiles of us that are created are often far from accurate. For example, did you know that if you were a Ron Paul supporter in 2008, the FBI thought you were also likely to be a domestic terrorist (or one in the making)? Obviously, that's not true of most Ron Paul supporters but it illustrates how personal data linked to us can lie. That's why destroying the link between our data and ourselves is vitally important.

Over the next few weeks, I'll be posting a series of articles on how to be anonymous on the Internet. We'll start with the basics and work up to the more advanced techniques and we'll be using all free, open source, tools to do it. I'll warn you ahead of time that it's not an easy task and it's one where one single mistake can completely destroy your anonymity. But it's a path worth following if you're seriously interested in your privacy.

So check back in a few days for my first installment of the series. And feel free to give feedback as we go along. If all goes well, by the time we're done, all of my readers will be completely anonymous to me.

And that's just the way I like it!

Friday, March 22, 2013

Using Skype can get you killed!


It might come as no surprise to you that the popular chat program, Skype, has some flaws. But researchers have recently discovered a flaw so dangerous that, in the right circumstances, it could get you killed.

Anytime you connect to something online, be it a website, a chat program, or anything else, you leave a trace that you were there in the form of an IP address. Your IP address is a set of numbers that uniquely identify your computer while it's on the Internet. In some cases, those numbers change from time to time but the important thing to remember is that, whatever the numbers and however often they change, they always identify your specific connection. These numbers are assigned to you by your Internet provider every time you connect to the net.

When you connect to Skype, just like any other online service, you leave your IP address as a record that you were there. In most cases online, only a site's administrator can see your IP address by going through the logs but in Skype's case anyone can find it by using one of the many simple, free, 'Skype Resolvers' out there.

I'm not going to go into the technical details about how the flaw works but the threat is that Skype leaks the last IP address you were using the last time you connected (which might be your current IP address if you are currently connected).

Why is this dangerous and why do I believe it could get someone killed? Because your ISP keeps logs of what IP addresses it assigned to you at any given time. That means that, knowing your IP address, I can find your ISP. Finding your ISP means I can either social engineer or hack an account address for you from your ISP. Having that information means I can stalk, harass, or even kill you.

This is a flaw that Microsoft (the current owners of Skype) must fix. Until they do, I'd like to encourage everyone to boycott Skype and send a letter to them letting them know why you're doing so. There are other, better, more secure, programs out there that do the exact same thing that Skype does and they're completely free and open source.

Some options:
  • Jitsi (www.jitsi.org)
  • Ekiga (www.ekiga.org)
  • Pidgin (www.pidgin.im)
  • Adium (adium.im)

Skype is proving to be a risky and outright dangerous program to use. It simply isn't acceptable for Microsoft to expect users to accept this level of poor security and users are the only ones who can do something about it.

How serious are you about your security?


Thursday, March 21, 2013

AnonyMail 2 is on the way!


Over the last few months, since the release of AnonyMail, I've been reading user feedback and trying to think of ways to make the program better for version 2.0.  Two of the most requested features have been implementing Tor support so that even we have no way of knowing who you are and having the ability to stagger email delivery to make traffic analysis a little harder.

AnonyMail 2.0 is right around the corner and I've implemented both of these features. I'm also considering supporting routing traffic over the i2p network although, not being as familiar with it as I am with Tor, that might have to wait until the next upgrade.

The new release will have a number of improvements:
  • A 'cleaner' user interface
  • Support for multiple AnonyMail servers*
  • Support for AnonyMail Server chaining
  • The ability to route traffic over the Tor network
  • The ability to stagger mail delivery
  • Rich text email!
  • The ability to add attachments to email messages
  • Support for more than one recipient**

* With this release, I am also going to be releasing the "AnonyMail Server" as an open source Python script. This will allow anyone to easily set up and run an AnonyMail server and I hope many will. This will strengthen the network and make it harder for mail from the program to be censored or blocked.

** I'm still going to implement a limit on the number of recipients you can have on one message because I don't want AnonyMail to be used for spam. But the limit will be high enough where it shouldn't affect regular users.

My 'estimated' release date for version 2.0 is April 15th. The program will be available for Linux and Microsoft Windows with a Mac port coming by July. The price will still be $2.99 for either version.

Wednesday, March 20, 2013

Under CISPA, who can get your data?

The Electronic Frontier Foundation posted an interesting article on their Deeplinks blog yesterday asking the question of 'who has access to your personal and private data if CISPA were to pass'. It turns out, the better question is who doesn't have access?

CISPA, which stands for the Cyber Intelligence Sharing and Protection Act, is supposed to streamline the sharing of data between private industry and governmental agencies. Ostensibly, this type of law was needed because of the threat of cyberwar with the Chinese or the Iranians or whoever the bogeyman of the week was when they came up with the legislation.

What the law actually does, however, is allow industry to share your personal information with just about any government agency from the Food and Drug Administration to the National Security Agency and leaves you with absolutely no recourse should that information be misused.

This isn't the first time CISPA has been a threat to our liberties. Two years ago, thanks to a concentrated effort of activists and companies, the law was defeated along with other ill-conceived privacy invading legislation like SOPA but CISPA sponsors vowed that they would reintroduce the bills when conditions were more favorable. Looks like that time is now and it's important that we band together to defeat this horrible legislation one more (and hopefully final) time.

What can you do? There are a few things:

1) Call your member of Congress (find their contact info here) and let them know you will not tolerate them voting for such a law. Explain how it violates privacy and why you don't support it. Make it clear that, if they vote for it, you will not vote for them in the next election.

2) Vote with your wallet! Find the names of the companies that support CISPA (old list but still valid) and don't do business with them. But don't just stop doing business with them, write a letter, make a call, whatever, and tell them why.

3) Educate your friends on what CISPA is and why it's bad and dangerous. Laws like these often get passed because most people have no clue what they are or that they are even being considered. Be the leader in your circle of friends and family and educate, educate, educate. The EFF has a few excellent articles on their blog about it that you should be able to use as a resource.

We can beat this bill again. But it's going to take a concerted effort from us all if we want to see a final victory.


Tuesday, March 19, 2013

Google starts to block instant messaging invites

Late last week, it was reported by the Free Software Foundation that Google had begun filtering out instant messaging invites to its Google Talk service from non-Google services. Google Talk uses an open protocol called XMPP for its messaging platform which, in theory, means that users of one XMPP service can chat with users on any other XMPP service by simply adding them as a buddy.

But on February 13th, Google's Per Gustafsson sent a post down the Jabber [Operators] mailing list complaining that Google was seeing an inordinate amount of 'spammy' invites and wondering if Jabber could 'do something about it' or else Google might be forced to tighten the amount of invites from non-Google XMPP services that would be passed to users per day.

It seems like Google made good on that threat as users are widely reporting that invites from outside of Google's domains are often mysteriously disappearing and never reaching their intended recipient.

As the Free Software Foundation article pointed out, what Google is doing is akin to allowing only other Gmail users to email each other and blocking all emails from outside domains. It's forcing users who want to chat with their friends who use Google Talk to either convince their friends to move to another service or to give in and use the Google Talk service themselves.

One of the strong points of XMPP has always been its federation. Having the ability to add friends from Google Talk, Facebook, and other XMPP services is one of the reasons people are drawn to XMPP over more proprietary protocols. Google's move to restrict communication in this way is making sure the web is a more walled off, Google-centric, place for those who use the company's services.

Unfortunately, there doesn't seem to be much we can do about it at the moment but I encourage everyone to email Per and let him know you are unhappy with Google closing their users off from the rest of the Internet in this way.

This reeks of control and centralization. Do you really want Google to decide who you can be friends with?

Saturday, March 16, 2013

The FISA/Echelon Panopticon


 

Is America being groomed by the surveillance state? James Corbett of "The Corbett Report" seems to think so and it would seem that he's right.

Friday, March 15, 2013

Why I can no longer recommend Ubuntu to friends and family

I've been an avid Linux user for almost a decade now and I've tried just about all of the mainstream distributions. For the most part, I found them adequate but sometimes cumbersome to use and it took me a long time to find a distro that I could recommend to friends and family.  When I tried Ubuntu in 2008, I fell in love. It was everything I wanted in a Linux system and it was something I thought even my most technophobic friends and family could easily work with.

That's why when I first heard stirrings of 'spyware in Ubuntu' circulating around the net, I was immediately very suspicious that this might just be some ploy to harm a pretty successful distro. But my suspicions were proven wrong when I started digging into the source of the accusations and saw it was, for the most part, tied to the new shopping lens that Canonical had introduced in 11.10.

The shopping lens, which is on by default, will send information about you to selected Canonical 'partners' when you do certain types of searches in the Dash. It was originally rumored that the Dash "Privacy Policy" included sending keystrokes but the current one seems not to include that particular bit of nastiness.

What information does Ubuntu collect about you and share with their 'partners'? Well, according to the Privacy Policy they share only your IP address and the term you searched for. Sure, that doesn't sound like that big of a deal on the surface but what if you're searching for something controversial or even illegal? Canonical has made sure that they share enough information with their partners (and maybe they log it on their end too) to draw a digital trail right to your door.

Some people have defended this unacceptable behavior by Canonical by saying "but you can turn it off" or "then don't do anything illegal".  I'm not going to touch the 'don't do anything illegal' aspect of it because we'd have to go into a long discussion about legality, morality, and oppression, but let's talk about the ability to turn it off.

As an experienced Ubuntu user, I know my way around the system pretty well. For me, it's easy to go from place to place, disable services, install and remove software, and all the things that are required to administer a home Linux system. But what about Joe Noob? What about the guy who knows very little about computers and just wants to escape the clutches of Microsoft or Apple? Or the grandma who doesn't want to buy a new computer so she installs Ubuntu on her older machine to eke out a few more years of life from it?

Allowing users to opt-out (if they know about it and if they can figure out how to do it) is not an excuse for installing automatic privacy violations into a system. The correct way to handle it would be to make it an opt-in system where users who wanted that particular feature could easily turn it on and those who didn't even know it existed were automatically protected.

Canonical dropped the ball on this one big time. I know it's an old issue at this point but I wanted to wait a bit before saying anything to see if they would remove it in a future release. Looks like it's here to stay and so I'm gone from Ubuntu. I cannot recommend a system that, by design, violates privacy.

Don't get me wrong, I still really like Ubuntu and I'm not abandoning everything about it. Instead, I'm abandoning everything to do with the Unity Desktop Environment (of which lenses are a part). I'm opting to use XUbuntu (a system based on Ubuntu but without Unity) instead of mainline Ubuntu and, I have to say, I couldn't be happier. It's what I'm recommending to others as well and have already done more than 5 installations of the system to those wanting an alternative to Windows and Mac.

I hope that, one day, Canonical realizes the error of this decision. But looking at how they are pushing things forward these days, I wouldn't hold my breath.

Thursday, March 14, 2013

The world does not need another mobile operating system

There's a lot of excitement around mobile these days. It seems like everyone from the 7 year old down the block to 90 year old grandmothers are getting on the app bandwagon and busying themselves coding up some new hotness that they think will be a hit. Personally, I think that's great. Putting the power of app development in the hands of everyone is a fantastic way to guarantee that you get some freaking awesome (and horrible, sometimes) apps. It's a win-win for everyone.

With all the excitement going on in app development, you might be forgiven if you completely missed the bloodbath going on in mobile operating systems. Mobile operating systems seem to have become the 'casual app' of large mobile centric organizations. Mozilla, Samsung, Microsoft, Blackberry, Google, Apple, and Canonical, all have bellied up to the bar to put their latest OS offerings on the table.

And I think it's completely silly and a waste of time and resources.

The world does not need yet another mobile operating system. We have enough and they work well. We even have an open source system that could easily be customized to any company's liking should they so desire: Android. To think that the market needs another system on which to run their mobile devices, on which to write apps, is lunacy. We're focused on the wrong thing.

Overall, mobile OSes are pretty good. They're reliable, easy to use, secure, and easy to develop for. The problem doesn't lie with the operating systems these days, the problems lie with the carriers.

Mobile network providers are a greedy bunch. They do everything they can to squeeze every single drop of money out of their customers. They pack new phones so full of garbage that a user often has trouble distinguishing what is and what isn't safe to remove from their device. This is especially true in the United States where customers are often tethered to long, hard to get out of, contracts, but it's true in other parts of the world as well.

The mobile experience isn't going to be made better by putting Ubuntu or Tizen, or Android, on a phone. Carriers will simply load their crapware on these new phones and carry on without even a pause. The mobile experience will only get better when consumers reject the garbage their carriers are forcing on them and demand both application and network freedom. This isn't something a shiny new operating system can solve. It's a business problem.

Don't get me wrong, I applaud both Canonical and Mozilla for trying to bring a little bit more freedom to the mobile industry. But a new operating system simply isn't the way to do it and is a colossal waste of time and energy.

Wednesday, March 13, 2013

Book Review: "Homeland" by Cory Doctorow



Cory Doctorow is an amazing writer. With every book and every article, he is able to take complex and sensitive topics like cryptography, government misdeeds, surveillance, and freedom, and distill the topic into something that's both entertaining and easy to understand.

When I first read that Doctorow was writing a sequel to "Little Brother", the book that introduced me to his work and made me a fan, I was ecstatic. While this particular strain of books are marketed as 'young adult', I found my stick-it-to-the-man older self sitting on the edge of my seat from the first page on. Needless to say, with such a high bar set, I purchased a copy of "Homeland" the day it came out.

Even though I'm a fan of Doctorow, I didn't really expect "Homeland" to be as good as "Little Brother" had been. Authors tend to fizzle out when writing sequels and I'd feared that Doctorow would do the same. Boy, was I wrong!

"Homeland" picks up only a few short years after the Bay Area Bridge is bombed. Marcus Yallow and his friends have been tortured by Homeland Security and the City of San Francisco has descended into a police state. Thankfully, Marcus and Ange are getting away from it for a while by going to Burning Man.

This book packs all the punch of its predecessor, if not more. You'll find yourself gripped by the story that could have been taken right out of a New York Times headline, and you'll get angry at the injustices perpetrated against innocent people; real injustices and abuses that could very well be done against us.

Overall, I give "Homeland" five out of five stars. It's creative, fun, hard hitting, and everything I love in a book. If you're a fan of dystopian fiction, cyber thrillers, or Cory Doctorow, you owe it to yourself to buy this book (which you can do by clicking this link right here).

A definite must read.

Monday, March 11, 2013

Why Ubuntu abandoning Wayland is a good thing

Once upon a time there was a display server called X.  It was a good display server for Unix/Linux and it was pretty powerful and forward thinking. People contributed to it, they patched it, and things around X moved pretty fast. But then something happened. X stagnated and started to show its age. Indeed the software was 25 years old and, in technology time, that's like being from another century.  It was time to move forward but it seemed to everyone that X just didn't know how.

One day, a smart group of developers decided to do something about the problems with X. Not by jumping in and contributing code to bring the software up to date and not even by forking it to create a 'modern X' derivative. No, these developers decided it was time for something completely new. They coded and coded and coded some more and birthed a promising new project called Wayland.


Wayland was an exciting project. Backed by the promise of 'a better display server that maintains some compatibility with X' the project got some of the major Linux distributions like Ubuntu behind it. In fact, the Ubuntu team was so excited about it that they even committed to use Wayland in place of X within a year.

As you probably already know, this is where things took a turn for the worse. The development of Wayland was almost as slow as the development going on with X. But the difference was that X is a functioning display server while Wayland was struggling to get there. It was not a pretty sight.

Fast forward almost three years after that Ubuntu announcement (and five years since the initial Wayland release) and things are in a rather horrible state. How horrible you ask? So horrible that one of the 'goals' of Wayland is to allow windows to be minimized and maximized. Yeah, that horrible.

Needless to say, the distro makers weren't happy and, recently, Ubuntu delivered a major blow to confidence in Wayland by announcing that they were going to write their own display server called Mir. Mir is supposed to be everything Ubuntu was hoping Wayland would be except it's probably actually going to be usable and, of course, it's going to be open source so anyone who wants it can use it in their distro.

The announcement from Canonical (the corporate sponsor and caretaker of Ubuntu) was met with mixed reactions within the community. Some people praised it while others even questioned if, with this latest departure from the mainstream, Ubuntu could even be considered a Linux distribution anymore.

It definitely goes without saying that Canonical has some lofty goals for Ubuntu. They envision a future where desktop, living room, phone, and tablet, all converge into a cohesive union all running Ubuntu. It's ambitious, a little bit wild and crazy, and something that only a company like Canonical could pull off. If they pull it off. And I believe they will.

I've been a harsh critic of Ubuntu in the past. When they ditched GNOME in favor of their Unity desktop while almost the entire community screamed about it, I thought it was the most boneheaded move ever made by the company. So much did I hate Unity that I switched to XUbuntu and still use it to this day. When they announced Ubuntu TV right after a goal of 400 million desktops, I thought they were crazy and spreading themselves too thin. But, you know what? They seem to be doing it. Slowly but surely, Ubuntu is taking over the world. It's not just on servers and a few desktops anymore. Major players like Valve are taking notice and bringing very cool stuff to the distro. Ubuntu has captured a segment of the market and it doesn't seem to be letting go anytime soon.

So to those of you who are whining about the distro ditching Wayland and writing their own display server, get a grip. Ubuntu wants to take over the world and they aren't going to do that by waiting years while Wayland fights to have the ability to minimize and maximize desktop windows. They need to move fast and this is what they're doing.

We in the Linux community often complain about being ignored. Big software and hardware vendors pass us up because our market share is so small. Ubuntu is changing that. Ubuntu is making a path for those vendors that leads right to our desktops, laptops, phones, and tablets. What Ubuntu is doing is making the entire Linux ecosystem a better place and our lives as users a lot easier. Unfortunately, that's going to come with a little pain and a little disruption.

I, for the most part, am ready for it. I want to see Linux succeed. I want to see it grow. I want to see Ubuntu take over the world then duke it out for first place with other distributions. But that can only happen if we all work together and stop the silly whining about the project's forward motion. Don't like it? Then feel free to roll your own distro and use Wayland. No problem. But your distro won't be first or second place. Your distro won't take over the world.

Ubuntu is on fire right now. And I think it's time we stand behind it and keep doing everything we can to make sure that fire goes out. To misquote a former President of the United States:

"You're either with us or you're with Rebecca Black Linux".

And trust me, you don't want to be on the side of Rebecca Black Linux.