macbroadcast <[email protected]> wrote: > http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/?hpid=z1 > > i am asking the list, are there any "well know" practices to prevent spying
Actually, there are quite a few, but there are some caveats or limitations that apply to all of them. First off "well-known" definitely does not mean "secure"; this stuff is hard and there are some heavily marketed products that get it wrong. Second, no system can be secure if the underlying computer is not; if you download a trojan horse program that takes control of your computer, you're toasted. Any security software you run on that machine can fairly easily be subverted. Third, system admins have access. If you have unecrypted email or on a server somewhere or posts in some allegedly private online forum, the administrators of those systems can see them. That may be fine unless you have a dishonest admin or a government that leans on the hosting company, but it is certainly not secure against those threats. Fourth, it is almost impossible to protect against traffic analysis (http://en.citizendium.org/wiki/Traffic_analysis) if the enemy has lots of resources and is moderately smart and/or determined. Even if all your email and IM chats are encrypted so the attacker cannot read them, he can still tell who you are talking to. Finally, encrypting your data may draw attention; the revealed NSA documents show that they save /everything/ they see that is encrypted, just in case they can break it later. Some of those are reasons for the Freedom Box. For the first, we are trying to use only well-understood & well-tested components. Second, a simple do-a-few-things-well server is easier to keep secure than a desktop box or a busy commercial server. Third, you become your own sys admin & we are trying to make that more-or-less foolproof (which may be the hardest part of the Box project). As far as I know, we cannot offer a defense against the last two. Things you can use today that look trustworthy to me: HTTPS Everywhere: a browser extension that automatically encrypts all web connections to servers that support https. It falls back to plain unencrypted http if the server does not do https, so it does not offer complete protection, but it is far better than nothing and easy to install in at least Firefox & Chrome https://www.eff.org/https-everywhere This could be subverted by someone like a major government or large company who is in a position to manipulate the certificates it uses to establish trust. I am not up-to-date on details. Google "man-in-the-middle" plus one or more of "TLS" "SSL" "https" or "X.509" to find them. TOR, the onion router: anonymity provided by routing packets through a series of nodes. This gives better anonymous browsing than HTTPS everywhere -- safer, and more general since it works even for sites that do not do https -- but setup is not as straightforward and it may slow connections down. This is the only thing I mention here that offers some defense against traffic analysis. I do not actually know how complete or reliable that is, but I would guess pretty good. https://www.torproject.org/ PGP: end-to-end email encryption. This blocks snoopy mail server admins; it is encrypted on the sender's machine and decrypted on the recipient's so no-one in between can read it. There is a free version, GNU GPG, included in more-or-less all free operating systems (Linux or various BSD derivatives). I do not know if that exists for Windows or Mac; my guess would be yes. There is also a commercial version (http://www.symantec.com/products-solutions/families/?fid=encryption). A few years back, I saw several people claiming that it had a far better user interface than GPG, but that may have changed (or may not have been true in the first place). OTR, off-the-record (encrypted) Internet chat: http://www.cypherpunks.ca/otr/ -- Who put a stop payment on my reality check? _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
