Comment Re:Make it easy? (Score 1) 150
No source.
Non-free.
No Mac version.
Nothing for mobile devices.
No thank you.
LBE Security, DroidWall and Permission Manager. Use all three.
Oh, and if you want to fool Google Play into delivering an app that claims to be incompatible, use Market Helper, or install FDroid or AppBrain Market.
I use a combination of LBE Security, DroidWall and Permission Manager to lock things down tightly. Silly free flashlight apps that try to read my SMS datastore? Nope, denied. Calculators that try to use WiFi or my cellular network? Denied. Games that try to read my IMEI? Denied.
Super secure, tight controls and you can lock everything down, in or out. Use all three.
According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.
Are we sure they didn't just root the botnet around mid-August/early September?
http://www.infosecurity-magazine.com/view/34453/massive-botnet-is-behind-tor-usage-spike-/
Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?
Why did the FBI not just raid the location, take the physical servers and storage assets, clone them and then let the courts sort it out? That way they could go and fetch the keys themselves, MiTM the traffic to the host through his ISP, masquerading as Lavabit, and snarf whatever they needed. They're already doing it in other cases.
What I'm wondering, is that when someone comes to your door with a warrant, and you say "No" and close the door, why would they allow you to go back and manipulate the bits and digital information that comprises the portion the warrant asked for?
In this case, how was Lavabit even allowed to shut down their services, if the FBI was at the door asking for the keys?
Something doesn't add up here.
Do you turn your phone off when you drive your car or go about your daily business? Unlikely.
If you leave your battery in your phone, even in the 'off' position, your phone is still on, still capable of receiving and sending, including E911. Just because the screen says it's been turned off, doesn't mean it's been turned off. Pull the battery out.
Soon though, that won't be enough, and your phone and other devices will be able to transmit their location, data, etc. without the need for a battery.
I picked up one of these (Black Hole Faraday Bag - RF Signal Isolation for Forensics, Large Window Size) and toss my gadgets in it, roll it up when I'm out traveling and don't need my phone broadcasting my location, GPS or AGPS every 3 seconds. Same with my iPad, GPS, EZ-Pass, and so on.
...aaaand, here's some code to use to make your own (which I just posted about only yesterday):
#!/usr/bin/perl
use warnings;
use strict;
use LWP::Simple;
use XML::RSS;
use HTML::Strip;
use File::Slurp;

my $url = 'http://feeds.bbci.co.uk/news/world/rss.xml';
binmode(STDOUT, ":utf8");
my $hs = HTML::Strip->new();
my @newscanary;

# Fetch and parse the feed; get() returns undef on failure
my $rss = XML::RSS->new();
my $data = get( $url );
die "Could not fetch $url\n" unless defined $data;
$rss->parse( $data );

my $channel = $rss->{channel};
foreach my $item ( @{ $rss->{items} } ) {
    my $title = $item->{title};
    my $date = $item->{pubDate};
    my $desc = $hs->parse($item->{description});
    $hs->eof;    # reset the stripper before the next item

    # Word wrap the output at 70 characters
    $desc =~ s/(.{70}[^\s]*)\s+/$1\n/xg;

    push @newscanary, "$title\n$date\n" . "-"x70 . "\n$desc\n\n\n";
}

# Write and read as UTF-8 so text is not double-encoded on the :utf8 STDOUT
write_file('canary.txt', {binmode => ':utf8'}, @newscanary);
my $boilerplate = read_file('boilerplate.txt', {binmode => ':utf8'});
my $newscanary = read_file('canary.txt', {binmode => ':utf8'});

print $boilerplate, $newscanary;
And what happens when those keys are transmitted in the clear, across the two endpoints, when SSL might as well be cleartext at this point, given the computational power, intentional design flaws and other mechanisms of the NSA to break the conversation in real-time.
Still trust the other end? I don't.
Do you trust your exit node or proxy? Defcon had a recent talk on setting up proxy servers as a very quick way to find people who have something to hide. Now you have their IP address and their destination.
It's not just about exit nodes anymore. The NSA can, and regularly does, de-anonymize users within the Tor network, with or without compromised or 'baddie-controlled' exit nodes.
Tor works only as long as exit nodes are not in the bad guy's control.
Correction: Tor only works (in its current implementation) when there isn't a single bad node in the entire network. IOW, not going to happen.
Let's also keep in mind that 60+% of the funding for Tor, comes directly from the Department of Defense (DoD).
Concerned yet? You should be.
But Trsst relies on a protocol (SSL) that we know is now suspect, and likely broken in most cases (weak keys, compromised CAs).
So what now?
Then they can make a public and private key for whatever.com. Then they use their fake Intermediate CA Inc. certificate to sign that. Unless you the person visiting whatever.com specifically have an original copy of the real whatever.com certificate public key, and you look at the public key of the certificate every time you visit the website, you'll never notice that the NSA has replaced the real certificate with theirs. As long as they're using the correct Verisign private key, your browser will not detect any problems.
This is precisely why you should be checking site fingerprints and using browser add-ons like Certificate Patrol, in combination with a secure browser (eg: TorBrowser).
If you blindly stumble around the Internet accepting certs, not checking source and destination, you deserve what you get. If you verify the authenticity of your connections, and deny/block/forbid those that don't match, you'll be much closer to the secure environment we're all striving for.
The important bit, the one that has value to *me*, is that it can hide my identity. It can hide the identity of people who are afraid of oppression, it can hide the identity of whistle blowers, it can hide the identity of people asking for help.
Actually, no, it can't. You're thinking of i2p, not Tor.
If you're confused, you need to read up on the major flaws and vulnerabilities in Tor that allow the NSA or enough controlling entities to de-anonymize anyone using Tor. In fact, the more Tor exit nodes, the easier it is.
The tremendous spike in users using Tor could be both in reaction to the NSA news, or proactive from the NSA ramping up their use of Tor to more-rapidly de-anonymize the traffic coming across those exit nodes.
They don't need to crack the traffic, if they de-anonymize the clients in and out of Tor, it's cleartext on both ends. With SSL and VPNs now being as wide open as cleartext and easily broken, it's a moot point.
http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html
And direct yourself and others to Project Meshnet:
Sorry, but it's now too easy to de-anonymize traffic within and around Tor. The more Tor nodes there are, the -easier- it becomes.
Read and learn, then direct everyone to start using i2p and Project Meshnet (https://projectmeshnet.org/)
http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html