Cash for Anonymity shows serious intent

Paying for anonymity is a tricky thing, mostly because on-line payments are strikingly non-anonymous. The default payment mechanism on the Internet is the credit card, which generally requires hard identification. There are anonymous pre-paid cards, but they are getting harder to find, and most pre-paid cards now require registration with a real name and (in the US) a social security number.

We are working on supporting Bitcoin, which provides some anonymity, but not as much as you might think. New tools for Bitcoin anonymity are being developed, so this situation may improve, and other cryptocurrencies are gaining traction as well.

When it comes to anonymity, cash is still king. Random small US bills are truly anonymous, and widely available (a 1996 study showed that over half of all physical US currency circulates outside the country). While non-anonymous payments only allow Anonymizer to know who its customers are, not what they are doing, that information might be sensitive and important to protect for some people.

That is why Anonymizer accepts cash payments for its services. Obviously it is slower and more cumbersome, but for those who need it, we feel it is important to provide the ultimate anonymous payment option. If you are looking at a privacy provider, even if you don’t plan to pay with cash, take a look at whether it is an option. It could tell you something about how seriously they take protecting your privacy overall.

Secret apps that have access to your message are not so secret.


Whistleblowers Beware: Apps Like Whisper and Secret Will Rat You Out | Business | WIRED

Here is more evidence that if a service has access to your information, it can get out. In this case the privacy services Whisper and Secret have privacy policies that say they will release messages tied to your identity if presented with a court order, but also to enforce their terms of service and even in response to a simple claim of “wrongdoing” (whatever that might mean).

Anonymizer has no logs connecting user activity to user identity, thus we don’t have these problems.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Privacy Blog Podcast - Ep. 19: Heartbleed, IE, and Internet Sovereignty.

In episode 19 of The Privacy Blog Podcast, recorded for April 2014, I talk about:

  • The Heartbleed bug, and why it is such a big deal.
  • A major vulnerability in Internet Explorer, and why we are focusing on the wrong thing.
  • The reasons behind recent pushes for national Internet sovereignty.
  • and finally about the increasingly international reach of US search warrants.

Choose what you protect, because anonymity is really hard.


Meet The Woman Who Did Everything In Her Power To Hide Her Pregnancy From Big Data | ThinkProgress

Janet Vertesi, sociology professor at Princeton, recently tried an on-line experiment. She had just discovered that she was pregnant, and wanted to see if it would be possible to hide that fact from “big data”. Could she prevent advertisers and social media companies from discovering this one fact, and using it to profile and target her?

Janet only tried to hide this one fact. She used pre-paid payment methods, Tor anonymity tools, and took great pains to prevent her “friends” from mentioning the pregnancy on any social media platforms. She had already opted out of using Gmail, which would have been scanning her emails as well.

While she was able to be reasonably effective, the effort and cost involved were significant, and there were some slips from within her social network. This is a great demonstration of the idea that you really need to be specific about what it is you want to hide. The personal and social costs of trying to stay “off the grid” completely are unacceptable for most people. The more you can identify and isolate just the individual facts or activities you want to protect, the easier it is and the more likely you will succeed.


Stop using Internet Explorer, even with VPNs


Governments urge Internet Explorer users to switch browsers until fix found | ZDNet

This and many other articles are relaying the information that governments are encouraging users to move to Chrome, Firefox, or Safari until this Microsoft Internet Explorer bug is fixed. The vulnerability seems to have been in every version of IE from 6 through the current version 11. It is a remote exploitation vulnerability, so attackers can use it to run arbitrary code on your computer, effectively “owning” it. There are some workarounds within IE that may prevent the attack, but for now it is much safer and easier to simply move to a different browser.

It is important to remember that using a VPN like Anonymizer Universal does NOT provide any protection against this kind of attack. This is an attack directly against the browser using the content you have “requested”. The attack is launched from the site you are visiting, so the hostile content would flow through the VPN unhindered. 

Anonymizer strongly encourages its users to move to Firefox, Safari, or Chrome, at least until this problem is resolved.


Most websites may already be completely pwned by the Heartbleed Bug

Heartbleed Bug

Researchers recently announced the discovery of an incredibly dangerous bug in the OpenSSL encryption library. That library is used by about two thirds of websites, and many VPNs and other secure communications services.

The problem is in a memory leak that allows an attacker to request heartbeat responses which will contain up to 64KB of memory, and to do so over and over without being detected. This has already been shown to be able to capture the server’s RSA secret key. That is the key used to authenticate communications with the clients, and to encrypt the session keys. Other data could be captured as well, but those keys are really the biggest threat.

An attacker with that key could perfectly impersonate the server, or run man in the middle attacks undetectably.

It is unknown if, or how often, this attack has been run in the wild. It is entirely possible that major players, like national intelligence services, may have known about this for some time, and could have been silently intercepting traffic to certain websites, potentially for over 2 years. We just don’t know. There is a call for researchers to set up test sites to detect this activity going forward, but there is no way to know if it happened in the past.

The solution is non-trivial. All affected services need to install the recently available patch to fix the underlying problem. They then need to address the possibility that their keys have been stolen. All server certificates need to be revoked, so clients will know to reject them, and new certificates created and distributed. This is likely to take time, and many sites will be very slow to respond.


Turkey is Tweeting Again!

Turkey Unblocks Twitter After Free-Speech Ruling

Yesterday the Turkish Constitutional Court ruled that the blocking of Twitter violated the guarantees of free speech in the Turkish Constitution. The government appears to have acted quickly to remove the blocks on Twitter’s IP addresses as well as the changes to DNS as ordered.

Celebratory tweets are gushing out over the wires.


Don't be an Ostrich about open Wi-Fi

Back in 2010 I blogged about Google’s legal troubles over capturing sensitive open Wi-Fi data with their Street View cars. In a nutshell, Google was accused of violating the federal Wiretap Act when it intercepted the data on open Wi-Fi networks it passed. The purpose was to capture just the MAC addresses of the base stations to improve their enhanced location services. It appears that recording small amounts of data was accidental. Certainly if they were trying to collect data, they could easily have grabbed much more.

Google lost that case and is now appealing to the Supreme Court, hoping to overturn the decision.

Obviously it was inappropriate for a company like Google to drive around sniffing people’s Wi-Fi traffic, but they are not really the threat. What we all need to be worried about is hackers war driving our neighborhoods, either using our networks to hide their illegal activities, or capturing our personal information for their own purposes.

Whatever the legal outcome of whether it is “OK” to sniff someone’s open Wi-Fi traffic, the reality is that people do, and doing so is trivial. Anyone with a laptop can download free software and be sucking down all the Internet activity in their local coffee shop in just minutes. I think laws like this give a false sense of security. It is like saying that, as you walk down the sidewalk, you cannot look in through your neighbor’s big picture window at night when they leave the curtains open.

Thinking that people are “not allowed” to sniff your open Wi-Fi just gives a false sense of security. What we need to do is make sure that ALL Wi-Fi is securely encrypted. Even public Wi-Fi should be encrypted, even if the password is “password” and is posted prominently on the wall. Using encryption changes the situation from looking through a window as you walk by to drilling a peep hole through the wall.

None of us should be in denial about this. Open Wi-Fi is insecure. It will be sniffed.

If you find yourself in a situation where you have to use an open Wi-Fi hotspot, for whatever reason, make sure you immediately establish a VPN to protect yourself. I might be biased, but I use Anonymizer Universal for this purpose.


Turkey extends censorship from Twitter to YouTube

Turkey Escalates Internet Blocking With YouTube Ban | Re/code

In its continuing effort to suppress discussion of corruption in the Turkish government, Turkey has extended its censorship from blocking Twitter to blocking YouTube. This appears to be in response to Google’s refusal to remove “offending” videos.

Reports suggest that the blocking is not completely effective. If you are in Turkey and being blocked, Anonymizer Universal is able to bypass the censorship. Our two-week trial provides a quick solution.


Turkey Twitter censorship goes from DNS to IP based blocking


Turkey has taken their censorship of Twitter to the next level.

Initial blocking was done through DNS, so it could be easily bypassed by using something like Google DNS at 8.8.8.8.

Turkey quickly responded to the masses of people using that workaround, and are now blocking Twitter by IP address.

As one often sees with attempts at censorship, this one was counterproductive. It looks like tweets from Turkey actually increased 138% following the DNS block.

Now that the censorship is IP based, a VPN like Anonymizer Universal will be required to continue to access Twitter and any other services that may be blocked.

We continue to test that service from within Turkey, and it looks to be working well. 


Turkey blocks Twitter to suppress corruption allegations.

Turkish Prime Minister Tayyip Erdoğan announced that the courts have ordered Twitter be blocked completely.

This appears to be in response to Twitter refusing to take down tweets of audio recordings purporting to be of Erdoğan engaging in corrupt activities.

Twitter is suggesting that users fall back to an SMS interface to continue to access the service. I suspect most active Twitter users follow enough people that the feed would overwhelm their SMS plans completely.

A better solution is to use a VPN like Anonymizer Universal to punch a hole through the censorship. Through Anonymizer you would then be able to access Twitter, or any other website the Turkish government might be trying to block.

Update: We have re-confirmed that Anonymizer is still accessible and working from Turkey.


Now might be the time to sue Mt. Gox.


Mt. Gox, the failed Bitcoin exchange, announced that it had found about 200,000 BTC in an old wallet that had not been used since June 2011. This information was revealed in a legal filing in Japan.

That is like finding $118 Million in your old wallet that got lost in the cushions of your sofa. With the newly discovered 200,000 BTC, they now have 202,000 BTC, so they are now missing only 650,000 BTC.

Unfortunately for those who lost their coins, they are not considered debtors of Mt. Gox. Anyone who hopes to recover some of those rediscovered Bitcoins needs to be boarding the lawsuit trains that will be leaving the station very soon.


Check your phone for evil Tor app

Fake Tor browser for iOS laced with adware, spyware, members warn | Ars Technica

There are a number of different Tor anonymity service apps in the Apple iOS app store. According to several people at Tor, one of them is unofficial and loaded with adware and spyware.

The bad one is “Tor Browser”. If you have it, you should un-install it immediately.

Apple has been requested to remove the app from the store, but no action has been taken so far.


What you need to know about credit protection services.

Are Credit Monitoring Services Worth It? — Krebs on Security

Brian Krebs has written an excellent discussion and analysis of credit monitoring / credit protection services, and some steps you need to take to protect yourself. You should read it.


Australians, you need to start taking ownership of your own encryption

Attorney General's new war on encrypted web services - Security - Technology - News - iTnews.com.au

Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.

Australians may want to start taking steps to protect themselves now.

End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.

Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.

Finally, let your voice be heard on this issue by reaching out to your members of parliament.


Why you need to double check your iPhone Bluetooth settings

Apple Keeps Turning Bluetooth On When You Update Your iPhone

Recent iOS updates have automatically re-enabled Bluetooth for many users who keep it turned off for battery conservation or privacy reasons.

The increasing use of iBeacons and other Bluetooth based tracking systems makes this a bigger privacy worry than before. Tracking via Bluetooth is now a widely and actively used tool in retail and other areas.

Conspiracy theorists suggest that Apple is doing this intentionally to increase the usefulness of iBeacons to track people, and thus encourage their adoption. While this is an appealing idea, the jury is still out on this one.

If you are concerned about this kind of tracking, you can quickly disable Bluetooth in the control center on your iPhone by sweeping up from the bottom of just about any screen and tapping the Bluetooth button. It is fairly easy and convenient to keep Bluetooth turned off most of the time, and just enable it when you want to use a wireless headset or other Bluetooth device for a short while.


The Privacy Blog Podcast - Ep. 17: RSA Conference Wrap-up, @N, Bitcoin Fiasco, Apple Security and More

In episode 17 of The Privacy Blog Podcast for February, 2014 I talk about:

  • The just completed RSA Security conference
  • How an email can expose your location
  • A guy who suffered extortion because his username was so valuable.
  • What happened in the latest Bitcoin fiasco
  • Exactly how secure Apple’s iMessage protocol is
  • And finally how insurance companies may drive changes in cyber security

Mt. Gox bitcoin exchange appears to have failed, coins are missing.

The Mt. Gox Bitcoin Exchange Has Disappeared — Is Bankruptcy Next? | Re/code

Here is another example of the problem with storing your cash in an untrustworthy entity. Many Bitcoin services are based on having some third party store your coins for you. This has now led to major thefts or losses of coins on a number of occasions. There is no insurance or mechanism for restitution to the people who have lost their coins. Reports suggest that 740,000 Bitcoin have gone missing. The precipitous loss of value on exchanges has also caused a further hit to the value of everyone’s coins.

I strongly encourage Bitcoin users to follow one of the following strategies to protect themselves.

1) Only purchase Bitcoins immediately prior to use, and convert your coins back to a conventional currency in an insured bank account as quickly as possible after receiving them. This minimizes your exposure to loss, theft, or market volatility.

2) Keep your Bitcoins securely stored in your own, ideally offline, wallet. Only allow third parties to have the minimum possible amount of coins for as short a time as possible.
