The Looming End of Network Neutrality and How to Protect Yourself

Let’s get this out right up front. I am a strong advocate for network neutrality. ISPs like Comcast say that these regulations strangle innovation, and that all the concerns about how they might abuse their position are just paranoia.

First a quick review. Network Neutrality is the principle that ISPs should not discriminate between the different sources of traffic on their network. My YouTube, your Facebook, his BitTorrent, her porn site, all should have the same access to, and performance on, the internet. In effect, the internet is like water or electricity, a utility delivered to your doorstep. Those utilities don’t get to control how I use those resources, or limit my ability to plug in certain brands of appliance. Similarly, the utilities should not be able to inject things into the water or send unwanted messages over your electric wires. They are just providing a simple service.

The big ISPs have a long history of abusing their near monopoly status. Way back in 2007, I wrote a blog on how Comcast was blocking BitTorrent traffic. Despite their repeated denials, the Associated Press was finally able to prove that they were.

In 2013, Comcast was called out for injecting code into the websites users were visiting. At that time the code was mostly notifying users that they were close to their data cap. To do this, Comcast intercepts your connection to the website, reads the content, then modifies it to add its code before sending it on to you. They, and other ISPs, were still at it in 2015 despite all the backlash.

Now in late 2017, partly because of the Network Neutrality debate, we are seeing reports of this again. There is no way to opt out of this, and for most Americans, there is only one choice for a fast network connection where they live. Changing providers is simply not an option.

American ISPs have generally avoided obvious throttling of commercial content because of the threat of enforcement of Network Neutrality regulations, and the possibility of stronger ones to come if they did. They are claiming that if the regulations are removed, they will continue to act in good faith.

While the companies won’t let you opt out, you do have a technical way of directly preventing them from messing with your traffic: a VPN. Services like Anonymizer create an encrypted path past your ISP out to the internet. There is no way for the ISP to see the contents of your communication, either to modify it or to throttle it.

If this is an issue that you feel is important too, you can make the issue more visible with some of the techniques and suggestions here.

Downloading files is dangerous, these tips can keep you safe

When it comes to checking for hostile files coming in from the web, it is much more difficult than simply scanning an email. Communications are being conducted in real-time and often encrypted. So in order to defend against the two ways to get malware when surfing the Internet — an exploited browser (which automatically downloads malware without the need for you to click anything) and being tricked into downloading an infected file — you need a secure browser and some common sense.

To effectively protect yourself against browser exploits doesn’t take much: you just need to use a secure browser. Conventional browsers will always be vulnerable to attacks, while secure browsers like Passages provide complete protection against browser exploits. Regardless of where you go or what you click on, malicious files will never make it to your physical computer.

Read my whole article on the Ntrepid blog.

Unauthorized SSL certificates put everyone at risk

Google warns of unauthorized TLS certificates trusted by almost all OSes (Ars Technica)

“In the latest security lapse involving the Internet's widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.”

The existing SSL certificate authority structure is fatally flawed. Its integrity relies on a huge number of primary and secondary certificate authorities to follow the rules and only issue certificates to the valid owners of websites. Of course, many of these certificate authorities are in places where they can be pressured or forced to issue certificates to other entities for other purposes, like surveillance.

In February we saw SuperFish installing its own certificate on every computer where it was installed.

In January we saw Gogo Inflight simply self-signing certificates, generating errors which were widely ignored.

In July 2014 an Indian certificate authority was caught creating fake certificates for Google services.

In April 2013 Firefox blacklisted a certificate authority for this kind of thing.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Dutch ISPs no longer required to retain data


DutchNews.nl reports that ISPs in the Netherlands will no longer be required to retain data for law enforcement.

Since 2009, national laws have required keeping records on the activities of all users for a period of one year. In 2014 the EU determined that such mass storage was a violation of fundamental privacy rights.

This court ruling brings the EU and Dutch rules into accord by ending the data retention requirement.

Sony hack shows how hard it is to stay anonymous

FBI Director James Comey says that the North Koreans who hacked Sony were tracked because of bad operational security in their use of proxies.

We saw the same thing with the takedown of the Silk Road website. Few people have the skills, tools, and discipline to be 100% consistent with their anonymity. Any slip at any time can blow your cover. Of course, this could have been an intentional false flag; the rabbit hole can get very deep. Jeff Carr makes the case that this is actually quite likely.

"FBI Director James Comey, today, said that the hackers who compromised Sony Pictures Entertainment usually used proxy servers to obfuscate their identity, but "several times they got sloppy."

Speaking today at an event at Fordham University in New York, Comey said, "Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using ... were exclusively used by the North Koreans."

FBI Director Says 'Sloppy' North Korean Hackers Gave Themselves Away


The Privacy Blog Podcast - Ep. 21:

In episode 21 of our podcast for July, I talk about:

  • A decision giving Canadians more rights to Anonymity
  • Iraq's recent blocking of social media and more
  • Iran's outright criminalization of social media
  • A court decision requiring warrants to access cell tower location data
  • Another court stating that irrelevant seized data needs to be deleted after searches
  • A massive failure of data anonymization in New York City
  • A court requiring a defendant to decrypt his files so they can be searched
  • The Supreme Court ruling protecting cellphones from warrantless search.
  • Phone tracking streetlights in Chicago
  • And a small change for iPhones bringing big privacy benefits

Australians, you need to start taking ownership of your own encryption

Attorney General's new war on encrypted web services (iTnews.com.au). Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any service where the provider holds the keys will obviously be able to do this.

Australians may want to start taking steps to protect themselves now.

End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.

Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.

Finally, let your voice be heard on this issue by reaching out to your members of parliament.


The Privacy Blog Podcast - Ep. 13: Adobe, Russia, the EU, Experian, Google, Silk Road, and Browser Fingerprinting

Welcome to episode 13 of our podcast for September, 2013. In this episode I will talk about:

  • A major security breach at Adobe
  • How airplane mode can make your iPhone vulnerable to theft
  • Russian plans to spy on visitors and athletes at the winter Olympics
  • Whether you should move your cloud storage to the EU to avoid surveillance
  • Identity thieves buying your personal information from information brokers and credit bureaus
  • How to stop Google using your picture in its ads
  • Why carelessness led to the capture of the operator of the Silk Road
  • And how Browser Fingerprinting allows websites to track you without cookies.

Please let me know what you think, and leave suggestions for future content, in the comments.

Opt out of Google ads using your name

Google is changing its terms of service to allow them to use your name and photo in advertisements to your friends. Most people seem to have been opted in to this by default, although some (including me) have found themselves defaulted out of the program.

If you are uncomfortable with your name, picture, and opinions appearing in ads from Google, just go to Google's Shared Endorsements Settings page. The page describes the program. At the bottom you will find a checkbox. Uncheck it, and click "Save".

ID Theft service had access to 3 giant data brokers

Krebs on Security discovered that a major identity theft service populated its databases by raiding the vaults of three of the biggest personal information brokers, including LexisNexis, Dun & Bradstreet, and Kroll Background, which does employment background, drug, and health screening.

This is very bad news. The stolen data includes SSN, birthdays, and the answers to almost any security question your bank or other sensitive website might ask.

This is further evidence of my thesis that: if the data exists, it will eventually get out.

MaskMe is a good complement to Anonymizer

MaskMe (introduced in this blog post) is an interesting new entrant in the privacy services space.

They provide the ability to provide "masked" Email addresses (like our old Nyms product), phone numbers, and credit cards.

Combined with Anonymizer Universal, you will be able to do a fairly comprehensive job of shielding your true identity from websites and services you use.

This is a brand new service, so it is hard to know how it will fare, but it is certainly worth watching.

Internet Explorer vulnerability allows mouse tracking

spider.io is talking about a bug they discovered in Microsoft Internet Explorer versions 6-10. Evidently the bug allows tracking of your mouse movement even if the browser window has been minimized and you have a different application active.

They say that at least two companies providing display ad analytics are already using this exploit to improve their analysis.

OUCH! Yet another good reason to use any browser but IE.

Yahoo to ignore IE 10 Do Not Track

From Declan's article on CNET.

The fight over the "do not track" flag continues.

In the latest version of Internet Explorer (version 10), Microsoft has made "do not track" the default setting. This makes tracking by websites an "opt in" rather than an "opt out" proposition. Privacy advocates have long favored this approach, but advertisers don't like it.

Yahoo feels so strongly about this that they say that they will ignore the Do Not Track (DNT) flag when coming from IE 10 browsers. The open source Apache web server is also going to come configured to ignore the IE 10 DNT flag.

So, even if you explicitly want Do Not Track, and would have gone in and manually enabled it, you will be tracked by Yahoo anyway.

Ironically, this means that if you actually want to not be tracked, you need to use a different browser and manually enable the setting.
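To make the policy choice above concrete, here is an added example (my own code, not anything from Yahoo, Apache or Microsoft) of a server-side Do Not Track check. `tracking_allowed_weak` reproduces the behaviour described in this post, discarding the flag when the request comes from IE 10, and `tracking_allowed` is the corrected policy that honours the flag from any browser. The request headers are constructed, the `MSIE 10.0` user-agent token is an assumption about how IE 10 identifies itself, and the `Tk` response header follows the W3C Tracking Preference Expression draft.

```python
"""Added example: server-side Do Not Track policy, weak version beside corrected one."""
import re

# Assumption: IE 10 identifies itself with this token in its User-Agent string.
IE10_UA = re.compile(r"MSIE 10\.0")


def dnt_requested(headers):
    """True when the request carries DNT: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def tracking_allowed_weak(headers):
    """The policy the post describes: treat DNT as meaningless if the browser is IE 10."""
    if IE10_UA.search(headers.get("User-Agent", "")):
        return True  # flag ignored; the user is tracked regardless of intent
    return not dnt_requested(headers)


def tracking_allowed(headers):
    """Corrected policy: the flag is honoured whichever browser sent it."""
    return not dnt_requested(headers)


def build_response_headers(request_headers, policy=tracking_allowed):
    """Only set a tracking cookie when the chosen policy permits it, and report the
    decision in the Tk header (T = tracking, N = not tracking) so the client can see it."""
    out = {"Content-Type": "text/html"}
    if policy(request_headers):
        out["Set-Cookie"] = "track_id=EXAMPLE-ID; Path=/"  # placeholder cookie value
        out["Tk"] = "T"
    else:
        out["Tk"] = "N"
    return out


# Constructed request headers for illustration, not captured traffic.
IE10_REQUEST = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)",
    "DNT": "1",
}
FIREFOX_REQUEST = {
    "User-Agent": "Mozilla/5.0 (X11; Linux) Gecko/20100101 Firefox/16.0",
    "DNT": "1",
}
NO_DNT_REQUEST = {
    "User-Agent": "Mozilla/5.0 (X11; Linux) Gecko/20100101 Firefox/16.0",
}

if __name__ == "__main__":
    for label, req in (("IE 10", IE10_REQUEST), ("Firefox", FIREFOX_REQUEST), ("no DNT", NO_DNT_REQUEST)):
        print(label, "weak policy:", build_response_headers(req, tracking_allowed_weak)["Tk"],
              "corrected policy:", build_response_headers(req)["Tk"])
```

The weak policy makes a decision on the basis of the user agent rather than the header, which is exactly why a user who set the flag deliberately in IE 10 still gets tracked; the corrected policy only looks at what the request actually says.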

I do appreciate the effort Microsoft, and shame on you Yahoo.

Picking Powerful Pins

Despite all the work on two-factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.

In many cases, such as at ATMs, we are limited to 4 digit numeric PINs.

This post to DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.

It is worth a read.

Short answer: you can hack over 10% of accounts by guessing "1234".

Specter of Mandatory Data Retention

In this CNET article by Declan McCullagh, he reports that the DoJ is planning to request mandatory data retention by Internet providers. Their argument is that the lack of data retention is interfering with law enforcement's ability to investigate cases. This implies some kind of shift in the balance of privacy vs. access. No such shift has taken place.

I think that they are more frustrated by the fact that a huge potential gold mine of information is out there to which they don't have access. Prior to the various modern technological revolutions people used pay phones, sent letters, and paid cash for toll roads.

Now they use Twitter, SMS, Facebook, Email, cell phones, electronic toll payment etc. There is way more information available to law enforcement now than before. The fact that this data retention is only on the Internet may make people feel better, but one would certainly learn more about me from my Internet activities than from following me around physically.

Let's look at what is being asked for with a real world analogy. This is like saying that the US Postal Service should photograph and database the address, and return address, on every letter which goes through the system. Physically, it is like saying the cell phone company should record and retain my GPS location at all times. Either of those would actually be much less intrusive than monitoring how I use the Internet at all times.

Let's not get into the cost of maintaining these records or the issues with leaks or hackers. Consider the Chinese attacks on dissident Google accounts. This plan would ensure that such information was much more widely maintained.

At this point it appears to be only a request. I am curious to see how this evolves over the congressional term.

India continues move towards surveillance state

India to Monitor Google and Skype - WSJ.com. As an extension of their policy of pushing for access to encrypted communications on RIM BlackBerry devices, they are now demanding access to data from both Google and Skype. India is demanding that Skype and Google install servers within India so the government can access the information on Indian users.

Obviously bad guys can trivially bypass this through the use of VPNs and by taking care to use servers located outside of India. The real impact will be to open all legitimate Internet users to universal surveillance.