The Looming End of Network Neutrality and How to Protect Yourself

Let’s get this out right up front. I am a strong advocate for network neutrality. ISPs like Comcast say that these regulations strangle innovation, and that all the concerns about how they might abuse their position are just paranoia.

First a quick review. Network Neutrality is the principle that ISPs should not discriminate between the different sources of traffic on their network. My YouTube, your Facebook, his BitTorrent, her porn site, all should have the same access to, and performance on, the internet. In effect, the internet is like water or electricity, a utility delivered to your doorstep. Those utilities don’t get to control how I use those resources, or limit my ability to plug in certain brands of appliance. Similarly, the utilities should not be able to inject things into the water or send unwanted messages over your electric wires. They are just providing a simple service.

The big ISPs have a long history of abusing their near monopoly status. Way back in 2007, I wrote a blog on how Comcast was blocking BitTorrent traffic. Despite their repeated denials, the Associated Press was finally able to prove that they were.

In 2013, Comcast was called out for injecting code into the websites users were visiting. At that time the code was mostly notifying users that they were close to their data cap. To do this, Comcast is intercepting your connection to the website, reading the content, then modifying it to add their code before sending it on to you. They, and other ISPs, were still at it in 2015 despite all the backlash.

Now in late 2017, partly because of the Network Neutrality debate, we are seeing reports of this again. There is no way to opt out of this, and for most Americans, there is only one choice for a fast network connection where they live. Changing providers is simply not an option.

American ISPs have generally avoided obvious throttling of commercial content because of the threat of enforcement of Network Neutrality regulations, and the possibility of stronger ones to come if they did. They are claiming that if the regulations are removed, they will continue to act in good faith.

While the companies won’t let you opt out, you do have a technical way to directly prevent them from messing with your traffic: a VPN. Services like Anonymizer create an encrypted path past your ISP out to the internet. There is no way for the ISP to see the contents of your communication, either to modify it or to throttle it.

If this is an issue that you feel is important too, you can make the issue more visible with some of the techniques and suggestions here.

Canadian privacy services insecure by law.

It looks like people who care about Internet anonymity need to look outside Canada for their providers. It is not just a concern that the Canadian government would be able to subpoena the information, but it is also vulnerable to insider and external attack. If the data exists, it will eventually leak.

Starting today Canadian Internet providers are required to forward copyright infringement notices to their subscribers. This notification scheme provides a safe harbor for ISPs but is also expected to result in a surge in piracy settlement schemes. The new law further causes trouble for VPN providers, who are now required to log customers for at least six months.

Canadian ISPs and VPNs Now Have to Alert Pirating Customers | TorrentFreak

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Dropbox and bad password hygiene

The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.
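
A quick audit for both problems described above, exact reuse and passwords that are only modifications of each other, can be run over a password list. This is an added example, not code from the original post; the vault contents, site names and the small substitution table are constructed for illustration, and it reports site names only, never the passwords.

```python
import re
from collections import defaultdict

# A few common character substitutions (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core(password):
    """Reduce a password to the base word that simple variations share."""
    # Drop digit/symbol prefixes and suffixes such as "!2014" or "-7".
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    # Fall back to the original if nothing but digits/symbols was present.
    return stripped.lower().translate(LEET) or password


def audit(vault):
    """Return (kind, sites) for every group of sites sharing a password core.

    kind is "reused" when the passwords are identical and "variant" when
    they differ only by case, substitutions, or added digits/symbols.
    """
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[core(password)].append(site)
    findings = []
    for sites in groups.values():
        if len(sites) > 1:
            distinct = {vault[s] for s in sites}
            kind = "reused" if len(distinct) == 1 else "variant"
            findings.append((kind, sorted(sites)))
    return sorted(findings)


# Constructed sample vault (site -> password).
VAULT = {
    "bank.example": "Sunsh1ne!2014",
    "news.example": "sunshine",
    "forum.example": "sunshine1",
    "mail.example": "kT7#qv9LpW2xRz4m",
    "shop.example": "correct-horse-7",
    "photos.example": "correct-horse-7",
}

if __name__ == "__main__":
    for kind, sites in audit(VAULT):
        print(kind, ", ".join(sites))
```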

https://www.youtube.com/watch?v=XS7cyv_4o8A


Holder is wrong - backdoors and security can not coexist.

In the article below, Attorney General Eric Holder said “It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy.”

This is simply not true, and harkens back to the discredited arguments made by the FBI in the 1990s about the Clipper Chip. It is hard enough to make secure computing systems, and we are not very good at it, as all the breaches demonstrate. Intentionally introducing a vulnerability, which is the essential nature of a back door or law enforcement access, is madness. If there is a back door, then keys exist, and can be compromised or reverse engineered. It is an added complexity to the system, which is almost certain to introduce other vulnerabilities. Its use would not be restricted to the US. Once it exists, every government will demand access.

Social media and the cloud have tilted the balance of power absurdly towards law enforcement. This argument that they must retain access to encrypted cell phones is fatuous.

Holder urges tech companies to leave device backdoors open for police - The Washington Post

False sense of security "exposes" escort service customers.

In many cases, a false sense of security causes people to put themselves at much greater risk.

The following article describes a “burner” phone service that re-uses the temporary phone numbers. It appears that the number a security researcher received was previously used by a sex worker, whose customers continued to send pictures and messages to the number after it had been re-assigned.

DOH!

Recycled 'burner' number sends sex worker's clients to security researcher | ZDNet

Cosplay for Privacy!

All The Best Dragon Con Cosplayers Fighting For Online Privacy

In a brilliant campaign, IO9 and the EFF are having cosplayers pose with pro-anonymity, pro-privacy, and pro-pseudonymity signs. See the whole set here. The most popular seems to be “I have a right to a Secret Identity!”.

Anonymity is only as strong as the group you are hiding in

Your Anonymous Posts to Secret Aren’t Anonymous After All | Threat Level | WIRED

This article describes a clever attack against Secret, the “anonymous” secret sharing app.

Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.

In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.

The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

On Sunday I appeared on The Social Network Show talking about general privacy and security issues. Follow the link below for the show’s post and audio.

The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

The Privacy Blog Podcast - Ep. 20: Censorship, passwords, NSLs and cash

In episode 20 of our podcast for May I talk about:

  • The need to target your privacy efforts
  • Why your secrets may not be safe with secrecy apps
  • The possibility of more light shining on National Security Letters
  • Conflicted feelings about censorship in the Russian government
  • Google and the right to be forgotten
  • What you need to do to deal with all these password breaches
  • A demonstration of a stealthy camera snooping app for Android
  • and a quick announcement about Anonymizer

What you never create can't leak

The latest leaked messages to blow up in someone’s face are some emails from Evan Spiegel, the CEO of Snapchat. These were incredibly sexist emails sent while he was in college at Stanford organizing fraternity parties.

These emails are like racist rants, homophobic tweets, and pictures of your “junk”. They are all trouble waiting to happen, and there is always a risk that they will crop up and bite you when you least expect it. If you have ever shared any potentially damaging messages, documents, photos, or whatever, then you are at risk if anyone in possession of them is angry, bored, or in search of attention.

Even if it only ever lives on your computer, you are vulnerable to hackers breaking in and stealing it, or to someone getting your old, poorly erased second-hand computer.

This falls into the “if it exists it will leak” rant that I seem to be having to repeat a lot lately. The first rule of privacy is: think before you write (or talk, or take a picture, or do something stupid). Always assume that anything will leak, will be kept, will be recorded, will be shared. Even when you are “young and stupid”, try to keep a thought for how that thing would be seen in ten years when you are in a very different position. Of course, ideally you are not sexist, racist, homophobic, or stupid in the first place.

How to be forgotten (if you are in the EU)

Earlier this month I talked about the ECJ ruling against Google on the “right to be forgotten.”

Google has now set up a web form and process for making these requests. You need to provide your name, the URLs you want hidden, and an explanation of why the URL is “irrelevant, outdated, or otherwise inappropriate”.

Google will then make the call about whether your request will be honored. They will "assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information. When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."

Remember, this only removes that URL from Google searches for your name, not from other searches, other search engines, or from the underlying website.
