The Looming End of Network Neutrality and How to Protect Yourself

December 13, 2017 by lance in Uncategorized

Let’s get this out right up front. I am a strong advocate for network neutrality. ISPs like Comcast say that these regulations strangle innovation, and that all the concerns about how they might abuse their position are just paranoia.

First a quick review. Network Neutrality is the principle that ISPs should not discriminate between the different sources of traffic on their network. My YouTube, your Facebook, his BitTorrent, her porn site, all should have the same access to, and performance on, the internet. In effect, the internet is like water or electricity, a utility delivered to your doorstep. Those utilities don’t get to control how I use those resources, or limit my ability to plug in certain brands of appliance. Similarly, the utilities should not be able to inject things into the water or send unwanted messages over your electric wires. They are just providing a simple service.

The big ISPs have a long history of abusing their near monopoly status. Way back in 2007, I wrote a blog on how Comcast was blocking BitTorrent traffic. Despite their repeated denials, the Associated Press was finally able to prove that they were.

In 2013, Comcast was called out for injecting code into the websites users were visiting. At that time the code was mostly notifying users that they were close to their data cap. To do this, Comcast is intercepting your connection to the website, reading the content, then modifying it to add their code before sending it on to you. They, and other ISPs, were still at it in 2015 despite all the backlash.

Now in late 2017, partly because of the Network Neutrality debate, we are seeing reports of this again. There is no way to opt out of this, and for most Americans, there is only one choice for a fast network connection where they live. Changing providers is simply not an option.

American ISPs have generally avoided obvious throttling of commercial content because of the threat of enforcement of Network Neutrality regulations, and the possibility of stronger ones to come if they did. They are claiming that if the regulations are removed, they will continue to act in good faith.

While the companies won’t let you opt out, you do have a technical way directly preventing them from messing with your traffic, a VPN. Services like Anonymizer create an encrypted path past your ISP out to the internet. There is no way for the ISP to see the contents of your communication either to modify it, or to throttle it.

If this is an issue that you feel is important too, you can make the issue more visible with some of the techniques and suggestions here.

Hola VPN Service Security Train Wreck

June 03, 2015 by lance in Security Breaches

The Hola peer to peer VPN service suffered a number of very damaging security revelations today including exploit vulnerabilities, exposed administrative tools, & broken architecture impacting 45 million active users of the service.

Snipers at the Watering Hole

February 13, 2015 by lance in Podcast

New targeted web based attacks are like a poacher with a sniper rifle at a watering hole. Anonymity is the key to security against this.

Security implications of Lizard Squad Attack on Tor

January 05, 2015 by lance in Anonymity, Podcast, Tor

Lizard Squad did a bad job of attacking Tor, it could have been much worse.

Canadian privacy services insecure by law.

January 05, 2015 by lance in Anonymity, Canada

HiRes

It looks like people who care about Internet anonymity need to look outside Canada for their providers. It is not just a concern that the Canadian government would be able to subpoena the information, but it is also vulnerable to insider and external attack. If the data exists, it will eventually leak.

Starting today Canadian Internet providers are required to forward copyright infringement notices to their subscribers. This notification scheme provides a safe harbor for ISPs but is also expected to result in a surge in piracy settlement schemes. The new law further causes trouble for VPN providers, who are now required to log customers for at least six months.

Canadian ISPs and VPNs Now Have to Alert Pirating Customers | TorrentFreak

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Chaos Computer Club censored (and me too)

December 08, 2014 by lance in Anonymizer, Censorship, Internet, Podcast, UK

As a result of the "Great Firewall of Britain" the Chaos Computer Club discovered it is being blocked by Verifone. It turns out that ThePrivacyBlog is too!

How to protect yourself against new DarkHotel type WiFi attacks

November 12, 2014 by lance in Computer Security, hacking, Internet, Podcast, Security Breaches

A new APT called DarkHotel conducts very targeted attacks against executives in Asian hotels. There are several things you can do to protect yourself.

Two new attacks on Tor

October 25, 2014 by lance in Anonymity, Bitcoin, Podcast, Security Breaches, Tor

Two new attacks on Tor have recently been published. One inserts malware into software updates, the other compromises bitcoin transactions.

Who do you / can you trust for privacy?

October 22, 2014 by lance in Anonymity, International, Podcast

There are many considerations for which privacy services to choose. Location is one of the most important. What matters in location?

Dropbox and bad password hygiene

October 14, 2014 by lance in Online Privacy, Passwords, Podcast

Empty Cardboard Box The recent incident where attackers posted usernames and passwords for compromised Dropbox accounts really shows the importance of practicing good password hygiene.

GigaOm has one of many articles describing the actual events. The short version is that some hackers have been posting usernames and passwords to Dropbox accounts on a Pastebin page. Dropbox says that they have not been compromised, and that the passwords were actually taken from other websites or through other methods.

If this is true, and it seems reasonable, then those who have been compromised became victims because they reused their passwords across multiple websites. That is probably a bigger security error than choosing weak passwords in the first place.

The security at websites varies widely, usually based on the sensitivity of the information on that site. Banks tend to have better security than news sites or discussion sites. If you use the same password with all these sites, then if any of them is compromised the attacker can simply try your username / password on every other interesting website to see if they work there too.

The solution is to use a different password on every website. They should not be simply modifications of each other but actually completely different passwords. Additionally they should be long and random. This means that they will be impossible to remember, but a password manager or password vault can take care of that for you. It will generate the strong random passwords, fill in the forms for you, and sync between your various computers and other devices. There is no excuse not to use unique and strong passwords with every website, and you will be much safer if you do.

https://www.youtube.com/watch?v=XS7cyv_4o8A

[powerpress]

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Holder is wrong - backdoors and security can not coexist.

October 01, 2014 by lance in apple, Cryptography, legal

In the article below Attorney General Eric Holder said "“It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy”

This is simply not true, and harkens back to the discredited arguments made by the FBI in the 1990’s about the Clipper Chip. It is hard enough to make secure computing systems, and we are not very good at it as all the breaches demonstrate. Intentionally introducing a vulnerability, which is the essential nature of back door or law enforcement access, is madness. If there is a back door, then keys exist, and can be compromised or reverse engineered. It is an added complexity to the system, which is almost certain to introduce other vulnerabilities. Its use would not be restricted to the US. Once it exists every government will demand access.

Social media and the cloud have tilted the balance of power absurdly towards law enforcement. This argument that they must retain access to encrypted cell phones is fatuous.

Holder urges tech companies to leave device backdoors open for police - The Washington Post

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

False sense of security "exposes" escort service customers.

September 09, 2014 by lance in Personal Privacy

Hide head behind laptop

In many cases, a false sense of security causes people to put themselves at much greater risk.

The following article describes a “burner” phone service that re-uses the temporary phone numbers. It appears that number a security researcher received was previously used by a sex worker, who’s customers continued to send pictures and messages to the number after it had been re-assigned.

DOH!

Recycled 'burner' number sends sex worker's clients to security researcher | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Cosplay for Privacy!

September 02, 2014 by lance in Anonymity, Online Privacy

Secret Identity All The Best Dragon Con Cosplayers Fighting For Online Privacy

In a brilliant campaign, IO9 and the EFF is having cosplayers pose with pro-anonymity, pro-privacy, and pro-pseudonymity signs. See the whole set here. The most popular seems to be “I have a right to a Secret Identity!”.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Anonymity is only as stong as the group you are hiding in

August 22, 2014 by lance in Anonymity, Internet, Personal Privacy, Security Breaches, Social Networking

Unknown known

Your Anonymous Posts to Secret Aren’t Anonymous After All | Threat Level | WIRED

This article describes a clever attack against Secret, the “anonymous” secret sharing app.

Their technique allows the attacker to isolate just a single target, so any posts seen are known to be from them. The company is working on detecting and preventing this attack, but it is a hard problem.

In general, any anonymity system needs to blend the activity of a number of users so that any observed activity could have originated from any of them. For effective anonymity the number needs to be large. Just pulling from the friends in my address book who also use Secret is way too small a group.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

July 22, 2014 by lance in Online Privacy

On Sunday I appeared on The Social Network Show talking about general privacy and security issues. Follow the link below for the show’s post and audio. The Social Network Show on KDWN Presents Lance Cottrell — The Social Network Station

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Why Private Browsing Doesn't Exist (and how to fix it)

July 08, 2014 by lance in Anonymity, Guest Post

Thanks to WhoIsHostingThis for providing this informative infographic (click to enlarge). They provide a cool service that allows you to look up the hosting service behind any website.

The Importance of Privacy & The Power of Anonymizers: A Talk With Lance Cottrell From Ntrepid — The Social Network Station

June 30, 2014 by lance in Anonymity, Online Privacy, Personal Privacy

The Importance of Privacy & The Power of Anonymizers: A Talk With Lance Cottrell From Ntrepid — The Social Network Station A recent interview I did, talking about data anonymization and mobile device privacy. Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

The Privacy Blog Podcast - Ep. 20: Censorship, passwords, NSLs and cash

June 04, 2014 by lance in Podcast

In episode 20 of our podcast for May I talk about:

The need to target your privacy efforts
Why your secrets may not be safe with secrecy apps
The possibility of more light shining on National Security Letters
Conflicted feelings about censorship in the Russian government
Google and the right to be forgotten
What you need to do to deal with all these password breaches
A demonstration of a stealthy camera snooping app for Android
and a quick announcement about Anonymizer

What you never create can't leak

May 30, 2014 by lance in Personal Privacy

Shhh finger to lips man

The latest leaked messages to blow up in someone’s face are some emails from Evan Spiegel, the CEO of Snapchat. These were incredibly sexist emails sent while he was in college at Stanford organizing fraternity parties.

These emails are like racist rants, homophobic tweets, and pictures of your “junk”. They are all trouble waiting to happen, and there is always a risk that they will crop up and bite you when you least expect it. If you have ever shared any potentially damaging messages, documents, photos, or whatever then you are at risk if anyone in possession of them is angry, board, or in search of attention.

Even if it only ever lives on your computer, you are vulnerable to hackers breaking in and stealing it, or to someone getting your old poorly erased second hand computer.

This falls in to the “if it exists it will leak” rant that I seem to be having to repeat a lot lately. The first rule of privacy is: think before you write (or talk, or take a picture, or do something stupid). Always assume that anything will leak, will be kept, will be recorded, will be shared. Even when you are “young and stupid” try to keep a thought for how that thing would be seen in ten years when you are in a very different position. Of course, ideally you are not sexist, racist, homophobic, or stupid in the first place.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

How to be forgotten (if you are in the EU)

May 30, 2014 by lance in Google

Do forget note

Earlier this month I talked about the ECJ ruling against Google on the “right to be forgotten."

Google has now set up a web form and process for making these requests. You need to provide your name, the URLs you want hidden, and an explanation of why the URL is "irrelevant, outdated, or otherwise inappropriate”.

Google will then make the call about whether your request will be honored. They will "assess each individual request and attempt to balance the privacy rights of the individual with the public’s right to know and distribute information. When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."

Remember, this only removes that URL from Google searches for your name, not from other searches, other search engines, or from the underlying website.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.