Skip

Alternatives to Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, etc.
June 26, 2013 9:14 PM   Subscribe


 
I thought DuckDuckGo was a good option until I read this blog post. They sound a little jerky the way they handled this critic.
posted by mathowie at 9:24 PM on June 26, 2013 [7 favorites]


Why should the NSA bother with individual sites when they can go upstream to the ISP?
posted by Foci for Analysis at 9:29 PM on June 26, 2013 [11 favorites]


Ops, forgot about SSL encryption.
posted by Foci for Analysis at 9:30 PM on June 26, 2013 [1 favorite]


I was wondering that too. Then I just sort of stopped wondering and assumed they did.
posted by Ad hominem at 9:30 PM on June 26, 2013 [1 favorite]


That's link to DDG isn't ssl.

Those guys can MITM SSL anyway, they can get any root CA they want installed. There are like 50 of them installed by default with windows and I never heard of half of them. Until someone convinces me me they are all legit I'm going to assume at least one Cert authority is working with the NSA
posted by Ad hominem at 9:33 PM on June 26, 2013 [11 favorites]


If most of these services get to any size, they could still get FISA gag orders, and you would be none the wiser. Some of the apps are closed source, which means you've already lost the game, as you just have to trust they are doing what they've said they will.

Totally encrypting everything you do so that the powers that be can't intercept it is HARD, and also relies on everyone you communicate with not fucking up. It's telling that most of the hacking arrests have been when one person screwed up, and then ratted out their compatriots, ala Lulzsec.
posted by zabuni at 9:34 PM on June 26, 2013 [6 favorites]


SSL is only as good as the implementations and the CA system. Which aren't.
posted by ead at 9:35 PM on June 26, 2013 [1 favorite]


When a criminal used Hushmail encrypted email, the government managed to force Hushmail to install a special purpose back door into their encryption implementation (when word got out, it pretty much killed the company). It's just not possible for a for-profit company to really protect your privacy (although some are definitely better than others).
posted by miyabo at 9:37 PM on June 26, 2013 [2 favorites]


Also, what zabuni said: you need all sides of a conversation to play along. You send email from some private server to a friend in gmail, it's just as good as you using gmail. All goes in the same table.

Same symmetry problems for all systems. Not to mention correlation/metadata leakage. Experts can't do it reliably.
posted by ead at 9:38 PM on June 26, 2013 [2 favorites]


Maybe I'm cynical but I don't trust DuckDuckGo.

Part of it is that the founder made his millions by creating a "name database" website that he sold to classmates.com. I can't believe such a person suddenly developed a deep passion for privacy.

Part of it is that DuckDuckGo is a VC-backed company, backed by a VC who backed Zynga. That's a VC who cares about cash on cash returns, not ethics.

Part of it is just a baseless suspicion, similar to the one I had when Dropbox claimed that everything was encrypted client-side. That turned out to be a flat-out lie and was abandoned once they'd reached scale (and the lie was widely revealed).

Part of it is that many of the DDG guys have a strong love of Ayn Rand, Ron/Rand Paul, and Libertarianism. I know that it's possible for somebody to hold fringe political beliefs and also be honest, but those particular beliefs tend to be held by people who oppose customer protections, and I remember that when I'm doing business with them.

And honestly, part of it is simply that DDG doesn't control their upstream networks or the certificate authorities, so even if they're operating in totally good faith, it probably doesn't matter.
posted by grudgebgon at 9:39 PM on June 26, 2013 [41 favorites]


I am really kind of surprised that there are people who don't assume every modern day communication isn't logged or observed in some way.
posted by blaneyphoto at 9:41 PM on June 26, 2013 [8 favorites]


mathowie- did you read the comments on your link and this post linked from your, uh, link? DDG comes off looking actually pretty good, as far as I read it.
posted by Jpfed at 9:41 PM on June 26, 2013 [4 favorites]



I am really kind of surprised that there are people who don't assume every modern day communication isn't logged or observed in some way.


Its comforting to know that somebody is paying attention to me.
posted by Charlemagne In Sweatpants at 9:45 PM on June 26, 2013 [5 favorites]


Those guys can MITM SSL anyway, they can get any root CA they want installed.

Good point, forgot about this. For those interested, read about certificate spoofing and man-in-the-middle attacks and prepare to assume the fetal position.
posted by Foci for Analysis at 9:46 PM on June 26, 2013


I also find it extremely easy to believe that Verisign and the other big SSL certificate authorities have handed over anything these agencies have asked for. There's no reason to expect they would have some special sanctity when it comes to the National Security Letters or FISA warrants or whatever rubber stamp mechanism they're using today.
posted by feloniousmonk at 9:46 PM on June 26, 2013 [1 favorite]


Good point, forgot about this. For those interested, read about certificate spoofing and man-in-the-middle attacks and prepare to assume the fetal position.

You can delete the root certificates from your browser and only add those you explicitly trust.
posted by junco at 9:53 PM on June 26, 2013 [1 favorite]


Which ones do you trust? I don't even trust the ones I self signed.
posted by Ad hominem at 9:56 PM on June 26, 2013


When Microsoft can download and install updates to the OS even after explicitly blocking the 'updates' option in admin mode, then what is left to say?
posted by infini at 9:57 PM on June 26, 2013 [5 favorites]


Thinking through the infrastructure implications of eavesdropping on SSL got me thinking about some additional uses for this kind of data. I'm sure I'm not the first person to think of this, but SSL aside, if you aggregate IP traffic for the entire internet with cellular traffic for the entire cell network you can geolocate a particular lP address and then determine what cellphones were physically colocated, potentially connecting anonymous internet activities with real identities and the people they associate with. There are just so many uses for this data. It boggles the mind as it is and we are all probably still in ignorance of the true scope of these programs. It's like quantitative trading, but instead of pumping out buy orders it's an algorithmic surveillance system feeding everything it can gather about our lives into who knows what. I can't find a descriptor to adequately convey my disdain.
posted by feloniousmonk at 9:59 PM on June 26, 2013 [2 favorites]


prism-break.org
That's link to DDG isn't ssl.
When you go to http://duckduckgo.com it automatically redirects you to https://duckduckgo.com
Those guys can MITM SSL
While a man in the middle attack is theoretically possible I actually think it might be impossible to pull off en-mass without the cooperation of the people running the service. I mean look what happened when Iran tried it? They were caught immediately because the browsers all noticed the fingerprint changed unexpectedly.

So, if you try to 'narrowtarget' an a man in the middle attack, the browser will notice that the fingerprint changed unexpectedly from before you were being narrowtargeted.

On the other hand, if you tried to replace the cert for everyone, the people involved might notice the fingerprint changed if they used it from a computer that wasn't being excluded, and some people might try to confirm the fingerprint.

So ultimately if you try to guard against MTM by verifying the key fingerprint then it should work unless the NSA has AIs powerful enough to modify all electronic communications in real time, which strikes me as unlikely.
When a criminal used Hushmail encrypted email, the government managed to force Hushmail to install a special purpose back door into their encryption implementation (when word got out, it pretty much killed the company). It's just not possible for a for-profit company to really protect your privacy (although some are definitely better than others).
So, what actually happened is that Hushmail delivered a special version of their crypto libraries (I believe in a Java Applet) with a backdoor. Only the person targeted was affected, it wouldn't have allowed the NSA to spy on everyone. Had they tried, it would probably have been noticed right away. It would be obvious that the bytecode changed, and there are least a couple users, I'm sure, who would notice the change.
When Microsoft can download and install updates to the OS even after explicitly blocking the 'updates' option in admin mode, then what is left to say?
Use Linux?
posted by delmoi at 10:00 PM on June 26, 2013 [10 favorites]


I am really kind of surprised that there are people who don't assume every modern day communication isn't logged or observed in some way.

I think most people realize that there's a record of every electronic communication somewhere. People -- myself included -- do assume that any given communication is the most infintesimal drop in the largest imaginable bucket and that it is vanishingly unlikely that any specific (viz., not aggregated) record of it will ever be purposefully examined by any third party.

I still think this is a safe assumption in 99.9999...% of cases. Which is not to express support for PRISM or surveillance -- just my assessment of the actual day-to-day state of play.
posted by eugenen at 10:01 PM on June 26, 2013 [5 favorites]


It's kind of hard to articulate why I don't think it's safe to trust the root SSL authorities, or at least Verisign in particular, without it verging into conspiracy territory, but I'm not entirely sure that's unwarranted here. Verisign (and Network Solutions, who I believe originated the SSL business and then sold it) is based in Northern Virginia. I think they don't need to modify the root certs to spy on anyone because they got copies of them they day they were generated. Maybe I am missing something, I'm no crypto expert. I hope so.
posted by feloniousmonk at 10:09 PM on June 26, 2013 [2 favorites]


Which ones do you trust? I don't even trust the ones I self signed.

Well, that's a good point, but assuming that you don't think the Three-Letter-Acronym of your choice has undisclosed knowledge of a method to crack strong RSA (Snowden says they don't, FWIW), or of an attack against TLS setup, AND you trust the other party not to cooperate and to implement encryption competently, you can trust it. Big "ifs" there, but in ascending order.

When Microsoft can download and install updates to the OS even after explicitly blocking the 'updates' option in admin mode, then what is left to say?

How about "don't use closed-source software"?
posted by junco at 10:10 PM on June 26, 2013


We rolled out Blue Coat enterprise wide and nobody noticed. Granted that is not a country, but not one of 20k people noticed fingerprint changes.

I also change my own certs on my own sites, all self signed with my own root CA, and my browser never complains.

So I don't think the browser actually stores a fingerprint for very long if at all.

I could see it complaining if some shit changed while I was in the middle of checking my balance though.
posted by Ad hominem at 10:11 PM on June 26, 2013


The noise on Hacker News is now claiming that even using (currently-)unbreakable encryption is meaningless, since the government agencies will store all encrypted transmissions indefinitely until some new tech (like quantum computing) comes out that will decrypt everything.

I'm not quite sure how to even think about that, other than being mildly impressed since I grew up hearing stories about the complete technological incompetence of the FBI (like they had to go to a local library to access the internet). It turns out that quite a number of smart people went into government, in addition to businesses like Amazon, to build technologically amazing stuff.
posted by meowzilla at 10:13 PM on June 26, 2013 [1 favorite]


The noise on Hacker News is now claiming that even using (currently-)unbreakable encryption is meaningless, since the government agencies will store all encrypted transmissions indefinitely until some new tech (like quantum computing) comes out that will decrypt everything.

So, 10 years from now they could go back and read your old files?
posted by bongo_x at 10:16 PM on June 26, 2013 [1 favorite]


Distributed and Federated with strong controls for friend locking via strong encryption and FOAF/Web of Trust concerns (a la PGP/GPG) is really the only way forward, IMO.

The biggest issue we have is the centrality of the web. I won't even say "net" because let's face it, most of the old ways have died off as a core feature. Yes, we use SFTP/SSH, but that's for the hardcore nerds or people who have to do it for their jobs but never think about it otherwise. Nobody uses Archie anymore. Gopher, well, there's some people trying that. But that, obviously, is less secure than the web, AFAICT based on its architecture. E-mail, well, we all know that in itself e-mail is weak, and SSL as pointed out above combined with CA issues (again - centrality and flawed trust)...

I really don't know what we can do, but I know that continuing to place our trust in large service providers is not the way forward for those of us who were fortunate enough to use the net pre-2000 (yes, I know, yada yada, eternal september, etc...)

There are tons of projects out there that are working on federated social networks, whether by friendica/identica/pump.io, the gnu project, appleseed, diaspora and tons of others that I can't recall off the top of my head.

What I want to know is why... Why are we not seeing the hackers really pushing on this stuff? Is it because "money"? I mean, everybody works the web for a dayjob, so they work on projects that continue to feed the machine. Back when everything was less about the money (hahaha, DARPA? I mean there was money to be made, of course, but not commercial money, just federal money at research institutions) so they had more an incentive to explore things... I just... I mean, great, we've got Linux, but what good is that, when you've got SELinux integrated into the kernel since 2003? Why would I trust it? Because "open source"? The rest of the open source projects, what do you have? Ubuntu is now selling out to Amazon.

You've got bitcoin, bittorrent as the only new protocols really, that I can think of that have made any waves. Obviously protocols don't mean shit if they don't push forward the cypher/crypto angle or at least work in some ways to push towards decentralization. And we all know bitcoin isn't particularly secure for privacy due to the transactional history.

I2P, cjdns, and other projects to work around the DNS system are one part of the puzzle. But in the end, there are so many layers and levels required for trust and any link in the chain can be the weak one.

The OS? Hmm, maybe something got in there, and nobody caught it, even under open source. Especially if written with the support of large institutions, but even without, one never knows who the contributors are, or their motives. The bazaar, sure, is better than the cathedral, but...

Protocols? You need anonymity, you need encryption, you need decentralization.

Web of trust in connections.

And in all this, you STILL need to make it so people can access the mainstream internet, because who the hell is going to totally drop off this beast that we've created?

And any second too many people drop off into alternative systems, you know they're gonna be tailed and watched by the system as a potential danger, cuz "Hey, what are you trying to hide?" The more successful a project is, the more in danger it becomes of being compromised...
posted by symbioid at 10:17 PM on June 26, 2013 [7 favorites]


That they have the data is bad enough. The potential for faulty inferences is what really scares me. E.g., I'm sure a lot of people have SSL enabled by default with Google and Facebook today, but a historical archive of your traffic, even without breaking into SSL payloads, reveals when you turned it on. What does it mean if you turned it on the day it became possible? What do they think that means?
posted by feloniousmonk at 10:19 PM on June 26, 2013 [1 favorite]


They are going to be way out of the loop on what I pinned on pinterest. hahaha FBI, I already got all the shit off my amazon wish list. Thanks for buying me another copy of Born Sinner though.
posted by Ad hominem at 10:19 PM on June 26, 2013 [1 favorite]


meowzilla: " It turns out that quite a number of smart people went into government, in addition to businesses like Amazon, to build technologically amazing stuff."

I just heard about In-Q-Tel last night and did some reading. Who knows how nefarious it is, but it certainly is one push The Agency had in working with public/private partnerships to gain technology for their own benefit.
posted by symbioid at 10:21 PM on June 26, 2013


I also change my own certs on my own sites, all self signed with my own root CA, and my browser never complains.

I think you must have imported your root certificate into your browser, then, because I do the same thing and I always get the alert in Firefox.

The noise on Hacker News is now claiming that even using (currently-)unbreakable encryption is meaningless, since the government agencies will store all encrypted transmissions indefinitely until some new tech (like quantum computing) comes out that will decrypt everything.

That's likely true, if a practical quantum computer is ever produced. I will also point out that Google and NASA have publicly purchased one of D-Wave's supposed "quantum computers", as has Lockheed-Martin.

It's kind of hard to articulate why I don't think it's safe to trust the root SSL authorities, or at least Verisign in particular, without it verging into conspiracy territory, but I'm not entirely sure that's unwarranted here. Verisign (and Network Solutions, who I believe originated the SSL business and then sold it) is based in Northern Virginia. I think they don't need to modify the root certs to spy on anyone because they got copies of them they day they were generated. Maybe I am missing something, I'm no crypto expert. I hope so.

Verisign / Network Solutions' history points pretty clearly to government involvement, but they would need Google's (or whoever's) private key to decrypt their traffic. Although imagining that they haven't acquired Google's private keys somehow is perhaps naive.
posted by junco at 10:23 PM on June 26, 2013


Ultimately the only protection would be legislation and policy that protect privacy. As individuals we are increasingly powerless here.

Good luck with that? Cross your fingers, it's the only hope we've got left.
posted by justsomebodythatyouusedtoknow at 10:23 PM on June 26, 2013 [2 favorites]


Searching for news articles in the 2005-2007 time range should bring up a lot of the stuff that was being discussed on these things, including the sec supported VCs and the startups or tech they were investing in. In the subsequent chaos of 2009-2011 when it seemed like the whole web fragmented into incredulous and random so called news and pr, the short term memory of the hive mind was compromised.
posted by infini at 10:25 PM on June 26, 2013


think you must have imported your root certificate into your browser

I have it in the windows root CA store. Installed with the MMC snapin. Could just have easily been done with a GPO.

I gotta double check this now because you and delmoi both said my browser should notice a fingerprint change.
posted by Ad hominem at 10:28 PM on June 26, 2013


Also, I wonder if the bitcoin blockchain couldn't be used to avoid MTM attacks. Bitcoin is built on public-key crypto, but it has a single 'blockchain', which contains a record of every single transaction. It's several gigabytes at this point, and here is a way to sign messages as being from a person who controls a particular bitcoin address.

So how would you do a man in the middle attack on someone who used this protocol?

1) Alice downloads the bitcoin client and blockchain
2) Bob sends Alice a tiny amount of bitcoin, and she sends it to a third address
2) Alice and bob both GPG private keys.
3) Alice and bob both sign their GPG keys using the their bitcoin private keys, and transfer the signed messages to the other person.
4) Alice and bob verify the signatures on the GPG keys they got.
5) Alice and bob communicate using those GPG keys.

So, how does 'Marry' here do an MTM attack? It seems like she would need to create an entire fabricated blockchain, and intercept any attempt to download it from anywhere. But in order to do that, they also need to prevent any attempt by Alice or bob to verify the blockchain with someone else who's also on the bitcoin network.

Furthermore, it would require that the attacker has enough 'hash power' at their disposal as has ever been used by the entire bitcoin network.

Basically, in order to "mine a block" of bitcoin, you need find a random number that has a hash is a binary number below a certain threshold. Right now you need to create a fake block at the current difficulty, you would need to calculate about 178 quadrillion SHA-256 hashes, and you'd need to calculate 243,534 of them (I guess the average would be about a quarter of that)

And if you did that, you would need to make sure that you were able to MTM both sides of the transaction from the bitcoin network. But, that could be defeated by someone simply by asking someone else to generate a hash of part of the block chain, and send you the result. And that could be defeated simply by verifying the hash of the blockchain with another user.

And, of course if a user already has the bitcoin client, and already has an address, that wouldn't be possible.

So in a way the bitcoin blockchain is essentially a 'shared secret' that's shared between the entire world.

I'm not saying a system like this would be foolproof, but how exactly could it be defeated?
posted by delmoi at 10:35 PM on June 26, 2013


I mean, great, we've got Linux, but what good is that, when you've got SELinux integrated into the kernel since 2003? Why would I trust it? Because "open source"?

The Linux kernel has a huge number of talented people's eyeballs poring over it. There are plenty of people whose main role is just to review everyone else's changes. Nothing goes into the kernel without going through the public mailing lists first.

I'm not saying the kernel is bug-free, or even uniformly high-quality code, but the idea that the NSA created SELinux to sneak in a backdoor is extremely far-fetched.
posted by teraflop at 10:37 PM on June 26, 2013 [4 favorites]


So how would you do a man in the middle attack on someone who used this protocol?

Doesn't this scheme require Alice to send Bob her Bitcoin address? If she can do that securely, she can just send a public key and use GPG. What do you gain by involving Bitcoin?
posted by teraflop at 10:40 PM on June 26, 2013 [1 favorite]


I'm a fan of blekko for searches. Their privacy policy is quite good and from conversations with them (I met the founders, but don't have any continuing relation with them) and they seem quite committed to privacy. They don't tout this much as there isn't a great commercial advantage in this (or hasn't been).

Good for some subject matter searches (recipes, medical advice) as some of their search results are human curated (one of their founders used to be involved with dmoz).
posted by el io at 10:48 PM on June 26, 2013


Why should the NSA bother with individual sites when they can go upstream to the ISP?

Calyx has something to say about that. They're working on ISP backend stuff that encrypts everything up and down the chain and log as little as possible, so that even when they do get asked (they say that their privacy policy would be to purposefully not cooperate) they can say "sorry, no can do".
posted by Evilspork at 10:51 PM on June 26, 2013 [1 favorite]



That they have the data is bad enough. The potential for faulty inferences is what really scares me. E.g., I'm sure a lot of people have SSL enabled by default with Google and Facebook today, but a historical archive of your traffic, even without breaking into SSL payloads, reveals when you turned it on. What does it mean if you turned it on the day it became possible? What do they think that means?
Well, they can find out exactly what it means since Facebook and Google are prism partners. Either way, SSL is enabled for every single person on both platforms now.
That's likely true, if a practical quantum computer is ever produced. I will also point out that Google and NASA have publicly purchased one of D-Wave's supposed "quantum computers", as has Lockheed-Martin.
The D-Wave is super-sketchy and doesn't even claim to do 'traditional' quantum computing. It can't break crypto or do integer factorization or anything like that, as far as I know. It might be useful for protein folding or something like that, but it's not clear that classical computers couldn't do better:
But of course, D-Wave’s claims—and the claims being made on its behalf by the Hype-Industrial Complex—are far more aggressive than that. And so we come to the part of this post that has not been pre-approved by the International D-Wave Hype Repeaters Association. Namely, the same USC paper that reported the quantum annealing behavior of the D-Wave One, also showed no speed advantage whatsoever for quantum annealing over classical simulated annealing. In more detail, Matthias Troyer’s group spent a few months carefully studying the D-Wave problem—after which, they were able to write optimized simulated annealing code that solves the D-Wave problem on a normal, off-the-shelf classical computer, about 15 times faster than the D-Wave machine itself solves the D-Wave problem!
There are also crypto algorithms that can't even be theoretically broken with a quantum computer.
posted by delmoi at 10:57 PM on June 26, 2013


Unless you are actually breaking the law, what is the point of all of this? I can understand the position of being against these programs. This is a policy position.

But why go to this amount to protect communications which you don't really need to protect because the value of the information in there is low? A person is infinitely more likely to suffer measureable harm by a criminal exploit against personal financial data than any government program. And encryption draws attention.

I can get the, "its cool to have the latest secrecy" deal, its like cars. But unless you're paying for security, it doesn't really help to pick some new service that collects user data to use in advertising in exchange for free use by the public. That data is going to be vulnerable because it is the product sold by the company for profit. The biggest security issue out there is the 'free' internet. Its built on selling data.
posted by Ironmouth at 11:11 PM on June 26, 2013 [1 favorite]


(they say that their privacy policy would be to purposefully not cooperate) they can say "sorry, no can do".

How do they 'not cooperate' with a court order? That's laughable. If they defied the order, the judge just jails the CEO until compliance. Which would come swiftly.
posted by Ironmouth at 11:14 PM on June 26, 2013


But why go to this amount to protect communications which you don't really need to protect because the value of the information in there is low?

Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance

"If the federal government can’t even count how many laws there are, what chance does an individual have of being certain that they are not acting in violation of one of them?"
posted by Blazecock Pileon at 11:15 PM on June 26, 2013 [19 favorites]


Unless you are actually breaking the law, what is the point of all of this

That's kinda my position. If they want to get me, they are going to get me no matter what I do. If I'm going to break the law,I'm not going to use my own computer or Internet connection.

I'd get a cheap netbook and get on someone else's wifi.
posted by Ad hominem at 11:16 PM on June 26, 2013


Unless you are actually breaking the law, what is the point of all of this?
People like privacy?

Do you remember the recording Jodi Arias made of her phone call to whatever his name was? Do you think he would have said she "screamed like a 12 year old" or that he wanted to tie her to a tree and, quote, "put it in her butt" if he knew he was being recorded? There are probably lots of couples who have similarly graphic conversations all the time.

Privacy is an end unto itself. It's like asking why people want money above a certain amount or a hot girlfriend/boyfriend. They are just things people want.
That's kinda my position. If they want to get me, they are going to get me no matter what I do. If I'm going to break the law,I'm not going to use my own computer or Internet connection.

I'd get a cheap netbook and get on someone else's wifi.
Why? If you use public wifi, your face or license plate will probably show up on security camera footage somewhere.
posted by delmoi at 11:25 PM on June 26, 2013 [3 favorites]


Because I'm not an American citizen and your laws can barely protect women or minorities in their own country?
posted by infini at 11:29 PM on June 26, 2013 [2 favorites]


But unless you're paying for security, it doesn't really help to pick some new service that collects user data to use in advertising in exchange for free use by the public. That data is going to be vulnerable because it is the product sold by the company for profit. The biggest security issue out there is the 'free' internet. Its built on selling data.
I've made money off free websites without collecting any user data, I just used an affiliate program related to the site content. When you have a search engine you can simply serve ads related to the search terms. You don't need to know anything about the user.

(I only made about $1,000 a year but could have made $100k with 100x the traffic :)
posted by delmoi at 11:31 PM on June 26, 2013


Unless you are actually breaking the law, what is the point of all of this?

Two things. First, this old chestnut disputably attributed to Cardinal Richelieu: If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him. Given recent events, it seems nearly anyone who runs afoul of nearly any government or LE official is potentially vulnerable to the "Richelieu" treatment.

And also, we do plenty of things that are both private and legal but that we do not want observed. I for example, don't usually want other people to watch me take a dump.
posted by digitalprimate at 11:34 PM on June 26, 2013 [15 favorites]


Ultimately the only protection would be legislation and policy that protect privacy.

Laws about what kind of surveillance is legal and illegal haven't made much of a difference in the past.
posted by ceribus peribus at 11:39 PM on June 26, 2013 [2 favorites]


I ask "what do they think it means?" in the sense of what flag does it flip in your individual NSA citizen profile when they become aware you're an early adopter of things like pervasive SSL? The actual scenario that flips the flag and what the flag represents are arbitrary. This kind of data represents a massive collection of "facts" which one can interpret and draw inferences from, but these interpretations and inferences are informed by preexisting biases, which is where I start to get worried.

Instead of six lines from the hand of an honest man, there is a record of all browsing history from drunken late night porn to random ebay expeditions to quotidian wikipedia searches and participation in online forums, including anything that was posted or uploaded. All of this can be correlated with every database they have access to now or gain access into the future, generating a timeline of your life and daily activities. The level of detail is proportional to connectedness. If you carry a cellphone, they know where you've been, if you frequently text your spouse, they have copies, if you've been emailing your mistress, they have that too. They probably have debit/credit purchase history, too.

There's no reason to assume they'll ever throw anything away, either. If you've ever signed into LinkedIn or Facebook and were surprised by the random person they pulled from deep out of your past and suggested to you as a connection, well, did that with significantly less data.
posted by feloniousmonk at 11:40 PM on June 26, 2013 [3 favorites]


Why? If you use public wifi, your face or license plate will probably show up on security camera footage somewhere.

I've thought about that. I'm pretty sure IR cameras that can catch me at night can be foiled with a bright IR source that nobody will notice. I just need to get someplace away from my apartment where there are enough people to get lost in the crowd and turn it on.

I'll take the subway to grand central, walk into a crowd of people in one of the older tunnels with no visible cameras and lots of exits. turn it on and walk out into the night.

Should be easy to find wifi in midtown.

I'm still torn on how to rid of the netbook.
posted by Ad hominem at 11:43 PM on June 26, 2013


Information wants to be free is a slogan of technology activists invoked against limiting access to information. In 1990 Richard Stallman restated the concept:
I believe that all generally useful information should be free. By 'free' I am not referring to price, but rather to the freedom to copy the information and to adapt it to one's own uses... When information is generally useful, redistributing it makes humanity wealthier no matter who is distributing and no matter who is receiving.
Stopping terrorist attacks is generally useful.
posted by stbalbach at 11:44 PM on June 26, 2013 [1 favorite]


Someone could (and surely already does) make pretty good money selling secure systems to regular folk right about now, funk soul brothers. Sell people encrypted anonymous wireless internet access that makes them feel pretty and ready to do thoughtcrime without the time.
posted by pracowity at 11:47 PM on June 26, 2013 [2 favorites]


If you sign into public WiFi often enough, the data exists to statistically correlate that to cellphone numbers active in the vicinity and determine your identity that way. You don't need to sign into any sort of trackable service, the combination of your browser user agent, operating system, plugins, and cookies is likely enough to uniquely identify your browser even if you remember to avoid signing into a service that associates to your identity. Of course, you can just not carry a cellphone, but that's hardly a solution.
posted by feloniousmonk at 11:52 PM on June 26, 2013 [1 favorite]


Unless you are actually breaking the law, what is the point of all of this?

It's also hard to behave within the confines of secret laws, decided and ruled upon in secret. How do we know we're not breaking some law or another with the conversation in this thread, for instance? It's unlikely, perhaps, but who knows what will be secretly illegal tomorrow?
posted by Blazecock Pileon at 12:05 AM on June 27, 2013 [5 favorites]


I've thought about that. I'm pretty sure IR cameras that can catch me at night can be foiled with a bright IR source that nobody will notice.
Okay, well good luck with that.

Just to clarify, are you saying you would do all of that but as opposed to using the latest crypto? Because you know you can do both right?

The problem is the more stuff you do to cover your tracks the more obvious you are, like, for example putting a super-bright IR LED on a hat or something. Why not just buy a t-shirt with blinking LED lights spelling out the word 'INCONSPICUOUS' on it? That would probably be as effective.
Of course, you can just not carry a cellphone, but that's hardly a solution.
Uh, actually that is a solution, at least to that particular problem. The browser signature can be fixed by using a custom user agent, disabling javascript and flash. (And it won't correlate to your 'normal' computer because you're using a special netbook). Doesn't mean it won't do more harm then good.
posted by delmoi at 12:11 AM on June 27, 2013


Of course all this is predicated on me being some kind of movie hacker that is always whipping up visual basic apps to track IPs or hacking gibsons or something, possibly with awesome spikey purple hair.

I mean in the real world I'd have to make contacts and lay groundwork to do anything interesting. I guess I could deface a bunch of web sites, that would be easy, but also pretty lame.

I'd have to find something worth doing the time for. Some kind of awesome electronic heist where I steal all the half pennies from the federal payrole or something.

But if I was a movie hacker I'd have like 100 proxies already and have my signal bounced of 3 satellites or something , have some kind of prototype computer nobody has ever seen and run BeOS. I wish I could do that.

I must be getting old, being a cyber criminal doesn't sound fun at all anymore.
posted by Ad hominem at 12:11 AM on June 27, 2013 [3 favorites]


Of course, you can just not carry a cellphone, but that's hardly a solution.

It is the only solution. Indeed with all the focus on spying on the wire, the traditional cloak and dagger methods are going to be more secure than ever. It will be increasingly harder to send government stooges out into the field to do surveillance work as they become accustomed to sitting behind behind a terminal in air-conditioned comfort. Losers.

It's unlikely, perhaps, but who knows what will be secretly illegal tomorrow?

The CENTRAL SCRUTINIZER warned us about this..."it is my responsibility to enforce all the laws that haven't been passed yet..... Our studies have shown that this horrible force is so dangerous to society at large that laws are being drawn up at this very moment to stop it forever! Cruel and inhuman punishments are being carefully described in tiny paragraphs so they won't conflict with the Constitution (which, itself, is being modified in order to accommodate THE FUTURE)."
posted by three blind mice at 12:13 AM on June 27, 2013 [8 favorites]


The problem is the more stuff you do to cover your tracks the more obvious you are, like, for example putting a super-bright IR LED on a hat or something

I bet any remote could blind a camera if you pointed it directly at it. And you can't see that light.

We are kinda getting off in the weeds here since this is all based in me committing crimes, not random people not wanting the NSA getting ther Facebook status. I gotta come up with a good crime first.
posted by Ad hominem at 12:15 AM on June 27, 2013


I bet any remote could blind a camera if you pointed it directly at it. And you can't see that light.
I... think you should really test that theory before you rely on it being true. :P
posted by delmoi at 12:19 AM on June 27, 2013 [1 favorite]


You probably reflect more IR off your wristwatch bezel on a cloudy day than a wimpy little IR LED spits out.
posted by floam at 12:28 AM on June 27, 2013 [1 favorite]


I dunno guys. Dude in the comments seems to think you can do more with a remote than you think.

Obviously I have to test it.

I think it is feasible although completely ridiculous for me to to commit my heists from a street corner wearing an LED had on new years eve so nobody notices how outlandish I look and all the cops are preoccupied.

I would just pay Russian hackers to commit my heists.
posted by Ad hominem at 12:36 AM on June 27, 2013


Unless you are actually breaking the law, what is the point of all of this?

Before I answer that question, I'm going to need to see pictures of your last three bowel movements.

(I'm kidding, please don't send me pictures of your poops)

Of course, you don't get to decide whether the government thinks you committed a (secret) crime or not.
posted by dirigibleman at 12:54 AM on June 27, 2013


I would just pay Russian hackers to commit my heists.

They would love that model. That way they get your money and the money from the heist.
posted by jaduncan at 12:54 AM on June 27, 2013 [2 favorites]


without any privacy concerns

eyeroll.

as for this: Unless you are actually breaking the law, what is the point of all of this?

Well, it's the principle of the thing.

And the principle is: "It's none of your business why I want privacy."
posted by chavenet at 1:26 AM on June 27, 2013 [6 favorites]




Unless you are actually breaking the law, what is the point of all of this

By breaking the law, you must mean globally collecting data on citizens where it is illegal to do so? The point of this is to prevent that kind of criminal abuse. Surely one can trust Booz Allen Something to not hire corporate spies, government agents, corrupt officials, whistleblowers, mafia? They spectacularly failed on at least one of those.
posted by romanb at 3:27 AM on June 27, 2013 [1 favorite]


SSL MITM attacks can be mititaged by using Perfect Forward Secrecy. Even if the root cert is known to the MITM attacker, they need to brute force the per-session key in order to decrypt the session.

Read about PFS here: http://en.wikipedia.org/wiki/Perfect_forward_secrecy
posted by Jerub at 3:46 AM on June 27, 2013


As far as the whole certificate swiping / future decryption goes, there have been some significant improvements on that front in recent years. Back in 2011 Google enabled (perfect) forward secrecy, which uses a per-session key for encrypting traffic - which means you really do have to individually crack all of the collected data, it's not sufficient to simply acquire the private key in the future.

On the certificate authority/MITM front, the Chrome folks also added certificate pinning, which is intended to defend against CA's becoming compromised, like the Comodo hack. Furthermore, it seems highly unlikely that any organization could be organizing a large-scale MITM attack against the Internet without being noticed - the sheer amount of traffic the large players deal with makes them very sensitive to the network conditions in the wild, and you can't silence all the network ops guys.

I think most of the current narrative w.r.t. DDG seems blown out of proportion - assuming that organizations are engaging in large-scale traffic sniffing, the list of things you searched for isn't nearly as interesting as what they know: the URLs you actually visited. The privacy issues seem much more significant when it comes to the contents of email, messaging systems, and cellular metadata - much more difficult problems to resolve in the current ecosystem.

Lastly, I'm of two minds when it comes to the "they should just refuse to cooperate!" argument, especially when it comes to Google, Facebook, etc. - these giant megacorps already have loads of wealth and power, and not subordinating them to the laws of the land (even if they are shitty laws) isn't exactly the direction I want things to go.
posted by lantius at 3:47 AM on June 27, 2013


Self-link: Frank is a free private messaging app for iOS. 256-bit AES, keys exchanged privately between handsets, server has no access to messages. No accounts required. Works with pix/audio.
posted by unSane at 4:08 AM on June 27, 2013 [3 favorites]


And 'not co-operating' with lawful requests is not something any business is every going to do and stay a business. The solution is to design the underlying transport protocol in a way that makes co-operating with lawful requests not very useful.
posted by unSane at 4:09 AM on June 27, 2013


Here's a video of the Duck Duck Go founder speaking at my conference in New York a few weeks back.
posted by mark7570 at 4:23 AM on June 27, 2013


Part of it is that DuckDuckGo is a VC-backed company, backed by a VC who backed Zynga. That's a VC who cares about cash on cash returns, not ethics.
Are there any VCs that don't prioritize cash return over all else? Not using web services backed by VC is like eating vegan. You can pull it off, but you really have to completely change your diet and your eating habits. No more big fancy search engines, no more oh-so-convenient "cloud" apps, etc. – scale your expectations of the web back to 1995, if you want an idea what it would be like.
posted by deathpanels at 4:34 AM on June 27, 2013


Unless you are actually breaking the law, what is the point of all of this?

Because: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did
posted by RonButNotStupid at 4:49 AM on June 27, 2013 [1 favorite]


The solution is to design the underlying transport protocol in a way that makes co-operating with lawful requests not very useful.

Until they outlaw such transport protocols because using them is effectively choosing not to cooperate with the law.
posted by pracowity at 4:52 AM on June 27, 2013


I'm not sure how you imagine that would work.
posted by unSane at 5:14 AM on June 27, 2013


(since all it requires is Diffe-Hellman key exchange followed by encrypted traffic, ie server-proof. There's no way to distinguish this from regular SSH traffic)
posted by unSane at 5:16 AM on June 27, 2013


See, but are they monitoring iAlQaeda and myJihadi? I doubt it.
posted by nowhere man at 5:41 AM on June 27, 2013


Unless you are actually breaking the law, what is the point of all of this?

who's to say the people accessing your information are just interested in whether you broke the law? - they might be interested in whatever trade secrets you have, who you're doing business with, whether you're talking with a "headhunter" or another company, what products your company is planning to release, all sorts of things that could conceivably make someone thousands or millions of dollars for someone who managed to get the information you wanted private

and how do we know that the people in those agencies who are doing the grunt work aren't going to be willing to take a little extra money to pass information on to parties that could profit from it? - how do we know that private monitoring agencies aren't doing the same thing, concentrating on a small set of people who interest them?

you don't have to break the law to have secrets that could harm you and your interests if they were discovered - look at how many times albums get put out on the net before the artists officially release them - look at how many times industrial or trade secrets have been discovered by competitors

don't you think gm could be very interested in what ford employees are searching for with google - do you think that everyone google hires is so honest they wouldn't slip that information to someone who would pay them generously? - what about the NSA? - yeah, they vet their employees thoroughly, don't they?

there's so many scenarios where non-lawbreaking people and companies can be targeted for espionage without the law ever being involved
posted by pyramid termite at 5:47 AM on June 27, 2013 [10 favorites]


Are there any VCs that don't prioritize cash return over all else? Not using web services backed by VC is like eating vegan. You can pull it off, but you really have to completely change your diet and your eating habits. No more big fancy search engines, no more oh-so-convenient "cloud" apps, etc. – scale your expectations of the web back to 1995, if you want an idea what it would be like.

Use open source and self-host.
posted by jaduncan at 5:47 AM on June 27, 2013


This is why all my secure communications are done using hand-written letters sent through snail mail. NOBODY tracks that shit any more.

Actually it's probably the best way. Start a company, sell something innocuous, and in the packages to your Secret Contacts, include written instructions along with the product and packing slip. Stick them somewhere inside the product information booklet if necessary.

Could work. And would not leave a trail, aside from the fact that a person ordered a product. If the product was office supplies or some such, even better, because it's ubiquitous enough to be not very noticeable. So long as your prices are reasonable. Return communication could be difficult though... Too many RMAs for faulty ink pens and someone will catch on.
posted by caution live frogs at 5:54 AM on June 27, 2013 [1 favorite]


On the contrary, clf: the US government has admitted that they scan and record the outside of every letter and parcel sent through the USPS. The list of who you communicate with by mail is available to any agent of the US government with a need to know (and probably some that don't, as well as people working for GCHQ and other agencies who act in concert with the NSA).
posted by pharm at 6:07 AM on June 27, 2013 [1 favorite]


pyramid termite hits the nail on the head with the far more realistic issues around this global access and activity. Imho its not really a case of "how do we know" since we do know the State Department is actually a trade and market opening emissary already.

America’s secretary of state often plays the role of lead US salesman abroad, urging governments to buy products and to facilitate foreign investment.

As such, American executives have been pushing John Kerry hard to get India to further open its markets to American investors.

But as Kerry’s agenda unfolds here at the start of his three-day visit, it’s becoming increasingly clear that he won’t fulfill those demands — at least not publicly.

posted by infini at 6:15 AM on June 27, 2013


Use open source and self-host.
Are you serious? Even if you don't use EC2 to host, any company backed by VC is still going to be beholden to monetization concerns. And if you're a company like Facebook who had no monetization plan to begin with aside from "I guess we'll sell ads," the people who control your funding are going to want more – e.g., they're going to want you to sell your data, in some way, to pay back the outrageous loans they've been giving you to keep your operation going.

I've said it before, but I'll repeat myself. There is no free lunch. You cannot take money from private funding and make a company that does not function like every other company in a capitalist system, beholden to its financiers, and trying to somehow generate revenue from its assets. If your company is not selling a product, your only asset is your users. So you sell your users' data. This isn't difficult to understand.

The web we all expect these days is completely free, yet allows us to interact seamlessly with our contacts and share all manner of private data, with absolutely zero effort on our part. There are only two solutions to this. The populist solution: strong privacy laws are passed, ideally with international agreements to keep Apple and Google from simply moving their data-mining operations to Nigeria. The individualist (slash techno-libertarian) solution: nothing changes, we can't trust corporations with our PII, so we'll just have to go develop our own open-sourced encryption algorithms and stop using Facebook and its ilk for sensitive data. The second solution is probably more secure, but requires every person to be an internet security expert, not to mention a lot of actual work to develop the required software – and even then, you have to trust that the NSA or whoever isn't quietly committing code to the project to introduce very subtle and undetectable backdoors.

So yeah, no.

(Of course, this isn't to say that a company like Netflix who does charge for its service isn't exploiting its private data as well, but if you have no other revenue streams, you're pretty much guaranteeing that you'll have to sell your data at some point, and you're just holding out until you have enough users to be worth it.)
posted by deathpanels at 6:15 AM on June 27, 2013 [2 favorites]


Are you serious? Even if you don't use EC2 to host, any company backed by VC is still going to be beholden to monetization concerns.

I will be clearer. As a user, you can use self-hosted open source things if you wish to avoid VCs. The power of open source is precisely that a lot of projects don't try to monetise beyond donations.
posted by jaduncan at 6:24 AM on June 27, 2013 [1 favorite]


The privacy claims of DuckDuckGo never really sold me. I just like it for the ! syntax. For example; !mefi hamburger. !scholar duck necrophilia. !wiki Simpson's Rule. !rseek raster. Having DDG set as the default search engine in my browser has changed the way I use the internet.
posted by Jimbob at 6:40 AM on June 27, 2013 [2 favorites]


But why go to this amount to protect communications which you don't really need to protect because the value of the information in there is low? ... And encryption draws attention.

Exactly why we should encrypt everything, so that it stops standing out.

Separately, all the tinfoil-netbook antics aren't going to do much good unless everyone you're communicating with is also employing them. Just three regular contacts is plenty enough to identify you, especially if you were formerly associated with a network and suddenly went dark on your usual channels.
posted by bonaldi at 6:43 AM on June 27, 2013


I'm pretty sure IR cameras that can catch me at night can be foiled with a bright IR source that nobody will notice.

Something like this, for example?
posted by elizardbits at 6:46 AM on June 27, 2013 [1 favorite]


Because: How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did

Eh. Target tracks purchases made by a single individual over time by giving people Target cards that they tend to use whenever they shop there. Not exactly black magic.

As far as I know, when web advertising firms try to track individual browsing habits, they don't build super-profiles by synthesizing all the data they can get their hands on. Most of it is useless. They basically ask "will this person be interested in ads for sneakers? Let's see if they've visited Nike.com." Again, not exactly black magic.

(I could be wrong, but that is my understanding.)
posted by leopard at 6:54 AM on June 27, 2013


You just have to look for correlations across the dataset, so it can turn up unusual relationships. It just turns out that visiting sneaker retailers recently is a really good signal that you might be interested in special offers on sneakers.
posted by jaduncan at 7:03 AM on June 27, 2013


Also this site which lists some other alternatives (and has a bit purtier format).

You really have a choice between having your shit exposed and sticking out like a sore thumb. Conformity FTW.
posted by RobotVoodooPower at 7:11 AM on June 27, 2013


Might be time for me to dust off my steganography app.
posted by nerdler at 7:12 AM on June 27, 2013


But do people really find and use truly unusual relationships? I would guess that the best signals are reasonably straightforward.

Reminds me of this much-hyped study about how Facebook likes predict demographics and even personality traits. The findings are presented in a way that makes it seem as if by reviewing your Facebook likes, a data mining algorithm can develop a surprisingly deep appreciation of who *you* are as a person. It's so intimate and personal! The actual findings basically boil down to being able to figure out that someone who likes Sarah Palin is probably a Republican, someone who likes Tyler Perry is probably black, and someone who likes the Bible is probably a Christian.
posted by leopard at 7:12 AM on June 27, 2013


pharm - scanning the outside doesn't scan the contents. In fact, it's a possibly brilliant idea: Netflix. Enough customers that tracking any specific ones would not be an issue - how to tell which of the millions of receivers were getting private communications instead of movies? - and the return mail issue is also solved. Company sends movies to millions, with private communications disguised as movies to a select few. Everyone sends discs back, including both movies and discs that have replies instead. TrueCrypt containers burned onto the "empty" space.

Could work. If this ends up in a spy movie, I'm asking all of you to document that I thought of it. Or, forget about it, the NSA has it on record by now anyway, right?
posted by caution live frogs at 7:13 AM on June 27, 2013


But do people really find and use truly unusual relationships? I would guess that the best signals are reasonably straightforward.

You're correct. ("It just turns out that visiting sneaker retailers recently is a really good signal that you might be interested in special offers on sneakers.")
posted by jaduncan at 7:16 AM on June 27, 2013


I have nothing to hide, but that's none of anyone's business. :-P
posted by Too-Ticky at 7:16 AM on June 27, 2013


Here are some of my favourite alternatives to services that Google offers. Hope this helps someone!
posted by Too-Ticky at 7:20 AM on June 27, 2013


Before I answer that question, I'm going to need to see pictures of your last three bowel movements.
Well... OK I guess... as long as it will keep me safe from terrorists. Somehow.
(I'm kidding, please don't send me pictures of your poops)
Too late!
posted by Flunkie at 7:45 AM on June 27, 2013


When Microsoft can download and install updates to the OS even after explicitly blocking the 'updates' option in admin mode, then what is left to say?

I'm not typically a paranoid person, but when Windows 7 out of the blue popped up an "Updates have been installed, restart computer now to finish installing" notification a few days after all the PRISM stuff came out, and I've always explicitly had it set to never do that without me selecting which updates to install, I felt a pretty strong urge to use Linux as much as possible.

Unfortunately, like many people, I've got a ton of reasons I can't do that - industry-standard software I need to use, hardware problems (a lot of switchable graphics laptops don't play nice with a lot of distros, and my audio interface doesn't work with Linux even with ALSA drivers). Linux can be a great solution but it often isn't.
posted by jason_steakums at 7:57 AM on June 27, 2013


My standard response to someone saying "Well, it doesn't matter if you're not breaking the law" is "So, you'd be fine with the government setting up cameras in your home and bedroom?" when they say "Well, that's different" just ask them to explain why.

But on a larger point, one of the ways we make process in society is that we break laws, laws which we believe to be unjust-- enough of us do something that it actually changes the landscape. Cannabis use is now legal in a few states *because* people broke the law, not because a group got together one day and thought, "Hey, this illegal drug, which we've never tried because it's illegal, should be legal!".

The government has the tools to create a very panoptican society, they see all our online and phone conversations, if you're in a built up area, you're probably on hundreds of private or government cameras a day-- they can scan your house (heat usage, electricity, water, etc) from afar.

The tools that tie all that data together with your shopping habits, medical needs, credit history, sexual preferences, political leanings are only ever going to get better, and cheaper to build. It seems to be legal to observe someone within their home from a telescopic lens, if they leave a crack in their curtain, or window ajar. Cameras are getting smaller, drones are too.

Can you say for a certainty you haven't broken a law in the last decade, year, month, day? I bet that you have, it might be a law you're not aware of, but you've broken it-- but you weren't prosecuted on it, but if you were beginning a new movement to help people but would hurt those in power, those previous transgressions, even if entirely innocent, suddenly become a Damocles sword over your head. If you got a really bad bum deal, how much could the system ruin your life for downloading a single MP3?

We need laws to protect our data, and those people, no matter who they are, private citizens, businesses or government agencies needs to be punished severely if they're broken, because the law is the only real thing that can protect us against people misusing the data. People should have gone to jail for lifetimes during the FISA scandal just before and into Obamas first term, but amnesties were granted instead.

"All are equal before the law and are entitled without any discrimination to equal protection of the law." If we'd just adhere to that, bring that simple need back into reality, we'd see a sea change in the way we're governed.
posted by Static Vagabond at 9:12 AM on June 27, 2013 [4 favorites]


I gotta come up with a good crime first.
posted by Ad hominem at 3:15 AM on June 27 [+] [!]


An ad hominem attack, obviously.
posted by Kabanos at 9:49 AM on June 27, 2013 [1 favorite]


Pfft. An ad hominem attack is a logical crime, and we all know that the laws aren't made by a particularly logical set of people, so, I mean... is it really a crime?
posted by symbioid at 10:26 AM on June 27, 2013


I started using DuckDuckGo a few years ago because I get far better results. The privacy issue is also a selling point. I don’t actually see any ads, so I don’t know about that. I have so much blocking going on I can’t see half the internet. I’m fairly confident it’s the shitty half.

I rarely use Google, but my new plan is to only use it randomly with completely random searches. I need a script or Quickeys shortcut that makes a random Google search occasionally.
posted by bongo_x at 1:33 PM on June 27, 2013 [1 favorite]


I gotta double check this now because you and delmoi both said my browser should notice a fingerprint change.

Ad hominem, my understanding was that Firefox (and other browsers) don't cache SSL certificate fingerprints, unlike most SSH/SFTP clients. They'll alert you if they don't recognize the CA one has been signed with, but that's all. You'd need an addon like Certificate Patrol to compare the certificate to the one you got the last time you visited a site.
posted by sysinfo at 1:41 PM on June 27, 2013


And if you're a company like Facebook who had no monetization plan to begin with aside from "I guess we'll sell ads,"
Since when is "I guess we'll sell ads" not a perfectly workable monetization plan? Not every company is funded by VCs, and I don't think duckduckgo is.
posted by delmoi at 1:42 PM on June 27, 2013


Not every company is funded by VCs, and I don't think duckduckgo is.

Business Insider: DuckDuckGo CEO Gabriel Weinberg has mostly bootstrapped DuckDuckGo, but he also received $3 million from Union Square Ventures, Scott Banister, Peter Hershberg, Joshua Stylman, Joshua Schachter, Kal Vepuri, and Jim Young.
posted by unSane at 2:02 PM on June 27, 2013


The privacy claims of DuckDuckGo never really sold me. I just like it for the ! syntax. For example; !mefi hamburger. !scholar duck necrophilia. !wiki Simpson's Rule. !rseek raster. Having DDG set as the default search engine in my browser has changed the way I use the internet.

I'm another addict for the their bang syntax. That, and while the NSA might have a file on me, Google is certainly triangulating and researching my extended history with them as part of a technological agenda that rivals what Microsoft did with the desktop and office in the '80s and '90s.
posted by CBrachyrhynchos at 2:48 PM on June 27, 2013 [2 favorites]


The bang syntax is a neat feature for a general search engine, but I've never understood why it's heralded as a killer feature of DDG. I mean, don't most people set up keyword search rules for the site-specific searches they use a lot?

I don't even have to visit a search engine. Typing in my address bar is a default search (Google for me still, but it could easily be DDG or whatever), whereas "!w [search term]" in the address bar is Wikipedia, !a is Amazon, etc. I have dozens of these. In Chrome, you can just right-click on any search field and choose "Add as search engine".

It just seems like doing the same thing but at DDG is an extra step, plus I have to use their keywords rather than mine.
posted by gilrain at 3:01 PM on June 27, 2013


I mean, don't most people set up keyword search rules for the site-specific searches they use a lot?

Yes, and again, next time I go to a new browser, and yet again next time my preferences get reset, and not at all if I'm a guest on the system.

I don't even have to visit a search engine.

People do that?
posted by CBrachyrhynchos at 3:16 PM on June 27, 2013


Yes, and again, next time I go to a new browser, and yet again next time my preferences get reset, and not at all if I'm a guest on the system.

You can sync these shortcuts in both Firefox and Chrome. If you're using IE, there is no hope for you.
posted by jaduncan at 3:39 AM on June 28, 2013


Can I sync them between Firefox and Chrome without leaving that information on a server somewhere?
posted by CBrachyrhynchos at 5:47 AM on June 28, 2013


As fas as I can tell, no one has argued that bang syntax is a "killer feature," just a useful one.
posted by CBrachyrhynchos at 5:55 AM on June 28, 2013


Can I sync them between Firefox and Chrome without leaving that information on a server somewhere?

You can indeed (setting aside the use case of using your own server), since the shortcuts are stored as bookmarks. Any program that offers local bookmark transfer/sync should support them.
posted by jaduncan at 5:59 AM on June 28, 2013


... since the shortcuts are stored as bookmarks...

Not on chrome, just checked.
posted by CBrachyrhynchos at 7:36 AM on June 28, 2013


Oh, sorry about that. I'll have to look into how my bookmark sync thing is doing this automagically then, but it is.
posted by jaduncan at 8:04 AM on June 28, 2013


bongo_x: "I started using DuckDuckGo a few years ago because I get far better results. The privacy issue is also a selling point. I don’t actually see any ads, so I don’t know about that. I have so much blocking going on I can’t see half the internet. I’m fairly confident it’s the shitty half.

I rarely use Google, but my new plan is to only use it randomly with completely random searches. I need a script or Quickeys shortcut that makes a random Google search occasionally.
"

TrackMeNot. It's a FF plugin that will happily cook up psuedo-randomized (seeded by previous searches) searches to any/all of a selected list of engines. Noise over signal, baby.
posted by Samizdata at 2:41 AM on June 29, 2013


How do they 'not cooperate' with a court order?

Almost the same way everyone else who chooses to 'not cooperate' with a court order.

In their case they don't gather user data so there is nothing to turn over.

That's laughable.

Says the lawyer. Who the Judge can file a bar grievance and put the bar card in jeopardy.

For fun for the rest of you, go down to the Court and watch the pro se VS Lawyer fights. Watch what happens when a Pro Se has a default VS Lawyer for the Pro Se not showing up. Then watch what happens when the Lawyer does the same VS a Pro Se. Or a lawyer VS lawyer on the same no-show issue. You'll eventually see a pattern - Pro Se's get treated different by Judges.

If they defied the order, the judge just jails the CEO until compliance. Which would come swiftly.

So you have a collection of statistics showing this to be the case? To back up my judicial complaint and 2 criminal complaints of false swearing and 1 complaint about the interception of a Summons and Complaint from the US Postal Mail I've had spend time looking at the conduct and decisions of Judges. And I've not seen what you are claiming is true.

But do go ahead - show the data analysis showing 'defy court order - go to jail' is the normal outcome of defiance of what a Judge orders. Because I've seen a case where the Defendant was notified of a Judgement via the Judge and the Defendant wrote on the letter "Refused" and nothing happened.
posted by rough ashlar at 5:28 PM on June 30, 2013




« Older Duckworth Destroys Dude   |   seeing pixels is kind of like... Newer »


This thread has been archived and is closed to new comments



Post