Very nice. Didn't think we'd be seriously discussing alternatives to the Internet in 2013 =) (https://projectmeshnet.org/) ... maybe this will spur innovation! Cheers.
I was wondering the other way. If you just open Chrome in incognito mode and search Google without logging in, is it very much different from DDG? Except for the results quality, of course.
Is the big difference being your IP tracked with the searches by Google?
Yes but how much is a claim worth? Anything centralized is at risk to be tracked by the government. It's not as if Google put in the TOS that the NSA is monitoring their data.
Several of these suggestions seem somewhat disingenuous - e.g. many of them to be about free software more than actual concerns about tracking, as reflected in the labels "Proprietary" and "Free alternatives". In particular:
- None of the proprietary browsers will track you - well, beyond what's specified in the privacy policy. Two of the alternatives are Tor applications, but the other two are Firefox (which provides no additional protection) and GNUzilla IceCat (which has little reason to exist other than free software politics).
- Most of the browser add-ons are mostly about third-party tracking; these could be subject to PRISM, but the notes suggest that the concern is more about the third-party tracking itself and non-free software (in the case of Ghostery).
- Ditto with the notes in cloud storage, which discount three storage systems with client-side encryption (i.e. equal protection) because they are proprietary.
- The media publishing section promotes third-party blog publishing services for "privacy and security", even though most blogs are public and thus have no need for either.
- Ditto above with Icedove vs. Thunderbird in the email desktop clients section.
- iOS is advised against with a misleading claim that "iOS devices contain hardware tracking" due to an long-patched bug. The claim about it being impossible to verify whether an iOS app was compiled from the original source is disingenuous, as this is rarely done on any platform, but would certainly be possible to do on iOS if the developer cared.
- OS X and Windows won't track you. (Chrome OS won't either, but it strongly encourages using cloud services which will, so I'll concede that.)
In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking. This claim is made explicitly under the operating system section: "Apple, Google, and Microsoft are a part of PRISM. Their proprietary operating systems cannot be trusted to safeguard your personal information from the NSA." But even considering all that we have heard about the NSA, this seems absurd, far beyond what they are willing to do, and even if it were true, using free software would not necessarily prevent the US-based host of the download from being similarly compelled. Moreover, someone would probably notice (unless it were an intentionally introduced but otherwise unremarkable security bug, but it's sure easy enough to find real zero-days in software, free or not, without having to resort to that! - not that that should necessarily make you feel better.)
> None of the proprietary browsers will track you.
Can you elaborate a bit on this, how do you know they won't? My default assumption is that anything I can't see the source code of and compile myself is compromised.
Unless they frequency-modulate the packets they send home to transmit additional data and you'd probably never figure it out looking at Wireshark output that they are sending more than meets the eye. This is a simple trick; there are probably many other I can't even think of.
I've never heard the term "frequency-modulate" applied to software, and Wikipedia only knows about the radio kind of modulation. Can you please explain what this is?
This is an interesting idea. I assume by "frequency modulation" of data, he means adjusting the timing of the transmissions to create an out-of-band channel that might be more difficult to notice when packet sniffing. As a crude example, if I uploaded War and Peace to you, not as a steady stream of traffic, but as bursts of dots and dashes, I could send "The Magic Words are Squeamish Ossifrage" in Morse code. (Although in the context of apps phoning phone, I'm not sure what the advantage is over simply encrypting the stream...)
Sociologically: there is a surprisingly large contingent of people who believe that if a company makes a claim, it's the God's honest Truth. The OP may not necessarily fall into this camp.
Technically: if the browsers were somehow phoning home, even if the data were highly fuzzed, I'm sure there would be guys like tpatcek who would manage to detail, if not the content of the tracking, at least the amount of data sent and the targets. I don't recall there being such a scandal in recent memory.
> Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
It is possible to send data along with other data so that it's reaaally hard to find. Also, they don't need to send data all the time, but rather activate this mode on request, say when a person using this browser is a suspect for some reason and govt needs to track his every move on the internet. This would make detecting of such a functionality virtually impossible, because it'd be turned off most of the time for most people.
It is possible. However, considering that it would only take one person being exceptionally curious with IDA, one employee to blow the whistle (the source is still "open" to a fairly large number of people, and a backdoor is far harder to hide than passive collection of existing data), or one slipup to cause a massive amount of PR damage, and this has never occurred, nor does the Snowden leak suggest this is happening, I personally consider this claim extremely improbable. YMMV.
I wonder if anyone tried frequency-modulating the data stream they send home, i.e. encode the sensitive data as changes in frequency of sending packets. Now try to Wireshark that one.
Do you inspect every single line of code? Or at least grep the file list to see if you find a suspicious looking name? Don't think so. Your default assumption should thus be 'everything is compromised' since you did not verify it :]
> Several of these suggestions seem somewhat disingenuous - e.g. many of them to be about free software more than actual concerns about tracking [..] None of the proprietary browsers will track you.
No, these issues are very much related. It is the very nature of proprietary software that you cannot inspect and modify it, so you cannot know if it will track you or not, and cannot fix things if you are.
(Inspecting outgoing traffic is helpful, but unless you monitor all activity all the time, and make the effort to actually understand every single bit that is transmitted, you can't be certain.)
Furthermore, some of these browsers explicitly do track you. For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you - and some of them encourage you to do this, for example if you do not log in to Chrome it says "you're missing out". (Firefox also has a sync service, but it is encrypted on the client, so the server cannot read the information, and you can't be tracked.)
Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
True, there is a difference with the bookmark sync - I do not think it is valid to discount a browser entirely based on this.
You seem to be assuming that tracking only happens either through incompetence or government mandate? Companies also track users to make money. Just today there was the news that twitter is starting to track its users, for example (at least it is opt-out).
Tracking in client-side software that occurs to make money is typically described in privacy policies, and a browser adding additional tracking would likely cause an uproar. While Firefox may provide a better default regarding sync, there is a difference between saying "stop using Chrome" and "enable client-side encryption".
> Tracking in client-side software that occurs to make money is typically described in privacy policies, and a browser adding additional tracking would likely cause an uproar
Emphasis mine. Yes, you might trust them not to track you, or to trust that someone will find out if they do, and that you will hear about it if so. But far better would be to use an open source browser (either Firefox or Chromium).
Twitter has been and will continue to track users' (and possible non-users') external web activity through their embedded buttons on so many pages. They're now beginning to sell that data, and that's what you can opt out of.
> For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you
Safari is getting especially terrible. You can either sync "Safari" with iCloud or you don't. This includes bookmarks, but also ALL OPEN TABS ("iCloud tabs"). My bookmarks are absolutely harmless, my open tabs are highly sensitive. Apple sucks at services. :(
They do not use visited URLs. While Firefox separates its location and search bars, this seems to me more of a design choice than a privacy one. I could be wrong! - but then again, the much bigger privacy risk is using Google in the first place, and if you switch to a different search engine then Google stops receiving autocomplete too.
You are wrong, they specifically say that this is a privacy measure to anyone who whines that they want a "superbar" like Chrome's.
Using Google is a privacy risk but at least you can control it with Firefox, when typing URLs that need privacy. Who the hell can verify what Google (and the NSA listening to their pipes) does with your visited URLs? If you use another search engine, Google can see that, and it's one more piece of information.
In relation to OSX, Windows, Chrome, IE, etc, I thought it was more to do with the fact that Apple, Microsoft and Google have all willingly turned over data to the feds...
Up until 2000, export control regulations made it illegal for a U.S company to release cryptographic tools internationally with a key size greater than 40 bits. Lotus Notes got around this by making a deal with the NSA to let them encrypt an additional 24 bits with an NSA key to allow greater security from everyone else but let the NSA still access things easily. At least some have speculated the Windows NSAKEY was for a similar purpose.
A claim that has been explicitly denied by the companies in question. As serious as Snowden's leaks are, he has repeatedly made exaggerated claims regarding them, and I wish he would stop.
"In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking."
The assumption that the NSA would never compel software vendors to include tracking code seems completely unjustified to me. It makes no sense at all to accept all the inconvenience that comes with avoiding NSA tracking and then use closed source software.
But I think many of the suggestions on this list are completely unworkable. Using Tor isn't just a little slower. It's unusably slow for regular browsing. Using noscript is nonsense. It breaks almost all websites nowadays.
I'm at a bit of a crossroad, and I'm not entirely sure whether it's worth it; I've converted to Firefox from Chrome, moved to Piwik from Google Analytics, moved from Google Reader to Fever and so on. But it's just that it doesn't feel like it'll make a difference in the long run because nothing I'm doing will stop them if they actually do go after me.
It might help against tracking and such, but I feel like it's just an illusion that I'm making for myself. No matter what I do to try to prevent it they it won't matter in the long run, it just makes it that much more inconvenient for me.
On an individual level you’re probably right, if the government wants to track you, they might find a way—so this is more about doing the right thing because you hope more people do it. Google analytics, for example, is mainly problematic because everyone uses it, which creates a graph where at Google’s end, ip numbers can get a very detailed surfing history, as users hop from GA using server to GA using server. One person using Piwik changes nothing, many people using it will.
It won't stop the government from getting at your data if they have time to spend actively targeting you. But it will stop them from passively slurping up your communications (possibly along with many other users') as part of an everyday protocol, which is surely an important difference.
(At least, for the present! I could totally imagine a near future where the government had a standard method to collect the data of various self-hosted services from VPS providers.)
This is great for us. We understand these tools and can use them. But most people don't. So if all geeks switch to the things on this list, we've left most of society just as susceptible as before.
Other, possibly better, solutions:
1) If you work for one of the companies listed as "proprietary", you can do the most. Stand up and say you care in company meetings. Tell managers and executives that it's worth finding better ways to secure, anonymize, or not collect information in the first place. Even if it comes at the cost of profitably or usability.
2) Authors of lists like these: Instead of saying all commercial software is lousy, compare them to each other! Make having secure, private software an actual selling point that people can understand.
3) Developers, designers: make beautiful, usable software that is secure and anonymous by default. Don't have privacy as your ONLY selling point. We can only win if we're private and amazing.
Surprised Arch Linux [1] isn't listed. It's probably one of the most secure distros by limiting the installed packages to a bare minimum. Combine that with App Armour (or SELinux designed by the NSA) with a firewall and basic network monitoring to protect against rootkits. Plus always-on VPN, dm-crypted harddrive, noscript etc.
NSA also released SEAndroid [2] which hardens Android significantly. It's included preinstalled w/ Samsung S4. Although still not very popular and I'm sure not heavily code-reviewed.
I'm more surprised that Mint is being suggested at all in this. Considering how ridiculous this list is in the first place, the 'curator' should have noted that Mint, by default, installs search engines that are partnered with Mint[1].
Even more surprising is that BSD just got a cursory mention. You may as well switch to OpenBSD if you're going to switch to a majority of these alternatives.
I've added a note about Mint's search engine policy, thanks.
Also, BSDs will get greater emphasis in future updates. I'm working on a way to promote more operating systems without the page getting even more overwhelming than it already is.
Nice resource, thanks for posting. It would be really cool to have some kind of ratings and reviews for each service/app listed. Maybe an official review/rating and then user contributed.
There isn't much of a thought process. I opened an issue arguing for a more focused and defined modus operandi, but as it stands, the site is a community generated list.
> What components of DDG are partly proprietary and which are not? (not a criticism of DDG just this page) What is a "free search engine" anyway?
These parts are open source: https://github.com/duckduckgo. I've added this note to PRISM Break. A free search engine would be a search engine where users have the freedom to run, copy, distribute, study, change and improve the software. YaCy fits this description, but there are currently not a lot of people using YaCy at the moment.
> Why is chromium not listed as a free alternative to Chrome/IE/Safari?
Chromium will be added once I get a list of good Chromium extensions that rival the Firefox addons.
> Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?
Iceweasel and Icedove are difficult to install on Windows and OS X. If users are unable to switch to Linux, Firefox and Thunderbird are still really good options.
> How do you list OpenNIC if they have not adopted an official privacy/anonymization policy?
Good point. OpenNIC will be removed for the time being.
>Speaking of official privacy policies; I see that you tried to load /analytics/piwik.js. Where is the privacy policy for prism-break?
PRISM Break does not track the last 2 bytes of your IP - e.g. 192.168.xxx.xxx. A Privacy Policy is on the todo list.
If you're going to continue using Google Mail, it's a dumb idea to deliberately switch away from Chrome. The connection between Gmail and Chrome is among the more carefully guarded TLS connections on the Internet.
By controlling both sides of the connection, and by investing in people like Adam Langley. And yes, other sites should. Not "control both sides of the connection", which is unrealistic, but in modeling their server configurations on Google's so they can take maximal advantage of Chrome's TLS features.
When Google.com's certificate was faked, it was discovered because Chrome restricts what CAs are allowed to sign Google's certificates, if I recall correctly.
Prefect forward secrecy is a lot more secure since if google's private key were compromised any traffic -- including traffic captured in the past -- would still be secure (baring some further compromise).
Each connection has 2 possibly transient negotiated public/private key pairs made just for that connection. In theory, google could store all these pairs as well and they could be compromised, but that adds up to a lot more ifs.
As near as I can tell, the extra computation required to do perfect forward secrecy is a large part of why its not more frequently implemented.
If you think you can do as robust a job at securing your mail as Google does with Gmail, by all means. But I'd feel awfully dumb if I migrated from Gmail to some other web mail provider only to lose my mail to a 17 year old with a Perl script.
I'm paying hushmail. But I suppose it's no better, they still honour warrants, and I haven't actually used the encryption provided, other than notes to self. I left google, when they changed the privacy policy last year, all google services build one personal profile etc. This is a ramble, but hushmail works, thus far.
If you really bet that, it says more about you than me.
But anyways: what does it matter if your webmail provider isn't beholden to the government, if a suitably motivated teenager can read your mail because of software vulnerabilities?
Google Mail isn't likely to be more secure just because Google is inherently better at building software than anyone else. Rather, it's because they allocate more resources to the problem of keeping Google Mail secure than any other mail provider does (or even can) allocate to their security.
First, I don't think "equivocation" means what you think it means.
Second, the equivalence isn't false. The Venn diagram of sites that can be compromised by script kiddies is entirely contained by that of sites that can be compromised by NSA.
Then my comment didn't say your comment said that. But I want to add that I remember very few nicknames from HN, and yours is one of those. I remember it because you once said that Google takes their users' privacy very seriously, which is hard to forget. Ever since, I saw you defending Google, no matter what. Something isn't right...
Its kinda nice of a list thanks :)
I'd add here.com as proprietary maps. Its actually pretty good. yes its proprietary - but even having proprietary alternatives is good.
Although it relies on Mega and Chrome, neither of which is recommended in the article, http://www.nimbusvid.com streams encrypted videos from your private cloud storage in your browser.
No other service does this and it allows you to have the convenience of the cloud and video streaming while maintaining the privacy that you would get by viewing videos on your local computer.
As far as I know it is one of the few examples of a (client-side) web app based on encrypted cloud storage. (I would like to know other examples, I don't know any).
Interesting, I learned about the Autistici/Inventati collective only from this link, even though they seem to already be a large (>1k users) organization and in existence for a decade now. Useful info.
It is important to mention that "self-hosted" by itself, does not make one Prism-Free.
In most cases, if the hosting platform provider will be asked to provide access to the infrastructure, it is most likely that SSL private keys that stored on the virtual machine will be taken along with other data.
New poster here, but someone needs to say this. Tor is amazing and great, but if you don't think the US/NSA don't know how to run their own Tor hops and cache the very same traffic that you think is on "anonymous" servers. . . then you have a more serious problem of understanding how this works. It's easy to run Tor servers. Even easier when you have an NSA budget. Also, ask yourself why wouldn't they be running thousands to tens of thousands of them knowing that most of that traffic is "suspicious".
Cyanogenmod should have a big asterisk beside it noting that it's system is signed with PUBLICLY AVAILABLE KEYS. Also they have just the same proprietary blobs (most of them) that other android devices have (radio firmware, camera drivers, etc) that have just been pulled out of shipping factory android images. The description (without these) is playing people false IMO
Ugh, really? So is there no smartphone OS that you can be at-least-sort-of certain doesn't have a backdoor (leaving aside unintentional exploits)? My understanding was that even FFOS was built on top of an Android kernel...
Is there any indication that this isn't disinformation geared toward a false sense of security? Call your government representatives instead, it'll have a greater effect.
Quite aside from protecting your data from the NSA, this site has a lot of software it's good to be aware of -- Jitsi, git-annex, Etherpad [1], and Piwik seem particularly interesting.
[1] I've seen Etherpad mentioned multiple times on HN, but I somehow never realized that it's self-hosted FOSS.
sharefest.me is another alternative to secured file sharing.
The main advantage is browser only - sandbox security. And p2p - files don't touch the server.
Although not yet as secured as the other, we're working to improve it. Would love any security feedback on github.com/peer5/sharefest/issues
Let's pretend I'm the NSA. I don't care right now about what your saying, I just care about who you associate with and where you are hanging out. If those raise my suspicions then I will also track the where/who connections and create a map of activity. Those dots might start to line up and create further interest.
If suspicions are founded as actual threats I will do anyone of the following and probably more.
FISA request
Look into your credit card records and bank transactions
Serve your host/ISP with a request and also get your SSL private keys
Listen in on your cell phone/home phone/sat phone
Use traditional listening devices (these are great btw..)
Find an exploit in something you use (I'm pretty sure I have some zero days lying around).
Listen in on your girlfriend/wife/husband/boyfriend/friends and family.
Create lots of tor exit nodes and track your patterns
Ask some actual spy's/moles for some intel
Use satellites and tracking devices, maybe even some drones
Torture
Wait for you to mess up..people are lazy.
I made this to point out some real tactics that are actually used and why the vast majority of PRISM related posts like these are a bit silly...aka..you're probably not a terrorist. The NSA tracked bin Laden's courier Abu Ahmed al-Kuwaiti's cell phone which eventually led them to Bin Laden. Does that sound like anything you're doing?
The NSA is not above the law and I generally support Snowden, William Binney, etc .. I just think people need to get grip on reality here. The only people tracking you are ad trackers.
ps. Don't fret too much about the NSA, Google Glass will have citizens spying on each other in no time flat.
You completely missed the point. The NSA is tracking everyone. They're building a database of everyone's activities. Nobody knows who the "terrorists" are going to be 20 years from now. The moment you become a suspect, they can bring up everything they've recorded you saying or doing and use it against you.
The NSA is above the law and the rules they follow are set by a secret court appointed by a single man who has his position for life.
Also extremely likely - the NSA/GCHQ/Whoever siphon off all "metadata".
At the next Boston bombing, or whatever, they analyse that metadata for the perpetrator. And the next one. And the next one. And build a profile of what a "terrorist's" communication patterns look like.
And then they single out everyone matching that profile and stick watches on them, or bring them in.
It's Minority Report without the psychics. Google Now for Homeland Security.
Wow, that never occurred to me. Analyzing Metadata really is a lot like "pre-crime".
Sure, in a sense all police or intelligence work can be looked at in a way that makes it seem "like pre-crime" - after all, crime prevention does have its merits. But putting every single citizen on the list is something different entirely and really does smack of "psychics".
Have you even seen the slides leaked by Snowden? They tracking everyone. Of course no one has a problem about using FISA requests. The very problem that started this is that they disregard the constitution and track people regardless of their history.
> I made this to point out some real tactics that are actually used and why the vast majority of PRISM related posts like these are a bit silly...aka..you're probably not a terrorist. The NSA tracked bin Laden's courier Abu Ahmed al-Kuwaiti's cell phone which eventually led them to Bin Laden. Does that sound like anything you're doing?
I find this mindset really weird and alien. Surely people who are not terrorists using security measures is exactly what's needed, so that security measures become normalized and the web's vulnerability to malicious actors is lowered. I agree that the site's focus on the NSA and PRISM is a bit misleading, but that doesn't make the site silly (although other things might).
204 comments
[ 2.9 ms ] story [ 181 ms ] threadIs the big difference being your IP tracked with the searches by Google?
Duckduckgo claim not to log your searches.
With that you could run a node and search locally against your machine without anybody knowing.
http://yacy.net/de/index.html
- None of the proprietary browsers will track you - well, beyond what's specified in the privacy policy. Two of the alternatives are Tor applications, but the other two are Firefox (which provides no additional protection) and GNUzilla IceCat (which has little reason to exist other than free software politics).
- Most of the browser add-ons are mostly about third-party tracking; these could be subject to PRISM, but the notes suggest that the concern is more about the third-party tracking itself and non-free software (in the case of Ghostery).
- Ditto with the notes in cloud storage, which discount three storage systems with client-side encryption (i.e. equal protection) because they are proprietary.
- The media publishing section promotes third-party blog publishing services for "privacy and security", even though most blogs are public and thus have no need for either.
- Ditto above with Icedove vs. Thunderbird in the email desktop clients section.
- iOS is advised against with a misleading claim that "iOS devices contain hardware tracking" due to an long-patched bug. The claim about it being impossible to verify whether an iOS app was compiled from the original source is disingenuous, as this is rarely done on any platform, but would certainly be possible to do on iOS if the developer cared.
- OS X and Windows won't track you. (Chrome OS won't either, but it strongly encourages using cloud services which will, so I'll concede that.)
In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking. This claim is made explicitly under the operating system section: "Apple, Google, and Microsoft are a part of PRISM. Their proprietary operating systems cannot be trusted to safeguard your personal information from the NSA." But even considering all that we have heard about the NSA, this seems absurd, far beyond what they are willing to do, and even if it were true, using free software would not necessarily prevent the US-based host of the download from being similarly compelled. Moreover, someone would probably notice (unless it were an intentionally introduced but otherwise unremarkable security bug, but it's sure easy enough to find real zero-days in software, free or not, without having to resort to that! - not that that should necessarily make you feel better.)
Can you elaborate a bit on this, how do you know they won't? My default assumption is that anything I can't see the source code of and compile myself is compromised.
Technically: if the browsers were somehow phoning home, even if the data were highly fuzzed, I'm sure there would be guys like tpatcek who would manage to detail, if not the content of the tracking, at least the amount of data sent and the targets. I don't recall there being such a scandal in recent memory.
> Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
Did you also write and compile the compiler that compiled your compiler?
Eventually, somewhere down the chain, you have to have trusted a compiler that wasn't GCC and you probably don't have the source to.
Since we are talking about checking the compiler that compiles your compiler here.
http://c2.com/cgi/wiki?TheKenThompsonHack
"a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil."
A very very good read :)
No, these issues are very much related. It is the very nature of proprietary software that you cannot inspect and modify it, so you cannot know if it will track you or not, and cannot fix things if you are.
(Inspecting outgoing traffic is helpful, but unless you monitor all activity all the time, and make the effort to actually understand every single bit that is transmitted, you can't be certain.)
Furthermore, some of these browsers explicitly do track you. For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you - and some of them encourage you to do this, for example if you do not log in to Chrome it says "you're missing out". (Firefox also has a sync service, but it is encrypted on the client, so the server cannot read the information, and you can't be tracked.)
True, there is a difference with the bookmark sync - I do not think it is valid to discount a browser entirely based on this.
Emphasis mine. Yes, you might trust them not to track you, or to trust that someone will find out if they do, and that you will hear about it if so. But far better would be to use an open source browser (either Firefox or Chromium).
[1] https://support.google.com/chrome/answer/1181035?hl=en
Safari is getting especially terrible. You can either sync "Safari" with iCloud or you don't. This includes bookmarks, but also ALL OPEN TABS ("iCloud tabs"). My bookmarks are absolutely harmless, my open tabs are highly sensitive. Apple sucks at services. :(
By default Chrome sends the text you type in the location bar to Google. I am not sure but they may also use visited urls to source the crawler.
Using Google is a privacy risk but at least you can control it with Firefox, when typing URLs that need privacy. Who the hell can verify what Google (and the NSA listening to their pipes) does with your visited URLs? If you use another search engine, Google can see that, and it's one more piece of information.
More like gave direct access to their backends. [1]
[1] https://www.youtube.com/watch?v=StlFKE_UVI4
Let's be honest, Why would NSA force MS to add a key like that, in such a way?
> Windows won't track you
Pinky-promise?
The assumption that the NSA would never compel software vendors to include tracking code seems completely unjustified to me. It makes no sense at all to accept all the inconvenience that comes with avoiding NSA tracking and then use closed source software.
But I think many of the suggestions on this list are completely unworkable. Using Tor isn't just a little slower. It's unusably slow for regular browsing. Using noscript is nonsense. It breaks almost all websites nowadays.
It might help against tracking and such, but I feel like it's just an illusion that I'm making for myself. No matter what I do to try to prevent it they it won't matter in the long run, it just makes it that much more inconvenient for me.
Ugh, not sure what to do/think.
(At least, for the present! I could totally imagine a near future where the government had a standard method to collect the data of various self-hosted services from VPS providers.)
How do you know? Too much trust in MS and Apple? Backdoors in such systems is a normal thing to expect.
Other, possibly better, solutions:
1) If you work for one of the companies listed as "proprietary", you can do the most. Stand up and say you care in company meetings. Tell managers and executives that it's worth finding better ways to secure, anonymize, or not collect information in the first place. Even if it comes at the cost of profitably or usability.
2) Authors of lists like these: Instead of saying all commercial software is lousy, compare them to each other! Make having secure, private software an actual selling point that people can understand.
3) Developers, designers: make beautiful, usable software that is secure and anonymous by default. Don't have privacy as your ONLY selling point. We can only win if we're private and amazing.
NSA also released SEAndroid [2] which hardens Android significantly. It's included preinstalled w/ Samsung S4. Although still not very popular and I'm sure not heavily code-reviewed.
[1] https://wiki.archlinux.org/index.php/The_Arch_Way
[2] http://selinuxproject.org/page/SEAndroid
Even more surprising is that BSD just got a cursory mention. You may as well switch to OpenBSD if you're going to switch to a majority of these alternatives.
[1] http://www.linuxmint.com/searchengines.php
Also, BSDs will get greater emphasis in future updates. I'm working on a way to promote more operating systems without the page getting even more overwhelming than it already is.
Why is chromium not listed as a free alternative to Chrome/IE/Safari?
What components of DDG are partly proprietary and which are not? (not a criticism of DDG just this page) What is a "free search engine" anyway?
Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?
How do you list OpenNIC if they have not adopted an official privacy/anonymization policy?
Speaking of official privacy policies; I see that you tried to load /analytics/piwik.js. Where is the privacy policy for prism-break?
These parts are open source: https://github.com/duckduckgo. I've added this note to PRISM Break. A free search engine would be a search engine where users have the freedom to run, copy, distribute, study, change and improve the software. YaCy fits this description, but there are currently not a lot of people using YaCy at the moment.
> Why is chromium not listed as a free alternative to Chrome/IE/Safari?
Chromium will be added once I get a list of good Chromium extensions that rival the Firefox addons.
> Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?
Iceweasel and Icedove are difficult to install on Windows and OS X. If users are unable to switch to Linux, Firefox and Thunderbird are still really good options.
> How do you list OpenNIC if they have not adopted an official privacy/anonymization policy?
Good point. OpenNIC will be removed for the time being.
>Speaking of official privacy policies; I see that you tried to load /analytics/piwik.js. Where is the privacy policy for prism-break?
PRISM Break does not track the last 2 bytes of your IP - e.g. 192.168.xxx.xxx. A Privacy Policy is on the todo list.
EDIT: https://prism-break.org/privacy.html
If you're not familiar:
http://www.rsync.net/resources/notices/canary.txt
We explicitly support duplicity and git-annex which makes us very versatile for secure cloud storage.
Prefect forward secrecy is a lot more secure since if google's private key were compromised any traffic -- including traffic captured in the past -- would still be secure (baring some further compromise).
Each connection has 2 possibly transient negotiated public/private key pairs made just for that connection. In theory, google could store all these pairs as well and they could be compromised, but that adds up to a lot more ifs.
As near as I can tell, the extra computation required to do perfect forward secrecy is a large part of why its not more frequently implemented.
If you think Google is the only company that can secure webmail, I bet you are an employee.
But anyways: what does it matter if your webmail provider isn't beholden to the government, if a suitably motivated teenager can read your mail because of software vulnerabilities?
Google Mail isn't likely to be more secure just because Google is inherently better at building software than anyone else. Rather, it's because they allocate more resources to the problem of keeping Google Mail secure than any other mail provider does (or even can) allocate to their security.
Second, the equivalence isn't false. The Venn diagram of sites that can be compromised by script kiddies is entirely contained by that of sites that can be compromised by NSA.
https://en.wikipedia.org/wiki/Equivocation
Please do tell which one? And why you are sure they are not beholden to a government?
Also, what's the point of having a "carefully guarded TLS connections on the Internet", if at least one of the ends is completely compromised?
Only if that single feature outweighs your other reasons for switching away from Chrome.
oh also gallery3 should probably be in there.
No other service does this and it allows you to have the convenience of the cloud and video streaming while maintaining the privacy that you would get by viewing videos on your local computer.
As far as I know it is one of the few examples of a (client-side) web app based on encrypted cloud storage. (I would like to know other examples, I don't know any).
(I am the author)
edit subject to the rulings of the fisa court etc.
In most cases, if the hosting platform provider will be asked to provide access to the infrastructure, it is most likely that SSL private keys that stored on the virtual machine will be taken along with other data.
Switzerland and China do not respond to Secret Service or FBI orders.
What makes you think this is not the case there by default?
I am talking about local authorities ofcurse.
When did "self-hosted" take the meaning of "remotely hosted/virtualized/web hosting" for you?
Be safe. Not ignorant.
[1] I've seen Etherpad mentioned multiple times on HN, but I somehow never realized that it's self-hosted FOSS.
If suspicions are founded as actual threats I will do anyone of the following and probably more.
FISA request
Look into your credit card records and bank transactions
Serve your host/ISP with a request and also get your SSL private keys
Listen in on your cell phone/home phone/sat phone
Use traditional listening devices (these are great btw..)
Find an exploit in something you use (I'm pretty sure I have some zero days lying around).
Listen in on your girlfriend/wife/husband/boyfriend/friends and family.
Create lots of tor exit nodes and track your patterns
Ask some actual spy's/moles for some intel
Use satellites and tracking devices, maybe even some drones
Torture
Wait for you to mess up..people are lazy.
I made this to point out some real tactics that are actually used and why the vast majority of PRISM related posts like these are a bit silly...aka..you're probably not a terrorist. The NSA tracked bin Laden's courier Abu Ahmed al-Kuwaiti's cell phone which eventually led them to Bin Laden. Does that sound like anything you're doing?
The NSA is not above the law and I generally support Snowden, William Binney, etc .. I just think people need to get grip on reality here. The only people tracking you are ad trackers.
ps. Don't fret too much about the NSA, Google Glass will have citizens spying on each other in no time flat.
The NSA is above the law and the rules they follow are set by a secret court appointed by a single man who has his position for life.
At the next Boston bombing, or whatever, they analyse that metadata for the perpetrator. And the next one. And the next one. And build a profile of what a "terrorist's" communication patterns look like.
And then they single out everyone matching that profile and stick watches on them, or bring them in.
It's Minority Report without the psychics. Google Now for Homeland Security.
Eagle Eye (yet) without an AI.
Wow, that never occurred to me. Analyzing Metadata really is a lot like "pre-crime".
Sure, in a sense all police or intelligence work can be looked at in a way that makes it seem "like pre-crime" - after all, crime prevention does have its merits. But putting every single citizen on the list is something different entirely and really does smack of "psychics".
I thought that's why everybody's freaking out. I mean... that's why I'm freaking out. I haven't even seen the movie.
Threads like this are silly because actual suspects already know this, and average joe is getting a false sense of security.
You must have been living in a cave...
I find this mindset really weird and alien. Surely people who are not terrorists using security measures is exactly what's needed, so that security measures become normalized and the web's vulnerability to malicious actors is lowered. I agree that the site's focus on the NSA and PRISM is a bit misleading, but that doesn't make the site silly (although other things might).