To Write or Not to Write

Discussion in 'privacy general' started by driekus, Jan 24, 2015.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    So I have read several privacy books and I really enjoyed them but I felt something missing. It didn't seem to bring everything together. I am pondering whether it is worth writing my own book.

    My goal is to limit my information that ends up in bulk government data collections and also data brokers. I don't feel that the current books I have read really answer these questions. I also want to take a look at data brokers and what the future might hold if they are left unchecked. The topics I would cover would be:

    1.) Hard drive encryption
    2.) Password management
    3.) Operating system
    4.) Browser management
    5.) VPNs and TOR
    6.) Email
    7.) Mobile devices (Android)
    8.) Ordering material online
    9.) Managing data trail

    Am I wrong or are these materials not well covered in this context? Is it worth writing about?
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's worth writing. I'd love to write a book about some of this stuff, and also to disclose some methods they use, and countermeasures.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    The circumstances are changing too fast for a book to address, except at a conceptual level. Also, books are hard to obtain anonymously ;)

    I can imagine a "dummies" type book that points to a basic website, which in turn points to advanced material on Tor hidden services. There is a risk of drawing naive readers to sites that will lead various TLAs to tag them as suspicious.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If visiting a privacy oriented site is all it takes to be considered suspicious, then many more need to visit those sites. That list would be meaningless if it included half of the population. People need to quit cowering and start standing up for themselves and each other.

    Regarding the original post, a book isn't the ideal format, especially for things like browsers and operating systems. By the time you finished a book, the section on browsers would be obsolete by several versions. With these, every new version brings new problems and more complications. My position on these runs contrary to most readers here. AFAIC, the newer the browser and OS it runs on, the harder it is to control them and bring them to a state where you can trust them. With both of these, security and privacy are increasingly in conflict, especially if you're relying on the conventional, marketed "solutions" like cloud based AVs.
    @driekus
    I wanted to do something similar to what you describe, but just for computers and in the form of a forum thread. The intent was to collect the info into a large thread, then reorganize it into a comprehensive website. It's a big task, especially if you try to get detailed about it.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Couple of thoughts:

    Is this to make money for you and/or to share your knowledge to help other people with something you believe in? If the latter, then my feeling is (I've been wondering about what to do) - that it would be best to offer & collaborate on material in the context of some existing popular site or movement such as EFF, because that will reach a wider audience and maximise your influence.

    Regarding coverage, I'm personally concerned with realism and operational security, rather than the particular point products and techniques (which are various and fast changing anyway). I'd also think it useful to have guides like "I'm starting with xyz, how do I do it?" "How do I bootstrap security?" And then there's the whole morass of what to do with my money.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    A site like the EFF would be a good place to host the finished product. For pooling the knowledge and ideas that will be in that finished product, it's hard to beat a forum such as this one or a private "invitation only" forum. This is too big of a subject for one person. It covers too many things, many of which are constantly changing.

    For myself, I can't view this as something that can be done for profit. A large part of the content would be dealing with corporations who are profiting from the sale of our data. If this information was being sold as opposed to being openly shared, wouldn't we be doing the same thing as those we're trying to resist?
     
  7. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Definitely not motivated to make money. I know too many authors that make barely enough to live on. My motivation is to try and help the general population to understand more about how to secure themselves and take steps to safeguard their privacy.

    I like using the concept of how-to guides or mini projects that people could take up to improve their privacy. I sort of visualize something like this in the form of a wiki as working far better than a book. Once it reaches a certain size I can see sites like the EFF being interested in the material. There is also significant expertise in this forum on different privacy areas.

    Does anyone have a feel on how to set something like this up or what some of the options would be?
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Wilders is a great place for this. It's heavily crawled by search bots, and there are many knowledgeable members.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The individual topics already have threads devoted to them. We should work on those, then pull it all together.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Doing all the researching, checking facts and testing also would be very time consuming on top of writing the book. Computer technology is a rapidly changing field with rapid release cycles on browsers and newer OS's becoming harder to control. How does one control ports and services on newer OS's without crippling the OS? How does one plug most or all the leakage (privacy) with these newer OS's and browsers?

    What info is being collected? Most of these privacy policies on apps can be changed at any given time and some of them are ridiculously long.
     
  11. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I agree, Wilders is probably the best place to do it and much of the information is already in individual threads and could be pulled together. Based on this there are a few options based on my experience at other sites.
    1.) Repurposing the Recommended Threads (hasn't been updated since 06)
    2.) A stickied thread listing tutorials and acting as an index to each tutorial thread
    3.) A subforum within Privacy General
    4.) A subforum within Privacy Related Topics

    I am inclined to think that the first is probably the best solution and the easiest to implement. If it takes off then the other options are worth considering.

    Given that some members are already coming up with material (I know mirimir and his email options) a collaborative effort could really bring some great results.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Quite true. With the newer operating systems for example, is closing open ports a security issue or a privacy problem? Without knowing everything that an OS or user applications sends out, there's no way to be completely certain? Did your cloud AV send suspicious files for analysis or a list of possibly pirated material? When a browser calls home to check for updates, did it send a unique identifier that can be used to de-anonymize you? At what point does security become a privacy liability? IMO, browsers crossed that line a while ago when they adopted rapid update policies and began pushing through changes and "features" that are hostile to privacy. The user shouldn't have to audit their browser every few weeks just to make sure that an update didn't alter their settings or add more nosy features. With rapid update policies, it's almost a full time job to keep up with what they're changing. IMO, if a user really wants to protect themselves from this endless snooping, they need to separate from constant rapid updating. The security risks are greatly exaggerated. Quite often the "issues" they fix would only affect a few users or those with no other defenses at all.

    One that got my attention lately was the Tinywall: "Avast deleted Tinywall.exe, now cannot uninstall or reinstall" thread. Here an error in an AV update causes it to kill the firewall. I can't help but ask what could happen if one's adversary was good enough to compromise an AV or powerful enough to coerce the vendor? A new OS with all of its separation of privilege and access would be no help at all, not when the application being used has the system access of an AV. Depending on your threat model, a security asset can become a liability to both privacy and security. On XP with a well configured classic HIPS, the attack might be defeated. On a newer OS where the HIPS has less low level access, I doubt it.
     
  13. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Actually for quite some time I haven't been using any real-time AV's on the system. I do occasionally run scans (on-demand), but monitor connections and apps.

    Looking at the number of services on newer Windows OS's (Windows 10 don't know) boggles the mind. Never was in favor of the rapid release cycle of browsers.
     
    Last edited: Jan 25, 2015
  14. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I wonder if a firewall that is "password protected" could have same result? (deleted by AV) Don't know if Tinywall has that type of protection.
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I would suspect that it could. Malware has been including termination and suspension resistance for some time. I have to assume that AVs are built to deal with that.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, the biggest problem with the concept of privacy and the forum sections devoted to it is defining what it is, what it includes, and the threats against it. This has changed much faster than the concept of security against malicious code and/or hackers. IMO, it's more complicated and harder to achieve. It used to be that we had to deal with what was classified as adware/spyware and a few obnoxious ad servers. Enter the corporation with the "do no evil" motto, who then proceeded to redefine "evil" to mean anything that interferes with their bottom line, then continuously expands their reach until it becomes almost impossible to evade them. Add to that governments and agencies who consider an uncensored thought to be a threat to national security. These governments have redefined national security to mean the bottom line and unbridled power of their corporate overlords, and terrorism as anything that threatens that wealth or power, where anyone that doesn't correctly play the "repeat after me" game is a person of interest or a suspected terrorist. The majority either don't see the scope of the problem or are afraid to acknowledge it. That said, a lot of those who called us tin foil hat material are starting to use that proverbial tin foil.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That is a good argument. However, the choice to take a stand ought to be well informed and considered. That's why Wilders is a good place to start, because privacy activists are such a small contingent.
     
  18. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    It really should be a thought out consideration. There is no going back once your actual identity becomes known. Although, if you walk away for several years you might be OK at the level most of us in here are operating. -------------------- I know I am kidding myself but it makes me feel better so leave it alone. LOL!!
     
  19. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I agree mirimir. I also question how accessible privacy information is to the general population and whether they would use some of the information if they knew how. I think the activists are a very small fraction of the population but believe those concerned about privacy make an appreciable proportion of the population.

    Based on the discussion I am guessing there is interest in preparing some of this material. I plan to tackle two topics first, hard drive encryption and cloud storage. I will start two new topics with what to include on each of the sections. I think something similar to what mirimir has going for email (hope you don't mind me borrowing your concept) with collaboration amongst interested users. For cloud storage it will be imperative as there is more in cloud storage than what most people could digest in a lifetime.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    IMO, those who want their data to stay private should avoid the cloud. The only thing that should be stored in a cloud is rain.
     
  21. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    And that is why I am my own cloud provider. :)

    There are also some trust no one offerings as well that are worth talking about. Cloud solutions are good if you want offsite backup, but I would never store information in the cloud where somebody else other than myself had the key to decrypt the data.
     
  22. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Yeah but is there any secure encryption software? I think not.
     
  23. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    The question really is what you are looking to prevent. If you are a target of a government agency there is probably nothing that you can do to stop them.

    But if you are looking to prevent passive and limited active government surveillance then some encrypted options I believe will work. If you are looking to prevent companies like Dropbox and Gmail from gathering data from your files then these solutions will work.

    Hosting the cloud on your own machine using ownCloud or BitTorrent Sync is an option.
    Hosting on another machine is also an option with services such as SpiderOak, hybrid cloud solutions such as using Dropbox with Boxcryptor, TrueCrypt and LUKS/dm-crypt. They are not perfect but I am confident they offer software secure enough for most people.
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, many are concerned about privacy. But how many have the requisite skills to implement something that's effective and secure?

    For example, virtually all Tor users rely on the Tor browser. How many get hosed in assuming that other apps will use Tor? Maybe it should firewall non-Tor traffic. But that would be impractical to implement cross-platform.

    And chaining VPNs and Tor? At one point, I imagined that I could just methodically explain how to manage it. Experience tells me that I was living in some fantasy world.

    At this point, Qubes looks like the best shot. The Whonix group has now "ported" the setup (not just the Debian VMs) to Qubes. Chaining VMs is trivial in Qubes. So o_O
    A review of cloud storage options would be very useful. For those working under repressive regimes, and crossing borders, carrying data is very dangerous. And often, encryption isn't a viable solution, because refusing to disclose passphrases and keys may in itself be illegal. Cloud storage is arguably the best approach.

    Hard drive encryption is also important. Hot topics are SSDs, plausible deniability, and what to use on Windows in place of TrueCrypt.

    Go for it :)
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Do you think that the NSA can brute force properly-implemented AES, RSA etc?

    Or are you just claiming that most users can't protect private keys?