back to article The Edward Snowden guide to practical privacy

If you want to limit how much governments and companies know about you and your private life, then use Tor, download specific apps and plug-ins, encrypt your hard drive, and use a password manager. Those are among the tips provided by NSA whistleblower Edward Snowden in an interview with "digital bodyguard" Micah Lee. The …

  1. allthecoolshortnamesweretaken

    So when

    will El Reg switch to HTTPS then?

    1. phil dude
      Linux

      Re: So when

      you beat me to it!!

      So El Reg, switch to HTTPS then?

      P.

    2. as2003

      Re: So when

      There's no excuse not to. It can even be free: letsencrypt.org

      1. BillG Silver badge
        Facepalm

        Re: So when

        will El Reg switch to HTTPS then?

        El Reg doesn't even use HTTPS for login/password!!!

        WHY?????

    3. streaky Silver badge

      Re: So when

      Said this months ago, not a single upvote :)

      1. Dr. Mouse Silver badge

        Re: So when

        I would agree that it would be nice if it was at least be made available. It's not difficult or expensive to set up.

        There is, however, a cost involved. Every request made over HTTPS puts a greater load on the web server. Depending on the traffic, content and method of generation this could be negligible, or it could be expensive.

        Is it really that important for a news site to be on HTTPS? Does anyone post sensitive information here?

        To go back to the article, it's up to everyone to weigh up their own risks level and take appropriate action.

        1. LucreLout Silver badge

          Re: So when

          Is it really that important for a news site to be on HTTPS? Does anyone post sensitive information here?

          Probably not, but they could post things via HTTPS that they won't if their employer can read them. I know I'm a lot more vague when posting anything that my employer could misconstrue as being related to them, and that probably applies to a lot of commentards in significantly more interesting roles than mine.

          Also, shouldn't what was/is/wants to be one of the premier tech news sites on the web be demonstrating something just a little closer to best practice?

          1. Anonymous Coward
            Anonymous Coward

            Re: So when

            Plus, pretty pointless when your work uses man in the middle on the proxy server.

            The walls have eyes......

            1. LucreLout Silver badge

              Re: So when

              pretty pointless when your work uses man in the middle on the proxy server.

              I agree, but my workplace doesn't, or if they do it is well hidden and doesn't show in the certificate path. I asked about that very issue on this site a few months back and verified as best I could that we don't have one.

          2. Danny 2 Silver badge

            Re: So when

            I post sensitive information here, as frankly I've lost any privacy long before now. There is a "chilling effect" even for lost boys like me though knowing everything I post here is inevitably on my 'permanent record'. For example, on the Spanish Granny Kinder Egg story I was about to joke about wanting to smuggle drugs into prison if I could buy any drugs on the outside except from my drug-dealer 'complainant', but I realised that comment would be an invitation for an anal probe. Aw fuck it, I'm long over due a prostrate exam anyway.

            Anon Cow status via Tor on security stories here is my best advice unless you are cheer-leading for the state, it is awfully embarrassing that El Reg isn't yet HTTPSed up with it's own secure drop box.

        2. paulc

          Re: So when

          "Is it really that important for a news site to be on HTTPS? Does anyone post sensitive information here?"

          erm, you do when creating an account and logging in...

          usually in the form of an email address...

          1. Quortney Fortensplibe
            Holmes

            Re: So when

            "...erm, you do when creating an account and logging in...

            usually in the form of an email address..."

            Who uses their real email address for things like this? That's what services like Mailinator are for.

    4. Anonymous Coward
      Anonymous Coward

      Re: So when

      So when will El Reg switch to HTTPS?

      .. and stop using Gmail? (also mentioned time and time again)

      ~$ dig +short theregister.co.uk mx

      10 aspmx4.googlemail.com.

      10 aspmx3.googlemail.com.

      10 aspmx2.googlemail.com.

      5 alt2.aspmx.l.google.com.

      5 alt1.aspmx.l.google.com.

      1 aspmx.l.google.com.

      10 aspmx5.googlemail.com.

      Having said that, this Snowden guide only works for geeks, and leaves out a couple of important things like "consider avoiding countries where agencies and law enforcement have powers without accountability". As long as we address symptoms rather than causes there will be no end to an arms race which you are funding yourself through your taxes.

      1. Vic
        Black Helicopters

        Re: So when

        consider avoiding countries where agencies and law enforcement have powers without accountability

        So where am I going to go, then?

        Vic.

    5. apraetor

      Re: So when

      Oh the irony!

  2. Paul Crawford Silver badge

    Facebook

    "the man had deleted all of his Facebook data. A huge pain and shame"

    Indeed, the shame being he should have deleted it himself!

    Even if keeping on FB then please delete and create a new profile with a new disposable email every year or so. It limits what FB can easily gather on you and evidence of past indiscretions, and a perfect excuse to dump those "friends" who are sufficiently important not to appear to single out for un-friending, but that you really did not want watching your every post.

    Edited to add: And don't give FB your email log-in password or mobile number, mkay?

    1. DougS Silver badge

      Re: Facebook

      Yeah 2FA for stuff like Facebook and Google sounds like a good idea if you care about the security of those, but no f'ing way am I giving either one my mobile number.

      They need to support a better 2FA, like using the RSA app on your phone to generate OTP codes.

      1. phil dude
        Boffin

        Re: Facebook

        2nd sim card, PAYG, works a treat. You can use it in any throwaway, but allows you 2FA.

        Also, they do have PGP key support now....they *are* trying...

        P.

        1. DougS Silver badge

          PAYG?

          Seriously? Why the HELL would I want to carry a second phone just for 2FA when it could be done much better with an app on the phone?? The reason they want to do it via text message is very simple - Facebook and Google aren't doing this for security, they're doing this to grab more of your personal information.

          1. Anonymous Coward
            Anonymous Coward

            Re: PAYG?

            Don't be silly! Use a mobile that has space for two or more SIM cards. One doesn't have to buy direct from China either. Both Wileyfox models have dual SIM capability.

            1. Quotes
              Big Brother

              Re: PAYG?

              The Wileyfox Swift also allows you to deactivate an installed sim, so you don’t need to drain your battery keeping two mobile networks active.

              On a side note, if you have a dual sim with both sims active, different networks, would that improve accuracy of location by triangulation methods?

              1. Anonymous Coward
                Anonymous Coward

                Re: PAYG?

                In Britain it probably wouldn't do much to improve triangulation accuracy given the pressure on networks to co-locate their transmitter/receivers. But for those with the power to demand information from all networks, it would improve their confidence that both SIMs relate to the same person.

            2. HarryBl

              Re: PAYG?

              Or you could get yourself an Acer E700 which has space for 3 sims all of which you can turn on and off as you wish.

          2. Anonymous Coward
            Anonymous Coward

            Re: PAYG?

            "Seriously? Why the HELL would I want to carry a second phone just for 2FA when it could be done much better with an app on the phone?? "

            Because, you fool. For that very reason. A cheap throw away phone with anonymous PAYG SIM, which costs peanuts in total, is far more secure than anything you care to do on your main phone.

        2. druck Silver badge

          Re: Facebook

          You might have 2 SIM cards, but do you have one or two IMEIs? Even if its two, are they easily related? - Same manufacturer, same location.

          1. phil dude
            Boffin

            Re: Facebook

            To be clear - the multiple sim cards DONT have to be in the same phone. The point is you have another way of getting in , you leave in your desk drawer.

            And the point about the PGP key, is not that Facebook etc don't trawl your data anyway, but it is so *someone else* can send you a message without them inspecting it.

            I haven't tried it, but I think if you have a PGP key, it might volunteer it when you send a message...if not it *should*!!!

            P.

            1. Anonymous Coward
              Anonymous Coward

              Re: Facebook

              And the point about the PGP key, is not that Facebook etc don't trawl your data anyway, but it is so *someone else* can send you a message without them inspecting it.

              FB doesn't need to. What FB collects is not data, but meta data: who do you communicate with, and why. You have to thank the forgotten Bletchley Park genius Gordon Welchman for that: he's the one who worked out that meta data was at least as important as data, which is what he did before he improved Turings' work on breaking Enigma codes.

              PGP doesn't do squat to protect you against that.

        3. paulc
          Black Helicopters

          Re: Facebook

          "2nd sim card, PAYG, works a treat. You can use it in any throwaway, but allows you 2FA."

          the phone still uses the same IMEI number...

          So you really need cheap 'burner' phones... keep your real phone for normal comms, but anything you don't want them to know about, use a disposable phone

          1. Two Lips
            FAIL

            Re: Facebook

            >>"2nd sim card, PAYG, works a treat. You can use it in any throwaway, but allows you 2FA."

            >"the phone still uses the same IMEI number... "

            No it does not. It IS a separate "throwaway" phone...

            >"So you really need cheap 'burner' phones."

            Which is EXACTLY what he said... "you can use it in any throwaway..."

      2. Robin

        Re: Facebook (GMail)

        > They need to support a better 2FA, like using the RSA app on your phone to generate OTP codes.

        Google already do use this, or something similar. There's an Authenticator app that I use, which spews out six-digit codes every 30 seconds or so. Handy for internet cafes when I'm travelling.

    2. ZanzibarRastapopulous

      Re: Facebook

      >Indeed, the shame being he should have deleted it himself!

      Yup, if you're concerned about how anything on facebook could be misused, then you shouldn't be on facebook.

      1. Anonymous Coward
        Anonymous Coward

        Re: Facebook - "if you're concerned about how anything on facebook could be misused,,...

        ...then you shouldn't be on facebook."

        That would be 99.999999999% of all facebook users then...including geeks, tinhats, etc.

        I was recently added to a group of people that all know me and each other. The purpose was to share each others full address and phone details! I kid you not.

        When I said I would not share my details, unless an alternative secure method was agreed, I was ridiculed multiple times by each and every one of the group including those who work in IT.

        They all seemed to think that privacy is: a) a joke, b) unnecessary, c) for paranoid losers. They then go back to their traditional newspaper that spouts lies to them on a daily basis, bury their heads in the sand and refuse to believe what is real, preferring the fantasy of illusion presented to them.

        I was shocked at the outright refusal to believe that even basic identity theft could be a problem for any of them if any of their FB accounts were to be hacked. Said hacker would have each and every address, phone number, name and email. (S)He could go a long, long way with such information, but no, that could never happen. How stupid I was to even suggest it...

    3. Anonymous Coward
      Anonymous Coward

      Re: Facebook

      Even if keeping on FB then please delete and create a new profile with a new disposable email every year or so. It limits what FB can easily gather on you and evidence of past indiscretions, and a perfect excuse to dump those "friends" who are sufficiently important not to appear to single out for un-friending, but that you really did not want watching your every post.

      You base that advice on what I consider at best an unproven theory: that Facebook genuinely deletes your data when you close a profile. Until there is independent evidence of that I would not consider that to be the case, EXACTLY because your advice suggests you are so addicted to the platform that you have a need to come back to it.

      I suspect that the "old" records will quite swiftly be again associated with you, but with a marker that prevents any of the "old" data be played back to you other than by means of remarkably accurate predictions of with whom you should connect.

      After all, if LinkedIn retains anything even after you delete it, I cannot see why Facebook would do itself a disservice either.

      1. DougS Silver badge

        Re: Facebook

        I agree Facebook probably keeps your information that you "delete". After all, when you leave Facebook all it does is deactivate your account - I have friends that have left for a year or two and when they come back they pop up in my friends list without me having to do anything. Obviously nothing was ever deleted.

        What's more, I know that Facebook and Linkedin are sharing data. I do not have anyone I have a professional relationship with as a Facebook friend, but I do have a handful of Facebook friends who I'm connected with on Linkedin despite a total lack of any overlap in our careers or workplaces. It is really creepy that Facebook will make friend suggestions for me with people I work with (but am not connected with on Linkedin) with whom I have zero mutual friends on Facebook - in fact probably would have to go through several layers of friends of friends, Kevin Bacon style, to get to them!

        This is only possible if Facebook is sharing data with Linkedin to be able to make that association between those people and people I'm connected with, and connecting it with my Facebook identity. (It isn't cookies, I'm very careful about clearing those and hardly ever login to Facebook other than mobile anyway and when I do it is in a private window)

        1. Anonymous Coward
          Anonymous Coward

          Re: Facebook

          What's more, I know that Facebook and Linkedin are sharing data.

          I'm not convinced by that, if only because Zuck doesn't exactly come across as the sharing type. If one or more of your LinkedIn contacts have been daft enough to allow access LinkedIn access to their email (as it keeps asking for on every logon) they already have all the relationship data they need to map your relationships. These companies are *way* ahead of you in working around any protection of your privacy you might deploy: they simply do not ask you, they ask your friends.

          The only way to stop that is to stop having friends and colleagues which is a feat few of us manage unless we use a false name, but having a false name means you then have to protect any link between that false name and you. You can't win, which is why hitting them with every privacy law you can think of is almost mandatory. In the words of a cosmetics brand (I think), "they're worth it".

        2. Kiwi Silver badge

          Re: Facebook @ DougS

          LinkedIn is creepy.

          Trolling through your contacts and sending requests on your behalf when you only gave them access to your contacts is one thing. Being able to send things to people you know when you don't give it permission is another.. That stopped after I a) changed my Gmail password (I run my own email server but use the gmail for a couple of things still) and b) started a policy of not using LI in the same browsing session as I use gmail (cookies always cleared when I close browser, AB+ + NS + no third party cookies etc to help).

          I seldom check LI now anyway, just due to my part in a thread discussing their actions. Including that they send emails from people on their behalf without asking..

          Oh.. And something to note. LI started suggesting I knew the owner of a 5 star hotel in some luxurious tropical resort. Quite insistent. It wasn't for some months that the guy I worked for then let me know what was going on.. this hotel owner was a close friend of one of our customers, the customer and the owner were arranging a surprise trip for the customer's wife, and the customer was using our computers to hide his email from the wife... The only thing in common was the IP address used, but LI used that to link us.

          Which makes sense in some other cases.. There's been a few that creep me out even more.. Like some darling people I know I'd never tell mommy and daddy about... Or the first girl I ever kissed (well, she kissed me...) when we were like 5 or 6. Those people, some I have no online association with and some I haven't contacted for over 30 years - those contacts from LI creep me out no end. Or would do if I looked at it..

          Oh, and when we set up our business my partner and I looked at Google, LI and Facebook's T&Cs. LI is very very nasty about what you put on their site (put your company logo on there? Guess who owns the rights to it now!), Google is not as bad but still bad (also perpetual rights to make money from your material).. But Facebook? Their T&Cs I could surprisingly live with!

    4. GrumpyOldMan

      Re: Facebook

      Or just don't use the b****y thing in the first place!

  3. Anonymous Coward
    Anonymous Coward

    Encrypt your hard drive

    There are some very nice Russians who will do that for you, just click that link.

  4. Anonymous Coward
    Anonymous Coward

    TAILS

    I'd never heard of TAILS before, so I did a search. Quoth Wikipedia:

    "On 3 July 2014, German public television channel Das Erste reported that the NSA's XKeyscore surveillance system contains definitions that match persons who search for Tails using a search engine or visit the Tails website."

    https://en.wikipedia.org/wiki/Tails_(operating_system)

    1. Gordon 10 Silver badge

      Re: TAILS

      Then let's poison the well by all searching for it.

      1. Robert Carnegie Silver badge

        Re: TAILS

        I expect people who read The Register are also watched. Especially people who comment.

        Snowden doctrine suits freedom warriors but doesn't protect your ordinary private life. Vital universal liberty.

        It turns out that the government can simply give itself permission to read everything that you send and receive on the Internet - for instance, the British government intends to have (if the prime minister decides that he wants to see it) a list of names and home addresses of anyone who in the last twenty-four hours accessed BlackLivesMatter.com, IMayBeGay.org, HowTradeUnionsWork.info, BorisJohnsonWouldDoItBetter.net . No warrant and no reason, just for fun. Or to pass it to a Taxpayers Alliance murder gang to carry out a few hits. (You say that isn't what -they- do, but, how do you know that?)

        And it really will be illegal to supply, and presumably to possess, encryption software that the government can't see through.

        That's the plan -here-. Try blowing your whistle wiht all that going on.

        It must be stopped if possible, I suppose by the government being made to accept and actually abide by rules that properly limit what our governors can know about us and why. Which sounds difficult.

        There are more unprincipled regimes around the world, of course. But our lot have a natural inclination to move in that direction.

      2. LucreLout Silver badge

        Re: TAILS

        Then let's poison the well by all searching for it.

        Heh heh. Oops. Too late. I already added myself to their lists by searching for that before I knew it'd add me to a list. Doh.

        If the NSA / GCHQ really want to waste their time keeping tabs on anything I've ever said or done then they must have money to burn. It's not worth logging my past escapades or youthful indiscretions, mostly because I'll never climb high enough to join what today's kids call "the elite", such that I may need to be influenced, and partly because I'm quite open with friends & family about pretty well everything.

        1. John H Woods

          Re: TAILS

          "If the NSA / GCHQ really want to waste their time keeping tabs on anything I've ever said or done then they must have money to burn" --- LucreLout.

          They do. But it's ours.

        2. The elephant in the room

          Re: TAILS

          You sound like a troublemaker...

          1. Richard Taylor 2 Silver badge

            Re: TAILS

            Or a dog/cat fancier (other species are available)

        3. streaky Silver badge

          Re: TAILS

          If the NSA / GCHQ really want to waste their time keeping tabs on anything I've ever said or done then they must have money to burn. It's not worth logging my past escapades or youthful indiscretions, mostly because I'll never climb high enough to join what today's kids call "the elite", such that I may need to be influenced, and partly because I'm quite open with friends & family about pretty well everything.

          And yet they still do it and you're still having to pay for the pleasure. You might not "have anything to hide" but they're still billing you. This is just one of the many problems.

          1. Yugguy

            Re: TAILS

            Do you lot really think you're that important?

            1. Two Lips
              Thumb Down

              Re: TAILS - Do you lot really think you're that important?

              Fools rush in, where wise men fear to tread...

              You cannot predict the future, and also cannot turn back the clock. Once you tell them everything, they will have it forever, for ANY eventuality.

              Fools like you live in the fantasy that spooks are somehow not abusing many ethical boundaries, many democratic principles, many rules of law etc.

              1. Yugguy

                Re: TAILS - Do you lot really think you're that important?

                And fools like you think that you're the special ones out of the other 7.3 billion.

      3. Anonymous Coward
        Anonymous Coward

        Re: TAILS

        Perhaps a t-shirt:

        I searched for tails and they searched my house :/

    2. streaky Silver badge

      Re: TAILS

      https://en.wikipedia.org/wiki/Tails_(operating_system)

      Or visit the wikipedia page? :)

  5. Rainer

    Business journalist Jeff Bercovici lost nine years of Facebook data

    Cry me a river!

    He should rejoice.

    And he calls himself a journalist?

    Does he also weep when someone unfriends him on FB?

    1. Pascal Monett Silver badge

      The shame is not getting his profile wiped

      The shame is that he didn't have a backup of the data.

      Boo.

      1. JetSetJim Silver badge
        Big Brother

        Re: The shame is not getting his profile wiped

        The miscreant that took over the account must have been very persistent - I thought FB never deleted anything, just hid it. Surely a quick phone call to Mr Z will fix this from the archive...

  6. Anonymous Coward
    Anonymous Coward

    No mention of upping your privacy protecting precautions when transiting, or staying even temporarily, in nations with history of mass surveillance...

    Don't forget to check behind the mirror over the bed.

    1. Richard Taylor 2 Silver badge

      Or the mic in the non working shower (https://en.wikipedia.org/wiki/The_Last_Frontier_(novel) - 1959)

  7. swisstoni

    VPN

    No mention of using a VPN? I find that interesting. Does he consider them all compromised?

    1. ZSn

      Re: VPN

      They all are compromised. Either some aspect of the implementation is compromised (easily done) or they are in a country where they can be forced \ threatened into revealing what you have been up to (i.e. all of them).

      1. streaky Silver badge

        Re: VPN

        If they're "all" (on a technical level) compromise it doesn't bode well for the security of OpenSSL or TOR et al does it? They're not all compromised, the weak ways of setting them up and the weak protocols are well documented, you can create a VPN that's in principle secure.

        1. Dr. Mouse Silver badge

          Re: VPN

          If they're "all" (on a technical level) compromise

          Although he mentions compromised implementations, the main concern is the legal vulnerability.

          It is likely that the majority of VPNs out there have some sort of log of who is connecting to them and when. Only those which are set up specifically with privacy in mind, and whos admins and architects have done a thorough job, will have any chance. Even without this, there will likely be a record somewhere that you have connected to a VPN. While this won't immediately allow joining the dots between an individual and his communications history, it will allow a starting point if someone (e.g. the govt) wants to find out what you are doing.

          In addition, it's likely that VPN providers are already watched with a higher priority by the security services. If you use one, so their logic will goes, you must have something to hide.

          it doesn't bode well for the security of... TOR... does it?

          There is a big difference with TOR. The whole design of onion routing is set up to avoid traceability. Your packets bounce around nodes, with each node only able to see the next and previous hop (if I remember what I read about it years ago correctly). Although there is suspicion that spooks control enough of the nodes to compromise the network...

          1. Anonymous Coward
            Anonymous Coward

            Re: VPN

            there's another weakness of tor: suspicion by association (you mentioned it ref. VPN). Sure, the spooks can't (well, maybe) see what you used tor for, but they know YOU use it, and as the tor user base is relatively small in the uk (thousands, out of milions of users) it's much easier to "focus" on those few. And, I'm sure, there are other means and ways of finding out just what those people are up to...

          2. Anonymous Coward
            Anonymous Coward

            Re: VPN

            tl;dr he said to use TOR. It's better than a VPN for privacy: it uses multiple proxies and doesn't require payment which can be used to trace you. (Although it is slower than the VPNs meant for casual pirating and geoblock circumvention)

            And he suggests people use TOR as much as possible to decrease the surveillance signal/noise ratio. I'm down with that. It'll also protect me from IP-based tracking, and websites have gotten so slow that TOR's routing delays are pretty insignificant.

    2. NonSSL-Login
      Big Brother

      Re: VPN

      The theory is that Diffie-Hellman key exchange which VPN cryptography, HTTPS and other protocols rely on are all based on the same prime number as it was thought it would be impossible to compute but a nation state could throw a lot of hardware at it and do it within about a year.

      With most products being based on a few prime numbers, every year so they can crack a new one and use it to decrypt data from all the apps/hardware that use that prime. Each year the percentage of encrypted communication they can decrypt goes up as a result.

      Something like that anyway.

  8. Danny 2 Silver badge

    I was taken down by a cheapo Canon printer last week. An elderly relative bought it against my advice, was disappointed that 'wireless' still meant a power-cord. I rushed at it because I've far more important things on my plate just now. The software didn't work with Win10, even the latest download, insisted on being logged on as admin to access the internet rather than just asking for an admin password, and even then it said I've have to change the household wifi encryption to it's lower standard - I refused and it crashed the PC losing hours of unsaved unrelated work. Totally my fault I know, a litany of errors, but still, sadistically poor programming. The shop didn't even question it's return, they could tell the mood I was in.

    1. Grikath

      "An elderly relative bought it against my advice, was disappointed that 'wireless' still meant a power-cord."

      At which point you should have turned around and said "Sod this.. Sort it out yourself." and not even bothered. If you ignore the warning signs.....

      1. Seajay#

        "Sod this.. Sort it out yourself."

        Yeah but if they can say, "OK I've bought a bad printer and now I'm asking you to clear up the mess. When you were younger you shat in a nappy that I had to clear up. Dry your eyes and get on with that computer voodoo that yoo doo."

    2. tom dial Silver badge

      I'm not at all a Microsoft fan, but I rather suspect every NT based version flushes the dirty buffers several times a minute, so perhaps scepticism is in order here. Software not working with Win10 is credible but unless the printer is at EOL is likely to be corrected in due course. On the other hand, I would not connect a wireless device to my network that had to log in at all, let alone as administrator. A statement of either that or downgraded link encryption as a requirement ought to generate an immediate return.

      1. Anonymous Coward
        Anonymous Coward

        EOL ?

        > unless the printer is at EOL

        Printers are almost always at End Of Line.

    3. tiggity Silver badge

      cable

      Connected via cable. Avoids lots of hassle, it's always the wifi connectivity that causes grief on setting up printers, especially on the low end printers

      1. Anonymous Coward
        Anonymous Coward

        Re: cable

        it's always the wifi connectivity that causes grief on setting up printers, especially on the low end printers

        Upvote for that. Due to circumstances I'm of a sufficient distance away from the access point that my (rather new) printer really struggles to keep a link up. The result: *very* slow printing.

        I tried WiFi extenders but these things have other side effects, so in the end I just jacked the printer in via an old 20m ethernet cable I still had around from when I was messing with VoIP. Problem solved.

  9. allthecoolshortnamesweretaken

    I feel your pain

    "An elderly relative bought it against my advice, was disappointed that 'wireless' still meant a power-cord."

    Been there, talked 'till I started foaming at the mouth, didn't get a t-shirt.

    1. Captain DaFt

      Re: I feel your pain

      Same here, but in my case it was "younger", not "older".

  10. elDog Silver badge

    The word is out - TOR is compromised!

    I'm seeing some random mentions that the NSA (or NORKS or Mensheviks or whatever) have figured out how to intercept all traffic.

    Now, this may be a dis-information campaign to push everyone onto AOL or a honeypot to get everyone to read the article and get Pooh-Beared. But still, don't trust anything you read on the internets, or especially here!

    1. CommanderGalaxian
      Black Helicopters

      Re: The word is out - TOR is compromised!

      TOR has never claimed to be immune to types of traffic flow analysis (i.e. the "intercept all traffic" thing). The problem is balancing usuability in real time with anonymity. If you want to play with those that are designed to deal with that kind of attack, you need to look at using CypherPunk remailers and FreeNet.

      1. moiety

        Re: The word is out - TOR is compromised!

        Your traffic can be detected at exit nodes. My understanding is that TOR is good for looking up -say- contentious things; but using TOR for any service you have to log into is risky. Good for evading ISP filters and country blocks and other barriers; but any passwords are at risk unless there's also another layer of encryption or two. Especially plaintext ones *cough* El Reg *cough*

        Quick in-and-out, non-repeating beaviour (like -say- looking up symptoms that you don't want your insurance company to associate to you); fine.

        Persistant use and logins; some caution.

        As a quick aside; despite film/music downloading being perfectly legal here, Vodafone have taken it upon themselves to block The Pirate Bay. So non-TOR queries take you to this page:

        http://castor.vodafone.es/public/stoppages/stop.htmopt

        ...which calls this javascript

        http://castor.vodafone.es/includes/jscUtils.js

        ...(some kind of fingerprinter?). Anyway, 5 seconds and TOR later, blocks like these are not a problem.

        1. streaky Silver badge

          Re: The word is out - TOR is compromised!

          Your traffic can be detected at exit nodes

          So don't use exit nodes or push your traffic somewhere after them. Ez rares, ez life.

    2. DaveDaveDave

      Re: The word is out - TOR is compromised!

      Tor has always been compromised. It was built as a honeytrap with US government funding. People who use it are kidding themselves if they think there is any security at all as a result of using it.

      Tor's full name is 31-tor - which is ROT-13 backwards. .

      1. moiety

        Re: The word is out - TOR is compromised!

        Depends what you're using it for and who you're hiding from. The receiving site can't tell where you're coming from and that's enough for many purposes. It provides an alternate route; which can be handy if there's area filters in the way of whatever you want to look at. It's useful for coming at each point in a route from a different angle; which I find useful for diagnosing routing problems. It's also good for skipping past your ISP if they're getting a bit cheeky.

        Now looking up contentious stuff is a little shakier ground; but the way I figure it is that it's only state-level actors who are capable of consistently intercepting your traffic (because the entrance and exit are random-ish, so you have to monitor all of them) and if you're of no interest to them then it doesn't matter. Even if the system is as compromised as you maintain it is and you look up something bang in the centre of their word list (like "Ooh. Ricin. How does that work then?") then they can call up your profile and see a lot of random searches on both contentious and non-contentious subjects and work out just how much of a threat you are. In fact the real danger there is if the security services are not as competent as you allege; they see one dodgy search term and get all black-helicoptery on a sample of one. But then, that would be expensive and they would end up looking like muppets.

        You don't know who is running TOR nodes, so basically assume they are compromised and use public wifi rules...no usernames or passwords unless you also have other prophylactic measures in place. Also monitoring of just one end (via your ISP, say) can reveal patterns of usage which can tell people a lot.

        TOR is a tool just like any other. It's certainly not enough on it's own if you're going up against state level actors...there is no one-stop-shop for that sort of thing. Having no plans to topple any regimes (I've got other stuff to do this weekend) I find it pretty useful for a number of things.

  11. Sokolik
    Black Helicopters

    The only thing about which I agree with Scott McNeally

    "You have zero privacy anyway. Get over it."

    Mine may be a defeatist attitude, but there it is.

    1. John H Woods

      Re: The only thing about which I agree with Scott McNeally

      "You have zero privacy anyway. Get over it."

      Provably false. Do you know everything about Scott McNeally? Can you even find out everything about him? No. Privacy is a matter of degree: nearly no-one has absolute privacy and nearly no-one has no privacy at all. Blanket statements like this are just attractive soundbites --- any more than superficial analysis shows them to be fundamentally unhelpful in any mature debate about how much privacy we can reasonably expect in various circumstances.

    2. Afernie
      Big Brother

      Re: The only thing about which I agree with Scott McNeally

      "Mine may be a defeatist attitude, but there it is."

      If that's the approach you're taking, can I have your bank account details and passwords?

      1. Sokolik

        Re: The only thing about which I agree with Scott McNeally

        Point well-taken. Thank you.

    3. Anonymous Coward
      Anonymous Coward

      Re: The only thing about which I agree with Scott McNeally

      I am so f*ing tired of a*holes like McNealy spreading FUD on behalf of the goons, especially since he's probably not getting paid to do it anymore. The purpose of the national security state, of course, is to defend and extend the wealth of those who own it. They use surveillance to keep us in line and provide inside information to their paymasters. McNealy is one of the beneficiaries of that system, and so his opinion can't be trusted.

  12. Lars Silver badge
    Happy

    Off point

    But what the hell, some weeks ago Snowden was just Snowden, but in this article again "NSA whistleblower".

    A rather short search on ElReg come up with the following:

    master blabbermouth Edward Snowden.

    former NSA sysadmin Edward Snowden

    rogue sysadmin Edward Snowden

    Uber-leaker

    Whistleblower Edward Snowden

    Master NSA blabbermouth Edward Snowden

    NSA master blabbermouth Edward Snowden

    whistleblower in chief Edward Snowden

    The People's Whistleblower

    Whistleblower-in-chief Edward Snowden

    international whistleblower Edward Snowden

    a champion of privacy

    Fast Eddy / hero whistlebower

    What about having some more competition on this. (whistlebower was quite nice).

    1. Chairo

      Re: Off point

      You might ask the NSA or any big American company that invested heavily in cloud services. I am sure they have some more names to add to the list.

      1. HonestAbe

        Re: Off point

        "Disgruntled former IT git."

    2. Danny 2 Silver badge

      Re: Off point

      Rector of Glasgow University. He recently slapped down the Scottish Government for a 'reform' to our ancient Scottish uni's even I couldn't get worked up about. He is diligent, you have to give him that.

  13. ZanzibarRastapopulous

    Other tips....

    Could he also suggest a way to monumentally fuck up your life?

    1. Danny 2 Silver badge

      Re: Other tips....

      I have tips to muck up your life.

      1. Tolerating psychopathic lovers

      2. Tolerating psychopathic politicians and public servants

      3. The wrong type of psychoactive substances at the wrong time and place

      4. Mocking the security services (they don't like it up 'em)

      You got any tips yourself? I have some tips for you lot to improve my life. How about doing away with 'Contempt of Court'? I'm a freaking anarchist, contemptuous of nearly everyone, how is that not an in-built trap?

    2. Pascal Monett Silver badge

      Re: Other tips....

      Posting everything you do, everywhere you go, when and for how long you're going to be away on Facebook without any restrictions at all ?

      I'm pretty sure that'll get you into trouble right quick.

    3. Hollerith 1

      Re: Other tips....

      See wrongdoing, decide to say nothing and do nothing about it, accept you are part of a corrupt and immoral organisation, and let your soul be eaten away.

      He could suggest that.

      However, he didn't do it.

  14. mourner

    Plant?

    In full tinfoil mode one has to wonder.... is this a list of things one should use and do, or is this just another character in the play, a harpie calling us to the rocks to wreck our own boats on the shore of already broken "solutions".

    Who to trust... and how to trust..... hard times ahead,

  15. Anonymous Coward
    Anonymous Coward

    Social media?

    Just: no.

  16. ysth

    two-factor authentication? not so sure

    I recently had a phone die; I had a spare phone but needed a different size sim card for it.

    I've read about people with two-factor authentication losing bitcoins via clever social engineering of their phone provider, so I was completely unprepared for what happened when I went to the AT&T store to get it.

    I gave them the phone number, they gave me an activated sim card. No ID needed, no questions asked, not even my name.

    1. Pascal Monett Silver badge

      Did they at least ask you for the existing sim card before giving you a new one ?

      Because if they did, then it's rather okay since you are replacing an existing item with an identical one in a different size. They don't really need to know who you are, the sim card is an appropriate passkey.

      But if they didn't even need that, then yes, one wonders exactly what the word "security" means today if one can go to a store and ask for a sim card for any phone number with a blanket excuse like size.

      1. ysth

        No, they didn't ask for the existing sim card (which I didn't even have with me).

    2. Anonymous Coward
      Anonymous Coward

      Re: two-factor authentication? not so sure

      I gave them the phone number, they gave me an activated sim card. No ID needed, no questions asked, not even my name.

      Sorry, I missed it, what was your number again?

      :)

  17. Anonymous Coward
    Anonymous Coward

    Tor

    But isn't the use of Tor a sure-fire give-away to the Feds that, in their eyes, you're probably up to no good and worth monitoring?

  18. BigSnake

    When will inter-mail server SMTP traffic become encrypted? This is a major oversight and i suspect governments lobby the email server vendors to not secure email communications.

    1. Vic

      When will inter-mail server SMTP traffic become encrypted?

      It's been trivial for many years. If your mail provider doesn't support it - find a better mail provider...

      Vic.

  19. This post has been deleted by its author

  20. Stevie Silver badge

    Bah!

    But gosh, isn't Facebook one of the things we should be frightened of, NSA collusion-wise?

  21. Sil

    I thought there were big questions about Tor's efficiency against US agencies, notably the NSA ?

    Also where did I read that most cryptography algorithms were implemented using the same big prime number, and that in all probability the NSA took advantage of the rarity to make precalculations that helped crack most keys in minutes/hours at the most.

    Anyhow if someone has a recommandation for a good password manager, I'll take it.

    1. Sil

      The same Micah Lee has a guide to privacy in PDF:

      https://freedom.press/sites/default/files/encryption_works.pdf

      There are also many informations on the Tails site. https://tails.boum.org/

      The question I have is, Tails team tells you that you can add an encrypted volume to your tails USB key to store your documents, hyperlinks, encryption keys and more, but that it isn't recommended.

      In this case, what's the alternative ? Can one assume there is a safer cloud storage somewhere ?

      1. Anonymous Coward
        Anonymous Coward

        If you want convenience just download the Tor Browser Bundle and run it in your everyday OS when you just need to look up info without logging into sites. It'll increase your privacy quite a bit.

        "Safer cloud storage"? lol, not really. Maybe a pastebin? Write down the random URL on paper, and only access it via TOR.

        If you're truly paranoid, go with Tails on a throwaway laptop via open wifi far from your usual haunts, and don't bring your phone. It's the kind of thing they do on Burn Notice. Real pain in the ass unless you really need that level of secrecy or are training for it.

      2. Danny 2 Silver badge

        "The same Micah Lee ...The question I have is"

        You do realise that you'd better post that question on the original article, https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/?comments, or directly to micah.lee@theintercept.com

        No offence to you, I was myself perturbed by Tails dropping TrueCrypt, just saying...

  22. noj

    I'm not particularly technical and consider myself a user more than anything else. So I was surprised that, with a little searching and common sense, over the last year I've actually come to do all of the things on that list except using Signal.

    In my small circle of friends there is nobody as privacy/security conscious as me. Or paranoid as some have said. OMG! Someone has to lift a finger to install a free and easy to use app on their iPhone or Droid! Too much effort. So although I have Signal on my device, nobody else does that I would care to use it with. I've pretty much given up trying to convince them to install it.

    One thing not touched on in the article was private browsing, which is the default in Tor but not in other browsers. As Snowden notes above, Tor can be slow compared to other less private browsers. So when not using Tor I only browse using the StartPage search engine, which is the same one defaulted to in Tor.

    Also not mentioned is simply being aware of security and privacy oriented news like the EFF web site. And of course The Register.

  23. Androgynous Cupboard Silver badge

    He missed one.

    1. Do not hire Edward Snowden and entrust him with private data

    You might not like it, but it's undeniably true.

    1. Danny 2 Silver badge

      Re: He missed one.

      1. Epic fail, provably true or undeniably untrue, whichever.

      Snowden was indeed hired and trusted with private data, OUR private data his employers had no right to have. He eventually realised that was morally and legally wrong so he told us about it at great risk to himself.

      Your 'truth' is equivalent to "Don't keep records of the torture of your prisoners", when the actual truth is don't torture anyone, ever.

    2. Two Lips
      FAIL

      Re: He missed one.

      1. No wonder you're androgynous

      2. and a cupboard

  24. allthecoolshortnamesweretaken

    Privacy in the age of IoT...

    ...

    Startup uses ultrasound chirps to covertly link and track all your devices

    http://boingboing.net/2015/11/13/startup-uses-ultrasound-chirps.html

  25. mstreet

    That Turkish guy....

    Is pretty cocky posting his name and picture on the stolen account. I'm not a social media user\believer,

    but if I were, and it was my account, I'd consider it a matter of honor to travel to Turkey and meet the guy. With something sharp or heavy....

    1. moiety

      Re: That Turkish guy....

      You're assuming that the photo and details are the real details of the miscreant. It ain't necessarily so.

  26. This post has been deleted by its author

  27. fluffybunnyuk

    Think of a crowd of people, the bigger the crowd the more anonymity you have. Tor isnt all that great but its not bad as a concept or its implementation so long as large numbers of people use it.

    Tails isnt that safe either if you want real safety use a more secure os not linux or if you like linux, checksum all the source read it, understand it, edit it, patch it, and compile it. a good secure lsb base system can be compiled in 2 or 3 hours.

    I use encrypted ram, and tresor, selective stealthing on ports, and a whole lot of other goodies that would never see the light of a default setting on a linux distro. failing that i use z/os on the basis most people couldnt ipl a system if their life depended on it.

  28. DCLXV
    Megaphone

    Snowden, The Anachronism

    Why are we still listening to this guy? Political figures like Snowden and the EFF are out of their depth on all this stuff. Private citizens afflicted with garden-variety paranoia would be better served taking the NSA's advice on cybersec matters. Go ahead, disable every ciphersuite with known vulnerabilities in your browser and try connecting to some of the domains hosting so-called security software. If they can't keep up on their own site security, what are the chances they really know how to protect yours? A lot of this stuff is little more than security-theatre-du-jour, except now they're promising to protect you from the big bad TLAs instead of the blackhat malware coders the AV vendors of yesteryear were terrorizing us with.

    1. Danny 2 Silver badge

      Re: Snowden, The Anachronism

      "Private citizens afflicted with garden-variety paranoia would be better served taking the NSA's advice on cybersec matters."

      NSA advice = Adopt. The. Position.

      I can't tell if you are being serious or joking.

  29. jason 7

    Put your router on a timer switch.

    Make it reboot and refresh the ISP assigned IP addy every 6 hours or once a day. I bet that would make someone's job just that little more tedious. Especially if everyone was playing musical IP addresses rather than sitting on the same one for months on end.

    In fact that could be quite a handy feature if your router code be programmed to refresh its IP address every so often. Just adds to the admin at the other end.

  30. DaveDaveDave

    Snowden's security tips?

    What are they, 'leave the front door open, you'll make my life easier'? 'Don't leave saleable data where I can get it'?

  31. Matt Bryant Silver badge

    IS send their thanks.

    Snowjob's advice on avoiding detection by Frenchelon (https://en.wikipedia.org/wiki/Frenchelon) must have been most helpful in Paris.

  32. Anonymous Coward
    Anonymous Coward

    why would you encypt public information?

    the following post is encrypted for my safety:

    sss4lskekk6 k799dsjjjjjjjjffdo kre8887576e wjjjjjjdfffffffffffffffffk fkkrrkeodksdsd defeffjjjjjjjjjjjjjj eererern4367nmm23s9vfre de983ej jf439rjer9ifjowemcfnt4uu axm233rt dek kr4oktokuy79yh85tkj5tnmfrrr

    there, i hope you all enjoyed that and benefit from it

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019