Conversations about life & privacy in the digital age

Tomorrow is ‘The Day We Fight Back’ against mass surveillance

In Matt’s Damon’s AMA on Reddit last week, he was asked:

Hey Matt, your amazing monologue about the NSA in Good Will Hunting is probably more relevant today than it was when the film was first released. How did you come up with that scene, and are you at all surprised by the revelations on the NSA from the information released by Snowden? 

Here is the clip from Good Will Hunting:

Matt’s reply:

“Well, the first thing to that monologue is it’s safe to say that is the hardest that Ben and I have ever laughed while writing something. We were in our old house in Hollywood, in the basement of this house writing this thing and we were literally in tears because this monologue kept building on itself. We wrote it it one night and kept performing it back and forth, and pissing ourselves laughing.

You know, I was unaware, as I think everyone was, that they had that capacity. Snowden is literally changing policy. These are conversations we have to have about our security, and civil liberties, and we have to decide what we are willing to accept, and he’s provided a huge service kickstarting that debate…”

If you haven’t yet heard, tomorrow one of those conversations about our security, civil liberties, and what we’re willing to accept – it’s called The Day We Fight Back.

Thedaywefightback.org screen shot

“Together we will push back against powers that seek to observe, collect, and analyze our every digital action. Together, we will make it clear that such behavior is not compatible with democratic governance. Together, if we persist, we will win this fight.”

HOW YOU CAN PARTICIPATE:

WHAT HAPPENS ON FEBRUARY 11th:

In the U.S.: Thousands of websites will host banners urging people to call and email Congress. Ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act, and enact protections for non-Americans.

Outside the U.S.: Visitors will be asked to urge appropriate targets to institute privacy protections.

Global events: Events are planned in cities worldwide, including in San Francisco, Los Angeles, Chicago, Copenhagen, Stockholm and more. Find an event near you.

Add the banner to your site now: Grab the banner code on thedaywefightback.org. They’ve built special plugins for WordPress and CloudFlare users and also have a special version of the banner that pushes people to call over email.

Will you join us? 

VPN, privacy and anonymity

There is a common misconception when it comes to anonymity and privacy for users and VPNs that we felt we should try to clarify.

When the goal for a user is to handle all their things as private as possible, or be completely anonymous, the most (seemingly) harmless little detail can make a tremendous difference and compromise every effort made.

So given this fragile balance of everything, lets start by the very first thing that needs to be clear, what does it mean to be anonymous online and what does it mean to have privacy.

Anonymity

If you are one of those readers who note every subtle use of words (I am not) you may have noticed that I said “be anonymous” and “have privacy”. That’s the first and one of the most important details: anonymity is not retroactive. Which means, if you know what you are doing, you are going to become anonymous from one point and only from that point that “property” of your identity will be valid. Before that point in time, you might as well have streamed a live recording of your whole life.

Being anonymous basically works as follows: there are certain countries that assign an ID number to all its citizens, so every person born in it can be reduced on paper to that number. If we remove that ID, we are left with all the other details (hair color, height, etc) that aren’t unique, but combine them and you’ll have what we might call a pseudo-ID. Which is quite close to be as good as the actual ID number. So being anonymous online implies that your pseudo-ID or identifying characteristics make you no different than a big enough group.

It’s basically like saying that you are called John Smith, and 90% of the John Smiths of the world have a certain skin color, hair color and so on, and you are one of those. If you are a John Smith with a hair color from the other 10%, you could dye your hair and you’ll be becoming anonymous from that point on (i.e. unrecognizable from the other billion John Smiths).

Being anonymous online basically means becoming a part of an even bigger group of “John Smiths”, so once you are anonymous you should be really complicated to locate in the world. But it’s also a lot harder to become.

You might use all the software in the world for anonymity, but at some point you might behave in a certain way (write a word more than another, or type at a certain velocity, or always appear online in the same time frame) and you will be blowing away the cover that you created.

Privacy

Privacy works a little different, you can “enable” and “disable” privacy as you wish (if you know what you’re doing and you’re being careful). An eavesdropper will know you are you, but you can choose whether to let that person see what you are doing or not (hint: use HTTPS or HTTP).

Privacy is the concealing of data from people other than you. This data might be a file, or it might be what you are sending and receiving through your WiFi connection every second. Privacy is the door you close when you go to the bathroom, or rather, the door you choose to close. The main problem with privacy though, is knowing where those doors are and knowing how to close them properly.

The main argument against wanting privacy I’ve heard is “I have nothing to hide”. To which I say: do you let other people watch and record you while you’re in the bathroom?

So it’s a matter of boundaries and knowing that those boundaries cannot be broken. It’s knowing that even if you are being recorded in while your bathroom, that camera won’t be capturing anything worthwhile, i.e. the video will be all static. It doesn’t matter which camera you use, it’s not possible for you to see me where I don’t want to be seen. That’s “privacy by design”, but we’ll talk about it more in another post.

How do VPNs work?

So now we got to this VPN things. VPN stands for Virtual Private Network. The idea behind it is not really complex: when you open your browser and enter an URL like https://google.com and hit the return key, your computer starts sending “network packets” to some other computer, which in turn sends them to some other computer, which in turn… well, and so on, until it reaches one of the computers behind the URL you want to access. There, it reaches the content you asked for and goes all the way back to your home computer. Jumping from host to host in the middle.

Now say you are in a cafe and they have WiFi, if you connect to it and start doing internet things, your “network packets” will go first to the WiFi router and then to the big chain of computers we discussed. So if someone is “standing” in the WiFi router, they can see what you are doing (or part of it). “Oh! Mary is accessing her GMail account”.

Connecting to a web server without VPN

If you use a VPN, what you are doing is basically presetting the first computer your “network packet” will reach once it goes out of yours. Well, not exactly right, but the VPN server will be the first computer that will understand what you want to do. So now the person standing in the router can only say “Oh! Mary is accessing this computer” (which will be the VPN server), and that’s all they will be able to see.

Connecting to a web server with VPN

If someone is “standing” in the VPN server, they will have the same power the person standing in the router in the non-VPN scenario has. But may be the only person standing there is you, because it’s your computer at home acting as a VPN server, or the computer of someone you trust. Which is great! right? You don’t have to trust all the random coffee lovers that might sit right next to you in that particular day in that particular coffee shop.

What does a VPN give its users?

So VPNs sound really neat, and indeed they are. You can control an important portion of how you are being seen by the outside world. But be careful! “outside world” in this case means something along the lines of “random people in the same coffee shop as you”, not “everyone in the whole wide world”.

VPNs give you the chance of taking a shower and only your husband or wife can open that bathroom door, and that’s ok, because you truly trust that person, you choose him or her.

What does a VPN NOT give its users?

Well, what if your significant other lets somebody else inside? That would be an enormous betrayal of your trust!, but it is possible, is it not?

VPNs work kind of in the same way, the people behind the VPN server are the ones in control. If you play your cards right (i.e. use HTTPS all the time), they won’t have complete control, but they will still have some.

Privacy and anonymity do NOT go hand in hand with VPNs, and that’s the end of the story. If you are looking for those two particular words, you must not trust a VPN. If someone tells you “you will be completely anonymous, you’ll have VPN running all the time”, that’s a lie. You’ll have this really neat and handy service called VPN running, and it’ll “save” you from a lot of thing, but it won’t anonymize you, it will just give you some privacy, SOME.

The problem with privacy is that it’s not a binary state, it’s not an ON/OFF switch. It has different scales of ON and OFF. So what do you want to protect? Ask yourself that multiple times, answer it carefully, and then and only then decide whether VPNs give you the privacy you want or not.

This is too much information, just tell me how to maintain my anonymity and privacy!

Well I’ve got bad news for you, being truly anonymous might even be called an art. It’s really hard, it has a lot of layers. So if you want to be truly anonymous, I suggest you start reading about all the ways you can compromise your anonymity. Read about how to attack anonymity so you’ll know how to defend yourself. But first things first! What do you want to protect?

For privacy, things are a bit easier. You just need to be careful what software you use and how. Pick software or services that have privacy as their main goal. Always maintain your paranoid alarms in a healthy level. Do not give your trust away easily. You’ll want to use services that use cryptography in some way, they might be using it wrong, but that’s a good start at least. You don’t want to use a service that the only privacy related thing they have is the privacy policy.

So, what do you want to protect?

Pushing on the Open-Source Crypton Effort

After 5 years working on Firefox at Mozilla, last week I began a new adventure at SpiderOak. And whereas I will be working on a wide range of projects, my main focus will be directing the Crypton, open-source project.

Earlier this year I read about Crypton, SpiderOak’s open-source web framework that makes scalable, privacy-centered web applications much easier to produce. As a founder and sometime-editor of the W3C’s Web Cryptography Working Group, I knew there would eventually emerge a ”jQuery for web crypto.” Crypton seemed to be that and then some - a complete solution, including the server and storage mechanism. I was hooked. I have been tinkering in this space for a few years, producing a couple Firefox extensions including DOMCrypt and Nulltxt. These extensions model what I thought made sense for crypto APIs hanging off of each web page, as well as web applications to go along with these APIs. I implemented window.crypto.getRandomValues in Firefox and worked on the team that maintains and improves Firefox security.

With the idea that the Web Crypto API is now forthcoming and the recent media attention on ever-present Internet surveillance, I want to do something more tangible about it now. SpiderOak has been building privacy-oriented products that uphold its ‘Zero-Knowledge’ concept for almost a decade, which makes this move for me a natural fit. I am excited to play a role in making Crypton the standard for web crypto as well as providing an easy way for developers to easily build meaningful, useful ‘Zero-Knowledge’ applications.

As of September 26, 2013, SpiderOak is hosting a weekly development teleconference to discuss the latest developments, features, milestones, bugs and anything else Crypton users or developers would like to discuss. The details are on our Github wiki.

If you have any questions or ideas about Crypton, feel free to contact me via our many channels of communication or email me directly at ddahl[at]spideroak.com.

SpiderOak University & Interview with a Cybersecurity Expert

This week we opened the doors to SpiderOak University. Anyone can participate and earn extra GBs.

We were honored to talk to Richard F. Forno, Ph.D., who has more than 20 years of experience in the cybersecurity field. Dr. Forno helped build the first formal cybersecurity program for the U.S. House of Representatives as the first Chief Security Officer for at Network Solutions (operator of the InterNIC), and is considered one of the early thought leaders on the subject of “information warfare.” Today, he is the Assistant Director of the UMBC Center for Cybersecurity, an honors college in Maryland, as well as the director of its cybersecurity graduate program. Dr. Forno is also a SpiderOak fan.

1. How have you seen cybersecurity evolve since you’ve been in the field, and how would you describe where it is right now?

RF: Cybersecurity these days means much more than just people at computers guarding data and network resources. Yes, that’s where it started off decades ago when it was known as ‘computer security’ and existed as a small function of the IT department and treated as an administrative overhead budget item — but with technology, data, and networking permeating nearly every aspect of society, it’s taken on a much broader meaning and become a critical corporate function. Now, ‘cybersecurity’ can refer to nearly anything related to ensuring the security, availability, integrity, and resilience of the many systems and sources of data that form the foundation of modern existence — from protecting company (or national) secrets to personal health care and financial records, from the systems controlling water and power distribution in our cities to the widgets in our televisions, toasters, and electronic devices they all require some degree of security, assurance, and resilience since our lives and much of society depends on them.  That said, I still believe cybersecurity — and by extension, privacy — is a state of mind and very much dependent on the context of any given situation to be effective.

2. Are you seeing more students that care about privacy and cybersecurity, or is it harder to attract people to your program?

RF: The former, absolutely. There remains a sizable global interest in cybersecurity education, from high schools and community colleges all the way through 4-year and postgraduate study. Recurring news reports of data breaches, website defacements, and denial of service attacks certainly help generate interest in the subject both personally and professionally.

That said, given the strong interest in cybersecurity, it’s important to set and manage student (or prospective student) expectations appropriately.  Despite glorified portrayals of cybersecurity in the media, one can’t simply “wave a magic wand” and become a “cyber warrior” exclusively by a single college degree or certification exam … it’s a combination of fundamental and applied technical knowledge, social acumen, and the ability to understand the ‘big picture’ while exercising common sense that makes for an effective cybersecurity professional.  Cybersecurity in 2013 is far more than just working with the bits and bytes….and by contrast, you can work in some areas of cybersecurity and not necessarily need a deep technical background to be successful or make a difference.

3. Are there any trends in cybersecurity or privacy that you are excited about or think are the future?

RF: I think the ongoing revelations from Edward Snowden are giving people and organisations around the world a useful opportunity to reassess how much they share online and/or what third-party services they use to store information and communicate, which naturally includes both privacy and cybersecurity considerations.  That public discussion, in my view, is long overdue — normally folks rush to embrace new technologies first and then figure out if or how they’re dangerous, and usually only after something bad has happened. So in terms of privacy I am quietly optimistic that the pendulum may begin shifting towards people doing ‘less sharing’  – or, perhaps more accurately, leaving ‘less footprints’ around the Internet.  At least they might start doing homework and determining what level of exposure (and to whom) they’re willing to live with and under what circumstances.

The last time I saw such heated public discussion about government intrusion into online privacy was back in the 1990s — first when the US government tried (and failed) to criminalise the distribution of PGP encryption software and then when the Communications Assistance for Law Enforcement Act (CALEA) was enacted by Congress to provide US law enforcement wiretapping capabilities on Internet devices — which was a faint foreshadowing of things-to-come under the ‘Patriot’ Act of 2001 and subsequent legislative proposals.

However, I’m encouraged to see security and privacy capabilities being brought to market and/or incorporated into software and devices.  To many users, security and privacy technologies are hard to understand and implement — so I am pleased that more user-friendly products and services are making it easier for people to understand and manage their privacy and security exposure if they choose to do so.  But by contrast, I worry about our obsession with creating the ‘Internet of Things’ — do we really need to have our home appliances, air conditioners, baby monitors, and automobiles constantly connected to the Internet? While convenient and perhaps fun or useful at times, what risks do they present to our security and privacy?

4. Tell us about how you came to your current role at UMBC, and what this graduate program is about?

RF: At UMBC I wear many hats. My primary role is directing our graduate programs in cybersecurity, which now is entering its third successful year of educating cybersecurity professionals to assume more senior leadership positions in the technology and cybersecurity industry.  I’m also the assistant director of our Center for Cybersecurity, which serves as the University’s central coordination and outreach entity on cybersecurity education, research, and related activities to allow us to better interact with our many partners, prospective collaborators, and the public.  And, through UMBC, I am co-founder of the annual Maryland Cyber Challenge — our state’s official cyber-competition.

As to how I got here?  My cybersecurity career began in the early 1990s before the Dot Com Boom. Over that next 20 years I worked for a variety of government, military, and private organisations and thus not only was an ‘eyewitness to history’ in terms of cybersecurity and the Internet Revolution, but worked for some of the entities that helped shape it.  Along the way, I remained interested in Internet policy, cyberculture, and how Internet technology influences modern society — which, obviously includes many cybersecurity and privacy issues.

After a while, my interests turned toward “giving back” to the professional community and sharing my lessons learned with the next generation of cybersecurity practitioners to help them improve the future and perhaps learn from our collective past.  And thus I landed at UMBC in 2010 — certainly the right place at the right time to be working on this very timely global topic!

5. How long have you been a SpiderOak user?

RF: I learned about SpiderOak in early 2012 from a fellow academic down in Australia and signed up for the free personal account out of curiosity.  Now, with the SpiderOak Hive capability, I expect to increase my account size and replace another popular realtime sync service I’ve used for years with one that places great emphasis on addressing modern privacy concerns for its users in a meaningful way.

We’re grateful to Dr. Forno for sharing his time and expertise with us.

Be sure to check out SpiderOak University so you can participate and earn extra GBs for your account.