For the tech savvy, there are plenty of solutions to "fix the internet". From Tor to I2P, I use many of these tools regularly. Many more can be found here. https://gist.github.com/postmodern/5018337
We don't need more tools, we need tools that non-geeks can use. For example, ten years ago, I worked at a company with a policy to use PGP with Symantec PGP software installed on PCs. Even the engineers sill failed to use it regularly. On several occasions I had to use logmein because the other company's IT department was incapable of setting up PGP for their own users. Ten years later and the Ask Slashdot is how get someone to send them their public key.
http://ask.slashdot.org/story/13/08/10/0028235/ask-slashdot-....
I only have 2 contacts that I can use PGP to communicate with. Usability is the issue. Unfortunately most GNU Projects have never excelled in this area. It's too bad Mozilla dropped support for Thunderbird. Tight integration with GnuPG + a Mozilla cloud Public key directory could have made mainstream PGP a reality.
> If it were still that way today, most of the startups
> that this site revolves around wouldn't exist.
In what way? The startups wouldn't exist because the founders can't handle the tools? Or, are you saying they wouldn't exist because there wouldn't be huge markets of people sharing cats pictures.
The more I think about it, both cases could both be correct, seeing how many people who call themselves developers would find it impossible to write a line of code if they didn't have eclipse....
I knew someone during our senior year of college that couldn't start a new Java class without using the "New Class" menu option in Eclipse. It was painful, to say the least.
> I only have 2 contacts that I can use PGP to communicate with. Usability is the issue.
This is why Bitmessage is so promising. Everything is encrypted and anonymous by default. The PGP/GPG setup is a huge barrier. With Bitmessage you just need to install it and it just works.
> Every message is retained forever by every BM client.
That is not true.
From the white paper [0] under section 6:
> We propose that nodes store all objects for two days and then delete them.
It's also on the FAQ[1]:
> Yes. However, if you go offline then they must come back online within 2 days of the message being sent. Nodes delete data, and do not accept data, older than 2 days.
The sender will not delete the message until it's received an acknowledge from the receiver. It instead will recompute the proof of work and resend in an exponential growing interval. This is also in section 6 of [0].
> If a node is offline for more than two days, the sending node will notice that it never received an acknowledgement and rebroadcasts the message after an additional two days. It will continue to rebroadcast the message, with exponential backoff, forever.
But it's better than what we have at the moment, IMO. I'd be happier using Bitmessage now (and hoping it improved with time) rather than regular email while waiting for the perfect solution to appear someday.
You could also bounce all email that you receive which isn't encrypted with your public key. If you think requiring all your contacts to set up GPG is too hard - what makes you think they'll adopt bitmessage?
(I know bitmessage has some different security properties than gpg+email -- but I think we'll all agree that if everyone and everything switched to email+gpg we'd be in a much better place from a security/privacy standpoint than we are now).
Gnunet isn't a new tool but a very old one. AFAIK it still provides the best P2P filesharing experience, which is good for mass adoption. And by participating in that users fuel the rest of the network, which exists and gives you the upsides of something like freenet at the same time.
You're right that the UI is dated. But the code is good, with a clean, well-documented library interface. It's probably the best starting point available to build a friendly-looking layer on top of.
> We don't need more tools, we need tools that non-geeks can use.
Why? Suppose someone comes up with these tools for the non tech-savvy, and the internet is "fixed". Now the evil government would no longer be able to spy on innocent citizens and obtain private information for its nefarious purposes, whatever those may be. Would people stop being so easily manipulated by private corporations' campaigns and will no longer surrender their private information so willingly? After all, much more information is yielded voluntarily due to deceitful corporate propaganda than due to clandestine government surveillance. How are tools going to help with that? Will tools educate the public of the ways Google and Facebook use private information to exploit their users?
We don't need more tools. We need politics. We need laws to regulate both government and corporate aggregation and handling of private information.
> We need politics. We need laws to regulate both government and corporate aggregation and handling of private information.
Really? Look around and tell me how that's been working out for you lately.
The top priorities of any human organization, regardless of nature or origin, are: (1) survival, (2) growth, and (3) expansion of influence.
The only way to solve the politics problem is to solve the people problem. In the US we have generations of fat & happy sheep, living off the short-term benefits of inflated currency and credit bubbles, blissfully and willfully ignorant of what goes on around them, so long as they don't miss an episode of American Idol.
> Really? Look around and tell me how that's been working out for you lately.
Well, it's far from perfect, but you've got clean water, highways, research grants, gay marriage in some states, a national healthcare plan that's a good start — all in all, it's pretty good. I don't see why regulation over private data aggregation would be any harder than healthcare. Sure, Google's lobbyists would work hard against it, and would probably succeed in watering down, and I don't have high hopes for breaking-up Google just yet, but it would do to raise awareness.
> In the US we have generations of fat & happy sheep, living off the short-term benefits of inflated currency and credit bubbles, blissfully and willfully ignorant of what goes on around them, so long as they don't miss an episode of American Idol.
All the more reason to try and educate people on how they're being exploited by corporations.
> [...] We need politics. We need laws to regulate both government and corporate aggregation and handling of private information.
Sure, but I don't think the "why bother when another obstacle stands in the way?" argument is a good one.
We have also seen that secret laws make regulation difficult since public oversight is not possible without government transparency; your final paragraph seems to imply current-situation + politics = trust in government and no need for privacy software.
I would guess that at least 99.9% of all leaked private information is given voluntarily to corporations. Privacy software is a solution to the remaining 0.1% (probably far less than that). That's neither a solution nor a step in the right direction. In fact, I would say that it's a step in the wrong direction, as it calls attention to a far smaller threat while hiding the far bigger one. This is yet another misdirection, that only serves to give a false sense of security.
Privacy software will be needed when criminal electronic surveillance becomes prevalent (as it will, some day soon). But the way it's presented now plays into the hands of those who wish to use the NSA fiasco (which, to be sure, it is) to hide a much more serious problem. It's not a solution — it's a diversion.
What about the MAC addresses that Google gathered when driving around for street view? What about data that software gathers on your PC or mobile devices without your knowing, or location data that is made available to mobile carriers and law enforcement simply by the act of communicating with a cell phone tower? What of spyware/maleware, etc?
Even so, the "leaked private information [...] given voluntarily to corporations" is very different than dragnet surveillance. There is no way to know as of yet exactly how much information has been gathered through such programs, but recent revelations suggest startling amounts of data that are far more invasive and vast than anything that could ever be leaked: more information than the NSA is capable of processing, as mentioned in the Guardian's XKeyscore revelation article.
So, no; not 0.1%.
> But the way it's presented now plays into the hands of those who wish to use the NSA fiasco (which, to be sure, it is) to hide a much more serious problem.
I don't see how suggesting software to help limit the scope of surveillance does anything to hide the underlying problem. If anything, it brings action upon it and suggests that users will not stand for being surveilled in this manner.
> What about the MAC addresses that Google gathered when driving around for street view? What about data that software gathers on your PC or mobile devices without your knowing, or location data that is made available to mobile carriers and law enforcement simply by the act of communicating with a cell phone tower? What of spyware/maleware, etc?
Great, so we can say that far more information flows to corporations, voluntarily or involuntarily, than to the government. And privacy software won't help with most of the cases you mentioned.
> There is no way to know as of yet exactly how much information has been gathered through such programs, but recent revelations suggest startling amounts of data that are far more invasive and vast than anything that could ever be leaked: more information than the NSA is capable of processing, as mentioned in the Guardian's XKeyscore revelation article.
I would still venture to say that Google analyses (if not collects) far more private information than the NSA, and unlike the NSA, Google uses that information all the time.
> I don't see how suggesting software to help limit the scope of surveillance does anything to hide the underlying problem. If anything, it brings action upon it and suggests that users will not stand for being surveilled in this manner.
Because, it's like having an awareness campaign after a horrible home-invasion that encourages people to dig moats in their back yards, and all the while their kids are letting strangers in through the front door. It's saying, there's a privacy issue, and here it is, while it's somewhere else completely. A classic diversion.
I'm a lot less worried about targeted advertisements and their trackers (which are easily blocked) than I am about a police state. Internet filtering is already a serious problem. And it's not unreasonable to think they could start cracking down on piracy much more in the future. Also intercepted emails and private messages and stuff will be around forever.
First, I think you're underestimating the effects of targeted advertising on the soul :) Second, targeted advertising proves that the information is analyzed constantly and being used constantly — all day, every day; it's far more prevalent than people being arrested for downloading Iron Man 3. Third, Google says it's collecting information for targeted advertising, just like the government says it's collecting information for counter-terrorism. Even if Google is to be believed, that doesn't mean they won't be using that information for something else tomorrow.
I agree, but it's a lot easier to block or just avoid that kind of spying. That's a lot different than the NSA putting backdoors into your computer, or reading all your private texts, emails, and phone calls.
And the same tools can be used to fight both. Tor for example, allows you to hide your IP, and various browsers and tools prevent you from accidentally leaking private information to identify you to these websites. Secure operating systems and programs protect you from private hackers and adware just as much as they do from government hackers.
>>> Even the engineers still failed to use it regularly.
I used to work at a very large, publicly held company. When I got my new laptop, I realized the PGP whole disc encryption was blocking one of my video cards so I could only run one monitor with my laptop.
After asking around, I soon realized exactly none of the engineers had PGP installed on their PC's. I was pretty surprised when I was told they simply asked for a clean install with nothing on their laptops and the IT people gave them what they wanted - a completely unsecured laptop with which they could customize to their own specifications.
As shocking as it seemed, I was told by several of the team members that the IT support staff allowed it because they "trusted" the software engineers not to install sketchy stuff and thought they could keep their stuff more secure than say a PM.
I think back now and wonder why they would take such a huge security risk.
Enigmail is just an add-ons for Thunderbird, which Mozilla has basically end-of-lifed. My point was for a PGP client to take off, it's going to need some major backing. This is unlikely to come from Mozilla, since they've announced they're no longer dedicating resources to Thunderbird.
Well, Thunderbird has the add-on called "Enigmail" which makes it easy. AFAIK there's no key directory integrated, but then again, is a key directory really a good idea? It adds another attack vector.
And then of course, this only "solves" the email problem, unlike darknet solutions.
Integrate it in an e-mail service that is very popular like Gmail, lead everyone through an initial set-up to create their public keys, and then tie that key to their profile. Then you won't have to know anyone's public key anymore, and everyone would be using PGP by default.
The only issue is that Google would have to ensure you're creating the private key as "locally" and securely as possible, without them being able to copy that key to their servers when they're creating them. That might be very tricky, while still remaining convenient, and they may have to allow for independent audits so we can make sure they aren't transmitting the data.
On my current contract, we go to great trouble to install whole-disk, multiuser encryption on all laptops. And then we use a trivial default password, as in one of the first few you would try if you were guessing passwords. Tech-savvy people for sure, but lazy, I guess.
But people don't change them unless forced to. Another place I worked, half the passwords were qwerty123 because the tech set them up in the expectation they would be changed. Another place, the passwords were usually "password". I once set up a bunch of accounts for a new domain with strong passwords which I printed on a credit card-sized laminated card, which people could keep in a wallet or purse. Mostly, this worked well, but still some people blu-tacked the cards to their desks or keyboards. It's unwinnable unless you force people to do the right thing.
We need technology convergence so that systems work collectively rather than in isolation. Once momentum favors the collective, ease-of-use will follow. I too am frustrated by the lack of PGP adoption.
Gnunet appears to be far from ready for the main stream. For anything to be useful it really needs to work on mobile, and after trying for a few hours, I can't even get it to work on my mac.
Private file sharing will protect some cloud surveillance and limiting laws.
This is great, to minimise surveillance. It's nice to be able to share files properly, but it's not my "typical" internet usage (neither it's on my family members). It's nice to be able to go out through a sane VPN.
Still I miss important things to fix my "internet":
* DNS and search.
* Email service.
* Browser.
These are my main problems today. I can workaround my ISP when I want, and I can share files in the way I like... but I see the problem in my previous 3 points.
Also I wish so many interesting initiatives could be separated of the "pirate" "trademark".
It's not a problem for me, but I think it's not a proper "image" for general purpose projects, just because of how people brain works in "general" (in special people not literate about what this really is).
If you're already willing to sacrifice privacy for convenience, they already have you.
If you're using OSX or that wacky hybrid kernel system from Redmond, WA, You're basically screwed anyway because your endpoints are compromised from day one.
Here's the thing, if you jump at every convenience then blame people working on the vast and complex software required to support privacy, absolutely nobody will come to your defense.
I set my bar very low, if I can obscure the source location of my IRC and email traffic, then I'm all good; All other channels are secondary, and are not worth bursting my basic network node anonymity over if there's no other option.
As someone who cares about security and privacy, I'd like to know why I'd want to obscure the location of IRC/email traffic.
On IRC I can see that you could come across adversaries on some sketchy irc networks - but, in my case, as just a random developer idling away on freenode (using a host cloak) should I really care that I'm trusting freenode?
And what about email? Is that because your ip will be visible on the mail headers if sent from localhost?
And if you're using a VPN or Tor, aren't you just displacing the trust to those providers?
Another thing I'd like to know is just how much more of a potential target you become once you use the tor network. I speculate that tor has a lot of blackhats fishing for potential targets.
Anonymous, secure, encrypted and instant random web browsing is simply not possible. Technically not possible.
If you want anonymity, privacy and security you will have to make certain compromises to your "current internet" that isn't anonymous nor private, but instant and convenient. Or you can just give up and accept having your every step in the net monitored.
>Anonymous, secure, encrypted and instant random web browsing is simply not possible. Technically not possible.
Do you have a link to the paper where this was proved?
Suppose we take Tor and throw a bunch of fiber at it so that the bandwidth improves, then whenever two Tor nodes make a connection they send data at a fixed rate, sending real data when there is any and padding when there isn't. That clearly isn't "impossible" so what's the attack that works against it?
It's trivial, and indeed you can read about this discussion in many papers. I will give you a run-down.
A naked insecure connection through HTTP has response times as low as 100ms coast to coast (US). This makes these connections look instant or almost instant. It's impossible to achieve neither anonymity nor encryption through a naked single connection - you need several, at the very least for AUTH - and this alone multiplies the latency vs a single connection. The problem is that the naked eye can notice the difference between 100ms and 200ms, so the experience cannot be the same. The speed of light is already significant in world-wide distances when you consider a number of hops and a minimum number of messages being necessary to ACK, AUTH and then provide some anonymity layer that hides both sides of the connection.
Anonymous, secure, encrypted random web browsing CANNOT be as fast as a naked open connection. The difference can be minimised over long transfers, but latency over many requests is always going to be several times higher.
You can make all connections theoretically so fast that even a 5-fold slow down is still "fast enough", but for many small transfers it simply cannot be done so fast that it's humanly not noticeable.
Alas, there's ALWAYS going to be a noticeable difference between open connections and hardened connections (to the standard we are talking about in this thread). A simple AUTH cannot be done so fast that a connection across the Atlantic is not humanly noticeable. And what we are talking about implies a whole lot more than that.
The latency of the crypto itself is minimal, what you're really having a problem with is traversing the ocean. Solution: Don't do that. So we need more nodes. If there are a thousand nodes within a hundred miles of where you are then you don't need to use the ones that are ten thousand miles away.
In addition to that, you can mask latency with caching and prefetch. Browsers could prefetch all the small content on linked pages so that by the time you click on a link the data is already on your computer. This could be helped by general purpose HTTP protocol improvements that allow a browser to know speculatively what such content will be on a page through a POST request etc. without having to actually POST anything. SPDY/HTTP 2.0 also allows asynchronous operation which is extremely good at masking round trip latency when requesting many small objects.
It's not the nodes. It's the inevitable distance between client and server.
The post I was replying to wants casual browsing that's secure, anonymous, private and encrypted AND indistinguishable in speed from what he does without all these features. That's impossible, more requests are needed and every single connection adds noticeable lag past a certain minimum distance.
I like that the player gives out (right click) the location of the video and even offers an option to download it. That may be more important than the permissive license.
The server, however, seems to be a bit overloaded at the moment. Is there a torrent somewhere? Maybe an HD torrent?
Right-click download is an implicitly inherent feature of the HTML5 <video> element that is used, not an explicit choice by the creators.
I love it, too.
Defeating traffic analysis has too many downsides for most users, I think the perfect is the enemy of the good here. Having at least working confidentiality and integrity to the content of communications in messaging would be a step up. The NSA will still be able to see who you're talking to, but the crypto-libertarian utopia is not about to arrive any time soon, especially with FreeNet like systems, but getting most people on a better system that reduces the amount of snooping, is better than building an idealized system which the great unwashed masses won't use.
I have a little different take. So, let's assume that you can combine 5+ encryptions / encryption points and hide the contents of you communication on someone else's network. IT IS STILL SOMEONE ELSE'S NETWORK. What happens when the network owner becomes China (game already over), UK (now blocking porn, next political speech, etc. >> game over), USSR, USSA, etc. and decides that your packets look like something we don't transfer. Or what about the old proposal to require a license to use the Internet? -- see http://www.techdirt.com/articles/20100204/1925188060.shtml and http://business.time.com/2010/01/30/drivers-licenses-for-the... and a million other links.
Solutions built on top of some existing (OWNED) platform are inherently fragile until there's a private (P2P-like HAM radio to smoke signal) transfer pipe.
"Yet the reality is, governments may have to reconsider such an requirement. It may not fly today, but don't be surprised if it becomes reality in the near future. Every device connected to the Internet will have a permament license plate and without it, the network won't allow you to log in."
The point is that people have been calling for this for 10 years and it's going to happen SO why would you expect that the "Internet police" would allow you to move around in any manner (speed, intoxication level, destination, type of transport, etc.) that you see fit?
Although I admire the smart people who build these tools, the issue at hand is not technological. We all know that it takes two to tango and we also know that the other person will not be able to use all these privacy tools. The NSA has infinite resources and will get to you or your data. You can't protect yourself from an evil government. You will loose. Using these privacy tools only makes you a target (child pornografy, terrorist) and will give them an excuse to further target you. With the resources NSA has at hand, how many 0-days will they have at their disposal for any software product? I believe we can never resolve this issue in any other way than through politics.
Retroshare is F2F (darknet) network. But Freenet and GNUnet provide generic anonymous networking (with efficient caching!), without you setting up contacts with your peers beforehand. Network where you can access only preknown resources isn't that useful after all. At least for finding new peers. Think about web browser, if you could only open pages which urls you already know. Who needs Google for anything? With retroshare all resources are gone if you delete those, with Freenet & GNUnet you simply can't delete anything. Very different design. Plz read white and design papers.
> With retroshare all resources are gone if you delete those, with Freenet & GNUnet you simply can't delete anything.
Sure, that's true and the advantage of Freenet and GNUnet. The flip side of the caching is of course that this comes at a cost: It takes a lot more resources to have this kind of redundancy.
RetroShare btw does let you download files anonymously from friends-of-friends etc. if the "owner" agrees to it. (You only have to know your immediate friends.)
Yes, but redundancy also means that resources are never unavailable due overload etc. As hacker news users know, sites with most interesting new content are often down. With efficient caching, that simply won't happen. Btw. BitTorrent could utilize caching also much more efficiently.
I know RS allows TurtleHopping, which is extremely inefficient method of transferring data, compared to GNUnets solution. With GNUnet you can transfer data directly with the source anonymously, while also at the very same time creating new sources for that data.
I think insisting on anonymous communication for bulk data transfer is fatal: Crippling performance is too strong an impediment for most people. The primary complaint most people have with these systems is that they are too slow but few devs seem to be listening.
Cryptosphere forgoes anonymous transfers and seems promising.
We don't need more tools, we need tools that non-geeks can use. For example, ten years ago, I worked at a company with a policy to use PGP with Symantec PGP software installed on PCs. Even the engineers sill failed to use it regularly. On several occasions I had to use logmein because the other company's IT department was incapable of setting up PGP for their own users. Ten years later and the Ask Slashdot is how get someone to send them their public key. http://ask.slashdot.org/story/13/08/10/0028235/ask-slashdot-....
I only have 2 contacts that I can use PGP to communicate with. Usability is the issue. Unfortunately most GNU Projects have never excelled in this area. It's too bad Mozilla dropped support for Thunderbird. Tight integration with GnuPG + a Mozilla cloud Public key directory could have made mainstream PGP a reality.