PRISM BREAK: A Post-PRISM Journey Outside the Big 12



SLIDE 1

PRISM BREAK

A Post-PRISM Journey Outside the Big 12, by Will Rico, LibrePlanet Boston + BLU. Software Freedom Day, September 21, 2013, Cambridge, MA

SLIDE 2

A CITIZEN'S APPROACH

image CC BY-NC-SA marsmettn tallahassee

Technical background, but not a kernel hacker or even a developer. Mostly approaching this as a regular user with perhaps above-average technical ability, but nothing crazy... not an expert. Day job is marketing and in part dependent on some of the services that I find threatening, especially Google and Facebook. By the way, how many people here heard about Software Freedom Day on Facebook? If you have less experience than me: then follow along a path I've taken. If more experience: see how someone new sees this.

SLIDE 3

WHAT IS PRISM?

Top secret program of the National Security Agency. Gives the NSA direct access to the systems of Google, Facebook, Apple and other US Internet giants. Google statement: "Google does not have a back door for the government to access private user data." Apple statement: "never heard" of PRISM. FAA = 2008 amendment to FISA that allows bulk collection of data when at least one party in the communication is foreign. FISA = Foreign Intelligence Surveillance Act.

SLIDE 4

WHO PARTICIPATES?

Microsoft was the first to participate. Yahoo next, followed by Google, Facebook and others. Plans to add Dropbox. These companies are indemnified by the government in exchange for participating.

SLIDE 5

WHAT IS COLLECTED?

Varies by provider. NSA can retrieve the communications without court orders and in real time. Only need to "reasonably believe" one party is outside the US. No outside checks on this.

SLIDE 6

XKEYSCORE

  • Based on wiretapping fiber optic cables
  • Wiretap anyone without prior authorization
  • "Nearly everything a user does on the Internet"
  • Allows searches of metadata and content of emails, browser history, more.
  • Search by email address, name, telephone number, IP address, keywords.
  • Every IP address of everyone who accesses any website.
  • Content stored for 3 - 5 days, metadata for 30 days
  • British intelligence service GCHQ has analogous program called Tempora

SLIDE 7

BULLRUN

  • $250 million per year budget for 10 years
  • Tap fiber-optic cables and decrypt data
  • "Covertly influence" product designs
  • Obtain keys via "industry relationships"

"Sigint" (Signals Intelligence) program. 10-year, $250 million per year program to weaken and co-opt encryption. Dependent upon collaborating with technology companies. Can break SSL encryption. Bullrun = decryption program. Microsoft helped NSA break the new Outlook.com's encryption even before the website launched.

SLIDE 8

Lavabit Shuts Down

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States. Sincerely, Ladar Levison Owner and Operator, Lavabit LLC

SLIDE 9

Groklaw Stops Publishing

  • Final Post: http://www.groklaw.net/article.php?story=20130818120421175

Pamela Jones covered patent and legal issues

SLIDE 10

Linus Nods "Yes"

This week - September 18 - at LinuxCon in New Orleans. Asked if the US government approached him to add a backdoor. Nods "yes" while saying "no".

SLIDE 11

Where does that leave us?

  • Angry
  • Fearful
  • Nothing to hide?

SLIDE 12

Journalists & Sources

Journalists probably do have something to hide... their sources. We're less safe when they're less safe. Your congressperson or other elected official may have something he doesn't want public... info as a threat. Or perhaps a family member of the elected official? THEREFORE: in addition to protecting ourselves individually, when we opt for free tools & services, we're also protecting the ecosystem of the Internet that makes journalism and democracy possible.

SLIDE 13

My Motivation

  • My own privacy
  • Helping restore a fair ecosystem to the Internet

SLIDE 14

WHAT "BEING FREE" MEANS

  • Computers - OS, even hardware
  • Connecting to the Internet
  • Searching the Web
  • Communicating - email, voice
  • Social & sharing
  • Photos & media
  • Money - electronic payment

SLIDE 15

MY ORIGINAL SETUP

10 - Linux Mint & Firefox = 8 + Apple Microsoft Yahoo LinkedIn

SLIDE 16

BREAKING FREE

http://prism-break.org

  • Operating System
  • Live CD / VM Images
  • Android
  • iOS & WP (N/A)
  • Web Browser
  • Browser Add-ons
  • Web Search
  • Maps
  • Email Service
  • Email Client
  • Email Encryption
  • Instant Messaging
  • Video Calls / VOIP
  • Social Networking
  • Cloud Storage

I'm not affiliated with the prism-break.org website. I don't consider myself free; I consider myself on the road to freedom. prism-break.org is the website that put me on that road and a tremendous resource.

SLIDE 17

BREAKING FREE... MORE

http://prism-break.org

  • Document Collab
  • Media Publishing
  • Online Transactions
  • Digital Distribution
  • VPN
  • Web Analytics
  • DNS
  • Anonymizing Net
  • Meshnet
  • Server O/S
  • File Encryption
  • Mail Server
  • XMPP
  • SIP Server
  • Hardware & Software

The problem is... it is overwhelming: covers 30 categories of software and services. At first, I simply got stuck staring at the page.

SLIDE 18

MY EXPERIENCE

  • Debian 7.1 Wheezy (stable)
  • Non-free firmware needed for my wireless adapter
  • Followed instructions to add "backports" for newer software
  • Bluetooth pairing worked
  • Non-free repository in my sources list

This step took a lot of time. Was at the top of the list on prism-break, so that's in part why I started here. I'm happy I did it because I've wanted to try Debian for other reasons - I admire the Debian Social Contract. But... in retrospect, should have been a lower priority item and wound up delaying other steps.

SLIDE 19

VRMS

My new Debian setup has 0.1% "non-free" packages (1 out of 1838), whereas my original Linux Mint setup had 0.4% (9 out of 2351).

SLIDE 20

CONNECTING TO INTERNET

Download, untar, then simply run ./start-tor-browser

Tor is very easy to install. No package to install, just download the binary. I'm not ready to use TOR exclusively, but use it occasionally when paranoia sets in.

SLIDE 21

TOR

Even safer: use Liberté Linux or Tails

Best practice is to avoid using external programs to view browser media, e.g. Flash, VLC. Download and then play in a virtual machine without Internet access, or use a Tor LiveCD such as Liberté Linux or TAILS. I couldn't bypass this warning even when downloading rather than viewing (TOR detects the file manager as an Internet-enabled program).

SLIDE 22

PROTECT DNS LOGGING

Your ISP can still track which sites you visit unless you are using a proxy like TOR, but by using a more free DNS provider you leave a trail in one less place. I chose OpenNIC DNS servers. Very easy to set up following the instructions: a few clicks to update the DNS servers in your network settings, or if you have a firewall, you can change them there.

SLIDE 23

SEARCHING THE WEB

Corporations and the government can learn a lot about you based on what you search online. This can be used for advertising purposes, which sometimes I'm OK with – if I'm in the market for a new car, perhaps I don't mind seeing ads for new cars. Other times this can be intrusive, e.g. when third-party companies build profiles of you (sometimes inaccurate ones) and sell them to advertisers.

Duck Duck Go uses the term "bubble" to mean Google, Bing, etc. put you into a bubble and only show you results they think you'll like, e.g. political messages... but sometimes you want to learn about all sides of an issue, or simply not be profiled in this manner.

SLIDE 24

STARTPAGE

Proxies Google search results. Respects your privacy by not tracking what you search. Imagine if a company kept a database of all your searches forever, and accidentally or purposefully released that database to the public or to the government. DON'T LIKE ABOUT STARTPAGE: ads blend in. LIKE ABOUT IT: date range settings on the left are convenient.

SLIDE 25

DUCK DUCK GO

http://ddg.gg

Yahoo search results. Highlights ads better. No date filters, but the sort-by-date option is handy. Image search takes you back to Google or Bing.

SLIDE 26

BROWSING THE WEB

Locking down your browser is probably the easiest thing you can do. These plug-ins work very well together, in a cascading manner, meaning what one doesn't catch, the next one does.

SLIDE 27

BROWSING THE WEB

Chromium without blocking vs. Firefox with ABE, NoScript, RequestPolicy and Disconnect

Ads are blocked on the right. User comments didn't render because they required Javascript – may be a good thing.

SLIDE 28

NO SCRIPT ON SALON.COM

Scripts from at least 19 different websites blocked for this one webpage

SLIDE 29

DISCONNECT ON SALON.COM

When NoScript & RequestPolicy are off, Disconnect blocks 69 trackers

If I let everything pass through (NoScript and RequestPolicy add-ons unblocked)... Disconnect catches 69 trackers. Disconnect reports 30% faster load and 18% less data.
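As an added example (not from the talk), the "cascading" behaviour of slides 26 to 29 modelled in JavaScript: three filter stages run in order over a constructed set of requests for one page, so what an earlier stage misses falls to the next, and switching the earlier stages off hands their work to Disconnect. Only salon.com is a real host; the other hostnames, the request list and the tracker blocklist are made up for the example.

```javascript
// Added example, not from the talk: a toy model of the "cascading" add-ons on
// slides 26-29. Each stage only sees requests the earlier stages let through,
// so turning earlier stages off hands more work to the later ones.

// Constructed sample: requests one news article page might trigger.
// Only salon.com is the real first-party site; the other hosts are made up.
const PAGE_ORIGIN = "www.salon.com";
const REQUESTS = [
  { url: "https://www.salon.com/article.html", type: "document" },
  { url: "https://www.salon.com/css/site.css", type: "stylesheet" },
  { url: "https://img.salon.com/photo.jpg", type: "image" },
  { url: "https://cdn.example-ads.net/ad.js", type: "script" },
  { url: "https://comments.example-widgets.io/embed.js", type: "script" },
  { url: "https://pixel.example-tracker.com/px.gif", type: "image" },
  { url: "https://stats.example-tracker.com/beacon", type: "xhr" },
];

// Constructed blocklist standing in for Disconnect's tracker database.
const TRACKER_HOSTS = new Set([
  "pixel.example-tracker.com",
  "stats.example-tracker.com",
]);

// Naive registrable-domain check (last two labels); fine for this toy model.
function sameSite(url, pageOrigin) {
  const site = h => h.split(".").slice(-2).join(".");
  return site(new URL(url).hostname) === site(pageOrigin);
}

// The three stages, in the order the talk layers them.
const STAGES = {
  noscript: r => r.type === "script" && !sameSite(r.url, PAGE_ORIGIN),
  requestpolicy: r => !sameSite(r.url, PAGE_ORIGIN),
  disconnect: r => TRACKER_HOSTS.has(new URL(r.url).hostname),
};

// Run the enabled stages in order; report how many each blocked and which
// requests reached the network.
function runCascade(requests, enabled) {
  let remaining = requests;
  const blocked = {};
  for (const name of enabled) {
    const test = STAGES[name];
    blocked[name] = remaining.filter(test).length;
    remaining = remaining.filter(r => !test(r));
  }
  return { blocked, allowed: remaining.map(r => r.url) };
}

// Full cascade vs. Disconnect alone: with the first two stages off, the
// tracker requests they would have stopped are caught by Disconnect instead.
const FULL = runCascade(REQUESTS, ["noscript", "requestpolicy", "disconnect"]);
const DISCONNECT_ONLY = runCascade(REQUESTS, ["disconnect"]);
```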

SLIDE 30

PHOTOS AND MEDIA

MediaGoblin

Needed help of a sysadmin to install. Still a "temporary" installation in a Python virtual environment. IRC channel was responsive and helpful. Developer responsive via email. Could not get video plug-in to work.

SLIDE 31

FEDERATION

centralized + vulnerable vs. distributed + resilient

Node graphics CC-BY-SA Mike Linksvayer http://youtu.be/XmlxATwyklc

Even though I had the least success with MediaGoblin, it's probably the most inspiring project. A federated alternative to YouTube. Sites like YouTube and Facebook centralize user data and create a single point of failure for an attack or a takedown notice. A federated system like MediaGoblin routes around damage when a node goes out and makes it much more difficult to take down content because it is distributed throughout the network.
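An added example, not from the talk or from MediaGoblin: a small JavaScript model of the single-point-of-failure argument above, counting which user pairs can still reach each other after one node is lost in a centralized network versus a federated ring of pods. All node names are made up.

```javascript
// Added example, not from the talk: toy model of slide 31's claim that a hub
// is a single point of failure while a federated network routes around loss.

// Undirected adjacency map from an edge list, with `removed` nodes cut out.
function buildAdjacency(edges, removed) {
  const adj = new Map();
  const link = (a, b) => (adj.get(a) || adj.set(a, new Set()).get(a)).add(b);
  for (const [a, b] of edges) {
    if (!removed.has(a) && !removed.has(b)) { link(a, b); link(b, a); }
  }
  return adj;
}
// Breadth-first search: the set of nodes reachable from `start`.
function reachable(start, adj) {
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length) {
    for (const m of adj.get(queue.shift()) || []) {
      if (!seen.has(m)) { seen.add(m); queue.push(m); }
    }
  }
  return seen;
}
// Unordered user pairs that can still reach each other once `removedNode`
// is gone (outage, seizure, takedown). Pass null for the healthy network.
function connectedUserPairs(edges, users, removedNode) {
  const adj = buildAdjacency(edges, new Set(removedNode ? [removedNode] : []));
  let pairs = 0;
  for (let i = 0; i < users.length; i++) {
    const r = reachable(users[i], adj);
    for (let j = i + 1; j < users.length; j++) if (r.has(users[j])) pairs++;
  }
  return pairs;
}

const USERS = ["ann", "bob", "cy", "dee", "eve", "fay"]; // made-up names
// Centralized: every user reaches the others only through one hub.
const CENTRALIZED = USERS.map(u => [u, "hub"]);
// Federated: three pods in a ring, two users per pod.
const FEDERATED = [
  ["pod1", "pod2"], ["pod2", "pod3"], ["pod3", "pod1"],
  ["ann", "pod1"], ["bob", "pod1"], ["cy", "pod2"],
  ["dee", "pod2"], ["eve", "pod3"], ["fay", "pod3"],
];

// All 15 pairs connect in both healthy networks; losing the hub leaves 0,
// losing pod1 leaves 6 (the other two pods still link their four users).
function compareOutage() {
  return {
    centralizedBefore: connectedUserPairs(CENTRALIZED, USERS, null),
    centralizedAfterHubLoss: connectedUserPairs(CENTRALIZED, USERS, "hub"),
    federatedBefore: connectedUserPairs(FEDERATED, USERS, null),
    federatedAfterPodLoss: connectedUserPairs(FEDERATED, USERS, "pod1"),
  };
}
```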

SLIDE 32

SOCIAL NETWORKING

SLIDE 33

FRIENDICA

Couldn't find any friends here. Found the interface a bit confusing. The Friendica logo takes me back to friendica.com instead of the main page of my portal.

SLIDE 34

DIASPORA

http://podupti.me/

Just like Friendica, the first step to joining Diaspora is to pick a pod. Friendica calls nodes portals; Diaspora calls nodes pods. Start by viewing the pod uptime list. I originally wanted to sign up for diasp.org because of its rating and it's in my country. There was a Sign In, but no Sign Up option, so I opted for https://pod.geraspora.de. I figured there might be an advantage to a pod outside the US as well.

SLIDE 35

DIASPORA

Once signed up... There was an option to connect to Facebook so that Diaspora could pull my profile pic and other info as well as allow cross-posting, so I followed the prompts and logged into Facebook to allow this. Diaspora asked me for tags based on my interests. I entered several. Posts with the tags you follow show up in your feed. Looked for my friends so I could connect with them: found 2 out of 13 people (all free software users). One search field, e.g. no search by last name only. Convinced 3 people to join with me (wife, dad, friend). Problems: can't move pods (need to recreate user and friends need to reconnect) + pod admin can see everything.

SLIDE 36

Syndicating from Diaspora

Bottom Diaspora post syndicated to Facebook. Top Diaspora post syndicated to Twitter.

SLIDE 37

PUMP.IO

SLIDE 38

BYE BYE SKYPE, HELLO JITSI

Get a free SIP account to use with Jitsi from https://ostel.co

Jitsi uses SIP as well as other protocols. Sign up and install were relatively easy. Convinced my Spanish teacher in Guatemala (normally use Skype) and my father to sign up. Both are Windows users and were able to get SIP ostel.co accounts. After about 30 minutes of debugging issues, had a high quality video chat with my Dad who is in NY. Spent 1.5 hours across 2 days trying to get Jitsi to work for me and my Spanish teacher, but never quite got there.

Still hopeful.

SLIDE 39

EMAIL

Email needs to consider both service and client. Currently use Gmail and feel locked in by it. Have had trouble moving to Thunderbird because of overall slowness and unreliability of search. However, use Thunderbird when I want to send or receive an encrypted message with GPG. Tried Sylpheed and it looks promising, but not enough experience. I can run my own mail server, but it's a headache, especially with spam. Signed up for a MyKolab account – calendar, filesharing too, about $10/month/user.

SLIDE 40

Cloud Storage

Could not get OwnCloud installed in time to report on it, but it looks the most promising to me. SparkleShare works via git repositories and was relatively easy to set up. Found synchronization slow, but not enough experience to say for sure. SparkleShare:

  • good for file sharing within the context of a project, especially when version tracking/history is needed
  • not ideal for backing up a whole computer or photo libraries because everything gets versioned

SLIDE 41

NEW SETUP / DIRECTION

  • Debian
  • OpenNIC + TOR
  • Locked down with plugins
  • Startpage & Duck Duck Go
  • Self-hosted or MyKolab
  • Syndicate via Diaspora
  • MediaGoblin (eventually)
  • OwnCloud (hopefully)
  • Jitsi (when possible)

SLIDE 42

OTHER AREAS TO EXPLORE

  • Document collaboration a la Google Docs
  • Online currencies, e.g. Bitcoin
  • Meshnets
  • Phone rooting

SLIDE 43

LESSONS LEARNED

  • Start simple
  • Can't plug every hole at once
  • Use free services to syndicate to non-free until you can leave non-free services entirely
  • Success requires bringing friends along
  • Share the work & fun with communities of trust

SLIDE 44

WHAT THE EXPERTS SAY

We need federation support, and then we need more people running servers for their friends and family... It's really important to get people using these things en masse... and running them!

– Chris Webber, MediaGoblin

SLIDE 45

WHAT THE EXPERTS SAY

Get involved with free and open social networks first. Find ways to connect them to your Tumblr, Path, LinkedIn, or whatever other proprietary network. Use them often, and have fun with them. As your friends, family and colleagues join you, you'll find you use other networks less often.

– Evan Prodromou, pump.io

SLIDE 46

THE WORLD COMMUNITY

  • Participate
  • Contribute
  • Bring a friend

Won't always be the best choice from a technology or user interface or features perspective. But it's the right choice ethically:

  • for ourselves
  • for our neighbors
  • for our community
  • and for those who don't depend on security & privacy as they work on our behalf

SLIDE 47

YOUR LOCAL COMMUNITY

  • BLU & LibrePlanet Boston
  • http://www.blu.org
  • http://www.blu.org/desktop
  • Monthly meetings
  • Mailing list for between-meeting sharing & support

Let's http://prism-break.org together