Category Archives: Tor Browser

If you follow tech news or my site, you have probably stumbled upon the Firefox uses Google Analytics controversy by now.

Let me refresh your memory if you have not. A user of Firefox discovered that Mozilla Firefox connects to Google Analytics when users of the browser load the Get Add-ons page of about:addons.

That page displays a remote web page on Mozilla's website when loaded, and that's where the Google Analytics connection comes into play.

Mozilla stated in a response that it has brokered a special deal with Google which anonymizes the data, and prevents Google from using it internally or externally.

While that is commendable, it does not touch the core of the issue that privacy-conscious users have with the implementation.

The core issue for users who criticize Mozilla for using Google Analytics is the connection to Google Analytics, or in broader terms to Google, and that Firefox does not inform users about it, or provide the means to block it by default, or that the connection happens at all.

Note: Mozilla reacted quickly to the reported issue, and Firefox users may enable Do Not Track in the browser to disable the Google Analytics script on the Get Add-ons page of the browser.

Firefox users may enable Do Not Track by loading about:preferences#privacy in the browser's address bar, and setting the option to "always". Note End

Mozilla may be right when it states that Google won't touch the data because of the deal. There is no evidence that the company does otherwise, even though it would be difficult to prove that. The whole incident may be blown out of proportions, but that is not what is bothering users who criticize Mozilla for the use of Google Analytics.

Read also: Firefox Test Pilot: Snooze Tabs and Pulse experiments

What Mozilla fails to realize in my opinion is that there is a subset of Firefox users which holds the organization to higher standards than any other browser maker when it comes to privacy (except the Tor Browser guys probably).

This does not come out of the blue, as Mozilla presents itself as an organization that values user privacy and security. The fourth principle of Mozilla confirms this for instance:

Individuals' security and privacy on the Internet are fundamental and must not be treated as optional.

A connection to Google Analytics goes against these privacy principles, at least for Firefox users who take privacy seriously. It does not really matter whether Mozilla brokered a special deal with Google or not, what is collected and what is not, or what happens to the data that gets collected.

The fact that data lands on Google servers, and thus outside of control of Firefox users or Mozilla, is what is bothering users who criticize Mozilla for integrating the script on the page that Firefox loads.

In short: The stance that privacy conscious Firefox users have is that Firefox should never make connections to third-party sources, especially not to Google, Microsoft or any other major player in the advertising world, without user consent.

Summary

Article Name

Mozilla is held to a higher standard

Description

The article discusses why Mozilla is, and should be, held to a higher standard when it comes to user privacy than other browser makers.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

You are here: Home > Firefox > Mozilla is held to a higher standard

You can support us in many ways, for instance by disabling adblockers. Alternatively, you may support us with a PayPal donation.

Please check out our other support options here.

Advertisement

Recent Updates:

Pale Moon 27.4 Remove Intel True Key Firefox 54.0.1 Windows 10 Privacy Software The best Chrome extensions The best Firefox addons Firefox privacy and security preferences Firefox Release Schedule Firefox multi-process information Windows Backup Software overview Anti-Ransomware Software overview The Best Windows Software Firefox Roadmap 2017

Advertisement

Topics

Apple Development Facebook Games Ghacks Hardware Internet Internet Explorer Linux Microsoft Mobile Computing Music And Video Networks Opera Security Tutorials

Advertisement

Latest Downloads:

WinSuperMaximize Fing Network Discovery

Continue reading here:
Mozilla is held to a higher standard - Ghacks Technology News

The Firefox web browser ships with an add-on management interface that users may load directly by typing about:addons in the browser's address bar, or by using menus of the browser the page is linked from.

The management interface comes with several pages that separate extensions from themes, plugins, services, scripts and other "add-ons" that users may add to Firefox in one way or another.

There is also a Get Add-ons page that lists add-on suggestions to users. It is making the rounds right now connects to Google Analytics when users access it.

Nicolas Petton posted a message on Twitter on July 11, 2017 that Mozilla was using Google Analytics on the about:addons page. The message was picked up on social news sites such as Reddit and Hacker News shortly thereafter.

Some users voiced concerned about the integration of Google Analytics in Firefox (on this one page), stating that a browser that advertises with being privacy-focused should not do that.

Mozilla employees provided detailed information on the implementation on various sites, including on GitHub where a issue was raised by a concerned user.

According to Mozilla employee Matthew Riley MacPherson, known as tofumatt on GitHub, about:addons loads an iFrame with content hosted on a Mozilla website which contains the Google Analytics script.

Mozilla has a special agreement with Google which means that the data is aggregated and anonymised. Another Mozilla employee, who goes by the handle potch, added on Hacker News that Mozilla negotiated a special deal with Google that only a "subset of data" is collected, and that the "data is only used for statistical purposes".

When asked why Mozilla was not using self-hosted analytics scripts like Piwik, Matthew replied that hosting their own analytics product -- Piwik in particular -- was more work for "a worse product".

Matthew suggested to disable the tracking for users who have opted out of Telemetry tracking in the Firefox browser. This has not been implemented yet, and it is unclear whether this is going to happen.

Ultimately, this seems to be Mozilla's stance on the issue right now according to Matthew:

We won't be discontinuing our usage of analytics for our web properties, but I do think it would be nice to consider easy opt-outs for users like yourself who clearly do not want to participate in analytics sharing.

The maker of uBlock Origin posted an interesting observation in the thread as well. The legacy version of uBlock Origin can block the requests on internal Firefox pages, while the WebExtension version cannot.

Legacy uBlock Origin can block the network request to GA.

However webext-hybrid uBO as per Network pane in dev tools does not block it. Same for pure webext Ghostery, the network request to GA was not blocked, again as per Network pane in dev tools.

What is concerning is that both uBO webext-hybrid and Ghostery report the network request to GA as being blocked, while it is really not as per Network pane in dev tools. It's as if the order to block/redirect the network request was silently ignored by the webRequest API, and this causes webext-based blockers to incorrectly and misleadingly report to users what is really happening internally, GA was not really blocked on about:addons, but there is no way for the webext blockers to know this and report properly to users.

The Tor browser developers, a browser that is a modified version of Firefox for added security and privacy, have voiced concerns as well.

Disallow 'about:addons' unless the extensions directory is volatile, because regardless of what Mozilla PR says about respecting privacy, loading Google Analytics in a page that gets loaded as an IFRAME as part of an 'about:' internal page, is anything but.

Tip: Firefox users who don't use Get Add-ons can disable the functionality in the following way:

Read also: Firefox: copy multiple text bits at once

See how to block automatic connections that Firefox makes for additional information, or the list of Firefox security and privacy preferences.

It is clear that there are multiple points of view on the issue at hand:

My personal stance on the matter is that I think it is unwise to integrate anything that connects back to Google in the Firefox browser. Unwise because it torpedos Mozilla's stance on privacy in the eyes of some Firefox users.

Now You: What's your take on this?

Summary

Article Name

Privacy blunder? Firefox's Get Add-ons page uses Google Analytics

Description

Mozilla Firefox connects to Google Analytics on the browser's internal Get Add-ons page. Some users see this is a privacy violation.

Author

Martin Brinkmann

Publisher

Ghacks Technology News

Logo

You are here: Home > Firefox > Privacy blunder? Firefoxs Get Add-ons page uses Google Analytics

You can support us in many ways, for instance by disabling adblockers. Alternatively, you may support us with a PayPal donation.

Please check out our other support options here.

Advertisement

Recent Updates:

Remove Intel True Key Firefox 54.0.1 Windows 10 Privacy Software The best Chrome extensions The best Firefox addons Firefox privacy and security preferences Firefox Release Schedule Firefox multi-process information Windows Backup Software overview Anti-Ransomware Software overview Pale Moon 27.3 The Best Windows Software Firefox Roadmap 2017

Advertisement

Topics

Apple Development Facebook Games Ghacks Hardware Internet Internet Explorer Linux Microsoft Mobile Computing Music And Video Networks Opera Security Tutorials

Advertisement

Latest Downloads:

WinSuperMaximize Fing Network Discovery

Read the original post:
Privacy blunder? Firefox's Get Add-ons page uses Google Analytics - Ghacks Technology News

Russia and China are banning the use of virtual private networks, as their governments assert ever greater control over what citizens can see online.

In Russia, the State Duma the lower house of the Federal Assembly of Russia (legislature) unanimously adopted the first reading of new legislation that would ban the use of VPNs as well as online anonymizers like the Tor browser if they don't block access to a government-run list of websites.

That list of websites will include any sites that provide software that can circumvent censorship. And, most insidiously, the law will require search engines to remove references to blocked websites so citizens don't know what it is they are not allowed to see.

The legislation was approved in record time after the director of the FSB intelligence agency, Alexander Bortnikov, gave an hour-long talk to Duma deputies in a closed meeting, in which he said how important it was that the law was passed and passed quickly. Attendees were told not to report that the meeting even took place, apparently.

In a note explaining the law, Duma deputies argue that the law is necessary because the existing censorship apparatus in place is "not effective enough."

A second law that also passed its first reading this month will require mobile phone operators to:

Any companies that fail to comply with the rules can be fined up to one million rubles ($16,500).

Meanwhile, China has started enforcing its rules, approved in January, that do pretty much the same thing.

The Chinese government requires all VPN services to apply for a license, and as part of the license requirements, they are expected to block access to websites and services the Chinese government doesn't approve of.

Now the government has "requested" that the country's three mobile operators block the use of VPN apps on their networks, and have set a hard deadline of February 1 next year. Chinese users in their millions use VPNs as a way of bypassing widespread online censorship that blocks services such as Facebook and Twitter as well as many Western news websites.

The Ministry of Industry and Information Technology said back in January that the VPN and cloud computing market was undergoing "disorderly development," and as such there was an "urgent need for regulation norms."

That followed a largely ineffective effort to kill off VPNs back in 2015. But this time the government seems more determined to enforce censorship.

Earlier this month two VPN services Green VPN and Haibei VPN said they were shutting down their services in mainland China, having received a "notice from regulatory departments."

The government also recently passed new rules that will censor information that does not reflect "core socialist values" in effect banning discussion on topics such as drugs and homosexuality. Previously, Chinese internet users had grown used to a censored version of the internet built largely around protecting the ruling party by limiting political debate.

It's unclear whether the same rules will apply to the political elite, however. The architect of China's Great Firewall himself used one publicly in a presentation last year when he found himself blocked by his own creation.

Originally posted here:
Russia, China vow to kill off VPNs, Tor browser - The Register

The deep web and its inner recess, the dark web those less well-trodden parts of the internet beyond the reach of Google and Bing are not for the faint-hearted or untrained. With the right tools, however, there's little to fear and plenty to discover. Here's how you can start exploring the deep web without having to worry about your digital well-being.

There are a few ways to approach this, but we're going to focus on one of the most straightforward and secure for simplicity's sake. We're going to be usingTails OS, a bootable operating system that includes everything you need to get down to those hidden parts of the web.

Play Video Don't Play

Play Video Don't Play

Previous slide Next slide

You can buy drugs, weapons and even assassins on it, so do we need the deep web?

Play Video Don't Play

20-year-old Dutch man Mats Valk has broken the single solve Rubik's Cube record in less than 4.74 seconds.

Play Video Don't Play

Researchers have had a medical breakthrough with a new way to detect the degenerative illness. Vision courtesy: Seven News.

Play Video Don't Play

Police release images of a man they believe was responsible for a shocking sex attack in Melbourne's southeast. Anyone with information is urged to contact Crime Stoppers on 1800 333 000.

Play Video Don't Play

Queensland police arrest a man at Clayfield after the serious assault of a woman at Bulimba on July 2.

Play Video Don't Play

Paul Harvey, a postdoctoral researcher in the department of environmental sciences at Macquarie University, says high levels of lead contamination in kitchen drinking water is not new.

Play Video Don't Play

Research from Deakin University reveals that Islamophobia is alive and well in Australia, with Australians having significantly more negative attitudes towards Muslims than religious groups.

Play Video Don't Play

A 26-year-old man is charged over the murder of Sydney teenager Brayden Dillon. Vision courtesy Seven News Melbourne.

You can buy drugs, weapons and even assassins on it, so do we need the deep web?

If you're still unclear about what the deep web is, it's any part of the internet that's not indexed by search engines. Anywhere you can't get from just clicking links. A large part of the deep web is made up of.onionsites (likethe infamous Silk Road), which use a special top-level domain only reachable by a special browser called Tor. Technically, the dark web is a more illicit subsection of the deep web, though the terms are often confused.

For the curious or privacy-conscious internet explorer, it's worth checking out to see what lies beyond the internet we interact with on a day to day basis. But please note: you should be extra careful when clicking links on the deep web as some can lead toillegal sites. Browse at your own risk.

Fortunately Tails hasan installation wizardthat guides you step-by-step through the process of setting up the software. If you want to create a bootable USB copy of Tails (which we do), then you need a Windows machine and two 4GB+ USB sticks (the first is for an "intermediary" version of the OS).

You're also going to requireFirefox, theTor Browseror aBitTorrent clientin order to verify the initial download and confirm it is what it says it is. On top of that you need a Universal USB Installer utility, which the installation wizard directs you to, which will take care of creating the first USB stick using your downloaded Tails ISO.

Get the latest news and updates emailed straight to your inbox.

After that's done, boot from this newly created drive to configure the second one.This official guidetakes you carefully through the process. Use the 'Install by cloning' option in the Tails Installer to create your second USB stick, which includes some security enhancements and extras not built into the first one.

Finally, remove the first USB stick, keep the second in place, and boot from it. You're now ready to start venturing out into the deep web. If you run into trouble (and we hit one or two obstacles along the way), then a general web search for your issue orthe official Tails support portalshould get you moving again.

The Tor Browseris your gateway into the dark web. You can actually use it on Mac and Windows too, but Tails OS adds an extra few layers of security, and comes with Tor included. The browser is based on Firefoxso you shouldn't have many problems finding your way aroundand will open the Tails OS homepage by default.

As you might expect, browsing the deep web isn't quite as simple as clicking on a few links or searching Google. The best way in is through 'hidden' wikislike this one(note you won't be able to click through on any onion links without the Tor browser) and various others you can find via Reddit or with some clever web searching on sites likeDuckDuckGo.

Of course the whole point of the deep web is that casual internet users can't simply fire up Google or read a guide like this to get started easily,so finding working, up-to-date links and directories can take some time. Forums, plenty of patience, and occasionallythe Torch search engineare your best bets for finding a way into new communities.

The deep web has a reputation for shady activity, but it's also a place for whistleblowing, bitcoin exchanges, and political discussion away from the glare of the public internet. It's changed a lot in recent years as security agencies have become more aware of its presence, and it will continue to evolve in the future.

The Tor browser protects you by routing your traffic through various different IP locations (and you'll probably notice your web connection slows down a lot as a result).

And as we've already mentioned,Tails OS includes extra security featureslike built-in encryption, and because you're running it on a USB stick you really are leaving no trace. Tails itself stands for The Amnesiac Incognito Live System, which just about sums up why it's one of the best options for some deep web browsing.

Don't compromise that security and anonymity by giving away personal details, including email addresses and so on, and keep downloading to a minimum. Once you've set up Tails, it's generally common sense. But if you're up to something illegal, you can't rely on these security measures to protect you.

As for whether using Tor will get you in trouble with the authorities on its own, it largely depends where in the world you live and what you're doing with it, but it's worth bearing in mind thatnothing is ever 100 per cent anonymous and secure. For the most paranoid, there's always the option of tape over the webcam but sometimes even that might not be enough.

Read more:
How to safely search the deep web - The Age - The Age

SAN FRANCISCOCan something as mundane as modern Web hosting be used to increase consumer privacy? Daniel Kahn Gillmor, a senior staff technologist at the ACLUs Project on Speech, Privacy, and Technology, thinks so. He also believes that the future of consumer privacy depends on technology providers taking bolder steps to protect their users.

At a recent conference held here by the content delivery network company Fastly, Gillmor spent 20 minutes explaining a set of technology proposals that a modern Web host like Fastly can undertake to defend privacywithout burying itself in costly changes.

The adversaries who are doing network monitoring tend to focus on metadata, not on content, he told the crowd of engineers about the essential tracking data created when we write emails, watch cat videos online, or text emojis. The importance of metadata to surveillance was underscored by former National Security Agency Director Michael Hayden in 2014, when he declared, We kill people based on metadata.

Gillmor explained how a content delivery network, or CDN, could combine new Internet traffic analysis countermeasures and Domain Name System obfuscation to help prevent spies from snooping on consumers Internet activities. Gillmors talk was more of a pitch about what a CDN can do than what Fastly is actually doing.

Daniel Kahn Gillmor. Photo courtesy ACLU.

After Gillmors presentation, he and I spoke at length about three of todays biggest challenges to consumer privacy: rising costs, responsibilities of private companies to their users, and struggles to make email more safe and private.

What follows is an edited transcript of our conversation.

Q: There seems to be a growing digital divide over privacy technology. Whats your perspective?

My biggest fear is that were going to accept, as a society, that privacy is a luxury. You see that already, in many situations. Someone who can afford a home has more privacy than someone who cant afford a home. This is not just a digital-divide thing; its a general situation where people buy privacy for themselves. Its unjust.

Some services people buy are intended to help keep you off others radar. (And some of them actually are invasive.) And a lot of people dont even actively consider privacy when making purchasing decisions. So theres not enough of a market, in some sense, for privacy-preserving technologies.

Which ostensibly privacy-preserving technologies are people are buying that might actually be compromising them? Virtual private networks?

If you cant afford a VPN, most of your connections are going out in the clear, which means that your network provider has an opportunity to surveil you and build profiles about you.

But if everyone gets a VPN, all network traffic would get concentrated at a few VPN companies instead of at the various Internet service providers. And you could monitor everybodys traffic just by monitoring the VPNs, instead of all the different on-ramps.

And if you had a big budget and wanted to do a lot of monitoring, you could even set up your own VPN and sell access. Brand and market it, and then maybe Im paying you to harvest my data.

Another consideration: What privacy controls do we have on existing VPN services we might buy? They should be subject to the same constraints that we would like to put on the ISPs, because they are in the position to see all of the different stuff that we do online. Thats a different perspective than a network service that you may or may not decide to use.

Tor is the exception to this rule because its free and designed to reduce tracking, right?

Theres a bunch of mythology around Tor. But if you want to play around with it, its really not that hard. You go to TorProject.org, download the browser, and use it to browse the Web.

Its a little bit slower than what people usually expect from a Web browser. But Tor developers have really thought carefully, not just about how to route network traffic, but also about what browsers do and how they pass traffic. Tor really does provide a significant amount of user privacy.

We have a responsibility as engineers to try to fix the systems people actually use.

In dealing with cookies, for example, it uses double-keyed cookies. The typical browser makes a request, the origin sends back the page, and the page refers to several subresources such as images or video. It sends them with cookies [a small piece of computer data that can track behavior on the Web], which might come from a third party such as an ad server.

So if I visit a site, make a request from a third-party server, then visit another site that uses the same third-party server, that third party can identify me as the same person because of the identical cookies I send.

The Tor browser ensures that the cookies you send different sites dont match. I think it would be better to just not send cookies at all, but the Web has evolved such that there are things like authentication schemes that dont work, if you dont send any cookies to a third party. This is something Tor does through its browser. Its independent from its network traffic obfuscation.

If youre interested in getting the most developed set of privacy preservation tools that have been thought about, researched, and well implemented, Tor is the place to get it. As part of the Tor uplift to integrate features from the Tor browser back into Firefox, Mozilla has added double-keyed cookies into Firefox as an opt-in. This is a good example of how collaboration between noncompany technology providers can add functionality for a wide swath of users.

For instant messaging, people should be using Signal. And if theyre not using Signal, they should use WhatsApp.

What about for email?

Im involved with an effort to try to do a similar thing for email called Autocrypt. We have had email encryption technology available to us for 20 years. But encrypting email is painful.

So painful that the creator of email encryption tells people to stop using email to send sensitive data.

Phil Zimmerman doesnt use it anymore. He says people should stop using it, but the fact is, that wont happen. And he knows that.

We have a responsibility as engineers to try to fix the systems people actually use. Its one thing for us to say, Quit it. And its another thing to say, OK, we get it. You need email because email works in all these different ways.

I think we have a responsibility to try to clean up some of our messes, instead of saying, Well, that was a mistake. All of you idiots who are still doing what we told you was so cool two years ago need to stop doing it.

We need to actually support it. This is a problem that I call the curse of the deployed base. I take it seriously.

I expect to get a lot of shit, frankly, from some other members of the encrypted-email community.

The Autocrypt project is run by a group of email developers who are building a consensus around automated methods to give people some level of encrypted email without getting in their way.

Some of us deeply, intimately know the thousand paper cuts that come with trying to get encrypted email setup. We asked, Whats the right way to get around that for the majority of people? And the answer weve come up with isnt quite as good as traditional encrypted email, from a security perspective. But it isnt bad.

When someone asks me how to use email encryption, Id like to one day be able to tell him to use an Autocrypt-capable mail client, then turn on the Autocrypt feature.

From a solutions perspective, we dont necessarily handle everything correctly. But no one does traditional encrypted email properly. And encrypted email is a two-way street. If you want people to be able to do it, the people with whom you correspond need to also be doing it.

I expect to get a lot of shit, frankly, from some other members of the encrypted-email community. Five years ago, I would have said Autocrypt sounds dangerous because its not as strong as we expect. That is, I might have been inclined to give people shit about aproject like Autocrypt. However, I think that imperfect e-mail encryption with a focus on usability will be better protection than what we currently have, which is actually clear text for everyone, because no one can be bothered to use difficult e-mail encryption.

How important is it for consumers to understand whos targeting them?

This is the other thing that I feel like we dont have enough of a developed conversation around. Im a well-off white guy, working for a powerful nonprofit in the United States. Were not as powerful as wed like to be, and we obviously dont win as many of the fights that we would like to win. But I dont feel that Im personally, necessarily, a target.

Other people I talk to might be more targeted. I am responsible for pieces of infrastructure as a Debian [Linux] developer that other people rely on. They might be targeted. I could be targeted because theyre being targeted.

When we talk about threats, we take an individualistic approach when, in fact, we have a set of interdependencies. You and I exchange emails, and all of a sudden, someone who wants access to your emails can go attack my email.

We havent yet seen a sufficient shift to companies treating user data as a responsibility, instead of just as a future pot of money.

It used to be that I would set up a server, and you would connect to it to view my site. There were network intermediaries, but no CDN. Now there are both, and the CDNs privacy is my privacy is your privacy. All of these things are intermixed.

You have to think about the interdependencies that you have, as well as the threat model of the people who depend on you. Theres responsible data stewardshipI dont think that people think about that actively.

My hope is that every organization that holds someone elses data will see that data as a liability to be cared for, as well as an asset. Most people today see other peoples data as an asset because it will be useful at some point. Companies build venture capital on the basis of their user base, and on the assumption that you can monetize the user base somehow. Most of the time, that means sharing data.

We havent yet seen a sufficient shift to companies treating user data as a responsibility, instead of just as a future pot of money. How do we ensure that organizations in this middleman position take that responsibility seriously? We can try to hold them publicly accountable. We can say, Look, we understand you have access to this data, and we want you to be transparent about whom you leak it to. Or give it to.

Ive been happy to see large companies make a standard operating procedure of documenting all the times theyve had data requested by government agencies, but I dont think its adequate. It doesnt cover who theyve actually sent data to in commercial relationships.

A big challenge to the effort to protect consumers from hacking and spying is the effort to encrypt metadata. Where does it stand today?

Its complicated by a lot of factors.

First, what looks like content to some layers of the communications stack might look like metadata to other layers. For example, in an email, there is a header that says To, and a header that says From. From one perspective, the entire email is content. From another, the To and the From are metadata. Some things are obviously content, and some things are obviously metadata, but theres a vast gray area in the middle.

When youre talking about metadata versus content, it helps to be able to understand that the network operates on all these different levels. And the idea of encrypting metadata doesnt necessarily fit the full bill.

In terms of the size and timing of packets, for example, say you sent K bytes to me. You cannot encrypt the number. But you can obfuscate it.

Take profile pictures. If youre serving up a cache of relatively static data like avatars, you can serve every avatar at the same size.

Can you essentially hide other forms of metadata that cant be encrypted?

You can obfuscate an Internet Protocol address.

When I send you traffic over IP, the metadata at the IP layer is the source and destination address. If you encrypted the destination address, the traffic wouldnt reach the destination. So somebody has to see some of the metadata somewhere. And practically, realistically, I have no hope of encrypting, or protecting, the sending address. But maybe I dont need to present the source address.

Whether youre padding existing traffic to hide the size of the information transferred, or making changes to how domain name servers operate, what are the associated costs? Additional traffic isnt free, right?

Its hard to measure some of the costs. But youd measure padding to defend against traffic analysis in terms of throughput.

Imagine that your DNS was already encrypted. We know how to do it; we have the specification for it. Are we talking about an extra 5 percent of traffic? Or are we talking about an extra 200 percent or 2,000 percent of traffic? And if were talking about DNS, whats the proportion of that traffic relative to the proportion of all of the other traffic?

DNS traffic is peanuts compared to one streamed episode of House of Cards.

Some traffic analysis savant will come along and say, We found a way to attack your padding scheme, which is great. Thats how the science advances. But it might cost your adversary two to three times more to decipher, because of the padding.

If we step back from that, lets ask about other costs. Have you looked at the statistics for network traffic with an ad blocker versus no ad blocker?

Your browser pulls significantly less traffic, if it doesnt pull ads. And yet, as a society, we seem to have decided that the default should be to pull a bunch of ads. Weve decided that the traffic cost of advertising, which is more likely to be privacy-invasive, is worth paying.

So yes, metadata padding will cost something. Im not going to pretend that it doesnt, but we pay for what we value.

And if we dont value privacy, and thus dont pay for it, there will be a series of consequences. As a society, well be less likely to dissent. Well be more likely to stagnate. And, if we feel boxed in by surveillance, well be less likely to have a functioning democracy.

Continued here:
ACLU's Gillmor on privacy: 'We pay for what we value' (Q&A) - The Parallax (blog)

Q. I've heard you talk about a software called Tor before, but what does it do? Is it safe to download? And is it available to everyone? - Richard M.; listens on 880 AM WCBS, New York.

A. This is a great question, Richard, because Tor software is often the subject of controversy. If you're considering downloading this software, you need to be aware of the pros and cons, especially since Tor will allow you to browse through some pretty dark areas of the internet.

In its simplest definition, Tor is a web browser software that conceals your identity when you're online. It does this in a few different ways. First, it uses encryption to scramble the data that's being communicated within the network. Second, it routes that data between random servers within the Tor network to hide your online identity, including data tied to your personal IP address.

You've probably heard some unnerving things associated with Tor. We're not going to pretend there isn't truth to those claims. Tor can be used for good things and bad.

Positives: The best thing about Tor is that it provides anonymity for people who would wantto browse the web without being tracked by their internet service provider, websites, the government and other interest parties. You can also use Tor to access services that are blocked by some internet providers, or governments.

Note: If you'd like to increase your privacy online without downloading Tor software, click here for tips on disabling web browser tracking.

Negatives: It's true that Tor has a dark side. Not the software itself, but the places to where it grants access on the internet. You may have heard the term "Dark Web" before. This is a portion of the internet that is often used for illegal activities such as child pornography, the sale of drugs, prostitution, etc. Tor software is needed to access the Dark Web, so needless to say, using the software could lead you into some pretty dark places. Click here for more information on the Dark Web and what's hiding in the shadows of the internet.

The easiest answer: Yes, and no. The software itself is safe to use. And, if you're using it for its basic function of hiding your online identity, then you shouldn't run into any trouble. However, if you're using Tor with the intent of accessing the Dark Web, then you could easily encounter more than you bargained for.

Tor software is free to download, however, you may be asked by the software's developers to make a donation. You are not obligated to do so, but there are various sections of the Tor website where donations are requested.

Although Tor does have its benefits, it is an extreme way to obtain online anonymity, and should only be used by those who find it absolutely necessary. Because of the risks associated with the Dark Web, Tor may not be the best option for the average internet user. Instead, try the tips in these articles to gain more privacy online, no special software required.

Please share this information with everyone. Just click on any of these social media buttons.

Previous Downloads

Next Downloads

See original here:
What is Tor browser, and is it safe? | Komando.com

Andrew Brookes/Getty Images

Hacked login details. Cybersecurity exploits for hire. Drugs, guns and ammo. If there's something shady going on online, chances are it's happening on the darknet.

When Target was hacked in 2013, customer card details turned up on darknet marketplaces. Hackers have tried to do the same with Yahoo login credentials, and details of O2 phone network customers in the UK.

You'll also find cybercriminals selling security exploits. Ransomware, anyone?

Everything's for sale if you look in the right place. And with the rise of bitcoin, the "currency of choice" on the darknet, virtually anonymous payments are easier than ever.

Just this week in Australia, a news investigation revealed that an anonymous darknet user has offered up access to the Medicare records of "any Australian" for just 0.0089 bitcoin ($22, AU$30, 18).

That's not to mention the things you really don't want to see. Europol says the darknet and other peer-to-peer networks are still the "main platform" for sharing child abuse material.

So for those of us used to opening Chrome or Safari to get online, the darknet is an entirely different beast. How does it work? How is it different from the "surface web" that we all know? And what do you need to know ahead of time, should you choose to wade in?

The first thing to remember: The darknet is not the same as the "deep web."

The deep web refers to any part of the internet that isn't discoverable by a search engine. But that doesn't mean it's suspicious -- there are plenty of sites you visit in your day-to-day browsing that fall into this category.

When you log in to internet banking, you've navigated to a specific location online, but one that's not served up in Google results. The same goes for the different pages that pop up in webmail services, like Gmail, or academic databases on a university network.

It's hard to estimate just how big the deep web is, but the commonly cited research (albeit from 2001) puts the deep web at 400 to 550 times the size of the "surface web."

If the surface web is the tip of the iceberg and the deep web is what's below the water, then the darknet is what you'll find deep in the blackest waters below. The darknet is the network itself, whereas the dark web is the content that is served up on these networks.

This is where you'll find the kind of marketplaces that ply their trade in illicit wares -- what security researcher Brian Krebs calls the "hidden crime bazaars that can only be accessed through special software that obscures one's true location online."

The UN noted last month that although drug trafficking over the darknet is relatively modest, drug transactions increased 50 percent annually from September 2013 to January 2016. And in early 2016, then-US Attorney General Loretta Lynch warned that some gun sales were shifting to the dark web to stay outside the reach of regulations.

Anonymity is the key here. Whistleblowers, activists and political dissidents certainly have good reason to obscure their online location and post with anonymity on the deep web and the darknet, but that level of secrecy is also sought by criminals.

This isn't just a matter of heading to "darknet.com" and having a snoop -- you'll need specific software and a dedicated browser. The Tor software (and its dedicated Tor Browser) is probably the most famous of these, though there are others, including I2P and Freenet.

Using software originally known as The Onion Router (think layers and layers of encryption), Tor secures traffic by routing it through a network of secure relays that anonymize traffic. These relays are run by volunteers around the world who donate their server bandwidth.

Think of it as a network of safe houses: You travel through underground tunnels that run along the lines of the streets above, and you pop out where you want using safe houses donated by fellow network users.

But with links on the darknet typically just alphanumeric strings of nonsense (think kwyjibo.onion) it can be very hard to know what you're getting.

It's important to remember that Tor isn't illegal software, just as torrenting software doesn't do anything illegal until you use it for sharing pirated movies. Tor says plenty of"normal people" use its service, as well as citizen journalists, whistleblowers, law enforcement agencies and, according toHuman Rights Watch, Chinese dissidents. Tor estimates that onlyabout 4 percent of trafficover its network is for hidden services (or dark web content); the rest is people accessing regular internet sites with greater anonymity.

Still, wherever you have anonymous traffic on hidden networks, the criminal activity will follow.

It's the darknet after all -- be careful what you click for.

Tech Culture: From film and television to social media and games, here's your place for the lighter side of tech.

Batteries Not Included: The CNET team shares experiences that remind us why tech stuff is cool.

See original here:
Darknet 101: Your guide to the badlands of the internet - CNET - CNET

But there is a problem.

South Korea blocks its people, or anyone using the internet in the country, from accessing North Korean websites. If you try to open the K.C.N.A. website, a government warning pops up. Its the same warning the government issues to internet users when it restricts access to pornographic materials online.

I use the Tor browser to circumvent the government firewall. Web pages open slower on Tor than on Chrome and other regular browsers. Still, it's a godsend for journalists reporting on North Korea from the South, where Cold War-era fears still drive the local government to censor the internet.

Whats your favorite tech tool for doing your job?

I use Evernote to help organize my life as a journalist.

With a few clicks, you can clip a news article, commentary, analyst paper, PDF file, video link and other contents you find on the web and want to save for a later reference, and store them in a designated online notebook. I find this Web Clipper function particularly useful when researching a certain topic, say North Koreas market reforms, for weeks or longer; I create a North Korea Economy notebook and save related contents there for easy access.

What is Samsungs influence on South Korea, since the tech companys revenue accounts for a significant portion of the countrys gross domestic product?

Samsung is the biggest among the chaebol, a handful of family-run conglomerates that have dominated the South Korean economy for decades. The countrys top 10 chaebol generate the equivalent of more than 80 percent of the countrys G.D.P. Samsungs flagship company, Samsung Electronics, alone is responsible for 20 percent of the countrys exports.

One cant talk about how well or badly South Koreas economy is doing without talking about Samsung. Samsung has a pervasive presence in the country. It produces best-selling smartphones, TV sets and refrigerators. It runs insurance, shipbuilding and construction companies, to just name a few of its dozens of affiliates. If she likes, a South Korean can live in a Republic of Samsung: She can get married and honeymoon in Samsung hotels; have her baby delivered in a Samsung hospital; take him to a Samsung amusement park; send him to a Samsung university; and stock her Samsung apartment with Samsung home appliances bought with a Samsung credit card.

But the name Samsung also has a darker side among Koreans. Six of the 10 top chaebol leaders, including Samsungs chairman, Lee Kun-hee, have been convicted of white-collar crimes, including bribery, although they have never spent much time in jail. If Samsung symbolizes wealth and technological savvy, many Koreans also accuse the corporate behemoth of corruption and excessive power.

Mr. Lees son, Samsungs vice chairman, Lee Jae-yong, who has been running the conglomerate while his father remains bedridden after a stroke, is now under arrest and on trial on charges of bribing Park Geun-hye, the impeached and ousted former president of South Korea.

How does Samsung affect the way you live and work?

I use only three Samsung products in my office a Samsung TV set, a Samsung fax/printer and the Samsung monitor for my Dell desktop though many of the tech products around me at home and in my office may contain Samsung components, like computer chips.

I used to use a Samsung Galaxy Note smartphone until I switched to an iPhone three years ago. I like my iPhone, but I have a major complaint about it: It doesnt allow you to record your phone conversations. What if a spokesman calls you back and dictates a statement while you are driving a car or standing in a crowded subway car? With my old Samsung phone, I could just tap the screen a couple times to record the conversation. You cant do that with an iPhone.

Recording phone conversations is legal in South Korea, and journalists and others routinely do it. Samsung and others market smartphones with a built-in phone-recording function. Apple doesnt. I am thinking seriously of switching back to an Android phone when I retire my iPhone.

Beyond your job, what tech product are you obsessed with in your daily life?

Im not savvy with tech products. I have my desktop, my company-issued MacBook Air and my iPhone. Thats about all the tech hardware I use. Online, though, I use the Naver and Daum maps all the time when I travel and go to an appointment. They are like Google maps, but more convenient to use in South Korea. Naver and Daum are the countrys two biggest web portals and search engines. Google holds only a minor share in the search engine market of South Korea.

Kakao Talk, the countrys most widely used messenger app, is a must-have for anyone who wants to stay connected in South Korea. Government spokesmen send news releases and media notices through Kakao Talk. Reporters put in queries through Kakao Talk.

I used to use my Kindle a lot, but not anymore. I have switched back to paper books. But Kindle is still very convenient when I am traveling and want to keep my bag light.

Read more here:
In Reporting on North Korea, Tech Helps Break Through Secrecy - New York Times

The deep web and its inner recess, the dark web those less well-trodden parts of the internet beyond the reach of Google and Bing are not for the faint-hearted or untrained. With the right tools, however, there's little to fear and plenty to discover. Here's how you can start exploring the deep web without having to worry about your digital well-being.

There are a few ways to approach this, but we're going to focus on one of the most straightforward and secure for simplicity's sake. We're going to be usingTails OS, a bootable operating system that includes everything you need to get down to those hidden parts of the web.

If you're still unclear about what the deep web is, it's any part of the internet that's not indexed by search engines. Anywhere you can't get from just clicking links. A large part of the deep web is made up of.onionsites (likethe infamous Silk Road), which use a special top-level domain only reachable by a special browser called Tor. Technically, the dark web is a more illicit subsection of the deep web, though the terms are often confused.

For the curious or privacy-conscious internet explorer, it's worth checking out to see what lies beyond the internet we interact with on a day to day basis. But please note: you should be extra careful when clicking links on the deep web as some can lead toillegal sites. Browse at your own risk.

Fortunately Tails hasan installation wizardthat guides you step-by-step through the process of setting up the software. If you want to create a bootable USB copy of Tails (which we do), then you need a Windows machine and two 4GB+ USB sticks (the first is for an "intermediary" version of the OS).

You're also going to requireFirefox, theTor Browseror aBitTorrent clientin order to verify the initial download and confirm it is what it says it is. On top of that you need a Universal USB Installer utility, which the installation wizard directs you to, which will take care of creating the first USB stick using your downloaded Tails ISO.

Get the latest news and updates emailed straight to your inbox.

After that's done, boot from this newly created drive to configure the second one.This official guidetakes you carefully through the process. Use the 'Install by cloning' option in the Tails Installer to create your second USB stick, which includes some security enhancements and extras not built into the first one.

Finally, remove the first USB stick, keep the second in place, and boot from it. You're now ready to start venturing out into the deep web. If you run into trouble (and we hit one or two obstacles along the way), then a general web search for your issue orthe official Tails support portalshould get you moving again.

The Tor Browseris your gateway into the dark web. You can actually use it on Mac and Windows too, but Tails OS adds an extra few layers of security, and comes with Tor included. The browser is based on Firefoxso you shouldn't have many problems finding your way aroundand will open the Tails OS homepage by default.

As you might expect, browsing the deep web isn't quite as simple as clicking on a few links or searching Google. The best way in is through 'hidden' wikislike this one(note you won't be able to click through on any onion links without the Tor browser) and various others you can find via Reddit or with some clever web searching on sites likeDuckDuckGo.

Of course the whole point of the deep web is that casual internet users can't simply fire up Google or read a guide like this to get started easily,so finding working, up-to-date links and directories can take some time. Forums, plenty of patience, and occasionallythe Torch search engineare your best bets for finding a way into new communities.

The deep web has a reputation for shady activity, but it's also a place for whistleblowing, bitcoin exchanges, and political discussion away from the glare of the public internet. It's changed a lot in recent years as security agencies have become more aware of its presence, and it will continue to evolve in the future.

The Tor browser protects you by routing your traffic through various different IP locations (and you'll probably notice your web connection slows down a lot as a result).

And as we've already mentioned,Tails OS includes extra security featureslike built-in encryption, and because you're running it on a USB stick you really are leaving no trace. Tails itself stands for The Amnesiac Incognito Live System, which just about sums up why it's one of the best options for some deep web browsing.

Don't compromise that security and anonymity by giving away personal details, including email addresses and so on, and keep downloading to a minimum. Once you've set up Tails, it's generally common sense. But if you're up to something illegal, you can't rely on these security measures to protect you.

As for whether using Tor will get you in trouble with the authorities on its own, it largely depends where in the world you live and what you're doing with it, but it's worth bearing in mind thatnothing is ever 100 per cent anonymous and secure. For the most paranoid, there's always the option of tape over the webcam but sometimes even that might not be enough.

Read the original:
How to safely search the deep web - The Sydney Morning Herald

If you want to browse through a vast sea of unindexed internet, aka the Deep Web, you will have to use something called Tor, otherwise you wont be able to access the Deep Web.

So, what is Tor and why do I need it?

Tor stands for The Onion Router. Youll soon see why the onion and not some other veggie.

It provides fairly good level of online anonymity, privacy and security to the user.

If youve ever stumbled upon a 16-character alpha-semi-numeric hashes followed by .onion, and tried to open it in your regular browser; it returned the This webpage is not available result, right? This address can only be accessed by Tor browser, specially designed to provide a safe and private environment.

Tor browser bundle can be downloaded for free here https://www.torproject.org/download/download-easy.html.en. There is no need for installation; you simply extract it anywhere on your computer and run it.

If you open the extracted folder with Browser folder in it, you will notice that the actual application is called Firefox, and thats what Tor browser actually is a modified Firefox browser with a set of plugins installed.

However, if you try to install any other plugin you might compromise your anonymity online, and it is not advisable to make any changes in settings unless you know exactly what you are doing.

Dont even enable scripts or flash player, because those applications demand direct internet connection, not via Tor network, which will compromise your IP address and other information and make you an easy target for hackers.

Tor network can also be used for online chatting. Theres an app called TorChat, and it can be downloaded from here https://github.com/prof7bit/TorChat. Many journalists use it for interviews with their confidential sources or whistleblowers.

To put it briefly

Tor is essential; there are no two ways about it. If you wish to browse the deep web, you will have to use Tor. However as I mentioned, it will also protect your anonymity by passing your computer through several relays.

Drawbacks:

The main drawback that I see with it is that it can lull you into a false sense of security. For anonymous browsing, its an excellent first step, but its not the only one you need to take.

For more protection, I would strongly advise using Tor within a VPN service that allows P2P (peer to peer) networking.

Without this, while the sites you visit cant be seen, any eavesdroppers will be able to see that you are using Tor. While that is not illegal by any means, it does stand out, so you lose some of the anonymity you fought to get.

Other non-important drawbacks include not being able to run torrents over Tor, and not being able to use browser plugins.

How deep down the rabbit hole do you wish to go?

Those were really the basics of Tor browser and Tor network and these would probably suffice if you only wish to explore and experiment with it.

But if you want to know the core mechanics behind Tor network and the way it provides the anonymity and privacy, Ill be happy to get into more details about it.

Regular internet

Before going into any details about Tor, let me first cover how the regular internet works.

Lets say that Alvin for example wishes to send a message to Barbara, or visit Barbaras webpage. When Alvin sends his message, a data package is created,containingAlvins message, his and Barbaras IP addresses.

This data package travels directly from Alvins to Barbaras computer, making it an easy target for anyone who wishes to intercept the message or learn the information about Alvin or Barbara.

Spooky, isnt it? Even if your messages arent confidential at all; why would you allow anybody to have access to you messages? Its insane.

So, if you want to keep your privacy intact, I suggest using Tor, even for browsing that is not related to Deep Web.

Almighty Tor

How it works?

Well, as mentioned earlier, here is the detailed explanation for the choice of a veggie. Tor stands for The Onion Router and Tor Network is a series of connected routers.

When using Tor, Alvins data package would firstly be encrypted, and then sent through three routers, called nodes, before the data package reaches Barbara.

Mathematical Cryptography comes first

Remember that data package that was created when Alvin sent his message to Barbara? Now using Tor, that data package is encrypted not once, but three times.

Mathematical encryption basically means that you take a set of information, Alvins message, and together with the encryption key you put it in a box.

When opening the box without the decryption key, the message looks totally different than the original data package. It can look like some other message or like a random messed-up code.

To decrypt the code you simply put in reverse take the encrypted data package and the decryption key, put them in the box together, and you get the original message when you open the box. Simple, right?

Now, Tor takes this encrypted data package and encrypts it twice more, both times using different encryption keys.

Journey through a tunnel

As mentioned earlier, Tor is a series of routers connected to form a tunnel. Theyre a set of relays volunteering their resources to forward traffic for Tor users. Now lets see how they work.

After encrypting the data package 3 times, its ready for sendoff. Unlike regular network, the data package is not going directly from Alvin to Barbara.

Its first stop is the entry node the first router or node as they call it.

In order for the data package to reach the entry node it must be addressed to it, right? So, the package contains information about the receiver and the sender, in other words Alvin and the entry node.

Once the data package reaches the entry node its being decrypted only one time. One layer of encrypted information peels and the other will be peeled when it reaches the middle node.

Once the data package reaches the middle node the process repeats one more layer of encryption down.

It kind of reminds the onion layers, no? The package that reached the middle node contains a different set of information about the sender and the receiver: the sender is the entry node and the receiver is the middle node.

Now, Alvins message is sent to the last router, the exit node. The last layer of encryption is peeled at the exit node.

The information of the data package that exit node has received is again different. It contains info about the middle node as the sender and the receiver the exit node.

Once the message has been decrypted at the exit node, it is finally ready for Barbara.

Barbara gets the message that Alvin sent her, but the information about the sender and receiver is different.

Barbara knows it came from Alvin, because he probably signed it, but if anybody intercepts the message and tries to find out who sent it to Barbara, the data package will only give him information about the exit node as the sender.

The only possible way to reconstruct the journey of the message is to have access to all routers and have all three decryption keys.

So, now that you know how Tor works, if you still feel you need more protection, try using VPN with Tor, but thats the story for another time.

The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.

The rest is here:
TOR Browser - darkwebnews.com