
Prism Break - SkyMarshal
https://prism-break.org/
======
h2s
While I understand and sympathise with the compulsion to resist surveillance
in this practical, technological way, I think it might be the wrong reaction
to the information. It's typical of techie people to seek technical solutions
to social problems, and this is one such case.

It may well be possible to mitigate their ability to watch you by wearing
enough tin-foil hats. Even if you succeed, all you've achieved is to protect
one solitary person at the cost of considerable personal inconvenience. Worse,
once you consider yourself "safe enough" from prying eyes, your incentive to
actually _act_ on what they're doing will be diminished.

I think that we should try not to be meek about this issue, passively hiding
ourselves and then getting on with our lives saying "Fuck you, got mine". Why
should the tech community flee the very Internet that it has played such a
crucial role in building? Is the idea that our democracies could eventually
fix this situation really beyond all hope?

If you live in the UK, write to your MP
([http://www.writetothem.com/](http://www.writetothem.com/)). Support PPUK
([http://www.pirateparty.org.uk/](http://www.pirateparty.org.uk/)) if you feel
strongly enough, as they're seemingly the only political group treating this
matter with the seriousness it deserves.

~~~
Homunculiheaded
I'm starting to think people should begin to create "crypto-selves". I've seen
a lot of talk saying essentially "get off facebook! get off gmail!" But that's
a lot of persistent effort even for fairly technical people. Plus even in
a secure, anonymous environment interacting with your real life friends,
purchasing your favorite books on amazon etc will reveal who you are anyway.

In non-web life we have private and public spaces and there's plenty of study
on how these two play together and how important they are. Most people have
erroneously thought that because your computer is in your private physical
space that it's also 'private', but that's clearly not the case.

What people need is the education to create the technological equivalent of
locking yourself in your bedroom for the afternoon to clear your head.

Gmail is like sending a postcard, facebook like chatting with friends at the
mall or park. Tor/truecrypt/pgp etc for parts of your life you want private.
Separate usernames, interests, tones of voice, etc in this private space.

Trying to hide your real (ie public) self is silly as should you become a
target of the nsa & co. they'll find a way to dig up something even if you've
been completely hidden from july 2013 on. What people need is a reasonably
benign public self and a hidden crypto-self.

Also I'm all for fighting the surveillance state, but I'm extremely cynical of
its success. I see no feasible way to reduce the power and authority of the
militarized aspects of our government(s). I can't think of a single example of
where public knowledge and outcry has changed anything other than getting a
few puppets punished anywhere except the non-militarized parts of government.

~~~
AnthonyMouse
> I see no feasible way to reduce the power and authority of the militarized
> aspects of our government(s).

I partly think it's because people are asking for the wrong things. People say
things like "stop NSA surveillance" which is vague and impractical. What needs
to happen is to hit them where it hurts: Reduce total defense spending to 50%
of what it is now. That should be the demand from everyone. Money is power. If
you want them to have less power, stop giving them so damn much money. And
besides, who can't get behind massively lower taxes?

~~~
MisterWebz
If you want them to have less power, you need other powerful entities to tell
them to stop abusing their powers. Boycott the tech giants and you'll see it
happen. It's way more effective than any protest or online petition.

~~~
hosh
Isn't that another way of saying, "rule of the strong" instead of "rule of
law"?

------
comex
Several of these suggestions seem somewhat disingenuous - e.g. many of them
seem to be about free software more than actual concerns about tracking, as
reflected in the labels "Proprietary" and "Free alternatives". In particular:

- None of the proprietary browsers will track you - well, beyond what's
specified in the privacy policy. Two of the alternatives are Tor applications,
but the other two are Firefox (which provides no additional protection) and
GNUzilla IceCat (which has little reason to exist other than free software
politics).

- Most of the browser add-ons are mostly about third-party tracking; these
could be subject to PRISM, but the notes suggest that the concern is more
about the third-party tracking itself and non-free software (in the case of
Ghostery).

- Ditto with the notes in cloud storage, which discount three storage systems
with client-side encryption (i.e. equal protection) because they are
proprietary.

- The media publishing section promotes third-party blog publishing services
for "privacy and security", even though most blogs are public and thus have no
need for either.

- Ditto above with Icedove vs. Thunderbird in the email desktop clients
section.

- iOS is advised against with a misleading claim that "iOS devices contain
hardware tracking" due to a long-patched bug. The claim about it being
impossible to verify whether an iOS app was compiled from the original source
is disingenuous, as this is rarely done on any platform, but would certainly
be possible to do on iOS if the developer cared.

- OS X and Windows won't track you. (Chrome OS won't either, but it strongly
encourages using cloud services which will, so I'll concede that.)

In the claims that proprietary software won't track you, I am assuming that
the NSA will not compel (or has not compelled) these companies to modify their
software to include secret tracking. This claim is made explicitly under the
operating system section: "Apple, Google, and Microsoft are a part of PRISM.
Their proprietary operating systems cannot be trusted to safeguard your
personal information from the NSA." But even considering all that we have
heard about the NSA, this seems absurd, far beyond what they are willing to
do, and even if it were true, using free software would not necessarily
prevent the US-based host of the download from being similarly compelled.
Moreover, someone would probably notice (unless it were an intentionally
introduced but otherwise unremarkable security bug, but it's sure easy enough
to find real zero-days in software, free or not, without having to resort to
that! - not that that should necessarily make you feel better.)

~~~
snitko
_> None of the proprietary browsers will track you._

Can you elaborate a bit on this, how do you know they won't? My default
assumption is that anything I can't see the source code of and compile myself
is compromised.

~~~
throwit1979
Sociologically: there is a surprisingly large contingent of people who believe
that if a company makes a claim, it's the God's honest Truth. The OP may not
necessarily fall into this camp.

Technically: if the browsers were somehow phoning home, even if the data were
highly fuzzed, I'm sure there would be guys like tptacek who would manage to
detail, if not the content of the tracking, at least the amount of data sent
and the targets. I don't recall there being such a scandal in recent memory.

~~~
snitko
It is possible to send data along with other data so that it's reaaally hard
to find. Also, they don't need to send data all the time, but rather activate
this mode on request, say when a person using this browser is a suspect for
some reason and govt needs to track his every move on the internet. This would
make detecting of such a functionality virtually impossible, because it'd be
turned off most of the time for most people.

~~~
comex
It is possible. However, considering that it would only take one person being
exceptionally curious with IDA, one employee to blow the whistle (the source
is still "open" to a fairly large number of people, and a backdoor is far
harder to hide than passive collection of existing data), or one slipup to
cause a massive amount of PR damage, and this has never occurred, nor does the
Snowden leak suggest this is happening, I personally consider this claim
extremely improbable. YMMV.

------
tptacek
If you're going to continue using Google Mail, it's a dumb idea to
deliberately switch away from Chrome. The connection between Gmail and Chrome
is among the more carefully guarded TLS connections on the Internet.

~~~
jevinskie
How does Google create one of the most carefully guarded TLS connections?
Should other sites model their implementation?

~~~
mortehu
When Google.com's certificate was faked, it was discovered because Chrome
restricts what CAs are allowed to sign Google's certificates, if I recall
correctly.

~~~
tptacek
Google does that for a number of other non-Google sites, too.

~~~
aray
Pretty sure it's just Google sites, because otherwise you might get false
positives as other sites change servers/ips/certificates/etc

~~~
dfc
[https://src.chromium.org/viewvc/chrome/trunk/src/net/http/tr...](https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?view=markup)

~~~
_delirium
Interesting. Kind of an eclectic small list: Google, Twitter, Tor, CryptoCat.
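
Added example (not part of any comment in this thread, and not Chromium's code): a sketch of the static pin check discussed above, where a browser restricts which CA keys may appear in a pinned site's certificate chain. The pin-list layout, host names and key bytes are constructed assumptions; a real client hashes the DER SubjectPublicKeyInfo of each certificate in a chain that has already passed normal validation.

```python
import base64
import hashlib


def spki_pin(spki_der):
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo bytes))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for the DER-encoded public keys of each certificate.
SPKI = {
    "pinned-root-ca": b"constructed SPKI: pinned root CA",
    "pinned-backup-ca": b"constructed SPKI: pinned backup CA",
    "other-public-ca": b"constructed SPKI: unrelated but publicly trusted CA",
    "blocked-intermediate": b"constructed SPKI: intermediate known to be compromised",
    "leaf-mail": b"constructed SPKI: genuine mail.example leaf",
    "leaf-forged": b"constructed SPKI: forged mail.example leaf",
}

# Hypothetical pin list: which keys a site's chain must (and must not) contain.
PINSETS = {
    "example-mail": {
        "allowed": {spki_pin(SPKI["pinned-root-ca"]),
                    spki_pin(SPKI["pinned-backup-ca"])},
        "bad": {spki_pin(SPKI["blocked-intermediate"])},
    },
}

ENTRIES = [
    {"name": "mail.example", "include_subdomains": True, "pinset": "example-mail"},
    {"name": "login.example", "include_subdomains": False, "pinset": "example-mail"},
]


def find_entry(hostname):
    """Return the pin entry covering hostname, matching on whole DNS labels."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for entry in ENTRIES:
            # i == 0 is an exact match; parent-domain matches need the flag.
            if entry["name"] == candidate and (i == 0 or entry["include_subdomains"]):
                return entry
    return None


def check_pins(hostname, chain_spkis):
    """Decide whether a validated chain satisfies the static pins.

    chain_spkis: SPKI bytes of every certificate in the chain, leaf to root.
    Returns (accepted, reason).
    """
    entry = find_entry(hostname)
    if entry is None:
        # Sites not on the list get no protection beyond ordinary CA trust.
        return True, "no pins for host"
    pinset = PINSETS[entry["pinset"]]
    chain = {spki_pin(spki) for spki in chain_spkis}
    if chain & pinset["bad"]:
        return False, "chain contains a blocked key"
    if chain & pinset["allowed"]:
        return True, "chain contains a pinned key"
    # Chain is valid under some trusted CA, but not one the site is pinned to:
    # this is the mis-issued certificate case.
    return False, "no pinned key in chain"


GENUINE_CHAIN = [SPKI["leaf-mail"], SPKI["pinned-root-ca"]]
FORGED_CHAIN = [SPKI["leaf-forged"], SPKI["other-public-ca"]]
BLOCKED_CHAIN = [SPKI["leaf-mail"], SPKI["blocked-intermediate"], SPKI["pinned-root-ca"]]

if __name__ == "__main__":
    for host, chain in [("mail.example", GENUINE_CHAIN),
                        ("imap.mail.example", FORGED_CHAIN),
                        ("shop.example", FORGED_CHAIN),
                        ("mail.example", BLOCKED_CHAIN)]:
        print(host, check_pins(host, chain))
```

The `shop.example` case is accepted with the same forged chain that `mail.example` rejects, which is why a static list only protects the sites that are on it.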

------
wyck
Let's pretend I'm the NSA. I don't care right now about what you're saying, I
just care about who you associate with and where you are hanging out. If those
raise my suspicions then I will also track the where/who connections and
create a map of activity. Those dots might start to line up and create further
interest.

If suspicions are founded as actual threats I will do any one of the following
and probably more.

FISA request

Look into your credit card records and bank transactions

Serve your host/ISP with a request and also get your SSL private keys

Listen in on your cell phone/home phone/sat phone

Use traditional listening devices (these are great btw..)

Find an exploit in something you use (I'm pretty sure I have some zero days
lying around).

Listen in on your girlfriend/wife/husband/boyfriend/friends and family.

Create lots of tor exit nodes and track your patterns

Ask some actual spies/moles for some intel

Use satellites and tracking devices, maybe even some drones

Torture

Wait for you to mess up..people are lazy.

I made this to point out some real tactics that are actually used and why the
vast majority of PRISM related posts like these are a bit silly...aka..you're
probably not a terrorist. The NSA tracked bin Laden's courier Abu Ahmed
al-Kuwaiti's cell phone which eventually led them to Bin Laden. Does that sound
like anything you're doing?

The NSA is not above the law and I generally support Snowden, William Binney,
etc .. I just think people need to get a grip on reality here. The only people
tracking you are ad trackers.

ps. Don't fret too much about the NSA, Google Glass will have citizens spying
on each other in no time flat.

~~~
SmokyBorbon
You completely missed the point. The NSA is tracking everyone. They're
building a database of everyone's activities. Nobody knows who the
"terrorists" are going to be 20 years from now. The moment you become a
suspect, they can bring up everything they've recorded you saying or doing and
use it against you.

The NSA is above the law and the rules they follow are set by a secret court
appointed by a single man who has his position for life.

~~~
rahoulb
Also extremely likely - the NSA/GCHQ/Whoever siphon off all "metadata".

At the next Boston bombing, or whatever, they analyse that metadata for the
perpetrator. And the next one. And the next one. And build a profile of what a
"terrorist's" communication patterns look like.

And then they single out everyone matching that profile and stick watches on
them, or bring them in.

It's Minority Report without the psychics. Google Now for Homeland Security.

~~~
skore
> It's Minority Report without the psychics.

Wow, that never occurred to me. Analyzing Metadata really _is_ a lot like
"pre-crime".

Sure, in a sense all police or intelligence work can be looked at in a way
that makes it seem "like pre-crime" - after all, crime prevention does have
its merits. But putting every single citizen on the list is something
different entirely and really does smack of "psychics".

~~~
mr_spothawk
> Wow, that never occurred to me. Analyzing Metadata really is a lot like
> "pre-crime".

I thought that's why everybody's freaking out. I mean... that's why I'm
freaking out. I haven't even seen the movie.

------
dmix
Surprised Arch Linux [1] isn't listed. It's probably one of the most secure
distros by limiting the installed packages to a bare minimum. Combine that
with AppArmor (or SELinux designed by the NSA) with a firewall and basic
network monitoring to protect against rootkits. Plus always-on VPN, dm-crypted
harddrive, noscript etc.

NSA also released SEAndroid [2] which hardens Android significantly. It's
included preinstalled w/ Samsung S4. Although still not very popular and I'm
sure not heavily code-reviewed.

[1]
[https://wiki.archlinux.org/index.php/The_Arch_Way](https://wiki.archlinux.org/index.php/The_Arch_Way)

[2]
[http://selinuxproject.org/page/SEAndroid](http://selinuxproject.org/page/SEAndroid)

~~~
ineedtosleep
I'm more surprised that Mint is being suggested at all in this. Considering
how ridiculous this list is in the first place, the 'curator' should have
noted that Mint, by default, installs search engines that are partnered with
Mint[1].

Even more surprising is that BSD just got a cursory mention. You may as well
switch to OpenBSD if you're going to switch to a majority of these
alternatives.

[1]
[http://www.linuxmint.com/searchengines.php](http://www.linuxmint.com/searchengines.php)

~~~
peng
I've added a note about Mint's search engine policy, thanks.

Also, BSDs will get greater emphasis in future updates. I'm working on a way
to promote more operating systems without the page getting even more
overwhelming than it already is.

------
cookiecaper
Tor should NOT be on here. It has little to do with "breaking" PRISM. PRISM is
a voluntary program wherein a handful of endpoints have chosen to submit
copies of their database to the NSA. Regardless of the mechanism or browser
used to access Facebook, the reality is that all of that data gets uploaded to
the NSA anyway, so who cares? People aren't interested in the real solution to
PRISM, which is "Don't use services provided by PRISM participants".

Furthermore, Tor's outproxy network (i.e., accessing normal internet sites
through Tor) is heavily compromised, rife with honeypots run by both
non-governmental and governmental operatives, and nothing stops anyone from
injecting more honeypots. New exit nodes are automatically registered and used
by the network as soon as the client flips his/her bit. While ostensibly exit
nodes are not supposed to be sniffing these packets, since it likely violates
wiretapping laws in their jurisdiction (unless it's an NSA-owned exit node, of
course), one would be very naive to presume such sniffing is not occurring.
This means that any data that eventually hits the exit node should be
considered, for all intents and purposes, public (correctly-implemented SSL
may mitigate this risk where employed). This is fine if you're just trying to
circumvent a firewall (remember, Tor was originally designed as a
firewall-circumventer so that dissidents in China et al could convey their traffic to
blocked sites; the goal was simply "get this public blog post out of China and
to the rest of the world", not "hide all data from the NSA", hence the design
of the exit node network) so you can use IRC, where your conversations are
public anyway, but it's not fine for all kinds of browsing applications, so
"try using Tor for everything" is actually horrendous advice.

The upshot of that is that like most other privacy software, you really need
to understand the software well to a) actually obtain any meaningful privacy
from its usage and b) not accidentally seriously harm yourself.

On top of all that, Tor traffic is easily distinguished and most likely
automatically flags your NSA profile for additional attention.

~~~
Joeboy
> On top of all that, Tor traffic is easily distinguished and most likely
> automatically flags your NSA profile for additional attention.

As a fairly boring non-dissident who's just trying to be a good citizen on the
internet, I think I actually consider that to be a feature.

------
aray
Cyanogenmod should have a big asterisk beside it noting that its system is
signed with PUBLICLY AVAILABLE KEYS. Also they have just the same proprietary
blobs (most of them) that other android devices have (radio firmware, camera
drivers, etc) that have just been pulled out of shipping factory android
images. The description (without these) is playing people false IMO

~~~
zwegner
Ugh, really? So is there no smartphone OS that you can be at-least-sort-of
certain doesn't have a backdoor (leaving aside unintentional exploits)? My
understanding was that even FFOS was built on top of an Android kernel...

~~~
phaer
No, not really. I guess your best bets are
[http://replicant.us/](http://replicant.us/) and the openmoko freerunner.

------
dfc
I really do not understand the thought process behind this page:

Why is chromium not listed as a free alternative to Chrome/IE/Safari?

What components of DDG are partly proprietary and which are not? (not a
criticism of DDG just this page) What is a "free search engine" anyway?

Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?

How do you list OpenNIC if they have not adopted an official
privacy/anonymization policy?

Speaking of official privacy policies; I see that you tried to load
/analytics/piwik.js. Where is the privacy policy for prism-break?

~~~
peng
> What components of DDG are partly proprietary and which are not? (not a
> criticism of DDG just this page) What is a "free search engine" anyway?

These parts are open source:
[https://github.com/duckduckgo](https://github.com/duckduckgo). I've added
this note to PRISM Break. A free search engine would be a search engine where
users have the freedom to run, copy, distribute, study, change and improve the
software. YaCy fits this description, but there are currently not a lot of
people using YaCy at the moment.

> Why is chromium not listed as a free alternative to Chrome/IE/Safari?

Chromium will be added once I get a list of good Chromium extensions that
rival the Firefox addons.

> Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?

Iceweasel and Icedove are difficult to install on Windows and OS X. If users
are unable to switch to Linux, Firefox and Thunderbird are still really good
options.

> How do you list OpenNIC if they have not adopted an official
> privacy/anonymization policy?

Good point. OpenNIC will be removed for the time being.

> Speaking of official privacy policies; I see that you tried to load
> /analytics/piwik.js. Where is the privacy policy for prism-break?

PRISM Break does not track the last 2 bytes of your IP - e.g. 192.168.xxx.xxx.
A Privacy Policy is on the todo list.

EDIT: [https://prism-break.org/privacy.html](https://prism-break.org/privacy.html)

~~~
rsync
Would you please add rsync.net to the "cloud storage" section?

If you're not familiar:

[http://www.rsync.net/resources/notices/canary.txt](http://www.rsync.net/resources/notices/canary.txt)

We explicitly support duplicity and git-annex which makes us very versatile
for secure cloud storage.

------
randomGringoGuy
New poster here, but someone needs to say this. Tor is amazing and great, but
if you don't think the US/NSA don't know how to run their own Tor hops and
cache the very same traffic that you think is on "anonymous" servers. . . then
you have a more serious problem of understanding how this works. It's easy to
run Tor servers. Even easier when you have an NSA budget. Also, ask yourself
why wouldn't they be running thousands to tens of thousands of them knowing
that most of that traffic is "suspicious".

Be safe. Not ignorant.

~~~
hobs
Welcome! Don't worry, most of us know this, and those that don't are
constantly being shouted at by everyone else.

------
hinting
This is great for us. We understand these tools and can use them. But most
people don't. So if all geeks switch to the things on this list, we've left
most of society just as susceptible as before.

Other, possibly better, solutions:

1) If you work for one of the companies listed as "proprietary", you can do
the most. Stand up and say you care in company meetings. Tell managers and
executives that it's worth finding better ways to secure, anonymize, or not
collect information in the first place. Even if it comes at the cost of
profitability or usability.

2) Authors of lists like these: Instead of saying all commercial software is
lousy, compare them to each other! Make having secure, private software an
actual selling point that people can understand.

3) Developers, designers: make beautiful, usable software that is secure and
anonymous by default. Don't have privacy as your ONLY selling point. We can
only win if we're private and amazing.

------
tzury
It is important to mention that "self-hosted" by itself, does not make one
Prism-Free.

In most cases, if the hosting platform provider will be asked to provide
access to the infrastructure, it is most likely that SSL private keys that
are stored on the virtual machine will be taken along with other data.

~~~
lifeguard
Sorry, this is a fallacy of false equivocation. Not all hosting platforms are
the same, especially in terms of jurisdiction.

Switzerland and China do not respond to Secret Service or FBI orders.

~~~
tzury
China?

What makes you think this is not the case there by default?

I am talking about local authorities of course.

------
znowi
I praise this effort. Whatever the criticism may be, it's a useful site and it
educates people. Folks like them do a lot more than us ranting here in the
comments :)

~~~
rimantas
I am not sure what kind of education it provides. If NSA has access to
GMail, it does not matter what email client you use, open-source or
proprietary. If your ISP logs all your activity, it does not really matter
what browser you use. And in general it is simpler and more rewarding to
target service providers instead of client apps for those services.

------
_delirium
Interesting, I learned about the Autistici/Inventati collective only from this
link, even though they seem to already be a large (>1k users) organization and
in existence for a decade now. Useful info.

~~~
mknits
I've signed up for their email service and will now use it as my primary email
id.

------
rhizome
Is there any indication that this isn't disinformation geared toward a false
sense of security? Call your government representatives instead, it'll have a
greater effect.

------
enobrev
What about obscuring rather than hiding? For instance, a script that emails
hundreds of random addresses, tweets on hundreds of different accounts, visits
thousands of different urls, texts and voice calls hundreds of numbers (for
those with "unlimited" mobile plans), etc. every hour or every minute or
what-have-you.

It seems that would be the digital equivalent of a paper shredder - imperfect
but not necessarily easy to pick up and read. Just as well, all these
collection operations that seem to be in place would fill up with mountains of
useless data.

------
tommis
With systems like Tempora
[https://en.wikipedia.org/wiki/Tempora](https://en.wikipedia.org/wiki/Tempora)
in place and the main goal of intelligence organizations (probably around the
whole world) being to "know all information", the only way to be safe from
losing your secrets is not to disclose them in any electronic form on the net.
Simple as that.

And with your "secrets", I mean any piece of information you don't want them
to know: email, websites you visit, mobile phone calls (and locations)...

Since Echelon/PRISM/Tempora/etc is practically public knowledge at this point,
I would imagine that most "real terrorists" have also deduced the above facts
and are living by them, making the whole exercise a fishing expedition paid
with regular Joe's privacy and tax money...

------
glogla
The listed software is usually a good idea, but there should be a bit more
explanation. Using TOR to access non-SSL website for example, might be a bad
idea.

Also, noticing TextSecure, it's great, but I have personal gripe with it --
you can't use it without using Google play, and that means irrevocably pairing
your phone with Google account and therefore some identity. Would it be that
much of a hassle to put APK on f-droid? Software that's supposed to be secure
but requires you to have Google account is a sad view.

EDIT: of course, after the (de)cryptocat debacle, using TextSecure without
reading the source code might not be a good idea. Homepage of "security"
software like that should always include page about security: what algorithms
it uses, stuff like that.

------
jalada
Politics aside, this is a really interesting list of tools I haven't heard of
before. Thanks!

------
logn
Very nice. Didn't think we'd be seriously discussing alternatives to the
Internet in 2013 =)
([https://projectmeshnet.org/](https://projectmeshnet.org/)) ... maybe this
will spur innovation! Cheers.

------
nimbusvid
Although it relies on Mega and Chrome, neither of which is recommended in the
article, [http://www.nimbusvid.com](http://www.nimbusvid.com) streams
encrypted videos from your private cloud storage in your browser.

No other service does this and it allows you to have the convenience of the
cloud and video streaming while maintaining the privacy that you would get by
viewing videos on your local computer.

As far as I know it is one of the few examples of a (client-side) web app
based on encrypted cloud storage. (I would like to know other examples, I
don't know any).

(I am the author)

------
alan_cx
Just a bit of site feedback:

Maybe it's me, not completely unlikely, but when I open the left hand nav menu,
with the button at the top left, the whole site shifts to the right to show
the menu, but that cuts off the text in the last column. As well as that, no
bottom scroll bar appears. Maximizing or resizing the browser window makes no
difference. This is in Chrome, Iron(which you don't list and I reckon should),
and firefox. Tried in IE, but the menu button at the top left doesn't work at
all.

On the up side, the site name gave me a welcome chuckle!!!

------
sequoia
I want to like this page but there are many problems...

* Who is the target demographic for this page? If it's lay-users, many of the suggestions are inappropriate: no-script, arch linux, "host-your-own cloud provider"... these are useless if you're not a programmer.

* Many of the suggestions don't do anything to improve your privacy. As tptacek noted, host-your-own may protect you from gmail handing your emails over en masse, but it doesn't protect you from yourself (you eliminate one attack surface but add many many new ones). Switching your email client... again, if the gov't can just ask your provider for all your mails, your client is irrelevant (excepting gpg which is a different question). It seems like many of these will create a _false_ sense of security, which is even worse than no sense: "Yay I switched from outlook to icedove, take that NSA."

* There are _way too many alternatives listed_. What is the point of listing six different linux distributions? Pros are aware of the fact that there are many distros, newbs need a _recommendation_, not a dizzying list of alternatives with no guide to how to pick one. (I see mint is listed as newb choice; why are qubes, trisquel, etc. listed at all?). Ditto mail clients, browsers, and especially social networks. It seems little care was taken to ensure that the software on this list has any merit beyond being "free." Hey I made a free [barely functional, never updated] chat client, why isn't it on your list??

* The list reeks of politics over practicality. Seriously, IceDove? Trisquel? I'm a linux user at home, have used tbird, pidgin (& finch), adium, OTR, debian, ubuntu, mint, etc. etc. and I've never even heard of these tools. I suspect they are being listed because they are "FSF Endorsed" _not because they are actually more useful._ This is an AWESOME way to alienate new users: steer them toward ideologically pure but hard-to-use or nonfunctional software.

My suggestions:

* pare down the list (only list 1 or 2 of the best alternatives, maybe with a "more options" link for IceDonkey or whatever);

* Indicate how much technical expertise is needed for different tools. NoScript is USELESS for lay-users, disconnect.me (if it's like ghostery) & adblock are set&forget, very low friction options for new users. Ditto arch linux &c.

* _Don't include things just because it meets the requirements of being "free"!!_ You don't need every half-functional email client in the world because it's "free" - this makes the list _worse_, not better.

* Make clear what tools do and don't do!! Merely switching to pidgin to connect to your does nothing for you, your list suggests it does. Blocking google analytics does not stop the NSA or whomever from requesting information from your ISP about your browsing habits!!! This _needs_ to be more clear on your list.

* Don't make outlandish, inaccurate, unrealistic claims! "Stop the American government from spying on you by encrypting your communications and ending your reliance on proprietary services." 90% of these tools have nothing to do with encryption and/or aren't any more secure by default. You can't "opt out of prism." You're not "stop[ping] the American government from spying on you" by hosting your own wordpress. This claim is horsefeathers and it needs to be removed.

Oh well... at this point I'm feeling that in its current state your list does
more harm than good, overwhelming users with too many (shitty) choices,
creating a false sense of security, and muddying the waters about online
privacy like crazy. These tools require attendant tech education: you can't
just dump Adium in someone's lap and say "now you're protected from spying."

------
rfatnabayeff
It's interesting that none of the BitTorrent software was mentioned, at least
BitTorrent Sync as an alternative to proprietary cloud storage.

~~~
hbbio
Closed source afaik.

------
SODaniel
Spideroak.com - online backup and sync with zero-knowledge client side
encryption should be represented in cloud services in my opinion, though since
we are not yet 100% open source I understand the arguments against it.

We are however very close to opening nimbus.io and crypton.io open-source
secure and private storage APIs based on our storage infrastructure.

------
csense
Quite aside from protecting your data from the NSA, this site has a lot of
software it's good to be aware of -- Jitsi, git-annex, Etherpad [1], and Piwik
seem particularly interesting.

[1] I've seen Etherpad mentioned multiple times on HN, but I somehow never
realized that it's self-hosted FOSS.

------
ohwp
Aren't these all false suggestions? (Except for Tor like software maybe)

For example: DuckDuckGo might hide your search but when you click on a link in
the result list the request to that link is still monitored by your Internet
provider.

~~~
bigiain
For the sufficiently paranoid, DuckDuckGo is available as a Tor hidden
service: 3g2upl4pq6kufc4m.onion

They also run a Tor exit enclave for DDG searches, so using https over tor for
DuckDuckGo searches should provide about as much anonymity as you can get
doing search engine queries.

------
jayfuerstenberg
Switched to DuckDuckGo a couple weeks ago. It's surprisingly pleasant to use.

~~~
eliben
I was wondering the other way. If you just open Chrome in incognito mode and
search Google without logging in, is it very much different from DDG? Except
for the results quality, of course.

Is the big difference being your IP tracked with the searches by Google?

~~~
Raticide
Google will track your IP and probably store the searches you made alongside
it. These can easily be linked back to your Google accounts.

DuckDuckGo claim not to log your searches.

~~~
chrischen
Yes but how much is a claim worth? Anything centralized is at risk to be
tracked by the government. It's not as if Google put in the TOS that the NSA
is monitoring their data.

~~~
jayfuerstenberg
I wonder if there is a decentralized P2P crawler system that shares IP
addresses of at least major domains/hosts.

With that you could run a node and search locally against your machine without
anybody knowing.

~~~
qznc
Yacy is mentioned in the article.

[http://yacy.net/de/index.html](http://yacy.net/de/index.html)

------
zobzu
It's kinda nice of a list, thanks :) I'd add here.com as proprietary maps. It's
actually pretty good. Yes, it's proprietary - but even having proprietary
alternatives is good.

oh also gallery3 should probably be in there.

------
Kekeli
Nobody seems to be talking about Whonix's added layer of anonymity
[http://sourceforge.net/projects/whonix/](http://sourceforge.net/projects/whonix/)

------
MarkHarmon
Nice resource, thanks for posting. It would be really cool to have some kind
of ratings and reviews for each service/app listed. Maybe an official
review/rating and then user contributed.

------
alttab
The only way you can truly guarantee you haven't been rooted is to at _least_
trust your compiler. Even if you have the compiler's source code, how are you
compiling it...?

------
jimworm
Needs more emphasis that the left column is the one to avoid.

~~~
finnn
Seems like the lack of links in that column makes it pretty obvious

------
antihero
Surviving in the current situation will require a radical change in attitude
and education - you know, effort - not just switching out bits of software.

------
Joeboy
I'd be interested to hear about the state of encryption (particularly
end-to-end encryption) in the listed Social Networking projects.

------
shacharz
sharefest.me is another alternative to secured file sharing. The main
advantage is browser only - sandbox security. And p2p - files don't touch the
server. Although not _yet_ as secured as the other, we're working to improve
it. Would love any security feedback on github.com/peer5/sharefest/issues

------
muxxa
Would like to see a mention of alternatives to commercial mobile networks.

~~~
wxspll
OpenBTS :)

------
davidbrent
I still prefer IRC over all of those Instant Messaging options.

------
oellegaard
I think it's fair to say that this is a highly opinionated list.

------
CalinBalauru
On Social networks, we have Diaspora*

What's with the '*'?

------
fireboi
how about app.net

~~~
jrn
american;

edit subject to the rulings of the fisa court etc.

------
julien421
prism

------
julien421
nice!

------
antocv
There is no easy secure way of having audio and/or video chats? Like we had
with skype before microsoft stepped in.

XMPP is here, and we have no real good clients either for desktop and for
Android we got basically none that supports Jingle.

~~~
sdfjkl
Jitsi supports ZRTP and Jingle (experimental).

~~~
antocv
I've tried it, it sucks and crashed too many times, bugs reported, but gave up.

Jitsi also doesn't run on our phones last time I checked.

Basically we have these smart-phones, awesome hardware, good devices, but we
can't use them to talk confidentially with our friends.

~~~
shmerl
Lots of clients are stuck because they use Telepathy:

[https://bugs.freedesktop.org/show_bug.cgi?id=16891](https://bugs.freedesktop.org/show_bug.cgi?id=16891)

[https://bugs.freedesktop.org/show_bug.cgi?id=29904](https://bugs.freedesktop.org/show_bug.cgi?id=29904)

Libpurple doesn't seem to move either:
[https://developer.pidgin.im/ticket/11221](https://developer.pidgin.im/ticket/11221)

Those are major libraries which are used on the desktop and mobile, and that's
probably the reason why you don't see actual clients with ZRTP support.

------
Torkild
For cloud storage I also recommend
[https://mega.co.nz/#fm](https://mega.co.nz/#fm)

