It may well be possible to mitigate their ability to watch you by wearing enough tin-foil hats. Even if you succeed, all you've achieved is to protect one solitary person at the cost of considerable personal inconvenience. Worse, once you consider yourself "safe enough" from prying eyes, your incentive to actually act on what they're doing will be diminished.
I think that we should try not to be meek about this issue, passively hiding ourselves and then getting on with our lives saying "Fuck you, got mine". Why should the tech community flee the very Internet that it has played such a crucial role in building? Is the idea that our democracies could eventually fix this situation really beyond all hope?
If you live in the UK, write to your MP (http://www.writetothem.com/). Support PPUK (http://www.pirateparty.org.uk/) if you feel strongly enough, as they're seemingly the only political group treating this matter with the seriousness it deserves.
In non-web life we have private and public spaces and there's plenty of study on how these two play together and how important they are. Most people have erroneously thought that because your computer is in your private physical space that it's also 'private', but that's clearly not the case.
What people need is the education to create the technological equivalent of locking yourself in your bedroom for the afternoon to clear your head.
Gmail is like sending a postcard, Facebook like chatting with friends at the mall or park. Tor/TrueCrypt/PGP etc. for parts of your life you want private. Separate usernames, interests, tones of voice, etc. in this private space.
Trying to hide your real (i.e. public) self is silly, as should you become a target of the NSA & co. they'll find a way to dig up something even if you've been completely hidden from July 2013 on. What people need is a reasonably benign public self and a hidden crypto-self.
Also I'm all for fighting the surveillance state, but I'm extremely cynical of its success. I see no feasible way to reduce the power and authority of the militarized aspects of our government(s). I can't think of a single example of where public knowledge and outcry has changed anything other than getting a few puppets punished anywhere except the non-militarized parts of government.
I partly think it's because people are asking for the wrong things. People say things like "stop NSA surveillance" which is vague and impractical. What needs to happen is to hit them where it hurts: Reduce total defense spending to 50% of what it is now. That should be the demand from everyone. Money is power. If you want them to have less power, stop giving them so damn much money. And besides, who can't get behind massively lower taxes?
If the NSA spots half a dozen people on Crypto-Reddit's /r/boston who claim to be from San Francisco, New York, Seattle, Chicago, rural Tennessee, and Miami respectively, then it knows it has probably found six actual Bostonians.
Individuals are in many ways an expression of our context. To remove all information leakage that would tell what our context is or, more simply, who we are, you basically have to remove the person entirely. Even 4chan-grade anonymity won't cut it, since writing style and narrative threading can be used to extract some sense of pseudonymity from even a /b/ thread.
We want our conveniences, we want our privacy, yet we don't want terrorists. We want our iPhones, our cars, and our comforts, and we don't want to see the price exacted from the rest of the world.
Surveillance seems like a very big problem, but only because it is so personal. It's distracting us from the real problems of the world, and that is pretty much every one of us are selfish, adding fuel to conflicts. We're crazy.
I'm a big fan of this approach, as it allows people to explore different facets of their personality. Unfortunately, for the past year the big players, led by Google, have been waging a war on it.
But the more significant point is that using this stuff, as an individual, isn't really going to cut it without more, but who says that's the idea? We need to be creating things like this. What we have here is a list of open source projects you should all be contributing to and promoting to anyone you have influence over, and a list whose holes and shortcomings provide opportunities for creating new things.
I mean what good is Diaspora if everyone you know is still on Facebook anyway? But if you create an account and use it regularly, and convince as many people as you can to do likewise, that's how change ultimately happens.
And what you can do is: Read Facebook, write Diaspora. Don't shut off your Facebook account if all your friends still use it. Not enough people are sufficiently purist for that to scale. Just stop posting anything to Facebook that doesn't consist of "I just posted something you might be interested in to Diaspora" and then let all your friends wonder what they could be missing.
If everyone used tools like this, it would be much more difficult for governments to trample on privacy rights. It seems like a worthy goal.
I also think that the very URL of this project - http://prism-break.org/ - invokes a certain over-focus on NSA's PRISM. As a UK citizen, however, my Internet traffic itself is being stored and monitored by GCHQ. So to me it seems especially futile switching from Chrome to Firefox, or from Google to DDG, or from Facebook to Diaspora.
Popularity provides some protection, but it also creates a more desirable target for legislation amongst those who oppose it.
America's government is so corrupt it is no longer democratic.
Watch this video: https://www.youtube.com/watch?v=mw2z9lV3W1g
Unfortunately yes, absolutely.
And you begin to see a direct cause-and-effect relationship between the level of corruption and the "quality" of the policy decisions that are made, example: The Iraq war. Another one: the "inertia" regarding climate change action (it's just corporate power effing it all up for us).
It really has a grave effect on all human beings on this planet. It's clear that this has become a fundamentally global problem.
I strongly disagree with your statement that using encryption will make you passive. Instead it is the other way around: if you continue to use compromised services despite knowing the dangers you will become passive and lose your ability to think clearly about the issues at stake.
Law writers and enforcers are corruptible, while code is not.
... what exactly have we uncovered with PRISM and the NSA bulk wiretapping, if not code having been corrupted from its original purposes in ways and extents unforeseen at the outset?
One has to write anonymizing p2p proxies because the old stack was corrupted. It's hardly different than the reason one would want new laws to address the way the old ones have been corrupted.
And our new p2p proxies? They're also (going to be) subject to corruption, by unforeseen things like Sybil attacks. Just as any new law is subject to possible future corruption.
Does anyone have a suggested template letter for this?
Of course not. We should vote these creeps out of office and elect someone that really stands for privacy and civil liberties - like this promising young man: http://www.youtube.com/watch?v=B6fnfVJzZT4
'works' for who, buddy?
Who is "the tech community"? I'm in the tech community, and I'm pretty sure I didn't create The Internet, or Facebook, or the NSA. I think the goal here is to provide people with resources so they can use the internet more safely, and to normalize safety measures in order to guard against their demonization or prohibition.
Edit: However I absolutely agree that it's important to fight on social and political fronts as well as technological ones.
There's lots we can do, it's just that some of it is hard, time-consuming and probably frustrating. I do know that this will be the first question on my lips when a politician next asks me for a vote.
Because you already have acted on it: they attempted to violate your privacy and you solved the problem. There's no point wasting time with useless political solutions that are largely ignored. That is the route which could more fairly be described as "not actually acting on what they're doing".
I tried that, but, perhaps unsurprisingly, got no reply. I suspect that is because the main parties share one policy here.
> Support PPUK
Potentially, also, the green party:
But we need to use all the privacy-enhancing tools we can get our hands on, on the way to "real" solutions: You can't organize activities and exchange your thoughts freely while being watched by the government. The fear of being put on "the list" will stifle free speech and therefore sabotage the creation of any meaningful movement. It's called "self-censorship" and I've been told it's the worst form of censorship.
So yes, migrate all of your communication towards encryption and use an open-source operating system.
- Most of the browser add-ons are mostly about third-party tracking; these could be subject to PRISM, but the notes suggest that the concern is more about the third-party tracking itself and non-free software (in the case of Ghostery).
- Ditto with the notes in cloud storage, which discount three storage systems with client-side encryption (i.e. equal protection) because they are proprietary.
- The media publishing section promotes third-party blog publishing services for "privacy and security", even though most blogs are public and thus have no need for either.
- Ditto above with Icedove vs. Thunderbird in the email desktop clients section.
- iOS is advised against with a misleading claim that "iOS devices contain hardware tracking" due to a long-patched bug. The claim about it being impossible to verify whether an iOS app was compiled from the original source is disingenuous, as this is rarely done on any platform, but would certainly be possible to do on iOS if the developer cared.
- OS X and Windows won't track you. (Chrome OS won't either, but it strongly encourages using cloud services which will, so I'll concede that.)
In the claims that proprietary software won't track you, I am assuming that the NSA will not compel (or has not compelled) these companies to modify their software to include secret tracking. This claim is made explicitly under the operating system section: "Apple, Google, and Microsoft are a part of PRISM. Their proprietary operating systems cannot be trusted to safeguard your personal information from the NSA." But even considering all that we have heard about the NSA, this seems absurd, far beyond what they are willing to do, and even if it were true, using free software would not necessarily prevent the US-based host of the download from being similarly compelled. Moreover, someone would probably notice (unless it were an intentionally introduced but otherwise unremarkable security bug, but it's sure easy enough to find real zero-days in software, free or not, without having to resort to that! - not that that should necessarily make you feel better.)
No, these issues are very much related. It is the very nature of proprietary software that you cannot inspect and modify it, so you cannot know if it will track you or not, and cannot fix things if you are.
(Inspecting outgoing traffic is helpful, but unless you monitor all activity all the time, and make the effort to actually understand every single bit that is transmitted, you can't be certain.)
Furthermore, some of these browsers explicitly do track you. For example, Internet Explorer, Chrome and Safari provide ways to sync your bookmarks, all of which track you - and some of them encourage you to do this, for example if you do not log in to Chrome it says "you're missing out". (Firefox also has a sync service, but it is encrypted on the client, so the server cannot read the information, and you can't be tracked.)
True, there is a difference with the bookmark sync - I do not think it is valid to discount a browser entirely based on this.
Emphasis mine. Yes, you might trust them not to track you, or to trust that someone will find out if they do, and that you will hear about it if so. But far better would be to use an open source browser (either Firefox or Chromium).
Safari is getting especially terrible. You can either sync "Safari" with iCloud or you don't. This includes bookmarks, but also ALL OPEN TABS ("iCloud tabs"). My bookmarks are absolutely harmless, my open tabs are highly sensitive. Apple sucks at services. :(
The assumption that the NSA would never compel software vendors to include tracking code seems completely unjustified to me. It makes no sense at all to accept all the inconvenience that comes with avoiding NSA tracking and then use closed source software.
But I think many of the suggestions on this list are completely unworkable. Using Tor isn't just a little slower. It's unusably slow for regular browsing. Using NoScript is nonsense. It breaks almost all websites nowadays.
> Windows won't track you
By default Chrome sends the text you type in the location bar to Google. I am not sure, but they may also use visited URLs to source the crawler.
Using Google is a privacy risk but at least you can control it with Firefox, when typing URLs that need privacy. Who the hell can verify what Google (and the NSA listening to their pipes) does with your visited URLs? If you use another search engine, Google can see that, and it's one more piece of information.
Can you elaborate a bit on this, how do you know they won't? My default assumption is that anything I can't see the source code of and compile myself is compromised.
Technically: if the browsers were somehow phoning home, even if the data were highly fuzzed, I'm sure there would be guys like tptacek who would manage to detail, if not the content of the tracking, at least the amount of data sent and the targets. I don't recall there being such a scandal in recent memory.
> Although proprietary software may be easier for a government to compel to be modified to add tracking, it still runs the risk of being noticed in most reasonable cases, and there is in fact no evidence that any Western government is doing any such thing. It does increase the chance that you are being tracked due to incompetence, but I don't think this is particularly likely for such well-known software.
Did you also write and compile the compiler that compiled your compiler?
"a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil."
A very very good read :)
Eventually, somewhere down the chain, you have to have trusted a compiler that wasn't GCC and you probably don't have the source to.
Since we are talking about checking the compiler that compiles your compiler here.
It might help against tracking and such, but I feel like it's just an illusion that I'm making for myself. No matter what I do to try to prevent it, it won't matter in the long run; it just makes it that much more inconvenient for me.
Ugh, not sure what to do/think.
(At least, for the present! I could totally imagine a near future where the government had a standard method to collect the data of various self-hosted services from VPS providers.)
More like gave direct access to their backends. 
Let's be honest, why would the NSA force MS to add a key like that, in such a way?
How do you know? Too much trust in MS and Apple? Backdoors in such systems are a normal thing to expect.
Also, what's the point of having a "carefully guarded TLS connections on the Internet", if at least one of the ends is completely compromised?
Perfect forward secrecy is a lot more secure since if Google's private key were compromised any traffic -- including traffic captured in the past -- would still be secure (barring some further compromise).
Each connection has 2 possibly transient negotiated public/private key pairs made just for that connection. In theory, google could store all these pairs as well and they could be compromised, but that adds up to a lot more ifs.
As near as I can tell, the extra computation required to do perfect forward secrecy is a large part of why it's not more frequently implemented.
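The static-versus-ephemeral distinction the comment above draws, as an added example that is not from the thread or from any project it mentions: a pure-Python toy in which an attacker records handshakes and later obtains the server's long-term private key, plus the "server stores its ephemeral keys" variant the second paragraph warns about. The group parameters (the Mersenne prime 2**127 - 1 with generator 3) are constructed for readability only, and authentication of the ephemeral exchange is omitted so the key-compromise point stands alone.

```python
"""Toy comparison of static DH (no forward secrecy) and ephemeral DH (PFS).

Constructed demo parameters: a 127-bit prime-field group chosen so the
numbers stay readable. Real deployments use standardised groups or curves.
"""
import hashlib
import secrets

P = 2**127 - 1  # toy modulus (Mersenne prime M127), demo only
G = 3           # toy generator, demo only


def keygen():
    """Return a (private, public) Diffie-Hellman pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def derive_session_key(shared_secret):
    """Hash the raw DH shared secret into a 256-bit session key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def static_dh_session(server_priv, server_pub):
    """No PFS: the server reuses its long-term DH key in every handshake.

    Returns (wire_transcript, session_key). Only the client's public value
    crosses the wire; the server's public value is already known to all.
    """
    c_priv, c_pub = keygen()
    key = derive_session_key(pow(server_pub, c_priv, P))
    return {"client_pub": c_pub}, key


def ephemeral_dh_session(server_key_log=None):
    """PFS: both sides generate a fresh pair per session.

    The long-term key would only *sign* the server's ephemeral public value
    (omitted here). If server_key_log is a list, the server keeps a copy of
    its ephemeral private key, which is exactly what destroys PFS later.
    """
    c_priv, c_pub = keygen()
    e_priv, e_pub = keygen()
    key = derive_session_key(pow(e_pub, c_priv, P))
    assert key == derive_session_key(pow(c_pub, e_priv, P))  # both sides agree
    if server_key_log is not None:
        server_key_log.append(e_priv)
    # e_priv and c_priv go out of scope here; only public values were recorded.
    return {"client_pub": c_pub, "server_pub": e_pub}, key


def recover_with_leaked_key(transcript, leaked_priv):
    """Attacker computation after a private key leaks: apply it to the recorded
    client public value. Correct for static DH (or for a logged ephemeral key);
    for a genuine ephemeral session the long-term key never entered the
    derivation, so the result is garbage.
    """
    return derive_session_key(pow(transcript["client_pub"], leaked_priv, P))


def demo(sessions=3):
    """Run three scenarios and report whether past traffic is recoverable."""
    lt_priv, lt_pub = keygen()                   # server's long-term key

    static = [static_dh_session(lt_priv, lt_pub) for _ in range(sessions)]
    ephemeral = [ephemeral_dh_session() for _ in range(sessions)]
    key_log = []                                 # a careless server's key store
    logged = [ephemeral_dh_session(key_log) for _ in range(sessions)]

    # Later: the long-term key leaks (and, in scenario 3, the key log too).
    static_hit = all(recover_with_leaked_key(t, lt_priv) == k for t, k in static)
    ephemeral_hit = any(recover_with_leaked_key(t, lt_priv) == k for t, k in ephemeral)
    logged_hit = all(recover_with_leaked_key(t, e) == k
                     for (t, k), e in zip(logged, key_log))
    return {
        "static_dh_recovered": static_hit,        # True: no forward secrecy
        "ephemeral_dh_recovered": ephemeral_hit,  # False: PFS holds
        "logged_ephemeral_recovered": logged_hit, # True: logging undid PFS
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'past sessions exposed' if hit else 'past sessions safe'}")
```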
If you think Google is the only company that can secure webmail, I bet you are an employee.
But anyways: what does it matter if your webmail provider isn't beholden to the government, if a suitably motivated teenager can read your mail because of software vulnerabilities?
Google Mail isn't likely to be more secure just because Google is inherently better at building software than anyone else. Rather, it's because they allocate more resources to the problem of keeping Google Mail secure than any other mail provider does (or even can) allocate to their security.
Second, the equivalence isn't false. The Venn diagram of sites that can be compromised by script kiddies is entirely contained by that of sites that can be compromised by NSA.
Please do tell which one? And why you are sure they are not beholden to a government?
Only if that single feature outweighs your other reasons for switching away from Chrome.
If suspicions are founded as actual threats I will do any one of the following and probably more.
Look into your credit card records and bank transactions
Serve your host/ISP with a request and also get your SSL private keys
Listen in on your cell phone/home phone/sat phone
Use traditional listening devices (these are great btw..)
Find an exploit in something you use (I'm pretty sure I have some zero days lying around).
Listen in on your girlfriend/wife/husband/boyfriend/friends and family.
Create lots of tor exit nodes and track your patterns
Ask some actual spies/moles for some intel
Use satellites and tracking devices, maybe even some drones
Wait for you to mess up..people are lazy.
I made this to point out some real tactics that are actually used and why the vast majority of PRISM related posts like these are a bit silly...aka..you're probably not a terrorist. The NSA tracked bin Laden's courier Abu Ahmed al-Kuwaiti's cell phone which eventually led them to Bin Laden. Does that sound like anything you're doing?
The NSA is not above the law and I generally support Snowden, William Binney, etc. I just think people need to get a grip on reality here. The only people tracking you are ad trackers.
ps. Don't fret too much about the NSA, Google Glass will have citizens spying on each other in no time flat.
I find this mindset really weird and alien. Surely people who are not terrorists using security measures is exactly what's needed, so that security measures become normalized and the web's vulnerability to malicious actors is lowered. I agree that the site's focus on the NSA and PRISM is a bit misleading, but that doesn't make the site silly (although other things might).
You must have been living in a cave...
The NSA is above the law and the rules they follow are set by a secret court appointed by a single man who has his position for life.
At the next Boston bombing, or whatever, they analyse that metadata for the perpetrator. And the next one. And the next one. And build a profile of what a "terrorist's" communication patterns look like.
And then they single out everyone matching that profile and stick watches on them, or bring them in.
It's Minority Report without the psychics. Google Now for Homeland Security.
Wow, that never occurred to me. Analyzing Metadata really is a lot like "pre-crime".
Sure, in a sense all police or intelligence work can be looked at in a way that makes it seem "like pre-crime" - after all, crime prevention does have its merits. But putting every single citizen on the list is something different entirely and really does smack of "psychics".
I thought that's why everybody's freaking out. I mean... that's why I'm freaking out. I haven't even seen the movie.
Eagle Eye (yet) without an AI.
Threads like this are silly because actual suspects already know this, and average joe is getting a false sense of security.
NSA also released SEAndroid which hardens Android significantly. It's included preinstalled w/ Samsung S4. Although still not very popular and I'm sure not heavily code-reviewed.
Even more surprising is that BSD just got a cursory mention. You may as well switch to OpenBSD if you're going to switch to a majority of these alternatives.
Also, BSDs will get greater emphasis in future updates. I'm working on a way to promote more operating systems without the page getting even more overwhelming than it already is.
Furthermore, Tor's outproxy network (i.e., accessing normal internet sites through Tor) is heavily compromised, rife with honeypots run by both non-governmental and governmental operatives, and nothing stops anyone from injecting more honeypots. New exit nodes are automatically registered and used by the network as soon as the client flips his/her bit. While ostensibly exit nodes are not supposed to be sniffing these packets, since it likely violates wiretapping laws in their jurisdiction (unless it's an NSA-owned exit node, of course), one would be very naive to presume such sniffing is not occurring. This means that any data that eventually hits the exit node should be considered, for all intents and purposes, public (correctly-implemented SSL may mitigate this risk where employed). This is fine if you're just trying to circumvent a firewall (remember, Tor was originally designed as a firewall-circumventer so that dissidents in China et al could convey their traffic to blocked sites; the goal was simply "get this public blog post out of China and to the rest of the world", not "hide all data from the NSA", hence the design of the exit node network) so you can use IRC, where your conversations are public anyway, but it's not fine for all kinds of browsing applications, so "try using Tor for everything" is actually horrendous advice.
The upshot of that is that like most other privacy software, you really need to understand the software well to a) actually obtain any meaningful privacy from its usage and b) not accidentally seriously harm yourself.
On top of all that, Tor traffic is easily distinguished and most likely automatically flags your NSA profile for additional attention.
As a fairly boring non-dissident who's just trying to be a good citizen on the internet, I think I actually consider that to be a feature.
Why is chromium not listed as a free alternative to Chrome/IE/Safari?
What components of DDG are partly proprietary and which are not? (not a criticism of DDG just this page) What is a "free search engine" anyway?
Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?
How do you list OpenNIC if they have not adopted an official privacy/anonymization policy?
These parts are open source: https://github.com/duckduckgo. I've added this note to PRISM Break. A free search engine would be a search engine where users have the freedom to run, copy, distribute, study, change and improve the software. YaCy fits this description, but there are currently not a lot of people using YaCy at the moment.
> Why is chromium not listed as a free alternative to Chrome/IE/Safari?
Chromium will be added once I get a list of good Chromium extensions that rival the Firefox addons.
> Why are Firefox and Thunderbird listed alongside Iceweasel and Icedove?
Iceweasel and Icedove are difficult to install on Windows and OS X. If users are unable to switch to Linux, Firefox and Thunderbird are still really good options.
> How do you list OpenNIC if they have not adopted an official privacy/anonymization policy?
Good point. OpenNIC will be removed for the time being.
If you're not familiar:
We explicitly support duplicity and git-annex which makes us very versatile for secure cloud storage.
Be safe. Not ignorant.
Other, possibly better, solutions:
1) If you work for one of the companies listed as "proprietary", you can do the most. Stand up and say you care in company meetings. Tell managers and executives that it's worth finding better ways to secure, anonymize, or not collect information in the first place. Even if it comes at the cost of profitably or usability.
2) Authors of lists like these: Instead of saying all commercial software is lousy, compare them to each other! Make having secure, private software an actual selling point that people can understand.
3) Developers, designers: make beautiful, usable software that is secure and anonymous by default. Don't have privacy as your ONLY selling point. We can only win if we're private and amazing.
In most cases, if the hosting platform provider is asked to provide access to the infrastructure, it is most likely that SSL private keys that are stored on the virtual machine will be taken along with other data.
Switzerland and China do not respond to Secret Service or FBI orders.
What makes you think this is not the case there by default?
I am talking about local authorities of course.
When did "self-hosted" take the meaning of "remotely hosted/virtualized/web hosting" for you?
It seems that would be the digital equivalent of a paper shredder - imperfect but not necessarily easy to pick up and read. Just as well, all these collection operations that seem to be in place would fill up with mountains of useless data.
And with your "secrets", I mean any piece of information you don't want them to know: email, websites you visit, mobile phone calls (and locations)...
Since Echelon/PRISM/Tempora/etc is practically public knowledge at this point, I would imagine that most "real terrorists" have also deduced the above facts and are living by them, making the whole exercise a fishing expedition paid with regular Joe's privacy and tax money...
Also, noticing TextSecure, it's great, but I have a personal gripe with it -- you can't use it without using Google Play, and that means irrevocably pairing your phone with a Google account and therefore some identity. Would it be that much of a hassle to put the APK on F-Droid? Software that's supposed to be secure but requires you to have a Google account is a sad view.
EDIT: of course, after the (de)cryptocat debacle, using TextSecure without reading the source code might not be a good idea. Homepage of "security" software like that should always include page about security: what algorithms it uses, stuff like that.
No other service does this and it allows you to have the convenience of the cloud and video streaming while maintaining the privacy that you would get by viewing videos on your local computer.
As far as I know it is one of the few examples of a (client-side) web app based on encrypted cloud storage. (I would like to know other examples, I don't know any).
(I am the author)
Maybe it's me, not completely unlikely, but when I open the left hand nav menu, with the button at the top left, the whole site shifts to the right to show the menu, but that cuts off the text in the last column. As well as that, no bottom scroll bar appears. Maximizing or resizing the browser window makes no difference. This is in Chrome, Iron (which you don't list and I reckon should), and Firefox. Tried in IE, but the menu button at the top left doesn't work at all.
On the up side, the site name gave me a welcome chuckle!!!
* Who is the target demographic for this page? If it's lay-users, many of the suggestions are inappropriate: no-script, arch linux, "host-your-own cloud provider"... these are useless if you're not a programmer.
* Many of the suggestions don't do anything to improve your privacy. As tptacek noted, host-your-own may protect you from gmail handing your emails over en masse, but it doesn't protect you from yourself (you eliminate one attack surface but add many many new ones). Switching your email client... again, if the gov't can just ask your provider for all your mails, your client is irrelevant (excepting gpg which is a different question). It seems like many of these will create a false sense of security, which is even worse than no sense: "Yay I switched from outlook to icedove, take that NSA."
* There are way too many alternatives listed. What is the point of listing six different linux distributions? Pros are aware of the fact that there are many distros, newbs need a recommendation, not a dizzying list of alternatives with no guide to how to pick one. (I see mint is listed as newb choice; why are qubes, trisquel, etc. listed at all?). Ditto mail clients, browsers, and especially social networks. It seems little care was taken to ensure that the software on this list has any merit beyond being "free." Hey I made a free [barely functional, never updated] chat client, why isn't it on your list??
* The list reeks of politics over practicality. Seriously, IceDove? Trisquel? I'm a linux user at home, have used tbird, pidgin (& finch), adium, OTR, debian, ubuntu, mint, etc. etc. and I've never even heard of these tools. I suspect they are being listed because they are "FSF Endorsed" not because they are actually more useful. This is an AWESOME way to alienate new users: steer them toward ideologically pure but hard-to-use or nonfunctional software.
* pare down the list (only list 1 or 2 of the best alternatives, maybe with a "more options" link for IceDonkey or whatever);
* Indicate how much technical expertise is needed for different tools. NoScript is USELESS for lay-users, disconnect.me (if it's like ghostery) & adblock are set&forget, very low friction options for new users. Ditto arch linux &c.
* Don't include things just because it meets the requirements of being "free"!! You don't need every half-functional email client in the world because it's "free"- this makes the list worse, not better.
* Make clear what tools do and don't do!! Merely switching to pidgin to connect to your does nothing for you, your list suggests it does. Blocking google analytics does not stop the NSA or whomever from requesting information from your ISP about your browsing habits!!! This needs to be more clear on your list.
* Don't make outlandish, inaccurate, unrealistic claims! "Stop the American government from spying on you by encrypting your communications and ending your reliance on proprietary services." 90% of these tools have nothing to do with encryption and/or aren't any more secure by default. You can't "opt out of prism." You're not "stop[ping] the American government from spying on you" by hosting your own wordpress. This claim is horsefeathers and it needs to be removed.
Oh well... at this point I'm feeling that in its current state your list does more harm than good, overwhelming users with too many (shitty) choices, creating a false sense of security, and muddying the waters about online privacy like crazy. These tools require attendant tech education: you can't just dump Adium in someone's lap and say "now you're protected from spying."
We are however very close to opening nimbus.io and crypton.io open-source secure and private storage APIs based on our storage infrastructure.
I've seen Etherpad mentioned multiple times on HN, but I somehow never realized that it's self-hosted FOSS.
For example: DuckDuckGo might hide your search but when you click on a link in the result list the request to that link is still monitored by your Internet provider.
They also run a Tor exit enclave for DDG searches, so using https over tor for DuckDuckGo searches should provide about as much anonymity as you can get doing search engine queries.
Is the big difference being your IP tracked with the searches by Google?
Duckduckgo claim not to log your searches.
With that you could run a node and search locally against your machine without anybody knowing.
oh also gallery3 should probably be in there.
What's with the '*'?
edit subject to the rulings of the fisa court etc.
XMPP is here, and we have no really good clients for desktop either, and for Android we've got basically none that support Jingle.
Jitsi also doesn't run on our phones last time I checked.
Basically we have these smartphones, awesome hardware, good devices, but we can't use them to talk confidentially with our friends.
Libpurple doesn't seem to move either:
Those are major libraries which are used on the desktop and mobile, and that's probably the reason why you don't see actual clients with ZRTP support.
Maybe help project Tox? https://github.com/irungentoo/ProjectTox-Core/blob/master/do...