I think this list provides some better overview of alternatives:
The best helmet is the helmet you will wear.
The rms approach, while effective, is untenable for most people. Sometimes more moderate livable recommendations will wind up doing more good, because people will wear them.
In fact I'd argue that 2-factor authentication actually helps governments and private Internet companies because we willingly associate our mobile phones to our Internet accounts.
Having everyone use SSL is better than nothing (and provides some amount of herd immunity to those that need to hide their communication).
Two factor auth protects against a number of threat classes, such as the "local criminal" they mention. People might not care about the NSA, but there are plenty of other reasons to care about security.
Right before the list they state that these only provide incremental improvements.
The last step might lead people to prism-break at some point (eg. during crypto parties).
That's kind of the problem here. The whole situation is in such an advanced stage and so pervasive and based on such "advanced" technology that we simply cannot get out of it by keeping our silly little habits that we're so used to. (And yes, it includes shunning the NSA partner companies' products: Google, Microsoft, Skype, Apple, Facebook, Yahoo, Paltalk, etc.)
This situation requires drastic measures, on the individual/personal level as much as on the societal level.
My impression is that the article is for people who would be overwhelmed with prism-break (and couldn't do _anything_ with that list of tools - prism-break.org isn't very actionable without prior knowledge).
If someone without ITsec experience comes up and asks what to do about that nasty NSA stuff they've read in the news, and you tell them to drop their operating system ("Google, Microsoft, Apple" includes Windows, OSX, iOS, Android, Windows Phone), the applications that run on top of them, and their Internet based communication (Skype and Facebook), they'll probably ask you where they could buy a box of index cards and post stamps, and how to build a hut in the forest. And then turn around and change nothing.
That list provides a way to reduce the attack surface - not particularly against the NSA (because of the backdoors), but certainly against the Firesheep instance running on the neighbor's laptop in the cafe.
It also raises awareness without overwhelming newcomers.
Let them lock down their in-flight communication. You can still tell them about endpoint security later (and why US based corporate silos are a problem in that regard), so they can "level up".
If that list isn't radical for you, you're probably not the target audience.
For now, please note that it doesn't end with "you're done. Congratulations, you're now secure!", but with crypto parties and other ways to raise awareness - those are great places to consider and implement more radical steps towards security. At least if people are around who can lend a hand.
I kind of agree with you here. Especially if it's tied to your identification personally. If you have an X@gmail.com or Y@yahoo.com, then you're essentially at their mercy. But if you just buy a domain for 10 bucks a year, you can go to your registrar's page and forward mails from catch-alls @FNLN.com to your secret X@gmail.com. If you don't like them, download it to Outlook and move on to Y@yahoo.com and change the setting at your host record page. That is literally it. Your cost here to switch is the time it takes to download messages to your computer and close the account, sign up for a new account and redirect your alias to the new account. I would ideally automate step 1 as soon as I have opened an account.
You are not 'locked in' to one provider, as your custom domain name becomes an abstraction between your identity to the real world and your storage space/identity to servers. You can change the latter without changing the former. Of course, if you were early enough you could've snagged a Google Apps account, or if you're just entering the scene, you can get a Live Domains account. The only downside is that they don't have catch-alls, so you can't have an on-the-fly email address like hn@FNLN.com for signing up at different websites.
Yes, I was surprised by this too. Giving away your mobile phone number is not something I'd consider doing lightly. What's more, Google have a poor record on privacy matters.
If you provide your phone number to Google, who has access to this info at the company? Is your phone number encrypted so that no one sees it at Google? i.e. is it only accessed by automated computer systems? Do they have strict procedures in place that allow access to authorised staff under particular circumstances only? Do they tie your number to other tracking info? (Of course, Google would never reveal this, but it wouldn't surprise me if they did.)
I think these are perfectly legitimate questions to ask when a company stores your personal information. And particularly for a company that has greater oversight of online activity than anyone else. We don't know the answers to any of these questions, because Google's vaguely-worded privacy statements tell you nothing. (The help text when signing up to a Gmail account simply states "your phone helps with keeping your account secure...")
You might feel you can trust Google on matters of security, but can you trust them on matters of privacy?
Why? Unless you're a world famous celebrity no one is going to call you. I put my Google Voice number all over the place and the only issue I have is with recruiters.
Of course, one should use 2FA whenever available, but it has nothing to do with avoiding surveillance. Indeed, it creates a stronger link between an account and an identity, i.e. anonymous twitter account + 2FA w/ mobile phone number == not anonymous.
All the last point asks is for people to support the Stop Watching Us rally and other campaigns against bulk spying, run a Tor node, or hold a cryptoparty.
Your comments on surveillance tactics/hunger/climate change are just bringing up irrelevant arguments, so I won't address them.
P.S. Sorry to go on a rant, but I miss the days when people actually RTFA. (aka never gonna happen).
And also this was quite surprising news to me:
"After suspected abuses of the USA PATRIOT Act were brought to light in June 2013 with articles about collection of American call records by the NSA and the PRISM program (see 2013 mass surveillance disclosures), Representative Jim Sensenbrenner, Republican of Wisconsin, who introduced the Patriot Act in 2001, said that the National Security Agency overstepped its bounds. He released a statement saying “While I believe the Patriot Act appropriately balanced national security concerns and civil rights, I have always worried about potential abuses.” He added: “Seizing phone records of millions of innocent people is excessive and un-American.”"
Anonymity Is Hard https://news.ycombinator.com/item?id=6521517
OPSEC for Hackers (video) http://www.youtube.com/watch?v=9XaYdCdwiWU
Only problem being, that involves me handing over my phone number to Google - one personal detail too many, for me.
For better anonymity, ditch your cell (tracking device) and use open wifi networks, with a fresh MAC address each time (you can't necessarily trust routers at $Coffee_Shop to not identify who you are).
Example: The NIST openly went against NSA.
Also, how solid is it? I suppose Tor has attracted much more research over the years in comparison.
The major vulnerabilities sound like details of implementation alone. Then there is a difference between the more easily lost privacy and the less easily lost anonymity.
Finally, people who are actual experts seem to think it remains a tool for anonymity, and explain why in a credible way.
But other than that, Tor is by far the best thing for your privacy right now.
And Tor has some weaknesses to active attackers, meaning people who control the behavior of many routers, to some extent. I believe there were documents showing the NSA has this capability.
But it would be truly helpful to NSA to create the illusion that TOR is cracked. Maybe that's the point of the documents you're talking about.
Time and resources would be better spent asking voters to shut down the NSA's illegal collection of information on US citizens (for starters).
> 2. Encrypt as much communications as you can.
http://retroshare.sourceforge.net/ has got your back.
Chrome meets all criteria to be classified as malware; just because a big-name company is behind it doesn't make it any less malicious.