Extent of UK snooping revealed
[If you're not making a serious attempt at limiting access to information about your on-line activities you're pissing into the wind.]

Officials in the UK are routinely demanding huge quantities of information about what people do online and who they call, say privacy experts.

Police and other officials are making around a million requests for access to data held by net and telephone companies each year, according to figures compiled from the government, legal experts and the internet industry.

http://news.bbc.co.uk/2/hi/technology/3030851.stm
barabbus@hushmail.com wrote:
> [If you're not making a serious attempt at limiting access to information about your on-line activities you're pissing into the wind.]
Do you know of any effective means of concealing one's web-surfing habits? I know there are things like Anonymizer.com, but with all of these you have to trust the service providers. I've looked into JAP, but they don't have a real network -- just one path between two links, both controlled by the same people.
On Tue, 20 May 2003, Kevin S. Van Horn wrote:
> barabbus@hushmail.com wrote:
>> [If you're not making a serious attempt at limiting access to information about your on-line activities you're pissing into the wind.]
> Do you know of any effective means of concealing one's web-surfing habits? I know there are things like Anonymizer.com, but with all of these you have to trust the service providers. I've looked into JAP, but they don't have a real network -- just one path between two links, both controlled by the same people.
I am writing a HOWTO on this subject now, and will (perhaps) be speaking on the topic at DefCon. Long story short:

a) collocate your own server (not just a webhost) somewhere.

b) install a web server with proxy capability, and configure your own web clients on your personal computers to only hit that webserver, and to only hit it with SSL for _all_ web requests. So, all your web browsing occurs over SSL and has a single destination - your server. The actual fetching of web pages occurs in plain text (or SSL if the site really is SSL) from your server to the world.

c) pick a small group (whose size relates to how much bandwidth at your collocation facility you can afford) and give them access as well, so as to diminish traffic patterns when comparing your ISP logs to the collocated servers' ISP logs

d) set up an automated script on the server that _constantly_ fetches random web pages, thus creating a constant stream of http traffic in and out of the server, again diminishing traffic patterns. Log the actual proxy requests in some temporary fashion and randomly hit those web sites in an automated fashion throughout the day, regardless of whether someone is requesting them through the proxy or not...and then, script a constant stream of requests to the proxy as well ... either from a home firewall, other home users, or from other users' collocated servers. The point is you want constant traffic in both directions.

Establishing Plausible Deniability:

a) set up some lame web site on your collocated server offering some sort of "web archive", thus establishing PD for crawling/visiting any site

b) open up your wireless AP, at least a little bit, so that random persons walking by have the ability to browse from the IP your ISP has given you as well ... this may be complicated as they have to configure the proxy.

Extra points for:

a) randomizing the HTTP-USER-AGENT strings coming out of the proxy to fetch the requested data, again removing traffic patterns and reducing your own risk if you use an odd web browser.

b) setting up a personal firewall on your own internet link that _only_ allows HTTP and SSH traffic, and only allows it to your collocated server. This will allow you to use modern OS software that you may not trust (windows XP ?) while showing you what kind of extra-curricular connections it is making.

c) running your SSL connections to the proxy over port 25 or port 20 ... or 110 ... or 6667 - all good candidates.

d) equalizing the constant inbound and outbound traffic that is generated to obscure traffic patterns ... so, if the constant, scripted inbound SSL requests fall, then the random scripted browsing outbound falls with it.

Comments appreciated.

-----
John Kozubik - john@kozubik.com - http://www.kozubik.com
At 11:05 2003-05-20 -0700, John Kozubik wrote:
> On Tue, 20 May 2003, Kevin S. Van Horn wrote:
>> barabbus@hushmail.com wrote:
>>> [If you're not making a serious attempt at limiting access to information about your on-line activities you're pissing into the wind.]
>> Do you know of any effective means of concealing one's web-surfing habits?
Use an open, non-commercial, WiFi hotspot
>> I know there are things like Anonymizer.com, but with all of these you have to trust the service providers. I've looked into JAP, but they don't have a real network -- just one path between two links, both controlled by the same people.
Well, for those prepared to run their own servers it may offer improved anonymity but where is Onion Routing and Tarzan?

"A Jobless Recovery is like a Breadless Sandwich." -- Steve Schear
On Tue, May 20, 2003 at 11:05:23AM -0700, John Kozubik wrote:
> b) install a web server with proxy capability, and configure your own web clients on your personal computers to only hit that webserver, and to only hit it with SSL for _all_ web requests. So, all your web browsing occurs over SSL and has a single destination - your server. The actual fetching of web pages occurs in plain text (or SSL if the site really is SSL) from your server to the world.
Well, it depends. If I'm browsing the web from home on DSL, a remote web site is going to get something like:

pool-148-98-113-70.esr.east.verizon.net.

If I go through my server, the remote site will see:

mccullagh.org

Your other points are well-taken, though! :)

-Declan
John Kozubik wrote:
> I am writing a HOWTO on this subject now, and will (perhaps) be speaking on the topic at DefCon. Long story short:
> a) collocate your own server (not just a webhost) somewhere.
> [...]
> d) set up an automated script on the server that _constantly_ fetches random web pages, thus creating a constant stream of http traffic in and out of the server, again diminishing traffic patterns. Log the actual proxy requests in some temporary fashion and randomly hit those web sites in an automated fashion throughout the day, regardless of whether someone is requesting them through the proxy or not...and then, script a constant stream of requests to the proxy as well
> Comments appreciated.
Fun & difficult part is setting up fetching of "random" web pages that looks like real user activity. Also, unless you have some very odd friends, user activity will vary in statistically likely ways over time, so the ideal system would "randomly" compensate for that.
On Wed, 28 May 2003, ken wrote:
> John Kozubik wrote:
>> d) set up an automated script on the server that _constantly_ fetches random web pages, thus creating a constant stream of http traffic in and out of the server, again diminishing traffic patterns. Log the actual proxy requests in some temporary fashion and randomly hit those web sites in an automated fashion throughout the day, regardless of whether someone is requesting them through the proxy or not...and then, script a constant stream of requests to the proxy as well
> Fun & difficult part is setting up fetching of "random" web pages that looks like real user activity.
Yes, this is a somewhat interesting problem - probably not that difficult considering that the goal here is to create plausible deniability in a setting like a court of law. Generating traffic patterns that convince other cryptographers (or even sysadmins) is much harder than generating traffic patterns that simply create reasonable doubt.
> Also, unless you have some very odd friends, user activity will vary in statistically likely ways over time, so the ideal system would "randomly" compensate for that.
Exactly. The ideal system would monitor in and outbound:

- web requests
- bytes transferred
- bytes per page
- pictures per page
- binary files transferred
- (all of those) / second

and generate pseudo-random browsing to smooth these variables over time. Perhaps a script that chose random word pairs from the dictionary, googled them, and browsed the pages that were returned would be a good platform.

-----
John Kozubik - john@kozubik.com - http://www.kozubik.com
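The smoothing described in the message above, worked through as an added example that is not part of the original thread or anyone's actual tooling: given per-slot counts of real proxy use, it computes how much dummy traffic each slot needs to reach a constant target, which slots still stand out when the target is set below peak use, and what the padding costs in bandwidth. The slot structure, the names `Interval`, `plan_padding`, `observed`, `leaking_slots` and `overhead`, and the sample figures are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interval:
    requests: int      # real proxy requests in this time slot
    bytes_moved: int   # bytes transferred for real users in this slot

# Constructed sample: six one-hour slots of real proxy use (not measured data).
SAMPLE = [
    Interval(4, 120_000), Interval(0, 0), Interval(37, 2_400_000),
    Interval(12, 610_000), Interval(0, 0), Interval(21, 1_050_000),
]

def plan_padding(real, target_requests=None, target_bytes=None):
    """Dummy (requests, bytes) to add per slot so real + dummy hits the target.

    With no target given, the busiest real slot is used, so no slot exceeds it.
    """
    if target_requests is None:
        target_requests = max(s.requests for s in real)
    if target_bytes is None:
        target_bytes = max(s.bytes_moved for s in real)
    return [(max(0, target_requests - s.requests),
             max(0, target_bytes - s.bytes_moved)) for s in real]

def observed(real, plan):
    """Per-slot totals visible on the server's link: real plus dummy."""
    return [(s.requests + dr, s.bytes_moved + db)
            for s, (dr, db) in zip(real, plan)]

def leaking_slots(real, plan):
    """Slots that rise above the padded floor: real use exceeded the target,
    so padding could not flatten them."""
    seen = observed(real, plan)
    floor_r = min(r for r, _ in seen)
    floor_b = min(b for _, b in seen)
    return [i for i, (r, b) in enumerate(seen) if r > floor_r or b > floor_b]

def overhead(real, plan):
    """Fraction of all observed bytes that is padding (the bandwidth cost)."""
    dummy = sum(db for _, db in plan)
    total = dummy + sum(s.bytes_moved for s in real)
    return dummy / total if total else 0.0

if __name__ == "__main__":
    full = plan_padding(SAMPLE)                       # pad up to the peak
    cheap = plan_padding(SAMPLE, 15, 700_000)         # pad to a lower target
    print(leaking_slots(SAMPLE, full), round(overhead(SAMPLE, full), 2))
    print(leaking_slots(SAMPLE, cheap), round(overhead(SAMPLE, cheap), 2))
```

Padding to the peak hides every slot but makes most of the link's traffic dummy data; a lower target is cheaper and leaves the busiest real slots visible.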
On Wed, May 28, 2003 at 10:36:23AM -0700, John Kozubik wrote:
> and generate pseudo-random browsing to smooth these variables over time. Perhaps a script that chose random word pairs from the dictionary, googled them, and browsed the pages that were returned would be a good platform.
Well, it seems to me that a sufficiently smart Carnivoristic device would be able to detect that and easily toss out all such bogus searches and their progeny.

How about reading a bunch of news sites and following links? Maybe posting trollish comments on Slashdot? :)

-Declan
On Wed, 28 May 2003 10:36:23 -0700 (PDT), John Kozubik <john@kozubik.com> wrote:
> and generate pseudo-random browsing to smooth these variables over time. Perhaps a script that chose random word pairs from the dictionary, googled them, and browsed the pages that were returned would be a good platform.
Unless it ended up going to one of the FBI's child porn services!

Regards, Dave Hodgins
At 02:59 PM 05/28/2003 +0100, ken wrote:
> John Kozubik wrote:
>> Comments appreciated.
> Fun & difficult part is setting up fetching of "random" web pages that looks like real user activity.
> Also, unless you have some very odd friends, user activity will vary in statistically likely ways over time, so the ideal system would "randomly" compensate for that.
So do something clearly artificial but complex, like taking all the spam from your spambait account and probing the IPs it came from and websites it references to collect some statistics and also check for relay and proxy status and maybe display some samples of spam collections on the "some lame archive" website. Me? I wasn't browsing Thoughtcrime - that was just my spam harasser.
A great source would be the proxy logs from a big public library consortium, where you have all the websites browsed by many hundreds of library patrons in many different towns on a daily basis. -- Harmon Seaver CyberShamanix http://www.cybershamanix.com
On Tue, May 20, 2003 at 10:18:53AM -0500, Kevin S. Van Horn wrote:
> barabbus@hushmail.com wrote:
>> [If you're not making a serious attempt at limiting access to information about your on-line activities you're pissing into the wind.]
> Do you know of any effective means of concealing one's web-surfing habits? I know there are things like Anonymizer.com, but with all of these you have to trust the service providers. I've looked into JAP, but they don't have a real network -- just one path between two links, both controlled by the same people.
To get a good answer, you should refine the question to include details about your threat model, e.g.:

"I don't want my spouse to look at the history file in Internet Explorer and see that I was shopping for their birthday present online."

or

"I don't want my employer to look at their proxy logs and figure out that I'm looking for a new job in a different state."

or

"I don't want John Ashcroft to figure out that I'm a pot-smoking Al Qaida member who's ordering a case of boxcutters from officemax.com." (which is functionally indistinguishable from "I don't want John Ashcroft to figure out that I'm a free-thinking ACLU member who's ordering an unlicensed printing press from officemax.ru.")

If your life really is so dramatic and exciting that your realistic threat model is the third choice, you're fucked. You're in never-lose-sight-of-your laptop trust-nobody the-walls-have-ears X-files land. A web proxy is not going to save you from a police state.

Tricky probability hacks like letting other people connect to your 802.11 hotspot are only "reasonable doubt" in a hypothetical perfect fair courtroom with a jury full of engineers and statisticians. It's really hard to get your trial assigned to one of those hypothetical perfect fair courtrooms with fully rational juries - you're much more likely to get assigned to one of the standard ones, with juries full of people whose best grasp of probability tells them it's best to fill out Lotto tickets with the dates of their kids' birthdays because that's lucky.

Torturers and despots don't want to hear about "plausible deniability" - ask John Walker Lindh about that. ("No, really, I was just studying radical Islam .. ") The best use of surveillance data may not be trial evidence - it's intelligence, which is used to lead to arrests and the subsequent seizure of admissible evidence.

A web proxy (like Anonymizer, or one of John Kozubik's virtual colo boxes) will save you from prying spouses and employers, which are more realistic threats for most of the world's population; they're also enough to make it really expensive to spy on you, which means that you're unlikely to be the target of opportunistic or systematic surveillance. They're not nearly enough to save you if you're really in hot water with The Man; which you almost certainly aren't, so count your blessings and keep your head down.

-- Greg Broiles gbroiles@parrhesia.com
Obviously the Dumb Ray levels are up and many need tinfoil hats.

The 'net access anonymity in front of the local force monopoly is equal to the meatspace (physical) anonymity. The mere idea of having "your server" somewhere else indicates brain damage. It could work if force monopolies were localized; but they are not for any practical reasons.

So, to anonymously access the 'net, one must be anonymous in the physical sense while accessing the net.

- use Other People's phone lines and internet accounts
- use OP's access points
- use camera-free internet cafes

Obviously, the time has come to print interesting web pages in newspapers.

=====
end (of original message)
On Tue, 20 May 2003, Morlock Elloi wrote:
> Obviously the Dumb Ray levels are up and many need tinfoil hats.
> The 'net access anonymity in front of the local force monopoly is equal to the meatspace (physical) anonymity. The mere idea of having "your server" somewhere else indicates brain damage. It could work if force monopolies were localized; but they are not for any practical reasons.
> So, to anonymously access the 'net, one must be anonymous in the physical sense while accessing the net.
> - use Other People's phone lines and internet accounts
> - use OP's access points
> - use camera-free internet cafes
The ability to communicate without the threat of possible punishment scares the people who are in power. ("Freedom of Speech" is just an advertising slogan.) The paranoia is starting to make itself even more evident.
> Obviously, the time has come to print interesting web pages in newspapers.
Or just abject nonsense in the personals column. Poke the paranoid with sticks and watch them scuttle about.
participants (12)
- alan
- barabbus@hushmail.com
- Bill Stewart
- David W. Hodgins
- Declan McCullagh
- Greg Broiles
- Harmon Seaver
- John Kozubik
- ken
- Kevin S. Van Horn
- Morlock Elloi
- Steve Schear