Week 143 + 144

In this week note, we provide a close look into the tools that we are using to make our communication more secure and private.

Picking up where Johannes left off two weeks ago.

One of the themes that we have been exploring is a way to get a better hold of security and data ownership. Certain things are fairly easy to achieve. Here is a run down of things that we have been using or playing around with. Keep in mind that it is fairly important to find your own mixture of things. With all those measures, you need to be capable to integrate them into your workflow. If you can’t, it is likely that you will stop using them after a while.

Browser: Firefox. It’s the only true open source browser that is not directly affiliated with any of the major cooperations. Mozilla has a strong history of activism and protecting the interest of their users. Additionally Firefox is highly customizable through its extensions.

Extensions: There are plenty of them around. Here is a list of the ones that are sensible and won’t break your browsing routine too much:

  • Disconnect: Protects you from unwanted tracking from over 2000 sources.. Easy to install and doesn’t require any further attention from you.

  • HTTPS Everywhere: EFF released a couple years ago a plugin that forces your browser to pick http’s more secure sibling https on the websites that offer it, but didn’t enable secure connections by default.

  • Flashblock: Flash is known to carry more than one malice. Flashblock prevents the flash bits of a website to be loaded automatically. Don’t worry, it won’t stop you from watching all those cat videos on Youtube. You can either whitelist certain websites or select flash content to be loaded via one click.

Option 1: Most websites require many, sometimes hundreds of different scripts to be displayed properly. Some of those scripts can be malicious, some of them are designed to track your behavior – like Google Analytics –, but most are just there to make those fancy web apps that we all are using at all functional. That’s why installing NoScript in this day and age will require a lot of fiddling around. Per default it blocks all scripts. You can whitelist certain and after a while the whitelist database will grow large enough for most web apps to function, but it can still be somewhat of a hassle.

Option 2: If you want anonymized web browsing, the only real solution is Tor. It became very easy to install it. Just grab the browser bundle and off you go. There are ways to integrate Tor in your main browser, but it is recommended to use the one that is provided with the bundle (which is a forked Firefox). The downside of so much security: it is very slow.

VPN: Stands for Virtual Private Network. People who work in corporate environments are quite familiar with them, because most corporations make their employees log in through a VPN to the companies servers, if they’re not inside the corporate network.

Simple explanation of what they do: When you use the internet, you connect from your computer to the servers of the website / services that you are using. You Internet Service Provider (ISP) knows “where you are” and the services know your IP, where you are from and many more things.

If you are using a VPN, none of this is possible for them. Instead of being connected directly, you are establishing a private, secure connection to a server provided by your VPN provider. That makes it impossible for your ISP to know what you are doing and the services that you are using is only getting the information from the server through which you are connected.

There is a downside to using a VPN service: they can be slow. Taking the effort to reach the internet via a secure server means, basically, that it takes longer to get to where you are trying to go. Additionally, if the VPN service is popular, it can struggle with keeping up with the demand.

To put it in simple terms: if you pick your provider right, you will do just fine browsing most websites without really noticing that it takes a bit longer. But it is unlikely that you will be able to perform well playing Counter Strike while being behind a VPN.

The upside: You can pretend being from somewhere else. Which is especially good, if you are living in Germany, because than you can actually see all those music videos that are stripped away from the GEMAnized Youtube.

VPN providers are not free, nor should they be. The service they provide is important and can be hard enough to maintain. There are a few things that you should be aware off when choosing a service:

Location: Where is the company located that provides the service? Most countries have some sort of data retention laws – all of the EU for example – which makes it hard for VPN providers to be as independent at they would like to be. Funny enough, the US has no such laws, so don’t exclude a VPN service from the US by default.

Logs: This is an important one. To make sure that you can stay really anonymous, pick a VPN provider that doesn’t create logs for the activities that are happening on its servers. Some providers don’t create any logs at all, some keep them for a short period of time (up to 10 minutes) and some of them keep them longer. Stay away from the last ones and you should be fine.

Servers: Most VPN providers maintain servers in different locations to create the shortest routes for their users. Pick a provider that has servers somewhere nearby. It also makes sense, with the revelations of who the NSA is specifically spying on, to pick a provider that has servers in either Canada, UK, Australia or New Zealand. By dialing in through those countries, you are at circumventing being a prime target. Which doesn’t say much, of course.

Router: Most people use the modem/router provided by their ISP. So do we so far, but we already chose a replacement. This way we will be able to run a VPN for the whole office instead individually on every device.

Cloud storage: This is a tricky one. So far, we have been using Dropbox. There are alternatives like Google Drive, Microsoft Skydrive, etc. Dropbox is a very good service. They managed to create an ecosystem of apps that rely on Drobpox as an outsourced file system. This is especially relevant on iOS. That’s why it is fairly hard for us to replace it just yet. But there are some very interesting alternatives that we will keep an eye on or will have to find time to implement them.

Bittorrent Sync: Still in alpha, but it looks very promising. Bittorrent sync is especially interesting, because all other alternatives to cloud based services require a central node (a server on which the services runs on). Sync is different, because it’s based on P2P technology. Everyone who uses Sync is one small node in the network. Instead of having one central node, Bittorrent Sync has many, many small ones. Since files are split up in small chunks and encrypted, nobody accept the intended recipient gets to shared file.

While being on paper a quite ideal solution, it is not yet prime time ready. We already tried to replace Dropbox with it and had to peddle back. The bottle neck so far is the clients stability. Additionally there is no mobile client just yet. I’m confident that Bittorrent Sync will become a very relevant contender in this field as soon as it will mature into a more stable product.

ownCloud & Sparkleshare: Both of those self-hosted solutions look like they can compete with the feature set of Dropbox. We haven’t tried them out yet, but we will in the next 2-3 weeks.

The obvious feature is that you don’t host your data with a third party. Those services are designed in a way that gives full control to the user. On top of this all, they are both open source. It’s significantly harder to build in backdoors into those projects.

The downside of course is that one needs to set them both up on a webspace / dedicated-server. On top of the time that needs to be allocated for setup, both services require a certain maintenances, but I don’t expect that it will be a big issue.

E-Mail encryption: This is a somewhat bizarre area. There are with GPG already solutions in place that would make it even for the NSA very hard to read the content of your emails. You just need to install the GPG package on your computer, pick a client that supports GPG, generate a key that clearly identifies you as a sender of a specific email and there you go, now you can start encrypting your emails.

The only problem: unless the recipient also uses GPG there is no way for this person to you read your email. And that’s where we have been stuck for many, many years. I used to encrypt my emails 10 years ago. It all worked flawlessly with the few people who I knew had the ability to read those emails. All of the rest would just see gibberish.

As long email encryption is not incremental part of how email works, there is little chance that we will see a significant increase in encrypted emails.

Author: Igor

Igor likes to connect the dots. As a strategic consultant in an increasingly complex world, he favours broad knowledge over specialisation. In the last five years, he helped shape strategic decisions at large corporations like Deutsche Postbank AG and Deutsche Telekom AG as well as at startups like Amen and refund.me. In his work he is focusing always on finding the appropriate solutions as well as the people who will be executing upon his advice. Beside the consulting work, Igor speaks at international conferences on variety of topics (SXSW, PICNIC, re:publica, etc.).