Ubuntu is finally taking privacy seriously

Posted April 3, 2014 in linux

Update: A couple people have pointed out that the privacy changes won’t actually take affect in 14.04, which means that fixubuntu.com will still be necessary until at least 14.10, which will be released in October. Oops.

In October 2012, Canonical made a horrible mistake. They included a “feature” in Ubuntu 12.10 that has been widely considered adware and spyware. I blogged about the new Ubuntu’s Amazon ads and data leaks for EFF at the time, with the main ask being that Dash’s online search should be an opt-in feature and not enabled by default.

Continue reading →

Two really simple things Microsoft can do to make Windows more secure against NSA

Posted December 29, 2013 in crypto spies security tor

Thanks to Edward Snowden and journalists at Der Spiegel, today we learned about Tailored Access Operations (TAO), NSA’s world-class hacking team. There was a lot of interesting information in that article (like how they divert shipping of electronics to a secret warehouse where they can modify it to install backdoors!).

But I’m just going to talk about how they use Microsoft error reports to gather private information about Windows computers that can be used to compromise their security — a problem that’s trivially easy for Microsoft to fix.

Continue reading →

How Mailpile can implement opportunistic PGP email encryption

Posted December 2, 2013 in crypto openpgp security

For those wanting to decentralize the Internet and encrypt all the things, Mailpile is a hot topic.

Continue reading →

Leaving EFF and joining a fearless team of journalists

Posted November 15, 2013 in journalism

I started working at the Electronic Frontier Foundation in March of 2011. I joined the tech team as EFF’s first full-fledged web developer, eventually switching jobs internally to become a staff technologist. After over two and a half years of working with the most inspiring group of people I’ve ever met, I’m moving on to join a startup. Monday is my last day of work at EFF.

Continue reading →

Canonical shouldn’t abuse trademark law to silence critics of its privacy decisions

Posted November 7, 2013 in linux

I run the website fixubuntu.com, a place to quickly and easily learn how to disable the privacy-invasive features that are enabled by default in Ubuntu.

This morning I received this email from an employee of Canonical Limited, the company that owns and manages the Ubuntu project:

Continue reading →

HTML email, attachments, and flowed text in Enigmail

Posted September 19, 2013 in crypto

I’ve noticed that a lot of people who are new to GPG really don’t want to give up their HTML email, but the Enigmail setup wizard recommends that you do this.

Continue reading →

Don’t Succumb to Security Nihilism

Posted September 5, 2013 in crypto spies security

You might have read today’s shocking Guardian and New York Times articles outlining the many ways that NSA and GCHQ have defeated crypto on the Internet, and have influenced tech companies to insert back doors into their commercial security products.

Continue reading →

It’s 2013. We’re all being spied on. Why do security software websites not use HTTPS?

Posted August 28, 2013 in crypto hackers https security

Update: This post made the frontpage of reddit and many of the comments are wrong. I took a moment to clear a couple things up at the bottom of the post.

We desperately need to work towards deprecating HTTP and replacing it only with HTTPS. The web is a huge part of what billions of people use the Internet for, and still most of it is not encrypted. Since the Snowden leaks started getting published we’ve learned that NSA and GCHQ spy on as close to the entire Internet as they can get.

It would be naive to think that the US and UK are the only governments doing this too. The network isn’t safe, and the only way to make it safe is to encrypt all the things. Websites that still use HTTP are putting users in danger. Here are a couple of examples.

Continue reading →

Despite Google’s statement, they still have access to your wifi passwords

Posted July 19, 2013 in crypto mobile security

UPDATE: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.

Earlier this week Ars Technica covered a bug report I posted on the Android issue tracker about the “Backup and restore” feature not offering encrypted backups.

Because there’s no option to encrypt your backup data on your Android device with a passphrase that you set, Google has the capability to see the plaintext data, including all your saved wifi passwords. Google can then be compelled to give up this data (and any other user data that they store) to the US government when requested to do so.

Continue reading →

Use Android? You’re Probably Giving Google All Your Wifi Passwords

Posted July 11, 2013 in crypto mobile security

Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.

And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.

Continue reading →