Despite Google’s statement, they still have access to your wifi passwords
UPDATE: The Android bug tracker isn’t the correct place to ask Google to fix this bug. The backup/restore feature is part of the proprietary Google apps for Android, not the open source Android project. This thread on the Google product forums is the correct place.
Earlier this week Ars Technica covered a bug report I posted on the Android issue tracker about the “Backup and restore” feature not offering encrypted backups.
Because there’s no option to encrypt your backup data on your Android device with a passphrase that you set, Google has the capability to see the plaintext data, including all your saved wifi passwords. Google can then be compelled to give up this data (and any other user data that they store) to the US government when requested to do so.
Use Android? You’re Probably Giving Google All Your Wifi Passwords
Go to your home screen, press the Menu button, select “Settings”, under “Personal” select “Backup and reset”. Is the “Back up my data” checkbox checked? If so, all of the wifi passwords that your phone remembers are being synced to your Google account.
And the passwords are in plaintext, too. When you format an Android phone and set it up on first run, after you login to your Google account and restore your backup, it immediately connects to wifi using a saved password. There’s no sort of password hash that your Android phone could send your router to authenticate besides the password itself.
Opportunistic Encryption to Combat Dragnet Surveillance
The world is in shock and anger over recent revelations that NSA and GCHQ are conducting suspiciounless spying on every human with an internet or phone network connection. One of the ways they’re spying on the entire internet is by tapping the underwater fiber-optic cables that connect the continents and parsing and logging the firehose of packets as they fly by.
If we want to keep what we do on the internet private, a good way to do that is to encrypt as much of our internet traffic as possible. End-to-end encryption is hard to do right for end users because identity verification is really, really hard to scale. It’s not practical for everyone who wants to visit an HTTPS website to meet in person and read out SHA1 fingerprints for SSL certs.
Swatting is Not the Same as Doxing
Update: KTVU has taken down the story.
Recently I was interviewed about “doxing” by KTVU, a Bay Area news station based in Oakland. Doxing is when someone publishes documents (“dox”) about someone to the internet. It’s usually full of mundane info that can be found in a phone book and with a google search, but sometimes it also contains more sensitive information like the contents of personal emails, lists of passwords, etc.
I found out that the segment aired on TV last night when someone tweeted me asking if I really thought that “swatting” was protected by free speech laws. Swatting, I learned for the first time last night, is when someone dials 911 and reports something like a hostage situation or a terrorist bomb plot at someone else’s address in order to get a SWAT team to bust down their door.
sudo apt-get install torbrowser
TL;DR: I wrote a piece of software called Tor Browser Launcher that downloads and auto-updates Tor Browser Bundle for you, in your language and for your architecture, and verifies signatures. I’d like help finding bugs before the initial release.
Over the years, Tor Project has done an amazing job at making Tor more user-friendly. In the past if you wanted anonymity you had to download and install Tor, maybe hand-edit your torrc file, and configure your browser to use a proxy server. You had to make sure that you didn’t have browser plugins like Flash or Java enabled that would compromise your anonymity. Eventually, this got easier when you could install the TorButton Firefox add-on, but even then you had to keep manually separate your own identity and your anonymous browsing.
How to Get a Tor Project T-Shirt For Less Than $65
The Tor Project is awesome. It’s a network of volunteer proxy servers that make it possible for people to use the internet anonymously.
I decided to contribute to the Tor network by running my own exit node called gollum. I’m paying Gandi $16/month for a VPS in Paris, France. As of this writing the uptime on my Tor server is 69 days, 12 hours.
Bradley Manning's statement shows that US intelligence analysts are trained in using Tor
This morning I had the opportunity to help Freedom of the Press Foundation publish the full, previously unreleased audio recording of Bradley Manning’s statement to the military court in Ft. Meade about his motivations for leaking over 700,000 government documents to WikiLeaks.
In his statement Bradley Manning not only explains his motivation for leaking documents to WikiLeaks (he contacted the Washington Post and the New York Times first), but also technically how he went about doing it, including the software and protocols he used.
Using Gajim Instead of Pidgin for More Secure OTR Chat
I’ve been using Pidgin as my chat client for many years. The one feature of Pidgin that I care about more than any other is that it supports Off-the-Record (OTR).
If you don’t know about OTR, it’s awesome. It lets you have end-to-end encrypted chat sessions with people so that only you and the person you’re chatting with can read the chat messages and all other parties—such as your chat server (often Google), your ISP, or anyone else eavesdropping on your—cannot. It also has cool features like forward secrecy that other cryptosystems like PGP don’t have. If you’ve ever been to a CryptoParty, setting up Pidgin and OTR and learning how to verify keys is always on the schedule.
Unity vs. Windows 8
I posted this as a comment on my previous blog post, Why I’m Leaving Ubuntu for Debian. I decided it’s worth it’s own post though.
Mobile Location Anonymity: Proxying Twitter, IM, and Email through Tor on Android
Each time your computer makes a connection to a server on the internet, you tell the remote server, as well as your ISP and every router in between, your IP address. If you’re using the internet on your phone you might be disclosing the IP of your 3G or 4G connection, or the IP of the wifi network you’re connected to.
If your phone checks for new emails or tweets every couple minutes, or keeps up a consistent connection to your instant messenger server, any of those services is almost definitely logging a history of your IP addresses.
This IP address data could be used to figure out your physical location over time. This is the information that New York City subpoenaed Twitter for, to get the private messages and IP addresses (read: location data) of Occupy protester Malcolm Harris.
