Configuring DNS-over-TLS on macOS

Until yesterday I hadn’t thought too much about DNS metadata leakage. Here’s how it works: your computer sends out a request to resolve a DNS hostname, let’s say “topsecretwebsite.example,” and your DNS server responds back with its IP address in a way that’s easy to eavesdrop on. It’s wild that the Internet works like this by default.

What happened yesterday is a company called CloudFlare (a popular and free content delivery network) announced a new DNS service at the IP address 1.1.1.1. (Yes it launched on April 1, no it’s not a joke.) The service supports a couple of interesting privacy protecting options: DNS-over-HTTPS and DNS-over-TLS. Those technologies don’t guarantee your DNS lookups are accurate (check out DNSSEC for that), or that the DNS provider won’t someday betray you, they just make it’s harder to collect metadata by listening in on DNS’s cleartext port 53.

Read more →

Thursday, Thursday, Friday

Three things coming up later this week in NYC:

Do not let the bastards grind you down

Surveillance and inaction

NYPD skywatch tower
Photo: Life under occupation by Barry Hoggard

I am awash in thoughts and feelings this week. Donald J. Trump will very likely be our next President. This fact has already emboldened hate groups, leaving us to contemplate what the next four years could mean—especially for friends who will likely become targets of bigotry.

Should we go outside and protest? Should we turn inward and lean on our support networks? Do we start thinking about the 2018 midterms? Yes. Yes to all of it. If you need time away from this divisive election, you’ll be welcome to join us when you’re ready. I completely understand, especially if you worked on a 2016 political campaign.

For my part, I am regrouping, considering how I can do more, do better. Some friends have asked me about strategies for resisting surveillance. Digital privacy will become even more important in the coming years, and we should all collectively get better at protecting ourselves.

A very short answer is: switch your texting over to Signal, use a password manager. Start today.

Read more →

On Encryption and Terrorists

Nadim Kobeissi, maker of Crypto.cat and Minilock:

The premise driving the people writing encryption software is not exactly that we’re giving people new rights or taking some away: it’s the hope that we can enforce existing rights using algorithms that guarantee your ability to free speech, to a reasonable expectation of privacy in your daily life. When you make a credit card payment or log into Facebook, you’re using the same fundamental encryption that, in another continent, an activist could be using to organize a protest against a failed regime.

In a way, we’re implementing a fundamental technological advancement not dissimilar from the invention of cars or airplanes. Ford and Toyota build automobiles so that the entire world can have access to faster transportation and a better quality of life. If a terrorist is suspected of using a Toyota as a car bomb, it’s not reasonable to expect Toyota to start screening who it sells cars to, or to stop selling cars altogether.

Link via Matthias Bruggmann

How to escape the advertising bubble

Maciej Cegłowski has interesting things to say about big data and the online advertising business. He argues—persuasively, I think—that the advertising technology (adtech) sector is overvalued. In a recent essay, he describes what will happen when that adtech bubble finally bursts.

The problem is not that these companies will fail (may they all die in agony), but that the survivors will take desperate measures to stay alive as the failure spiral tightens.

These companies have been collecting and trafficking in our most personal data for many years. It’s going to get ugly.

Remember when, in its death throes, RadioShack sold off the customer data of 67 million people? This will probably be worse than that. And a whole lot of the web is built on top of adtech spaghetti business (think: spaghetti code, but for business).

The prognosis for publishers is grim. Repent! Find a way out of the adtech racket before it collapses around you. Ditch your tracking, show dumb ads that you sell directly (not through a thicket of intermediaries), and beg your readers for mercy. Respect their privacy, bandwidth, and intelligence, flatter their vanity, and maybe they’ll subscribe to something.

One way I could see publishers phasing in this more-respectful business model is through existing web browsers’ do-not-track differentiation. Every modern browser has privacy settings that let an individual user opt out of online tracking. That do-not-track preference gets included with each and every web request, but it’s up to the website operator to act on it. As far as I can tell, all adtech companies seem to ignore this preference completely.

Firefox privacy preferences
Firefox privacy preferences

Okay, so are you ready for my idea for how publishers can escape the adtech bubble? Stay with me here, because this is a crazy suggestion: if I’ve signaled through my preferences that I prefer not to be tracked, then … I dunno, maybe don’t track me.

A typical ad-driven website relies on dozens of companies to show me slow loading, poorly-customized advertising. But there’s nothing stopping the website itself from simply not letting those companies’ code onto the page.

I would say just switch to dumb (non-tracking) ads for everyone, but I know how this would play out: “it’s too extreme, we can’t afford it!” But here’s the thing, if you think this adtech spaghetti business is going to collapse, you’ll have to start switching traffic over to something else eventually. Why not start out with current and future subscribers (aka “users”) who’ve already indicated they prefer not to be tracked by the adtech industry? Just do what we’ve been asking for in the first place.

Here’s how: if a given visitor has checked the do-not-track box, you’ll be able to detect it. Adjust your ad libraries and CDNs to detect the DNT: 1 HTTP header and then show a small message congratulating yourself, and set aside those ad spots for “artisanal” ads. Once things are rolling along you can ditch the old bloated, crappy ads for everybody else.

You can already tell what proportion of visitors have do-not-track enabled, it’s there in the traffic stats if you look for it. You could pitch this to the higher ups with real numbers, and spin it as a Premium Advertising Experience, like organic fair trade traffic without all the slow bandwidth-bloat and creepy surveillance.

The big challenge, of course, is this type of effort involves cooperation between many departments that may not currently get along well. But getting the ad sales people and the ad tech people and the web developers to get along is important.

Nobody likes working on ads, and I know it’s hard to just get buy-in, let alone actually launch a new thing. But an adtech collapse might be an existential threat, better to get in front of this now rather than wait for it to happen.

Also posted on Medium.com

Let's Encrypt (updated)

Update: since this was written, the letsencrypt-auto script has improved significantly. When I tried it again today (December 8, 2015), the process was basically just cloning the GitHub repo and running ./letsencrypt-auto. I’ll leave the original (outdated) information here for posterity.

As of today phiffer.org is being served using SSL encryption thanks to a free certificate from Let’s Encrypt. It’s a recently launched service, sponsored by Mozilla and the Electronic Frontier Foundation (among others), intended to make HTTPS encryption ubiquitous on the web.

Hooray for Let's Encrypt!
Hooray for [Let's Encrypt!](https://letsencrypt.org/)

Let’s Encrypt is very new, and there are still some rough edges, but overall I’m impressed by how smoothly the process went. I wanted to document my experience, in case it’s helpful to others (and future-me). This post is a bit more technical than usual and, because the service is new, much of it may not be relevant very long into the future. That said, I hope this might offer some clues for folks trying to get up and running on HTTPS.

Read more →

Haunted by Data

Here’s Maciej Cegłowski giving a talk on the hazards of Big Data.

The current model of total surveillance and permanent storage is not tenable.

If we keep it up, we’ll have our own version of Three Mile Island, some widely-publicized failure that galvanizes popular opinion against the technology.

At that point people who are angry, mistrustful, and may not understand a thing about computers will regulate your industry into the ground.

See also: the text version of the talk.

Link

Unfit Bits

Hack the planet your personal fitness device!!

Does your lifestyle prevent you from qualifying for insurance discounts? Do you lack sufficient time for exercise or have limited access to sports facilities? Maybe you just want to keep your personal data private without having to pay higher insurance premiums for the privilege?

Unfit Bits provides solutions. At Unfit Bits, we are investigating DIY fitness spoofing techniques to allow you to create walking datasets without actually having to share your personal data. These techniques help produce personal data to qualify you for insurance rewards even if you can’t afford a high exercise lifestyle.

Made by my friends Tega and Surya. Also be sure to download the DIY guide from Biononymous.me.

Link

Could a Bank Deny Your Loan Based on Your Facebook Friends?

Facebook recently filed a rather unsettling patent application describing (among other things) a hypothetical social-graph-based credit scoring system. What level of freaked out would be an appropriate response?

Facebook makes its money by encouraging people to have large friend networks and create lots of content for it to show ads against. And given that that’s the primary profit driver for Facebook, as a practical manner, it would really surprise me if they decided to get into the credit-scoring business, just because I think that’s going to make people feel panicked and uncomfortable. If I were them, I would not be in a giant rush to do that.

This makes me wonder if a lot of people suddenly started blocking ads, would companies like Facebook move quickly to adopt more dystopian business models? Or would they be more likely to start embracing those business models much earlier—quietly, secretly, mischievously—in anticipation?

Link via Ingrid