February

Tracking Opt-out

In recent weeks, developers for Firefox and Chrome have announced that the next version of their browsers will include an option to opt out of behavioral tracking [1] [2].

This seems like a great idea! After all, advertisers have started to collect massive amounts of detailed data on our behavior in order to bombard us with ads precisely targeted to our individual desires.

Unfortunately, one great tragedy of being a radical is that life holds so few surprises. Therefore, you are probably not shocked to hear that Google (the largest online advertiser in the world) created a really crappy system in their Chrome browser for blocking behavior tracking (the very practice they make billions on).

The Chrome method relies on a voluntary system set up by the Network Advertising Initiative, an industry group. According to one detailed report, this system is a total sham [3]. Its only success is in lulling regulators into thinking that self-regulation is working.

What about open source Firefox? After all, it is produced by a non-profit foundation (albeit one that gets most of its funding from Google). Although the Electronic Frontier Foundation has lauded Firefox’s approach [4], we have to give it a failing grade. The Firefox method is technologically superior to Chrome’s approach, but it is even less useful because it doesn’t actually block any tracking. It relies on the hope that some day the advertisers will decide to recognize the Firefox-specific indication of an ‘opt-out’. This strategy has the same problem as the Chrome method: both rely on a system of voluntary compliance that has proven to be a complete failure.

Ironically, it was Microsoft that developed the first effective technology for preventing unwanted tracking. In Microsoft’s design, Internet Explorer would automatically learn to detect and block tracking by analyzing the content of the websites you visited. Even better, this technology was going to be enabled by default! But the story does not end well. According to the Wall Street Journal [5], programmers developed this amazing feature only to have it killed by Microsoft executives bowing to pressure from advertising companies. The feature is still in Internet Explorer, but is so amazingly cumbersome to use that it might as well not exist.

It is a good sign that the three major web browsers are thinking about behavior tracking. Unfortunately, their half-hearted attempts to address the problem deserve a failing grade.

As it happens, the Riseup birds are also thinking about ways to block behavior tracking. One method is to use the new Riseup VPN service that we are currently beta-testing. If you want to help test it, and you are a Windows, Mac, Linux, or Android programmer and you want to help with making the clients easy to use, send mail to vpn@riseup.net.

On passwords and antifascists

If you are in Germany, you probably heard wild reports about riseup.net getting “hacked” (https://linksunten.indymedia.org/de/node/32436) by a German antifa activist in order to prove a point about lax security practice among antifa activists.

Head for the hills! Throw away your computers! Or… maybe not. In truth, none of our systems were compromised, but the attacker was able to acquire the passwords of antifa activists by various methods:

(1) installing keyloggers on the computers individual activists used.

(2) guessing passwords and password reset questions by using their knowledge of the activists.

(3) brute force attempts to log in using thousands of different passwords.

Passwords are the weak link in most security systems, and Riseup is no different. This is why we require strong passwords (although the accounts that got broken into appear to have had weak passwords from before we required strong passwords).

Two recent events have caused us to re-assess our password policy: this antifa incident and media reports of the ease with which some password reset questions can be answered by reading Facebook profiles.

In this light, we have made the following changes:

(1) you can no longer reset your password using the ‘secret question’.

(2) when you attempt to reset your password using an alternate email address no indication is given if it worked or not.

(3) the timeout for failed login attempts has been increased.
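
Changes (2) and (3) can be sketched in a few lines of Python. This is an added example, not Riseup's code: the class name, the reply text, the doubling schedule and every number in it are assumptions chosen for illustration.

```python
import hmac
import secrets

# One reply for every reset request, whether or not anything was sent.
GENERIC_REPLY = "If the details match our records, a reset link has been sent."

class AccountGuard:
    """Hypothetical helper; names and numbers are assumptions, not Riseup's."""

    def __init__(self, alt_emails, free_attempts=3, base_lockout=30, max_lockout=3600):
        self.alt_emails = alt_emails      # username -> alternate email on file
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout  # seconds
        self.max_lockout = max_lockout    # seconds
        self.failures = {}                # username -> (count, locked_until)
        self.outbox = []                  # (address, token) pairs queued for mailing

    def request_reset(self, username, claimed_email):
        stored = self.alt_emails.get(username)
        # Compare against a random dummy for unknown users so both paths do similar work.
        reference = stored if stored is not None else secrets.token_hex(16)
        same = hmac.compare_digest(reference.lower().encode(), claimed_email.lower().encode())
        if stored is not None and same:
            self.outbox.append((stored, secrets.token_urlsafe(32)))
        return GENERIC_REPLY              # identical in all three cases

    def lockout_seconds(self, count):
        # No delay for the first few mistakes, then double per failure up to a cap.
        if count < self.free_attempts:
            return 0
        return min(self.base_lockout * 2 ** (count - self.free_attempts), self.max_lockout)

    def record_failure(self, username, now):
        count = self.failures.get(username, (0, 0))[0] + 1
        locked_until = now + self.lockout_seconds(count)
        self.failures[username] = (count, locked_until)
        return locked_until

    def may_attempt(self, username, now):
        return now >= self.failures.get(username, (0, 0))[1]

    def record_success(self, username):
        self.failures.pop(username, None)
```

A per-account lockout slows password guessing, but it also lets anyone delay a known user's login by failing on purpose, which is why the delay is capped.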

If you want to regain access to your account if you forget your password, you should make sure you have a valid alternate email address set. You can check this from the ‘Change my settings’ link on our mail page. While setting this is a good idea if you might forget your password, it does make your account less secure, and requires you to have an alternate email which you store with us. We recognize that this is not a good solution. We are exploring ways of improving our password system, possibly enabling the use of one-time-passwords and non-password forms of authentication.

One problem we face is that many users have old passwords from before we required strong ones. We are currently trying to figure out how to get people to update their password, without being too harsh about it. Perhaps a singing telegram?

Skipping to the Surveillance Apocalypse

Some good news, for once:

Twitter takes US government to court over gag order. http://www.wired.co.uk/news/archive/2011-01/11/twitter-subpoena-reaction

And the typical bad:

Bradley Manning, the soldier accused of leaking documents detailing illegal actions of the US military in Iraq and Afghanistan, has spent eight months languishing in solitary confinement, awaiting a military trial. You can keep up with Manning’s case at www.bradleymanning.org.

Dreams and Schemes

Our dreams do not always match our pocket books. Our dreams do not always need our pocket books, but sometimes they do. As usual, here at Riseup headquarters, we are scheming and dreaming about new ways to build secure and vibrant tech for our social movements. Any money you could send our way would be hugely appreciated and used wisely. https://help.riseup.net/about-us/donate/