Tor bust, HTTPS everywhere, Google Next

  • Finnish police busted one Tor user. How did they get him? There are a few theories, even though the police haven't revealed the method yet, and might not reveal it in the future either. 1) Bragging 2) Identity separation 3) Failure when transferring data / knowledge between identities - This just highlights the well-known fact that identity separation is extremely important and very, very easy to fail. You need to be careful, have correct procedures and routines to follow, and know what you're doing. Never do anything which might provide a link between your different identities. Identity isolation needs to be perfect. It's preferable that your parallel identities share nothing. Every identity should be limited to a specific operational scope and not used for anything else at all. In this case, it's likely that it was the third mistake: you download file Y from source X and then redistribute the same data under a different identity, failing separation and creating a strong correlation. This is also a perfect example of why you must not carry your burner phone(s) with you: a burner can very easily be statistically linked to you if you're carrying two phones. It's trivial in technical terms. From a data analysis point of view, and depending on usage patterns, it should also be quite easy to predict where and when that burner phone will turn up / on next, if it's mostly kept powered down. Always randomize, and make sure there are no links. If releasing any photos, it's also of utmost importance to make sure that the photos do not carry any information other than what's intended. No reflections, no EXIF data, no furniture, outdoor light or even environment coloring. Just the plain subject, photographed in a good studio setting, and only that.
  • Found the data EFF's HTTPS Everywhere is storing about private browsing in a hidden database (storage-sync.sqlite). This is exactly the trap of modern computing: data is being stored everywhere without user knowledge, even in private modes, and there's no way to access or delete it without hacker knowledge. In this case a list of HTTP domains being accessed is persistently stored in the database, even if the browser is being used in private mode. Really annoying, and this is only a very small peek; there's tons of software doing similar "favors" for users. It's really nearly impossible to find any privacy-respecting applications today. I found this by accident, because browser behavior wasn't clean anymore. I started to wonder if there's some secret data being captured by the software and retained between sessions, and I found it. Yes there is. - Thank you for that. Private mode isn't nearly as private as users might think. And even extensions by EFF betray you. As a bonus, they do not provide any interface to see this data; it's hidden, so there's no way users can easily erase or modify this data. - Thank you for that, guys. And yet another reason why normal computer environments can never be used for anything requiring privacy or secrecy. Systems are inherently and by design extremely broken. No wonder computer forensics guys have an "endless trail of data evidence to follow". As mentioned, if you don't want it to be public knowledge, don't do it at all. For everything you're using a smartphone or computer for, you should expect no privacy whatsoever. That's a very good tip and hint for everyone. Why is sync data being updated when I'm not even using sync? ref: collection_name: default/https-everywhere-eff@eff.org, record_id: key-disabledList. The advanced mode allows you to add rules, but it doesn't allow you to view any of the existing (custom) rules. This obviously sucks. It's not documented, but I found a way to access the HTTPS Everywhere hidden domain list. It's under extension preferences, where you can manage features like automatic updates. All other extensions have a separate preferences & settings section, accessible via normal extension controls, but this one is hidden under extension management & updates. Found it, good. I'm sure most users don't even know about that list. It would be really nice if it provided temporary and permanent / persistent options.
  • Watched many Google Next talks, but those are mostly kind of fluff without interesting technical details. Google Cloud Platform (GCP) 101, Cloud to the Fun Part, 101, Keynote, DevOps vs SRE, that was an interesting and good talk. And of course the future of Google Sites, which I've been complaining about. Yet, nothing really new in the talks.
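
A read-only audit of what extensions have persisted in storage-sync.sqlite, relating to the HTTPS Everywhere item above; this is an added example, not part of the original post. The table name collection_data, its JSON record column and the record layout are assumptions about the Firefox file format (only collection_name and record_id appear in the post), and the sample rows and helper names are constructed.

```python
import json
import sqlite3

# Assumed schema: one row per stored key in a table
# collection_data(collection_name, record_id, record), where record is JSON.
# Verify against a copy of your own profile's storage-sync.sqlite.
SCHEMA = "CREATE TABLE collection_data (collection_name TEXT, record_id TEXT, record TEXT)"

def build_sample_db():
    """Constructed in-memory stand-in for a profile's storage-sync.sqlite."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = [
        ("default/https-everywhere-eff@eff.org", "key-disabledList",
         json.dumps({"id": "key-disabledList", "key": "disabledList",
                     "data": ["example.test", "intranet.example"]})),
        ("default/other-addon@example.invalid", "key-theme",
         json.dumps({"id": "key-theme", "key": "theme", "data": "dark"})),
    ]
    db.executemany("INSERT INTO collection_data VALUES (?, ?, ?)", rows)
    return db

def open_profile_copy(path):
    """Open a copied database read-only so the audit cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def audit(db, extension_id=None):
    """Return {collection_name: {record_id: stored value}} for review."""
    sql = "SELECT collection_name, record_id, record FROM collection_data"
    params = ()
    if extension_id:
        sql += " WHERE collection_name = ?"
        params = ("default/" + extension_id,)
    found = {}
    for coll, rec_id, raw in db.execute(sql, params):
        try:
            value = json.loads(raw).get("data")
        except (ValueError, TypeError, AttributeError):
            value = raw  # keep unparseable records visible instead of hiding them
        found.setdefault(coll, {})[rec_id] = value
    return found

if __name__ == "__main__":
    for coll, records in audit(build_sample_db()).items():
        for rec_id, value in records.items():
            print(f"{coll}  {rec_id}  {value!r}")
```

To check a real profile, close the browser, copy storage-sync.sqlite elsewhere and pass the copy to open_profile_copy() before calling audit().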

2020-07-05