[liberationtech] Quick Guide to Alternatives
Jonathan Wilkes
jancsika at yahoo.com
Mon Jun 17 11:43:51 PDT 2013
________________________________
>From: Anne Roth <annalist at riseup.net>
>To: "liberationtech at lists.stanford.edu" <liberationtech at lists.stanford.edu>
>Sent: Monday, June 17, 2013 1:13 PM
>Subject: [liberationtech] Quick Guide to Alternatives
>Hi,
>Tactical Tech has been getting a lot of questions lately on what to do to avoid being spied on - like probably most everyone on this list.
>We have compiled this 'Quick Guide to Alternatives', based on Security in-a-box and more.
>https://alternatives.tacticaltech.org
Quick critique of one of the entries:
1) "Many commercial email providers, such as Google or Yahoo, collect a huge amount of user information which can be handed over to third parties from advertising companies to
governments. Furthermore, some do not offer users an encrypted
connection (known as HTTPS or SSL) by default, meaning that emails are
sent in 'plain text' and readable by malicious hackers, Internet Service Providers, and others with access to the networks as they travel
between users' devices and the email provider's servers."
Change
"Furthermore, some do not offer users an encrypted
connection (known as HTTPS or SSL) by default"
to
"Google's Gmail offers users an encrypted
connection (known as HTTPS or SSL) by default but others do not,"
2) "Riseup is a collective organization
dedicated to providing private and secure email and hosting services
for individuals and organisations committed to political and social
justice."
I'll hold off on a suggestion for #2, but do keep in mind that you're going to get views from non-technical people who will
read "secure email" and "https" above and think, "Hey, that's like what I use to log in to my bank, so obviously I want to
use a service that keeps my messages that secure when they get sent _over_ _the_ _internet_." They join Riseup and
can now breathe a sigh of relief as they send "secure" email to all their friends at gmail.com, or wherever. Oops.
Also, notice that the problem actually gets worse when you tell users that Gmail offers https by default. Either they
just use gmail, or they think sending a message from "secure" riseup to "secure" gmail keeps their data secure. Neither is
true, and to actually gain any meaningful control over who can read their messages they still have to use Enigmail or
similar software.
Finally, the user of riseup must trust the description of their service on the website to be true because it is a form of
privacy by policy. If joining it is to be anything other than practicing the bad habit of trusting implicitly something you
read on a list on the internet, you need to know and trust someone from the internet security/privacy world who can vouch
for the security of the system based on their own human trust relationship with someone who runs riseup (or is closely
connected to it). If you're a human rights worker and you have such a relationship with a security/privacy expert, you'd
do better to pay them for some tutoring sessions on setting up and using one or more of the following: ssh, Tor, Tor + ssh,
torchat, and possibly otr + pidgin and help them develop a working experience about what the threats are to their privacy in
those instances.
-Jonathan