[talk] a Guardian article

George Rosamond george at ceetonetechnology.com
Fri Mar 31 11:05:00 EDT 2017


Antti Kantee:
> On 31/03/17 13:09, George Rosamond wrote:
>> Mirimir:
>>> On 03/30/2017 08:16 PM, Charles Sprickman wrote:
>>>>
>>>>> On Mar 30, 2017, at 9:20 PM, Antti Kantee <pooka at iki.fi> wrote:
>>>>>
>>>>> On 31/03/17 00:38, George Rosamond wrote:
>>>>>> Yet another article about mitigating the sale of user data by ISPs...
>>>>>> except this one features a picture which is piqued my interest...
>>>>>>
>>>>>> https://www.theguardian.com/technology/2017/mar/30/privacy-protection-web-browsing-history-data-congress
>>>>>>
>>>>>
>>>>> Does anyone have recommendations for a daemon which creates fake
>>>>> traffic?
>>>>
>>>> A Tor exit node? :)
>>>
>>> Or install Hola VPN, which routes users through other users' uplinks.
>>> And sells them as a service through Luminati.
>>
>> I think it depends on what he means by "fake traffic." My first read of
>> his email was to assume he meant "fake news."... oh these crazy times...
>>
>> Tor, without acting as an exit, can generate encrypted traffic depending
>> on usage and configuration.
>>
>> Or you could just run a background script pulling/pushing traffic over
>> ftp/curl/fetch/wget from a $hosts list...
> 
> Well, if the attack is the ISP looking at your traffic, generating a
> profile, and selling that to advertisers (or who knows where), and fake
> traffic is the countermeasure, then fake traffic should somehow prevent
> the attack from happening.  In other words, the traffic should look like
> a handful of people browsing, but be "all over the place" so as to
> prevent profiling -- e.g. generate traffic both to fox news and msnbc
> and also somewhere else for actual news.

First, I'm not sure if generating fake traffic is necessarily the best
mitigation to surveillance. It would need to be sufficiently randomized
to not be clearly segmented as "fake".

There was some Firefox plugin a few years back out of NYU that tried to
do this with queries to various search engines. An early version of it
was dismissed by Schneier IIRC.

It would seem the best countermeasure to ISP surveillance is using HTTPS
for www browsing if you're concerned about content, although obviously
the meta-data (source, destination, when, from where, etc) isn't hidden.

If you're just looking at mitigating surveillance and your sole
adversary is the ISP, then Tor for all TCP traffic makes sense,
including IMAP and SSH. An alternative is certainly VPNs in this case,
although then if you're using a provider, you're now concentrating all
traffic you're attempting to hide with one choke-point.

> 
> I fear that approaches such as a tor exit node supply traffic which is
> all too easy to discard from consideration for the profile.
> 

Tor traffic *should* just look like HTTPS traffic and there are other
pluggable transports available (eg, Meek and obfsproxy) which give
different traffic profiles. You could also utilize a Tor bridge remote
from your location so all traffic just flows to that point and enters
the Tor network after the bridge.

> Hmm, I just wrote a mail about a subject I don't know anything about and
> hope someone else did the work.  The spirit of open source is truly in me!

Are we going to startup that auto-invoice feature on this lists?  High-time!

;)

g




More information about the talk mailing list