Which sites/programs do you boycott?

[Rusky]

it just does not make business sense to "do evil".

And yet, government agencies like the NSA or GCHQ managed to get several high-profile businesses to do exactly that. Including, notably, backdoors in networking devices like routers.

A more open process where many entities are responsible for preventing things like that (or even just speaking up about them) makes such evildoing much harder. Imagine, for example, how much more invisible tracking would be done on the web if we didn't have open source, extensible browsers like Firefox pushing back against closed-source ones like Internet Explorer.

[iansjack]

it just does not make business sense to "do evil".

And yet, government agencies like the NSA or GCHQ managed to get several high-profile businesses to do exactly that. Including, notably, backdoors in networking devices like routers.

If you are talking about the revelations by Snowden, companies did not put backdoors in their routers. The allegation is that routers destined for export were intercepted by the NSA and backdoors were installed at that stage. No question there of government agencies persuading the high-profile businesses to do evil.

Far from being complicit in this abuse, Cisco have taken steps to thwart it: http://www.theregister.co.uk/2015/03/18 ... dead_drop/

I make no claim that government agencies do no evil - and they could just as well infiltrate open-source groups. I'd be very surprised if they haven't done so.

[darkinsanity]

I can only assume that you have never worked for a large corpoation in a decision-making role. Whatever the tinfoil hats may imagine, it just does not make business sense to "do evil".

You don't need imagination for that, only observation. How much did it hurt HTCs sales numbers when it was discovered that their version of Android contained spyware? How much did it hurt LGs sales numbers when it was discovered that their smart-TVs spied on people? How much did it hurt Microsofts sales numbers when it was discovered that Windows 8 reported back a list of the apps you installed over a poorly encrypted SSL-connection?
It does make business sense to "do evil". Because you get data that way, and data is money, especially in the growing field of targeted advertising.

And in a corporation of any size you cannot keep secrets - there is always a potential whistle blower with a sense of moral purpose. It's easy for an individual to do evil and keep that secret; it is almost impossible for a multinational to do the same.

Theres a far more efficient way of dealing with secrets: You keep them secret as long as you can, and when somebody finds out, you just lie like hell. For example, look at the LG smart-TV case. When somebody found out his TV was spying on him, LG just said that this was part of an experimental feature and ended up in the final software by accident. It's that easy.

[iansjack]

I'd say there is a big difference between companies or organizations tracking data about viewing or buying habits, which happens all over the Internet, with spying software being installed by the NSA. Personally, it bothers me not in the least that Sony, Amazon, LG, whoever might be tracking what I view or what I buy. If they want to use that information to target adverts at me then so what? At least they might realize that I am not interested in Viagra or opera. I prefer targetted ads to random crap.

Far more of a nuisance, as far as I am concerned, is all the Spam I am bombarded with - not from multinational corporations but from individual chancers. Luckily, Spam checkers - which track my mail reading habits and transmit information about what I consider to be Spam back to the mothership - help me deal with that nuisance. There's a surprise; tracking my data usage actually helps me.

If I were silly enough to use the Internet for any unencrypted information that I thought was important the NSA angle might worry me more. As I live by the rule "trust no-one on the Internet" none of it bothers me at all.

[darkinsanity]

I'd say there is a big difference between companies or organizations tracking data about viewing or buying habits, which happens all over the Internet, with spying software being installed by the NSA. Personally, it bothers me not in the least that Sony, Amazon, LG, whoever might be tracking what I view or what I buy. If they want to use that information to target adverts at me then so what? At least they might realize that I am not interested in Viagra or opera. I prefer targetted ads to random crap.

Are you just telling me that the only reason why the NSA spying on you is bad is because they aren't trying to sell you something?

[iansjack]

I'm certainly saying that if the only reason that the NSA was spying on me was to determine whether I am likely to buy government bonds then I wouldn't consider it "bad" (other than being a waste of taxpayers money). I think there are probably more important things to warrant my concern than the tagetting of advertisements.

[Rusky]

The targeting of advertisements creates a large body of data that government agencies can pull from. That's why they went after corporations like Facebook, whose entire business model is centered around gathering as much data about people as possible.

Having "nothing to hide" or "encrypting everything important" are terrible reasons not to care about surveillance. The level of detail at which these groups know about you would surprise you. For example, they can collect your browser history through Facebook "like" buttons, just through fingerprinting your browser, without you explicitly giving anyone anything.

The problem with this is that this is the sort of data the government agencies want. They don't want to read your emails or documents; they want metadata about the places you go, the things you care about, the people you talk to.

Now, the reason open source is important in this context is that it gives people the option to control this sort of thing. Like I mentioned above, Firefox made browser extensions possible, which enabled ad blockers and other plugins that can block this sort of tracking. It also gives us things like Tor or TrueCrypt that can be trusted far more than any closed-source tool could ever be.

Finally, this sort of thing may not be important right now to you specifically, but it certainly matters to people like journalists or activists working against oppressive regimes or harassment groups, and it certainly matters as a safeguard against things getting worse in the future.

[AndrewAPrice]

If I wanted to know the recipe, understand it, be sure what the chef did before eating my meal, then I would indeed prefer "open source restaurants". For restaurants this is usually not the case, as I simply trust them that they won't poison me.

However, for security critical software such as operating systems, communication software etc. I prefer to know its inner working mechanisms. Even if I don't have the time to understand the complete source code myself, I prefer if it is open to the public, and there is a community around it who has an eye on it. The point is that I simply don't trust certain companies and their closed source software. Of course, one can also figure out what this software is doing, but it's considerable more difficult. And of course open source doesn't mean absolute security. It is simply a matter of convenience in checking the inner working mechanisms of some software.

On personal risk level, trusting a restaurant is more risky, for me, than trusting software I install on my computer. Food has the potential to be poisioness, infect me, make me sick, shorten my lifespan, lead to long term side effects.

Bad software has the potential to kill my computer, steal my money (which I often look at my bank statement and would report this to my bank), spam people on my Facebook, etc. Bad, but at least I'm healthy, alive, and have the support of my friends and family to recover.

This mistrust in the software or data handling policies may also be due to geopolitical reasons. I am originally from Germany, and one very important thing for Germans is their privacy (which might be related to a lack of privacy in Eastern Germany during the GDR time). Things like the NSA activities revealed by Snowden have caused many Germans to mistrust American companies, from which the NSA might get information almost with zero effort. Also here in Estonia, which was ruled by the Soviet Union for quite some time, similar feelings exist, probably also due to the vicinity to Russia.

I agree but that's slightly beyond the control of the software I install on my PC. Once you interact over a network, how can we trust the server? Even a site claims to use open source software, how do you know the software running on the server hasn't been modified to add security exploits? We have to trust other people to some point.

I use Facebook, and I understand it's beyond my control once Facebook gets my pictures and posts, so I only post stuff on Facebook that I wouldn't care if my employer/government/worst enemy/stranger saw it. I occasionally order stuff online, so I've trusted websites with my credit card and address, but I know my bank takes fraud seriously (and they call me if I make a big order online to confirm it's me).

You have to trust closed source stuff to some point, or you're missing out on much of what modern culture has to offer - online shopping, social media, video games, mobile phones, GPS navigation. Just use common sense. If security is your biggest reason to not use priority software, why not build a second computer that's kept offline that you out your sensitive data on.

[Rusky]

Proprietary vs open source isn't black and white. You can advocate for open source and use it when possible, and even "boycott" (ugh) some particular proprietary software without giving up all black boxes.

[iansjack]

The level of detail at which these groups know about you would surprise you. For example, they can collect your browser history through Facebook "like" buttons

Oh no they can't! If you're stupid enough to use Facebook, or other social media, then you have only yourself to blame, and you should have far greater concerns than what use Government is making of that data. It's far more probable that some low-life individual will use it for identity theft. It never ceases to amaze me that people will tweet of their holiday plans, or turn on an "out of office" message on personal email accounts. It's like putting a big placard outside your house - "Empty house - help yourself".

Now, the reason open source is important in this context is that it gives people the option to control this sort of thing.... Firefox made browser extensions possible, which enabled ad blockers and other plugins that can block this sort of tracking

Like the add-ons and extensions available for Internet Explorer, Safari, and Opera?

Proprietary vs open source isn't black and white. You can advocate for open source and use it when possible, and even "boycott" (ugh) some particular proprietary software without giving up all black boxes.

I couldn't disagree with that (although I still think the word boycott is wrong in this context - just avoid using software because you don't like it). Heck, you could even decide to not use one of the most popular Linux distributions because of their history of collecting data about you under the radar. (And, for those who think that open source is immune to that sort of abuse, it wasn't discovered by studying the source code. It was discovered, just as it would be with proprietary software, because unexpected outgoing data packets were detected.)

[Rusky]

The level of detail at which these groups know about you would surprise you. For example, they can collect your browser history through Facebook "like" buttons

Oh no they can't! If you're stupid enough to use Facebook, or other social media, then you have only yourself to blame

You are mistaken. Every Facebook "like" button, every Google analytics script or "+1" button, every Twitter "tweet this" button, all know two things- which page they're embedded in, and which browser is visiting them. They can use cookies to track you, and even if you disable cookies, they can use browser fingerprinting like that Panopticlick link showed. And this is not just speculation either- Facebook builds up "shadow profiles" of people based on "holes" in their friends' social networks, and if/when you ever make an account, it has a pre-existing mountain of data on you already. The only way around this is to block those buttons from even loading in the first place (yay, ad blockers) or in some cases to block javascript.

Now, the reason open source is important in this context is that it gives people the option to control this sort of thing.... Firefox made browser extensions possible, which enabled ad blockers and other plugins that can block this sort of tracking

Like the add-ons and extensions available for Internet Explorer, Safari, and Opera?

Maybe I should credit Opera with the idea of extensions, but Firefox and Mozilla deserve credit for popularizing them, as well as making the whole ecosystem more trustworthy by making it easier for security researchers to check the browser itself. Not just phoning home (which, yes, you can do with open source network debugging tools enabled by openly specified network protocols), but backdoors and even (especially) security vulnerabilities.

[darkinsanity]

On personal risk level, trusting a restaurant is more risky, for me, than trusting software I install on my computer. Food has the potential to be poisioness, infect me, make me sick, shorten my lifespan, lead to long term side effects.

Bad software has the potential to kill my computer, steal my money (which I often look at my bank statement and would report this to my bank), spam people on my Facebook, etc. Bad, but at least I'm healthy, alive, and have the support of my friends and family to recover.

Try telling that the people that got killed by drones because of their metadata.

Once you interact over a network, how can we trust the server? Even a site claims to use open source software, how do you know the software running on the server hasn't been modified to add security exploits? We have to trust other people to some point.

That's a catch question. For example, let's assume that the server hosting osdev.org was manipulated. What could it possibly do to harm me? Hand my email-address over to spammers? Yes, it could try to manipulate the site content to attack my browser, but when that succeeds it's my browsers fault for being vulnerable. If I don't want my trust to be misused, I simply don't give it away in an inflationary way. If osdev.org would require me to tell my real name, real address and my IBAN, I simply wouldn't have an account.

You have to trust closed source stuff to some point, or you're missing out on much of what modern culture has to offer - online shopping, social media, video games, mobile phones, GPS navigation. Just use common sense. If security is your biggest reason to not use priority software, why not build a second computer that's kept offline that you out your sensitive data on.

There's a difference between using and trusting. I have used lots of software in the past that I didn't trust, there's VirtualBox & friends for that. I also have to use intermediate routers to access the internet, but I don't trust any of them, that's why I use SSH instead of telnet.

[iansjack]

You are mistaken. Every Facebook "like" button, every Google analytics script or "+1" button, every Twitter "tweet this" button, all know two things- which page they're embedded in, and which browser is visiting them.

and you are telling me this only happens if I use a closed-source browser like IE? Otherwise it isn't really relevant to what you are saying.

[Antti]

If security is your biggest reason to not use priority software, why not build a second computer that's kept offline that you out your sensitive data on.

I think this is the superior solution. Old computers without wireless connections are very suitable for this.

and it certainly matters as a safeguard against things getting worse in the future.

Actually, maybe it could get worse because of this. If normal people are increasingly using "encrypt everything & privacy for any cost", the methods for surveillance are just getting uglier. But it seems that it is done in one way or another.

[embryo2]

I can only assume that you have never worked for a large corpoation in a decision-making role.

Well, just look at yourself after reading this.

And in a corporation of any size you cannot keep secrets - there is always a potential whistle blower with a sense of moral purpose.

As you can see if followed the link above (and links from the linked page) it is the question of hundreds of billions of $ to keep some secrets. But even if there was an official investigation then still the fines are just a small bit of the real fraudulent income. So, the government spying supported by you now opens the road for a very serious worldwide problem - corrupted (because uncontrolled) governments just sell you to the supporters of drug trade and terrorism.

And now read your words again:

The world is not a James Bond novel with evil masterminds reigning vast private empires of nefarious henchmen.