In this and two following articles I'd like to take a look at three different areas of personal data storage, how I see a majority of people handling these three issues and what my personal theoretical approaches regarding them are. This is going to be purely about data storage and security, not transport security, which is another topic on its own.
The questions mainly are:
First of all, the three distinctions of data storage I'd like to make, and also how I'm splitting the articles, are the following:
Let's start with email storage. Where are your emails stored? The vast majority of Internet users have an email account with one of the big free email providers or they might have an account that is provided by their Internet Service Provider (ISP). Maybe you even use some shared web hosting somewhere which comes with shared email servers. Whichever of these is the case: your emails are effectively stored with a third party, an ISP that is not you.
Let me ask you this: where is your mail stored? And by mail I actually refer to physical mail: letters. Where are they received? Surely you have a mailbox at your home, or you might have a post-office (PO) box. Most likely you'll be receiving your mail at your mailbox in front of your house and then store it safely inside your home. Would you want your letters to be sent to a third-party that is sending you a copy but also storing all your letters within their own house? Probably not.
I believe we have a major misunderstanding of how we are currently treating email. We are giving away our email data to big companies that make a living with it (along with other services). Always keep in mind that you're most likely not the customer when using a free service, you might be the actual product. If events in the last years regarding the NSA and Edward Snowden have shown us anything, it's that our data stored at big ISPs is most likely easily accessible by governments.
Instead of using such a centralized infrastructure, we should be decentralizing Email in the same way our usual mail system works. When you go back looking at the development of email, it actually was meant to be exactly like that.
My suggestion for email therefore is this:
This is just a very brief overview of why I suggest hosting your own email server. There are lots of other things to consider, and running an email server is by no means an easy task; I understand that.
As a concluding suggestion, I'd like to introduce the website PRISM Break which lists free and open alternatives for all kinds of proprietary and closed solutions. Specifically for mail servers: PRISM Break Mail Servers
In my next article I'll be taking a look at preference storage, where to save application preferences, what to do with browser syncing and phone syncing.
Article NSA parody logo cc by EFF. Article title in reference to "All your base are belong to us".
With the A588T, Lenovo released a neat Android 4.4 based flip phone on the Chinese market. It comes with a touchscreen and also allows the user to completely flip the screen by 180° to make it usable as a conventional smartphone. It doesn't seem to be very popular, as documentation on it is very scarce and I can't even seem to find an official Lenovo product page.
Since the model I got my hands on is only intended for the Chinese market, it comes with several restrictions:
Yes, 3G won't work outside China Mobile networks which is, for the most part, limited to mainland China. While most of the phone initially seems to be available in English, after updating Lenovo store and other apps, they are only available in Chinese, dropping English language support. Quite the bummer.
The biggest drawback is support for the hardware keyboard, however. It always seems to suggest Chinese and not English input. I somehow got it to suggest English at one point but it's far from proper T9 support like we had back in the days. I have yet to find a proper solution for this. Either way, this is not part of this guide.
I wanted to have Google Play available and also get root access, since I like to be in full control of my devices. Most of this article is based on the video "How to Root every MTK China Phone" by ITXtutor. Do note that the general idea of this article does indeed work with other MTK devices, only some aspects (like the firmware) are Lenovo A588T specific.
This guide is relying on tools for Windows and is therefore meant for Windows only.
As prerequisites you may want to download the following tools:
As I'm assuming everyone knows how to extract and install these files, I won't mention that as an extra step. You may need to install additional ADB and device-specific USB drivers. I'm not covering this for every device; for the Lenovo A588T, drivers are included within the "FlashTool" folder of the firmware linked above.
If you'd like a fresh start or upgrade your firmware, flash Lenovo A588T firmware version S044 on your phone using MediaTek Smart Phone Flash Tool. Be aware that this will delete all your data stored on the phone and is a completely optional step:
Follow these steps to create a full backup of your current ROM:
Now that you have successfully created a backup, it's time to install CWM recovery:
After CWM recovery has been successfully flashed, it's time to see if it's working alright. Boot your phone into CWM recovery by holding down Volume up, Volume down and the Power button at the same time. If you end up in the CWM recovery menu, everything is working as intended. It should say something along the lines of "rua1 autoCWM" at the top of the screen.
Installing SuperSU and Google apps is a piece of cake now:
Congrats! You should now have SuperSU as well as Google apps installed successfully. This will give you root access and the full app range of Google's Play store.
Recently MachineGames' new video game Wolfenstein: The New Order was released. In case you are not familiar with the popular Wolfenstein series, it began way back in 1981 with Castle Wolfenstein and essentially is a video game series revolving around Nazis and organisations which were active in Nazi Germany. You do not play as a Nazi, instead you play against them. So effectively you are killing Nazis within the game.
The more popular part of the series Wolfenstein 3D released in 1992 was "confiscated" in Germany in 1994 because of its use of the Swastika which in this context is considered a symbol of an unconstitutional organisation. The use of such symbols is regulated by German law in § 86a StGB and can lead to a fine and/or imprisonment of up to three years. When a video game is "confiscated" in Germany it effectively means the following (for a more thorough analysis see this (German)):
So, assuming you already owned the game before the "confiscation", it is perfectly legal to keep it and play it. It is also perfectly legal to import the video game from another country which most people don't seem to know about. To me this doesn't really seem like a "confiscation" which is the German term used by law: "Beschlagnahmung", hence I put it in quotes. Instead I'd call it a ban, effectively censorship even.
Now you might be wondering: what about movies or television series involving the use of such symbols? Well, according to German law you may be allowed to make use of such symbols in certain cases like for example for "art" which is regulated in § 86 StGB. The next question is: those are considered art, but video games are not? Who says?
Answering this question would be an article on its own and effectively there is no decisive answer. It's a matter of court decisions in the past, a matter of a people that doesn't even want to touch certain topics due to a taboo and an industry that is rather scared and goes the "easy" way of censoring their video games for the German video game market instead of fighting against censorship.
Anyway, the discussion on why this ban exists is irrelevant to the point I actually want to make. As you have learned now, video games might get banned in Germany due to usage of symbols used by an unconstitutional organisation and regardless of that it is still perfectly legal to import such games from other countries. And here comes the catch.
Back in the days without digital rights management (DRM) it was as easy as importing a video game from another country, installing it and playing it. On the PC anyway, video game consoles already had a kind of a region lock through NTSC and PAL standards. But that's again another topic.
Let's go back to the recently released game Wolfenstein: The New Order, which uses Steamworks as its DRM. To play the game you will have to activate it online with Valve Corporation's Steam software. And here's what Bethesda Softworks, the publisher of Wolfenstein: The New Order, decided to do: they released a censored German version without the use of any unconstitutional organisation symbols and, to top it off, disallowed the activation of the uncensored version from a German IP address.
Within Germany I'm only allowed to activate and play the censored version even though by law it is perfectly legal for me to import the uncensored version from another country. Since the Steam Subscriber Agreement disallows use of any proxy servers or virtual private network (VPN) to obfuscate my location, I have no legal and allowed means to play a perfectly legal and legit copy of an imported video game.
"You agree that you will not use IP proxying or other methods to disguise the place of your residence, whether to circumvent geographical restrictions on game content, to purchase at pricing not applicable to your geography, or for any other purpose. If you do this, we may terminate your access to your Account." - Steam Subscriber Agreement
Thank you for fucking over the honest customer. Obviously you don't want people's money, you made that abundantly clear.
Since Wolfenstein: The New Order is a single player only game it is happily shared by thousands of German peers... and you shouldn't even really be mad at them... Bethesda Softworks caused this themselves.
Since the illegal closure and take-down of Megaupload in January 2012, people have been anxious about what might happen with the case and whether a new Megaupload would follow. Kim Dotcom already announced the relaunch of Megaupload in November 2012, and exactly one year after the raid the new Megaupload, now simply called MEGA (MEGA Encrypted Global Access), has launched.
What supposedly makes MEGA different from every other file hosting service such as Dropbox, Google Drive and more is the built-in and mandatory end-to-end encryption. A reason for them to implement this is of course so they can have plausible deniability and claim that they have no idea what kind of content is hosted on their service. A side product of that is also privacy for their users, hence MEGA also calls itself "The privacy company". Is it really, though?
A quick look at the Security & Privacy page of their Help center shows this:
"All encryption is end-to-end. Data uploaded is encrypted on the uploading device before it is sent out to the Internet, and data downloaded is decrypted only after it has arrived on the downloading device. The client machines are responsible for generating, exchanging and managing the encryption keys. No usable encryption keys ever leave the client computers (with the exception of RSA public keys)." - MEGA Help center
That sounds pretty awesome. Real end-to-end encryption, that seems pretty safe to me. Let's take a closer look. They are kind enough to lay out their exact process with their MEGA API on the developers page. There it reads:
"Each user account uses a symmetric master key to ECB-encrypt all keys of the nodes it keeps in its own trees. This master key is stored on MEGA's servers, encrypted with a hash derived from the user's login password." - MEGA API
Eh? So, the master key is after all stored on MEGA's servers? I'm confused.
"In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key." - MEGA API
What? So... the symmetric master key is stored on MEGA's servers albeit "encrypted with a hash derived from the user's login password". Well, they can grab my password every time I log on or simply save it in plain text in the first place. The private component of my RSA key pair is also stored on their servers albeit "encrypted with the user's symmetric master key", where we just stated why that is broken. But wait a minute. Didn't it clearly state "No usable encryption keys ever leave the client computers" in their Help center? Oh, I see. They are encrypted, hence they are obviously not "usable". Yes. That makes sense.
Now to be honest with you, I'm by no means an expert in cryptography nor have I checked any of their source code and what it actually does. But you can all get down to it with a simple assumption and raising one single question.
Let's assume all the encryption and decryption is in fact done on the client side only. How is it possible to simply switch browsers and/or computers and use all of the encryption and decryption functions without transferring any keys between them whatsoever? Because all of your keys are stored on their servers. Whether they are stored "encrypted with a hash derived from the user's login password" doesn't matter. They are stored there.
The conclusion is that in theory it is entirely possible for them to decrypt all your files. Whether they do that or not is up to your belief and imagination; the ability stands.
What does the upcoming case against MEGA look like? Judge: "Is it true that you actually were able to decrypt and read all the files hosted?" - Kim: "Yes, but we never did."
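The hierarchy from the quoted API text, as an added sketch that is not MEGA's code and not part of the original article. PBKDF2-SHA256 as the password hash, the salt, the 16-byte key sizes and all function names are assumptions made for illustration. It shows that the server-side record plus the password is everything a fresh device needs to reach a file key.

```javascript
// Added illustration of the quoted key hierarchy; not MEGA's code.
const nodeCrypto = require('node:crypto');

// Assumption: PBKDF2-SHA256 stands in for the unspecified
// "hash derived from the user's login password".
function passwordKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, 100000, 16, 'sha256');
}

// AES-128-ECB over raw key material (a multiple of 16 bytes, so no padding).
function ecbCrypt(encrypt, key, data) {
  const make = encrypt ? nodeCrypto.createCipheriv : nodeCrypto.createDecipheriv;
  const c = make('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(data), c.final()]);
}

// Client side, first login: keys are generated locally and only wrapped
// copies are uploaded. `record` is everything the server stores.
function signup(password) {
  const salt = nodeCrypto.randomBytes(16);
  const masterKey = nodeCrypto.randomBytes(16);
  const fileKey = nodeCrypto.randomBytes(16); // key of one stored node
  const record = {
    salt,
    wrappedMaster: ecbCrypt(true, passwordKey(password, salt), masterKey),
    wrappedFileKey: ecbCrypt(true, masterKey, fileKey),
  };
  return { record, fileKey };
}

// A fresh browser holds no key material: it fetches `record` and unwraps
// with the password alone, so every stored key is only as secret as that password.
function unwrapFileKey(record, password) {
  const master = ecbCrypt(false, passwordKey(password, record.salt), record.wrappedMaster);
  return ecbCrypt(false, master, record.wrappedFileKey);
}

function demo() {
  const { record, fileKey } = signup('constructed-passphrase'); // constructed sample
  return {
    secondDevice: unwrapFileKey(record, 'constructed-passphrase').equals(fileKey),
    // ECB has no integrity check: a wrong password yields garbage, not an error.
    wrongPassword: unwrapFileKey(record, 'wrong-guess').equals(fileKey),
    recordHoldsPlaintextKey: Buffer.concat(Object.values(record)).includes(fileKey),
  };
}

console.log(demo());
```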
Real end-to-end encryption does not require you to trust the file hosting service. MEGA does.
"The privacy company"
MEGA fail.
You might have heard about the legal case going on and on with The Pirate Bay for years already. Basically the music industry and other retarded cokeheads of the likes claim that the services The Pirate Bay are offering are illegal.
What exactly is The Pirate Bay offering?
They once actually served as a BitTorrent tracker, search engine and indexing service. They got rid of the BitTorrent tracker sooner or later because they became aware of the retarded people living on this planet deeming it illegal. So what are they left with? A search engine and indexing service. Sounds familiar. Something like Google, Yahoo and Bing? Pretty much, yes, except only for the BitTorrent network. How is that illegal, you ask? Well, beats me. But apparently even judges agree.
In case you are wondering how the classical BitTorrent network operates, here's a quick outline:
Okay, now let's assume we have a file that is shared and it contains by law content that is not allowed to be freely shared (like for example a ripped music album). Whoever puts this file up has to create the *.torrent file for it. So that person calculates hashes from the files, adds a BitTorrent tracker to the file and done.
This *.torrent file, containing nothing but legal metadata, will be put up on a site now, for example on The Pirate Bay. So The Pirate Bay offers this *.torrent file, with a description of the files it supposedly contains metadata for and people are free to download this *.torrent file. This is not illegal. Anybody who claims it is, is a retard and did not understand how this system works.
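A minimal version of the step described above, added here as an illustration and not taken from any BitTorrent client. The single-file layout, the 16 KiB piece length, the tracker URL and the function names are assumptions. It builds the bencoded metainfo and checks that it carries piece hashes and a tracker address but none of the file's bytes.

```javascript
// Added illustration: what goes into a single-file *.torrent (metainfo) file.
const nodeCrypto = require('node:crypto');

// Bencode: i<n>e integers, <len>:<bytes> strings, l...e lists, d...e dicts (sorted keys).
function bencode(v) {
  if (Number.isInteger(v)) return Buffer.from(`i${v}e`);
  if (typeof v === 'string') v = Buffer.from(v, 'utf8');
  if (Buffer.isBuffer(v)) return Buffer.concat([Buffer.from(`${v.length}:`), v]);
  if (Array.isArray(v)) {
    return Buffer.concat([Buffer.from('l'), ...v.map(bencode), Buffer.from('e')]);
  }
  const parts = Object.keys(v).sort().flatMap((k) => [bencode(k), bencode(v[k])]);
  return Buffer.concat([Buffer.from('d'), ...parts, Buffer.from('e')]);
}

// Hash the content piece by piece and wrap the hashes with a tracker URL.
function makeTorrent(name, content, trackerUrl, pieceLength = 16384) {
  const hashes = [];
  for (let off = 0; off < content.length; off += pieceLength) {
    const piece = content.subarray(off, off + pieceLength);
    hashes.push(nodeCrypto.createHash('sha1').update(piece).digest());
  }
  const info = {
    length: content.length,
    name,
    'piece length': pieceLength,
    pieces: Buffer.concat(hashes), // 20 bytes of SHA-1 per piece
  };
  return {
    metainfo: bencode({ announce: trackerUrl, info }),
    // Peers and trackers identify the torrent by the hash of the info dict.
    infoHash: nodeCrypto.createHash('sha1').update(bencode(info)).digest('hex'),
    pieceCount: hashes.length,
  };
}

function demoTorrent() {
  // Constructed sample input and a placeholder tracker address.
  const content = Buffer.alloc(40000, 'constructed sample payload ');
  const t = makeTorrent('sample.bin', content, 'http://tracker.example/announce');
  return {
    pieceCount: t.pieceCount,
    prefix: t.metainfo.subarray(0, 11).toString(),
    containsContent: t.metainfo.includes(content.subarray(0, 27)),
    infoHashHexLength: t.infoHash.length,
  };
}

console.log(demoTorrent());
```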
If anybody downloads this *.torrent file of said music album now and adds it to their BitTorrent client, the BitTorrent client will contact the specified BitTorrent trackers and they will reply with a list of people who currently want or offer the file. Now, depending on the country you are residing in but also depending on your moral values, none, one or both of these actions can be considered illegal:
What did The Pirate Bay do in all this? Effectively the following:
All of that is considered metadata. None of that is illegal.
Still, on April 17th, 2009 the operators of The Pirate Bay were found guilty of "assistance to copyright infringement" in Sweden and sentenced to one year in prison and payment of a fine of 30 million SEK (roughly 4.4 million USD (as of writing of this article)).
This didn't stop The Pirate Bay from operating, however. It still operates as of today and the music industry is still trying really hard to get them down. Since by now they have realized they can't take them down at the very source, they instead try censoring access to The Pirate Bay.
So far access to The Pirate Bay has been "blocked" in: Belgium, Denmark, Finland, Ireland, Italy, Malaysia, the Netherlands, the People's Republic of China and the United Kingdom. Several other countries had temporary blockades or legal cases about blocking the site. More are probably to come.
These blockades usually range from mostly simple Domain Name System (DNS) blockades to Internet Protocol (IP) blockades. Both of them are very easy to go around, and people wanting to access The Pirate Bay as well as The Pirate Bay themselves offer tons of ways to go around them. In the end all these blockades cause is free advertising for The Pirate Bay and BitTorrent, plus making people aware of what kind of MAFIAA is operating within our governments and courts, resulting in membership boosts for the Pirate Party.
One of the worst organizations, trying the hardest to block The Pirate Bay is BREIN (Bescherming Rechten Entertainment Industrie Nederland) in the Netherlands. They don't even stop at just blocking The Pirate Bay by forcing the country's Internet Service Providers (ISPs) to apply a blockade but instead they also want to stop every proxy that is being set up to go around said blockades.
But they go even further. After successfully getting court orders to force closure of a proxy provided by the Dutch Pirate Party as well as a proxy provided by Greenhost, they even demand a gag on the Dutch Pirate Party to stop operating any kind of proxy service as well as to stop explaining how to use them or set them up.
Yes. The censorship is getting worse and worse. Stop discussing. Stop offering proxy services. The question of how long it will be before VPNs and proxy services become illegal is very valid.
BREIN, you cannot win this. Stop fighting.
For every IP address that gets blocked The Pirate Bay will have a new one ready within minutes.
This is a futile game, already lost by BREIN. But since they apparently don't have a BRAIN, they don't see it. As long as there is one person on the Internet who does not agree, content cannot be censored. And such people will fortunately always exist.
With that said, have a link to a list of The Pirate Bay proxies, generously provided by Pirate Reverse: http://about.piratereverse.info/proxy/list.html
And also a guide on how you can help and set up your own Pirate Bay proxy: http://about.piratereverse.info/proxy/index.html