I am leaving JonDos and I thought I'd take the opportunity to thank all our users who made that adventure happen for me in the last 4 and a half years. Stay engaged. It is more needed than ever. A special thanks goes to Rolf Wendolsky, a.k.a. jondos. Not many would have considered employing me. I won't forget that.
In the future the JonDoBrowser shall replace the JonDoFox profile in order to allow an even better protection against tracking on the Web. As the development is already on its way since a while we would like to deliver a short status report every six weeks from now on. That would hopefully give users an idea about where we are now and what still remains to do:
The top 5 things we did during the last six weeks:
1) Worked on the update mechanism (full updates are working on Linux now)
2) We disabled SSL 3.0 by default. If there are problems, please report them!
3) Disabled the annoying add-on bar and moved the UnPlug icon to the toolbar.
4) Reported possible problems for the protection against tracking with HTTP
authentication to Mozilla.
5) Released JonDoBrowser 0.6
Top 5 things for the coming weeks:
1) Releasing JonDoBrowser 0.7 (scheduled for May 20, 2013)
2) Integration of partial updates into the update patch for Linux systems
3) Integrating a better compression algorithm for JonDoBrowser packages on
Linux systems into the build script
4) Mozilla's reftests test suite shall work flawlessly with JonDoBrowser.
5) Removing a duplicated UnPlug in the extensions directory of the profile as
this is probably causing issues during the first start of JonDoBrowser on
Linux
ToDo for the 1.0-Release:
1) Update mechanism for Windows, Mac OS X and Linux
2) Integration of JonDo into the JonDoBrowser (Windows only)
3) Making JonDoBrowser compatible with Mozilla's test suites
The EU Directive 2006/24/EC on the retention of data was adopted within the framework of regulating the Single Market, allegedly to harmonize competitive conditions of telecommunication providers and to provide uniform conditions for prosecutors. 5 years after adopting this directive the differences are larger than before.
Some countries like Slovakia, Austria, Norway and Switzerland are looking about the requirements stemming from Brussels regarding the implementation. In the Netherlands the EC directive is implemented in national law but the senate expressed fundamental critique concerning the data retention.
Some countries are exceeding the requirements set by Brussels considerably:
In Germany the dispute about the data retention is not settled yet. The federal constituional court has annulled the until March 2010 valid law but argued that it is possible to implement the EC directive in a constitutional way.
Chancellor Merkel and some members of the federal government are pressing for a new law for the data retention.
"Wir sind uns gewahr, dass im Bereich der Vorratsdatenspeicherung noch eine Liefernotwendigkeit besteht." (We are aware that there is still some kind of delivery need in the area of data retention.)
Home Secretary Friedrich sees a danger due to islamistic terror attacks in Germany and the data retention as a necessary tool for the anti terror measures.
The civil society is resisting the restriction of civil rights. Thus, we want to suggest two roads of action and ask for your support:
"Der Deutsche Bundestag möge beschließen, dass die verdachtlose Vorratsdatenspeicherung nicht zulässig ist. Darüber hinaus möge er die Bundesregierung auffordern, sich für eine Aufhebung der entsprechenden EU-Richtlinie und für ein europaweites Verbot der Vorratsdatenspeicherung einzusetzen." (The German Bundestag may establish that the data retention without suspicion is not allowed. Furthermore, it may request the german government to campaign for annulling the respective EC directive and for an european prohibition of a data retention.)
The warning of dangerous e-mail attachments has already been reiterated many times. Nevertheless, attackers are still succeeding with this method even in the 21. century. Especially regarding targeted attacks against computers of particular persons, companies or governmental institutions is this well-known method promising.
In 2008 were chinese crackers able to infect computers of western governments and the Dalai Lama during the so-called Ghostnet operation. Prepared PDF documents sent with an e-mail were used.
In 2009 were the Royal Navy and some bases of the Royal Air Force hit by a computer worm. The infection occurred via e-mail and the total breakdown of the mail system was a consequence. Parts of the e-mail traffic was redirected to russian servers.
Three weeks ago the company RSA was successfully attacked via infected e-mails. Those e-mails had an Excel file with an embedded Flash file attached. The spreadsheet contained an exploit that installed a backdoor using a vulnerability in Adobe's Flash Player. The backdoor in turn was used to obtain access to sensitive data.
Under these circumstances do we want to reiterate the following advices concerning e-mail security:About one month ago a study done by the European Network and Information Agency (ENISA) was published that was concerned with new types of cookies. These cookies (e.g. Flash cookies) are characterized by their capability to save much larger amounts of information than normal HTTP cookies. Furthermore, they are usually much harder to control as they are often not assessable by the cookie management of the browser. According to the authors of this study the security and privacy problems that accompany those cookies shall be countered by a set of different requirements: First, users must be able to consent in a meaningful way (i.e. informed consent is required) when receiving/sending such cookies. Moreover, they should be easy to handle and to delete. Their storage outside the control of the browser should, if at all, be limited. And, finally, there should be other services providing the same functionality but without the need for accepting and/or sending cookies.
Even if these requirements are legitimate it is very questionable whether they can be put into force within the future having the history of traditional cookies and the struggle for shaping them in a privacy-friendly manner in mind. Until then, only special browser add-ons or profiles, like JonDoFox, are mitigating the tracking risk accompanying those cookies while surfing the Web.
At the beginning of February 2011 the Civil Liberties Committee of the European Parliament will decide whether mandatory EU-wide web blocking should be introduced. Using the pretext of fighting against child pornography all members of the European Union shall build an blocking infrastructure to be able to prevent access to ndexed websites effectively. The 2007 Commission impact assessment on terrorism said that the adoption of blocking measures necessarily implies a restriction of human rights, in particular the freedom of expression. Human rights organisations like EDRi.org und Bits of Freedom are currently campaigning against access blocking. Support is welcome!
Deleting child pornography works well
The German AK Zensur deleted 2009 within 12 hours 60 websites containing child pornography. It checked the danish blacklist and websites blocked for 2 years were deleted within 30 minutes. In 2010 99,4% of all reported websites with child sexual abuse material were deleted. (German news here, maybe an english translation is coming soon).
| Number of websites | |
|---|---|
| Total reported | 656 |
| deleted by INHOPE | 448 |
| deleted by foreign ISPs | 204 |
| no sexual abuse material | 2 |
While deleting those 652 websites evidence for a criminal prosecution was also seized by the provider.
As the discussion concerning the data retention already showed: the proposed action does not make sense to achieve the stated goal. The restriction of fundamental rights cannot be justified by the needs of criminal prosecution.
French law Loppsi 2 adopted by the General Assembly
The Loppsi 2 law (law on guidelines and programming for the performance of internal security) was approved by the French General Assembly. The law which asks ISPs to block Internet sites deemed to have child pornographic content, now includes a version that will no longer require a previous judicial approval, which is actually against the French Constitution.
The Firefox extension Firesheep has caused a certain fuzz in the media some weeks ago (see e.g. lifehacker or Forbes). With its help one may sniff open WLANs and steal session cookies to hijack an active user session. In order to avoid this several solutions have been proposed. On the one hand one can try to detect Firesheep itself and act accordingly. On the other hand there is an option to flood the network with packets in order to impair Firesheep's functionality. Or, as a third and best choice, one just uses services that are only provided by SSL secured connections. Unfortunately, the latter is not available for services like Twitter that only secure the login page but not the session identifier.
Irrespective of which protective means a user deploys (if one at all) if one is using JonDonym Firesheep is not dangerous due to the fact that all traffic is already encrypted on the users' computer. That means an attacker using a WLAN or an Internet Service Provider is not able to get the sensitive data to hijack a particular session, be it provided by an unsecured or a secured (SSL) connection.
But, of course, the things just said only apply if one has no malware on the computer. That means in the current context to avoid just installing unreviewed browser extensions as these could easily contain Firesheep's (or similar) sniffing code without that being detected while surfing the Web.
| 2007 (without DR) |
2008 (without DR) |
2009 (with DR) |
|
|---|---|---|---|
| total number of crimes | 6.284.661 | 6.114.128 | 6.054.330 |
| solved (total) | 55.0% | 54.8% | 55.6% |
| Internet related crimes | 179.026 | 167.451 | 206.909 |
| solved (Internet) | 82.9% | 79.8% | 75.7% |
