IxQuick search engine

I’m concerned about Google having a monopoly on search, and tracking their users for search terms, and much more.

So use another search engine.

I’ve been using IxQuick on-and-off for years, and almost exclusively for the last six months: https://ixquick.com/

First, I set the default Search Bar plugin to IxQuick from one of the many selections at the Mycroft project .

Then I also set Firefox’s address bar to do keyword searches on IxQuick:

1. type about:config in the address bar
2. Acknowledge the potential for damaging your system
3. Search for the keyword.URL entry
4. Change it to https://ixquick.com/do/metasearch.pl?query=

Now any keywords you type into the address bar will be looked up by IxQuick.

IxQuick is a metasearch engine, which searches All the Web, Digg, Qkport, Ask/Teoma, EntireWeb, Wikipedia, Bing, Gigablast, Yahoo, Cuil and Open Directory. Almost everything except Google. IxQuick claims that it does NOT collect or share your personal information, and keeps logs no longer than 48 hours.

All in all, I’ve been very pleased with the results IxQuick provides.

DuckDuckGo search engine

To put DuckDuckGo in the Search Bar, browse to the DuckDuckGo site, pull down the list of search engines, then click on “Add DuckDuckGo”.

To set up DuckDuckGo as the default search engine for the address bar:

1. type about:config in the address bar
2. Acknowledge the potential for damaging your system
3. Search for the keyword.URL entry
4. Change it to https://duckduckgo.com/?q=

I haven’t used DuckDuckGo much at all, but I’ve only heard favourable reports…

Note that there are many other references to Google in the
about:config

settings, so if you make only these changes you’re still not Google Free.

–Bob.

Screenshot images created by Bob Jonkman, and released to the Public Domain

No Google

Hi IT Peeps,

I was wondering if I would cause major havoc if I downloaded google chrome? Will it mess anything up? Any recommendations?

My answer:

What problem are you trying to solve? What’s the question that gets answered “Install Google Chrome”?

Google the company is becoming ever more pervasive in our Internet lives. Google’s business is not providing a search engine for free; Google’s business is to sell our demographic information to advertisers. They gather that demographic data by luring us in with relevant search results, free e-mail and slick looking browsers.

Google collects personal information, including information that was voluntarily given to Google (for instance, by signing up for GMail or Google Plus; posting a video on YouTube), information that was collected anonymously (eg. when you perform a Google search or watch a YouTube video and Google records the search terms, your IP address, and leaves a cookie on your computer), and information that Google collected as it does its web indexing (comments you’ve left on a newspaper site, Tweets you’ve made, messages you’ve posted to public mailing lists). Google then correlates all this data based on IP address, cookies, e-mail addresses, your name, geo-location (finding out where you are based on your WiFi connection or IP address).

As of 1 March 2012 Google changed its privacy policies to combine data mining from all its holdings – the search engine, YouTube, Picasa, Google Maps, Google Plus, Google Mail, &c. I didn’t think too much of that, since I had thought that Google had always aggregated its data. According to an article I read^[1] that’s actually a new development. Google used to keep all its data mining separate, in fact, kept it so separate that it didn’t even correlate its adwords between different messages in GMail. With the new privacy policy that’s all changed, and everything is now aggregated, correlated, and retained to be sold to the highest bidder. Google says we’ll never sell your personal information or share it without your permission, but you grant that permission every time you agree to the Terms of Service and Privacy Policies when you sign up for Google’s services.

Remember the Google Toolbar? Every search request, every URL, and every local file you opened in a browser with the Google toolbar installed was sent to the Google servers. There was a report of someone who opened confidential company documents with IE and the Google toolbar, only to find those reports cached on Google’s servers. Google Chrome is far more invasive than a mere toolbar.

Google Chrome does not have the same set of security-related add-ons that Firefox offers. For your best privacy protection and security, use Firefox with the NoScript, AdBlock Plus, HTTPS-Everywhere and Force-TLS extensions. See my article on Browser Security for details on installing and configuring them.

–Bob, who will be getting fitted for a new tinfoil hat at lunch…

Key by Quasimondo

Some ID would also be a good idea, for those who do not already know you.

No no no.

If people don’t know you, then they shouldn’t be signing your key. If you don’t know someone, then you shouldn’t be signing their key.

Using ID of any sort is assigning trust by proxy to an “authority”. You’re no longer vouching for a person based on your own knowledge, but relying on the “authority” to provide that trust. If you’re going to rely on third-party authorities you might as well revert to a hierarchical PKI and pay lots of money to a certificate authority to assign levels of trust for you.

The point of the keysigning is to associate a key value with a real person, with no opportunity for a Man in the Middle attack ^[1]. It is not to verify name, address and permission to drive in Ontario.

When I sign your key it is not because the government says that you’re allowed to drive under your name, but I sign your key because I believe that you’re the same guy who drinks Jagermeister and hacks on Blackberries and hangs out at the Syrup Festival. It is based on my personal knowledge of you, and my trust in your claim that you own the GPG key with fingerprint D2CCE5EA ^[2].

The Web of Trust extends this, so that since I trust your identity and judgment, I’m also likely to grant some level of trust to the people you trust. After a successful keysigning party then I’m going to trust many more people because they’re all trusted by people I trust. And I’ll be trusted by more people, because they trust the people who have signed my key.

So, how do you hold a keysigning party? Here’s an excerpt from the PGP FAQ:

The comp.security.pgp FAQ

Wouter Slegers

Copyright © 1996, 1997, 1998, 1999, 2000,
2001 by Arnoud Engelfriet

Copyright © 2002 by Wouter Slegers

This FAQ is copyright © 2001 by Wouter Slegers.

It may be distributed freely in online electronic form, provided the copyright notice is left intact. Since this FAQ is always available from USENET and the PGP network, there should be no problems getting access to it. However mirrors with outdated versions can confuse the users, so I request you not to mirror this FAQ elsewhere.

[...]

Q: What’s a key signing party?

A: A key signing party is a get-together with various other users of PGP for the purpose of meeting and signing keys. This helps to extend the web of trust to a great degree, making it easier for you to find one or more trusted paths to someone whose public key you didn’t have.

Kevin Herron has an example of a keysigning party announcement page ^[3].

Q: How do I organize a key signing party?

A: Though the idea is simple, actually doing it is a bit complex, because you don’t want to compromise other people’s private keys or spread viruses (which is a risk whenever floppies are swapped willy-nilly). Usually, these parties involve meeting everyone at the party, verifying their identity and getting key fingerprints from them, and signing their key at home.

Derek Atkins has recommended this method:

There are many ways to hold a key-signing session. Many viable suggestions have been given. And, just to add more signal to this newsgroup, I will suggest another one which seems to work very well and also solves the N-squared problem of distributing and signing keys. Here is the process:

1. You announce the keysigning session, and ask everyone who plans to come to send you (or some single person who will be there) their public key. The RSVP also allows for a count of the number of people for step 3.

2. You compile the public keys into a single keyring, run pgp -kvc on that keyring, and save the output to a file.

3. Print out N copies of the pgp -kvc file onto hardcopy, and bring this and the keyring on media to the meeting.

4. At the meeting, distribute the printouts, and provide a site to retrieve the keyring (an ftp site works, or you can make floppy copies, or whatever — it doesn’t matter).

5. When you are all in the room, each person stands up, and people vouch for this person (e.g., “Yes, this really is Derek Atkins — I went to school with him for 6 years, and lived with him for 2″).

6. Each person securely obtains their own fingerprint, and after being vouched for, they then read out their fingerprint out loud so everyone can verify it on the printout they have.

7. After everyone finishes this protocol, they can go home, obtain the keyring, run pgp -kvc on it themselves, and re-verify the bits, and sign the keys at their own leisure.

8. To save load on the keyservers, you can optionally send all signatures to the original person, who can collate them again into a single keyring and propagate that single keyring to the keyservers and to each individual.

I’m going to have to put my key signature where my mouth is. Hopefully there will be another key signing party soon, for which I will be more prepared.

–Bob.

^[1] Yes, it is still possible to have a meatspace MitM attack if you’re signing keys for people you don’t know and relying on ID. If you’ve never met me before then it is possible that someone mugs me in the parking lot, takes my ID and wears my goofy hat. If you don’t know me you would never be able to tell the difference, and you’d be signing a key for the wrong person.

^[2] Although that’s really my PGP key, so as not to divulge the identity of innocent and unsuspecting Key Signing Party Organizers.

^[3] Sadly, Kevin Herron makes the same mistake of requiring "Positive picture ID". Please ignore that part.

Key by Quasimondo is used under a Creative Commons by-nc license.

Google Plus Screenshot

I won’t be using it. Google has too much of my data already.

For gushing, sycophantic reviews see Mashable and Techcrunch.

Update 8 July 2011: Someone pointed out that I should probably investigate Google Plus before dissing it, so I’m licking the Google salt block. There will another blog post with the results of this investigation… In the meantime, Circle Me!

Update: 13 October 2011: The Verdict on Google Plus: Mostly Harmless

Ripe for Deep Packet Inspection

Far more interesting than the data presented by Sandvine is the fact that Sandvine has any data to present at all. How did they get this stuff? Did they buy it from Bell and Rogers? Does their throttling equipment phone home? I don’t recall giving them permission to use my data.

They claim they’re not looking at data content. Maybe that’s true, maybe it’s not. But they’ve inspected deeply enough to know that we use more streaming applications than P2P, and more Bittorrent than Gnutella. As any data analyst knows, traffic analysis of data patterns gives as much information as the data itself. Why are they allowed to gather any of this data at all? None of their business what I use on my computer.

I’m sure Sandvine is making a hefty buck selling this report, or at least using it as evidence to sell more of their DPI equipment. They’re profiting from the the data that I didn’t give them permission to use. I think the Privacy Commissioner may want to look into this.

–Bob.