Free Republic

PRISM vs StartPage (Vanity)
Ixquick/StartPage | recent | Robert E. G. Beens

Posted on 06/27/2013 10:32:35 AM PDT by imardmd1

Here's the tantalizer line on the StartPage splash page:

Take a deep breath. You're safe here.

Click *here* to learn how StartPage protects you from government surveillance.

************

Then, clicking on *here* takes you to this:

---------

No PRISM. No Surveillance. No Government Back Doors. You Have our Word on it.

Giant US government Internet spying scandal revealed

The Washington Post and The Guardian have revealed a US government mass Internet surveillance program code-named "PRISM". They report that the NSA and the FBI have been tapping directly into the servers of nine US service providers, including Facebook, Microsoft, Google, Apple, Yahoo, YouTube, AOL and Skype, and began this surveillance program at least seven years ago. (clarifying slides)

These revelations are shaking up an international debate.

StartPage has always been very outspoken when it comes to protecting people's Privacy and civil liberties. So it won't surprise you that we are a strong opponent of overreaching, unaccountable spy programs like PRISM. In the past, even government surveillance programs that were begun with good intentions have become tools for abuse, for example tracking civil rights and anti-war protesters.

Programs like PRISM undermine our Privacy, disrupt faith in governments, and are a danger to the free Internet.

StartPage and its sister search engine Ixquick have in their 14-year history never provided a single byte of user data to the US government, or any other government or agency. Not under PRISM, nor under any other program in the US, nor under any program anywhere in the world. We are not like Yahoo, Facebook, Google, Apple, Skype, or the other US companies who got caught up in the web of PRISM surveillance.

Here's how we are different:

o StartPage does not store any user data. We make this perfectly clear to everyone, including any governmental agencies. We do not record the IP addresses of our users and we don't use tracking cookies, so there is literally no data about you on our servers to access. Since we don't even know who our customers are, we can't share anything with Big Brother. In fact, we've never gotten even a single request from a governmental authority to supply user data in the fourteen years we've been in business.

o StartPage uses encryption (HTTPS) by default. Encryption prevents snooping. Your searches are encrypted, so others can't "tap" the Internet connection to snoop what you're searching for. This combination of not storing data together with using strong encryption for the connections is key in protecting your Privacy.

o Our company is based in The Netherlands, Europe. US jurisdiction does not apply to us, at least not directly. Any request or demand from ANY government (including the US) to deliver user data, will be thoroughly checked by our lawyers, and we will not comply unless the law which actually applies to us would undeniably require it from us. And even in that hypothetical situation, we refer to our first point; we don't even have any user data to give. We will never cooperate with voluntary spying programs like PRISM.

o StartPage cannot be forced to start spying. Given the strong protection of the Right to Privacy in Europe, European governments cannot just start forcing service providers like us to implement a blanket spying program on their users. And if that ever changed, we would fight this to the end.

Privacy. It's not just our policy, it's our mission.

Sincerely,

Robert E.G. Beens

CEO StartPage.com and Ixquick.com

TOPICS: Computers/Internet; Conspiracy
KEYWORDS: government; privacyspying; surveillance
If you are only using Google as a search engine, perhaps this one will give you a little protection. Easy to install. I've been using it for about a year.
1 posted on 06/27/2013 10:32:35 AM PDT by imardmd1
[ Post Reply | Private Reply | View Replies]

To: imardmd1

Unless you use a proxy to get to StartPage to begin with, you still have a problem. The traffic from your IP address is visible to have arrived there. On top of that, the backdoors built into Windows and Apple OS’s would stagger most people.


2 posted on 06/27/2013 10:38:56 AM PDT by RobertClark (My shrink just killed himself - he blamed me in his note!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: imardmd1
FireFox Plugin to use IxQuick in the Search drop-down.
3 posted on 06/27/2013 10:39:39 AM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: imardmd1

Thanks for your post. Please see this discussion:

Alternatives to Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, etc.

http://www.metafilter.com/129454/Alternatives-to-Microsoft-Yahoo-Google-Facebook-PalTalk-AOL-etc


4 posted on 06/27/2013 10:39:49 AM PDT by Jyotishi (Seeking the truth, a fact at a time.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: RobertClark
On top of that, the backdoors built into Windows and Apple OS’s would stagger most people.

I wonder if there'll be a push for new (and hopefully non-unix/linux) OSes now.
I'm reading about Wirth's Oberon and it's looking pretty interesting.

5 posted on 06/27/2013 10:41:26 AM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: imardmd1
Here's another - > DuckDuckGo
6 posted on 06/27/2013 10:44:19 AM PDT by b4its2late (A Liberal is a person who will give away everything he doesn't own.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: RobertClark
Unless you use a proxy to get to StartPage to begin with, you still have a problem. The traffic from your IP address is visible to have arrived there. On top of that, the backdoors built into Windows and Apple OS’s would stagger most people.

One advantage startpage.com has is its secure (https) connection, unlike Bing and Google. Also, the results display a built in proxy link for each result. Nothing is perfectly secure, but this is better.

7 posted on 06/27/2013 10:54:46 AM PDT by quimby
[ Post Reply | Private Reply | To 2 | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

8 posted on 06/27/2013 11:12:51 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OneWingedShark
I wonder if there'll be a push for new (and hopefully non-unix/linux) OSes now.

Why exclude the world's largest OS (in terms of usage)? It already has users, experts, and a lot more applications than anything else out there right now.

9 posted on 06/27/2013 11:15:07 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 5 | View Replies]

To: imardmd1

cyber security bookmark


10 posted on 06/27/2013 11:31:52 AM PDT by Sergio (An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
>> I wonder if there'll be a push for new (and hopefully non-unix/linux) OSes now.
> Why exclude the world's largest OS (in terms of usage)?

Because I hate, loathe, and despise the C/Unix philosophy.
It's seriously a pile of shit; and I'm saying this as someone who's a bit of a language geek.
There's this thread which compares Oberon to C++ and touches on the topic very well.
There's this critique of C++ (I've just started reading it, but so far it's good). Then there's always the amusing Unix Hater's Handbook, which details frustrations but manages to illustrate a good number of UNIX's design-flaws and problems with its philosophy.

It already has users, experts, and a lot more applications than anything else out there right now.

So? In all three of those categories Windows has more. So, it's obvious that those aren't the criteria I'm using.
Besides that, I'm not sure that Unix/Linux is more secure on the PRISM-front — because that's collecting the data in whole-pipe method, any machine that data goes through can be compromised.

11 posted on 06/27/2013 11:52:49 AM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: OneWingedShark
I wonder if there'll be a push for new (and hopefully non-unix/linux) OSes now.

I agree, but have a personal penchant for Linux for some reason. Some distros are, of course, more desirable than others. Fortunately, with Linux not packaging proprietary drivers with the OS, it reduces the risk. I still love the Linux kernel.

12 posted on 06/27/2013 11:53:14 AM PDT by RobertClark (My shrink just killed himself - he blamed me in his note!)
[ Post Reply | Private Reply | To 5 | View Replies]

To: OneWingedShark
Because I hate, loathe, and despise the C/Unix philosophy.

OK. What "philosophy" do you like, then?

In all three of those categories Windows has more.

Incorrect

13 posted on 06/27/2013 11:57:25 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 11 | View Replies]

To: imardmd1

bookmark


14 posted on 06/27/2013 12:01:00 PM PDT by Pajamajan (Pray for our nation. Thank the Lord for everything you have. Don't wait. Do it today.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: b4its2late
Commenter states:

Maybe I'm cynical but I don't trust DuckDuckGo.

Part of it is that the founder made his millions by creating a “name database” website that he sold to classmates.com. I can't believe such a person suddenly developed a deep passion for privacy.

Part of it is that DuckDuckGo is a VC-backed company, backed by a VC who backed Zynga. That's a VC who cares about cash on cash returns, not ethics.

Part of it is just a baseless suspicion, similar to the one I had when Dropbox claimed that everything was encrypted client-side. That turned out to be a flat-out lie and was abandoned once they'd reached scale (and the lie was widely revealed).

Part of it is that many of the DDG guys have a strong love of Ayn Rand, Ron/Rand Paul, and Libertarianism. I know that it's possible for somebody to hold fringe political beliefs and also be honest, but those particular beliefs tend to be held by people who oppose customer protections, and I remember that when I'm doing business with them.

And honestly, part of it is simply that DDG doesn't control their upstream networks or the certificate authorities, so even if they're operating in totally good faith, it probably doesn't matter.
posted by grudgebgon at 9:39 PM on June 26 [33 favorites]

15 posted on 06/27/2013 12:09:10 PM PDT by caww
[ Post Reply | Private Reply | To 6 | View Replies]

To: ShadowAce
OK. What "philosophy" do you like, then?

I'm really liking Ada's eye for correctness.
The Ada 2012 standard introduces some nice additions: preconditions, postconditions, and type-invariants among some. (In a manner that avoids the futzing about with comments [annotations]; comparison of Ada 2012, Java/JML, and C/ACSL.) I actually like having the extra safety of having the compiler take care of what details it can.
Example: dangling-else is so trivial to fix in language-design that the only reason new languages have it is because of their ties to older syntax.

As I said previously, I'm reading my way through a book on Oberon which is apparently Wirth's simplicity/elegance taken to the extreme (I'm only on the system itself, not the language, yet). I anticipate it to be very instructive.

There's LISP, full-functional programming — this should seriously be what web-page backends were written with instead of PHP — again an emphasis on correctness.
Not that I'm any good at LISP; but I can seriously respect it.

So I'm for much more of a "correct is better" kind of mentality.
I heard someone once say "I don't have enough time to do it quickly" in reference to the amount of time lost fixing up quick and dirty solutions, and fully agree.

16 posted on 06/27/2013 12:17:51 PM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 13 | View Replies]

To: OneWingedShark
OK. You seem, though, to be confusing language and OS. All of that can be implemented quite easily on Unix/Linux. There are ADA and LISP compilers for Linux.

And with tools like SELinux, the OS can be locked down so tight that not even root could take it down. Why it's not more widespread is because at this point, it can be quite difficult to use.

17 posted on 06/27/2013 12:21:34 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 16 | View Replies]

To: imardmd1

I’ve used Startpage for a year now too. I like that each search result has a link below where you can optionally open it in their built in proxy.

This is a good link >
http://prism-break.org/

This is the best FREE cross platform secure phone app I found so far. https://mocana.com/for-device-manufacturers/keytone/


18 posted on 06/27/2013 12:24:59 PM PDT by brandon24
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
OK. You seem, though, to be confusing language and OS.

Actually no, I was talking about the philosophies encouraged by the language. (And yes, the languages used do impact the design of the system.) Because the Unix/C philosophy is a language philosophy [as well as an OS] it is valid to address it on the language side. On the OS side there's a lot of design issues that stem from the language, there's a lot of design issues period.

But, in short, unix and C can be thought of as the good enough mode of thought... and when that turns out not to be the case the result is always another kludge. (C++ exhibits the kludge-accumulation very well.)

All of that can be implemented quite easily on Unix/Linux.

I know. I still don't like using a system that seems to have the perverse pleasure of being so fragile it goes tits up on you because somewhere the owner of a file changes and calls that security.

There are ADA and LISP compilers for Linux.

There's an American Dental Association compiler? Show me! (Ironically Ada's name is case-sensitive; being a proper name.)

And with tools like SELinux, the OS can be locked down so tight that not even root could take it down. Why it's not more widespread is because at this point, it can be quite difficult to use.

You missed my point completely, it's not about what can be done, it's about what should be done.

19 posted on 06/27/2013 12:40:30 PM PDT by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: imardmd1
I see a flaw here. When I click StartPage's padlock, Chrome informs me that

Your connection to startpage.com is encrypted with 128-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using RC4_128, with SHA1 for message authentication and RSA as the key exchange mechanism.

However, when I do the same while connected to Google, I see (bold-face added):

Your connection to www.google.com is encrypted with 128-bit encryption.

The connection uses TLS 1.1.

The connection is encrypted using RC4_128, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.

What does this mean? It's called Perfect Forward Security (PFS). It means that, even if NSA eventually obtains Google's private key, they will still not be able to decrypt previously intercepted traffic. That is not the case for StartPage.

With regular key exchange, the client picks a session key and shares it with the server encrypted with the server's public key. That means anybody who has the server's private key or succeeds in obtaining it in the future can decrypt the session key and recover the session plain text. However, with ECDHE_RSA, the client and server use a far more devious way to share the session key, which does not require the full key to be sent, even encrypted with the server's public key. As Vincent Bernat explains:

Unlike with the classic Diffie-Hellman key exchange, the client and the server need to agree on the various parameters. Most of this agreement is done inside Client Hello and Server Hello messages. While it is possible to define some arbitrary parameters, web browsers will only support a handful of predefined curves, usually NIST P-256, P-384 and P-521. From here, the key exchange with elliptic curves is pretty similar to the classic Diffie-Hellman one:
  1. The server picks a random integer a and compute aG which will be sent, unencrypted but signed with its private key for authentication purpose, in a Server Key Exchange message.
  2. The client checks that the signature is correct. It also picks a random integer b and sends bG in a Client Key Exchange message. It will also compute b⋅aG=abG which is the premaster secret from which the master secret is derived.
  3. The server will receive bG and compute a⋅bG=abG which is the same premaster secret known by the client.

An eavesdropper will only see aG and bG and won’t be able to compute efficiently abG.

The second E in ECDHE_RSA stands for "ephemeral", referring to the above method of sharing the session key using ephemerally chosen crypto parameters.
20 posted on 06/27/2013 12:53:30 PM PDT by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]
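
The contrast drawn in post 20, as an added example that is not part of the original thread: it runs the three quoted ECDHE steps on NIST P-256 next to plain RSA key transport, then checks what a recorded exchange yields once the server's long-term RSA key leaks. The toy RSA key (two Mersenne primes, no padding), the function names, and the omission of the RSA signature over aG are assumptions made for the demonstration.

```python
import secrets

# NIST P-256 domain parameters (the curve named in the quoted explanation).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def add(p1, p2):
    """Add two curve points; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

# Toy long-term RSA key for the server (constructed; textbook RSA, no padding).
RSA_N = (2**127 - 1) * (2**89 - 1)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (2**127 - 2) * (2**89 - 2))

def rsa_key_transport():
    """Plain RSA suite: client encrypts the premaster to the server's key."""
    premaster = secrets.randbits(128)
    wire = {"encrypted_premaster": pow(premaster, RSA_E, RSA_N)}
    return wire, premaster

def ecdhe_exchange():
    """ECDHE suite: steps 1-3 above (the RSA signature over aG is omitted)."""
    a = secrets.randbelow(N - 1) + 1          # server's ephemeral integer
    b = secrets.randbelow(N - 1) + 1          # client's ephemeral integer
    aG, bG = mul(a, G), mul(b, G)             # the only values sent
    client_pm, server_pm = mul(b, aG), mul(a, bG)
    assert client_pm == server_pm             # both sides hold abG
    return {"aG": aG, "bG": bG}, client_pm    # a and b are discarded here

def recover_from_recording(wire, leaked_rsa_d):
    """What a recording plus the later-leaked long-term key yields."""
    if "encrypted_premaster" in wire:
        return pow(wire["encrypted_premaster"], leaked_rsa_d, RSA_N)
    return None   # aG and bG are not encrypted under the RSA key at all

if __name__ == "__main__":
    for name, run in (("RSA", rsa_key_transport), ("ECDHE_RSA", ecdhe_exchange)):
        wire, secret = run()
        print(name, "premaster recovered from recording:",
              recover_from_recording(wire, RSA_D) == secret)
```

In the ECDHE case the RSA key would only sign aG, so its later disclosure gives an eavesdropper nothing to decrypt; recovering abG from aG and bG requires solving the elliptic-curve Diffie-Hellman problem instead.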

