Ramiro Romani's neo-network
founder of @takebackourtech,
part of freedcomcells.org, thegreaterreset.org

neo: a new or revived form of.

Break free of the former internet. Daily posts & content that teach you new revolutionary technologies.
https://t.me/neo_network

The internet is a way of life. Are you living your best one?

Welcome to the neo-network, a content venture with daily updates. We're going to explore the digital frontier and create our own neo-networks along the way.

You'll be reading about:

- Low level technologies that will radically change how you use the internet
- New & existing tools that improve your workflow
- Breaking tech news and their implications
- Interviews with experts and knowledge-sharing

✉️🪓⁉️

What happens when you send your emails to the trash? *poof*, and it's gone? Not so. Most states in the United States require email retention for between 3 and 7 years.

https://www.intradyn.com/email-retention-laws/

Think twice about sending sensitive communications through the webmail you are accustomed to.

Are there better email laws out there? Sure, there's one country that comes to mind: Iceland. They don't have ANY data retention laws for your mail. Icelandic companies are not required to save your mail whatsoever. You can use a VPN to further hide your information from Icelandic ISPs, which are required to store data for 6 months.

And the email service I suggest is CTemplar. I have been very happy with their commitment to privacy, and no, I'm not getting any bonuses for sharing this with you (unfortunately).

They allow anonymous payments using Monero; they don't record, monitor, or store any submitted information; and they have zero data access (they couldn't read your messages if they tried).

Interested in learning more?

https://ctemplar.com

You can get an invite code to start using a free account by emailing support@ctemplar.com.

Google Chrome Is Getting a New Machine Learning Model That Groups Its Users

🍪👁🧮


THE NEWS
The Chromium Project, the open source Google-funded initiative that developed the engine behind Google Chrome and many other browsers (Brave, Opera, Microsoft Edge), released new details on its 2019 proposal for the Privacy Sandbox.
Given Chrome's 65% market share across all browsers, this is going to be huge.

WHAT'S THE PROPOSAL?
Chromium is starting to get rid of the third-party cookie tracking and fingerprinting techniques that are traditionally used to target relevant advertisements to you as you surf the web (and implicitly track you). They are in favor of replacing them with new functionality that aims to produce the same result for advertisers and users. It was hard to get any details on this functionality until late last year, and now more is being explained.

WHAT'S THE NEW FUNCTIONALITY?
New details were announced last month about Federated Learning of Cohorts, one of the highly favored proposals, which will be released for testing in March (among others). It works by feeding a user's browsing behavior to a local machine learning model that groups users into clusters, which can then be used to target ads specifically to those groups.

Behind this functionality is a new browser API, which is local to your machine and gets updated with new information as you browse the internet. The machine learning model may be fed 'URLs, content, or other factors' to cluster you. It's important to note that your browsing data isn't exposed, just your cohort, which the browser ensures is 'well-distributed'; each cohort may represent thousands of people.

BENEFITS
So does this improve privacy? It will, in the sense that the large ad networks will no longer use third-party cookies to build targeted advertising profiles of their users. But browsers like Firefox, Safari, Brave, and Edge have already shipped measures to block third-party cookies, and there are plenty of add-ons that help with this, although not many people use them.

RISKS
There are a few risks that the proposal itself acknowledges. The first is that users can now be tied to their general interests (or, theoretically, to any cluster the cohort algorithm places them in) by a site that already has their PII or email address. The cohort can also serve as a pseudo-identifier and, combined with an IP address, can identify someone if cohort sizes are small enough. Lastly, a cohort might reveal sensitive information about the user: someone who works in a particular industry, an investigative journalist, or people who browse taboo content.

WHAT CAN WE DO?
If you're a Chromium user, just be prepared for the rollout of the new Privacy Sandbox features in the coming months, with origin trials underway and advertiser tests in Q2. Google plans to release opt-out functionality for these new features sometime in April.

If you're a web developer, you can opt out of cohort computation using a permissions policy (cohort computation is allowed by default). This excludes the URL and content of your site from the cohort calculation.

How do you feel about these new web features?

Are they an improvement to your privacy?

Could they be abused to put users into groups?

Discuss here:
https://t.me/neo_network_chat
The World's Last Independent Search Engine

🔍🛡🔎


Did you know that there was an independent search engine launched only a few years after Google was founded? In 2000, Matt Wells created Gigablast to index hundreds of billions of pages with the least amount of hardware possible.

Gigablast, the subject of today's piece, was brought to my attention by a reader. If you've got cool stuff to share, let me know by joining the discussion at neo-network.

Before beginning this piece, you should know how a search engine works. Search engines use web crawlers (or spiders), bots that navigate the web, download web pages, follow links to discover new pages, and save the content to an index along with keywords and content types. The index is what you're actually searching through when you use a search engine.

If you read through Matt's blog, you'll see that he's been fighting unfair treatment by the likes of tech giants since 2003, such as Verisign (an authoritative domain registry that runs 2 of the Internet's 13 root nameservers).

More recently, he's been having to fight the collusion & anti-competitive practices of tech giants trying to keep out smaller or newer search engines.

Here are some key points from his struggle:
- Google demands exclusivity from any company that displays Google results (Google results cannot be mixed with other search engines'), destroying any meta-search engines (search engines that combine results from multiple places).
- Cloudflare's CDN (if you've ever seen those DDoS protection warnings), which is heavily funded by Google, Bing, and Baidu, interferes with the indexing of content from millions of PUBLIC websites under the guise of 'protection', so that smaller search engines cannot build their results. Cloudflare even lets the Chinese search engine Baidu through unimpeded.
- GitHub, YouTube, Facebook & LinkedIn are no longer openly shared platforms: they share data with Google & Bing but limit or outright disallow other search engines.
- The US Government seems to support the Google monopoly (as if that were a surprise), limiting the rate at which alternative search engines can index the content of US government sites while not imposing the same restrictions on Google.

It's obvious that content on the web is being monopolized: our sources of information are dwindling and being centralized in the hands of a few, which makes it easier to censor them and to kill any independent alternatives.

What can we do?!

If you use the web:
- Use alternative search engines as much as possible, like Gigablast and private.sh.
- private.sh uses Gigablast as a search provider and offers encrypted searches (the contents of your query are encrypted so that only Gigablast can read them).

If you're a creator:
- Get off YouTube & Facebook; platforms like Odysee and Minds are independent and strive to be open.
- Get off LinkedIn, which is harvesting & monetizing your open data.
- Do not use Cloudflare for DDoS protection: your site will not be indexed by any alternative search engine, so if your site ever breaks the 'rules', no one will be able to find it.

Questions For The Reader:

How does the search engine collusion between Microsoft, Google, Cloudflare, and Chinese companies like Baidu change your stance on them?

Are YouTube's, LinkedIn's, and GitHub's practices of blocking alternative search engines inherently anti-competitive? What impact does this have on the internet?

Discuss here:
https://t.me/neo_network_chat
No post today :( trying to put out technical fires. Stay tuned for tomorrow's post though. We're gonna learn about the future of the internet

3️⃣
The Third Iteration Of The Internet: Part I, IPFS
@neo_network
2️⃣➡️3️⃣🕸

The internet as we know it, lovingly referred to as Web 2.0, started in the early 2000s and is now fully matured. (Web 2.0's been drinking its milk.)

This generation of the web gave rise to:
- Interactivity & user participation, dynamic content, electronic economies
- Data & power in the hands of a few, through huge centralized data stores (search engines, social media platforms)
- Advertisements & monetization, and its pressure on web content to keep people engaged
- Censorship by blocking access to singular servers

We're now seeing a movement towards a decentralized web, and in this series of posts we'll learn about some of the leading technologies.

Today, we'll talk about IPFS, the InterPlanetary File System.

IPFS is an internet protocol and peer-to-peer storage network released in 2015 by Protocol Labs. It enables users to store and access files, websites, applications, and data. IPFS has already been used as the file storage for several revolutionary projects like Brave and OpenBazaar. It has also been used to circumvent internet censorship, such as when Wikipedia was blocked in Turkey.

IPFS flips the philosophical paradigm of content ownership and access. Where before you asked the file's owners for access to content (like when you hit a website), you now participate in a network of computers that possess each other's files.

This is similar to the peer-to-peer torrenting software BitTorrent, which helped rapidly distribute music, movies, and software to the masses.

When using IPFS, your computer is an active participant in the network, making downloaded files available to others who may want them.

Another major principle of IPFS is its verifiability, meaning you can be sure that a piece of content is a genuine copy of the original. IPFS does this through content addressing: a unique content identifier created by hashing the file's content down to a manageable, fixed-length string. This identifier changes dramatically whenever the file is changed.

So how is content actually stored on IPFS? Content is split up into blocks, which are related to each other in a DAG (Directed Acyclic Graph, also used in Git's version control software), where each node has a content identifier that is the hash of its contents (its children). Breaking files into blocks enables them to be downloaded from different sources and reassembled. (Damn, if only Humpty Dumpty were around to see this.)

And lastly, how the hell do you ask for content from an entire network at once?

When asking for a specific file from the network, you'll have to look it up in a Distributed Hash Table (give me all the acronyms), which is like a dictionary of names & addresses, but distributed among many computers in a network.

There are two parts to this:
1. Look up the names of the nearest computers that can serve up the content
2. Find the current location of those computers

Then, it's just a matter of connecting to those computers and requesting the blocks that you need.

Boom! Simple, right?
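
The chunking, content addressing and verification described above, as an added Python example (my own simplified model, not IPFS's code): a file is split into blocks, each block is named by its SHA-256 hash, a root node lists the child hashes, and the fetcher re-hashes every block a peer serves so a tampered block is rejected rather than trusted. The fixed block size, the hex hash standing in for a real multihash CID, and the sample text are assumptions made for this example.

```python
import hashlib

BLOCK_SIZE = 4  # tiny so the short constructed sample splits into several blocks


def cid(data):
    """Simplified content identifier: hex SHA-256 of a block's bytes.
    Real IPFS wraps the digest in a multihash and encodes it (the 'bafy...'
    strings in gateway URLs), but the property is the same: a block's name is
    derived from its content, so the content can be checked against the name."""
    return hashlib.sha256(data).hexdigest()


def split_into_blocks(content, size=BLOCK_SIZE):
    """Chunk a file into fixed-size blocks (the leaves of the DAG)."""
    return [content[i:i + size] for i in range(0, len(content), size)]


def build_dag(content):
    """Return (root CID, block store). The root node's bytes are the ordered
    list of child CIDs, so the root CID commits to every leaf; changing any
    byte of the file changes a leaf CID and therefore the root CID."""
    store = {}
    child_cids = []
    for leaf in split_into_blocks(content):
        c = cid(leaf)
        store[c] = leaf  # identical blocks dedupe to one entry
        child_cids.append(c)
    root_node = "\n".join(child_cids).encode()
    root = cid(root_node)
    store[root] = root_node
    return root, store


def fetch_and_verify(root, peer_store):
    """Reassemble a file from blocks served by an untrusted peer. Every block
    is re-hashed and compared with the CID it was requested under, so a peer
    that serves altered bytes is caught instead of trusted."""
    root_node = peer_store[root]
    if cid(root_node) != root:
        raise ValueError("root node does not match its CID")
    out = bytearray()
    children = root_node.decode().split("\n") if root_node else []
    for child in children:
        block = peer_store[child]
        if cid(block) != child:
            raise ValueError("block %s... failed verification" % child[:12])
        out += block
    return bytes(out)


def is_verified(root, peer_store):
    """True if the peer's blocks reassemble into content matching the root CID."""
    try:
        fetch_and_verify(root, peer_store)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed sample content (not a real IPFS object).
    original = b"Hello, decentralized web! (constructed sample)"
    root, store = build_dag(original)
    assert fetch_and_verify(root, store) == original
    # Same bytes, same CID: a second copy anywhere in the network has the same name.
    assert build_dag(original)[0] == root
    # One changed byte: a different root, but untouched blocks keep their CIDs.
    edited_root, edited_store = build_dag(b"Jello, decentralized web! (constructed sample)")
    assert edited_root != root
    print("blocks shared between versions:", len(set(store) & set(edited_store)))
    # A peer that tampers with a block is detected on fetch.
    tampered = dict(store)
    tampered[cid(b"Hell")] = b"Evil"
    print("tampered store verifies:", is_verified(root, tampered))
```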

What should you do next?

1. Try navigating the DWeb.

You can navigate to the DWeb through an HTTP gateway by using a gateway host followed by an IPFS address.

The address will look something like:
https://ipfs.io/ipfs/bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m#x-ipfs-companion-no-redirect

2. Become a part of the DWeb, run IPFS on your computer.

Questions For The Reader
1. How else can you access the DWeb?
2. What are the effects of the DWeb on censorship, monetization, and user tracking?
3. How fast do you see the DWeb taking off?

Discuss at: @neo_network_chat

That was a lot of learning. I hope this writeup was informative. As always, join the active discussion at @neo_network, and I'll see you on the decentralized web.

Alright, you asked for it. An expository report about ProtonMail will be released later today.
Exposition: ProtonMail is Inherently Insecure, Your Emails Are Likely Compromised, Ties To Government Agencies: Part I

⚛️❗️🔓

READ AT:
@neo_network

I'm currently writing this post in a dark room by candlelight, and it seems fitting.

Ever since I got into this space, and even before, people have always been quick to recommend ProtonMail, a 'private' email service based in Switzerland.

I'll admit though, I went along with it and used the service, but after a while, seeing its growth gave me an uneasy gut feeling.

As I should have done half a year ago, I finally read into it, and my suspicions were validated.

If nothing else, take away these three points from this post:
1. ProtonMail is inherently insecure: if you've used the webmail client, ProtonMail has always had the ability to grab your password and private encryption key without you knowing, giving them backdated access to your emails.
2. ProtonMail lies to its supporters and has close ties with intelligence agencies and world governments.
3. ProtonMail has several points of security failure that many bad actors can exploit.

HISTORY
There are two versions of the ProtonMail origin story. There's the 'official' one, on their Wikipedia page, which describes Proton Technologies as being started by 'a group of scientists from CERN'.

And then there's the origin story that has been scrubbed from all of ProtonMail's marketing material and denied by official representatives that goes as follows:

The trio who created ProtonMail were CERN researchers along with an MIT graduate. They were [semifinalists](https://www.helpnetsecurity.com/2014/05/22/cern-mit-scientists-launch-swiss-based-secure-webmail/) at the 2014 MIT 100K startup launch competition.

Why was [his](https://archive.fo/9qmi1) involvement scrubbed from the history of the company? We'll find out later in Part II.

First let's see how secure ProtonMail really is.

CLAIMS
ProtonMail has made the following claims since the early days.

“We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties.”

There was no independent verification of these claims until 2018, when [Nadim Kobeissi released his own analysis](https://eprint.iacr.org/2018/1121.pdf). He was responding to the technical specification ProtonMail published in July 2016 detailing its "security features and infrastructure".

Nadim found that ProtonMail's architecture did "not guarantee end to end encryption for the majority of its users" along with a plethora of other concerns.

The majority of this post is a synthesis of [Nadim's technical paper](https://eprint.iacr.org/2018/1121.pdf) into layman's terms.

It won't take long to realize how blatantly insecure this is; you don't need to be a cryptographer or computer scientist to understand it.

Let's start by restating ProtonMail's claims as general security properties:

1. Confidentiality: An encrypted email sent from one person to another can only be read by those two people.
2. Authenticity: An email you received from someone must have been sent by them and can't be spoofed by someone in the middle.

Next, let's understand how ProtonMail's authentication and encryption schemes work.

First, ProtonMail uses a Zero-Knowledge Password Proof to avoid giving anyone else information about your password.

A [ZKPP](https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff) has a complex explanation, but its purpose is to show someone that you have a valid password without providing them any information (zero knowledge) about its value.

PM uses this method for user authentication, so that the user never sends ProtonMail their password. Why is this important?

"The security granted by this protocol extends to the user's private keys, which are encrypted with a salted hash of their password before being sent to the server"

Stop right there. Yes, that's right: the most critical piece of the 'private' email service, your private key, is sent to and saved on ProtonMail's server.
PM openly states that they have your private key, and it is only a matter of getting access to your password to decrypt the encrypted private key.

In addition to this, ProtonMail has no password requirements, and has been tested with passwords like '1', 'iloveyou', and 'password', which are all trivial to crack in dictionary attacks. Once a guess is confirmed, an attacker has your entire email history.

That's still not the main flaw:

THE FLAW
The inherent security flaw is introduced with the ProtonMail WebMail portal, the normal web application that we've all visited in the browser.

And the flaw is that it is relatively simple for ProtonMail to serve you a modified version of their web application or of the underlying PGP implementation. There is no way to cryptographically verify that you are getting the official version of the web client as [stored in their repository](https://github.com/ProtonMail/WebClient).

If PM decides to act maliciously, they can do so undetected. Unlike the mobile application, whose binaries are cryptographically signed to match the official codebase, there is no method to verify a web application.

Once they have your password, they can use it with the private key that they have stored for you to decrypt any communication you've ever made through ProtonMail.

Additionally, they can spoof email messages to others on your behalf.

PM also has an Encrypt-To-Outside feature, which allows you to send encrypted email to users of other email providers.

Not only are PM's servers involved in this, but so is a third party, like Microsoft Outlook.

It works by redirecting the recipient to a PM page in which they type an encryption key that they must already know through some outside channel, and this key decrypts the message. They also receive the PM sender's public key so that they can write an encrypted reply.

This leaves several attacks open:
1. PM can once again replace the web application or PGP software to recover the original message and passcode.
2. PM can also give the recipient a different public key, one whose private key they hold, retrieving the reply for themselves, which they can then re-encrypt with the sender's real public key, completely undetected.
3. The third-party mail server is free to do the same: sending its own URL while pretending to be PM lets it harvest the encryption key, which lets it read the original message. Once it has the original message, it can use it to derive the private key, and is then able to encrypt the reply back to the sender using their public key.

CONCLUSIONS & RECOMMENDATIONS
- ProtonMail's WebMail client cannot be verified to do what it says (this goes for most web apps, but it is especially serious here because private keys are stored on ProtonMail's servers).
- ProtonMail cannot claim E2E encryption.
- A larger implication is that no encrypted web application can be trusted to encrypt your data. This goes for other mailers and services like CTemplar, CryptPad and more; the research needs to be done.
- If we really want privacy, users should generate their own public & private keys.
- [ProtonMail's response to this analysis](https://protonmail.com/blog/cryptographic-architecture-response/) (which tries to brush it aside) shows that they've known about this for a while and aren't going to do anything to fix it.

Unfortunately, I wish I had more recommendations, but discovering this has got me rethinking every 'encrypted' web application I use on the computer.

In Part II we will uncover many of ProtonMail's lies and ties to government entities.

Discuss at: @neo_network_chat