https://t.me/neo_network
neo: a new or revived form of.
The internet is a way of life. Are you living your best one?
Welcome to the neo-network, this is a content venture with daily updates. We're going to explore the digital frontier and create our own neo-networks along the way.
You'll be reading about:
- Low level technologies that will radically change how you use the internet
- New & existing tools that improve your workflow
- Breaking tech news and their implications
- Interviews with experts and knowledge-sharing
Telegram
Ramiro Romani's neo-network
founder of @takebackourtech,
part of freedcomcells.org, thegreaterreset.org
neo: a new or revived form of.
Break free of the former internet. Daily posts & content that teach you new revolutionary technologies.
✉️🪓⁉️
What happens when you send your emails to the trash? *poof* and it's gone? Not so. Most states in the United States require email retention between 3 - 7 years.
https://www.intradyn.com/email-retention-laws/
Think twice about sending sensitive communications through the webmail you are accustomed to.
Are there better email laws out there? Sure, there's one country that comes to mind: Iceland. They don't have ANY data retention laws for your mail. Icelandic companies are not required to save your mail whatsoever. You can use a VPN to further hide your information from Icelandic ISPs, which are required to store data for 6 months.
And the email service I suggest is CTemplar - I have been very happy with their commitment to privacy, and no, I'm not getting any bonuses for sharing this with you (unfortunately).
They allow anonymous payments using Monero; they don't record, monitor, or store any submitted information; and they have zero data access (they couldn't read your messages if they tried).
Interested in learning more?
https://ctemplar.com
You can get an invite code to start using a free account by emailing support@ctemplar.com
Google Chrome Is Getting a New Machine Learning Model That Groups Its Users
🍪👁🧮
https://t.me/neo_network
THE NEWS
The Chromium Project, the open source Google-funded initiative that developed the engine behind Google Chrome and many other browsers (Brave, Opera, Microsoft Edge) released new details on their 2019 proposal for The Privacy Sandbox.
Given Chrome's 65% market share across all browsers - this is going to be huge.
WHAT'S THE PROPOSAL?
Chromium is starting to get rid of the third-party cookie tracking and fingerprinting techniques that are traditionally used to target relevant advertisements to you as you surf the web (and implicitly track you). They favor replacing them with new functionality that aims to give advertisers and users the same result. It was hard to get any details on this functionality until late last year, and now more is being explained.
WHAT'S THE NEW FUNCTIONALITY?
New details were announced last month about Federated Learning of Cohorts, which is one of the highly favored proposals and will be released for testing in March (among others). It works by feeding a user's browsing behavior to a local machine learning model that groups users into clusters, which can then be used to target ads specifically to these groups.
Behind this functionality is a new browser API, which is local to your machine and gets updated with new information as you browse the internet. The machine learning model may be fed 'URLs, content, or other factors' to cluster you. It's important to note that your browsing data isn't exposed, just your cohort, which the browser ensures is 'well-distributed'; each cohort may represent thousands of people.
BENEFITS
So does this improve privacy? It will in the sense of the large ad networks that use third party cookies to create targeted advertising profiles of their users. But browsers like Firefox, Safari, Brave, and Edge have already created measures to block third party cookies, and there are plenty of addons that can help with this, although they aren't used by many people.
RISKS
There are a few risks that the proposal itself recognizes. The first is that users can now be tied to their general interests (or, theoretically, any cluster a cohort groups them into) through a site that has their PII or email. The cohorts can also be used as a pseudo-identifier, in combination with the IP address, to identify someone if the cohort sizes are small enough. Lastly, a cohort might reveal sensitive information about the user, such as that they work in a particular industry, are an investigative journalist, or browse taboo content.
WHAT CAN WE DO?
If you're a Chromium user, just be prepared for the rollout of the new Privacy Sandbox features in the coming months, with origin trials underway and advertiser tests in Q2. Google plans to release opt-out functionality for these new features sometime in April.
If you're a web developer, you can opt out of cohort computation using a permissions policy (cohort computation is allowed by default). This excludes the URL and content of that site from the cohort calculation.
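Here's what that developer opt-out looks like in practice, as an added example (not from the Chromium proposal or this post). The header name and value, Permissions-Policy: interest-cohort=(), are taken from the FLoC origin-trial documentation as I know it; the tiny server and the header parser are my own, and the header sets used to exercise the checker are constructed. The checker is the part worth keeping: it tells you whether a site you run (or visit) has actually excluded itself, since a missing directive means the browser default, which for cohorts is "allowed".

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header that excludes a page from cohort computation. The feature name
# "interest-cohort" comes from the FLoC origin-trial documentation as I know
# it, not from the post above; an empty allowlist "()" disables the feature.
COHORT_OPT_OUT = ("Permissions-Policy", "interest-cohort=()")


def parse_permissions_policy(value):
    """Parse a Permissions-Policy header value into {feature: allowlist}.

    "geolocation=(self), interest-cohort=()" -> {"geolocation": ["self"], "interest-cohort": []}
    A feature that is absent means "browser default", which for cohorts is "allowed".
    """
    policy = {}
    for directive in value.split(","):
        feature, sep, allowlist = directive.strip().partition("=")
        if not sep:
            continue  # malformed directive: ignore it rather than guess
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            allowlist = allowlist[1:-1]
        policy[feature.strip()] = allowlist.split()
    return policy


def opts_out_of_cohorts(headers):
    """True only if some Permissions-Policy header gives interest-cohort an empty allowlist."""
    for name, value in headers:
        if name.lower() == "permissions-policy":
            policy = parse_permissions_policy(value)
            if "interest-cohort" in policy and policy["interest-cohort"] == []:
                return True
    return False


class OptOutHandler(BaseHTTPRequestHandler):
    """Minimal server that serves every page with the opt-out header set."""

    def do_GET(self):
        body = b"<html><body>This page is excluded from cohort calculation.</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header(*COHORT_OPT_OUT)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed header sets to exercise the checker, then serve locally.
    print(opts_out_of_cohorts([COHORT_OPT_OUT]))                                   # True
    print(opts_out_of_cohorts([("Permissions-Policy", "interest-cohort=(self)")]))  # False
    print(opts_out_of_cohorts([]))                                                  # False
    HTTPServer(("127.0.0.1", 8080), OptOutHandler).serve_forever()
```

Run it and request http://127.0.0.1:8080/ with curl -i to see the header on the wire. Note that interest-cohort=(self) or interest-cohort=* does NOT opt you out; only the empty allowlist does, which is why the checker compares against an empty list rather than just looking for the feature name.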
How do you feel about these new web features?
Are they an improvement to your privacy?
Could they be abused to put users into groups?
Discuss here:
https://t.me/neo_network_chat
The World's Last Independent Search Engine
🔍🛡🔎
https://t.me/neo_network
Did you know that there was an independent search engine launched only a few years after Google was founded? In 2000, Matt Wells created Gigablast to index hundreds of billions of pages with the least amount of hardware possible.
Gigablast, the subject of today's piece, was brought to my attention by a reader. If you've got cool stuff to share, let me know by joining the discussion at neo-network
Before beginning this piece, you should know how a search engine works. Search engines use web crawlers (or spiders), which are bots that navigate the web and download web pages, using links to discover new webpages, and save the content to an index along with keywords and content types. The index is what you're actually searching through when you use a search engine.
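To make the crawl-then-index loop concrete, here is a small crawler and inverted index as an added example; it is my code, not Gigablast's. The "web" it crawls is a constructed in-memory dictionary of four pages, so nothing touches the network, and the user-agent name neo-crawler is made up. It also honours robots.txt, which shows the flip side of the story below: a page a site operator (or a CDN in front of it) withholds from a crawler simply never enters the index, so no query can ever find it.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.robotparser import RobotFileParser

# Constructed in-memory "web" (URL -> body); nothing here touches the network.
SITE = {
    "https://example.test/robots.txt": "User-agent: *\nDisallow: /private/\n",
    "https://example.test/": (
        "<html><title>Home</title><body>Welcome to the <a href='/about'>about</a> page "
        "and the <a href='/private/notes'>notes</a>.</body></html>"
    ),
    "https://example.test/about": (
        "<html><title>About</title><body>We build search tools. "
        "Back <a href='/'>home</a>.</body></html>"
    ),
    "https://example.test/private/notes": (
        "<html><title>Notes</title><body>secret planning notes</body></html>"
    ),
}


class PageParser(HTMLParser):
    """Pull the title, outgoing links and lower-cased words out of one HTML page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.links, self.words, self.title = base_url, [], [], ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(urljoin(self.base_url, v) for k, v in attrs if k == "href" and v)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.words.extend(w for w in (t.lower().strip(".,!?") for t in data.split()) if w)


def crawl(seed, fetch, max_pages=100):
    """Breadth-first crawl from seed, staying on its host and honouring robots.txt.

    fetch(url) returns the page body or None. Returns (inverted index, titles, blocked URLs).
    """
    host = urlparse(seed).netloc
    robots = RobotFileParser()
    robots.parse((fetch(urljoin(seed, "/robots.txt")) or "").splitlines())
    index, titles, blocked = defaultdict(set), {}, []
    queue, seen = [seed], {seed}
    while queue and len(titles) < max_pages:
        url = queue.pop(0)
        if not robots.can_fetch("neo-crawler", url):   # constructed user-agent name
            blocked.append(url)                         # never fetched, never indexed
            continue
        body = fetch(url)
        if body is None:
            continue
        page = PageParser(url)
        page.feed(body)
        titles[url] = page.title.strip()
        for word in page.words:
            index[word].add(url)                        # word -> set of URLs containing it
        for link in page.links:
            if urlparse(link).netloc == host and link not in seen:
                seen.add(link)
                queue.append(link)
    return index, titles, blocked


def search(index, query):
    """Return URLs (sorted) whose indexed words contain every term of the query."""
    terms = [t.lower() for t in query.split()]
    if not terms:
        return []
    return sorted(set.intersection(*(index.get(t, set()) for t in terms)))


if __name__ == "__main__":
    index, titles, blocked = crawl("https://example.test/", SITE.get)
    print(titles)                      # the two crawlable pages
    print(blocked)                     # the /private/ page robots.txt kept out
    print(search(index, "search tools"))
    print(search(index, "secret"))     # [] : withheld content is unsearchable
```

Swap SITE.get for a real fetcher (urllib.request with a timeout and a size cap) and this is the skeleton of every engine in the post; the index dict is the thing you are "actually searching through".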
If you read through Matt's blog, you'll see that he's been fighting unfair treatment by tech giants since 2003, starting with Verisign (an authoritative domain registry that runs 2 of the Internet's 13 root nameservers).
More recently, he's been having to fight the collusion & anti-competitive practices of tech giants trying to keep out smaller or newer search engines.
Here are some key points from his struggle:
- Google demands exclusivity from any company that displays Google results (Google results cannot be mixed with other search engines'), destroying any meta-search engines (search engines that combine results from multiple places)
- Cloudflare's CDN (if you've ever seen those DDoS protection warnings), which is heavily funded by Google, Bing, and Baidu, interferes with the indexing of content from millions of PUBLIC websites under the guise of 'protection', so smaller search engines cannot build their results. Cloudflare even lets the Chinese search engine Baidu index unimpeded.
- GitHub, YouTube, Facebook & LinkedIn are no longer openly shared platforms; they only share data with Google & Bing but limit or outright disallow other search engines.
- The US Government seems to support the Google monopoly (as if it was a surprise), limiting the rate at which alternative search engines can index the content of US government sites, while not imposing the same restrictions on Google.
It's obvious that all content on the web is being monopolized; our sources of information are dwindling and being centralized in the hands of a few, which makes it easier to censor and kill any independent alternatives.
What can we do?!
If you use the web:
- Use alternative search engines as much as possible like Gigablast and private.sh.
- private.sh uses Gigablast as a search provider and offers encrypted searches (where the contents of your query are encrypted so only Gigablast can read it)
If you're a creator:
- Get off YouTube & Facebook; there are platforms like Odysee and Minds which are independent and strive to be open
- Get off LinkedIn, which is harvesting & monetizing your open data
- Do not use Cloudflare for DDoS protection: your site will not be indexed by any alternative search engines, and thus, if your site ever breaks the 'rules', no one will be able to find it.
Questions For The Reader:
How does the search engine collusion between Microsoft, Google, Cloudflare, and Chinese companies like Baidu change your stance on them?
Are YouTube's, LinkedIn's, and GitHub's practices of blocking alternative search engines inherently anti-competitive? What impact does this have on the internet?
Discuss here:
https://t.me/neo_network_chat
No post today :( trying to put out technical fires. Stay tuned for tomorrow's post though. We're gonna learn about the future of the internet
3️⃣
The Third Iteration Of The Internet: Part I, IPFS
@neo_network
2️⃣➡️3️⃣🕸
The internet as we know it, lovingly referred to as Web 2.0, started in the early 2000's and is now fully matured. (Web 2.0's been drinking their milk)
This generation of the web gave rise to:
- Interactivity & user participation, dynamic content, electronic economies
- Data & power in the hands of a few, through huge centralized data stores (search engines, social media platforms)
- Advertisements & monetization, and the pressure they put on web content to keep people engaged
- Censorship by blocking access to singular servers
We're now seeing a movement towards a decentralized web, and in this series of posts we'll learn about some of the leading technologies.
Today, we'll talk about IPFS, the InterPlanetary File System.
IPFS is an internet protocol and peer-to-peer storage network released in 2015 by Protocol Labs. It enables users to store and access files, websites, applications, and data. IPFS has already been used as the file storage for several revolutionary projects like Brave and OpenBazaar. It has also been used to circumvent internet censorship, such as when Wikipedia was blocked in Turkey.
IPFS flips the philosophical paradigm of content ownership and access. Where before you asked the file's owners for access to content (like when you hit a website), you now participate in a network of computers that possess each other's files.
This is similar to the peer-to-peer torrenting software BitTorrent, which helped rapidly distribute music, movies, and software to the masses.
When using IPFS, your computer is an active participant in the network, making downloaded files available to others who may want them.
Another major principle of IPFS is its verifiability, meaning you can be sure that a piece of content is a genuine copy of the original. IPFS does this through content addressing: a unique content identifier created by hashing the content of the file over and over until it's a manageable string. This identifier will dramatically change when the file is changed.
So how is content actually stored on IPFS? Content is split up into blocks, related to each other in a DAG (Directed Acyclic Graph, also used by Git's version control software), where each node has a content identifier that is the hash of its contents (its children). Breaking files up into blocks enables them to be downloaded from different sources and rebuilt together. (damn, if only Humpty Dumpty was around to see this)
And lastly, how the hell do you ask for content from an entire network at once?
When asking for a specific file from the network, you'll have to look it up in a Distributed Hash Table (give me all the acronyms), which is like a dictionary of names & addresses, but distributed among many computers in a network.
There's two parts to this:
1. Look up the names of the nearest computers that can serve up the content
2. Find the current location of those computers
Then, it's just a matter of connecting to those computers and requesting the blocks that you need.
Boom! Simple, right?
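Simple enough to fit in a toy, so here is the whole pipeline from above as an added example: chunking into blocks, a root node whose identifier is the hash of its children, the two-step DHT lookup, and the verification that makes a CID worth trusting. This is my illustration, not Protocol Labs' code: the "CID" is just base32 of SHA-256 (the real format is a multihash with codec prefixes), the DHT is a plain dict of cid -> peer names, the peer address table is a second dict, and the peers and sample bytes are constructed. The part to pay attention to is fetch_block: every copy is re-hashed on arrival, so a peer handing back a doctored block is simply ignored and the next provider is tried.

```python
import base64
import hashlib

BLOCK_SIZE = 6  # constructed: tiny blocks so a short sample splits into several


def cid(data):
    """Toy content identifier: base32 of SHA-256(data). Same shape as a CID, not a real multihash."""
    return base64.b32encode(hashlib.sha256(data).digest()).decode().rstrip("=").lower()


def build_dag(content, block_size=BLOCK_SIZE):
    """Chunk content into leaf blocks; the root block lists the leaf CIDs in order.

    Returns (root_cid, {cid: block}). Changing one byte changes that leaf's CID,
    and therefore the root CID, which is why a CID pins exactly one version of a file.
    """
    blocks, leaves = {}, []
    for i in range(0, len(content), block_size):
        chunk = content[i:i + block_size]
        blocks[cid(chunk)] = chunk
        leaves.append(cid(chunk))
    root = "\n".join(leaves).encode()
    blocks[cid(root)] = root
    return cid(root), blocks


def announce(dht, peer, blocks):
    """A peer records in the toy DHT (cid -> set of peer names) which blocks it can serve."""
    for c in blocks:
        dht.setdefault(c, set()).add(peer)


def fetch_block(c, dht, addresses, stores):
    """The two lookup steps from the post, then a verified download.

    1. dht[c] gives the names of peers holding the block.
    2. addresses[peer] gives where that peer currently is (stores is keyed by address).
    Each copy is re-hashed; a copy whose hash is not c is discarded and the next peer is tried.
    """
    for peer in sorted(dht.get(c, ())):
        addr = addresses.get(peer)
        if addr is None:
            continue  # peer announced the block but is currently unreachable
        data = stores.get(addr, {}).get(c)
        if data is not None and cid(data) == c:
            return data
    raise ValueError("no peer served a valid copy of " + c)


def fetch_and_verify(root_cid, dht, addresses, stores):
    """Rebuild the file from the network, verifying the root and every leaf block."""
    root = fetch_block(root_cid, dht, addresses, stores)
    leaves = [c for c in root.decode().split("\n") if c]
    return b"".join(fetch_block(c, dht, addresses, stores) for c in leaves)


if __name__ == "__main__":
    root, blocks = build_dag(b"Hello, decentralized web!")
    dht, addresses, stores = {}, {"peerA": "10.0.0.1", "peerB": "10.0.0.2"}, {}
    # peerA serves a doctored first block; peerB serves a faithful copy.
    first_leaf = blocks[root].decode().split("\n")[0]
    stores["10.0.0.1"] = dict(blocks, **{first_leaf: b"Hacked"})
    stores["10.0.0.2"] = dict(blocks)
    announce(dht, "peerA", stores["10.0.0.1"])
    announce(dht, "peerB", stores["10.0.0.2"])
    print(root)
    print(fetch_and_verify(root, dht, addresses, stores))  # intact, because peerA's block failed its hash check
```

Two things to notice when you run it: hashing one changed byte gives a completely different root CID (the "dramatically change" in the text), and a tampered block is rejected without any trust in the peer that sent it. Only if no peer at all has a valid copy does the fetch fail.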
What should you do next?
1. Try navigating the DWeb.
You can navigate to the DWeb through an HTTP gateway by using a gateway host followed by an IPFS address.
The address will look something like:
https://ipfs.io/ipfs/bafybeifx7yeb55armcsxwwitkymga5xf53dxiarykms3ygqic223w5sk3m#x-ipfs-companion-no-redirect
2. Become a part of the DWeb, run IPFS on your computer.
Questions For The Reader
1. How else can you access the DWeb?
2. What are the effects of the DWeb on censorship, monetization, and user tracking?
3. How fast do you see the DWeb taking off?
Discuss at: @neo_network_chat
That was a lot of learning. I hope this writeup was informative. As always, join the active discussion at @neo_network, and I'll see you on the decentralized web.
Alright you asked for it. An expository report about ProtonMail will be released later today.
Exposition: ProtonMail is Inherently Insecure, Your Emails Are Likely Compromised, Ties To Government Agencies: Part I
⚛️❗️🔓
READ AT:
@neo_network
I'm currently writing this post in a dark room by candlelight and it seems fitting.
Ever since I got into this space, and even before, people have always been quick to recommend ProtonMail, a 'private' email service based in Switzerland.
I'll admit though, I went along with it and used the service, but after a while, seeing its growth gave me an uneasy gut feeling.
As I should have done half a year ago, I finally read into it, and my suspicions were validated.
If nothing else, take away these three points from this post:
1. ProtonMail is inherently insecure: if you've used the webmail client, ProtonMail has always had the ability to grab your password and private encryption key without you knowing, giving them backdated access to your emails.
2. ProtonMail lies to its supporters and has close ties with intelligence agencies, and world governments.
3. ProtonMail has several points of security failure which can be utilized by many bad actors.
HISTORY
There are two versions of the ProtonMail origin story. There's the 'official' one, on their Wikipedia, which describes Proton Technologies as being started by 'a group of scientists from CERN'.
And then there's the origin story that has been scrubbed from all of ProtonMail's marketing material and denied by official representatives that goes as follows:
The trio who created ProtonMail were CERN researchers along with an MIT graduate. They were [semifinalists](https://www.helpnetsecurity.com/2014/05/22/cern-mit-scientists-launch-swiss-based-secure-webmail/) at the 2014 MIT 100K startup launch competition.
Why was [his](https://archive.fo/9qmi1) involvement scrubbed from the history of the company? We'll find out later in Part II.
First let's see how secure ProtonMail really is.
CLAIMS
ProtonMail has made the following claims since the early days.
“We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties,”
There was no independent verification of these claims until 2018, when [Nadim Kobeissi released his own analysis](https://eprint.iacr.org/2018/1121.pdf). He responded to the claims made in ProtonMail's technical specification, "security features and infrastructure", from July 2016.
Nadim found that ProtonMail's architecture did "not guarantee end to end encryption for the majority of its users" along with a plethora of other concerns.
The majority of this post is synthesizing [Nadim's technical paper](https://eprint.iacr.org/2018/1121.pdf) into layman language.
It won't take long to realize how blatantly insecure this is; you don't need to be a cryptographer or computer scientist to understand it.
Let's start by defining ProtonMail's claims in general security characteristics:
1. Confidentiality: An encrypted email sent from one person to another can only be read by those two people.
2. Authenticity: An email you received from someone must have been sent by them and can't be spoofed by someone in the middle.
Next, let's understand how ProtonMail's authentication and encryption schemes work.
First, ProtonMail uses a Zero-Knowledge Password Proof to avoid giving anyone else information about your password.
[ZKPP](https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff) has a complex explanation, but its purpose is to prove to someone that you have a valid password without giving them any information (zero knowledge) about its value.
PM uses this method for user authentication, so the user never sends ProtonMail their password. Why is this important?
"The security granted by this protocol extends to the user's private keys, which are encrypted with a salted hash of their password before being sent with the server"
Stop right there. Yes, that's right: the most critical piece of the 'private' email service, your private key, is sent to and saved on ProtonMail's server.
⚛️❗️🔓
READ AT:
@neo_network
I'm currently writing this post in a dark room by candelight and it seems fitting.
Ever since I got into this space, and even before, people have always been quick to recommend ProtonMail, a 'private' email service based in Switzerland.
I'll admit though, I went along with it and used the service, but after a while, seeing its growth gave me an uneasy gut feeling.
As I should have done half a year ago, I finally read into it, and my suspicions were validated.
If nothing else, take away these three points from this post:
1. ProtonMail is inherently insecure, if you've used the Webmail client, ProtonMail has always had the ability to grab your password and private encryption key without you knowing, giving them backdated access to your emails.
2. ProtonMail lies to its supporters and has close ties with intelligence agencies, and world governments.
3. ProtonMail has several points of security failure which can be utilized by many bad actors.
HISTORY
There are two versions of the ProtonMail origin story. There's the 'official' one, on their Wikipedia, which describes Proton Technologies as being started by 'a group of scientists from CERN'.
And then there's the origin story that has been scrubbed from all of ProtonMail's marketing material and denied by official representatives that goes as follows:
The trio who created ProtonMail were CERN researchers along with a MIT graduate. They were [semifinalists](https://www.helpnetsecurity.com/2014/05/22/cern-mit-scientists-launch-swiss-based-secure-webmail/) at the 2014 MIT 100K startup lunch competition.
Why was [his](https://archive.fo/9qmi1) involvement scrubbed from the history of the company? We'll find out later in Part II.
First let's see how secure ProtonMail really is.
CLAIMS
ProtonMail has made the following claims since the early days.
“We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties,”
There has never been independent verification of these claims until 2018, where [ Nadim Kobeissi released his own analysis](https://eprint.iacr.org/2018/1121.pdf). He responded to the claims made by ProtonMail's technical specification detailing "security features and infrastructure" in July 2016.
Nadim found that ProtonMail's architecture did "not guarantee end to end encryption for the majority of its users" along with a plethora of other concerns.
The majority of this post is a synthesis of [Nadim's technical paper](https://eprint.iacr.org/2018/1121.pdf) into layman's terms.
It won't take long to realize how blatantly insecure this is; you don't need to be a cryptographer or computer scientist to understand it.
Let's start by defining ProtonMail's claims in general security characteristics:
1. Confidentiality: An encrypted email sent from one person to another can only be read by those two people.
2. Authenticity: An email you received from someone must have been sent by them and can't be spoofed by someone in the middle.
Next, let's understand how ProtonMail's authentication and encryption schemes work.
First, ProtonMail uses a Zero-Knowledge Password Proof to avoid giving anyone else information about your password.
[ZKPP](https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff) has a complex explanation, but its purpose is to show someone you have a valid password without providing them any information (zero knowledge) about its value.
PM uses this method for user authentication, to prevent the user from ever sending ProtonMail their password. Why is this important?
"The security granted by this protocol extends to the user's private keys, which are encrypted with a salted hash of their password before being sent with the server"
Stop right there. Yes, that's right: the most critical piece of the 'private' email service, your private key, is sent to and saved on ProtonMail's server.
PM openly states they have your private key, and it is only a matter of getting access to your password to decrypt the encrypted private key.
In addition to this, ProtonMail has no password requirements, and has been tested with passwords like '1', 'iloveyou', and 'password', which are all trivial to crack in dictionary attacks. Once one of these is confirmed, an attacker has your entire email history.
That's still not the main flaw:
THE FLAW
The inherent security flaw is introduced with the ProtonMail WebMail portal, the normal web application that we've all visited in the browser.
And the flaw is that it is relatively simple for ProtonMail to serve you a modified version of their web application or the underlying PGP implementation. There is no way to cryptographically verify that you are getting the official version of the web client as [stored in their repository](https://github.com/ProtonMail/WebClient).
If PM decides to act maliciously, they can do so undetected. Unlike the mobile application, whose binaries get cryptographically signed to match the official codebase, there is no method to verify a web application.
Once they have your password, they can use it with the private key that they have stored for you to decrypt any communication you've ever made through ProtonMail.
Additionally, they can spoof email messages to others on your behalf.
PM also has an Encrypt-To-Outside feature, which allows you to send encrypted email to other email providers.
Not only are PM servers involved in this, but a third party, like Microsoft Outlook.
It works by redirecting the recipient to a PM page in which they type an encryption key that they should have prior outside knowledge of, and this key decrypts the message. They also receive the PM sender's public key so that they can write a reply back.
This leaves several attacks open:
1. PM can once again replace the web application or PGP software to recover the original message and passcode.
2. PM can also give the recipient a different public key, one that they have the private key to, retrieving the reply for themselves, which they can once again reencrypt with the sender's public key - completely undetected.
3. The third party mail server is free to do the same, sending their own URL, pretending to be PM, allowing them to harvest the encryption key, which allows them to get the original message. Once they have the original message, they can use it to derive the private key. Then they are able to encrypt the reply back to the sender using their public key.
CONCLUSIONS & RECOMMENDATIONS
- ProtonMail's WebMail client cannot be verified to do what it says (this goes for most apps, but since private keys are stored on ProtonMail's servers - this is especially true).
- ProtonMail cannot claim E2E encryption
- A larger implication is that any encrypted web application can't be trusted to encrypt your data. This goes for other mailers and services like CTemplar, CryptPad and more... the research needs to be done.
- If we really want privacy, users should generate their own public & private keys.
- [ProtonMail's response to this analysis](https://protonmail.com/blog/cryptographic-architecture-response/) (which tries to brush it aside) shows that they've known about this for a while and aren't going to do anything to fix it.
Unfortunately, I wish I had more recommendations, but discovering this has me rethinking every 'encrypted' web application I use on the computer.
In Part II we will uncover many of ProtonMail's lies and ties to government entities.
Discuss at: @neo_network_chat
After the exposition on ProtonMail yesterday, I got to verifying the other services I use. First was CTemplar, an email service based in Iceland, which I fully recommend using.
CTemplar has been aware of the ProtonMail vulnerability and even links the paper by Professor Kobeissi that we discussed in yesterday's post.
Although they do use the same client-side OpenPGP library maintained by ProtonMail (it's likely the only one in the world that works in browsers, and a whole post could be written about it), they have accounted for the concern and developed a system that allows you to compare the code in your browser with the code that they've published. Here are instructions on how to do so.
This is in stark contrast to ProtonMail's response to Kobeissi's analysis that tries to frame the vulnerability as 'his opinion' and not a real problem with their infrastructure.
As you can see, there are people out there who are dedicated to achieving the utmost privacy, instead of pretending to be. Maybe ProtonMail should be open to implementing a similar method, after all - they should have nothing to hide?
Later on today, we will see the troubling origin of ProtonMail and why they shouldn't be given the benefit of the doubt.
Forwarded from G3 News
Harris County Judge Calls Lit Up Downtown Skyscrapers in Houston Amid Outages "Maddening"
📡@G3News: With more than 1.3 million people in the Houston area still without electricity in the bitter cold, many wondered why empty offices in downtown skyscrapers remained brightly lit Monday night.
On Monday at about 8:30 p.m., the Houston skyline was visible, brightly lit up in the night as surrounding homes and businesses were left in the dark.
SOURCE | SUPPORT G3
"Better to die fighting for freedom than be a prisoner all the days of your life"
- Bob Marley
Exposition: ProtonMail is Inherently Insecure, Your Emails Are Likely Compromised, Ties To Government Agencies: Part II
@neo_network
🚨🍯🇨🇭
In Part I, we looked into the details of ProtonMail's security vulnerabilities, and we discovered that IF ProtonMail was a malicious actor, they could easily decrypt all your emails.
In Part II, we'll see why ProtonMail is very likely a bad actor, after looking at red flags with their origin, blatant lies in their privacy policies, false claims, illegal activities, and more.
Full disclosure, a lot of the primary research was performed by another investigative journalist, Privacy Watchdog who has been investigating ProtonMail for a while. Rather than retell his findings, I will iterate the main points (there are many), and add commentary on things I have researched on top of it.
1. ProtonMail was likely created under the oversight of US intelligence agencies, having been founded at MIT. Although this is proven through backdated articles, resumes, and Twitter posts, ProtonMail now denies any involvement with MIT (look at their Wikipedia page, site, etc.). This should strike you as very suspicious.
Here's the full article by Privacy Watchdog.
2. ProtonMail flat out lied to its supporters after raising 550K in crowdfunding.
Here's a direct quote from their IndieGogo (crowdfunding) page.
"We firmly believe that ProtonMail can only succeed in its mission if it remains independent. [...] There are certain powerful governments and corporations out there who are in the business of controlling and exploiting personal data that will try to hinder us."
Only 7 months after the campaign (they may have been in talks during the campaign), ProtonMail sold equity to Charles River Ventures and FONGIT.
CRV's founder was part of the US Dept. of State under Obama and delegate to the UN.
FONGIT is financed by the Swiss Government, which has an MLAT treaty with the US government, allowing both countries to share user data back and forth.
Here's more details by Privacy Watchdog.
3. Countless lies about its activities, including conducting illegal cyber warfare, its privacy policy, deletion policy, and more.
After looking up the false claims in the Privacy Watchdog article it was actually quite astounding to me how easy it is to catch their lies.
Here's a discussion about the change in Privacy Policy, in 2018.
In their new privacy policy they say the following:
"IP Logging: By default, ProtonMail does not keep permanent IP logs. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions
Your login IP address is also kept permanently (until you delete it) if you enable authentication logging for your account (by default this is off). The legal basis of this processing is consent, and you are free to opt-in or opt-out at any time in the security panel of your ProtonMail account."
Keep in mind by Swiss law, they are legally required to keep user data around for 6 months. Swiss laws aren't as private as they seem.
Additionally, they have all your email metadata - this has always been unencrypted and ProtonMail does not offer any protection for this. This includes (from the privacy policy) "sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times."
This is incredibly helpful for law enforcement investigations; the content of the emails is usually not needed.
4. ProtonMail fully complies with Swiss authorities, and foreign requests that have been approved by Swiss authorities (MLAT treaty).
In their warrant canary, they openly show how they retained user data based on a request from the FBI via the MLAT agreement.
They've complied a little under 2,000 times with authorities since 2017, retaining data, handing over 'encrypted' emails, and the associated metadata (which can be used as evidence just as strong as the content of the emails themselves).
Conclusion
I hope this puts to bed the notion that ProtonMail can be trusted with your emails. If you're on ProtonMail, I hope you realize as the laws change, that you can and will be compromised.
Discuss here:
@neo_network_chat
Forwarded from D
We now return to our regularly scheduled programming…
After several days of constant DDoS attack, the Freedom Cell Network has implemented the first defense out of many, and for now it seems as if the attackers have stopped.
We would like to take this time to warn you about scam sites that have appeared recently. These sites appear to represent The Freedom Cell Network; they have similar URLs like ‘freedomcells.net’. These scam sites lure you into logging in (where they no doubt will steal your login information), and attempt to get you to purchase cryptocurrency tokens.
Please know you will always be able to visit this site through our official domain name: freedomcells.org
Welcome back, and thank you for your support. <3
https://www.freedomcells.org
@neo_network
I'm proud to announce my first article feature on The Conscious Resistance Network - if you haven't read it, check out Part I of ProtonMail is Inherently Insecure, Your Emails Are Likely Compromised
@neo_network
Join the network at: @neo_network_chat
⚡️🥶🆘
Our beliefs in the current system are being challenged once more as temperatures freeze across the country.
The Electric Reliability Council of Texas (ERCOT) which manages the power generation and distribution to more than 26 million Texas customers (90% of the whole state) is on emergency alert. They have implemented "rotating outages" which are "controlled, temporary interruptions of electric service. This type of demand reduction is only used as a last resort to preserve the reliability of the electric system as a whole"
There are currently 2.7M people in Texas without power. Check out the live map here.
At the same time, the food supply chain has not been able to supply large parts of Texas due to hazardous road conditions and power outages. I've had first-hand experience seeing cleaned-out food shelves since Monday, and now we're hearing local reports of grocery store lines that stretch around the block.
Who's going to come to our aid?
We have to come to our own aid.
And that's exactly how people like Echo Colon have been handling it.
Echo organizes Austin Mutual Aid, which is a mutual aid group for the city of Austin that works with other regional mutual aid groups. Mutual aid groups are much like Freedom Cells in the sense that they're volunteer run, locally based, and bring people together.
We had the pleasure of hearing some advice from Echo on how people can organize mutual aid groups in their area and help their neighbors.
"We set up a Facebook page/Instagram/email and we created [2] online survey[s] for people who need things and people who can help. As people fill out the form they’re added to a spreadsheet"
Echo typically uses the Google Forms & Google Sheets combo to do this. I've used Google Sheets in the past myself; it's easy to use and robust.
At this point we should just be aware that our data is not ours when we submit it to cloud services. Interested in finding alternatives, I researched a few online form services and read through their privacy policies. They all tell you up front that they have full rights to any submission of data.
However, don't despair. I have also self-hosted my own form applications in the past, which store the submission data on your own server and aren't sending it off to the cloud.
If you are even a little bit technically proficient, you should look into buying a Virtual Private Server (there are many options in independent providers) and self-hosting your own applications.
You can install entire platforms on your server that allow you to locally install applications from an app store in one-click, like Yunohost and Sandstorm.
If you want to just browse all the software you can self host, here's a whole list of goodies, including document editors, photo storage tools, and of course - surveys.
If you're only interested in managing survey software, then a few solid options are:
JDHost
OhMyForm
LimeSurvey
If you're unable to set this stuff up, then don't despair; try and look for someone technically proficient to help you in your community. Voluntary collaboration under a common goal is the essence of Freedom Cells and Mutual Aid Groups. Find individuals to help you with the cause.
And don't get stuck on the technology: if you are ready to help people, by all means use Google Sheets. Just be aware of where your data could go (mostly big corporations & world governments).
Once you have your surveys up, you can start running the operation.