As I said, those of us who dwell on the Internet aren’t going to take the NSA and GCHQ’s attack lightly. We have more firepower than they realize and have unleashed one of our best weapons, Bruce Schneier. Mr. Schneier has been working with Mr. Greenwald for the last two weeks and has written a short list of things, based on the information provided by Mr. Snowden, you can do to keep yourself secure online:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
Mr. Schneier does rightly point out that many Internet users aren’t currently capable of doing all of these things. To those of you who don’t know how to use the above mentioned tools, learn. Information on all of the tools Mr. Scheneier mentioned is freely available online. If you’re still having trouble I’m more than happy to help. Shoot me an e-mail at blog [at] christopherburg [dot] com and I’ll give you as much assistance as I can. Together we can push back against the state’s surveillance apparatus and return the Internet to its original form, a network where those wanting to remain anonymous can do so.
This kind of endeavor only works is everybody does it, otherwise is useless. Also inviting laymen to “learn” reveals how much you underestimate the fact that being a programmer gives you all the mental models you need.
Those people who “learn” will only end up compromising their own security under the impression that they are doing something secure.
Actually, it’s worth a great deal even if a handful of people are doing it. Every additional encrypted e-mail and instant message is one more the NSA has to toss resources at in order to see what’s in it. Not everybody has to do these things but the more who do the more difficult it is for the NSA overall.
Everybody begins somewhere. I wasn’t born with the knowledge to program computers, I spend countless hours learning the based knowledge required to learn how to program before I even began learning how to program. It takes time, yes, but it’s material that can be learned. Starting with a defeatist attitude isn’t going to make the journey any easier. People need to realize that computers are nothing more than human made machines and anything one person can make another person (barring mental disabilities) can learn to understand.
Using these tools immediately creates additional problems for the NSA, as mentioned above. Using this tools correctly comes in time. When I first learned about encrypted e-mail I didn’t understand proper key security. That knowledge came in time as I continued to learn more. But, even though I wasn’t as secure as I could have been, I was creating more trouble for snoops because I was sending data that they didn’t know the contents of. Baby steps are better than nothing at all.
> Starting with a defeatist attitude isn’t going to make the journey any easier.
I didn’t want to come across as defeatist. I am myself a big advocate of personal encryption, but what you then said
> I spend countless hours learning the based knowledge required to learn how to program before I even began learning how to program. It takes time, yes, but it’s material that can be learned.
actually makes my point better than I could have done it myself.
The idea of sitting down and explain to my dad what is public key encryption and how to use it and how not to save his encryption key on his dropbox (screwing up everything he thinks he knows about how to backup) is so headache inducing that I would not even start. Not to mention the moment he is going to ask “So how do I communicate with encryption on Facebook ?”
That sounds to me as though you lack patients. The point of teaching is to give somebody the basic knowledge required to set them off in the right direction. From there they can pursue the goal independently and ask you for help when they get stuck or don’t fully understand a concept.
Teaching is headache inducing at times but if you’re unwilling to suffer those headaches who will do the job of educating? I don’t teach people who to use security tools because I enjoy teaching per se, I do it because somebody has to be the guy that says “OK, having unencrypted communications on the Internet was a stupid idea. We need to fix this.” The only way to fix it is to get more people signed on to using encrypted communications and the only way to do that is to teach.
Nothing worth doing is easy.
As much as I agree with everything you said, I refer you to my other comment in the other entry.