Slashdot Mirror
Keeping Your Data Private From the NSA (And Everyone Else)
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world also can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"
Only way you can keep your data yours while sitting at rest is to have it on your own servers and utilize proper encryption and security on those servers. That means don't use "cloud" anything unless it's on equipment you own, run your own email servers, etc. Remember that even doing this, emails that you send to other people can be accessed through whatever servers they use.
+++ATH0 NO CARRIER
1. Use an email provider nobody's heard about.
2. Keep social network data private, more importantly don't post anything sensitive.
3. Don't engage in terrorism, they really hate that.
4. Somewhere between "get off Windows" and use a live disk, I don't think any OS is truly secure.
5. Don't save anything locally, keep your accounts hidden, no email notifications.
Wave at the black SUV outside your window as not having any traceable data may warrant suspicion in itself.
Move to SA (either one).
Actually, privacy isn't mentioned in the Bill of Rights at all. It has been inferred though not explicitly mentioned.
Or you're a tea party supporter trying to start a nonprofit.
If I have been able to see further than others, it is because I bought a pair of binoculars.
The solution is encrypt everything (OpenPGP for emails, etc.), plus decentralization. If everyone either hosted their own email, or used a minor hosting company, then it would be much more difficult for the NSA to round up all those emails. Then, if even half the population used OpenPGP for emails, we could hide in the mass, and the NSA etc. will have no hope of reading all those emails.
As soon as you have just a few spots (e.g. FarceBook, Google-, Murdoch'sSpace) that host the significant majority of a certain type of communication, then you have a huge weak spot. Solution is decentralization and federation.
Use tools like Diaspora, StatusNet, Jabber, SIP, and email. Don't use tools like Skype, Yahoo Messenger, AIM, Facebook, etc.
See also: http://autonomo.us/ and particularly Reducing vulnerability to massive spying with free network services?
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Hint: It's the part that indicates the list isn't all inclusive and that reserves all rights not enumerated therein to the people. Or is that too far in for you to read?
No. SSL/TLS only encrypts data in transit. Once it reaches it's destination, i.e. Google, it is decrypted so it can be processed.
Ascalante: Your bride is over 3,000 years old.
Kull: She told me she was 19!
Is not their problem if you feel that you don't have anything to hide. You could be committing 3 felonies a day without being aware of it. Anything that you did in your past could be used against you, even if not a matter of national security, or against some friend to frame you if they think you did something wrong. And could be in your side to prove that you are innocent, something that could be costly if even possible.
And not forget that the **AA are in bed with them, the wrong you did could be having a background music in the video you took in a birthday party or that silly theme that you were singing with your friends when drunk.
Don't think just in the present, and your precarious today's safety, Things will change. And for worse.
According to wikipedia, in 2001 a total of 3547 people died in terrorist attacks. Worst year on record.
According to wikipedia, in 2001 in the US 42,196 people died in traffic accidents.
According to Wikipedia in 2001 (A crappy graph) approximately 8000 people were killed with handguns in the US.
Someone tell me why the threat of terrorism gets so much attention.
If I were God, wouldn't I protect my churches from acts of me?
You could...
Host your own mail server. Of course, you'd probably have to upgrade your internet service to a tier where incoming mail ports aren't blocked. You'd also need to have SSL/TLS support, ensure everyone whom you email hosts their mail on your server and that you can personally trust them. Not exactly practical.
Instead of Skype, use a decentralized chat system like RetroShare. Takes some doing to trade PGP keys with friends, but works.
Use an encrypted proxy for all of your surfing. Practical and quite easy.
Use encrypted SIP for VoIP communications. No idea how easy or difficult this is, haven't researched it.
Throw away your landline and cell phone. Goodbye 911 service.
The point is that the middlemen have proven themselves unworthy of our trust and we should seek to avoid them. The larger and more daunting point is that this breakdown of trust could ultimately lead to a society's collapse.
This presumes that reading the worlds gmails and facebook posts will actually stop terrorism, just as you presume that somebody who has a mythical allergy to being within a 20 meters radius of peanuts would venture beyond the assured safety of his home.
You don't understand how PKI / X.509 works.
The CA signs the public key. The private key is not shared with the CA, the CA is not able to decrypt messages. The NSA, potentially having access to the CA's private keys, cannot simply decrypt your messages.
The NSA could very likely have their own "approved" signing key or copies of legitimate signing keys for which they could launch a man-in-the-middle attack and present their own privately generated version of a certificate and proxy requests to the original site as requested by the end-user. This is also something difficult to keep transparent for long.
That said, I'd be surprised if the NSA didn't have copies of the private keys of the larger web services. Sites such as Google and Facebook are too large of targets and getting copies of their private keys should be relatively trivial (compromise the servers and steal the private keys).
The 4th's ban ban on general warrants (that's what it means when it mentions "warrants" in its historical context) strongly implies a privacy right. General warrants were authorization from the crown for its agents to search any person or premises they desired to, blanket authorization. The 4th amendment bans that. The government has to have specific cause, evidence already at hand related to a specific person or premise, to search at all.
That the government in general has no right to search means by very strong implication that you have the right to the privacy which results. What else is it but your privacy that the 4th amendment says the government can't intrude on? It's nonsense not to find a right to privacy as a necessary implication of our constitutional protection from general warrants.
"with their freedom lost all virtue lose" - Milton
Or anyone targeted by McCarthy's hearings.
I've been meaning for a while to write a guide for friends/family about this. I thing that first you really have to have an understanding of why this is happening, what the goals (hidden and obvious) are for those engaging in the spying, and determine where you stand on the subject before you can't make any sort of plan for implementing the level of privacy you desire. From there the entire discussion is about capabilities and methods. I will forgo the first points in the hope that the hacker mentality still thrives at least somewhat on /.
First, there was metadata,
Metadata combined with modern algorithms and big data can give it's owner just about everything on you. Here is what I consider metadata
(this assumes every point compromised except local, imagine NSL's etc)
IP - Your ISP will always know this. Circumvention includes tor, i2p, other anonymizing technologies. VPN does not secure your metadata. Wardriving. Rooted boxes.
MAC - Much less of an issue, can be spoofed easily. Usually not know outside of edge network devices or ISP.
Time - Heavily used but not well understood. Correlation of login times to compromised activity elsewhere holds up pretty good in court. The longer they've been watching you, the more dangerous to security this is.
Other machine identifiers (agent strings, cookies, DNS, etc) - mostly a software (and knowledge) issue. Have to be able to prevent DNS leakage, spoof agent strings, keep machine clean of cookies (including harder to find/remove cookie types like flash) If you are on windows... this is your most likely failure point.
Then, there was low hanging fruit.
Low hanging fruit: cloud services (webmail providers, social networking, cloud apps, cloud storage/computing, voip/txt chat protocols, etc) If you use these services you must expect them to be compromised and not private. You can choose to not use these services, or compartmentalize use of them (which is my preferred method). Data poisoning becomes more relevant here. Now, you can attempt to be anonymous while using them (say tails(tor) for facebook), but the data is still compromised. But if they can't tie my identity to X, why does it matter. Two reasons: one, because if you are using a service like that, all it takes is one slip up to tie everything to you, and two, because there are other ways beyond even time-data correlation to do so (writing analysis for example)
So, assuming you have figured out how to be relatively anonymous and encrypt your data (ssh, tcplay, dm-crypt, gpg) You self host as many services as possible, and directly connect to people/sites you "trust". You have in intelligence terms "gone dark" or "dropped off". I'm going to ignore the issue of DPI for the moment.
This is where the majority of people who care about privacy want to be. They want to be just enough of a hard target that it's not easy to grab up their info. This is what the 90's cryptowars were about. The ability to go dark.
The problem with this state is twofold: First, your data can still be retroactively inspected. So that AES-256 you think is nice and secure is finally cracked by the NSA (if it isn't already). Then they run it on gobbled up data from the past, and suddenly your encryption is worth jack. (save discussion of storage feasibility for another time, some of the math has already been done over on Schneiers blog)
Second, once you become a target for other reasons, they will resort to other methods. First with off-site but close compromise. Usually ISP. Then escalated to remote compromise (trojans, keyloggers, etc through 0-days or backdoors) If for some reason you are still safe at this point, commence black bag operation. While you are at work, they break into your house and plant a physical keylogger, audio bug, copy HDD, install trojan (MBR not encrypted? evil maid!) or any other number of growing possibilities. This boils down to your physical security. Think your ADT alarm system works? Think again (well, this depends on who you pissed off, normal
"It's ok, I'm completely secure as long as my iron is off"
Most people aren't concerned about the NSA looking at them right now. They're concerned about how this data may be used in the future should they suddenly find themselves with an administration which has a problem with their views on issue X and now has the means to identify all the people who have those particular views on issue X.