Slashdot Mirror
Keeping Your Data Private From the NSA (And Everyone Else)
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world also can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"
It stinks, but I can see if anyone's been intruding. So far it is totally secure.
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Only way you can keep your data yours while sitting at rest is to have it on your own servers and utilize proper encryption and security on those servers. That means don't use "cloud" anything unless it's on equipment you own, run your own email servers, etc. Remember that even doing this, emails that you send to other people can be accessed through whatever servers they use.
+++ATH0 NO CARRIER
I don't want "it all". I just want our government to respect our rights and our Constitution. Is that too much to ask?
1. Use an email provider nobody's heard about.
2. Keep social network data private, more importantly don't post anything sensitive.
3. Don't engage in terrorism, they really hate that.
4. Somewhere between "get off Windows" and use a live disk, I don't think any OS is truly secure.
5. Don't save anything locally, keep your accounts hidden, no email notifications.
Wave at the black SUV outside your window as not having any traceable data may warrant suspicion in itself.
Move to SA (either one).
Those who worry are usually those who have something to hide or something criminal in the works.
You won't mind me wiretapping your phones, installing caneras in your home and adding keyloggers to your computers? You're not a criminal with anything to hide, right?
That's silly. Privacy is a constitutional right -- so important that it's part of the original Bill of Rights (first 10 amendments). To state that the desire to MAINTAIN your right to privacy means you have ill intent to "do wrong" (whatever the hell THAT means) is saying that nobody has any rights whatsoever -- since whatever is "granted" is as easily revocable and ostensibly temporary.
Furthermore, what constitutes "wrong"? Who's the judge? It's a moral characterization to actions of an inalienable right afforded by our founding fathers. Your statements simply don't make sense.
Just game the system. I've started typing random shit in gmail before I do anything ... let 'em see lots of false positives.
You know, I'm glad nobody KILLED OBAMA. Durka durka, mohammed jihad. Monsanto sucks. Bush was a simpleton. Death to American cheese.
Gotta go, someone's at the door ...
I DO want it all. I want it all. I want it all. I want it all. And I want it NOW!
Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
As with all things, assume that your communications are going to be monitored, whether electronic or not. I know, I know, it's not the answer you want; but the truth is...we put innocent people to death. If we are willing to do that, and not tear down our societies in an act of grief over the loss of a single innocent life, looking deeply within and without as to how or why we allowed this to happen, and how we can prevent it from ever happening again, then caring about protecting your privacy from the monsters waiting outside your door is the wrong approach. You're fighting Evil himself, and he aims to win by any means; if putting a gun to the head of one your children's heads to get you to decrypt your hard drive is what it takes, then he will do it, no hesitation.
I am John Hurt.
Actually, privacy isn't mentioned in the Bill of Rights at all. It has been inferred though not explicitly mentioned.
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." Cardinal Richelieu.
See, when your government spies on everything you do, sooner or later someone will come along and decide that since they already have this information, they can use it for other things.
If you don't grasp this, I suggest you read more about Joseph McCarthy -- America is entirely capable of political persecution as any other government.
Bottom line, with your attitude, you deserve to be dragged off in the night, because you're part of the problem with the complacency and people not seeing what's really wrong here. That's kinda how I see it.
Since you're not part of the solution, you are the problem.
Twenty years ago, the US would make jokes about "papers please" and the Soviets. Now, that's just normal routine.
Lost at C:>. Found at C.
Live in a cabin in the mountains that is over 100 miles from the nearest cell phone tower. Also ensure that you have top cover so satellite surveillance cannot see your house. Add enough insulating material (dirt would be easiest) above your cabin so that there is little/no thermal footprint. And never leave your new found cabin, since cars and feet all leave tracks.
sudo make me a sandwich
ok, but shipping takes a few days...
People in cars cause accidents....accidents in cars cause people
Your an idiot.
/facepalm
The USPS, however, still takes a picture of both sides of every envelope (and obviously time, date, location) and stores it.
We don't have a state-run media we have a media-run state.
The old 'if you are innocent you have nothing to fear' argument. I thought that one went out of fashion when the German Jews realized that being innocent is no defense again tyrants.
The solution is encrypt everything (OpenPGP for emails, etc.), plus decentralization. If everyone either hosted their own email, or used a minor hosting company, then it would be much more difficult for the NSA to round up all those emails. Then, if even half the population used OpenPGP for emails, we could hide in the mass, and the NSA etc. will have no hope of reading all those emails.
As soon as you have just a few spots (e.g. FarceBook, Google-, Murdoch'sSpace) that host the significant majority of a certain type of communication, then you have a huge weak spot. Solution is decentralization and federation.
Use tools like Diaspora, StatusNet, Jabber, SIP, and email. Don't use tools like Skype, Yahoo Messenger, AIM, Facebook, etc.
See also: http://autonomo.us/ and particularly Reducing vulnerability to massive spying with free network services?
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
This is the kind of crap that was held up as examples of why communist countries were so much worse than the US.
People, the government is supposed to work for you, not the other way around.
If I were God, wouldn't I protect my churches from acts of me?
The problem with heavily encrypted solutions is that they rely on human perfection. There was a story a few months back about Sabu. He eluded the FBI for months until, in a hotel room, he made the mistake of logging into IRC without using Tor first.
That was all it took. One non-Tor login, and the FBI had him.
Human beings are not designed for constant watchfulness. We make mistakes. We screw up. Even if *you* stay perfect, the person or persons you're communicating with may not, and if the FBI or NSA wants the details of what you're talking about, they can "break" the encryption at either end of the conversation. Maybe they can't find you -- but if they find the people you're talking to, they can still grab the info.
I'm not saying that all security is useless, or that there's no benefit to raising the bar. My point is that the solution to this is to *stop spying.* Because, in the long run, almost everyone screws up.
No. SSL/TLS only encrypts data in transit. Once it reaches it's destination, i.e. Google, it is decrypted so it can be processed.
Ascalante: Your bride is over 3,000 years old.
Kull: She told me she was 19!
Is not their problem if you feel that you don't have anything to hide. You could be committing 3 felonies a day without being aware of it. Anything that you did in your past could be used against you, even if not a matter of national security, or against some friend to frame you if they think you did something wrong. And could be in your side to prove that you are innocent, something that could be costly if even possible.
And not forget that the **AA are in bed with them, the wrong you did could be having a background music in the video you took in a birthday party or that silly theme that you were singing with your friends when drunk.
Don't think just in the present, and your precarious today's safety, Things will change. And for worse.
So, in an effort to hide from NSA you go all out HTTPS. However, to avoid getting those pesky "this site is dangerous!!!" messages browsers show you on self-signed certificates, you buy your keys from any of the larger certificate authorities. Safe? Sorry, no. Almost all those CAs work under American jurisdiction, or on delegation from American CAs. Assuming NSA doesn't get the keys in other ways, all they have to do to get them is to ask the CA and the company would have to hand them over.
With those private keys available they can listen in on the HTTPS conversations in real time, and there is no way for the participants of the conversation to know this.
Amusingly enough, the safest bid (well, to hide from NSA at least) would be to use self-signed keys despite all the browser warnings.
If you still want to get valid keys, here is an interesting discussion on which CA to choose.
Security concerns are not about common people, or even criminals being tracked. It's aboud political opposition being tracked.
Snowden said he could listen in on conversations of anyone he wanted, including powerful people, and proceeded to do so as a test. No one came to get him for doing so without a warrant.
Among hundreds, maybe thousands of agents, it's trivial to insert an operative to listen to opposition.
He says he has data ready to release in case he's arrested. I hope it includes embarrasing conversations of said powerful people. Maybe then these jackasses will wake up.
All people want is a system design that tracks and records everything the government does, as it tracks and records everyhing we do, from Twitterers to opposition discussing political planning.
That currently does not exist.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I'll presume that you're a troll but you drag out the age old "If you've got nothing to hide... argument"
Here are a couple of issues with this argument.
1. Retroactive violation of new laws:
Let's imagine that you're a smoker and that you smoke in your house. The government could pass a law saying "Smoking is not allowed inside any building. Anyone caught must pay a $500 fine." They can now either go back and look at their surveillance data and retroactively charge you for smoking in your house in the past or they can put you on a list of people to watch and then catch you smoking in your house.
2. If this is your stance that you have nothing to hide.... I presume that you don't have shades. Why don't you post your credit card statement on your front door for your neighbors to inspect "Hey, you've got nothing to hide". In fact let's make your browsing history completely public. How about your health records?
You may nothing to hide but I suspect you're also not eager to share your personal details with the world.
Yes Francis, the world has gone crazy.
I only use one time pads when tweeting.
...puts a crimp in the number of followers though.
While in theory I agree. Then again what the government is doing is criminal. Did you not see the /. post yesterday about relational metadata and how it can be used. It was a very interesting read, and I actually did RTFA. It showed how innocuous data mining like this could be used to identify people, in this case the data was used to show how seemingly innocent data could point to potential threats in this case it was Paul Revere.
I can fully see how this can be used to stop terrorist attacks, but so far we have finger pointing from every corner that says our intelligence community has had prior knowledge of several potential attacks and neglected to follow through. It is far more likely this will be used against law abiding citizens. What if I am a law abiding citizen but I begin speaking out against the injustices the administration is committing in the name of fighting terror and they use my data to pin point and come after me. I've committed no crime other than I could be labeled a terrorist for speaking up for my rights.
The way I see it it's just another way the government can abuse or circumvent checks and balances that were put in place to protect our rights.
Do you honestly want your government to know every minute detail of your life?
I am Bennett Haselton! I am Bennett Haselton!
So let me get this straight. You've got a military that spends trillions of dollars. You've got eight national defence organizations screwing with your own citizens. And a) you think that you can dodge an organization that has spent that many dollars purely to find you, and b) you think that you don't have a cultural problem?
Where do you think all of those funds come from? For every tax dollar that you spend, how much goes to military, para-military, and anti-crime organizations? How much of it winds up in actual crime? Are you spending more on anti-crime than you would on crime in the first place?
Maybe you should solve the actual problem. Maybe you should start electing officials who spend your money on things that you like, instead of things that you dislike. I can't vote for you.
And correct me if I'm wrong -- you see, my country earned its independence by asking nicely -- doesn't your country believe in violently fighting your own government to break free of restrictions to your freedoms? Have you forgotten how to do that? Your right to fight would seem to be the only freedom for which you do fight, and then you don't use that right to protect your other freedoms.
One of these days, you'll wake up to realize that you've kept the right, but eliminated the opportunity. What good is the right to bear arms when you can't get away with using it?
Everybody does something criminal. On the average of three felonies a day.
http://kottke.org/13/06/you-commit-three-felonies-a-day
Want some bread with your water?
There are two types of people in the world: Those who crave closure
Wrong, wrong, wrong! And wrong!
It's a common fallacy spouted by those who foist surveillance on us. See here, here, or any other of the many hits when you search for privacy "nothing to hide"
It goes right along with the "privacy and security are mutually exclusive" fallacy.
People like you that are trading your long-term liberty and privacy for a current sense of security are going to rue this day eventually. These essential freedoms need constant vigilance. Many of our forefathers died defending them. They're rolling in their graves now seeing how so many are nonchalantly pissing them away.
Here's your homework. Go read the Constitution of the United States of America. No, really. Read it line by line and understand why some say it's the most important and influential document created in the last 1000 years.
And don't say it can't happen here. It just did.
We don't have a state-run media we have a media-run state.
The problem is that your right maybe someone else's breach of freedom. That's always the issue.
E.g. You eat peanuts, the guy beside you is allergic. He has to leave the event because he can't be within 20 metres of peanuts...
Collection of information can protect citizens from crooks but also impede on said individuals privacy. Which one is more important? Is there a balance?
None of those things will help you. To the NSA, the content of your email may be less important than with whom you are communicating. Yes, the care about the content of some emails, but their dragnet appears to be for network analysis -- sender, recipients, date, time, etc. The NSA almost certainly catalogs every DNS lookup you do. This is the stuff that is erroneously being referred to as metadata.
One possibly surprising way to keep your communications private is to read/post your communications to a very public forum. That way the intended recipient is difficult to determine. Keep the communication slightly covert -- a little steganography goes a long way if you can fly under the radar. Just don't trust others with your privacy.
Our rights are inalienable -- but only if we use them.
the growth in cynicism and rebellion has not been without cause
This presupposes that privacy is a right, rather than a privilege.
This is part of the reasons we have so many problems with government. At the time the US government was formed the premise was:
The people have all the rights; the government has no rights at all, except those granted by the people through the constitution.
For most people today the belief similar, except they swap people and government.
//TODO: Think of witty sig statement
Certificate-based encryption (like HTTPS) is only as secure as the certificates that sign sub-certs. If you accept certificates signed by a trusted CA, and that CA is compromised (i.e. controlled or accessible by the NSA, which all of them are), then you have no privacy, and all of your communications can be monitored without your knowledge or consent.
Here's a good writeup on how it works:
http://theorylunch.wordpress.com/2013/01/24/ca-mitm/
How would you interpret this:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
What part of that do you feel authorizes the government to collect detailed information about our private lives? Or do you think email is not "papers" because it's stored electronically and that if our founding fathers meant for email to be included, they would have had the foresight to include electronic document storage?
You could...
Host your own mail server. Of course, you'd probably have to upgrade your internet service to a tier where incoming mail ports aren't blocked. You'd also need to have SSL/TLS support, ensure everyone whom you email hosts their mail on your server and that you can personally trust them. Not exactly practical.
Instead of Skype, use a decentralized chat system like RetroShare. Takes some doing to trade PGP keys with friends, but works.
Use an encrypted proxy for all of your surfing. Practical and quite easy.
Use encrypted SIP for VoIP communications. No idea how easy or difficult this is, haven't researched it.
Throw away your landline and cell phone. Goodbye 911 service.
The point is that the middlemen have proven themselves unworthy of our trust and we should seek to avoid them. The larger and more daunting point is that this breakdown of trust could ultimately lead to a society's collapse.
Nope. You don't see it at all. Because illegal is not a synonym for wrong .
Over 2000 years ago, Sun Tzu pointed out that when the laws imposed by the rulers are aligned with the customs and ethics of the people, societies are prosperous and resistant to crime, war and rebellion. When the rulers lose the way, as the corporate overlords of the USA have, the people become unhappy and the society becomes progressively more fragile over time. Eventually a neighbor invades or a province revolts and the rulers are replaced, because nobody's willing to die to protect them anymore.
Tell me if this isn't a more exact definition of privacy than simply stating: "People have a right to privacy."
If you're scared of your govt then you need to further restrict its powers
Vote 3rd Party in 2016 and beyond
That's why DHS was monitoring the anti-war protestors in Boston instead of looking for terrorists with bombs, right?
Because TERRORISM!
Face it, the jokers in power aren't Republican or Democrat. They're authoritarians.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
The 4th's ban ban on general warrants (that's what it means when it mentions "warrants" in its historical context) strongly implies a privacy right. General warrants were authorization from the crown for its agents to search any person or premises they desired to, blanket authorization. The 4th amendment bans that. The government has to have specific cause, evidence already at hand related to a specific person or premise, to search at all.
That the government in general has no right to search means by very strong implication that you have the right to the privacy which results. What else is it but your privacy that the 4th amendment says the government can't intrude on? It's nonsense not to find a right to privacy as a necessary implication of our constitutional protection from general warrants.
"with their freedom lost all virtue lose" - Milton
Or anyone targeted by McCarthy's hearings.
I've been meaning for a while to write a guide for friends/family about this. I thing that first you really have to have an understanding of why this is happening, what the goals (hidden and obvious) are for those engaging in the spying, and determine where you stand on the subject before you can't make any sort of plan for implementing the level of privacy you desire. From there the entire discussion is about capabilities and methods. I will forgo the first points in the hope that the hacker mentality still thrives at least somewhat on /.
First, there was metadata,
Metadata combined with modern algorithms and big data can give it's owner just about everything on you. Here is what I consider metadata
(this assumes every point compromised except local, imagine NSL's etc)
IP - Your ISP will always know this. Circumvention includes tor, i2p, other anonymizing technologies. VPN does not secure your metadata. Wardriving. Rooted boxes.
MAC - Much less of an issue, can be spoofed easily. Usually not know outside of edge network devices or ISP.
Time - Heavily used but not well understood. Correlation of login times to compromised activity elsewhere holds up pretty good in court. The longer they've been watching you, the more dangerous to security this is.
Other machine identifiers (agent strings, cookies, DNS, etc) - mostly a software (and knowledge) issue. Have to be able to prevent DNS leakage, spoof agent strings, keep machine clean of cookies (including harder to find/remove cookie types like flash) If you are on windows... this is your most likely failure point.
Then, there was low hanging fruit.
Low hanging fruit: cloud services (webmail providers, social networking, cloud apps, cloud storage/computing, voip/txt chat protocols, etc) If you use these services you must expect them to be compromised and not private. You can choose to not use these services, or compartmentalize use of them (which is my preferred method). Data poisoning becomes more relevant here. Now, you can attempt to be anonymous while using them (say tails(tor) for facebook), but the data is still compromised. But if they can't tie my identity to X, why does it matter. Two reasons: one, because if you are using a service like that, all it takes is one slip up to tie everything to you, and two, because there are other ways beyond even time-data correlation to do so (writing analysis for example)
So, assuming you have figured out how to be relatively anonymous and encrypt your data (ssh, tcplay, dm-crypt, gpg) You self host as many services as possible, and directly connect to people/sites you "trust". You have in intelligence terms "gone dark" or "dropped off". I'm going to ignore the issue of DPI for the moment.
This is where the majority of people who care about privacy want to be. They want to be just enough of a hard target that it's not easy to grab up their info. This is what the 90's cryptowars were about. The ability to go dark.
The problem with this state is twofold: First, your data can still be retroactively inspected. So that AES-256 you think is nice and secure is finally cracked by the NSA (if it isn't already). Then they run it on gobbled up data from the past, and suddenly your encryption is worth jack. (save discussion of storage feasibility for another time, some of the math has already been done over on Schneiers blog)
Second, once you become a target for other reasons, they will resort to other methods. First with off-site but close compromise. Usually ISP. Then escalated to remote compromise (trojans, keyloggers, etc through 0-days or backdoors) If for some reason you are still safe at this point, commence black bag operation. While you are at work, they break into your house and plant a physical keylogger, audio bug, copy HDD, install trojan (MBR not encrypted? evil maid!) or any other number of growing possibilities. This boils down to your physical security. Think your ADT alarm system works? Think again (well, this depends on who you pissed off, normal
"It's ok, I'm completely secure as long as my iron is off"
Most people aren't concerned about the NSA looking at them right now. They're concerned about how this data may be used in the future should they suddenly find themselves with an administration which has a problem with their views on issue X and now has the means to identify all the people who have those particular views on issue X.
This kind of argument re: "the person watching will be bored/frustrated" may have worked circa 1948, but nowadays computers can do the work. When there's something useful then the computer signals it. No muss, no fuss. I'm always stunned by how many people refuse to get into the 21st century with their thinking on this issue.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes