Slashdot Mirror
The Register: 4 Ways the Guardian Could Have Protected Snowden
Frosty Piss writes with this excerpt from The Register: "The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online. And his reporters must fly around the world to hold face-to-face meetings with sources ('Not good for the environment, but increasingly the only way to operate') because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ. 'It would be highly unadvisable for any journalist to regard any electronic means of communication as safe,' he wrote. El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance."
here are the four things, pulled from the article:
1. Encryption: It's not hard
* Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
* Meet the Advanced Encryption Standard
2. Use clean machines
3. How to shift the data securely
4. Using hidden services
Encryption: It's not hard
Yes it is. It fails the mom test badly. More properly it is key management that is too difficult. The actual key generation can be automated mostly. Distribution and use of keys is inherently difficult with no obviously easy solution.
Not difficult at all. It's called an air gap. You buy a laptop specifically for the purpose of decrypting the messages. You set it up without connecting it to the Internet. You generate your private-public key pair on this machine and use a flash drive to manually copy the public key to a different machine so that you can provide it to whoever needs it. When you receive a message, you copy that to a flash drive, then copy it to the other machine, then extract it.
Ideally, the private key should also be stored on a (different) USB key that you carry with you, to reduce the risk of physical theft by (hopefully) ensuring that the key and the encrypted data are never in the same place except when you are decrypting that data. If you are really paranoid, you can split the key into pieces so that multiple key dongles held by separate people must be stolen or confiscated before encryption is compromised.
This is how high-security data handling works everywhere. If intercepting it could mean the end of (the|your) world, you build an air gap, and you ensure that the computers on the inside of that gap are never connected to the public Internet in any way, shape or form. And when you're done with the machine, you destroy its hard drive in accordance with DoD manual 5200.01.
Of course, this ignores TEMPEST/Van Eck phreaking; chances are, you aren't that important, but if you are, you should also take precautions to physically secure your air gap room against any EM emissions from the computer in question.
And as always, Keep Calm and Carry a Towel.
Check out my sci-fi/humor trilogy at PatriotsBooks.
From TFA:
"El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips â" most of them based on the NSA's own guidance".
Since the NSA gets a lot more information from metadata than from the message itself, I imagine they'd be delighted to have journalists encrypting everything important (lazy buggers that they are, they probably wouldn't bother with anything that wasn't).
By jumping through all the hoops in the NSA guidelines, you just sorted yourself into a tiny minority that has something to hide. You can guarantee you'll have spooks from every spy agency in the free world tracking where you go, who you talk to, who THEY talk to and what all of you do all day, where you keep your money, where you spend it, and who makes your morning coffee when the wife's out of town.
And laughing. You just KNOW they'll be laughing.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
2.) Use clean machines
Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.
I call BS on this one. "You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored." No, you don't. It only takes ONE expert to find that Dell, HP, Microsoft, Apple, OSX, Windows, Linux, has all these supposed backdoors to blow the whistle. While we have cases where various cloud / online services have been forced to turn over information, none of what you're claiming has been reported with hardware and OS vendors.
You're missing one important thing in your paranoia. Existing networks still have to be utilized to transfer this data. If every home PC had such a backdoor, then they still would have to use the internet connection to transmit that data. And yes, there are experts that do watch for this kind of thing, and keep an eye on what their machines are connecting to and why. Unless you're also positing the conspiracy theory that every machine has some totally secret wireless communication built in that talks to some government ghost network that no one has discovered either.
Yes, the NSA is reaching way too far, but even so you've got your tin foil hat way too tight.
Better known as 318230.
You are assuming that when you tell your computer to turn off the WiFi, the WiFi stays off. Now if cell phones that are "off" can record the conversations of mobsters without them knowing it, what makes you trust your computer all of a sudden? It would have to be an "air gap" somewhere in the countryside away from any wifi signal...
Seven puppies were harmed during the making of this post.
TFA (& everyone else it seems) misses a key option: release anonymously using US First Amendment protection.
The US has **the most journalistic freedom in the world**
Accept it...in fact, the Guardian is working with NY Times to release future Snowden info *precisely* because the US has the 1st Amendment. From The Guardian's editor:
Not only that, in the US, journalists may use **anonymous sources**...they risk their reputation and job, and it has to be cleared by their editors, but it is done routinely (ex: Deep Throat).
If journalists release secret info, they can be subpoenaed to reveal their source. IF THEY REFUSE...the journalist can be jailed ONLY a short period of time, never more than 6-9 months as a 'coercive tactic'...but the gov't HAS TO LET THEM GO if they still don't talk!!!
This process is something every college journalism major learns.
Glenn Greenwald is using Snowden to further his career...the way he's shopping Snowden interviews around proves it.
The Guardian could have done this **completely differently** and Snowden would still have his job, and Greenwald would have a book deal and a ton of street cred...
Thank you Dave Raggett
The NSA is a deeply schizophrenic organization. On one side you have people seeking to defend and secure Americans' computer systems and networks against crackers, foreign spies, and the like. They'll propose BS like key escrow, but they're actually fairly honest: they know if there is a backdoor they can use, their adversaries can use it too.
On the other hand you have people seeking to break into computer systems and networks, including those of Americans. They oughta be first against the wall when the revolution comes.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood