Slashdot Mirror


Snowden's Tough Advice For Guarding Privacy

While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice:

He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.

8 of 210 comments

  1. No technical solution for a social problem by iamacat · · Score: 4, Interesting

    Of course government can read my e-mail. All they have to do is waterboard me. Or install enough cameras in public places to capture my unlock pattern. The question is what we allow the government to do, and in a democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if a majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

  2. on phone, passphrase. on iCloud, not really encry by raymorris · · Score: 4, Interesting

    On the device, the data that is encrypted uses a key derived from the password or pin. This is very similar to how you'd encrypt any local file. Anything you can still get to after forgetting your password and resetting it obviously was not encrypted with that forgotten password.

    On their cloud, some things are technically encrypted, but the encryption isn't very effective. Anything you can access via their website or apps, including email and photos, they have access to. Email is a good example: their web site shows you the To, From, and Subject lines of the messages, so obviously their server has access to read the emails.

    In general, encryption of live, working data on a server is _often_ largely security theatre. Sure, if a bad guy physically broke into the datacenter and walked out with the server, the encryption of the disk would make it hard for him to access the data. As long as the server is up and running, any data the server can access can also be accessed by a hacker with a presence on that server. In these cases, the key is for one of the server's disks, so it's generated by Apple and probably sitting on the same server where the data is. With tens of thousands of servers, you don't have human beings walking around typing in passwords, so the key needs to be on the server. If the hacker is in the server ...

    The data is encrypted in transit via ssl/tls. For that time period, it's encrypted via tls/ssl. First Apple's ssl key is used, then a per-connection key is generated.

    Holes, where the data is not encrypted at all, and there is no key, occur at transition points. The web server takes the ssl encrypted data, decrypts it, and hands it off to the storage layer to be "encrypted" on disk. Quotes are on the disk encryption because as discussed above the encryption on disk is largely illusory. Similarly with the transition from your phone to the upload to the server. Your phone decrypts it with your key, encrypts it with the ssl key, and then sends it to the server.

    Those transition points in which the data is unencrypted are vulnerable points which are targeted for attack. I've confirmed at least one case where I've seen the transition point on the server compromised. Fortunately, I _think_ I may be the one who tapped the data and logged it at that point, for debugging and recovery purposes. I forgot to turn off the logging when we went into full production, I think.
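
The password-reset test from the comment above, as an added example that is not part of the original post and is not any vendor's implementation: data sealed under a passphrase-derived key becomes unreadable after a reset, while data sealed under a provider-held key stays readable. PBKDF2, the toy encrypt-then-MAC construction (a stdlib-only stand-in for a real AEAD), and all names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF a real device uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        block_input = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, block_input, hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC built from the stdlib; use a real AEAD in practice.
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (or tampered data)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def readable_after_reset(key_holder: str) -> bool:
    """Seal a record, 'forget' the passphrase, reset it, then try to read."""
    salt, provider_key = os.urandom(16), os.urandom(32)
    record = b"Subject: constructed sample message"
    def key_for(passphrase: str) -> bytes:
        # "user": key comes from the passphrase; otherwise the provider holds it.
        return derive_key(passphrase, salt) if key_holder == "user" else provider_key
    blob = seal(key_for("old passphrase"), record)
    return unseal(key_for("new passphrase"), blob) == record

if __name__ == "__main__":
    for holder in ("user", "provider"):
        print(holder, "key -> readable after reset:", readable_after_reset(holder))
```
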

  3. Re:No Google by Noah+Haders · · Score: 1, Interesting

    Apple isn't any better than Google.

    [citation needed].

    1) All iOS devices are encrypted such that even Apple can't access.
    2) After #Celebgate Apple rolled out 2 factor authentication throughout the OS and services.
    3) iMessages and FaceTime are encrypted end-to-end, so even Apple can't access them when they're on the server.
    4) Apple's business model is not to spy on their users in order to make more money from them.
    5) if you look through all the NSA leaks and all the hacker actions, none of them have been able to penetrate an iOS device that is not jailbroken.

  4. Re:No Google by Famak1994 · · Score: 4, Interesting

    Well, that's why you use throwaway identities: http://www.fakenamegenerator.c... It may not be 100% foolproof, but it certainly makes it harder for others to build an exact profile of you. Most especially use something like LastPass to import 3000 generated identities that you can randomly pick from to auto fill forms.

  5. Re:Don't avoid them by Seumas · · Score: 3, Interesting

    Wait... what?

    Okay, I get how Google makes our lives easier (as far as searching and maps go). I get how CamelCamelCamel telling us where the cheapest thing to buy is and when makes our lives easier. I get how that little thing that helps you find the cheapest local gas station makes our lives easier. I totally get how email does. But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

  6. Re:No Google by Anonymous Coward · · Score: 5, Interesting

    As far as I can determine

    But what's that worth? They're pretty much silent on their internal operations. Who owns them? Who runs them? What does their infrastructure look like? How about their business model?

    I don't trust any of the search providers as far as I can throw them. If you've got to make a search and you're worried, do it over a public network somewhere else with a spoofed MAC and/or over Tor (for starters). Start by locking down your box and then lock down your habits.

  7. Re:No Google by Anonymous Coward · · Score: 1, Interesting

    Actually, I do read source code, you imbecile. I and many others. You think I'm the only one?

    The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so. You're safer in such a scenario than in a scenario where the company is doing who knows what with the software. It's not perfect safety, but it's better.

  8. Re:No Google by Anonymous Coward · · Score: 2, Interesting

    Actually, I do read source code, you imbecile.

    Careful who you're calling "imbecile" there. Reading source code doesn't do a damned bit of good unless every line of code on your machine was built *by you* from the same source you audited, using a known good compiler. Every executable, every driver, every library, every damned line of code that executes on your hardware.