Sunday, September 8, 2013

Is It Time to Throw Up Our Hands?

Trey Smith

I bet the US government isn't as upset as they let on in regards to the recent revelations about their massive spying programs. I'm not saying that they are particularly overjoyed about being exposed and I'm not suggesting that they don't have some legitimate concerns, but all in all, the vast majority of the world that uses the internet is now on notice that the leading governmental spy agencies are bound and determined to get their grubby hands on as much of our information as they can and there is not much we can do to stop them. While these continued revelations are politically messy, they do impart a chilling effect on a lot of people.

In conversations around my community, most of the folks I have talked to express a feeling of utter impotence in the face of this onslaught. One fellow said he was ready to throw up his hands. "I will just assume that the government is watching my every move," he lamented.

I, for one, don't think we should give in. While we might not be able to stop all of the unwanted government (and corporate) intrusions, there ARE ways to make such intrusions more difficult on the intruders. Writing in the Guardian, Bruce Schneier offers 5 such tips.
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connectionsand it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
I have two other tips: 1) Switch from Windows to a Linux distro and 2) Use as many open source software programs as possible.

While reports indicate that Microsoft works closely with the NSA, Linux is community-driven. People from all over the world work on it OUT IN THE OPEN. Without a centralized corporate structure, the NSA has no singular person or group they could go to in order to try to bribe or compel them to allow for backdoors or other kinds of embedded vulnerabilities. If the NSA figured out how to introduce one, my guess is that it would be discovered darn quick and eradicated. The very same is true for open source software programs as well.

This is not the time to allow apathy to sweep over us. If people simply throw up their hands and do nothing, the NSA wins by default. It might look like a case of David vs. Goliath, but don't forget, David won in the end! (Yeah, I know. That's a biblical reference. So, sue me!)

No comments:

Post a Comment

Comments are unmoderated, so you can write whatever you want.