Wiliest Ways to Keep the NSA at Bay

The death of online privacy had already been proclaimed long before Edward Snowden landed in the international spotlight, but if it wasn’t confirmed back then, Snowden’s NSA revelations surely must have extinguished the last vestiges of hope in even the most die-hard optimists.

“We’re in a predicament,” Phil Zimmermann, Pretty Good Privacy creator and cofounder and president of Silent Circle, told LinuxInsider. “Everything we do on the Internet is being captured in a vast database — it’s a kind of Panopticon.

“We have to do something about this,” added Zimmermann, an Internet Hall of Fame inductee. “We have to push back in policy space as well as use countermeasures like encryption.”

Public policy changes rarely happen quickly, of course. In the meantime, those countermeasures are looking more and more like users’ best bet.

‘They’re Capturing Your Browsing’

“I’d recommend making phone calls with Silent Phone,” Zimmermann suggested, and “for email, PGP, GnuPG or something like it.”

As for other online activities, “there’s a lot of things you do on the Internet that leak information,” he added. “They’re capturing your Web browsing.”

SSL and TLS are both protocols Zimmermann recommended using.

In addition, the Tor Web browser is “a good idea,” he said. “I would recommend using Tor for visiting any website you would prefer to not have recorded.”

‘Deliberate Back Doors and Stupid Bugs’

On the road, if you’re in a place where there may be a lot of interception, Tor or a VPN can help protect privacy, though not all VPNs are equally secure, noted Zimmermann.

“I use open source OpenVPN, but you have to have a server somewhere to connect to, and that’s usually a paid service,” he pointed out.

In general, open source technologies tend to be a better bet, Zimmermann said.

“I’ve always recommended that people not trust any crypto software unless they publish the source code,” he explained, noting that the availability of that code serves as a sort of protection against both “deliberate back doors and stupid bugs.”

‘The Entire Reason Is to Protect Privacy’

Then, too, there’s the Blackphone, which was officially launched at this year’s Mobile World Congress by SGP Technologies, a joint venture between Silent Circle and Geeksphone.

“The entire reason for it to exist is to protect privacy,” Zimmermann said of the US$629 device, which includes Silent Phone, Silent Text, Tor and a VPN among its features.

“We’re putting a lot of effort into making it as good as we can in terms of the OS and apps and configuration, all toward protecting your privacy,” he said.

The Navy SEALs, U.S. Special Operations Command and Canadian Special Operations Regiment are all among the device’s users, Zimmerman said.

“We figured nobody would ever ask us to put a back door in if our own agencies were using it,” he added. “That strategy seems to be working.”

KPN Mobile is the inaugural launch carrier for Blackphone serving European regions including Belgium, the Netherlands and Germany.

“We’re hoping it will shame other European carriers into following their example,” Zimmermann said. “U.S. carriers will have to wake up and smell the coffee.”

‘Friend-2-Friend’

At the same time, “whatever the level of cryptography you’re using, the NSA can probably break into your home network, install keyloggers and grab whatever they want — passwords, private PGP keys, screenshots, etc.,” Cyril Soler, a developer on the RetroShare project, told LinuxInsider.

“This is always easier than breaking the encryption,” he explained. “Their ability to do that is facilitated by the backdoors they probably force American companies to put into their hardware and software.”

RetroShare is an open source, cross-platform, “Friend-2-Friend” and secure decentralized communication platform that lets users securely chat and share files with others using a web of trust to authenticate peers and OpenSSL to encrypt all communication.

“RetroShare builds an F2F network and provides services on top of it — forums, channels, messaging, chat, IRC,” Soler explained.

Though the platform has not yet been audited for security, it does use open source libraries for the crypto portion of its technology, as Zimmermann recommends.

Among RetroShare’s guarantees:

  • “Authenticated/secure communication between friends represented by their PGP key,” Soler noted. “RS also makes use of the PGP signing mechanism to build a web of trust among users.”
  • “Anonymity of file transfers to/from non-friends using a tunneling system,” he added.
  • “Authenticity or anonymity — depending on the user’s choice and type of service — of messages, posts on internal forums and channels, and messages in IRC chat rooms,” he said.

‘Do Not Use Google, Yahoo or Gmail’

The content of communications between two peers is difficult to figure out for an external observer, since “the stream is encrypted and authenticated, making it impossible for a third-party observer to hack SSL certificates in the middle,” Soler explained.

“Our SSL implementation uses perfect forward secrecy to ensure that it is impossible to decrypt a captured communication if the SSL keys get broken in a post process,” he added.

The main limitation of F2F systems in general is that “a spying agency that has the ability to snoop on Internet routers will know the topology of the network and how much data transits between nodes, and therefore can perform traffic correlation to figure out who talks to whom,” Soler noted.

“Things could be improved if building an F2F network over an anonymization proxy such as Tor,” he added. “RetroShare does not allow this yet, but it might in the future.”

Also common to F2F networks is that users must “build” their network by recruiting trusted friends to connect with.

“That takes some effort, and certainly slows down adoption,” Soler pointed out.

In the meantime, he advised, users with sensitive information on their computers should take a number of conservative steps:

  • “Encrypt all your emails” — using Enigmail on Thunderbird, for example;
  • “Do not use Microsoft nor Apple products and systems,” he advised. “This sounds like I hate these systems — I don’t. It’s not their fault”;
  • “Do not buy hardware that is manufactured in or that transits in the U.S.”; and
  • “Do not use Google, Yahoo or Gmail,” he concluded. “If you do, only use a very specific passphrase for these systems/services that you don’t use elsewhere.

“This sounded like paranoid talk before June 2013,” Soler added. “It doesn’t anymore.”

‘You Are the Product’

Online privacy is “in a poor state,” agreed McCall Paxton, a security operations center analyst with Rook Security.

“A great example is the many free tools and apps available,” Paxton told LinuxInsider. “If you are not paying for the product, you are the product. Even free online privacy tools still collect, use and sell your data.”

To mitigate the problem, “one of the first things to do is install plugins to your browser and check the settings,” he suggested.

Disabling third-party cookies is one good idea, he noted. In addition, “the first plugin I recommend is HTTPS Everywhere followed closely by Ghostery.”

‘You Would Be Surprised’

Next, “go to your mobile phone and go through the privacy settings for every app you have,” Paxton said. “You would be surprised what information some apps send out.”

At the same time, however, “people should be aware that despite the steps they personally take, there will likely always be some service or company that they use that will still track, collect and sell your information,” he warned. “Mobile carriers are a good example of this.”

The last thing, and “probably the most important, is educate yourself and others,” Paxton concluded. “You may take all the right steps, but if someone else doesn’t take the same, you will both trip.”

Building the Future

Can current technologies really help users avoid tripping on the toes of the NSA or others?

Well, “conspicuously absent from Snowden’s list was anything I’ve worked on,” Zimmermann noted.

As for where things go from here, “the best way to predict is to create the future,” he said. “Decide what kind of future you want, and work your butt off trying to get there.”

Katherine Noyes is always on duty in her role as Linux Girl, whose cape she has worn since 2007. A mild-mannered journalist by day, she spends her evenings haunting the seedy bars and watering holes of the Linux blogosphere in search of the latest gossip. You can also find her on Twitter and Google+.

4 Comments

  • Now of course, if you are a commercial entity with valuable intellectual property, such as patents, to protect, and the personal and financial information of clients to protect, then you’d damn well better be deeply concerned about privacy and security. But the enemy isn’t the NSA.

    The enemies are organized crime, industrial espionage on the part of competitors, and foreign governments, and lazy or incompetent employees.

    • You’re so right, kibert. What many people don’t realize, or want to face, is that the US has become the country that we were warned about back in the 50s and 60s (i.e., Russia).

      And you’re on the money about the Holocaust also. And it’s the same here now. I hear people say "but this is America! We are free!" But the truth is 1) we’re not as free as people want to believe, and 2) there are other nations who have freedoms like we have. The US is not the only nation with these rights. But when the citizens in the US run scared (e.g., 9/11) they are more than willing to give up the freedoms they think they had in the first place, and more. Now everyone is surprised at what is happening.

      Most people don’t understand that the government they "see", e.g., the president and congressmen and senators, is only a portion of the power that actually runs the nation. It’s those in the NSA, CIA, FBI, etc.– those who are not elected by the people — who continue on with business as usual, even though the elected ones change.

      BTW, your Jefferson quote is dead on. There are many other such quotes by the founders of this country that people don’t want to hear/read.

  • People forget the greatest security of all – the lowest common denominator. In the western world, if you obey the law, use common sense when you bank and purchase online. You probably don’t have anything to worry about. The NSA isn’t going to care if you are a jerk and are having an affair with your wife’s best friend.

    They aren’t going to care if you have a nasty porn habit, as long as you don’t get into anything illegal. They aren’t going to care if you hate Obama’s policies, or think that your governor is a dickhead, as long as you don’t do anything like make threats of bodily harm.

    And as long as you do all the common sense stuff that everyone should when dealing with the internet, such as not clicking on attachments to emails unless you know what they are and are expecting them, and using anti-virus, etc. etc.

    Your chances of being violated or robbed on the internet are much lower than they are of being seriously injured or killed in an automobile accident, or of having your purse snatched on a city street.

    I do care about privacy, to a certain degree. I care about a lot of things, but there are so many greater dangers out there than being snooped on by the NSA. I think we all need to gain a little perspective, and lose the naive notion that the internet is our own private little world. It isn’t.

    It’s a public space where anyone can seen you walking up and down the road, and as long as you aren’t doing anything criminal, no one is really going to care about what you are doing. I’m far more worried about companies like Google recording and analyzing my browsing habits and preying on my weaknesses, than I am about the NSA.

    And thankfully there are some fairly simple things you can do to protect yourself from the Google monster, and other forms of commercial mind control… 🙂

  • I really hate to be the bearer of bad news, Ms Noyes, but it’s over. No matter how badly we wish that it weren’t, and that somehow WE can change things BECAUSE WE LIVE IN A DEMOCRACY…IT’S OVER!

    I’d be willing to bet everything on the fact that the holocaust happened because EVERYONE, everywhere, inside and outside of Germany, said, "This can’t continue. It’ll all get better."

    In my post to you on "…Strong Man Snowden…",

    what, precisely, about

    "Experience hath shewn, that even under the best forms of government those entrusted with power have, in time, and by slow operations, perverted it into tyranny."

    –Thomas Jefferson

    do you not understand?

    Thomas Jefferson’s warning has already come true. HERE!

    It’s over, Ms Noyes.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Katherine Noyes
More in Community

LinuxInsider Channels