
How to remain secure against NSA surveillance - ISL
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
======
tptacek
_1) Hide in the network. Implement hidden services. Use Tor to anonymize
yourself._

SKETCHY ADVICE. Tor might make targeted attacks on you personally take more
work, but because Tor attempts to provide anonymity and not confidentiality or
integrity, it may make you _more_ susceptible to dragnet surveillance.

_2) Encrypt your communications. Use TLS. Use IPsec._

Great advice. But prefer TLS to IPsec, which is largely the provenance of
commercial systems and the product of much more vendor-centric
standardization.

_3) Assume that while your computer can be compromised, it would take work
and risk on the part of the NSA – so it probably isn't._

Sure, I guess.

_4) Be suspicious of commercial encryption software, especially from large
vendors._

Absolutely, great advice.

_5) Try to use public-domain encryption that has to be compatible with other
implementations._

This starts out great. This sentence is great. It continues:

_Prefer symmetric cryptography over public-key cryptography._

Dead on, absolutely. Number-theoretic public-key crypto is terrifying. But
then:

_Prefer conventional discrete-log-based systems over elliptic-curve systems;
the latter have constants that the NSA influences when they can._

ARGH NO ARGH. First, conventional DLP systems also have suspect parameters.
Second, the best ECC systems have parameters of well-known provenance. Third,
ECC systems are _known_ to be stronger than DLP systems. In fact, the most
likely source of any claim about an NSA cryptographic breakthrough is that NSA
has a viable attack on RSA-1024 (an IFP system, but six of one).

If you were going to change one thing about the way you decrypted in the wake
of today's "new information", make it be that you abandon RSA.

~~~
bad_user
RSA-1024 was assumed already to be breakable, but RSA-2048 and RSA-4096 will
likely stay unbreakable for a long time.

It's really as many suspect - they are prepared for targeting the crypto
implementations, through exploits or backdoors and if they can't they can
target your computer.

Also, open-source is of course safer and some of us have been repeating for
years that you can't trust binary blobs, security being just one reason out of
many.

~~~
cube13
>Also, open-source is of course safer and some of us have been repeating for
years that you can't trust binary blobs, security being just one reason out of
many.

Only if you're auditing the code and building it yourself, or have a trusted
place where that's done. I would wager that the vast majority of users are
just using the binary blob provided by someone. Otherwise, the "code" you're
using could be as compromised as any closed source program.

~~~
bad_user
Again with the vast majority of users fallacy? Bring up a story of grandma for
a full picture too.

Binary blobs can be checked easily if they originated from the source code
published. Major Linux distributions, like Debian, have people all over the
world auditing the repository. If a backdoor is planted, with the repository
being public, most projects have a full history of who added what and when.
Code reviews happen too.

~~~
derefr
You're right in that this mostly foils the NSA in its role as a global passive
attacker. However, having a FOSS OS doesn't foil _active, targeted attacks_ at
all: the version of a package in the repo could be perfectly safe, while the
version distributed to _just your computer_ could be backdoored. (The NSA,
after all, can FISA-order someone to give up their package signing key just as
well as they can grab a decryption key, and then MITM just your connection to
deliver an "automatic security update" that nobody else got.)

~~~
nitrogen
_...while the version distributed to_ just your computer _could be
backdoored._

They would have to get the base distribution signing key, which is probably a
shared secret that requires multiple people to unlock.

Have there been any hints of NSLs or FISC orders requiring the disclosure of
private Linux distribution keys, some of which may not even be held in the US?

~~~
derefr
The funny thing is, you don't actually need to replace a package that's part
of the base distribution. Every package format we have (RPM, DEB, etc.) runs
its install- and upgrade-scripts as root, so every package can potentially do
anything on install, including patching the installed files of other packages
(or cleverer things, like adding SSL trust roots.)

So, since they don't specifically need to patch your openssl package to
compromise your openssl library, they could just as well suborn the signing
key of (presuming Ubuntu) some PPA author, as long as the user they're trying
to bug has that PPA in their sources.list.

~~~
gtirloni
Solaris introduced some concepts in its IPS packaging to avoid packages
changing the system. IMHO, it is very good but adds some pain to developers
and sysadmins alike.

[http://www.oracle.com/technetwork/server-storage/solaris11/t...](http://www.oracle.com/technetwork/server-storage/solaris11/technologies/ips-323421.html)

That coupled with system wide snapshots is a great tool to audit a system
after a patch is applied.

------
SimHacker
"Basically, the NSA asks companies to subtly change their products in
undetectable ways: making the random number generator less random, leaking the
key somehow, adding a common exponent to a public-key exchange protocol, and
so on. If the back door is discovered, it's explained away as a mistake. And
as we now know, the NSA has enjoyed enormous success from this program."
-Bruce Schneier

So when Rasmus Lerdorf checked in a change to PHP that broke crypt(), and then
made a release without bothering to run the tests (he claimed that "This is
mostly because we have too many test failures which is primarily caused by us
adding tests for bug reports before actually fixing the bug."), was that
actually because he was working for the NSA to install a giant backdoor in
PHP, and not just completely incompetent and totally negligent?
[https://plus.google.com/113641248237520845183/posts/g68d9RvR...](https://plus.google.com/113641248237520845183/posts/g68d9RvRA1i)

"We have things like protected properties. We have abstract methods. We have
all this stuff that your computer science teacher told you you should be
using. I don't care about this crap at all." -Rasmus Lerdorf

"I'm not a real programmer. I throw together things until it works then I move
on. The real programmers will say "Yeah it works but you're leaking memory
everywhere. Perhaps we should fix that." I’ll just restart Apache every 10
requests." -Rasmus Lerdorf

~~~
Spooky23
It sounds like Mr. Lerdorf isn't really qualified to do what he was doing. Not
a good example of an NSA plot.

~~~
SimHacker
"For all the folks getting excited about my quotes. Here is another - Yes, I
am a terrible coder, but I am probably still better than you :)" -Rasmus
Lerdorf

------
contingencies
Basically, you can't avoid being surveilled without radically altering your
lifestyle. If you did, then it'd be something like:

0. Don't use a cell phone.

1. Don't use Google.

2. Don't use Skype or any other VOIP or telephone service.

3. Don't use social networks.

4. Don't use electronic money, including the bank account you are presently
being paid in to.

5. Don't use individually booked international flights or ships.

6. Don't use email.

7. Don't communicate regularly with the same set of people. If you must
communicate, do it either using steganography or in brief and without
revealing any identifying information (spelling, voice, writing style, etc.)

~~~
pearjuice
8. Don't use anything which isn't FOSS or compiled from source.

~~~
RickHull
[http://cm.bell-labs.com/who/ken/trust.html](http://cm.bell-labs.com/who/ken/trust.html)

~~~
dllthomas
[http://www.dwheeler.com/trusting-trust](http://www.dwheeler.com/trusting-trust)

------
alan_cx
From the article:

"Since I started working with Snowden's documents, I have been using GPG,
Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm
not going to write about."

My take on that is that the author does not trust all the things he advises us
to use, since he relies on other things he is not going to tell us about.
Which means he is safe(r), we are not, and won't be, since he won't share.

Great. What use is all that then? None.

BTW, Just read that O2 UK are blocking VPN traffic.....

~~~
vidarh
He is giving suggestions for _improving_ your security, not for perfect
security. And one additional way you can improve your security is to not let a
potential adversary know all the steps you take - Schneier is high profile,
and with an admission he's worked on Snowden documents, even more so; there's
every reason for him to assume that if he wasn't a direct NSA target before,
he is now. It's a trade off.

------
fiatmoney
In addition to trying to obscure traffic, we should be generating large
amounts of spurious traffic that's difficult to analyze and store.

------
jlmorton
> Basically, the NSA asks companies to subtly change their products in
> undetectable ways: making the random number generator less random, leaking
> the key somehow, adding a common exponent to a public-key exchange protocol,
> and so on. If the back door is discovered, it's explained away as a mistake.

You have to wonder about the Android SecureRandom weakness just discussed in
recent weeks:

[http://android-developers.blogspot.com/2013/08/some-securera...](http://android-developers.blogspot.com/2013/08/some-securerandom-thoughts.html)

Exactly the situation described by Schneier. Normally I would dismiss this out
of hand as pure tin hattery. Scarily, I'm actually wondering.

------
philip1209
Encrypting DNS traffic should also be considered:

[http://dnscrypt.org/](http://dnscrypt.org/)

------
a3n
"I bought a new computer that has never been connected to the internet. If I
want to transfer a file, I encrypt the file on the secure computer and walk it
over to my internet computer, using a USB stick."

Wasn't this one transfer mechanism for stuxnet? Once a computer is infected,
you have to at least suspect that anything that touches it directly or
indirectly is infected. It's like an STD.

~~~
betterunix
Format the thumb drive before mounting it on the airgapped computer. It is
cheaper than using CDs.

~~~
simoncion
It looks like you can buy DVDs in bulk for between 20c and 10c per disc. If you're
_really_ serious about protecting your airgapped computer, this is a very
reasonable price to pay.

~~~
betterunix
Sure, so is using a rewriteable DVD, but neither is much more secure than
formatting thumb drives before mounting them. Convenience is the only
argument, and it is not all that hard to set things up so that you always
format thumb drives that are plugged in.

~~~
dubya
A thumb drive is, or can be, a tiny computer that can lie about its contents
depending on what's asking. I don't see a particular exploit in Schneier's
case, but a thumb drive could be made that behaved differently depending on
whether a Mac or Windows PC was trying to talk to it.

------
motters
I may have misread. Did Bruce Schneier just admit that he has Snowden documents
on an air gapped computer, likely sited at his place of residence? If he is a
"US person reasonably believed to be inside the US" then I imagine that could
put him on the list for a 2am wakeup call.

~~~
SEMW
Am I missing something? What motive would the US have for raiding his house?

It's not like the US is desperate to know what's in the documents. They
already know what's in them. They're the US's own documents. They just want to
stop them being published. Raiding Schneier wouldn't do anything to help with
that, it'd just mean he has to go over to the Guardian's offices to do the
analyzing - it's not like the copies he has are the only ones.

The Guardian's already confirmed that they have copies at at least their New
York and Brazil offices, and you can bet they have plans in case those are
raided. (Last resort, they're almost certainly part of the August 2013
Wikileaks insurance release, which someone just needs to tweet the password
for if somehow all the Guardian's copies are simultaneously destroyed).

~~~
minor_nitwit
The US actually does not know the specific documents that Snowden took, or how
much he took, because he was able to bypass their security. This is suspected
to be the reason that Miranda was detained in the UK.

~~~
junto
Which is the reason that they now know what Snowden took.

------
greenrice
Why use symmetric cryptography over public-key? I thought RSA was
theoretically secure as long as factoring sufficiently large prime numbers is
impossible.

~~~
tptacek
Argh.

First, RSA is about factoring composites.

Second, factoring those composites at popular key sizes isn't impossible.

Third, public-key algorithms are much harder to get right; they involve direct
mathematical operations on plaintexts and devolve to well-studied math
problems much more readily than symmetric ciphers do.

You should absolutely avoid public-key crypto, including public-key key
agreement schemes like Diffie-Hellman, if your needs don't absolutely require
them.

~~~
anoncowherd
> You should absolutely avoid public-key crypto, including public-key key
> agreement schemes like Diffie-Hellman, if your needs don't absolutely
> require them.

Is there an alternative to public-key crypto? We all need to do stuff online.

~~~
tptacek
Sure there is: pre-shared keys, exchanged out-of-band.

~~~
anoncowherd
You probably know what I was getting at. Public-key crypto is _very_ important
in today's world. If we can't use the current system, we need something to
replace it. Pre-shared keys is for a different scenario.

~~~
tptacek
You are missing both Schneier's point and mine. The point is that if you can
contrive of a way to (perhaps inconveniently) pre-share static keys, you
should consider doing that instead of relying on number theory to protect your
secrets.

~~~
anoncowherd
> The point is that if you can contrive of a way to (perhaps inconveniently)
> pre-share static keys, you should consider doing that instead of relying on
> number theory to protect your secrets.

No I got that just fine. As you know, I'm suggesting that not using public-key
crypto or something else for the same purpose is impractical.

------
devx
This is from the Guardian:

_Among the specific accomplishments for 2013, the NSA expects the program to
obtain access to "data flowing through a hub for a major communications
provider" and to a "major internet peer-to-peer voice and text communications
system"._

What could this be: "major internet peer-to-peer voice and text communications
system" ?!

We already know Skype is compromised and it's not P2P anymore anyway. So what
are they talking about? Which other _major_ P2P service for voice and text is
there?

~~~
ZoF
Hangouts?

------
RexRollman
"Basically, the NSA asks companies to subtly change their products in
undetectable ways: making the random number generator less random, leaking the
key somehow, adding a common exponent to a public-key exchange protocol, and
so on. If the back door is discovered, it's explained away as a mistake."

I have to wonder if, maybe in some instances, this is why it takes so long for
some vendors to patch the vulnerabilities in their software. Maybe some of the
problems we report were really there intentionally?

------
ZeroMinx
I suspect the real answer to "How to remain secure against NSA surveillance"
is; go offline.

~~~
lifeisstillgood
This is of course the right answer. And the _only_ answer if you are actually
planning something you know to be nefarious. It's going to be an interesting
law of unintended consequences now that only the better criminals and
terrorists will escape this dragnet.

------
peterwwillis
Psh! I know how to fool the NSA! I'll start using 9 character passwords
instead of 8.

~~~
artichokeheart
hunter222

------
graycat
I don't 'get it': For public key cryptography, the basic math is well known.
Then what's needed is some code. The core code for just the en/decryption is
quite short. So, just write the core code yourself, directly from the math
and/or open source code -- be 100% sure you understand each statement of code
you write.

Then turn the en/decryption code into just a simple command line program that
reads a file and writes a file -- no opportunity for the spooks to corrupt
that code either.

Then call it done. So, for e-mail, type some text into a simple file, wash it
through your own command line encryption software, get out the file of simple text
of the base 64 of the encryption, pull that text into the e-mail program, and
send it.

I'm not 'getting it' on just where the security vulnerability is here.

Again, the crucial point is that the core en/decryption code is darned short,
quite close to the well known math, and can be checked against some open
source code.

Then, if everyone writes their own code in this way and discovers that they
are 'interoperable', then everyone knows that they did good work even if they
never actually share code.

I'm not getting why this can't work?

~~~
revelation
Right, so you go on Wikipedia and implement RSA. You understand every single
thing you do.

Oops. You forgot padding. Because of some strange identity that applies to the
simple math you just implemented straight from the textbook, all your
encrypted data can be trivially decrypted.
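
The "strange identity" is that raw RSA has no randomness and respects multiplication. The following is an added demonstration, not code from the thread: it builds a constructed key from two Mersenne primes (fine for illustration, not for real use), shows that textbook RSA is deterministic and multiplicatively homomorphic, and shows that a hand-rolled RSA-OAEP encoding (after RFC 8017, here only to illustrate; use a vetted library in practice) has neither property and rejects a combined ciphertext.

```python
"""Textbook RSA versus RSA-OAEP: why the padding step matters (added example)."""
import hashlib
import os

# Constructed demo key: p = 2^521-1 and q = 2^607-1 are known Mersenne primes.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes
H_LEN = hashlib.sha256().digest_size   # 32


def rsa_raw_encrypt(m: int) -> int:
    """Textbook RSA: c = m^e mod n. No randomness, so same input -> same output."""
    return pow(m, E, N)


def rsa_raw_decrypt(c: int) -> int:
    return pow(c, D, N)


def mgf1(seed: bytes, length: int) -> bytes:
    """Mask generation function (RFC 8017 appendix B.2.1) built on SHA-256."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def oaep_encode(msg: bytes, seed=None) -> bytes:
    """EME-OAEP encoding (RFC 8017 section 7.1.1) with an empty label."""
    if len(msg) > K - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(b"").digest()
    db = l_hash + b"\x00" * (K - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = os.urandom(H_LEN) if seed is None else seed   # the randomness
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, K - H_LEN - 1)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, H_LEN)))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes) -> bytes:
    """Reverse of oaep_encode; one combined check, one error path."""
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, H_LEN)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, K - H_LEN - 1)))
    sep = db.find(b"\x01", H_LEN)
    ok = em[0] == 0 and db[:H_LEN] == hashlib.sha256(b"").digest()
    ok = ok and sep != -1 and not any(db[H_LEN:sep])
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]


def rsa_oaep_encrypt(msg: bytes) -> bytes:
    return rsa_raw_encrypt(int.from_bytes(oaep_encode(msg), "big")).to_bytes(K, "big")


def rsa_oaep_decrypt(ct: bytes) -> bytes:
    return oaep_decode(rsa_raw_decrypt(int.from_bytes(ct, "big")).to_bytes(K, "big"))


def raw_is_deterministic(m: int) -> bool:
    """Two encryptions of the same plaintext are identical under raw RSA."""
    return rsa_raw_encrypt(m) == rsa_raw_encrypt(m)


def raw_is_malleable(m1: int, m2: int) -> bool:
    """Enc(m1) * Enc(m2) mod n == Enc(m1 * m2): ciphertexts combine unnoticed."""
    return (rsa_raw_encrypt(m1) * rsa_raw_encrypt(m2)) % N == rsa_raw_encrypt(m1 * m2 % N)


def oaep_is_randomized(msg: bytes) -> bool:
    """With OAEP the same plaintext encrypts differently every time."""
    return rsa_oaep_encrypt(msg) != rsa_oaep_encrypt(msg)
```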

~~~
dllthomas
Or even if you get the algorithm correct, maybe you forgot to handle all the
memory the key touches special and it's swapped to disk. Or maybe your
implementation is vulnerable to timing attacks or something more obscure.

~~~
graycat
Just trying to send some text via e-mail, so swaps to disk and/or timing
attacks should not work. That is, not trying to encrypt streams of voice or
video, and do assume that the computer used for the de/encryption is 'secure'.

~~~
dllthomas
The problem with it being swapped to disk is that it means the decrypted form
of your key (you're storing it encrypted by a passphrase, right?) is now
persisting while your computer is off, which exposes it to more threats
(someone images your disk when you take your computer in for repair).

Timing attacks would certainly be harder if you're never signing anything in a
situation the attacker controls, but I'm leery about claiming nothing could be
done.

~~~
graycat
> decrypted form of your key (you're storing it encrypted by a passphrase,
> right?)

Haven't yet implemented the little de/encryption command line program I
described so don't know just how I'd store my private RSA key. The private key
would likely be just on my computer some place as just ordinary data maybe
with a comment that clearly describes the data as my private key.

I'm not sure what you mean by a "passphrase", but I can guess; with my guess,
no, I wouldn't do that because (1) it makes life harder for me and (2) doesn't
really make decrypting my data much more difficult for an attacker.

> when you take your computer in for repair

Right, if I lose physical control of my computer, then all or nearly all the
data I encrypted can now be decrypted by others.

So, right, for anyone who would lose physical control of his computer for any
reason, the 'approach to computer security' I outlined would have a huge hole
in it.

In my case, I would never take my computer for repair since I built and repair
my own computer.

------
VikingCoder
[http://xkcd.com/538/](http://xkcd.com/538/)

~~~
Homunculiheaded
Please let's not mindlessly post this comic and act that because rubber hose
cryptanalysis exists we shouldn't even bother.

One huge point I keep trying to bring up to friends when I talk about security
is: yes if you are the specific target of the state or any asymmetrically
powerful adversary you are in a lot of trouble.

But with large scale surveillance the bigger concern is not becoming a target
in the first place. Properly securing sensitive communications is a good first
step in ensuring that you aren't picked up in a sweep through the data.

Sure encryption in the first place may flag you, but at least in the current
situation it isn't going to be enough to invoke any rubber hose techniques.

~~~
VikingCoder
I propose that we do act like governments can detain you, until you reveal
your password, because that does in fact happen.

I propose that people abandon the concept that they can archive their email
forever, and instead use systems like a Mission Impossible Tape that self-
destructs the instant you're done reading it.

I propose that the only way to stop the government from making you decipher
your messages, is if it's impossible for you to decipher them.

Everyone should use Perfect Forward Secrecy systems.

------
gburt
I guess this makes NSAKEY[0] probably the NSA's.

[0] [http://en.wikipedia.org/wiki/NSAKEY](http://en.wikipedia.org/wiki/NSAKEY)

------
mhb
Wouldn't it be relatively easy for the NSA to run ubiquitous MITM attacks
using some certificates in the certificate chain that they have compromised?
That way all they need to do is compromise certificates and get in the middle
on a large scale (which could be done automatically perhaps) instead of
breaking encryption.

~~~
tptacek
No, because the anti-surveillance features of browsers like Chrome would flag
those MITM attacks, which would compromise sources & methods, which is
anathema to NSA.

~~~
mhb
I thought that the browser flags a MITM attack when the information that was
sent from the supposed server doesn't agree with the server information
received through a different channel (e.g., with the operating system).

If the NSA had compromised certificates on the operating system, how would
Chrome detect that a MITM attack was being attempted?

~~~
tptacek
Because Chrome doesn't entirely rely on the operating system to verify
certificates.

~~~
Karunamon
I wouldn't trust Chrome's extra methods in this case. Nothing against Google
whatsoever, but closed source, commercial software from a company the NSA has
expressed a great deal of interest in fooling around with is probably the
worst possible choice in this case. Same with Safari and IE.

~~~
tptacek
(a) the code in question is part of Chromium, which you should read, and (b)
Mozilla has adopted it as well.

~~~
Karunamon
Google and other corporations still represent a huge risk in that they can be
compelled to degrade or modify the feature, and since all you get is a binary
blob, you have no way of knowing.

The security provided by the feature, in this case, is then questionable. I'd
trust Firefox and Chromium, but not Chrome for this reason.

------
hextalib
You can't remain secure against an organization that has effectively unlimited
resources. All you can do is make it harder for them -- and that is most
easily accomplished by non-technical means rather than a more advanced version
of existing technical means.

Talk to people face-to-face, maybe?

------
coherentpony
It's pretty funny that SilentCircle's website preaches privacy and information
hiding. Yet their site is also littered with trackers for analytics, logging
what OS you're using, what hardware, etc.

------
chaitanya
Schneier says: "Prefer symmetric cryptography over public-key cryptography."

If I were to use only symmetric encryption then how do I prevent man in the
middle attacks?

------
erikb
So many comments and nobody actually sacks Schneier for working on Windows
completely? How much security can you have when you work on top of Windows?

~~~
dublinben
Most security researchers use Windows because that's where the 'action is' so
to speak. If he wasn't running Windows, he'd be firing up a Windows VM more
often than not.

~~~
erikb
Seems not unreasonable for work. But there is also a level at which they can't
see much of what's happening, because they simply don't have the source code,
right? So for the home office it would make sense a lot to use Linux.

------
b6
For now, we need to stop thinking and talking like this. This race is lost.
The government is ready to record everything, but we are not ready to encrypt
everything.

It's not enough to protect yourself, even if you could. You are not OK even if
you manage to protect yourself, because your friends and family and loved ones
and colleagues are mostly, if not all, compromised.

The long term goal should still be for everything to be encrypted. But the
near-term goal should be to utterly dismantle the NSA. It should all be taken
apart, brick from brick, and destroyed. The people who put it into place
should be removed from power and prosecuted.

~~~
bad_user
If data is easy to eavesdrop, then somebody will. This is also an engineering
problem. We've got broadband, we've got capable CPUs, there's no excuse for
not encrypting everything.

~~~
alan_cx
And if they do suspect you of something, they will water-board you in a
country with no human rights to stop the "ticking bomb" they use to excuse
themselves. Not sure how long I'd last, TBH. If you are lucky, you'll go to
jail.

That's the way it is, and will be until people wake up and change politics.

~~~
mahyarm
The problem with that is it isn't very scalable. The NSA being able to spy on
the world is very much a very recent economic reality.

~~~
zachrose
Yes, though just because it's not scalable doesn't mean it's not an injustice.

~~~
prawn
Or likely to deter others. Terror, flipped.

------
nether
I know they've had problems in the past, but is Cryptocat now a decent way to
securely communicate?

~~~
mahyarm
It isn't a secure product, but it's a crypto product, something that has decent
UX that isn't from a huge compromised company such as apple or google. In this
space it makes it rare. It all depends on your adversary. For family members,
stalkers and most employers, it's probably great.

~~~
MichaelGG
How is it more secure against "family members and stalkers" than, say, Gmail?

~~~
mahyarm
Well it's more a social design. Google probably has a record of all of your
emails, deleted or not somewhere and a court order can get those emails.
Cryptocat will not. Gmail is also very integrated into most people's devices,
so it's easier to get to someone's email records by getting at their computer,
phone, cookies, etc.

