Wednesday, March 5, 2014

FreedomPop - Hide from the Govm'nt, or Not

In the news--a phone called FreedomPop for $189 that's supposedly secure against government spying.

Two things I have to say about that:

1.  It's illegal in the U.S. to maintain a communications system that government agencies cannot tap into. All communications providers are required by law to maintain a technical means for the government to know who is communicating with whom and to record or listen in on communications.

2.  If I were at the NSA, I would secretly sponsor a web site called nsa.cant.hack.this.site.com which would presumably attract a crowd of terrorists, tax cheats, spies, fraudsters, drug dealers, bitcoinsters, child pornographers, investment bankers, cheating husbands, socialists, and anyone else the government ought to be keeping track of. It would make things so much easier because they wouldn't have to go looking for these people and wouldn't have to waste all that time and energy trying to hack into systems. To make it convincing, NSA would orchestrate a big fuss about how awful it is that they can't hack the site and just wait for the baddies to come to them. It's impossible to know whether such a site is being sponsored by the NSA or not. Impossible. In fact, the more it's hyped, the more news there is about how bad it is for the government, the more likely it is to be a front for one or another spy agency.

So what does it take to really hide from the NSA? Here are a few things to keep in mind.

- Don't use Microsoft Windows for anything. It can't be made secure no matter what you do, period.

- Use the smallest, simplest hardware possible, Raspberry Pi for example. Make it tamper-evident, for example by giving it a custom paint job.

- Use only the Linux kernel and the absolute minimum Linux add-ons. Get the software from multiple sources and make sure they're identical and of course verify checksums from multiple sources via multiple connections from different computers and different internet providers.

- Write the rest of the software yourself. You really can't trust software you get from anyone else. One of the Snowden revelations is that NSA has been planting programmers to introduce security holes into open source software.

- Use XOR encryption. It's simple and you can easily program it yourself. If the key is truly random and is at least as long as the message, the result is a one-time pad, which is unbreakable even in theory. Use 3 or more different makes and models of USB hardware random number generators in combination to generate the key, and test the generated keys for randomness. This is really hard to do properly. You'll need to study it and become an expert at this.

- Use low-tech key exchange, physical rather than telecommunications delivery. If not in person, then use tamper-evident packaging and you'll need one-time-use code words to verify authenticity.

- Don't buy via mail order if you can possibly avoid it. If the government is already on to you, everything you get in the mail will be pre-hacked. Buy as much as possible from stores you don't normally visit.

- You need to hide who you are communicating with and the fact that you are communicating at all. This is called steganography. This means that you can't use any centralized servers but need to communicate one-to-one only, and you need to use a library or an internet cafe or hack into poorly secured internet connections, rather than doing it from home or work. It's terribly difficult to do and tedious and awkward but absolutely necessary if you want to be truly invisible.
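The XOR one-time-pad item in the list above, as an added example that is not part of the original post: it combines several generator outputs, rejects a visibly biased key, refuses to reuse pad bytes, and shows why reuse breaks the scheme. All function and class names are hypothetical, and `secrets.token_bytes` is an assumed stand-in for the hardware generators.

```python
import math
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def combine_sources(*streams: bytes) -> bytes:
    """XOR several generator outputs; one good independent source is enough."""
    if len(streams) < 3:
        raise ValueError("combine at least three independent sources")
    key = streams[0]
    for s in streams[1:]:
        key = xor_bytes(key, s)
    return key

def monobit_ok(key: bytes, alpha: float = 0.01) -> bool:
    """Frequency (monobit) test: passing proves nothing, failing proves bias."""
    if not key:
        return False
    n = len(key) * 8
    ones = sum(bin(b).count("1") for b in key)
    p_value = math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))
    return p_value >= alpha

class OneTimePad:
    """Hands out each key byte exactly once; both ends keep the same offset."""
    def __init__(self, key: bytes):
        if not monobit_ok(key):
            raise ValueError("key failed the monobit test")
        self._key, self._pos = key, 0

    def apply(self, data: bytes) -> bytes:
        """Encrypt or decrypt (the same operation) with unused pad bytes."""
        end = self._pos + len(data)
        if end > len(self._key):
            raise ValueError("pad exhausted: key must be as long as the traffic")
        chunk, self._pos = self._key[self._pos:end], end
        return xor_bytes(data, chunk)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused key, c1 XOR c2 equals p1 XOR p2: the key cancels out."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    # Constructed demo; about 1% of good keys are rejected at alpha = 0.01.
    key = combine_sources(*(secrets.token_bytes(64) for _ in range(3)))
    ct = OneTimePad(key).apply(b"meet at noon")
    print(ct.hex(), OneTimePad(key).apply(ct))
```

XOR with a pad hides the content but gives no integrity: anyone who can alter the ciphertext can flip chosen bits of the plaintext undetected.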

It's pretty unlikely you're bad enough to justify doing all this. There are some things you can do though to make it at least a little bit more difficult for the NSA.

- Minimize unnecessary communication of whatever it is you feel you need to keep secret. It's really difficult to make sense of communications without context and 99% of what we say is redundant and unnecessary.

- Maximize unimportant communication with both important people and unimportant people. It makes it a little more difficult for the NSA to sort out the wheat from the chaff.

- To foil automated computer scans of your communications, communicate via Skype and hold up written messages to the camera while you're talking, preferably in handwritten script rather than printed. Better yet, learn sign language and sign while Skyping. (Your deaf friends will appreciate it too.) I'd be surprised if NSA have got this covered yet, though maybe they will after reading this blog. Probably they're the only ones who read my blog.

But do you really care? Does privacy have any real value to you? To paraphrase Dr. Strangelove: Stop worrying and learn to love the NSA!
