Bruce Schneier's 'How to remain secure against NSA surveillance'




I wish someone would translate some of what is gobbledygook to those of us who are less well versed in technology. Also, he says some things that I suppose insiders understand like "use encryption not made by any major US company". Okay, I get that Apple is probably not a good source for encryption which comes with the computer. But how does someone find good encryption? How do you know where to look, and which ones always have a backdoor way in and which don't? I have many questions, but will read it all over again when I am fresh.


Isn't it simpler if we all agree to use "Death to Obama, Long Live Osama" as our sigs?

I mean, if everybody is a terrorist, nobody is a terrorist.


Computer security and cryptography is very hard. It's up to the engineers and coders to do the heavy lifting for users. You can learn how to protect yourself better but it will take time. I'm afraid that technology is primarily constructed from gobbledygook.


Thank you.


We need more Schneiers in the world. What is required is an army of scientists armed with high math and engineering skills to protect the common person from spying eyes and invisible hands of any and all.


For a little while there, I was thinking of making my email signature, Fuck you NSA.
I'm not sure the intended recipients would appreciate that though.


I would start with gpg to protect the contents of your email. Gpgmail is a plugin for your apple mail application. Now this program will only work if the people you communicate with use gpg too.

Here is a demonstration of the problem. We have these great tools but they are hard to work with and they only work if they are broadly adopted. This is the challenge if you're an engineer, coder, or admin.


What you can do to make real change is call your representative and senator and give them an earful. Tell them that you vote and you are not happy. If enough people do this the NSA can be put in its place.


I'd put that in my work sig, but I work for "the man." (Not El Presidente, but one of his departments.)


I'd love to encrypt my email, but at best the people I email are indifferent about the surveillance, at worst they're supporters of it. Thankfully I don't write anything that would get me in troub...


Yep, that's some sig material right there.


I get that Apple is probably not a good source for encryption which comes with the computer

Apple's DMG can use up to 256-bit AES and it's problematic to crack. With a tough password, it's possible, but it would take too many billions of years to do so.

Schneier seems to think it's safe:

Now, if someone knows of a backdoor in Apple's implementation of DMG, that's another story.

Overall, you're probably better off using something open source like TrueCrypt.


"our best defense is to make surveillance of us as expensive as possible."

Unfortunately this also has the side effect of making us pay more for our trouble, as the NSA will have to work overtime to decrypt all of our missives.


Mostly it is the users who defeat security by giving away their passwords or using applications like facebook.


Yeah, I know, but in my experience, sometimes that brings the heat on you, especially if you are consistently vocal.


Sir, come with us, please.


Truecrypt is probably safe. But what he didn't really address in his article is WHAT you should encrypt. He has it all lumped together. Computer users do a few main things: work on local files, and communicate over the network, sometimes regarding those local files.

If all you are doing is working locally on top s33krit sh1t, TrueCrypt and an airgap is your solution. But if you are hoping to communicate securely, you're going to need one of a few other solutions. Or maybe you don't care about encrypting your local work, but you only care about your communications.

See? Everyone needs to personally audit what is important to them, and what they need to keep secure... AND FROM WHOM.

Sometimes, it's not the NSA that is bothersome. For instance, I won't email personal stuff to my wife on her corporate email account. I don't want some slob at her company doing the Outlook backups reading our shit. Do I care if the NSA reads it, if they are listening? Well, no, and it's not worth the effort to encrypt it all. Easy solution: don't email her at her work; use her personal address.

So, long story short, my advice is to personally assess your computer use, what is important and what you need to encrypt, and who you are most concerned about. Then go from there.


Basically it says you don't have a glimmer of a hope to secure your communications against NSA surveillance.

Even a noted security expert like Schneier finds it to be far too onerous to actually implement it for any but his most sensitive communications, and presumably he has some communications a lot more sensitive than yours, and many of the people he communicates with are also security experts.


My like was for translating for me, not that I like what the bottom line is.