Bruce Schneier's 'How to remain secure against NSA surveillance'

Young man, I’ve got JUST two words for you that define the future of secure communications: Carrier Pigeons</hushed tone>.

1 Like

Maybe they are already on to this notion, hence the pigeon strangler; a government agent.

1 Like

Engineering solutions have to deal with and prevent users from making bad decisions. Also, solutions have to be so convenient that making a bad decisions is actually harder. If half of these security problems are solved it will probably be a victory for most users. Right now most users have been completely sold out.

The implication (actually the outright accusation, come to think of it) in the story is that if the encryption product came from a large corporation and you don’t have access to the source, there is a very good chance it’s been compromised.

Last I looked, Apple was a large corporation and AFAIK their crypto source code has not been open-sourced or otherwise published. Draw your own conclusions as to the likelihood of the existence of backdoors.

if the encryption product came from a large corporation and you don’t have access to the source, there is a very good chance it’s been compromised.

Agreed, but you took my quote out of context. That’s why my next sentence was, “Overall, you’re probably better off using something open source like TrueCrypt”.

I just don’t want to resort to conjecture as fact. We don’t know that Apple has put a backdoor into DMGs.

Draw your own conclusions as to the likelihood of the existence of backdoors.

One hole the government does have is if you look at things that have certain levels of FIPS compliance, you know they shouldn’t have a backdoor in it or other agencies will get into their files. This info isn’t readily available online (you really do have to watch out for potential disinformation that gives the public a false sense of security.). If you’ve ever done security work for (or with) the government (at certain levels), then you may have a better idea.

You can dig around to try and determine baselines for various devices, for example:

https://cio.gov/wp-content/uploads/downloads/2013/05/Federal-Mobile-Security-Baseline.pdf

I’ve done IT work for the government, but beyond this (in regards to how they implement things like Level 3 and 4 FIPS compliance), I’m sorry I can’t say anything more, except to point in right directions. The line between informative journalism/sharing and incriminating yourself is very blurry nowadays within our authoritarian, corporatist regime.

But, you’re right, people are going to have to draw their own conclusions, because there’s no way in hell I’m giving out sensitive info on a pseudo-anonymous boingboing account.

As far as Apple having a backdoor into DMGs, I consider that highly unlikely considering the FBI, etc. can’t apparently can’t get into them:

http://www.securityfocus.com/columnists/215

But, there are workarounds and tools to at least try a brute force attack on DMGs and I think people would be better served with things like TrueCrypt as long as it’s done correctly.

It ain’t easy, but hopefully all this will change in the future as more citizens demand to have their privacy protected. I think, all in all, this is a hybrid political-technological issue. I’m slightly hopeful more Americans will demand more privacy as more whistleblowing leaks are exposed, but then again these are the same people that voted in GW Bush… twice…

1 Like

Do I care if the NSA reads it, if they are listening? Well, no, and it’s not worth the effort to encrypt it all

That’s the problem, though. I think the overall solution is a hybrid political-technological movement that involves most Americans whether you care if someone at the NSA reads certain particular love letters or not.

Everyday email communications are basically an unwrapped postcard and that makes encrypted emails stand out like a clownish, sore thumb with unicorn sparkles all over it.

I think you may be missing Schneier’s overall point when he says, “… They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.”

If we all start using encryption en masse for everyday email communications, it’ll shut down (or at least massively slow down) aspects of the NSA’s draconian system for all of us. They might have to resort to things like legal warrants again to focus on individuals instead of suspicionless spying on most Americans. It’ll simply become too cumbersome to spy on all of us at once if most all of us use encryption.

Encrypting your love letters (even those sent to your wife’s personal account) is the patriotic, civic thing to do. The technological challenge is to make encrypting email easier for average people, and the political challenge is to educate one another on why it’s important to use it even for our love letters.

http://www.thoughtcrime.org/blog/we-should-all-have-something-to-hide/

2 Likes

Public key infrastructure is right there, ready to be used. Friendly mail clients are available which use it. It does require a bit of effort to get right, but no more than people put in to physical security.

Sure, but I’m talking about the practical, “What do I do with myself RIGHT NOW?” level of things. We don’t have easy-to-use non-commercial encryption-always-on killer apps. If we did, we’d be using those instead of google, hotmail, etc.

1 Like

Sure, and I’m not saying it’s impossible. Hell, anything’s possible. I just want a killer app that’s mainstream and untouched by the feds.

Give it time…


Unfortunately, all the other methods I could recommend aren’t simple “killer apps”. They take time, expertise and meticulous setup to pull off. It’s just the way it is in this day and age when services like Lavabit are destroyed by our authoritarian state.

By the way, if you haven’t already or feel like doing it again, please donate to the Lavabit developer. He needs every little bit, and certainly deserves our support. If you want things to change, supporting people like Ladar Levison is necessary. (He has a donation link at his site)

1 Like

The government has had the ability to read anyone’s mail for as long as postal mail has existed, but I don’t encrypt my Christmas cards, and even medical records arrive in plain text. For as long as the telephone has existed, the government has had the ability to listen to my phone calls, and yet I speak freely when I call my mother (I need to remember to do that today). I have to wonder what sort of communication people are engaged in that generates such paranoia.

Ability with warrants.

1 Like

I have to wonder what sort of communication people are engaged in that generates such paranoia.

Most of your sort of communications may be indeed be worthless, but there are others in this world that have significant, valuable information they transmit to other dynamic people. That data is sometimes very valuable (even life/world-changing) information and can aid in corruption, theft and other nasty deeds in the wrong hands.

You’re right, though… you can just stay in line for the rest of your life and you’ll probably be ok. Stay insignificant, keep your communications insignificant and you’ll be safe. Whatever you do, don’t start a successful business where they can pluck your valuable secrets… nor try to be a patriotic activist where they can thwart you from organizing others…

Want to organize and run for government? Make sure you stay in line with the agenda of those who are listening or they can (and will) readily destroy you if you dare decide to become a threat to the status quo.

Also be sure and trust that every, single, last employee that works for a governmental and quasi-governmental entity that has access to all your financial data is an honest, little choir boy.

Most importantly… just stay in line and stay insignificant. No nasty “paranoia”. No problem.

But, keep in mind that assholes like me have done IT work for the government and I’ve also worked at the headquarters of a major financial institution and had direct access to major accounts (and little ones). I had ready access to all the transactions of many individuals and major institutions alike. I could use the financial information and governmental information combined in many nefarious ways if I chose to. It’s likely the credit card you own right now is from the corporation we founded. Hint: Alec Baldwin is our bitch.

Hope that helps you sleep better at night knowing that. :zap:

of course I’ll USE it, but it isn’t here yet dammit! We need Internet3… ASAP!

This topic was automatically closed after 5 days. New replies are no longer allowed.