The Register: 4 Ways the Guardian Could Have Protected Snowden 233
Frosty Piss writes with this excerpt from The Register: "The Guardian's editor-in-chief Alan Rusbridger fears journalists – and, by extension, everyone – will be reduced to using pen and paper to avoid prying American and British spooks online. And his reporters must fly around the world to hold face-to-face meetings with sources ('Not good for the environment, but increasingly the only way to operate') because they believe all their internet and phone chatter will be eavesdropped on by the NSA and GCHQ. 'It would be highly unadvisable for any journalist to regard any electronic means of communication as safe,' he wrote. El Reg would like to save The Guardian a few bob, and reduce the jet-setting lefty paper's carbon footprint, by suggesting some handy tips – most of them based on the NSA's own guidance."
spoiler alert (Score:5, Informative)
1. Encryption: It's not hard
* Keep your private key secret, encrypted and in one place (eg, not a police interrogation room)
* Meet the Advanced Encryption Standard
2. Use clean machines
3. How to shift the data securely
4. Using hidden services
Not sure what author of article is going for (Score:5, Informative)
1.) Encryption: It's not hard
Shouldn't really be a factor now that Snowden is known publicly. When Snowden was trying to escape the U.S. it was necessary for him to be paranoid and secretive. Now he's already given a full copy of all of his information to Greenwald in person. Snowden was protected well by his news contacts. They had him reveal himself to the world on his own time and not have his name leak before he wanted it to leak. He was safe when it mattered. The Guardian did an acceptable job getting Snowden to safety.
2.) Use clean machines
Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.
3.) How to shift the data securely
The governments of the world can potentially intercept ANYTHING. Phone calls, emails, text messages, picture messages, faxes, voices through a hidden microphone, credit card transactions, smoke signals, bank statements, parabolic intercepts. Nothing is truly secure in this day and age. A reporter can use a courier by land or plane and that person can be held in a cell for nine hours while being interrogated. But an in-person intercept is known to both parties. A phone intercept is tough to fully know about unless you have an inside source telling you "your personal phones and prepaid phones are all tracked". Thanks to Snowden I now assume that EVERYTHING is tracked by the government.
4.) Using hidden services
The government is cracking down on those. Lavabit could not stop the government. Why would any other black site or anonymous exchange be able to stop the government? The government can stop billion dollar companies from operating overnight. Like a small email or messaging company can withstand the onslaught of a multi-national cyber-military operation?
Snowden didn't want protection (Score:3, Informative)
Snowden and the reporters he communicated with did use encryption and other means to preserve secrecy while he was initially doing the leaks. But once it became front-page news, he wanted the publicity, and he told them to go public.
Re:Not sure what author of article is going for (Score:5, Informative)
Not difficult at all. It's called an air gap. You buy a laptop specifically for the purpose of decrypting the messages. You set it up without connecting it to the Internet. You generate your private-public key pair on this machine and use a flash drive to manually copy the public key to a different machine so that you can provide it to whoever needs it. When you receive a message, you copy that to a flash drive, then copy it to the other machine, then extract it.
Ideally, the private key should also be stored on a (different) USB key that you carry with you, to reduce the risk of physical theft by (hopefully) ensuring that the key and the encrypted data are never in the same place except when you are decrypting that data. If you are really paranoid, you can split the key into pieces so that multiple key dongles held by separate people must be stolen or confiscated before encryption is compromised.
This is how high-security data handling works everywhere. If intercepting it could mean the end of (the|your) world, you build an air gap, and you ensure that the computers on the inside of that gap are never connected to the public Internet in any way, shape or form. And when you're done with the machine, you destroy its hard drive in accordance with DoD manual 5200.01.
Of course, this ignores TEMPEST/Van Eck phreaking; chances are, you aren't that important, but if you are, you should also take precautions to physically secure your air gap room against any EM emissions from the computer in question.
And as always, Keep Calm and Carry a Towel.
Re:Not sure what author of article is going for (Score:5, Informative)
2.) Use clean machines
Extremely difficult. The US has deals with phone companies, operating system creators, and hardware manufacturers, to put backdoor systems into so many devices. They monitor so many email and phone companies. How can you be fully sure you didn't buy a machine that has a secret backdoor entry that the FBI or CIA can get into easily? How can you know that your PC isn't already set up for intercepts on all of your activity? You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored. And being passively monitored like how the NSA just copies everything sent anywhere.
I call BS on this one. "You'd need to be an expert on computer software, hardware, intercept technology, and so many other things just to detect that you were being actively monitored." No, you don't. It only takes ONE expert to find that Dell, HP, Microsoft, Apple, OSX, Windows, Linux, has all these supposed backdoors to blow the whistle. While we have cases where various cloud / online services have been forced to turn over information, none of what you're claiming has been reported with hardware and OS vendors.
You're missing one important thing in your paranoia. Existing networks still have to be utilized to transfer this data. If every home PC had such a backdoor, then they still would have to use the internet connection to transmit that data. And yes, there are experts that do watch for this kind of thing, and keep an eye on what their machines are connecting to and why. Unless you're also positing the conspiracy theory that every machine has some totally secret wireless communication built in that talks to some government ghost network that no one has discovered either.
Yes, the NSA is reaching way too far, but even so you've got your tin foil hat way too tight.
Re:MacOS secure!!!! (Score:5, Informative)
Here's a link to the article: The Ken Thompson Hack [c2.com]
Re:The NSA would like to thank you very much (Score:5, Informative)
Just RTFA (Score:4, Informative)
I can read it on your machine before you encrypt it
The "clean machine" never connects to the 'net. It handles the encryption and is the only machine that sees the decrypted data. The machine that touches the net (somewhere remote to your home/office connection) only sees the encrypted file.
When you realize that I have the power to quickly mobilize any police force almost anywhere in the world to get what I want, you will realize by how much you are screwed.
"If you just want to "stay anonymous from the NSA", or whomever good luck with that. My advice? Pick different adversaries."
Re:hung him out to dry (Score:4, Informative)
The truth is, Snowden's info isn't actually revealing of any *new* info, only operational details of already-reported on programs...
Our local senator is one of the ones who has been hinting to us that this is going on since early this year. He couldn't tell us what it was, but ...
He also didn't think it was enough of a problem to bother trying to stop it.
Re:Not sure what author of article is going for (Score:1, Informative)
Did you know that RMS has long been advocating the secure nature of free software as a way of protecting privacy? It is exceedingly difficult to have malicious features in free software that is publicly developed. Binary blobs also represent a security risk in that users are unable to reason the logic of the blobs. This is the reason why RMS supports the Linux-Libre project. I've noted in the past that for many here in Slashdot, any sort of suggestion to remove these Linux blobs for the sake of freedom are met with contempt with the reasoning that "hardware with binary blobs that work are better than hardware without blobs".
RMS has been vindicated once again about the issue that if users do not control the software, the software controls the user.
Re:Wait -- *their* guidance? (Score:5, Informative)
The NSA is a deeply schizophrenic organization. On one side you have people seeking to defend and secure Americans' computer systems and networks against crackers, foreign spies, and the like. They'll propose BS like key escrow [wikipedia.org], but they're actually fairly honest: they know if there is a backdoor they can use, their adversaries can use it too.
On the other hand you have people seeking to break into computer systems and networks, including those of Americans. They oughta be first against the wall when the revolution comes.
Re:5. First Amendment (Score:5, Informative)
The US has **the most journalistic freedom in the world**
wrong [wikipedia.org], according the journos themselves at least; US doesn't even make it into the top 30.
Re:that was a questionaire (Score:4, Informative)
No. I am arguing that one might give more weight to the results of polls among a large number of journalists around the planet, rather than the opinion of this single guy -- Guardian editor or not.
And even if he's right that NYTimes are better equipped for this kind of thing, that's still a far cry from saying that the US does therefore in its entirety have "the most journalistic freedom" in the world -- which was what you were arguing.