Electronic Frontier Foundation Encryption Privacy

Ten Steps You Can Take Against Internet Surveillance

Hugh Pickens DOT Com writes "Danny O'Brien writes for the EFF that as the NSA's spying has spread, more and more ordinary people want to know how they can defend themselves from surveillance online. 'The bad news is: if you're being personally targeted by a powerful intelligence agency like the NSA, it's very, very difficult to defend yourself,' writes O'Brien. 'The good news, if you can call it that, is that much of what the NSA is doing is mass surveillance on everybody. With a few small steps, you can make that kind of surveillance a lot more difficult and expensive, both against you individually, and more generally against everyone.' Here are ten steps you can take to make your own devices secure: Use end-to-end encryption; Encrypt as much communications as you can; Encrypt your hard drive; Use strong passwords; Use Tor; Turn on two-factor (or two-step) authentication; Don't click on attachments; Keep software updated and use anti-virus software; Keep extra secret information extra secure with Truecrypt; and Teach others what you've learned. 'Ask [your friends] to sign up to Stop Watching Us and other campaigns against bulk spying. Run a Tor node; or hold a cryptoparty. They need to stop watching us; and we need to start making it much harder for them to get away with it.'"
This discussion has been archived. No new comments can be posted.

  • by bazmail ( 764941 ) on Saturday October 26, 2013 @02:18PM (#45246079)
    Good idea, but can't really see that catching on, unfortunately.
  • by Anonymous Coward on Saturday October 26, 2013 @02:24PM (#45246113)
    They'll just take it from the healthcare and education budget allocations. They don't give a fuck. It's all about protecting their own positions of power against the plebs.
  • by amiga3D ( 567632 ) on Saturday October 26, 2013 @02:34PM (#45246171)

    Really? It's not like the US and UK export all that many products. Boycotts are almost always a waste of time.

  • by Calibax ( 151875 ) * on Saturday October 26, 2013 @02:35PM (#45246177)

    According to news reports, there are around 1000 analysts at NSA engaged in surveillance. Let's assume half of them are looking at foreign traffic and half at domestic traffic. That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?

    Personally, I'm much more concerned about the way commercial organizations are spying on us. I think the loss of privacy to Facebook, Twitter, LinkedIn, Google, and other social media is much more creepy than some secret government bureau knowing that I called my parents 3 times last week.

    Of course, there are those that worry about cops knowing when they are calling their drug supplier to set up a buy, but all indications so far are that the data is not available to regular police organizations.

  • by girlintraining ( 1395911 ) on Saturday October 26, 2013 @02:35PM (#45246179)

    Step one: Don't post on forums.

    Step Two: Terrorists Win.

    When you opt not to speak out against the government out of fear of reprisal, then you effectively have lost your right to free speech. Forums like Slashdot need to embrace the use of proxies like Tor, etc., instead of shutting them down with giant ugly off-red pages saying "Blocked!" Anonymization services like Tor are invaluable for creating a safe haven for free speech; in countries like Iran, North Korea, United States, France, Iraq, and Egypt, people are being harassed, arrested and imprisoned for chastising the government for being a police state. We need websites to publish information about these governments' activities for the world to see, and sites like Slashdot that block Tor and similar technology are simply enabling those governments to build a digital iron curtain around themselves to lock down political dissent.

  • by sI4shd0rk ( 3402769 ) on Saturday October 26, 2013 @03:21PM (#45246531)

    What the hell? You think spying on everyone so we can maybe catch a few terrorists is acceptable in a country that's supposed to be the land of the free and the home of the brave? You think it's okay for our government to blatantly violate the constitution and then claim that they didn't actually do so because some secretive court rubberstamped general warrants?

    You might be just a little paranoid though.

    There has never once been a government that has failed to abuse its powers throughout history. Why do you believe me to be paranoid when I suggest that allowing the government to collect nearly everyone's communications is an awful idea? Do you believe the people in the government to be perfect angels? I do not understand why you would say such a thing otherwise.

    I hope you were joking; otherwise, you are profoundly ignorant and naive.

  • by girlintraining ( 1395911 ) on Saturday October 26, 2013 @03:31PM (#45246601)

    Considering the number of things the NSA has completely missed (e.g. Boston bomber, Snowden, Benghazi, etc.) I'm beginning to wonder if

    Back up the fail train there. The NSA wasn't tasked to find the Boston bomber, the FBI was. And they did. Benghazi is a figment of the tea party's over-active imagination -- there's no evidence that anything other than poor judgement and incompetence at a local level occurred. And Snowden... well, that's the only thing you mentioned that has any weight. The NSA management was warned about him long before "the incident" by Homeland Security. They ignored that warning. The case can be made this was a mistake -- but it seems from the after action reports online they're addressing their structural/organizational deficits that allowed it to happen post-incident. The fact is, there's always a risk of a defector, no matter how good your agency is. Every major intelligence agency from every major government in the world has had it happen. This is not a statement on the overall competence of the NSA as an intelligence organization.

    What if this is much like a Banana Republic, where the government puffs up its chest and parades around a bunch of military men and equipment to try to scare its citizens into line. But actually they are totally outnumbered by the citizenry, have very little real power, and they know it.

    That's pretty much the working definition of law enforcement everywhere, man. There's only 1 police officer for every, what, 10,000 citizens? It's a practical impossibility for the NSA to do all the things the tin foil hat brigade claims they're doing -- monitoring everyone's cell phones, everyone's e-mail, the entire internet... and just to keep things interesting, doing all that while cracking foreign powers' high level cryptography and military communications systems. To do everything they claim they're doing, even assuming their technology is twenty years more advanced than the civilian sector equivalents, would imply multi-trillion dollar budgets per year to sustain and a workforce vastly higher than the numbers available suggest.

    Sure, they might be collecting a lot of data, but storage and analysis may be such a monumental task that they can really only figure out things in retrospect, which really doesn't give them much advantage over classic investigation techniques. But hey, some tech companies are probably getting rich over this.

    The data collection is a massive operation because the data being sent only has data retrospectively; when they identify a potential suspect for development, based on those "classic investigation techniques", without that infrastructure they're starting at day zero. But if everything is logged, they can proceed immediately with looking into his/her background and recent communications. In the intelligence world, there are three things that give an asset value: timeliness, accuracy, and analytical support. It does you no good to find the terrorist after the bomb has gone off, it does you no good to identify the wrong person, and it does you no good to have all the information that could have met the first two criteria if nobody analyzes it and suggests a course of action (arrest, drone strike, whatever).

    Once you understand that the analytical side of the intelligence cycle is the real bottleneck here, you quickly realize that the NSA can't possibly care about your marijuana stash, or even the warrant for your arrest. To develop leads and maintain a solid intelligence cycle, they can only focus on a tiny fraction of the data they're pulling in... so unless you're a .01%'er in the world of terrorism, counter-intelligence, spying, or foreign military... forget it. They don't care.

  • by Okian Warrior ( 537106 ) on Saturday October 26, 2013 @03:35PM (#45246635) Homepage Journal

    According to news reports, there are around 1000 analysts at NSA engaged in surveillance. Let's assume half of them are looking at foreign traffic and half at domestic traffic. That's 500 analysts for 350 million population, or 1 analyst for every 700,000 people. What makes you think you are special enough to deserve their attention?

    Okay, let's look at those statistics more closely.

    500 analysts for 350 million people continuously is 500 analysts for roughly 1 million people per day each year, or roughly 1 analyst is spending an entire day looking at 2,000 people. Each year. So there's a 1-in-2,000 chance that sometime this year, an analyst will be pawing through your online behaviour.

    (Of course, if you assume that the analyst spends 1 hour on each person, it drops to 1-in-250 chance that sometime during the year you will be "analyzed" by an NSA agent.)

    Now consider the power of computers. Is it reasonable to think that 1 computer could collect and analyze the E-mail and online speech of 2,000 people in a single day of compute time? Assuming you put certain keywords in your online text ("I'm going to kill some time this afternoon by watching the presidential debate"), how likely do you think it will be that you win the 1-in-250 chance?

    Let's add in ambiguous laws. The recent trend is not to charge people with doing harm, but conspiracy for doing harm. One recent news report told of a couple of people charged with "conspiracy to join Al-Qaeda". Note that these two people didn't do a terrorist act, they didn't contribute to a terrorist group, and they weren't even a member of a terrorist group. They were talking about joining a terrorist group. People are commonly charged with "conspiracy to grow marijuana" (google has many links).

    We've reached the point where you can be arrested when no overt crime has been committed.

    There's a recent news story where, for the first time, the DOJ is informing a defendant [usatoday.com] that they used NSA/warrant-less surveillance to gather evidence. They used mass surveillance to get enough probable cause to apply for a real warrant which resulted in evidence of a crime.

    The important bit of the previous is that the DOJ was conflicted about revealing this information. The prosecutor felt that it was only a "procedural decision", since no evidence from the mass-surveillance warrant would be introduced at trial. (A couple of lawyers in the DOJ argued for disclosure.)

    All evidence indicates that they analyze everyone's online presence all the time, and use that information to pick-and-choose people for prosecution when no overt crime has been committed.

    Sock puppet, begone!

  • Windows (Score:3, Insightful)

    by Princeofcups ( 150855 ) <john@princeofcups.com> on Saturday October 26, 2013 @04:01PM (#45246811) Homepage

    "use anti-virus software"

    Just come out and say it. Don't use Windows.

  • by whoever57 ( 658626 ) on Saturday October 26, 2013 @04:10PM (#45246877) Journal

    Back up the fail train there. The NSA wasn't tasked to find the Boston bomber, the FBI was.

    Back up the strawman train there. The GP was pointing out that the information gathered by the NSA failed to prevent the Boston bomber, and prevention is what the NSA claims that its massive surveillance program does.

    In reality, what it does is undermine democracy. What if the NSA discovered some embarrassing material relating to Dianne Feinstein and is using it to blackmail her to support the NSA? How do you know that it hasn't happened? The answer is that you don't and that's why democracy has been undermined. What would Herbert Hoover have given to have the information that the NSA has?

  • by Burz ( 138833 ) on Saturday October 26, 2013 @04:45PM (#45247105) Homepage Journal

    If, however, there was an equal exploit that could be triggered on a Qubes user (ability to execute code on the local machine), exactly what protections are in place to prevent gathering their real external IP, MAC, and forwarding it off to the attacker?

    Under Qubes, the Tor Browser (actually, all browsers) operates within its own hardware-enforced (both VT-x and VT-d) virtual machine ensuring that even privilege-escalated code would have no way to access the Internet except through Tor itself. It would have no access to real system settings or personal info, etc., unless for some odd reason you put them into that VM.

    The system architecture is a series of VMs that have varying levels of risk assigned to them. Even the firewall, IP stack and X11 graphics (with attendant hardware drivers) run in their own separate VMs under Qubes, booted from a non-writeable system template.

    The hypervisor itself is a desktop GUI disconnected from any networking devices.

  • by sI4shd0rk ( 3402769 ) on Saturday October 26, 2013 @05:09PM (#45247231)

    So, given the NSA versus greedy companies, I'll take the NSA any day.

    There is no such dichotomy, and you should be extremely concerned about the NSA spying on everyone's communications. The US is a country founded on the idea of distrusting authority, and yet you basically suggest that we should not care when the government is essentially crumpling up the constitution and tossing it into the garbage. What a sorry state of affairs this is that people so naive even exist.

  • by bazmail ( 764941 ) on Saturday October 26, 2013 @05:32PM (#45247369)
    True, but nobody outside the IT dept is going to use ssh, install security plugins like OTR or use PKI. Unless this is all baked directly into the product, is on by default and is zero-config, it will fail.
  • by FuzzNugget ( 2840687 ) on Saturday October 26, 2013 @09:21PM (#45248559)
    Seriously, this should not have to be explained on Slashdot.

    Data can be wrong. Interpretations can be wrong. Police tend to interpret everything as an act of wrongdoing as soon as they have a single data point or dumb-ass idea that suggests you are a suspect.

    Case in point: David Marie [youtube.com] (jump to 5:00). He enters a subway station. He's flagged as a suspect because he's "wearing a jacket." Seriously. The Bumblefuck Police Department then use this as justification to raid his apartment where they find a page of random scribbles they deem as "subway map" (seriously, look at the drawing in the video, it's just fucking random scribbles) and proceed to charge him as a terrorist. Oh, he's not in prison, he just can't get a Visa, leave the country or expect to ever be free from constant restrictions and "unwanted attention" in his life.

    Amazing how someone can be too dangerous not to be watched, but not dangerous enough to imprison. I wonder how it feels to be stupid enough to engage in that level of cognitive dissonance and not go insane.
  • by lpq ( 583377 ) on Saturday October 26, 2013 @10:07PM (#45248767) Homepage Journal

    When the computer industry was "young", there was little likelihood the NSA had co-opted your developers & SW providers. Now?

    With every update you need to wonder if it contains a new backdoor at the request of the NSA, asked via a "security letter", which makes disclosure illegal.

    Examples in linux abound as vendors stumble over each other to provide secure-boot distros, complete with windows-like service managers (systemd), that move config control out of scripts where you can see what they are doing, into binaries, that you have to verify come from a source that is likely too large for most of us to audit -- not to mention the problem looking for a backdoor that might be very well hidden these days... (ex. pre-solved factoring keys for AES encryption), etc... You got the latest certs downloaded from *where-ever* (needed for https and such)? How many aren't already cracked?

    I wouldn't have a problem with the NSA's spying, *IF* they didn't share anything not related to national security -- but our entire justice system is predicated on law-enforcement being 'human' and needing warrants to search private stuff -- but now? The NSA doesn't need those, and any info it finds is shared with generic, domestic law enforcement. It's already been seen that the FBI has been getting info dumps from the NSA that it's been using to start determined "take-down" efforts against *persons*. I.e. they just watch the people they want, and find some excuse to 'legally' find out the info, OR, find something else to bust them on.

    Of course it's been well documented here on "/.", how both foreign visitors and US citizens lose their constitutional rights when they are at a border -- losing laptops and having decryption keys demanded.

    What crap!

    One rectifying solution would be to have any illegally leaked evidence taint prosecution of someone for *any, "hidden", charge*, for some number of years (whatever statute of limitations might be).
    By hidden, I mean things they'd have to probe into to find out -- not armed robbery or such...

    It sounds problematic, and the details would have to be ironed out, but between that, and the profit motive for "charging" a "rightless" property with "crimes" instead of the person, our legal rights as citizens are falling below western standards and down into the "outcast/illegal/brutal" regimes that we supposedly "invade" for....

    Who's gonna invade us to save us from our government? I think the only ones with the ability to save us are "us".
