Monday, August 5, 2013

Government Surveillance - You Don't Have to Close Your Eyes and Think of England

Computers are tremendously powerful tools. Modern computers, even tablets and smartphones, have more compute power than you could put on a desktop a dozen years ago.  They are, it must be remembered, platforms for running software, nothing more or less than a system that can execute any code that can be developed for them.  The NSA exploits the power and flexibility of modern hardware and Operating Systems to intercept, capture, store, sort and query your digital communications.  Programs like PRISM, XKeyscore and Tempora are nothing more than stacks of software systems and hardware platforms designed to manipulate digital data.

But wait - what's that thing on your desk?  It's also a computer, isn't it?  You are not helpless - you just need to educate yourself. You have the compute power and digital resources to resist, and even defeat the most sophisticated government surveillance, but you need to educate yourself and gather a few basic tools.  Nothing is certain in this world, but if you are uncomfortable with the idea that the US government is capturing and perhaps analyzing your communications and Internet activity, you should at least try to protect yourself.

The first thing you need to do is understand that digital communications and Internet activity are two different things. You can't conceal your web searches and site visits, so the best solution is to find a way to decouple those activities from your identity.  The fast and free solution is to use TOR.  TOR stands for The Onion Router and is designed to conceal your IP address and substitute it with a randomized address - the NSA will still capture your traffic, but nothing in those packets will connect it with you.  TOR works by stripping the identifying information from the packets it receives and then bouncing that traffic around a random set of member routers.  No one, not even the people who run TOR, knows where it will emerge.  When it does, it will appear that the packets originated at that TOR exit point, with no remaining data that can be used to forensically trace them back to their actual source.

It was just revealed that the TOR Browser Bundle was hacked - exploiting a vulnerability in Firefox - by the FBI, apparently with a technical assist from the NSA.  The vulnerability has been patched - just make sure you get the current version of the TOR bundle.  Firefox represents the weak link in the TOR bundle, but there's hope on the way. Jason Geffner announced a new TOR tool, Tortilla, at the BlackHat InfoSec conference last week.  Tortilla provides a secure, anonymous means of routing TCP and DNS traffic through Tor regardless of client software and without the need for a VPN or secure tunnel.  It's open source, so implementations should start to appear for your platform of choice soon.

Anonymizing solutions are great for protecting the privacy of your web browsing, but obviously aren't a viable solution for communications.  In order to protect your files and messages, you have to encrypt. The amazing thing is that encryption tools, even the free ones available to you today, are so powerful that, used correctly, it would take even the NSA thousands of years to decrypt a single email message.  You can use the free, open source Truecrypt software to encrypt your files, folders and even whole disks, both on your local network storage and in the cloud.  Email encryption requires that both the sender and recipient have the public key for the message, which causes people to think it's "too hard" to encrypt emails.  But if it's not every bit as important to the recipient to maintain the privacy of the communication, then you should think very carefully about what information you want to send them.

An easy solution is for you and your contacts to use Hushmail.  A free service, Hushmail encrypts the email on their server, transfers it using TLS protocols and allows the recipient to decrypt it.  It is considered secure from capture by intelligence agencies and hackers, but the company does acknowledge they will respond to court orders (they are in Canada, not the US, for what that's worth).  Beyond that, get started with one of the OpenPGP/GPG platforms, get a key pair and start protecting your messages.

These tools and solutions are anything but breaking news to the people who have been professionally at odds with government surveillance for years.  Whether journalists, whistleblowers, dissidents, criminals, terrorists or hackers, the basic tradecraft for secure digital communications is part of life for them. But that means all these tools are available to you - at whatever level you feel that you should resist.  Bear in mind that Apple, Microsoft and Google all provide your information to the government without telling you - ask yourself how confident you feel using their core operating system platforms.  There are alternatives, alternatives we KNOW do not contain back doors or government connections because anyone can freely parse the source code.  So bear in mind that if your Operating System provider is compromised, nothing you can do will protect you - they are capturing your data as you create and download it, before you can take any steps to protect yourself.

The bottom line is simply this: if you feel that the revelations about NSA spying on American's digital communications is an unacceptable and extra-constitutional intrusion on your privacy, and you regularly say so and express outrage at these clear examples of government over-reach, and then you do NOTHING to protect your digital communications from interception and compromise, you are a fraud and a hypocrite.  Yes, it DOES mean you're going to have to learn some new technologies and understand a little more deeply how to implement secure communication protocols.  If you "don't have time" or "can't be arsed", then fine, accept that you are sharing your life with the US Government and whoever they care to share it with, and shut up about it.

There's a ton of information at  Use it or don't - it's up to you.


  1. If you "don't have time" or "can't be arsed", then fine, accept that you are sharing your life with the US Government and whoever they care to share it with, and shut up about it.

    You can complain if you're doing it and complain if you're not. It's a bad policy. They could be subsidizing education instead of spooks.

    1. Yeah...I guess I agree with that. But it nonetheless frustrates me no end that people will express boundless outrage and at the same time sit passively by and wait for somebody else to do something about it. "Will no one rid me of this meddlesome government?"

      It's the American disease - we just can't be bothered to push back, but we'll invest significant effort in whining and complaining...

  2. Yeah I agree. Gotta see if the service provider would let me set up a TOR server. I kind of feel bad not helping.

  3. Nothing is certain in this world, but if you are uncomfortable with the idea that the US government is capturing and perhaps analyzing your communications and Internet activity...

    I appreciate your tips, mikey.

    But what if there were some individual (totally hypothetical, of course!) who didn't have a cell phone. Rarely ever used his landline more than once or twice a month. Has a blog, but mostly just uses it to post pictures of butterflies and flowers (and such as). In other words, there is nothing in this person's communications that he cares about the government knowing, one way or another.

    HOWEVER...He believes that the government can not be trusted with the power to spy on everyone. (Note: DHS coordinated the shutdown of Occupy protests, people protesting fracking have been labeled "ecoterrorists" by our government, and of course, there is this.

    So it isn't about this hypothetical individual's's about the slide into a Stasi state.