Discussion in 'Bill of Rights' started by stg58, Jun 6, 2013.
Yes, yes it will. But I still want to see if PRISM is susceptible to SQL injection
So, I think it's just about time I post a GPG public key for general consumption on the board. Just trying to decide a) if I want to create a new thread for it and b) exactly how much of my communication is going to "go dark".
One thing is not up for debate though, I've had it.
@DarkLight, therein lies the rub. We want to fly under the radar but encrypting comms tends to attract unwanted attention.
It's a conundrum at best.
Even if it's innocuous chatter between friends, the act of encrypting/obfuscating communication raises suspicion, and the alphabet crews spend resources trying to get grandma's meatloaf recipe.
Big Brother is here, and his name is PRISM
This was a pretty depressing article for individuals highly concerned with information privacy. It basically says, "You can try all of this, but you're pretty much screwed if the big boys want your data badly enough."
Ideas for keeping your data safe from spying - Yahoo! News
Ideas for keeping your data safe from spying
LONDON (AP) — Phone call logs, credit card records, emails, Skype chats, Facebook messages, and more: The precise nature of the NSA's sweeping surveillance apparatus has yet to be confirmed.
But given the revelations spilling out into the media recently, there hardly seems a single aspect of daily life that isn't somehow subject to spying or surveillance by someone.
Experts say there are steps anyone can take to improve privacy, but they only go so far.
Using anonymity services and encryption "simply make it harder, but not impossible," said Ashkan Soltani, an independent privacy and security researcher. "Someone can always find you — just depends on how motivated they are."
With that caveat, here are some basic tips to enhance your privacy:
ENCRYPT YOUR EMAILS
Experts recommend encryption, which scrambles messages in transit, so they're unreadable to anyone trying to intercept them. Techniques vary, but a popular one is called PGP, short for "Pretty Good Privacy." PGP is effective enough that the U.S. government tried to block its export in the mid-1990s, arguing that it was so powerful it should be classed as a weapon.
Disadvantages: Encryption can be clunky. And to work, both parties have to be using it.
TOR, short for "The Onion Router," helps make your traffic anonymous by bouncing it through a network of routers before spitting it back out on the other side. Each trip through a router provides another layer of protection, thus the onion reference.
But it's worth noting that TOR may be ineffective against governments equipped with the powers of global surveillance.
Disadvantages: Browsing the web with TOR can be painfully slow. And some services — like file swapping protocols used by many Internet users to share videos and music — aren't compatible.
DITCH THE PHONE
In general, proprietary software, lousy encryption, hard-to-delete data and other security issues make a cellphone a bad bet for storing information you'd rather not share.
An even bigger issue is that cellphones almost always follow their owners around, carefully logging the location of every call, something which could effectively give governments a daily digest of your everyday life. Security researcher Jacob Appelbaum has described cellphones as tracking devices that also happen to make phone calls. If you're not happy with the idea of an intelligence agency following your footsteps across town, leave the phone at home.
Disadvantages: Not having a cellphone handy when you really need it. Other alternatives, like using "burner" phones paid for anonymously and discarded after use, rapidly become expensive.
CUT UP YOUR CREDIT CARDS
The Wall Street Journal says the NSA is monitoring American credit card records in addition to phone calls.
Disadvantages: Credit cards are a mainstay of the world payment system, so washing your hands of plastic money is among the most difficult moves you can make.
DON'T KEEP YOUR DATA IN AMERICA OR WITH AMERICAN COMPANIES
U.S. companies are subject to U.S. law, including the Patriot Act, whose interpretations are classified.
If you don't like the sound of that, your best bet is to park your data in a European country, where privacy protections tend to be stronger.
Disadvantages: Silicon Valley's Internet service providers tend to be better and cheaper than their foreign counterparts. What's more, there's no guarantee that European spy agencies don't have NSA-like surveillance arrangements with their own companies. When hunting for a safe place to stash your data, look for smaller countries with robust human rights records. Iceland, long a hangout for WikiLeaks activists, might be a good bet.
STEER CLEAR OF MALICIOUS SOFTWARE
If they can't track it, record it, or intercept it, an increasing number of spies aren't shy about hacking their way in to steal your data outright. Edward Snowden, the NSA leaker, warned the Guardian that his agency had been on a worldwide binge of cyberattacks.
"We hack everyone everywhere," he said.
Former officials don't appear to contradict him. Ex-NSA chief Michael Hayden described it as "commuting to where the information is stored and extracting the information from the adversaries' network." In a recent interview with Bloomberg Businessweek, he boasted that "we are the best at doing it. Period."
Malicious software used by hackers can be extremely hard to spot. But installing an antivirus program, avoiding attachments, frequently changing passwords, dodging suspicious websites, creating a firewall, and always making sure your software is up to date is a good start.
Disadvantages: Keeping abreast of all the latest updates and warily scanning emails for viruses can be exhausting.
The title of this story was a bit misleading, since Germany is certainly not NSA's most prolific partner, except perhaps where the situation in Afghanistan is concerned; but it does highlight the global nature of intelligence gathering these days.
Germany is NSA's 'Most Prolific Partner': Report
Barack Obama isn't the only world leader suffering over leaked information about NSA surveillance—Germany's Angela Merkel is also in the firing line. On Friday, she spent her annual news conference dealing with increasing concerns that the US has been spying on German citizens, the New York Times reports. "We are examining what happened, whether this is the tip of the iceberg, or less serious, or something else—what is true," she said.
But a new report from Der Spiegel says Germany should have some idea of what's true, because it is running NSA spying programs and has actually been increasing its cooperation with US intelligence recently.
Der Spiegel says it has seen secret US documents showing German intelligence is employing the NSA's XKeyScore program. XKeyScore allows the agencies to gather all unfiltered data coming from a target's computer for several days, including things like what they have typed into search engines and the content of communications.
The NSA accesses up to 500 million data connections from Germany a month. In December 2012 alone, 180 million of those came from XKeyScore.
The documents also report that Germany's foreign intelligence service has recently "been working to influence the German government to relax interpretation of the privacy laws to provide greater opportunities of intelligence sharing" and has become the NSA's "most prolific partner" for intelligence gathering in Afghanistan.
Germany is NSA's 'Most Prolific Partner': Report - New documents reveal extent of US-German spying cooperation
An interesting solution to this problem . . . but, you'll have to work for it:
How to foil NSA sabotage: use a dead man's switch | Technology | theguardian.com
How to foil NSA sabotage: use a dead man's switch
Registering for nothing-to-see-here deadlines could help to sound the alert when a website has been compromised
The more we learn about the breadth and depth of the NSA and GCHQ's programmes of spying on the general public, the more alarming it all becomes. The most recent stories about the deliberate sabotage of security technology are the full stop at the end of a sentence that started on 8 August, when Lavabit (the privacy-oriented email provider used by whistleblower Edward Snowden) abruptly shut down, with its founder, Ladar Levison, obliquely implying that he'd been ordered to secretly subvert his own system to compromise his users' privacy.
It doesn't really matter if you trust the "good" spies of America and the UK not to abuse their powers (though even the NSA now admits to routine abuse), you should still be wary of deliberately weakened security. It is laughable to suppose that the back doors that the NSA has secretly inserted into common technologies will only be exploited by the NSA. There are plenty of crooks, foreign powers, and creeps who devote themselves to picking away patiently at the systems that make up the world and guard its wealth and security (that is, your wealth and security), and whatever sneaky tools the NSA has stashed for itself in your operating system, hardware, applications and services, they will surely find and exploit.
One important check against the NSA's war on security is transparency. Programmes published under free/open software licenses can be independently audited and are much harder to hide secret back doors in. But what about the services that we use – certificate providers, hosted email and cloud computers, and all the other remote computers and networks that we entrust with our sensitive data?
Ultimately these are only as trustworthy as the people who run them. And as we've seen with Lavabit, even the most trustworthy operators may face secret orders to silently betray you, with terrible penalties if they speak out.
This is not a new problem. In 2004, American librarians recoiled at the FBI's demands to rummage through their patrons' reading habits and use them to infer terroristic intent, and at the FBI's gag orders preventing librarians from telling their patrons when the police had come snooping.
Jessamyn West, a radical librarian, conceived of a brilliant solution, a sign on the wall of her library reading "THE FBI HAS NOT BEEN HERE (watch very closely for the removal of this sign)." After all, she reasoned, if the law prohibited her from telling people that the FBI had been in, that wasn't the same as her not not telling people the FBI hadn't been in, right?
I was reminded of this last week on a call with Nico Sell, one of the organisers of the annual security conference Defcon (whose founder, Jeff Moss, told the NSA that it would not be welcome at this year's event). Nico wanted me to act as an adviser to her company Wickr, which provides a platform for private messaging. I asked her what she would do in the event that she got a Lavabit-style order to pervert her software's security.
She explained that her company had committed to publishing regular transparency reports, modelled on those used by companies like Google, with one important difference. Google's reports do not give the tally of secret orders served on it by governments, because doing so would be illegal. Sell has yet to receive a secret order, so she can legally report in each transparency report: "Wickr has received zero secret orders from law enforcement and spy agencies. Watch closely for this notice to disappear." When the day came that her service had been served by the NSA, she could provide an alert to attentive users (and, more realistically, journalists) who would spread the word. Wickr is designed so that it knows nothing about its users' communications, so an NSA order would presumably leave its utility intact, but notice that the service had been subjected to an order would be a useful signal to users of other, related services.
This gave me an idea for a more general service: a dead man's switch to help fight back in the war on security. This service would allow you to register a URL by requesting a message from it, appending your own public key to it and posting it to that URL.
Once you're registered, you tell the dead man's switch how often you plan on notifying it that you have not received a secret order, expressed in hours. Thereafter, the service sits there, quietly sending a random number to you at your specified interval, which you sign and send back as a "No secret orders yet" message. If you miss an update, it publishes that fact to an RSS feed.
Such a service would lend itself to lots of interesting applications. Muck-raking journalists could subscribe to the raw feed, looking for the names of prominent services that had missed their nothing-to-see-here deadlines. Security-minded toolsmiths could provide programmes that looked through your browser history and compared it with the URLs registered with the service and alert you if any of the sites you visit ever show up in the list of possibly-compromised sites.
No one's ever tested this approach in court, and I can't say whether a judge would be able to distinguish between "not revealing a secret order" and "failing to note the absence of a secret order", but in US jurisprudence, compelling someone to speak a lie is generally more fraught with constitutional issues than compelled silence about the truth. The UK is on less stable ground – the "unwritten constitution" lacks clarity on this subject, and the Regulation of Investigatory Powers Act allows courts to order companies to surrender their cryptographic keys (for the purposes of decrypting evidence, though perhaps a judge could be convinced to equate providing evidence with signing a message).
When the NSA came up with codenames for its projects to sabotage security products, it chose "BULLRUN" and "MANASSAS", names for a notorious battle from the American civil war in which the public were declared enemies of the state. GCHQ's parallel programme was called "EDGEHILL", another civil war battle where citizens became enemies of their government. Our spies' indiscriminate surveillance programmes clearly show an alarming trend for the state to view everyday people as adversaries.
Our world is made up of computers. Our cars and homes are computers into which we insert our bodies; our hearing aids and implanted defibrillators are computers we insert into our bodies. The deliberate sabotage of computers is an act of depraved indifference to the physical security and economic and intellectual integrity of every person alive. If the law is perverted so that we cannot tell people when their security has been undermined, it follows that we must find some other legal way to warn them about services that are not fit for purpose.
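The registration, heartbeat and missed-deadline logic that the column sketches above, as an added example that is not part of the column, of Wickr, or of any real service. The column has the operator sign a random number from the service with a public key; this version substitutes a SHA-256 hash chain (S/KEY style) so that it runs with the Python standard library alone: the operator publishes the chain tip as the "public key", each heartbeat reveals the next preimage, and anyone who holds the tip can verify a reveal while nobody else can forge one. The operator and service classes, the hourly clock, and the two example URLs are constructed for the demonstration.

```python
"""Dead man's switch on a hash chain: constructed example, stdlib only."""
import hashlib
import secrets
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Operator:
    """Side that wants to keep saying 'no secret orders yet' (hypothetical)."""

    def __init__(self, length: int):
        seed = secrets.token_bytes(32)
        chain = [seed]                      # chain[i] = H^i(seed)
        for _ in range(length):
            chain.append(H(chain[-1]))
        self._chain = chain
        self._next = length - 1             # index of the next preimage to reveal
        self.tip = chain[length]            # published in place of a public key

    def heartbeat(self) -> bytes:
        """Reveal the next link; each value can be handed out only once."""
        if self._next < 0:
            raise RuntimeError("chain exhausted; register a fresh tip")
        value = self._chain[self._next]
        self._next -= 1
        return value


@dataclass
class Registration:
    tip: bytes              # last accepted value; the next heartbeat must hash to it
    interval: int           # hours the operator promised between heartbeats
    deadline: int           # hour by which the next heartbeat is due
    remaining: int          # links left before the chain runs out
    overdue: bool = False


@dataclass
class DeadMansSwitch:
    """The hypothetical service; `feed` stands in for the column's RSS feed."""
    regs: dict = field(default_factory=dict)
    feed: list = field(default_factory=list)    # published (url, missed hour)

    def register(self, url: str, tip: bytes, interval: int, length: int, now: int):
        self.regs[url] = Registration(tip, interval, now + interval, length)

    def heartbeat(self, url: str, preimage: bytes, now: int) -> bool:
        reg = self.regs[url]
        # A replayed, forged or out-of-order value fails this single check.
        if reg.remaining == 0 or H(preimage) != reg.tip:
            return False
        reg.tip = preimage
        reg.remaining -= 1
        reg.deadline = now + reg.interval
        reg.overdue = False
        return True

    def tick(self, now: int) -> list:
        """Driven by the clock; publishes each newly missed deadline once."""
        missed = []
        for url, reg in self.regs.items():
            if now > reg.deadline and not reg.overdue:
                reg.overdue = True
                self.feed.append((url, reg.deadline))
                missed.append(url)
        return missed


def verify_reveal(original_tip: bytes, preimage: bytes, k: int) -> bool:
    """Anyone holding the published tip can check the k-th heartbeat offline."""
    value = preimage
    for _ in range(k):
        value = H(value)
    return value == original_tip


def demo() -> dict:
    """Constructed scenario: two registered services, one of them goes silent."""
    switch = DeadMansSwitch()
    good, quiet = Operator(length=365), Operator(length=365)
    switch.register("https://good.example", good.tip, 24, 365, now=0)
    switch.register("https://quiet.example", quiet.tip, 24, 365, now=0)

    results = {}
    h1 = good.heartbeat()
    results["good_day1"] = switch.heartbeat("https://good.example", h1, now=20)
    results["replay"] = switch.heartbeat("https://good.example", h1, now=21)
    results["forged"] = switch.heartbeat("https://quiet.example", secrets.token_bytes(32), now=21)
    results["missed_at_25"] = switch.tick(now=25)       # quiet.example is overdue
    h2 = good.heartbeat()
    results["good_day2"] = switch.heartbeat("https://good.example", h2, now=40)
    results["third_party"] = verify_reveal(good.tip, h2, 2)
    results["feed"] = list(switch.feed)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the substitution. A hash chain does not bind a heartbeat to a challenge the service chose, so an operator who is made to hand over the seed (or a pre-revealed batch of links) can be impersonated for the rest of the chain; the column's design of signing a fresh random number each interval closes that gap, and the registration and deadline logic above is unchanged by it. And in either design the switch reports only silence: a compelled operator who keeps heartbeating is invisible to it, which is exactly why the column frames the signal as the absence of a "no orders yet" message rather than a disclosure.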
Adding to my signature line: "I have received no secret government orders of any kind" (watch for this notice to be removed).
You know @kellory...that's an AWESOME idea. Done!