How You Can Still Avoid and Thwart the NSA
The presentation given by Jacob Applebaum and Laura Poitras at the 31st Chaos Communication Congress has touched off a wave of articles about the places where the NSA either can or can’t surveil you. Concurrent with this talk Der Spiegel released over forty documents from the Snowden leak that support the technical points Applebaum addressed. These documents have touched off a running discussion in Hacked’s chat channel, and we’d like to share some of our observations.
Also read: 31st Chaos Communication Congress Offers Confirmations, Shocks
Things You Should Not Use
There are a variety of things you should not use anymore and Skype belongs at the top of the list. Your voice communications and text chats are accessible to the NSA, and they have been for a couple of years. The alternative that horrifies NSA analysts the most is Phil Zimmerman’s ZRTP encrypted voice protocol. Implementing this is painless, since you can just switch to Jitsi, an open source competitor to Skype.
Virtual Private Networks sometimes offer PPTP, the point to point tunneling protocol, as an option. This was popular with Windows users, as no additional client software was needed, but the protocol is and has been painfully weak for many years. IPSec can be safe, but there are many configuration options and a significant learning curve, even for the technically minded. OpenVPN connections, which depend on the OpenSSL encryption package, seem to be the right balance of protection and ease of use.
Zero Customer Knowledge VPNs as pioneered by Cryptostorm are an excellent OpenVPN option. They provide an introductory low-speed service Cryptofree.me. If you want to experiment with both PPTP and OpenVPN, Romanian provider VPNBook offers free connections. Unlike Cryptostorm, there is no obvious revenue model supporting VPNBook, so be mindful that they likely make their way by selling information about what you do with their network.
The NSA has massive compute resources at their command including farms of cryptographic ASICs similar to Bitcoin mining operations, only they are dedicated to picking apart encrypted traffic streams. They are actively hunting and recording public key cryptography sessions so they can crack them in bulk. If you use software with configurable key lengths you make sure the longest one possible, which is often 4096 bits, and be sure you use a long, strong passphrase to protect your keys.
Things that Work Well Against the NSA
Technology counted as ‘catastrophic’ by the NSA includes the Tor anonymizing network, particularly when accessed using TAILS, The Amnesiac Incognito Live System, a hardened Linux distribution that will run well on netbooks and older computers. This is a live distro, which means you can put it on a thumb drive attached to your keychain for those times when you are forced to use a public computer. Not mentioned in the talks, but similar to TAILS, the Whonix distro provides an even more hardened environment, but it requires a machine large enough to run two VirtualBox machines at once.
Chats protected by Off The Record (OTR) are undecipherable for the NSA. Did you already install Jitsi for its ZRTP voice capabilities? If so, you’re in luck, because that program also provides OTR encryption for text chat, too. Jitsi offers support for Jabber, Yahoo, and even Facebook. If you use a network that isn’t supported by Jitsi your next choice for a client is Pidgin if you’re on Linux/Windows or Adium if you use OSX.
Email encrypted with Pretty Good Privacy (PGP) or it’s free software implementation, GNU Privacy Guard, are a terrible problem for the NSA. This is one of those places where a 4096 bit key is needed, and some programs still default to only 2048. If you are not yet encrypting email things have gotten a lot easier, which we described in Making Encrypted Mail Usable.
Whisper Systems offers SMS text message encryption software and a year ago this was added to the CyanogenMod OS, a free and open alternative to Google’s Android, creating a potential ten million new users as people upgrade their systems. They also have a voice application, Red Phone, which gets high marks.
How You Can Help
Many of the documents released offer hints about what you can do to make the NSA’s admittedly fragile access to your communications completely impossible. There are going to be many guides published in the coming months as people take steps to ensure their privacy. Reading them and fostering the good practices you find is important, but here are two simple actions you can take immediately.
If you have a computer that is on 24×7, both TAILS and Whonix are distributed by torrent. If you can spare the disk space, download them both and leave your torrent client running.
If you have good bandwidth at home, configure that computer that is on 24×7 to be a Tor relay. If your home computer runs Linux, this involves installing a single package, opening a port in your firewall and uncommenting a few lines in the config file. The only hazard is that the default configuration sets your system to be not just a relay, but also an exit. Find the line that says ExitPolicy and disable it until you understand the risks. You can learn more about this by reading the tor-relays mailing list.
Providing storage and distribution for good tools coupled with adding capacity to the Tor network for those who want to use them doesn’t just benefit them, you’re getting a constant smoke screen of traffic which will help conceal your activities.
Images from Shutterstock.