How You Can Still Avoid and Thwart the NSA

by Neal Rauhauser, December 30, 2014

The presentation given by Jacob Applebaum and Laura Poitras at the 31st Chaos Communication Congress has touched off a wave of articles about the places where the NSA either can or can’t surveil you. Concurrent with this talk Der Spiegel released over forty documents from the Snowden leak that support the technical points Applebaum addressed. These documents have touched off a running discussion in Hacked’s chat channel, and we’d like to share some of our observations.

Also read: 31st Chaos Communication Congress Offers Confirmations, Shocks

Things You Should Not Use

There are a variety of things you should not use anymore, and Skype belongs at the top of the list. Your voice communications and text chats are accessible to the NSA, and they have been for a couple of years. The alternative that horrifies NSA analysts the most is Phil Zimmermann’s ZRTP encrypted voice protocol. Adopting it is painless, since you can just switch to Jitsi, an open source competitor to Skype.

Virtual Private Networks sometimes offer PPTP, the Point-to-Point Tunneling Protocol, as an option. This was popular with Windows users, as no additional client software was needed, but the protocol has been painfully weak for many years. IPsec can be safe, but there are many configuration options and a significant learning curve, even for the technically minded. OpenVPN connections, which depend on the OpenSSL encryption package, seem to be the right balance of protection and ease of use.

Zero Customer Knowledge VPNs, as pioneered by Cryptostorm, are an excellent OpenVPN option, and they provide an introductory low-speed service. If you want to experiment with both PPTP and OpenVPN, the Romanian provider VPNBook offers free connections. Unlike Cryptostorm, VPNBook has no obvious revenue model, so be mindful that they likely pay their way by selling information about what you do on their network.

The NSA has massive compute resources at its command, including farms of cryptographic ASICs similar to Bitcoin mining operations, only dedicated to picking apart encrypted traffic streams. They are actively hunting and recording public key cryptography sessions so they can crack them in bulk. If you use software with configurable key lengths, make sure you choose the longest one possible, which is often 4096 bits, and use a long, strong passphrase to protect your keys.
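A quick way to check whether your own keyring already follows the 4096-bit advice is to audit GnuPG's machine-readable key listing. The script below is an added example, not code from the article; it assumes a POSIX shell with awk, reads the output of `gpg --list-keys --with-colons`, and flags every RSA, DSA or ElGamal key shorter than the length you pass. Elliptic-curve keys are short by design, so they are skipped rather than reported. The sample listing embedded in the script is constructed, with fake key ids.

```shell
#!/bin/sh
# Added example, not code from the article: audit key sizes in a GnuPG
# keyring against the 4096-bit recommendation. On a real keyring run:
#   gpg --list-keys --with-colons | weak_gpg_keys 4096

# Print "<keyid> <algo> <bits>" for every primary key (pub) or subkey (sub)
# whose length is below $1 bits (default 4096).
# Only RSA/DSA/ElGamal keys (algorithm ids 1, 2, 3, 16, 17) are measured in
# bits this way; elliptic-curve keys (ids 18, 19, 22) are skipped, not flagged.
# --with-colons field layout used here: $1 record type, $3 key length,
# $4 public-key algorithm id, $5 key id.
weak_gpg_keys() {
    min_bits=${1:-4096}
    awk -F: -v min="$min_bits" '
        ($1 == "pub" || $1 == "sub") &&
        ($4 == 1 || $4 == 2 || $4 == 3 || $4 == 16 || $4 == 17) &&
        ($3 + 0) < min { print $5, $4, $3 }
    '
}

# Constructed sample listing (fake key ids, not real keys): one 2048-bit RSA
# key with a 2048-bit RSA subkey, one 4096-bit RSA key with an Ed25519 subkey.
SAMPLE_KEYS='pub:u:2048:1:0000000000000001:1419897600::u:::scESC::::::23::0:
uid:u::::1419897600::0000000000000000000000000000000000000001::Sample One <one@example.invalid>::::::::::0:
sub:u:2048:1:0000000000000002:1419897600::::::e::::::23:
pub:u:4096:1:0000000000000003:1419897600::u:::scESC::::::23::0:
uid:u::::1419897600::0000000000000000000000000000000000000002::Sample Two <two@example.invalid>::::::::::0:
sub:u:256:22:0000000000000004:1419897600::::::s::::::23:'

# Run the audit over the constructed sample; only the two 2048-bit RSA
# entries are reported, the 4096-bit key and the Ed25519 subkey are not.
audit_sample() {
    printf '%s\n' "$SAMPLE_KEYS" | weak_gpg_keys 4096
}

audit_sample
```

Any key the audit reports should be replaced with a longer one and its old key id revoked once correspondents have the new key; the script only measures length, it says nothing about how well the private key's passphrase protects it.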

Things that Work Well Against the NSA

Technology counted as ‘catastrophic’ by the NSA includes the Tor anonymizing network, particularly when accessed using TAILS, The Amnesic Incognito Live System, a hardened Linux distribution that runs well on netbooks and older computers. This is a live distro, which means you can put it on a thumb drive attached to your keychain for those times when you are forced to use a public computer. Not mentioned in the talks, but similar to TAILS, the Whonix distro provides an even more hardened environment, but it requires a machine large enough to run two VirtualBox machines at once.

Chats protected by Off The Record (OTR) are undecipherable for the NSA. Did you already install Jitsi for its ZRTP voice capabilities? If so, you’re in luck, because that program also provides OTR encryption for text chat. Jitsi offers support for Jabber, Yahoo, and even Facebook. If you use a network that isn’t supported by Jitsi, your next choice for a client is Pidgin if you’re on Linux/Windows or Adium if you use OS X.

Email encrypted with Pretty Good Privacy (PGP) or its free software implementation, GNU Privacy Guard, is a terrible problem for the NSA. This is one of those places where a 4096 bit key is needed, and some programs still default to only 2048. If you are not yet encrypting email, things have gotten a lot easier, which we described in Making Encrypted Mail Usable.

Whisper Systems offers SMS text message encryption software, and a year ago this was added to the CyanogenMod OS, a free and open alternative to Google’s Android, creating a potential ten million new users as people upgrade their systems. They also have a voice application, RedPhone, which gets high marks.

How You Can Help

Many of the documents released offer hints about what you can do to make the NSA’s admittedly fragile access to your communications completely impossible. Many guides will be published in the coming months as people take steps to ensure their privacy. Reading them and fostering the good practices you find is important, but here are two simple actions you can take immediately.

If you have a computer that is on 24×7, both TAILS and Whonix are distributed by torrent. If you can spare the disk space, download them both and leave your torrent client running.

If you have good bandwidth at home, configure that computer that is on 24×7 to be a Tor relay. If your home computer runs Linux, this involves installing a single package, opening a port in your firewall and uncommenting a few lines in the config file. The only hazard is that the default configuration sets your system to be not just a relay, but also an exit. Find the line that says ExitPolicy and disable it until you understand the risks. You can learn more about this by reading the tor-relays mailing list.
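The relay configuration described above boils down to a few torrc lines, and the one that matters for safety is the exit policy. The script below is an added example, not code from the article or the Tor project; it assumes a POSIX shell and treats the nickname, port and contact address as placeholders. `nonexit_torrc` prints a minimal middle-relay configuration, and `torrc_rejects_exit` checks an existing torrc so you can confirm you have not left exit traffic enabled before starting the daemon. Tor evaluates ExitPolicy entries in order with the first match winning, so the check looks at the first active entry rather than just searching for the words `reject *:*`; it also accepts `ExitRelay 0`, a newer option (not mentioned in the article) that disables exiting outright.

```shell
#!/bin/sh
# Added example, not from the article or the Tor project: emit a minimal
# non-exit relay torrc and verify that a torrc does not allow exit traffic.
# Nickname, port and contact address are placeholders.

# Print the settings the article describes: an ORPort to open in the
# firewall, a nickname, and an ExitPolicy that rejects everything so the
# relay forwards traffic inside the Tor network but never exits it.
# Usage: nonexit_torrc <nickname> <orport> >> /etc/tor/torrc  (path is an assumption)
nonexit_torrc() {
    cat <<EOF
ORPort ${2:-9001}
Nickname ${1:-relayplaceholder}
ContactInfo relay-admin@example.invalid
# Refuse all exit traffic: this relay only forwards to other relays.
ExitRelay 0
ExitPolicy reject *:*
EOF
}

# Return 0 if the torrc at $1 cannot act as an exit, 1 otherwise.
# Commented-out lines are ignored. Exit policy entries are matched in order,
# so only a first active entry of exactly "reject *:*" counts as safe; a
# torrc with no active ExitPolicy or ExitRelay line is reported as not
# verified, because Tor's built-in default would then apply.
torrc_rejects_exit() {
    if grep -Eq '^[[:space:]]*ExitRelay[[:space:]]+0[[:space:]]*$' "$1"; then
        return 0
    fi
    first=$(grep -E '^[[:space:]]*ExitPolicy[[:space:]]' "$1" | head -n 1 |
        sed -E 's/^[[:space:]]*ExitPolicy[[:space:]]+//; s/,.*//; s/[[:space:]]+/ /g; s/ $//')
    [ "$first" = "reject *:*" ]
}

# Stand-alone demonstration against a temporary file.
demo_torrc=$(mktemp)
nonexit_torrc demo-relay 9001 > "$demo_torrc"
if torrc_rejects_exit "$demo_torrc"; then
    echo "generated torrc is a non-exit relay"
else
    echo "generated torrc would allow exit traffic"
fi
rm -f "$demo_torrc"
```

Run `torrc_rejects_exit /etc/tor/torrc` (or wherever your distribution keeps the file) after editing and before enabling the service; a result of 1 means either an exit policy that still accepts some traffic or no explicit policy at all, and both deserve a second look.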

Providing storage and distribution for good tools, coupled with adding capacity to the Tor network for those who want to use them, doesn’t just benefit them: you also get a constant smoke screen of traffic that helps conceal your own activities.

Images from Shutterstock.

  • PacketWraith

    Great article! I am in computer security, and whenever we talk about getting the majority of people using encryption for mail, voice and txt people just shut down and say “Oh they can decrypt that in seconds, it doesn’t matter.” It’s nice to see someone else trying to help.
    We used Jitsi for a while and it is a good app, but didn’t want to have to set up our own server. We switched over to RokaCom. It uses ZRTP for voice and video, and GPG for messaging. We have tested it all over the world too.

    Moral of the story, don’t give up. Take your right to privacy back.

    • droopyar

      I disagree with you. ALL central servers have a backdoor. So, create your own my friend, else your communication is NOT secure

      • yep, and using DPOS and/or a mix of Open Transactions (OT) to secure the Dapp may just be the way to go these days. Decentralize everything.

  • droopyar

    OTR is crackable, I could do it. So please STOP posting nonsense on the forum.

  • Illutian Kade

    lol…you guys honestly think Snowden had complete access to all the ‘secret ingredients’ of the NSA?

    There is nothing outside of their reach. Not even your thoughts.
    …go watch TV and when a food commercial airs, see how long it takes before you start thinking about food and get hungry.

  • Jitsi – Why is COMCAST invested in Jitsi now? No no no, the REAL reason is…….