D&C GLug - Home Page

[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] OT surveillance

 

On 26/06/13 05:30, Kai Hendry wrote:
> After seeing http://www.bbc.co.uk/news/magazine-23049737 with GCHQ's
> Cornwall outpost I was wondering what other DCLUG members thought
> about the revelations that pretty much all our activites on the
> Internet are watched without due process.
>
> Are we comfortable with that?
>
> Seems like most people have gone into resigned acceptance mode (or
> they knew it all along) instead of writing to your MP mode and try to
> curtail it.
>

Well, there have certainly been a lot of responses to this.

I presume you can all guess my position on this: one of reluctant but
nonetheless correct "I told you so". I've worked under the assumption
for years that this is the case, and that you'd be a hopeless naif if
you didn't also operate under the full recognition that in the 21st
century we live in a surveillance society. So I won't pontificate,
speculate or crow at all, just offer up some practical advice from the
coal face, as it were.

Firstly, I'm going to presume that you are merely privacy minded, or an
activist or just plain cautious because you've always been more worried
about lower level threats like ID theft or computer compromise than
being spirited away by shadowy governmental organisations. I seriously
doubt that anyone here is actually a terrorist, a wanted human rights
activist, a potential Snowden-esque whistleblower or an otherwise
genuine target of the three/four letter agencies, rightly or wrongly.
Because if you are, you are probably screwed and should be getting your
computer security advice from a source much stronger than a random
poster on a public mailing list.

1: Privacy is effectively dead online, get over it. The genie will NOT
go back in the bottle.
2: SSL is a red herring - the relevant agencies already have all CA keys
through escrow or can force disclosure at will.
3: Privately issued (ironically, "untrusted") self-signed certs are much
more secure.
4: Basic avoidance tricks won't work - they are drinking raw data from
the firehose via fibre taps, as said above.
5: They can probably "black box" entire internet regions by now,
compromising Tor or other privacy network endpoints.
6: All cloud services, public email servers and company held data on you
is fair game to the spooks.
7: Same for your phone - it has zero privacy on it all. Your provider
coughs up all data willingly.
8: Your phone can have it's cameras, mics and contents accessed at will
remotely 24/7.
9: Your computer is better off, as long as it doesn't run a commercial
OS (Windows + Mac particularly).
10: Your computer can be hacked at will, unless you have god-like skillz
(I don't consider myself at this level).
11: Writing letters to your MP... are you fucking kidding me? There is
NOTHING you can do about this, ever.
12: Reflash your router: your ISP control it otherwise and can reflash
it at will or allow remote access.

The only positive thing I can offer is that as yet, there is no
mathematical way to defeat strong crypto, correctly applied. For any
true privacy, you need to set up a web of trust with the people
important to you. Exchange keys in person or through a side-channel and
only ever send signed+encrypted text/attachments. This also works for
data exchange - even a public service like dropbox or a free FTP drop
site can be used, as long as you GPG the material you're exchanging
first. Don't trust any external CA or issuer of any kind (practically,
during the day when I'm surfing the internet, I ignore this rule
routinely but I mean for the *important* stuff - random and legitimate
surfing isn't a problem). I only fully trust the SSH, SSL and private
crypto keys I generate, maintain and distribute for my own private
business.

Also, I'm 100% sure that when Neil Stone said "If you have nothing to
hide, why worry?" he was being sarcastic, which some of you seem to have
missed somehow.

Trust me, this is going to get a whole lot worse as well, before if it
gets better: if it ever does. I would suggest this huge mess has been
here since the earliest days of communication, and has only ever got
stronger. If you have even the slightest sense of trust or respect for
your government to do the right thing, please leave the table and let
the adults speak. Perhaps you could read some history and learn why you
are wrong.

So, pessimistic words of course. The good news is that you can make
yourself such a damn hard target, that if for some unlikely reason the
spooks do genuinely get an interest in you they'll have to do it the old
fashioned way. In my case, they'd probably have to get a rubber-stamped
warrant, stake out the house and wait for us to be out, then let
themselves in and plant physical keyloggers in all my keyboards to snoop
my login passwords. Which they could of course do, but it will still be
gratifying that they can't just unaccountably flick a switch in a
control centre somewhere and immediately trawl through the last 15 years
of my life in complete detail. It is utterly unrealistic to expect even
a tiny fraction of the population to share my skill set, paranoia or
willingness to put up with inconvenience for enhanced security but as I
have had cause to point out to dismayed friends recently, I'm too hard a
target for the general driftnet. If a considerably larger percentage of
the population could follow me at least half way there, this would
largely be a non-event because even the global spying machine we have
now would choke and die if 25% of us were using fully patched OpenBSD
routers/VPNs and strong crypto on everything. And it's not hard: I setup
and taught my retired parents how to use the Enigmail plugin for
Thunderbird years ago and haven't had an unencrypted email from them since.

On a final note I'll be meeting up with an old friend over the weekend
for an interesting chat: he was an engineer here in Devon for Nortel for
years up until they closed shop. He worked specifically on fibre comms,
particularly the DWDM kit that they sold off when they went down. This
is the gear that they hook up to each end of major backhaul pipes and
then set up the equivalent of a port mirror on: this is the device that
the spooks tap into for the raw flow. It's not like he's going to be
giving me any major insights into the technical aspects or anything,
just a strange coincidence of timing that we happen to be meeting.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq