[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 26/06/13 05:30, Kai Hendry wrote: > After seeing http://www.bbc.co.uk/news/magazine-23049737 with GCHQ's > Cornwall outpost I was wondering what other DCLUG members thought > about the revelations that pretty much all our activites on the > Internet are watched without due process. > > Are we comfortable with that? > > Seems like most people have gone into resigned acceptance mode (or > they knew it all along) instead of writing to your MP mode and try to > curtail it. > Well, there have certainly been a lot of responses to this. I presume you can all guess my position on this: one of reluctant but nonetheless correct "I told you so". I've worked under the assumption for years that this is the case, and that you'd be a hopeless naif if you didn't also operate under the full recognition that in the 21st century we live in a surveillance society. So I won't pontificate, speculate or crow at all, just offer up some practical advice from the coal face, as it were. Firstly, I'm going to presume that you are merely privacy minded, or an activist or just plain cautious because you've always been more worried about lower level threats like ID theft or computer compromise than being spirited away by shadowy governmental organisations. I seriously doubt that anyone here is actually a terrorist, a wanted human rights activist, a potential Snowden-esque whistleblower or an otherwise genuine target of the three/four letter agencies, rightly or wrongly. Because if you are, you are probably screwed and should be getting your computer security advice from a source much stronger than a random poster on a public mailing list. 1: Privacy is effectively dead online, get over it. The genie will NOT go back in the bottle. 2: SSL is a red herring - the relevant agencies already have all CA keys through escrow or can force disclosure at will. 3: Privately issued (ironically, "untrusted") self-signed certs are much more secure. 4: Basic avoidance tricks won't work - they are drinking raw data from the firehose via fibre taps, as said above. 5: They can probably "black box" entire internet regions by now, compromising Tor or other privacy network endpoints. 6: All cloud services, public email servers and company held data on you is fair game to the spooks. 7: Same for your phone - it has zero privacy on it all. Your provider coughs up all data willingly. 8: Your phone can have it's cameras, mics and contents accessed at will remotely 24/7. 9: Your computer is better off, as long as it doesn't run a commercial OS (Windows + Mac particularly). 10: Your computer can be hacked at will, unless you have god-like skillz (I don't consider myself at this level). 11: Writing letters to your MP... are you fucking kidding me? There is NOTHING you can do about this, ever. 12: Reflash your router: your ISP control it otherwise and can reflash it at will or allow remote access. The only positive thing I can offer is that as yet, there is no mathematical way to defeat strong crypto, correctly applied. For any true privacy, you need to set up a web of trust with the people important to you. Exchange keys in person or through a side-channel and only ever send signed+encrypted text/attachments. This also works for data exchange - even a public service like dropbox or a free FTP drop site can be used, as long as you GPG the material you're exchanging first. Don't trust any external CA or issuer of any kind (practically, during the day when I'm surfing the internet, I ignore this rule routinely but I mean for the *important* stuff - random and legitimate surfing isn't a problem). I only fully trust the SSH, SSL and private crypto keys I generate, maintain and distribute for my own private business. Also, I'm 100% sure that when Neil Stone said "If you have nothing to hide, why worry?" he was being sarcastic, which some of you seem to have missed somehow. Trust me, this is going to get a whole lot worse as well, before if it gets better: if it ever does. I would suggest this huge mess has been here since the earliest days of communication, and has only ever got stronger. If you have even the slightest sense of trust or respect for your government to do the right thing, please leave the table and let the adults speak. Perhaps you could read some history and learn why you are wrong. So, pessimistic words of course. The good news is that you can make yourself such a damn hard target, that if for some unlikely reason the spooks do genuinely get an interest in you they'll have to do it the old fashioned way. In my case, they'd probably have to get a rubber-stamped warrant, stake out the house and wait for us to be out, then let themselves in and plant physical keyloggers in all my keyboards to snoop my login passwords. Which they could of course do, but it will still be gratifying that they can't just unaccountably flick a switch in a control centre somewhere and immediately trawl through the last 15 years of my life in complete detail. It is utterly unrealistic to expect even a tiny fraction of the population to share my skill set, paranoia or willingness to put up with inconvenience for enhanced security but as I have had cause to point out to dismayed friends recently, I'm too hard a target for the general driftnet. If a considerably larger percentage of the population could follow me at least half way there, this would largely be a non-event because even the global spying machine we have now would choke and die if 25% of us were using fully patched OpenBSD routers/VPNs and strong crypto on everything. And it's not hard: I setup and taught my retired parents how to use the Enigmail plugin for Thunderbird years ago and haven't had an unencrypted email from them since. On a final note I'll be meeting up with an old friend over the weekend for an interesting chat: he was an engineer here in Devon for Nortel for years up until they closed shop. He worked specifically on fibre comms, particularly the DWDM kit that they sold off when they went down. This is the gear that they hook up to each end of major backhaul pipes and then set up the equivalent of a port mirror on: this is the device that the spooks tap into for the raw flow. It's not like he's going to be giving me any major insights into the technical aspects or anything, just a strange coincidence of timing that we happen to be meeting. Regards -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq