In his keynote talk at the 30th Chaos Communications Congress (30C3) conference last month to an audience that consisted to a large extent of computer professionals and systems administrators, Glenn Greenwald talked about how the US government’s spying apparatus can, must, and will be foiled.
He said that it is important to be clear about the form the answer takes to the question of whether the spying apparatus of the governments of the US and UK and the others in the so-called “Five Eyes” club will be countered.
Typically, when people think the answer to that question is yes, the thing that they cite most commonly is probably the least significant, which is that there’s going to be some kind of debate, and our representatives in democratic government are going to respond to our debate, and they’re going to impose limits with legislative reform.
None of that is likely to happen. The US government and its allies are not going to voluntarily restrict their own surveillance powers in any meaningful way. In fact, the tactic of the US government that we see over and over, that we’ve seen historically, is to do the very opposite, which is that when they get caught doing something that brings them disrepute and causes scandal and concern, they’re very adept at pretending to reform themselves through symbolic gestures, while at the same time, doing very little other than placating citizen anger and often increasing their own powers that created the scandal in the first place.
He pointed to all the so-called reforms of the past, including the latest one advocated by the advisory panel convened by president Obama, as examples of this kind of subterfuge. He says that the future lies elsewhere.
It’s much more possible that other countries around the world who are truly indignant about the breaches of their privacy security will band together and create alternatives, either in terms of infrastructure, or legal regimes that will prevent the United States from exercising hegemony over the Internet or make the cost of doing so far too high. I think, even more promising is the fact that large private corporations, Internet companies and others will start finally paying a price for their collaboration with this spying regime.
We’ve seen that already, when they’ve been dragged into the light, and finally now are forced to account for what it is that they’re doing, and to realize that their economic interests are imperiled by the spying system, exercising their unparalleled power to demand that it be reined in. I think that all of those things are very possible as serious constraints on the surveillance state.
But I ultimately think that where the greatest hope lies is with the people in this room and the skills that all of you possess. The privacy technologies that have already been developed: the Tor Browser, PGP, OTR, and a variety of other products are making real inroads in preventing the US government and its allies from invading the sanctity of our communications.
None of them is perfect. None of them is invulnerable, but they all pose a serious obstacle to the US government’s ability to continue to destroy our privacy. And ultimately, the battle over Internet freedom, the question of whether or not the Internet will really be this tool of liberation and democratization and whether it’ll become the worst tool of human oppression in all of human history will be fought out, I think, primarily, on the technological battlefield.
The NSA and the US government certainly knows that. That’s why Keith Alexander gets dressed up in his little costumes, his dad jeans and his edgy black shirt and goes to hacker conferences.
We have seen that the NSA and GCHQ, while undoubtedly having the means to buy the most sophisticated equipment and hire large numbers of highly skilled people, cannot really defeat good encryption methods. For example, even though they seized David Miranda’s computer and thumb drives, the material was so heavily encrypted that they have not yet been able to access it even though you can be sure they have thrown everything at it because their ignorance of the extent of how much Edward Snowden took makes them vulnerable to being blindsided. In fact, as Greenwald repeatedly points out in interviews, he and his colleagues have proven themselves to be more secure in their handling of sensitive information than the US and UK governments.
Much of the success of the governments has been due to cheating rather than cleverness, by getting the NIST to weaken encryption standards, by colluding with internet companies to install backdoor access points to people’s communications systems, and exploiting weakness in transmission lines.
These weaknesses can be overcome if the big telecommunications companies make a concerted effort to do so and this is where the action is going to be in the coming years, with private companies in the US and UK being torn between their willingness to be agents of the governments in exchange for favors while dreading the wrath of their customers.
But it also requires all of us to start encrypting our computers and communications. One thing that I hope will happen is the increased availability, usability, and ubiquity of highly advanced, yet easy-to-use, encryption systems.
I personally feel embarrassed that for all my yelling about government spying, I do not encrypt my computer or communications. The reason is frankly ignorance of how to do it and what are the best and most convenient ways to do so. I know this weighs heavily on my mind because a few nights ago I dreamed that my laptop was stolen and in my dream I said to myself, “Damn! I wish I had encrypted the hard drive.”
Any suggestions from the savvy readers of this blog? If people can point me to a good tutorial on this topic, that would be greatly appreciated.
lanir says
These are some howto’s I used for my android phone. Sorry it’s not for a computer but it’s somewhat topical.
First, choose how you want to do this. You can encrypt the phone by skipping to step 3. If you also want to have Orbot give you a seamless Tor proxy then you also need to root it by following steps 1 and 2. Orbot can work without this but you will find it much simpler to use some programs when it’s not on (firefox, chrome, hangouts) and others that integrate with it specifically (orweb, chatsecure). If you go the separate apps route, only the apps you specifically setup to use Orbot will do so, even when it’s on. Other apps will ignore it and take the normal path from your phone out ot the internet.
1. If you want your Orbot to seamlessly proxy (read above!), first unlock the bootloader. This lets you flash a new image to the drive. As a security precaution it also wipes the drive, which is why I took this step first. The Google Play store remembers what apps you grabbed but it’s best to assume any data or files on the phone will be gone. This includes some settings so it’s safest to assume all settings will be wiped as well.
The write-ups I used are for a Nexus 5. I don’t think there’s any difference for any other android phone in the first step.
Unlock bootloader:
http://www.droid-life.com/2013/11/04/how-to-unlock-the-nexus-5-bootloader/
2. I also rooted my phone. There are a number of apps that do this and those are probably your best bet. I went the manual route below. THIS STEP IS OPTIONAL BUT VERY USEFUL -- if you root the phone you can later tell Orbot to seamlessly send all network data over the Tor network. If you don’t root the phone you can still use Orweb and the Tor network, but need to either use separate programs that only work when Orbot is connected or manually shuffle proxies in each program (if they even have a proxy setting).
Again, I recommend an app. In either case, THIS STEP IS HARDWARE SPECIFIC. You need the right app or image for your model of phone.
Manually root phone:
http://www.droid-life.com/2013/11/04/how-to-root-the-nexus-5/
3. Once you have this going, you can encrypt the phone. You will need to do the following process from the Settings app:
Settings --> scroll down and select Security --> select Screen lock --> choose either PIN, Password or Face unlock (I recommend PIN as you’ll be entering this a lot) --> setup your chosen screen lock --> go back to Settings and scroll down to Security --> Encrypt phone --> enable encryption
The last step will take some time. I would recommend restoring any files after you encrypt, it will probably make the process go faster.
It’s always good to have a way to back out of any procedure like this. The way to do that is to flash a factory image. This step, like rooting the phone, is very specific to your model of phone. You’ll need to get an image from the manufacturer if one is available.
flash factory image:
http://www.droid-life.com/2013/11/05/how-to-flash-nexus-5-factory-images/
ludicrous says
“One thing that I hope will happen is the increased availability, usability, and ubiquity of highly advanced, yet easy-to-use, encryption systems. ”
Me too!!
wtfwhateverd00d says
Well, you should encrypt your devices and communications, and you should stand up against forces that want to make every communication traceable and want laws and police actions against every communication they dislike and that practice and defend the outing of others for nothing more than speech, or that demand others be fired for their speech practices.
As to your lack of knowledge how to encrypt your devices and communications, get to work, and make that the subject of your talk.
Jörg says
Hi Mano,
one big problem is that you are running a closed-source operating system (Mac OS X) from an US-American company that because of its importance very likely has some employees that are also payed by that three-letter government agency you want to avoid
I suggest that you seek out Linux aficionados at CWRU or in your area and ask them to show you some user-friendly Linux distribution and have it installed in a virtual environment on your Mac for a test-run.
Here is an article on how to do this with Ubuntu:
http://www.tuaw.com/2013/09/06/running-linux-on-your-mac-2013-edition/
I personally prefer openSUSE Linux with KDE as GUI, but your taste may vary. The major Linux distributions come with easily installable encryption systems.
GeekGirl says
If you’re using a Mac:
http://support.apple.com/kb/HT4790
Mano Singham says
Thanks GeekGirl,
I was wondering about backups. I use Time Machine backups to an external hard disk. I assume that it is the encrypted material that will then get backed up.
If I encrypt my hard disk and later suffer a total hard drive crash, do you know if I can retrieve the backups onto a new machine and then recover the encrypted files?
GeekGirl says
The entire disk is encrypted, not individual files. The Time Machine disk will be unencrypted unless you encrypt it, too. If you didn’t encrypt the Time Machine disk when you first set it up, you can still turn on encryption by doing this:
1. In the Finder, control-click or right-click on the disk
2. Select “Encrypt …”
If you tell it to save the disk password in your keychain, you won’t have to enter it every time you log in. Your keychain is protected via encryption too, using your login password.
To recover from a total system crash you can use the Time Machine backup as usual, but you’ll need to supply the encryption password for the Time Machine disk at that time.
Mano Singham says
Thanks so much!