Friday, August 23, 2013

You likely can't protect your privacy from the NSA

I've been thinking for a couple weeks now about how you can protect your privacy.  I haven't posted, because everything I've come up with is pretty unconvincing.  This sums it up pretty well:
The publicly available tools for making yourself anonymous and free from surveillance are woefully ineffective when faced with a nationstate adversary. We don’t even know how flawed our mental model is, let alone what our counter-surveillance actions actually achieve. As an example, the Tor network has only 3000 nodes, of which 1000 are exit nodes. Over a 24hr time period a connection will use approximately 10% of those exit nodes (under the default settings). If I were a gambling man, I’d wager money that there are at least 100 malicious Tor exit nodes doing passive monitoring. A nation state could double the number of Tor exit nodes for less than the cost of a smart bomb. A nation state can compromise enough ISPs to have monitoring capability over the majority of Tor entrance and exit nodes.

Other solutions are just as fragile, if not more so.

Basically, all I am trying to say is that the surveillance capability of the adversary (if you pick a nationstate for an adversary) exceeds the evasion capability of the existing public tools. And we don’t even know what we should be doing to evade their surveillance.
Pretty pessimistic, but this sounds right.  His conclusion really gets to the heart of what you're facing:
Practicing effective counterintelligence on the internet is an extremely difficult process and requires planning, evaluating options, capital investment in hardware, and a clear goal in mind. If you just want to “stay anonymous from the NSA”, or whomever… good luck with that. My advice? Pick different adversaries.
This ends today's lesson in positive thinking.


Alan said...

I think some level of privacy is still possible if you don't use a 3rd party for anything. Obviously SOME sigint will leak though because you have an IP address but there are ways of communicating that can be done even if you KNOW someone is listening.

Prisoners do it all the time.

R.K. Brumbelow said...

Prisoners get away with it because prison guards are often of the mentality: "they don't pay me enough to care"

The NSA cares, and has the ability to go back and look at/ listen to conversations, sounds, scratch marks from years ago till now.

The only way to maintain privacy is to not use any networked electronics. That would mean no credit cards, no phone, no cable tv, no internet. Likely it would also mean not driving as scanning license plates is quickly becoming ubiquitous and while facial recognition is nowhere close to "Las Vegas" (the mid 2ks TV show) or Procedural crime drama would like to let us think, I suspect we are less than a decade away from real time facial scanning with database lookups. Example Makerbot recently released open sourced 3d scanning information. If they added a 2nd camera...

Years ago I worked in IT security and even then we were deploying active systems for 'defense'. Today such systems are grey at best, but nothing stops the TLAs from acting black let alone grey. Customers would ask how to completely harden their systems from hackers. My reply was all it takes is a hammer (for the drives), microwave (for media) and scissors (for the network connection) [and that is likely the only way]

The only practical methods for avoiding the TLAs is to erase yourself (basically impossible) or lay down false tracks. I had one more thought, but I will not record it as it might be useful one day.