Originally posted at: Capitalistexploits.at
So says Groklaw's founder, Pamela Jones, who has decided to pull the plug on the website, citing surveillance concerns in the wake of the NSA spying revelations.
"...the simple truth is, no matter how good the motives might be for collecting and screening everything we say to one another, and no matter how "clean" we all are ourselves from the standpoint of the screeners, I don't know how to function in such an atmosphere. I don't know how to do Groklaw like this."
"...for me, the internet is over."
Depressing, but we must press on...at least the majority of us. So, today we're back with our online data and security expert "John", who has some practical advice we can all apply immediately. Consider it your weekend homework!
Mark: John, there are two elements I think of in terms of security when working on my computer. The first is ensuring that the data on my machine is kept private and secure. This might be the easiest place to start, securing the machine itself. Can you speak to that a bit, especially as it relates to hardware/software, that might form a good starting point for the average consumer.
John: The best way to start looking at securing a computer, or any device for that matter, is to look at the threats to it. You computer's data can be lost or stolen if the machine itself is stolen or if some software running on the machine leaks the data to the outside world maliciously, or simply without your permission. To prevent physical data theft, encryption technology is your best bet.
There are different encryption algorithms and different ways to encrypt your data. It would be a best practice to stick to something like AES, Twofish, Blowfish or other well known, publicly-published encryption algorithms. You don't want to try and hide data using someone's proprietary algorithm. This is commonly referred to as "security by obscurity," and it simply doesn't work. You never know what bugs are in the software, or if it's encrypting really anything at all. Stick with known standards - if they're published and still not broken, you can have much higher confidence in them.
It's also preferable to use whole disk encryption over file level encryption, but this is particularly tricky for many people. Ideally, every bit of the machine is encrypted - no open holes anywhere. However, to do this, if all of the data on the machine is encrypted - it won't know how to boot up. As a result, most people use file level encryption or encrypt most of the disk except a portion of the OS code used to boot the system and unlock the drive. This leaves some potential holes in the system. If at all possible, it's ideal to boot up from a source off of the hard drive so the entire hard disk remains encrypted. This is just not possible with Windows or Mac OSX.
While most people think about their computer being stolen, this is just the tip of the iceberg. As the revelations from Edward Snowden show, you can't trust any software you don't have some control over. Backdoors to Windows have been discovered going back to the 1990s. We've seen iOS transmit data without user approval.
Mark: Right, for all the Apple fans out there, they are NO better than Microsoft. This article will drop a turd in your corn flakes.
John: Look the fact is, you don't know what your software is doing most of the time if it's entirely proprietary. You're at the mercy of the software developer - Microsoft, Apple...whoever - and are forced to trust that entity. Recent information says this is risky. For this reason, I recommend people go to Linux - and look at something like Mint or Debian (I personally avoid Ubuntu) to get started. It's a transition to a more secure software world and Linux is used on more devices than any other operating system on the planet. There's some learning curve here, but it's not as bad as people think.
Mark: OK, so once we've secured the machine itself we need to think about connecting to the outside world. Outward communications like surfing the Web, email, VoIP (e.g. Skype), IM (chat) and even the software we use for business.
The fact is that many of us are used to, and depend on, certain products like Microsoft Word, Internet Explorer, Gmail, Skype, Dropbox, etc. To reduce this dependency is very, very difficult.
One of our readers very succinctly pointed out the following:
"The main reason I'm using these products is because they work efficiently, and when they don?t the problems are solved (mostly) quickly and effectively, without me having to become a 'mini-guru' in the process of trying to trouble-shoot them myself. And that's without even going into the problem of clients and suppliers tiring of working with you if you constantly email them with messages along the lines of, 'Sorry, Geoff, let me get back to you next week with this one, having terrible trouble with my Linux/Super-duper-private-firewall/Opensource docs-office compatibility plugins'. Eventually you're labelled as a paranoid techie with no regard for smooth business operations, and dismissed."
Those are valid points. So, firstly how do we do do this properly in regards to the programs we should and should not be using - programs that will actually WORK and be compatible with what we are used to? And in a more general sense, how does one pursue this secure privatization theme without sacrificing a substantial amount of productivity in the process?
John: Most of the funding available for software development goes to making software easier to use for people in general. Combine this with an economic incentive for companies to collect information about how you're using their software, whether to improve it or sell that data to another company, and what we see has evolved in the software space is a strong focus on making software easier to use which increases the adoption rate while selling the users down the river.
Most open source software, and particularly security-focused and/or encryption software, is designed by people with security and technical feature set as a primary focus over end user usability. The corollary is also true - most user interface designers are not focused on security. They want users to have simple, easy experience with their software. So what's evolved as a result are a large set of insecure, easy-to-use, privacy-violating software applications versus a small set of less easy-to-use, but much more secure software apps. Right now, I only see minimal effort to join the two worlds.
The big money out there targets the easy-to-use software that attracts masses of people whose data will be stolen and privacy violated by thieves, governments or both. That said, all software has gotten easier to use over time. The problem is not that things are easier to use in general, it's that usability gap between a secure version of software and it's insecure cousin is larger than we'd like to see and not closing very quickly because there's no capital investment there.
People are going to have to choose what's important to them - privacy/security or the ultimate simplistic experience. Both have a price. For the first, there's going to be a learning curve and it's going to take some time to understand how to transition to software that doesn't throw you under the bus. For the latter, you're already paying for it, but on credit. It's not real yet, but if and when you have to pay the bill - because, for example, you say something now that is going to be used against you in the future via your Gmail account - it will be too late to fix the problem.
Mark: Everyone needs to read that paragraph again!
John: It's an important point. You can alleviate some of the pain of the learning curve of making the switch if you start with the basics: email, web browsing, productivity/"office" apps. These things have nearly identical cousins to what people are familiar with on Mac or Windows platforms. Firefox runs on Linux, there's the OpenOffice suite which is Microsoft Office compatible, there's Thunderbird for email, etc, etc. These apps need some individual securing as well, but a competent IT person can secure them for the user. The difficult areas for new users are with more complex programs and learning specific technology like encrypting email with GPG.
Mark: I can attest to that. Chris and I have been mucking around with it, and while it's not rocket science, it can get tricky.
John: There's a learning curve, but in the end there are a million reasons to not make a move but only one reason to switch: if your data security and privacy are important, you don't have a choice. Period. Choosing not to move is saying you'd rather trade your privacy and security for convenience. Millions of people do that every day in all aspects of their lives, and it works until it doesn't. Then it goes bad really, really fast and nothing can be done about it. Be proactive, not reactive.
Mark: It reminds me of something Rick Rule says about investing in junior resource companies, "You can be a contrarian or you can be a victim." This is kinda the same thing!
John: I like that!
Mark: Now that we've got ourselves somewhat sorted, another question that comes to mind is by pursuing data and internet privacy, doesn't one necessarily stop flying "under the radar" and become exposed to the Surveillance State even more? It's not realistic that every person who uses mainstream technology can be "actively" monitored (yet). Sure, the information is there and available, but the machines or manpower required to review and analyse it cannot possibly be invested in each and every communication. Just like us, "Big Brother" has to allocate his limited resources. So, wouldn't actively pursuing these avenues draw attention to those who were most likely effectively "invisible" until that point?
John: There's some validity to this. As we've recently seen, the "plan" from the Surveillance State is apparently to hold your data for 5 years - maybe that changes to "forever" - in the hopes that technology will advance and they will be able to decrypt all of the intercepted data. Even when this is possible, it's going to chew up even more resources. So point number one: why make it easy on them? Let them spend all of their cycles decrypting everything. Send your grandmother a "happy 80th!" birthday email and encrypt it. Make them work, it's YOUR tax dollars after all!
Secondly, if you start by securing your communications with a VPN, then much is alleviated. Millions of people use VPNs every day for connecting to their offices. That's a lot of encrypted traffic. It's not as if you're the only person out there doing it. So in reality, it's not as obvious as you may think. You connect to you bank account over an HTTPS connection, your email with a TLS connection, etc. Only after they've "punched through" the encrypted tunnel will they have any idea what data you were transmitting. These are more and more common types of connections, so they don't generate suspicion.
The area where you probably stick out the most today is if you're using something like a Gmail, Yahoo or Hotmail account and you're sending GPG encrypted email. For God's sake, stop buying an email account paid for in spying, privacy breaches, and Surveillance State back doors. Pay for one in cash. Email is very important these days. You wouldn't send a letter through snail mail without an envelope, but hundreds of millions of people send email without any protection at all every day. Buy an account from a trusted service or run your own domain on a trusted machine and encrypt your mail there - it will be much less obvious.
Finally, stop using software like Facebook, Foursquare, Google+, Twitter (perhaps less insidious than the prior apps) and other apps where you voluntarily create a profile about yourself. People do things in the electronic world they'd never do in the real world. They don't equate that it's the same problem...
Mark: Those are great points. I am really most concerned with the 20-somethings who for some reason think we just don't "get it". I have to laugh at their ignorance.
Final question is for the road warriors amongst our readers. It is now increasingly likely that simply crossing a border, especially into the US, could subject you to having your laptop inspected and the data copied from it by TSA goons.
Look at what just happened to Guardian journalist Glenn Greenwald's partner. How do you protect your privacy in this instance?
John: You're spot on. It is a war. This will not end well.
There is a solution for this. Of course, if equipment is confiscated you have a more complex problem, but there are still ways around that. I prefer not to go into this specifically in a forum like this.
Suffice it to say this is all going to end very badly, especially for people that don't educate themselves and are proactive in their defense. Some would argue this is paranoia. Unfortunately, it's becoming common sense. The non-paranoid will be shut up soon enough.
Mark: A good guide for travelers can be found on the Electronic Frontier Foundation website.
Thanks John, it's been an informative conversation!
John: You're welcome, glad to be of assistance.
John has agreed to put together some notes on best practices for online and data security. It's a short, no-nonsense practical guide to the services and software you'll need to stay safe out there. He'll recommend some specific services, and he'll give you some more information on how best to use those services. It will include a section on hardware as well, which should prove very useful for international travelers.
To get a copy of the guide, once it's ready, click over to this link.
And for your weekend humour, enjoy this video.
"Freedom is the will to be responsible for ourselves." -Nietzsche