Unless you’ve been living under a rock, you’ll know by now that government agencies around the world are watching everything you do online, collecting this data and using it for various undisclosed purposes. Even before then, we knew that various private companies were harvesting data on us, and we could only hope that the worst they wanted to do was sell us things.

To say I wasn’t comfortable with this arrangement was something of an understatement.

So, I used all this as a spur to get my data out of NSA/Big Corporate controlled systems and onto FOSS based platforms that I own and control.

Starting Point

I was somewhat fortunate in regards my starting point. I had never bought into gmail, so my email accounts are hosted by a private mail server, to which I connect over an encrypted link. My main server, which hosts, among other things this website, is run of a private server in Germany.

My main computers at home are Linux based, and I already make extensive use of encryption; I use DNSCrypt to secure my DNS lookups from prying eyes, have HTTPS Everywhere and Adblock Plus installed on every browser, and secure sites with HTTPS (made considerably more affordable by StartSSL’s provision of free SSL certificates), and private code is hosted on my gitolite (nee gitosis) install rather than Github.

However, I still made use of services like Dropbox and Google drive, talked on Google chat, and use Google analytics for tracking.

The low hanging fruit…

The first thing I did was to grab and install a whole bunch of free certificates from StartSSL to remove the browser warnings from a bunch of the non-user facing sites that I run. This was important since the browser warning encouraged people to click through errors, and since the site always generated an error (even thought the site was being encrypted) it would be very vulnerable to MITM attacks.

Once this was accomplished I installed ownCloud, with the client software configured to talk only to the HTTPS endpoints. This was painless, and basically just a matter of downloading and installing the server software on a subdomain for it (the latter isn’t strictly necessary, but I like having things separate like that). The ownCloud client works exactly like the dropbox one, and is available for Linux, OSX, Windows (and a paid for one for iOS – presumably to drum up some money for the project – but it’s only a few pence).

Next, I started moving my sites away from Google Analytics. The open source world has moved a long way since I last looked at this, and Piwik, the best of breed, is very performant. Again, it was just a matter of installing the software on my server and then changing the embed code on the various sites. WordPress has a very functional plugin that integrates nicely with most themes.

The last easy thing I did was to change my browser’s default search engine from google to Startpage. The reason I picked Startpage over DuckDuckGo (which is the other main alternative) is twofold, firstly, the engine piggybacks off of google (but with identifiers removed), and despite while Google profile you for the NSA they still built a damn good search engine. Second, as a US company based in Pensilvania, DDG falls squarely under the sinister shadow of the US Patriot act and FISA, so, regardless of what they do now, they could still be forced to start spying.

Next, the harder stuff…

Update: while at the time of writing the, events in the pressure cooker article, linked above, were believed to be the result of active surveillance on the part of google, it now turns out to have been the result of an employee tipoff. Nevertheless, it seems nightly unlikely that this honeypot of profiling data isn’t being actively monitored, given how much other stuff is, although at the moment we have no evidence. This is one of the things that makes the Snowden revelations so frustrating.

surveillance-cameras-400 The NSA/GCHQ spying scandal is far reaching in both scope and the damage it has done to our liberal democracies. It is primarily a political problem, as well as being an IT security issue.

It is also, and this gives me some hope that we can beat this thing, an economic problem.

One important thing that the recently leaked black budget tells us, is what the government considers to be a reasonable price tag for the mass surveillance of every man, woman and child on the planet.

$250 million dollars per year (British figure not known at time of writing, but likely to be in a similar ballpark), is not a particularly large amount of money, and is a figure based on a number of storage and processing assumptions.

Much of the internet traffic is unencrypted and so can be processed live, the contents not stored. Encrypted traffic carries an extra processing and storage overhead; encrypted messages are kept until they can be broken, and processing resources spent trying to break them. Even if some of the algorithms used have been deliberately weakened, there is still a significant number of messages they can’t break.

The $250m/y budget is calculated based on estimates based on these assumptions.

Raising the cost of doing business

What does all this mean?

Well, what this means is that we, the citizens, have a very real way of changing the economics of mass surveillance programs like PRISM and TEMPORA, and significantly increase the price tag. Hopefully, to a level where it becomes politically and economically impractical to run them.

These programs are budgeted and resourced based on the assumption that relatively few people use hard encryption (HTTPS having been compromised), so if there was a marked increase the level of encrypted traffic going over the network, it follows that there would need to be a corresponding increase in resource expenditure in order to maintain the same level of capability. To a point, hopefully, where they are unable to keep up.

Every time you use encryption you help increase the cost of the program, and provide herd protection to your fellow citizen. Even if that encryption has been deliberately weakened, there is still a net gain for the good guys, since some processing resources will still be spent.

Additionally, since they feed data collected through various pattern analysis algorithms (in order to better profile us and to optimise resource allocation), if a significant portion of the dataset were to become unavailable, we can dramatically screw around with the baseline calculations, which may act like a force multiplier.

What I’d like to see

We need to dramatically increase the amount of encrypted traffic on the internet at large (remember, it seems that the security services have been compromising the implementations of algorithms, and sometimes the hardware and RNGs they depend on, not the algorithms themselves. Backdoors will be fixed – in free software implementations at least – and compromised hardware replaced or worked around).

I would like to see everybody making a pledge that everything they send over the internet will be encrypted. As technologist we need to take the lead on this; we have the moral duty to help protect our users, which means designing systems and networks so that they are resilient to subversion and surveillance, and to help people without technical knowledge protect themselves (friends don’t let friends use cleartext, as I’ve discussed before).

Remember, every time you send an encrypted message, you – in a small way – help protect everyone else on the planet.

GCHQoogle: so much for "Don't be evil"Another day, another set of terrifying revelations about how we’re all being spied on.

So, what have we learnt from this?

Bruce Schneier has a nice summary, but in short, from what I understand, the situation is as follows:

Firstly, the bad news is that if the NSA or GCHQ want in, there is very little you can do. They simply have far too many resources; they have lists of exploitable vulnerabilities for every network connected device you own, have techniques to break into your wifi, own the root SSL certificates so they can hijack your HTTPS session, can reconstruct the electromagnetic emissions from your monitor into a picture, can root kit your mac, windows PC, games console and turn any mobile phone into a bug… and if all of that fails, they can just kick your door down.

The point is that these are all resource intensive things to do and don’t scale very well, plus there is a much higher chance of discovery. This is why they’ve concentrated on communication interception as a primary attack vector.

Some good news is that it looks very much like the actual encryption algorithms themselves – with a few possible exceptions – haven’t been broken (yet). Instead, as many of us who have been watching this unfold have suspect, they’ve been concentrating on weaknesses in the implementation of these algorithms; exploiting existing bugs (which have often been reported to them by industry partners or spies), or by deliberately creating bugs in implementations, or by circumventing the encryption altogether and getting access to the companies that hold the data on our behalf.

The fact that good crypto is probably still good is little consolation since, because of the engineered vulnerabilities, the cryptographic technologies that protects our privacy, medical and banking records, and the systems that run our entire economy, have still been compromised. Presumably this is what Theresa May meant when they said they could “Handle HTTPS”.

Even if you believe that the security services are brave noble and true defenders of our liberty, it is the height of naiveté to believe that a security hole will only be exploited by us but not them. It is only a matter of time before some other power, or even just plain ordinary crackers, exploit the same security holes to steal your identity or the contents of your bank account.

What can be done

The latest leaked documents do offer a glimmer of hope; by their own admission, the techniques they are deploying are massively vulnerable to disruption (so much so that it seems employees at GCHQ are under strict orders to not even speculate about how information is obtained). It seems that countermeasures, if adopted by the population at large, could very well be effective.

The first thing to do is get political; write to your MP, join the EFF and ORG etc. The security services have gone rogue, but that is a political problem which needs a political solution.

However, in the same way that while we have laws against burglary we still lock the door, we need to change up the way we conduct business on the internet.

This and earlier leaks have made abundantly clear that we absolutely can not trust cloud services, proprietary software products or software that communicates using closed proprietary protocols. Windows, OSX, Skype, Facetime, GMail, Facebook, etc, have all been compromised to some extent or another. Strongly consider moving over to Free software alternatives for your software, since the peer review process inherent in the development process makes them a much harder target to compromise.

Perform regular security audits; keep up to date with patches, and adopt a multi-layered approach to security that mixes protecting your electronic borders with detecting breaches when they occur. Do not rely on proprietary antivirus software to protect you, they’ve been compromised.

Remember, if they really want you, they can have you, so fundamentally the technical countermeasures we adopt should be focussed on changing the economics of mass surveillance. If significant portions of the population stopped using cloud services like Gmail and Google docs, and moved towards a self hosted solution, there would be no tempting large cache of data that could be sucked up. If everyone made more extensive use of strong crypto (and really, there is NO excuse to still be sending things cleartext), then we dramatically increase the effort required to surveil the population at large.

If we can deny them these cheap attack vectors, then we force them to use the much more expensive vectors mentioned above which, crucially, do not scale to the population at large. We don’t remove the ability of the security services to monitor the handful of genuine bad guys out there, but we prevent the possibility of any fishing expeditions, and crucially we stop some future government using mass surveillance via the internet as a tool of oppression.