I'm from the NSA, and I'm here to help you,

Story: NSA Hacker Chief Explains How to Keep Him Out of Your System
Total Replies: 21
seatex

Jan 30, 2016
5:32 PM EDT
Oh, this is rich. The NSA's Chief of Hacking telling us how to protect ourselves from him.

gus3

Jan 31, 2016
3:24 PM EDT
A picture's worth a thousand words. And that one says it all.
gus3

Jan 31, 2016
5:44 PM EDT
Yesterday upon the stair / I saw a man who wasn't there / He wasn't there again today / I think he's from the NSA.
dotmatrix

Feb 01, 2016
10:37 AM EDT
The advice given isn't bad. It's not very specific, but it's not bad advice.

I know this is going to be somewhat controversial... However, I don't think the NSA is 'out-to-get-you' or is 'evil'.

The NSA does what the NSA is committed to doing, trying to gather information about the security of the USA and how secrets are stored, transmitted, and disseminated. While I certainly don't like the idea of an organization gathering and storing and trying to 'know' everything about me, it's really not the organization's fault -- so to speak.

It's really up to the citizens to protect themselves. It's hard to feel sorry for people who complain about email non-privacy when those same people are using gmail and aren't willing to invest a few minutes of the day to create a PGP key or pay $60/year for an S/MIME cert. It may be that people just don't know about methods to protect themselves from overtly revealing their digital selves... However, if someone is posting on twitter or facebook or google+ about how it's terrible that the NSA is 'tracking them everywhere', I just simply ignore those contradictory pleas.

I have several friends in the computer security business. I run my own email servers and have PGP keys posted. Not a single one of my computer security expert friends [CISOs included] cares enough about privacy to use PGP or even post a key. And certainly no one else cares enough to run an email server. So, I don't feel sorry for these friends of mine. They have deep knowledge of the security systems, but refuse to use it for themselves.

And so, the NSA will continue to sweep up all of their clear-text data, and they will continue to not use the technology that has been around for the last 20 years because: ... They have nothing to hide. But the NSA should just stop collecting data because the NSA should just stop collecting data.

The NSA is not your friend, but they have a job to do and they are going to do that job whether anyone else likes it or not. It's up to the rest of us -- who have nothing to hide -- to implement self-protections which are and have been available for a long time.
jdixon

Feb 02, 2016
12:26 AM EDT
> While I certainly don't like the idea of an organization gathering and storing and trying to 'know' everything about me, it's really not the organization's fault -- so to speak.

No, it's the fault of the politicians we elect, who listen to people like the current head of the NSA rather than to the people who elect them.
cybertao

Feb 02, 2016
3:06 AM EDT
If politicians in the USA were elected on a platform of neutering cyber-warfare and information gathering organisations (and followed through) would citizens and companies in the USA be any safer? I think not. And the same for any other country with similar circumstances. As someone outside the US there's a chance my data and activity is logged by the NSA...and Australia, China, the UK, Russia, etc.

This isn't a game where you can win by not playing.
jdixon

Feb 02, 2016
7:40 AM EDT
> If politicians in the USA were elected on a platform of neutering cyber-warfare and information gathering organisations (and followed through) would citizens and companies in the USA be any safer?

The default constitutional position is that the NSA should not exist. Nothing in the constitution authorizes it, and things like unreasonable search and seizure argue against it. It's up to those arguing for the NSA to demonstrate that it makes us safer, not the other way around.
dotmatrix

Feb 02, 2016
10:04 AM EDT
>Nothing in the constitution authorizes it

The NSA is a military organization that arose out of the ashes of World War I... The authorization for its creation is the same as for any other military organization.

>and thing s like unreasonable search and seizure argue against it.

It's debatable whether or not information that passes through the Internet constitutes a conversation in a public space.

***

I'm as uncomfortable as anyone with the idea of governments or corporations sweeping up and analyzing everyone's data. However, the current legal framework is, at the very least, grey. The funny part is... you can use encryption to prevent prying eyes, however your encrypted data will be stored longer than the unencrypted data... waiting around until the speed of computing catches up with the encryption used at the time.

I'm still hoping for widely used DNSSEC along with widely available sshfp record types in registrars and DNS providers... along with a new CA structure which allows any domain/IP to be a 'trusted' CA -- if that domain/IP is listed in a DNS record... just like DMARC reporting. Such a structure would require compromise of the root DNS keys as well as all other DNS zones down to the target host in order for a government or corporation to MITM TLS traffic.

DANE is almost there:

https://wiki.mozilla.org/Security/DNSSEC-TLS-details

For those "out there" who wish to use "Lets Encrypt" certs, DNSSEC along with DANE is the only current way to add assurance for your users that the presented certificate is not fraudulent. And, by the same token, DANE along with a few extra cryptographic 'markers' should allow most reasonable persons to 'trust' a domain owned CA rather than a requirement for a third party CA.

Anyway, lost myself here:

To boot NSA out of the server...
  1. Use DNSSEC and DANE, and encourage users to install the browser extension
  2. Don't listen to the naysayers who hate all over DNSSEC, they spend all day arguing extreme edge cases
  3. Use a 'trusted' CA which issues DV certs to domains and not servers
  4. Use only Forward Secrecy TLS configurations
  5. Use ssh public key, and only ssh public key
  6. Use sshfp records for 'out-of-band' key fingerprinting
  7. Lock your passwds... passwd -l user
  8. Install only the software you need and nothing more
  9. Perform updates often
  10. Check CVE lists for your software
  11. And remember that, if any state [foreign or domestic] really wants to get in, they will find a way
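Item 6 in the list above (sshfp records as 'out-of-band' key fingerprinting), worked through as an added example that is not part of any comment in this thread. The script rebuilds the SSHFP resource record that `ssh-keygen -r <hostname>` emits for a host key (SSHFP algorithm number for the key type, fingerprint type 2 = SHA-256 over the raw base64-decoded key blob) and then performs the check an SSH client does with `VerifyHostKeyDNS`: the presented key is accepted only if a record with the same algorithm, fingerprint type and digest exists. The host key is a constructed, correctly framed ssh-ed25519 blob with a fake 32-byte "public point", not a real key; the hostname `host.example.` and the helper names are assumptions made for the example.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (legacy), 2 = SHA-256.
SSHFP_FPTYPE_SHA256 = 2


def parse_openssh_pubkey(line):
    """Split an OpenSSH public-key line into (key type, raw key blob).

    The blob's first length-prefixed string is the key type; it must match
    the type in front of the base64 field, otherwise the line is malformed
    or has been tampered with.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii")
    if embedded != keytype:
        raise ValueError(f"key type mismatch: {keytype} vs {embedded}")
    return keytype, blob


def sshfp_record(hostname, pubkey_line):
    """Build the SHA-256 SSHFP RR that `ssh-keygen -r hostname` prints for this key.

    The fingerprint is SHA-256 over the raw key blob (the base64-decoded
    second field of the public-key line), hex encoded.
    """
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    fingerprint = hashlib.sha256(blob).hexdigest()
    return f"{hostname} IN SSHFP {alg} {SSHFP_FPTYPE_SHA256} {fingerprint}"


def verify_host_key(pubkey_line, sshfp_records):
    """Mimic VerifyHostKeyDNS: accept the key only if some record carries the
    same algorithm, fingerprint type 2 and the same SHA-256 digest."""
    keytype, blob = parse_openssh_pubkey(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    digest = hashlib.sha256(blob).hexdigest()
    for record in sshfp_records:
        # Last three fields are: algorithm, fingerprint type, hex fingerprint.
        r_alg, r_fptype, r_fp = record.split()[-3:]
        if (int(r_alg) == alg and int(r_fptype) == SSHFP_FPTYPE_SHA256
                and r_fp.lower() == digest):
            return True
    return False


def constructed_ed25519_key(seed):
    """Constructed sample host key (assumption, not a real key): a correctly
    framed ssh-ed25519 blob whose 32-byte 'public point' is just SHA-256(seed)."""
    name = b"ssh-ed25519"
    point = hashlib.sha256(seed).digest()  # 32 bytes standing in for the curve point
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(point)) + point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " root@host.example"


if __name__ == "__main__":
    host_key = constructed_ed25519_key(b"sample-host-key")
    record = sshfp_record("host.example.", host_key)
    print(record)
    print("genuine key accepted:", verify_host_key(host_key, [record]))
    impostor = constructed_ed25519_key(b"attacker-key")
    print("impostor key accepted:", verify_host_key(impostor, [record]))
```

Publish the printed record in the zone for `host.example.`, then set `VerifyHostKeyDNS yes` in `ssh_config`. OpenSSH only trusts the answer on its own when the resolver returned it DNSSEC-validated (AD bit set); an unsigned answer still gets a confirmation prompt, which is why items 1 and 6 in the list go together.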
jdixon

Feb 02, 2016
12:06 PM EDT
> The NSA is a military organization that arose out of the ashes of World War I... The authorization for its creation is the same as for the any other military organization.

Do I really need to note that a standing military isn't authorized by the constitution either? Apparently so.

> However, the current legal framework is, at the very least, grey.

Not really. It's been deliberately made grey by the courts. If you ignore all the obfuscation, it's fairly simple. The government has no automatic right to any conversation. Even the snooping of public conversations wouldn't have been tolerated by the founders without some justification.

> And remember that, if any state [foreign or domestic] really wants to get in, they will find a way.

Almost certainly.
dotmatrix

Feb 02, 2016
12:47 PM EDT
>Do I really need to note that a standing military isn't authorized by the constitution either? Apparently so.

I think you'd lose that argument....

http://www.usconstitution.net/xconst_A1Sec8.html

US Constitution wrote: To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water;

To raise and support Armies, but no Appropriation of Money to that Use shall be for a longer Term than two Years;

To provide and maintain a Navy;

...

To make Rules for the Government and Regulation of the land and naval Forces; To make all Laws which shall be necessary and proper for carrying into Execution the foregoing Powers, and all other Powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof.


The Constitution doesn't need to have a particular clause designating a standing army. If Congress votes to have a standing army "for carrying into Execution the foregoing Powers, and all other Powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof", then a standing army is Constitutional...

The rules pretty much say, Congress makes the rules. The Constitution is not a limited document in time, space, or society.

Besides, the USA doesn't have a "Standing Army" .. the military is funded through Congress, and if Congress votes to defund the military, then it is no longer funded... Anyway, I don't think rational thought would arrive at the conclusion that either the Constitution or the framers of that document intended to disallow the military as it is today.

However, [back to the NSA], you could argue that conversations over the Internet are not public space conversations... And, this seems to me to be a more rational debate than trying to conclude that the Constitution does not allow for the creation of government and military agencies. Although, it would seem that an individual's failure to properly 'enclose' a conversation could easily stand in as permission given to record the conversation.

>Even the snooping of public conversations wouldn't have been tolerated by the founders without some justification.

I think you are not correct here...

Here are a couple of thoughts...
  • Freedom of Assembly. Citizens are allowed to assemble for peaceable purposes, but not to assemble anonymously. An assembly of masked people is illegal.
  • Freedom of the Press. In effect, citizens are explicitly allowed to listen in to conversations in public spaces without any justification.
  • I'm sure I can write more... but it all amounts to the same
In the USA, from the Constitutional beginning, citizens in public spaces were expected to have little to no privacy. So, the question is, is the Internet a public space? And I would imagine a sane argument would be that the unencrypted space is public while an encrypted space is private... kind of like your car. You can drive your car through the public space of a town, but whatever is inside the car and not directly visible from outside the car is considered private.

However, this definition would then greatly complicate data collection. Defining an encrypted space as private space would mean that no government agent could collect that encrypted data without a warrant showing probable cause. So, the government solution would probably be to define probable cause as the presence of encrypted data... Which would then mean that nothing would change in the data collection process.

Again, I don't like the whole thing -- but I think the sane action is: Do something yourself to protect the data you care about.
jdixon

Feb 02, 2016
4:15 PM EDT
We'll simply have to agree to disagree about the military. That said:

> ...In the USA, from the Constitutional beginning, citizens in public spaces were expected to have little to no privacy

Little to no privacy does not equate to the government making records of every public conversation. I stand by my statement.

I agree that the unencrypted = public and encrypted = private differentiation makes perfect sense, and I agree about the government's likely response.

Our disagreement is that you're willing to accept the actions as being a misuse of otherwise valid government powers. That's a premise I'm not willing to accept. Not that my accepting or not makes any difference to our government, but the withdrawal of consent is an important step in eventual change.
cybertao

Feb 03, 2016
5:25 AM EDT
Even if the constitution legally protected US citizens from the NSA (as I understand it, the NSA isn't involved in domestic spying), it doesn't protect them from other countries and illegal domestic activity. The constitution is just an old, worthless piece of paper to the rest of the world.

The legitimacy of the NSA or its actions is a different topic, unrelated to cyber-security. Privacy and security are still an individual's responsibility.
seatex

Feb 03, 2016
6:03 AM EDT
I agree with pretty much everything jdixon said here, as I usually do - I guess we think alike.

Anyway, the whole point is that American citizens shouldn't have to constantly fight to protect their rights (and their privacy) against their own government. The government is infringing on our rights by sweeping up our data without probable cause, and without a court order.

And yes, I realize our courts have forgotten to protect our rights as well - as they now pretty much rubber stamp whatever federal agencies request of them now - if they even bother to request anything.
jdixon

Feb 03, 2016
7:05 AM EDT
> (as I understand it, the NSA isn't involved in domestic spying)

By their charter, they weren't supposed to, no. It's been an open secret since at least the 80's that they in fact do. And I believe that was officially changed sometime in the Bush years.
seatex

Feb 03, 2016
11:44 AM EDT
From the EFF newsletter...

House Holds Closed Hearing on Section 702 Surveillance, Rejecting Calls for Transparency

Our elected representatives are once again cutting out the public from an important debate over mass surveillance. The House Judiciary Committee held a "members only" meeting today to discuss Section 702 of the FISA Amendment Acts, the law on which the NSA relies to operate its notorious PRISM surveillance program and to tap into the backbone of the Internet. Last week, EFF joined two dozen civil liberties, human rights, and transparency organizations, demanding in writing that leaders of the House Judiciary Committee open the hearing, at least in part, to the public. Instead, the committee heard today only from a panel of intelligence officials drawn from the NSA, FBI, DOJ, and ODNI who released a 12-page unclassified statement.
NoDough

Feb 03, 2016
1:07 PM EDT
seatex wrote: ...American citizens shouldn't have to constantly fight to protect their rights (and their privacy) against their own government.

Thomas Jefferson wrote: The price of Liberty is eternal vigilance.

jdixon

Feb 03, 2016
1:39 PM EDT
> Thomas Jefferson wrote: The price of Liberty is eternal vigilance.

Vigilance alone isn't enough, as he knew. He also said: "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants."

Left to their own devices, governments always become tyrannical. It's a well documented process.
BernardSwiss

Feb 03, 2016
10:53 PM EDT
I thought it was Patrick Henry, not Thomas Jefferson.

Turns out we're both wrong:

http://www.thisdayinquotes.com/2011/01/eternal-vigilance-is-...
NoDough

Feb 04, 2016
11:19 AM EDT
Ugh!

Thomas Jefferson Charlton wrote: "the price of liberty is eternal vigilance."

I'm guessing that a lot of people wrote it, we just don't know who authored it.
dotmatrix

Feb 04, 2016
11:41 AM EDT
Best Quote from 'other times':

Socratic paradox wrote: I know that I know nothing.


https://en.wikipedia.org/wiki/I_know_that_I_know_nothing
jdixon

Feb 04, 2016
12:36 PM EDT
> Socratic paradox wrote: I know that I know nothing.

Given that most of what we think we do know is probably wrong, that's the safe assumption to make. :)
cybertao

Feb 04, 2016
3:10 PM EDT
http://smbc-comics.com/index.php?db=comics&id=247
